Home / malware

PDF

Email-Worm:VBS/LoveLetter

First posted on 15 June 2010.
Source: SecurityHome

Aliases :

There are no other names known for Email-Worm:VBS/LoveLetter.

Explanation :

This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.

Additional DetailsEmail-Worm:VBS/LoveLetter is a worm written in Visual Basic Script. It spreads through e-mail as a chain letter, using the Microsoft Outlook e-mail application to spread itself. The worm ccan also spread using an mIRC client as well.

The virus contains the following text at the beginning of the code:

€ barok -loveletter(vbe)
by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
LoveLetter was found globally in-the-wild on May 4th, 2000. It seems to originate from the Philippines.

Installation

When it is executed, it first copies itself to the Windows System directory as:

€ MSKernel32.vbs € LOVE-LETTER-FOR-YOU.TXT.vbs
and to the Windows directory as:

€ Win32DLL.vbs
Then it adds itself to the registry, so that it will be executed when the system is restarted. It adds the following registry keys:

After that the worm replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe". If the file is downloaded, the worm adds this to the registry as well, which causes the program to be executed when the system is restarted.

Payload

The executable part the LoveLetter worm downloads from the web is a password stealing trojan. On the system startup the trojan tries to find a hidden window named 'BAROK...'. If it is present, the trojan exits immediately, in other case the main routine takes control.

The trojan checks for the WinFAT32 subkey in the following Registry key:

€ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
If the WinFAT32 subkey key is not found, the trojan creates it, copies itself to the \Windows\System\ directory as WINFAT32.EXE and then it runs the file from that location. The above registry key modification causes the trojan to become active every time Windows starts.

Then the trojan sets the Internet Explorer startup page to 'about:blank'. After that the trojan tries to find and delete the following keys:

€ Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds € Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching € .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds € .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
Then the trojan registers a new window class and creates a hidden window titled 'BAROK...' and remains resident in the Windows memory as a hidden application.

Immediately after startup and when timer counters reach certain values, the trojan loads the MPR.DLL library, calls the WNetEnumCashedPasswords function and sends stolen RAS passwords and all cached Windows passwords to e-mail address 'mailme@super.net.ph' that most likely belongs to the trojan's author.

The trojan uses mail server 'smtp.super.net.ph' to send e-mails. The e-mail's subject is 'Barok... email.passwords.sender.trojan'.

There is the author's copyright message inside the trojan's body:

€ barok ...i hate go to school suck ->by:spyder @Copyright (c) 2000 GRAMMERSoft Group >Manila,Phils.
There are also some encrypted text messages in the trojan's body for its own use.

Propagation (E-mail)

Then the worm uses Outlook to mass mail itself to everyone in each address book. The message that it sends looks like this:

€ Subject: ILOVEYOU € Body: kindly check the attached LOVELETTER coming from me. € Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs


LoveLetter sends the mail once to each recipient. After a mail has been sent, it adds a marker to the registry and does not mass mail itself anymore.

Then the virus searches for certain file types from all folders in all local and remote drives and overwrites them with its own code. The files that are overwritten have either a "vbs" or a "vbe" extension.

The virus creates a new file with the same name for files with the following extensions: ".js", ".jse", ".css", ".wsh", ".sct" and
".hta". The only difference is that the extension of the new file is ".vbs". The original file will be deleted.

After this has been done, the the virus locates files with ".jpg" and ".jpeg" extensions, adds a new file next to it and deletes the original file. Then the virus locates ".mp3" and ".mp2" files, creates a new file and hides the original file. In both cases the new files created will have the original name with the additional extension ".vbs". For example, a picture named "pic.jpg" will cause a new file called "pic.jpg.vbs" to be created.

Propagation (IRC)

The worm creates an HTML file called "LOVE-LETTER-FOR-YOU.HTM" to the Windows System directory. This file contains the worm and it will be sent using mIRC whenever another person joins an IRC channel where the infected user currently is. To accomplish this the worm replaces the "script.ini" file from the mIRC installation directory.



Detection

F-Secure Anti-Virus detects LoveLetter worm with the latest updates.

Last update 15 June 2010

 

TOP