VBS/LoveLet-DO

Discussion in 'malware problems & news' started by FanJ, Aug 15, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: VBS/LoveLet-DO
    Aliases: VBS/LoveLetter@MM, VBS/LoveLetter.gen, I-Worm.LoveLetter
    Type: Visual Basic Script worm
    Date: 15 August 2002


    At the time of writing Sophos has received just one report of
    this worm from the wild.

    Note: This IDE includes detection for VBS/LoveLet-DO and
    mIRC/LoveLet-DO

    Description
    VBS/LoveLet-DO arrives in an email with the following characteristics:

    Subject line: fwd: Joke
    Attached file: Very Funny.vbs
    The email contains no message text.

    When the worm is first executed it creates three copies of itself as C:\Windows\System\MSKernel32.vbs, C:\Windows\Win32DLL.vbs and C:\Windows\System\Very Funny.vbs.

    The following two entries are added to the registry and point to the infected files MSKernel32.vbs and Win32DLL.vbs respectively:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

    This will run the worm when Windows starts up.

    If the file C:\Windows\System\WinFAT32.exe exists then the Internet Explorer
    start page will be changed, via the registry setting

    HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

    to one of the following four addresses:

    http://www.xxx.xxx/xxx/xxx/WIN-BUGSFIX.exe
    http://www.xxx.xxx/xxx/xxx/WIN-BUGSFIX.exe
    http://www.xxx.xxx/xxx/xxx/WIN-BUGSFIX.exe
    http://www.xxx.xxx/xxx/xxx/WIN-BUGSFIX.exe

    If the file WIN-BUGSFIX.exe is downloaded from one of the above addresses
    then the following entry is added to the registry and points to the downloaded file:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

    The Internet Explorer start page will then be set to a blank page. At the time of writing, the file WIN-BUGSFIX.exe is not available from any of the above addresses.

    The virus infects VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, JPG, JPEG, MP2 and
    MP3 files by overwriting their original contents with a copy of itself and
    adding a VBS extension, except in the case of VBS and VBE files.

    The worm searches for a mIRC installation and creates a new script.ini file
    in the mIRC folder. This script.ini file attempts to send the infected file
    C:\Windows\System\Very Funny.vbs to all users who join the current channel.
    Script.ini will be detected by Sophos as mIRC/LoveLet-DO.

    The virus is sent to all contacts in the user's Windows address book in an
    email as described at the start of this description.

    An HTML file named Very Funny.HTM is created in the Windows system folder.
    This HTM file contains a VBScript that will not execute correctly.
    More information about VBS/LoveLet-DO can be found at
    http://www.sophos.com/virusinfo/analyses/vbsloveletdo.html


    Note from FanJ: I have deleted some links
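Added defender-side example, not code from Sophos or from FanJ's post: it turns the indicators above (the Run/RunServices value names, autorun entries that launch a .vbs, and data files that were overwritten and given an extra .vbs extension) into a small triage check over a registry export and a file listing. The .reg text and file paths are constructed samples.

```python
"""Triage helpers for the VBS/LoveLet-DO indicators in the description above.
Added example; the .reg export and file listing are constructed, not captured."""
import re

# Autorun keys and value names named in the description (hive spelled as in a .reg export).
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
SUSPECT_VALUES = {"MSKernel32", "Win32DLL", "WIN-BUGSFIX"}
# Extensions the worm overwrites and then appends ".vbs" to (VBS/VBE keep their name).
OVERWRITTEN_EXTS = ("js", "jse", "css", "wsh", "sct", "hta", "jpg", "jpeg", "mp2", "mp3")
DOUBLE_EXT = re.compile(r"\.(%s)\.vbs$" % "|".join(OVERWRITTEN_EXTS), re.IGNORECASE)


def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip('"')
    return keys


def find_autorun_indicators(reg):
    """(key, name, data) for autorun entries using a worm value name or launching a .vbs."""
    hits = []
    for key in AUTORUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if name in SUSPECT_VALUES or data.lower().endswith(".vbs"):
                hits.append((key, name, data))
    return hits


def find_overwritten_files(paths):
    """Paths ending in one of the overwritten extensions followed by .vbs."""
    return [p for p in paths if DOUBLE_EXT.search(p)]


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\Windows\\System\\MSKernel32.vbs"
"SoundMgr"="C:\\Windows\\System\\sndmgr.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\Windows\\Win32DLL.vbs"
"""
SAMPLE_FILES = [r"C:\photos\holiday.jpg.vbs", r"C:\music\track.mp3",
                r"C:\web\app.js.vbs", r"C:\Windows\System\Very Funny.vbs"]

if __name__ == "__main__":
    for hit in find_autorun_indicators(parse_reg_export(SAMPLE_REG)):
        print("autorun indicator:", hit)
    print("overwritten files:", find_overwritten_files(SAMPLE_FILES))
```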