Love Lettered

The Love Bug has hit almost 10 billion users within less than a week of its existence. The damage done by it is considered to be more than that done by Melissa. It is considered to be one of the all time greats in virus history, with around 13 variants already on the loose.

The worm spreads through email and IRC and has been written in VBScript. Hence it infects only those Windows users that have Windows Scripting Host installed. (This would mean users who have IE 5.0 installed on a Win98 or Win95 system, or Win98 with the Active Desktop Update installed, are vulnerable.) Again it uses Outlook Express to send itself to all email addresses in the Address Book.

The virus arrives with a .vbs file attachment. The subject and body of the virus vary as there are more than 13 variants of this worm. For the complete list of variants and the subjects and bodies associated with them refer to The Love Bug Track at the end of this document. The actual virus spreads with:

Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

Notice the .TXT part in the attachment name. This has possibly been done to fool users into assuming that the attached file is only a safe text document. In reality the attachment is a dangerous snippet of VBScript code.

Once executed, the virus checks to see whether the following key is set to a positive number or not:

HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout

If it is set to a positive number then it is changed to zero. If this key is not present then it is not affected. Then the worm copies itself to three different locations:

1. In the C:\windows\system directory as MSKernel32.vbs
2. In the C:\windows\system directory as LOVE-LETTER-FOR-YOU.TXT.vbs
3. In the C:\windows directory as Win32DLL.vbs

Note: If Windows has been installed in any other directory, say for example C:\Win, then the above folders will change accordingly.
('C:\win\system\' and 'c:\win' would then be the directories where the worm copies itself.)

It then creates new entries in the Registry to execute these programs automatically when Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

This means that on bootup the C:\windows\system\MSKernel32.vbs and C:\windows\Win32DLL.vbs files, which were earlier created by the worm, are executed.

It then modifies the Home Page or Start Page of Internet Explorer to point to a predefined page from which it downloads a binary called WIN-BUGSFIX.exe. To do this it edits the HKCU\Software\Microsoft\Internet Explorer\Main\Start Page key, which holds the default IE home page, and points it to one of the following URLs. (It chooses randomly from the list below.)

http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

The worm then changes a number of registry keys to run the downloaded binary:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX => (download directory)\win-bugsfix.exe

It then edits the Registry to change the home page of Internet Explorer to the default blank page:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page => about:blank

It then creates an HTML file named LOVE-LETTER-FOR-YOU.HTM, which contains the following text:

This HTML file need ActiveX Control To Enable to read this HTML file - Please press |YES| button to Enable ActiveX

The ActiveX then edits the registry entries to make it run at boot and writes to the files as it did earlier. This file is also used by the worm to spread itself; it is this file that is DCC'ed to users on IRC.

The worm then opens a MAPI connection to Outlook Express and sends itself to all entries in the Outlook Address Book. The virus attaches the file LOVE-LETTER-FOR-YOU.TXT.vbs to these emails.

Then it searches all drives and starts doing the damage. It looks for files with the following extensions on both local and remote drives: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .mp3, and .mp2.

All files with the extensions .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, or .jpeg are replaced with a copy of the virus itself. A copy of the virus is also written under the name of the file with the extension .vbs appended. This means that if there is a file ankit.bmp then the virus copy is also saved as ankit.bmp.vbs.

The virus does not delete files with the extension .mp2 or .mp3. It merely changes the attributes of such files to hidden and creates a copy of itself with the filename of the mp2 or mp3 plus the extension .vbs. For example, if there is a file ankit.mp3 then the virus also copies itself to ankit.mp3.vbs. It also overwrites .jpg and .jpeg files and changes the extension name.

Then it looks for the mIRC Windows IRC client and, if found, overwrites the script.ini file such that it will DCC the LOVE-LETTER-FOR-YOU.HTM file to all people who join the IRC channel.
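The file-system traces just described (files replaced by the worm, the "<name>.<ext>.vbs" copies, and .mp2/.mp3 files shadowed by a .vbs twin) can be triaged with a read-only scan. The script below is an added example and is not code from the article or from the worm; the two signature strings come from the Snort rules quoted in the Protection section, the extension lists come from the text above, and the sample directory it builds (file names like song.mp3 and helper.vbs, and the stub file contents) is constructed here for demonstration.

```python
"""Added example, not taken from the article: a read-only triage scan for the
filesystem traces the article describes (worm-signature files, <name>.<ext>.vbs
double extensions, and .mp2/.mp3 files shadowed by a .vbs copy).  It reports
and deletes nothing; the sample tree it builds is constructed here."""
import os
import tempfile

# Extensions the worm overwrites with a copy of itself (from the article).
OVERWRITTEN = {".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta",
               ".jpg", ".jpeg"}
# Extensions the worm hides and shadows with a <name>.<ext>.vbs copy.
SHADOWED = {".mp2", ".mp3"}
# Every extension the article lists as targeted; a .vbs whose inner extension
# is one of these matches the worm's "<file>.vbs" copy pattern.
TARGETED = OVERWRITTEN | SHADOWED | {".wav", ".txt", ".gif", ".doc", ".htm",
                                     ".html", ".xls", ".ini", ".bat", ".com"}
# Content strings taken from the Snort rules quoted in the Protection section.
SIGNATURE = (b"rem barok -loveletter", b"@GRAMMERSoft Group")


def has_signature(path):
    """True when the file contains both signature strings (the Snort rules' AND)."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(1 << 20)  # the script is small; a 1 MiB window is plenty
    except OSError:
        return False
    return all(s in data for s in SIGNATURE)


def scan_tree(root):
    """Walk root and return (kind, path) findings; kind is one of
    'signature', 'double_ext', 'shadow'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(".vbs"):
                if has_signature(path):
                    findings.append(("signature", path))
                # strip ".vbs" and look at the extension underneath it
                inner = os.path.splitext(name[:-4])[1].lower()
                if inner in TARGETED:
                    findings.append(("double_ext", path))
            elif lower == "love-letter-for-you.htm" and has_signature(path):
                findings.append(("signature", path))
            # an mp2/mp3 sitting next to its own .vbs twin
            if os.path.splitext(name)[1].lower() in SHADOWED and name + ".vbs" in present:
                findings.append(("shadow", path))
    return findings


def build_sample_tree(root):
    """Constructed sample: two clean files plus the traces an infection leaves.
    The stub holds only the signature comment lines, no script body."""
    stub = b"rem barok -loveletter\nrem @GRAMMERSoft Group\nrem constructed stand-in\n"
    samples = {
        "notes.txt": b"meeting notes, untouched\n",
        "helper.vbs": b"' legitimate admin script\nWScript.Echo \"ok\"\n",
        "song.mp3": b"ID3 constructed audio\n",
        "song.mp3.vbs": stub,
        "LOVE-LETTER-FOR-YOU.TXT.vbs": stub,
        "LOVE-LETTER-FOR-YOU.HTM": b"<html><!-- constructed --></html>\n" + stub,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temp dir, scan it, return sorted (kind, filename)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted((kind, os.path.basename(p)) for kind, p in scan_tree(root))


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind:11} {name}")
```

Point scan_tree at a drive root to get the list of suspect files before deleting anything; the signature check is what separates a legitimate admin .vbs (helper.vbs in the sample) from the worm's copies, which the extension-only removal step in the Protection section cannot do.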
Protection

Firstly, do not open any attachments with the extension .vbs even if the email appears to be from a trusted source; instead delete the email. Also do not accept any DCCs from anyone, again not even from a trusted source.

OK, you are infected, how do you disinfect your system? Simply follow the procedure below.

NOTE: This removal procedure may cause loss of some useful .vbs files as well.

First of all remove the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

Remove all instances of the following files on all drives, both local and remote:

LOVE-LETTER-FOR-YOU.HTM
*.vbs
*.vbe
*.js
*.jse
*.css
*.wsh
*.sct
*.hta

Locate your .mp2 and .mp3 files and remove the Hidden attribute.

System Administrators should filter out all mail going to MAILME@SUPER.NET.PH and also prevent the downloading of WIN-BUGSFIX.exe. [This has something to do with the HTTP Proxy and Sendmail rules. Read about it at the URL http://www2.sendmail.com/loveletter and also check out http://biocserver.cwru.edu/~jose/iloveyouhack.txt]

I picked up the following rules that will filter out the virus from a posting to a site, however they seem to be incomplete:

alert tcp any 110 -> any any (msg:"Incoming Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)
alert tcp any 143 -> any any (msg:"Incoming Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)
alert tcp any any -> any 25 (msg:"Outgoing Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)

WIN-BUGSFIX.exe Explained

The binary executable part of the worm, which it downloads from the net, is a password stealing Trojan sort of utility.
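The mail-side advice above (treat any .vbs attachment as hostile whoever sent it, and stop mail addressed to MAILME@SUPER.NET.PH) together with the content match in the Snort rules can be expressed as one gateway check. The code below is an added example, not part of the article and not a real mail filter product; it uses Python's standard email module, the sample messages (sender friend@example.com, attachment names, the stub attachment body holding only the two signature comment lines) are constructed here, and the rule names are my own.

```python
"""Added example, not from the article: a mail-gateway check that applies the
Protection advice (reject .vbs attachments regardless of sender; stop mail
addressed to MAILME@SUPER.NET.PH) together with the content match from the
quoted Snort rules.  Sample messages are constructed inline."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Content strings from the Snort rules quoted above; both must be present.
SIGNATURE = (b"rem barok -loveletter", b"@GRAMMERSoft Group")
# Drop-box address named in the Protection section.
EXFIL_ADDRESS = "mailme@super.net.ph"


def inspect_message(raw):
    """Return (verdict, reasons) for an RFC 822 message given as bytes.
    verdict is 'block' when any rule fires, otherwise 'allow'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    recipients = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]
    if EXFIL_ADDRESS in recipients:
        reasons.append("addressed to password-trojan drop box")
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no payload of their own
        name = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        if name and name.lower().endswith(".vbs"):
            reasons.append(f"vbs attachment: {name}")
            if name.count(".") > 1:       # e.g. LOVE-LETTER-FOR-YOU.TXT.vbs
                reasons.append(f"double extension: {name}")
        if all(s in payload for s in SIGNATURE):
            reasons.append(f"worm signature in {name or part.get_content_type()}")
    return ("block" if reasons else "allow", reasons)


# Constructed stand-in: only the signature comment lines, no script body.
WORM_STUB = b"rem barok -loveletter\nrem @GRAMMERSoft Group\nrem constructed stand-in\n"


def build_sample(attachment_name, attachment_bytes, to="someone@example.com"):
    """Constructed message in the shape the article describes."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = to
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def demo():
    """Run the check over four constructed messages and return the verdicts."""
    cases = {
        "worm": build_sample("LOVE-LETTER-FOR-YOU.TXT.vbs", WORM_STUB),
        "renamed_variant": build_sample("Very Funny.vbs", WORM_STUB),
        "clean": build_sample("invoice.pdf", b"%PDF-1.4 constructed\n"),
        "exfil": build_sample("report.txt", b"constructed", to=EXFIL_ADDRESS),
    }
    return {label: inspect_message(raw) for label, raw in cases.items()}


if __name__ == "__main__":
    for label, (verdict, reasons) in demo().items():
        print(f"{label:16} {verdict:5} {reasons}")
```

The extension rule catches renamed variants such as Very Funny.vbs that the signature strings alone would miss once the comment lines are stripped (the H variant in the reference section removes them), while the signature rule catches a copy that arrives under some other name; the check is kept to decoded payloads, so base64-encoded attachments are inspected after decoding, which a raw byte match on the wire would not do.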
The following is an excerpt from a posting to Bugtraq which describes the working of this password stealing Trojan associated with this worm.

"On startup the trojan tries to find a hidden window named 'BAROK...'. If it is present, the trojan exits immediately; if not, the main routine takes control. The trojan checks for the WinFAT32 subkey in the following Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

If the WinFAT32 subkey is not found, the trojan creates it, copies itself to the \Windows\System\ directory as WINFAT32.EXE and then runs the file from that location. The above registry key modification makes the trojan become active every time Windows starts. Then the trojan sets the Internet Explorer startup page to 'about:blank'. After that the trojan tries to find and delete the following keys:

Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching

Then the trojan registers a new window class and creates a hidden window titled 'BAROK...' and remains resident in Windows memory as a hidden application. Immediately after startup and when timer counters reach certain values, the trojan loads the MPR.DLL library, calls the WNetEnumCachedPasswords function and sends stolen RAS passwords and all cached Windows passwords to the 'mailme@super.net.ph' e-mail address that most likely belongs to the trojan's author. The trojan uses the 'smtp.super.net.ph' mail server to send e-mails. The e-mail's subject is 'Barok... email.passwords.sender.trojan'."
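When one of these report messages is caught at the mail gateway or firewall, the useful thing for a responder is a structured view of which host leaked and which share credentials must be rotated. The parser below is an added example, not part of the article or of either posting; it follows the report layout quoted in the next excerpt (Host, Username, IP Address, then RAS Passwords and Cache Passwords sections with "resource : secret" lines), uses the subject line given above to recognise the message, and assumes a blank line separates the mail headers from the report body. The sample message is constructed from that quoted layout with its xxx placeholders, and the record deliberately keeps only resource names, never the secrets.

```python
"""Added example, not from the article: parse the report message the password
trojan mails out (layout as quoted in the posting that follows) into a record
a responder can act on.  Secrets are not copied into the record.  The sample
message is constructed and assumes a blank line between headers and body."""
import email
from email import policy

# Subject line given in the Bugtraq excerpt above.
REPORT_SUBJECT = "Barok... email.passwords.sender.trojan"

# Constructed sample, following the layout quoted in the next excerpt.
SAMPLE_REPORT = r"""To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder

Host: kakker
Username: Default
IP Address: 10.67.101.123
RAS Passwords:
Cache Passwords:
BLABLA\MPM : xxx
BJORN\MUSIC : xxx
TOM\SHARED : xxx
TOM2\MP3 : xxx
www.server.com/ : xxx:xxx
MAPI : MAPI
"""

FIELDS = {"Host": "host", "Username": "username", "IP Address": "ip"}
SECTIONS = {"RAS Passwords:": "ras", "Cache Passwords:": "cached"}


def parse_barok_report(raw):
    """Return a record dict for a Barok report, or None for any other mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg["Subject"] != REPORT_SUBJECT:
        return None
    body = msg.get_payload(decode=True).decode("ascii", "replace")
    record = {"host": None, "username": None, "ip": None, "ras": [], "cached": []}
    section = None
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        if line in SECTIONS:              # "RAS Passwords:" / "Cache Passwords:"
            section = SECTIONS[line]
            continue
        if section is None:               # header block: Host / Username / IP Address
            key, _, value = line.partition(":")
            field = FIELDS.get(key.strip())
            if field:
                record[field] = value.strip()
            continue
        # "resource : secret" entries; keep only the resource name
        resource, sep, _secret = line.partition(" : ")
        if sep:
            record[section].append(resource.strip())
    return record


if __name__ == "__main__":
    rec = parse_barok_report(SAMPLE_REPORT)
    print(f"leaking host {rec['host']} ({rec['ip']}), user {rec['username']}")
    print("credentials to rotate:", rec["ras"] + rec["cached"])
```

Splitting on the first " : " rather than on ":" matters for entries like www.server.com/ : xxx:xxx, where the secret itself contains a colon; and because the record drops the secret, the output can be handed to the owners of the listed shares without re-circulating the leaked passwords.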
If you need to disinfect systems without having up-to-date antivirus software, Magnus Hiie of mega.ee also provided what appears to be a fix for this - handy if hundreds of computers at your network need to be disinfected quickly before more damage is done. It is attached to this mail as "disinfect_vbs.txt" (in order not to trigger trojan autolaunch...).

The WIN-BUGSFIX.exe program connects to the SMTP server at 199.108.232.1 port 25 to send out its email message. You should block the address at your firewall. The message looks as follows:

To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder

Host: kakker
Username: Default
IP Address: 10.67.101.123
RAS Passwords:
Cache Passwords:
BLABLA\MPM : xxx
BJORN\MUSIC : xxx
TOM\SHARED : xxx
TOM2\MP3 : xxx
www.server.com/ : xxx:xxx
MAPI : MAPI

where all xxx's stand for plaintext usernames and passwords of SMB shares in the subnet.

The Love Bug Reference Section

The following is the general description of the variants of the Love Bug:

VBS.LoveLetter.A
ATTACHMENT: LOVE-LETTER-FOR-YOU.TXT.vbs
SUBJECT LINE: ILOVEYOU
MESSAGE BODY: kindly check the attached LOVELETTER coming from me.

VBS.LoveLetter.B or Lithuania
ATTACHMENT: same as A
SUBJECT LINE: Susitikim shi vakara kavos puodukui...
MESSAGE BODY: same as A

VBS.LoveLetter.C or Very Funny
ATTACHMENT: Very Funny.vbs
SUBJECT LINE: fwd: Joke
MESSAGE BODY: empty

VBS.LoveLetter.D or BugFix
ATTACHMENT: same as A
SUBJECT LINE: same as A
MESSAGE BODY: same as A
INFO: registry entry: WIN- -BUGSFIX.exe instead of WIN-BUGSFIX.exe

VBS.LoveLetter.E or Mother's Day
ATTACHMENT: mothersday.vbs
SUBJECT LINE: Mothers Day Order Confirmation
MESSAGE BODY: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day!
mothersday@subdimension.com
INFO: mothersday.HTM sent in IRC, & comment: rem hackers.com, & start up page to hackers.com, l0pht.com, or 2600.com

VBS.LoveLetter.F or Virus Warning
ATTACHMENT: virus_warning.jpg.vbs
SUBJECT LINE: Dangerous Virus Warning
MESSAGE BODY: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.
INFO: Urgent_virus_warning.htm

VBS.LoveLetter.G or Virus ALERT!!!
ATTACHMENT: protect.vbs
SUBJECT LINE: Virus ALERT!!!
MESSAGE BODY: a long message regarding VBS.LoveLetter.A
INFO: FROM support@symantec.com. This variant also overwrites files with .bat and .com extensions.

VBS.LoveLetter.H or No Comments
ATTACHMENT: same as A
SUBJECT LINE: same as A
MESSAGE BODY: same as A
INFO: the comment lines at the beginning of the worm code have been removed.

VBS.LoveLetter.I or Important! Read carefully!!
ATTACHMENT: Important.TXT.vbs
SUBJECT LINE: Important! Read carefully!!
MESSAGE BODY: Check the attached IMPORTANT coming from me!
INFO: new comment line at the beginning: by: BrainStorm / @ElectronicSouls. It also copies the files ESKernel32.vbs & ES32DLL.vbs, and mIRC script comments referring to BrainStorm and ElectronicSouls, and sends IMPORTANT.HTM to the chat room.

VBS.LoveLetter.J
ATTACHMENT: protect.vbs
SUBJECT LINE: Virus ALERT!!!
MESSAGE BODY: Largely the same as the G variant.
INFO: This appears to be a slight modification of the G variant.

VBS.LoveLetter.K
ATTACHMENT: Virus-Protection-Instructions.vbs
SUBJECT LINE: How to protect yourself from the IL0VEY0U bug!
MESSAGE BODY: Here's the easy way to fix the love virus.

VBS.LoveLetter.L or I Cant Believe This!!!
ATTACHMENT: KillEmAll.TXT.VBS
SUBJECT LINE: I Cant Believe This!!!
MESSAGE BODY: I Cant Believe I have Just Recieved This Hate Email .. Take A Look!
INFO: comment has phrase/words: Killer, by MePhiston, replaces GIF & BMP instead of JPG & JPEG, hides WAV & MID instead of MP3 & MP2. No IRC routine, therefore it will not infect chat room users.
Copies KILER.HTM, KILLER2.VBS, KILLER1.VBS to the hard disk.

VBS.LoveLetter.M or Arab Air
ATTACHMENT: ArabAir.TXT.vbs
SUBJECT LINE: Thank You For Flying With Arab Airlines
MESSAGE BODY: Please check if the bill is correct, by opening the attached file
INFO: Replaces DLL & EXE files instead of JPG & JPEG. Hides SYS & DLL files instead of MP3 & MP2. Copies no-hate-FOR-YOU.HTM to the hard disk.

This is compiled together using many net sources; I am not to be held responsible for anything that this information may do to anyone's systems/files.

Article written by dogbomb