[14781] in bugtraq
Re: ILOVEYOU worm
daemon@ATHENA.MIT.EDU (Jaanus Kase)
Thu May 4 17:28:38 2000
Date: Thu, 4 May 2000 20:44:45 +0200
Reply-To: Jaanus Kase <j.kase@PRIVADOR.COM>
From: Jaanus Kase <j.kase@PRIVADOR.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000504095618.N24513@securityfocus.com>
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of Elias
> Levy
> Sent: 04. mai 2000. A. 18:56
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: ILOVEYOU worm
>
> I've not been able to obtain a copy of the binary to figure out
> what it does.
F-Secure has a nice analysis of this:
http://www.europe.f-secure.com/v-descs/love.htm
According to the site,
"The executable part that the LoveLetter worm downloads from the web is a
password stealing trojan. On startup the trojan tries to find a hidden
window named 'BAROK...'. If it is present, the trojan exits immediately; if
not, the main routine takes control. The trojan checks for the WinFAT32
subkey in the following Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
If the WinFAT32 subkey is not found, the trojan creates it, copies
itself to the \Windows\System\ directory as WINFAT32.EXE and then runs the file
from that location. The above registry key modification makes the trojan
become active every time Windows starts.
Then the trojan sets the Internet Explorer startup page to 'about:blank'. After
that the trojan tries to find and delete the following keys:
Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
Then the trojan registers a new window class and creates a hidden window titled
'BAROK...' and remains resident in Windows memory as a hidden application.
Immediately after startup and when timer counters reach certain
values, the trojan loads the MPR.DLL library, calls the WNetEnumCachedPasswords
function and sends stolen RAS passwords and all cached Windows passwords to
the 'mailme@super.net.ph' e-mail address, which most likely belongs to the trojan's
author. The trojan uses the 'smpt.super.net.ph' mail server to send e-mails.
The e-mail's subject is 'Barok... email.passwords.sender.trojan'."
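The registry indicators in that description can be checked mechanically. The Python script below is an added example written for this post, not F-Secure's or any vendor's tool: on Windows it reads the Run, RunServices, Internet Explorer Main and Policies\Network keys through winreg and reports the autostart entry, the deleted policy values and the start-page change described above; elsewhere it evaluates a constructed snapshot. Two things in it are assumptions rather than statements from the analysis: the hive prefixes for the Policies\Network paths (taken as HKCU and HKU\.DEFAULT), and the extra autostart names MSKernel32, Win32DLL and WIN-BUGSFIX, which come from the disinfection script attached to this mail.

```python
"""Evaluate a Windows registry snapshot against the registry indicators
F-Secure lists for the LoveLetter password-stealing component.
Added example for this post, not F-Secure's or any vendor's tool."""
import sys

# Key paths with hive prefixes. The analysis gives the Policies\Network paths
# without a hive; reading them as HKCU and HKU\.DEFAULT is an assumption.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
IE_MAIN_KEY = r"HKCU\Software\Microsoft\Internet Explorer\Main"
POLICY_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network",
    r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network",
)
POLICY_VALUES = ("HideSharePwds", "DisablePwdCaching")

# Autostart value names: WinFAT32 from the F-Secure description; MSKernel32,
# Win32DLL and WIN-BUGSFIX are the entries the attached disinfection script removes.
SUSPECT_AUTOSTART = (
    (RUN_KEY, "WinFAT32"),
    (RUN_KEY, "MSKernel32"),
    (RUN_KEY, "WIN-BUGSFIX"),
    (RUNSERVICES_KEY, "Win32DLL"),
)

def evaluate(snapshot):
    """snapshot maps key path -> {value name: data} for the keys above; a key
    missing from the snapshot means it does not exist. Returns (severity, text)."""
    findings = []
    for key, name in SUSPECT_AUTOSTART:
        data = snapshot.get(key, {}).get(name)
        if data is not None:
            findings.append(("high", f"autostart entry {key}\\{name} = {data!r}"))
    for key in POLICY_KEYS:
        values = snapshot.get(key)
        if values is None:
            continue  # key never created: nothing could have been deleted from it
        for name in POLICY_VALUES:
            if name not in values:
                # The trojan deletes these; absence only matters where your
                # baseline policy sets them, so it is reported as informational.
                findings.append(("info", f"policy value {key}\\{name} not present"))
    start_page = snapshot.get(IE_MAIN_KEY, {}).get("Start Page")
    if isinstance(start_page, str) and start_page.strip().lower() == "about:blank":
        findings.append(("low", "IE Start Page is about:blank (trojan sets this; weak on its own)"))
    return findings

def collect_windows():
    """Read the keys above through winreg. Windows only."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
             "HKU": winreg.HKEY_USERS}
    snapshot = {}
    for key in (RUN_KEY, RUNSERVICES_KEY, IE_MAIN_KEY) + POLICY_KEYS:
        hive, _, sub = key.partition("\\")
        try:
            handle = winreg.OpenKey(hives[hive], sub)
        except OSError:
            continue  # key absent or not readable: leave it out of the snapshot
        with handle:
            values, index = {}, 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(handle, index)
                except OSError:
                    break
                values[name] = data
                index += 1
        snapshot[key] = values
    return snapshot

# Constructed snapshots for offline use; not captured from any real machine.
INFECTED_SAMPLE = {
    RUN_KEY: {"SystemTray": "SysTray.Exe", "WinFAT32": r"C:\WINDOWS\SYSTEM\WINFAT32.EXE"},
    POLICY_KEYS[0]: {},
    IE_MAIN_KEY: {"Start Page": "about:blank"},
}
CLEAN_SAMPLE = {
    RUN_KEY: {"SystemTray": "SysTray.Exe"},
    POLICY_KEYS[0]: {"HideSharePwds": 1, "DisablePwdCaching": 1},
    IE_MAIN_KEY: {"Start Page": "http://www.example.com/"},
}

if __name__ == "__main__":
    snap = collect_windows() if sys.platform == "win32" else INFECTED_SAMPLE
    for severity, text in evaluate(snap) or [("ok", "no LoveLetter registry indicators")]:
        print(f"[{severity}] {text}")
```

The evaluation is kept separate from collection so the same rules can be run over registry exports gathered from many machines, and so the policy-value check can be compared against a known baseline rather than treated as proof on its own.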
Several antivirus software vendors (including F-Secure, Symantec and others)
have already provided updates for their software that deal with this. Check
with your vendor.
If you need to disinfect systems without having up-to-date antivirus
software, Magnus Hiie of mega.ee also provided what appears to be a fix for
this - handy if hundreds of computers on your network need to be disinfected
quickly before more damage is done. It is attached to this mail as
"disinfect_vbs.txt" (in order not to trigger trojan autolaunch...).
NOTE: I haven't verified it to be working. I am not the author. I just
downloaded it and changed the strings to English. BE SURE to check
the file contents yourself before launching it (as should have been
done in the first place?).
Save the file, see that it really DOES do what it claims to do, rename it to
"disinfect.vbs", and launch it with "cscript //T:0 //NoLogo Disinfect.vbs".
Regards,
Jaanus Kase
Privador AS
http://www.privador.com/
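Before a deleting script is run over hundreds of machines it helps to see first what it would hit. The Python sweep below is an added example written for this post, not Magnus Hiie's script and not part of the mail: it applies the same indicators the attached script uses (the dropped filenames, a first line containing "loveletter" in .vbs/.vbe files, and "LOVE-LETTER" inside a script.ini) over a directory tree and only reports. Given a directory argument it sweeps that tree; without one it builds a constructed sample tree in a temporary directory, reports on it and removes it. The sample file contents are invented for the demonstration and are not worm code.

```python
"""Report-only sweep for the LoveLetter artefacts that the attached
disinfection script deletes. Added example for this post, not Magnus Hiie's
or Jaanus Kase's code; it reports and never deletes."""
import os
import shutil
import sys
import tempfile

# Filenames the worm drops (taken from the attached script and the F-Secure text).
DROPPED_NAMES = {
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm", "winfat32.exe", "win-bugsfix.exe",
}
SCRIPT_EXTENSIONS = {".vbs", ".vbe"}

def first_line(path, limit=512):
    """First line of a file as text; tolerates binary, empty and unreadable files."""
    try:
        with open(path, "rb") as fh:
            return fh.readline(limit).decode("latin-1")
    except OSError:
        return ""

def classify(path):
    """Reason string if the file looks like a LoveLetter artefact, else None."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if name in DROPPED_NAMES:
        return "dropped filename"
    if ext in SCRIPT_EXTENSIONS and "loveletter" in first_line(path).lower():
        return "worm marker in first line"
    if name == "script.ini":  # mIRC script; the attached script checks it for LOVE-LETTER
        try:
            with open(path, "rb") as fh:
                if b"LOVE-LETTER" in fh.read():
                    return "LOVE-LETTER reference in script.ini"
        except OSError:
            pass
    return None

def sweep(root):
    """Walk root and return a sorted list of (path, reason) for suspicious files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            reason = classify(path)
            if reason:
                hits.append((path, reason))
    return sorted(hits)

def build_constructed_tree():
    """Temporary directory with constructed samples; none of them is real worm code."""
    root = tempfile.mkdtemp(prefix="loveletter_sweep_")
    samples = {
        os.path.join("WINDOWS", "SYSTEM", "MSKernel32.vbs"): b"rem constructed loveletter marker\r\n",
        os.path.join("mirc", "script.ini"): b"[script]\n; constructed line naming LOVE-LETTER-FOR-YOU.HTM\n",
        "renamed.vbe": b"rem constructed -loveletter(vbe) sample\r\n",
        "logon.vbs": b"' harmless admin script\r\nWScript.Echo \"hello\"\r\n",
        "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(64),
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root

def demo():
    """Sweep the constructed tree, print the report, return (relative path, reason)."""
    root = build_constructed_tree()
    try:
        hits = [(os.path.relpath(path, root), reason) for path, reason in sweep(root)]
        for rel, reason in hits:
            print(f"{reason}: {rel}")
        return hits
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, reason in sweep(sys.argv[1]):
            print(f"{reason}: {path}")
    else:
        demo()
```

Reading only the first few hundred bytes of each script keeps the sweep cheap on a full drive, and the report is what you compare against the attached script's own log before letting it delete anything.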
Attachment: disinfect_vbs.txt
rem original author: Magnus Hiie, http://www.mega.ee, magnus@egrupp.ee, May 4, 2000
rem modified to English language by Jaanus Kase, http://www.privador.com, j.kase@privador.com
rem run with: cscript //T:0 //NoLogo Disinfect.vbs
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
dim logfile,regedit
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
rem actions are logged to Disinfect.log in the current directory
Set logfile = fso.CreateTextFile("Disinfect.log", True, False)
Set regedit = CreateObject("WScript.Shell")
main()
logfile.Close
sub main()
On Error Resume Next
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
rem copies the worm drops into the Windows and System directories
fso.DeleteFile dirsystem&"\MSKernel32.vbs", True
fso.DeleteFile dirwin&"\Win32DLL.vbs", True
fso.DeleteFile dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs", True
regruns()
html()
spreadtoemail()
listadriv()
end sub
Sub LogLine(logstr)
logfile.WriteLine logstr
WScript.Echo logstr
End Sub
rem returns "" when the value does not exist instead of raising an error
Function RegRead(key)
On Error Resume Next
RegRead = ""
RegRead = regedit.RegRead(key)
End Function
Sub RegDelete(key)
On Error Resume Next
regedit.RegDelete key
End Sub
sub regruns()
On Error Resume Next
Dim num,downread
rem the worm's autostart entry doubles as the infection test
If RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32") <> "" Then
LogLine "System infected!"
Else
LogLine "System probably not infected."
End If
RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32"
RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL"
rem the downloaded password stealer is saved to Internet Explorer's download directory
downread=""
downread=RegRead("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
if (downread="") then
downread="c:\"
end if
rem replaces the start page the worm changed; edit the URL to your own choice
regedit.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.mega.ee/"
fso.DeleteFile dirsystem&"\WinFAT32.exe"
RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"
fso.DeleteFile fso.BuildPath(downread, "WIN-BUGSFIX.exe")
End Sub
rem walks every fixed (2) and network (3) drive
sub listadriv
On Error Resume Next
Dim d,dc
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next
end Sub
rem deletes a .vbs/.vbe file whose first line carries the worm's marker
Sub CheckFile(filespec)
On Error Resume Next
Dim f, firstline
firstline = ""
Set f = fso.OpenTextFile(filespec, 1, False, 0)
If Not f.AtEndOfStream Then firstline = f.ReadLine
f.Close
If InStr(firstline, "loveletter") <> 0 Then
fso.DeleteFile filespec, True
LogLine "Infected file " & filespec & ", original may have been destroyed"
End If
End Sub
rem inspects the files of one directory (despite the name it only cleans)
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,s,scriptini,scriptfile
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if ext="vbs" or (ext="vbe") Then
CheckFile f1.path
end if
if s="script.ini" then
set scriptini=f1.OpenAsTextStream(1, 0)
scriptfile = scriptini.ReadAll
scriptini.Close
If InStr(scriptfile, "LOVE-LETTER") <> 0 Then
f1.Delete True
LogLine "Infected file " & f1.path & ", original may have been destroyed"
End If
end if
Next
end sub
rem inspects a directory, then recurses into its subdirectories
sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
WScript.Echo "Checking directory " & folderspec
infectfiles(folderspec)
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
folderlist(f1.path)
next
end sub
rem note the inverted convention kept from the original: 0 means the item exists
function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.FolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
folderexist = msg
end function
sub spreadtoemail()
rem intentionally empty
End sub
sub html
On Error Resume Next
fso.DeleteFile dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
End Sub
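Attachments arrive on the list quoted-printable encoded, as this one did in the raw message (with "=3D" standing for "=", "=09" for a tab, and a trailing "=" where a long statement was wrapped onto two lines), so "check the file contents yourself" starts with decoding it and then reading every statement that touches the registry or the file system. The Python script below is an added example written for this post, not code from the mail or its attachment: it decodes an excerpt copied from the raw attachment and lists each side-effecting statement with the paths, keys and URLs it names. The statement categories and their regular expressions are this example's own heuristics.

```python
"""Decode a quoted-printable VBScript attachment and list every statement that
changes the system, to support reviewing a script before running it. Added
example written for this post; not code from the mail or its attachment."""
import quopri
import re

# Excerpt copied from the raw attachment as delivered on the list: '=3D' encodes
# '=', '=09' a tab, and a line ending in '=' is a soft break that splits one
# statement (even one string literal) across two physical lines.
RAW_EXCERPT = b"""Set fso =3D CreateObject("Scripting.FileSystemObject")
Set regedit =3D CreateObject("WScript.Shell")
fso.DeleteFile dirsystem&"\\MSKernel32.vbs", True
RegDelete =
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MSKerne=
l32"
=09
regedit.RegWrite "HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start =
Page","http://www.mega.ee/"
logfile.WriteLine logstr
"""

# Statement classes a reviewer wants to see; the first matching class wins.
SIDE_EFFECTS = (
    ("registry write", re.compile(r"\.RegWrite\b", re.I)),
    ("registry delete", re.compile(r"\bRegDelete\b", re.I)),
    ("file delete", re.compile(r"\.DeleteFile\b|\.DeleteFolder\b|\.Delete\b", re.I)),
    ("file write", re.compile(r"\.CreateTextFile\b|\.WriteLine\b|\.Write\b|\.CopyFile\b", re.I)),
    ("process start", re.compile(r"\.Run\b|\.Exec\b", re.I)),
    ("object creation", re.compile(r"\bCreateObject\s*\(", re.I)),
)
# Comments and Sub/Function headers are skipped; only executable statements count.
COMMENT_OR_DEFINITION = re.compile(r"(rem\b|'|sub\b|function\b)", re.I)

def decode_attachment(raw):
    """Undo quoted-printable; soft breaks are joined so each list item is one statement."""
    return quopri.decodestring(raw).decode("latin-1").splitlines()

def review(lines):
    """Return [(line number, category, statement)] for side-effecting statements."""
    findings = []
    for number, line in enumerate(lines, 1):
        statement = line.strip()
        if not statement or COMMENT_OR_DEFINITION.match(statement):
            continue
        for category, pattern in SIDE_EFFECTS:
            if pattern.search(statement):
                findings.append((number, category, statement))
                break
    return findings

def string_targets(statement):
    """Quoted literals of a statement: the paths, keys and URLs it touches."""
    return re.findall(r'"([^"]*)"', statement)

if __name__ == "__main__":
    for number, category, statement in review(decode_attachment(RAW_EXCERPT)):
        print(f"line {number:3d} [{category}] {statement}")
        for target in string_targets(statement):
            print(f"           -> {target}")
```

Decoding before matching matters: without it the RegDelete statement in the excerpt is split over three physical lines and its registry path over two, so a grep of the raw message would miss or misread it. The listing is a reading aid, not a verdict; it is what you compare against what the mail says the script is supposed to do.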