susan

"taffie for Susan Frederick " wrote:

> Normally, virus warnings tend to be hoaxes, but this one is real:
>
> -------- Original Message --------
> The following analysis is the work of the researchers at Frisk Software
> International, primarily Dr. Vesselin Bontchev and Peter Ferrie.
>
> The worm poses a risk to users that have Windows Scripting Host
> (including Win '98 users, users who have installed IE 5.x in default
> mode, users who have installed WSH specifically, and probably users of
> Windows 2000).
>
> The worm will only spread from infected machines that have Outlook '98
> or Outlook 2000 installed, but it will damage/overwrite files even if
> Outlook is not in use.
>
> The worm is received either as an e-mail attachment or via IRC. If the
> user does not open (double-click on) the attached file, the worm will
> not run or do any damage.
>
> If it is received via e-mail, the Subject: of the message
> is "ILOVEYOU" and the body of the message says
>
> kindly check the attached LOVELETTER coming from me.
>
> The name of the attachment is LOVE-LETTER-FOR-YOU.TXT.vbs
> (which, if the system is configured not to show the
> extensions of the files, will look like a TXT file to the
> user).
>
> If it is received via IRC, it resides in a file named
> LOVE-LETTER-FOR-YOU.HTM.
>
> When executed, the worm makes copies of itself under
> the names MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs
> in the Windows System directory and under the name
> Win32DLL.vbs in the Windows directory. Then it modifies
> the Registry, so that the files Win32DLL.vbs and
> MSKernel32.vbs will be executed every time Windows is
> started.
>
> Then the worm modifies the Registry, changing the
> startup page of the Internet Explorer, so that when IE
> is started, it will download a file named WIN-BUGSFIX.exe
> from one of 4 possible places on http://www.skyinet.net
> (randomly selected) and the Registry is modified, so
> that this file is executed the next time Windows is
> started.
>
> Then the worm creates an HTML version of itself, in a
> file named LOVE-LETTER-FOR-YOU.HTM in the Windows System
> directory.
>
> Next, the worm starts a copy of Outlook in the
> background (only Outlook 98 or 2000 will work - not
> Outlook 97 or Outlook Express). It examines all Outlook
> Address Books and, if an Outlook Address Book contains
> more addresses than the Windows Address Book, the worm
> mass-mails itself to all addresses in that Outlook
> Address Book. (The worm does NOT mass-mail itself to
> any addresses in the Windows Address Book.)
>
> Finally, the worm examines all directories on all hard
> and network drives. If a file has one of the following
> extensions: VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, MP2,
> MP3, JPG or JPEG the worm overwrites the file with a
> copy of itself. If the extension was not VBS or VBE, the
> worm adds the extension VBS to the name of the file -
> so that, for instance, PICTURE.JPG becomes
> PICTURE.JPG.vbs. In case a MP2 or MP3 file was
> overwritten, the worm also sets its file attribute to
> ReadOnly.
>
> If, during this directory traversal, any of the following
> files is found: mirc32.exe, mlink32.exe, mirc.ini,
> script.ini or mirc.hlp, the worm drops in that directory
> a file named SCRIPT.INI which begins with the comments
>
> ;mIRC Script
> ; Please dont edit this script... mIRC will corrupt, if mIRC will corrupt... WINDOWS will affect and will not run correctly. thanks
> ;
> ;Khaled Mardam-Bey
> ;http://www.mirc.com
>
> This file tries to send the file LOVE-LETTER-FOR-YOU.HTM
> from the Windows System directory via IRC's command /DCC
> to all users joining the IRC channel which the infected
> user is on.
>
> The worm sets or modifies the following Registry keys:
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory
> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
>
> The file WIN-BUGSFIX.exe is a Backdoor created in the
> Philippines which collects the network passwords cached
> by Windows and sends them to an attacker's site when the
> infected user connects to the Internet.
> --
> Fridrik Skulason Frisk Software International phone: +354-5-617273
> Author of F-PROT E-mail: frisk@... fax: +354-5-617274
> Barb Baxter
> ----------------------------------------------------------------------