Additional Details
The worm itself is a Win32 application written in VisualBasic. The
worm code seems to be based on the I-Worm.LoveLetter VBS worm (the
worm routines and their names look very similar to the "Loveletter"
ones), and it seems that this worm was created by adapting the
"Loveletter" VBS source to the VisualBasic language.
When run (if a user clicks on the attached infected file) the worm
sends its copies by email, installs itself into the system and
performs destructive actions.
The worm sends itself in email messages with an attached EXE file,
which is the worm itself. The message has:
The Subject: My baby pic !!!
Message body: Its my animated baby picture !!
Attached file name: mybabypic.exe
Being activated by a user (by double-clicking the attached file), the
worm opens MS Outlook, gets access to the Address Book, gets all
addresses from there and sends messages with its attached copy to
all of them. The message subject, body and attached file name are
the same as above.
The worm also installs itself into the system. It creates its
copies in the Windows system directory with the names:
WINKERNEL32.EXE, MYBABYPIC.EXE, WIN32DLL.EXE, CMD.EXE, COMMAND.EXE
and registers three of them in the Windows auto-run section of the
system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mybabypic = %WinSystem%\mybabypic.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINKernel32 = %WinSystem%\WINKernel32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices = %WinSystem%\Win32DLL.exe
where %WinSystem% is the Windows system directory. As a result the
worm is re-activated each time Windows boots up. The worm also
creates the registry key:
HKCU\Software\Bugger
Default = HACK[2K]
mailed = %number%
where %number% is a number from 0 to 3 and depends on which stage
the worm is currently performing or has completed: installing,
spreading, activating its payload routine.
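The registry entries listed above are the worm's persistence and state markers, so they are the first thing a responder checks on a suspected host. The following script is an added example, not code from Kaspersky Lab or from the worm: it models the registry as a {key: {value_name: data}} dictionary so the check runs offline, and read_live_registry() shows how that model can be filled from winreg on a Windows host. The key paths and executable names come from the analysis; the sample data is constructed, and because the analysis does not give a value name for the RunServices entry, the check matches on the target file name rather than the value name.

```python
"""Triage helper for the persistence entries described in the analysis.
Added example (not Kaspersky Lab's or the worm's code); registry modelled
as {key: {value_name: data}}, sample data constructed."""
from typing import Dict, List

RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
MARKER_KEY = r"HKCU\Software\Bugger"
# Executables the worm registers for auto-run (per the analysis).
WORM_EXES = frozenset({"mybabypic.exe", "winkernel32.exe", "win32dll.exe"})

Registry = Dict[str, Dict[str, str]]


def _basename(data: str) -> str:
    # Run values may be quoted or use either separator; compare the file name only.
    return data.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_persistence(registry: Registry) -> List[str]:
    """One finding per auto-run value that points at a worm executable,
    plus one for the HKCU\\Software\\Bugger marker key if it exists."""
    findings: List[str] = []
    for key in RUN_KEYS:
        for name, data in registry.get(key, {}).items():
            # Match on the target file, not the value name: the analysis
            # does not give a value name for the RunServices entry.
            if _basename(data) in WORM_EXES:
                findings.append(f"{key}\\{name} -> {data}")
    marker = registry.get(MARKER_KEY)
    if marker is not None:
        # "mailed" is 0..3 and tracks the worm's stage; report it as-is.
        findings.append(
            f"{MARKER_KEY} present (Default={marker.get('Default')!r}, "
            f"mailed={marker.get('mailed')!r})"
        )
    return findings


def read_live_registry() -> Registry:
    """Fill the model from a live Windows host (winreg is Windows-only)."""
    import winreg

    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    out: Registry = {}
    for key in RUN_KEYS + (MARKER_KEY,):
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                values, index = {}, 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(handle, index)
                    except OSError:
                        break  # no more values under this key
                    values[name or "Default"] = str(data)
                    index += 1
                out[key] = values
        except OSError:
            continue  # key absent: nothing to report
    return out


def constructed_infected_registry() -> Registry:
    """Constructed sample modelling a host after the worm installed itself."""
    return {
        RUN_KEYS[0]: {
            "mybabypic": r"C:\WINDOWS\SYSTEM\mybabypic.exe",
            "WINKernel32": r"C:\WINDOWS\SYSTEM\WINKernel32.exe",
            "Vendor Updater": r"C:\Program Files\Vendor\upd.exe",  # benign
        },
        # The analysis gives no value name for this entry; this name is made up.
        RUN_KEYS[1]: {"(constructed name)": r"C:\WINDOWS\SYSTEM\Win32DLL.exe"},
        MARKER_KEY: {"Default": "HACK[2K]", "mailed": "1"},
    }


def constructed_clean_registry() -> Registry:
    """Constructed sample of a host without the worm."""
    return {RUN_KEYS[0]: {"Vendor Updater": r"C:\Program Files\Vendor\upd.exe"}}


if __name__ == "__main__":
    for line in find_persistence(constructed_infected_registry()):
        print(line)
```

On the constructed infected sample the check reports the two Run values, the RunServices value and the marker key; the benign "Vendor Updater" entry is ignored because only the target file name is compared.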
The payload routine is quite large. Depending on the system
date and time the worm:
- switches on/off the NumLock, CapsLock and ScrollLock keys
- sends to the keyboard buffer the message:
.IM_BESIDES_YOU_
- connects to the www.youvebeenhack.com site and sends one of these
texts there:
FROM BUGGER
HAPPY VALENTINES DAY FROM BUGGER
HAPPY HALLOWEEN FROM BUGGER
The worm also corrupts and/or affects other files. It scans
subdirectory trees on all available drives, lists all files there
and, depending on the filename extension, performs these actions:
VBS, VBE: the worm destroys these files' contents.
JS, JSE, CSS, WSH, SCT, HTA, PBL, CPP, PAS, C, H: the worm
creates a new file with the original filename plus ".EXE" extension
and copies its body there, and then deletes the original file,
i.e. the worm overwrites these files with its code and renames
them with the EXE extension. For example, "TEST.CPP" becomes
"TEST.EXE".
JPG, JPEG: the worm does the same as above, but adds the ".EXE"
extension to the full file name (does not rename to ".EXE"). For
example, "PIC1.JPG" becomes "PIC1.JPG.EXE".
MP2, MP3, M3U: the worm creates a new file with ".EXE" extension
(for "SONG.MP2" the worm creates the "SONG.MP2.EXE" file), writes
its code there and sets the file attribute "hidden" on the
original file.
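The file actions above leave a recognisable footprint: double extensions such as PIC1.JPG.EXE, originals left hidden next to an .EXE copy, script files whose contents were destroyed, and many byte-identical .EXE files scattered across the tree (the same body written into every renamed source file). The scanner below is an added example, not code from Kaspersky Lab or from the worm; it walks a tree and reports those four patterns. The cluster threshold and the zero-length heuristic for destroyed .VBS/.VBE files are assumptions, the hidden-attribute check only works on Windows, and the sample tree it builds is constructed.

```python
"""Scan a directory tree for the file-corruption artifacts described in the
analysis.  Added example (not Kaspersky Lab's or the worm's code); cluster
threshold and zero-length heuristic are assumptions, sample tree constructed."""
import hashlib
import os
import stat
import tempfile
from collections import defaultdict
from functools import lru_cache
from pathlib import Path

# Extensions the analysis says become "<name>.<ext>.EXE" with the original kept.
DOUBLE_EXT = (".jpg.exe", ".jpeg.exe", ".mp2.exe", ".mp3.exe", ".m3u.exe")
MIN_CLUSTER = 3  # assumed: identical .exe bodies in 3+ places is worth a look


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _is_hidden(path: Path) -> bool:
    # st_file_attributes exists only on Windows; elsewhere report "not hidden".
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_tree(root) -> dict:
    """Return the artifact groups found under root."""
    double_ext, hidden_originals, emptied_scripts = [], [], []
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(DOUBLE_EXT):
                double_ext.append(str(path))
                original = path.with_suffix("")  # PIC1.JPG.EXE -> PIC1.JPG
                if original.exists() and _is_hidden(original):
                    hidden_originals.append(str(original))
            if lower.endswith((".vbs", ".vbe")) and path.stat().st_size == 0:
                emptied_scripts.append(str(path))  # heuristic for "contents destroyed"
            if lower.endswith(".exe"):
                by_hash[_sha256(path)].append(str(path))
    clusters = {h: sorted(p) for h, p in by_hash.items() if len(p) >= MIN_CLUSTER}
    return {
        "double_ext": sorted(double_ext),
        "hidden_originals": sorted(hidden_originals),
        "emptied_scripts": sorted(emptied_scripts),
        "identical_exe_clusters": clusters,
    }


# --- constructed sample tree (stand-in bytes, not files from an infection) ---
FAKE_WORM_BODY = b"MZ constructed stand-in for the worm body\n"


def build_constructed_sample(root) -> None:
    root = Path(root)
    layout = {
        "photos/PIC1.JPG": b"\xff\xd8 jpeg bytes",
        "photos/PIC1.JPG.EXE": FAKE_WORM_BODY,
        "music/SONG.MP2": b"mp2 bytes",
        "music/SONG.MP2.EXE": FAKE_WORM_BODY,
        "src/TEST.EXE": FAKE_WORM_BODY,        # TEST.CPP overwritten and renamed
        "tools/legit.exe": b"MZ some unrelated program",
        "scripts/run.vbs": b"",                # contents destroyed
        "scripts/ok.vbs": b"WScript.Echo 1",
    }
    for rel, body in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


@lru_cache(maxsize=None)
def demo_scan() -> dict:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for kind, items in demo_scan().items():
        print(kind, items)
```

The identical-.EXE cluster is the most useful of the four signals for the source-file case (CPP, PAS, C, H and so on), because after overwrite-and-rename nothing in the name distinguishes TEST.EXE from a legitimate program, but the worm writes the same body everywhere, so hashing every .EXE and grouping by digest surfaces the whole set at once.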
[Analysis: Eugene Kaspersky, KL; February 2001]