Email-Worm:VBS/LoveLetter

Classification

Category :

Malware

Type :

Email-Worm

Aliases :

Email-Worm:VBS/LoveLetter, VBS/LoveLetter, Email-Worm.VBS.LoveLetter, I-Worm.LoveLetter, LoveLetter

Summary

Email-Worm:VBS/LoveLetter is a worm written in Visual Basic Script. It spreads through email as a chain letter, using the Microsoft Outlook email application to send itself. The worm can also spread through an mIRC client.

Removal

Manual removal of the LoveLetter worm can be done by deleting the following files from the infected machine:

  • All "*.VBS" files from all drives and all subdirectories.
  • The file LOVE-LETTER-FOR-YOU.HTM from the Windows System directory.
  • WIN-BUGSFIX.EXE and WINFAT32.EXE from the Internet Explorer download directory.
  • If you are using mIRC, delete the "script.ini" file from the mIRC installation directory.


Technical Details

LoveLetter was found globally in-the-wild on May 4th, 2000. It seems to originate from the Philippines.

The virus contains the following text at the beginning of the code:

  • barok -loveletter(vbe) by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines

Installation

When it is executed, it first copies itself to the Windows System directory as:

  • MSKernel32.vbs
  • LOVE-LETTER-FOR-YOU.TXT.vbs

and to the Windows directory as:

  • Win32DLL.vbs

Then it adds itself to the registry, so that it will be executed when the system is restarted. It adds the following registry keys:

After that the worm replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe". If the file is downloaded, the worm adds it to the registry as well, which causes the program to be executed when the system is restarted.

Payload

The executable part the LoveLetter worm downloads from the web is a password-stealing trojan. On system startup the trojan tries to find a hidden window named 'BAROK...'. If it is present, the trojan exits immediately; otherwise the main routine takes control. The trojan checks for the WinFAT32 subkey in the following Registry key:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

If the WinFAT32 subkey is not found, the trojan creates it, copies itself to the \Windows\System\ directory as WINFAT32.EXE and then runs the file from that location. This registry modification causes the trojan to become active every time Windows starts. Then the trojan sets the Internet Explorer startup page to 'about:blank'. After that the trojan tries to find and delete the following keys:

  • Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
  • Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
  • .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
  • .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching

Then the trojan registers a new window class, creates a hidden window titled 'BAROK...' and remains resident in memory as a hidden application. Immediately after startup, and when its timer counters reach certain values, the trojan loads the MPR.DLL library, calls the WNetEnumCachedPasswords function and sends the stolen RAS passwords and all cached Windows passwords to the email address 'mailme@super.net.ph', which most likely belongs to the trojan's author. The trojan uses the mail server 'smtp.super.net.ph' to send the emails. The email's subject is 'Barok... email.passwords.sender.trojan'. The trojan's body contains the author's copyright message:

  • barok ...i hate go to school suck ->by:spyder @Copyright (c) 2000 GRAMMERSoft Group >Manila,Phils.

There are also some encrypted text messages in the trojan's body for its own use.

Propagation (email)

The worm then uses Outlook to mass-mail itself to everyone in each address book. The message it sends looks like this:

  • Subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

LoveLetter sends the mail once to each recipient. After the mail has been sent, it adds a marker to the registry and does not mass-mail itself again.

The virus then searches all folders on all local and remote drives for certain file types and overwrites them with its own code. Files with a "vbs" or "vbe" extension are overwritten in place. For files with the extensions ".js", ".jse", ".css", ".wsh", ".sct" and ".hta", the virus creates a new file with the same name but the extension ".vbs", and deletes the original. After this has been done, the virus locates files with ".jpg" and ".jpeg" extensions, adds a new file next to each one and deletes the original. Then the virus locates ".mp3" and ".mp2" files, creates a new file and hides the original. In both cases the new file has the original name with the additional extension ".vbs": for example, a picture named "pic.jpg" causes a new file called "pic.jpg.vbs" to be created.
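As an added defender-side example (not F-Secure's tool and not the worm's code), the following Python script classifies the file artifacts described above: the dropped component names, the "name.ext.vbs" files left where scripts and images were replaced or media files hidden, and existing .vbs scripts overwritten with the worm's code, recognised by the "barok -loveletter(vbe)" text quoted earlier. The category names and the constructed sample tree are this example's own assumptions.

```python
# Added triage example (not F-Secure's tool): classify the LoveLetter file
# artifacts described above. Names, extensions and the marker string come from
# the description; function and category names are this example's own.
from pathlib import Path

DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
           "love-letter-for-you.htm", "win-bugsfix.exe", "winfat32.exe"}
RENAMED = {".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg", ".jpeg"}  # original deleted
HIDDEN = {".mp3", ".mp2"}                                                   # original hidden
MARKER = b"barok -loveletter(vbe)"   # text at the start of the worm's code

def has_marker(path):
    """True if the worm's signature string appears in the first 4 KiB of the file."""
    try:
        return MARKER in path.read_bytes()[:4096].lower()
    except OSError:
        return False

def classify(path):
    """Artifact category for one file, or None if it matches nothing described."""
    if path.name.lower() in DROPPED:
        return "dropped-component"
    if path.suffix.lower() not in {".vbs", ".vbe"}:
        return None
    inner = Path(path.stem).suffix.lower()        # "pic.jpg.vbs" -> ".jpg"
    if inner in RENAMED:
        return "script-or-image-replaced"         # original was deleted by the worm
    if inner in HIDDEN:                           # original should still exist, hidden
        hidden_ok = path.with_name(path.stem).exists()
        return "media-copy-original-hidden" if hidden_ok else "media-copy-original-missing"
    return "vbs-overwritten" if has_marker(path) else None   # existing script overwritten

def triage(root):
    """Walk root and group suspicious files by category (paths relative to root)."""
    found = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (cat := classify(p)):
            found.setdefault(cat, []).append(p.relative_to(root).as_posix())
    return found

def build_sample(root):
    """Constructed infected-looking tree for demonstration; not a real sample."""
    (root / "system").mkdir()
    (root / "system" / "MSKernel32.vbs").write_bytes(b"rem " + MARKER)
    (root / "pic.jpg.vbs").write_bytes(b"rem " + MARKER)   # pic.jpg was deleted
    (root / "song.mp3").write_bytes(b"\x00")               # original kept (hidden on Windows)
    (root / "song.mp3.vbs").write_bytes(b"rem " + MARKER)
    (root / "logon.vbs").write_bytes(b"rem " + MARKER)     # existing script overwritten
    (root / "clean.vbs").write_bytes(b"WScript.Echo 1")    # untouched script, must not match
    (root / "notes.txt").write_bytes(b"hello")
```

Point triage() at a mounted copy of the suspect drive, or call build_sample() on a temporary directory to see the categories on the constructed tree.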

Propagation (IRC)

The worm creates an HTML file called "LOVE-LETTER-FOR-YOU.HTM" in the Windows System directory. This file contains the worm, and it is sent using mIRC whenever another person joins an IRC channel that the infected user is in. To accomplish this the worm replaces the "script.ini" file in the mIRC installation directory.