This is the Internet worm that caused the global epidemic at the beginning of May 2000. The worm spreads via e-mail by sending infected messages from affected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book. As a result, an infected computer sends as many messages as there are addresses kept in the MS Outlook contacts list.

The worm is written in the scripting language “Visual Basic Script” (VBS). It operates only on computers on which the Windows Scripting Host (WSH) has been installed. In Windows 98 and Windows 2000, WSH is installed by default. To spread itself, the worm accesses MS Outlook and uses its functions and address lists, which are available in Outlook 98/2000 only, so the worm is able to spread only if one of these MS Outlook versions is installed.

When run, the worm sends its copies by e-mail, installs itself into the system, performs destructive actions, and downloads and installs a Trojan program. The worm also has the ability to spread through mIRC channels.

By: spyder / / Group / Manila,Philippines

The worm arrives on a computer as an e-mail message with an attached VBS file that is the worm itself. The message in the original worm version has:

Message body: kindly check the attached LOVELETTER coming from me.
Attached file name:

Upon activation by a user (by double clicking on an attached file), the worm opens MS Outlook, gains access to the Address Book, gets all addresses from there and sends messages with its attached copy to all of them. The message subject, body and attached file name are the same as above.

The worm also installs itself into the system. It creates its copies in the Windows directories with the names:

In Windows system directory: MSKERNEL32.VBS,

These files are then registered in the Windows auto-run section in the system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = MSKERNEL32.VBS
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = Win32DLL.VBS

As a result, the worm is re-activated each time Windows boots up. The worm also creates an HTM dropper in the Windows system directory to use it while spreading to mIRC channels (see below).

To install the Trojan program to the system, the worm modifies the URL of the Internet Explorer start page. The new URL points to a Web site (randomly selected from four variants) and forces Explorer to download an EXE file from there. That file has the WIN-BUGSFIX.EXE name and is the Trojan program. The worm then registers this file in the system registry in an auto-run section:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX = WIN-BUGSFIX.exe

Upon the next run, Internet Explorer downloads the Trojan and stores it in the Download directory in the system. Upon the next Windows startup, the Trojan gets control, and copies itself to the Windows system directory with WINFAT32.EXE name. When the Trojan has been installed into the system, the worm sets the Internet Explorer start page to blank (“about:blank”).

The downloaded and installed file is a password-stealing Trojan. It obtains the local machine name and IP address, network login(s) and password(s), RAS information, etc., and sends them to the Trojan host. The samples that have been analyzed send messages to the message subject looks

The worm scans local drives and looks for files:
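
Added example, not part of the original description: one way to check a machine for the auto-run entries listed on this page is to scan an exported registry file for them. The function names and the sample export (including its directory paths and the "Updater" value name) are constructed for illustration; only the three indicators come from the page.

```python
import re

# Auto-run entries named on this page: (registry key suffix, value name, file name).
INDICATORS = [
    (r"CurrentVersion\Run", "MSKernel32", "MSKERNEL32.VBS"),
    (r"CurrentVersion\RunServices", "Win32DLL", "Win32DLL.VBS"),
    (r"CurrentVersion\Run", "WIN-BUGSFIX", "WIN-BUGSFIX.exe"),
]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in regedit-style export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg exports escape each backslash in value data as two backslashes
            yield key, m["name"], m["data"].replace("\\\\", "\\")

def find_loveletter_autoruns(text):
    """Return entries under Run/RunServices whose value name or target file matches."""
    hits = []
    for key, name, data in parse_reg_export(text):
        target = data.rsplit("\\", 1)[-1].lower()  # file name without its directory
        for suffix, ind_name, ind_file in INDICATORS:
            if key.lower().endswith(suffix.lower()) and (
                name.lower() == ind_name.lower() or target == ind_file.lower()
            ):
                hits.append((key, name, data))
                break
    return hits

# Constructed sample export: one benign entry, one renamed value pointing at the Trojan.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"Updater"="C:\\WINDOWS\\Downloads\\win-bugsfix.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"
'''

if __name__ == "__main__":
    for key, name, data in find_loveletter_autoruns(SAMPLE):
        print(f"{key}\\{name} -> {data}")
```

Matching on the target file name as well as the value name catches an entry whose value was renamed but still launches one of the listed files.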