Virus Encyclopedia

LoveLetter.A

Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

LoveLetter.A carries out the following actions:

  • It downloads the file WIN-BUGSFIX.EXE from a web page.
    This file is a Trojan detected by Panda Security as Barok, which steals passwords from the affected computer. LoveLetter.A runs this file and then assigns it the name WINFAT32.EXE.
  • It collects confidential information from the affected computer every 48 seconds, from the day after infection. It collects the following information:
    - Windows passwords.
    - Personal data included in the affected user's Remote Access Services (RAS) phone book: name, password, user's telephone number (including the country and area code), the computer's IP address and the DNS and WINS of the server used for the connection (primary and secondary).
  • It sends the information collected from the affected computer to the e-mail address mailme@super.net.ph.
  • It overwrites the contents of all files with a VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, JPG, JPEG, MP3 or MP2 extension, so their contents are lost and cannot be recovered.

Infection strategy 

LoveLetter.A creates the following files:

  • MSKERNEL32.VBS in the Windows system directory. This file is a copy of the worm.
  • WIN32DLL.VBS in the Windows directory. This file is another copy of the worm.
  • LOVE-LETTER-FOR-YOU.TXT.VBS, in the Windows system directory. This file is a copy of the worm, which will be sent out via e-mail.
  • LOVE-LETTER-FOR-YOU.HTM in the Windows system directory. This is the file that LoveLetter.A will send out via IRC.
  • SCRIPT.INI, which is the file that LoveLetter.A uses to ensure that it spreads via IRC. It only creates this file if the program mIRC is installed in the affected computer.
    LoveLetter.A checks if the mIRC program is installed by looking for the files MIRC32.EXE, MLINK32.EXE, MIRC.INI, SCRIPT.INI or MIRC.HLP on the affected computer's hard disk or on the network drives that can be accessed from it.
  • LoveLetter.A creates a copy of itself whenever it finds a file with an MP3 or MP2 extension. This copy will have the same name as the original file, but the worm will add the extension VBS (a file called SONG.MP3 would be changed to SONG.MP3.VBS).
    Then, LoveLetter.A hides the original file.

LoveLetter.A modifies the following files:

  • Files with a VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, MP3 and MP2 extension. It changes the extension of the original files to VBS and overwrites the contents of each one, modifying their size.
    For example, a file called STYLE.CSS would be changed to STYLE.VBS.
  • Files with a JPG or JPEG extension. It adds the extension VBS and overwrites the content, modifying the size of each one.
    A file called IMAGE.JPG would be changed to IMAGE.JPG.VBS.
    Then, LoveLetter.A hides the original file.

LoveLetter.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    MSKernel32 = %sysdir%\MSKernel32.vbs
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Win32DLL = %windir%\Win32DLL.vbs

    where %sysdir% is the Windows system directory, and %windir% is the Windows directory.
    By creating these two entries, LoveLetter.A ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Start Page = http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe

    This entry enables LoveLetter.A to download from a certain website the file WIN-BUGSFIX.EXE, which belongs to the Trojan Barok.

Then, LoveLetter.A runs the file WIN-BUGSFIX.EXE, changes its name to WINFAT32.EXE and carries out the following actions:

  • It looks for a window with the title Connect to (remote access service) every 150 milliseconds. It only does this in computers with the operating system installed in English.
  • If it finds this window, it writes its own password, which allows it to establish RAS connections (to the Internet).
    Then, every 150 milliseconds it enables the checkbox Save password. By doing this, it ensures that the access password it has entered is always available for establishing connections.
  • From the day after it has affected the computer, LoveLetter.A collects information about the affected user's RAS connection: name, password, telephone number (including the country and area code), etc.
  • LoveLetter.A sends the information it has gathered to the e-mail address mailme@super.net.ph.
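As an added illustration that is not part of the Panda entry, the following Python triage routine checks a file listing and a registry snapshot (both constructed here) for the artefacts listed above: the worm copies, the double-extension copies left next to media files, the Run/RunServices entries and the modified Start Page. The sample paths and the download URL are placeholders, not values from a real host.

```python
import re
from pathlib import PureWindowsPath

# Worm copies named in the entry (filename only; the directory is not checked here).
WORM_FILES = {"mskernel32.vbs", "win32dll.vbs",
              "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
# Double-extension copies left beside media files: SONG.MP3 -> SONG.MP3.VBS, IMAGE.JPG -> IMAGE.JPG.VBS
DOUBLE_EXT = re.compile(r"\.(mp3|mp2|jpe?g)\.vbs$")
# Persistence values named in the entry: registry key -> value name (compared case-insensitively)
RUN_VALUES = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": "mskernel32",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices": "win32dll",
}
START_PAGE_KEY = r"hkey_current_user\software\microsoft\internet explorer\main"

def triage_files(paths):
    """Return (indicator, path) pairs for paths whose filename matches a known artefact."""
    hits = []
    for path in paths:
        name = PureWindowsPath(path).name.lower()
        if name in WORM_FILES:
            hits.append(("worm-copy", path))
        elif DOUBLE_EXT.search(name):
            hits.append(("double-extension", path))
    return hits

def triage_registry(snapshot):
    """snapshot: {key_path: {value_name: data}}. Return (indicator, key, value) triples."""
    # Lower-case key and value names so the lookup ignores case differences.
    reg = {k.lower(): {v.lower(): d for v, d in vals.items()} for k, vals in snapshot.items()}
    hits = []
    for key, value in RUN_VALUES.items():
        if reg.get(key, {}).get(value, "").lower().endswith(".vbs"):
            hits.append(("autorun-vbs", key, value))
    if "win-bugsfix" in reg.get(START_PAGE_KEY, {}).get("start page", "").lower():
        hits.append(("startpage-download", START_PAGE_KEY, "start page"))
    return hits

# Constructed sample input (not from a real host); the URL is a placeholder, not the one in the entry.
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\MSKERNEL32.VBS", r"C:\WINDOWS\WIN32DLL.VBS",
                r"C:\My Music\SONG.MP3", r"C:\My Music\SONG.MP3.VBS",
                r"C:\WINDOWS\SYSTEM\kernel32.dll"]
SAMPLE_REG = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run":
        {"MSKernel32": r"C:\WINDOWS\SYSTEM\MSKernel32.vbs"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main":
        {"Start Page": "http://placeholder.invalid/WIN-BUGSFIX.exe"},
}

if __name__ == "__main__":
    for hit in triage_files(SAMPLE_FILES) + triage_registry(SAMPLE_REG):
        print(*hit)
```

The filename checks deliberately ignore the directory, so a copy dropped somewhere other than the Windows directories is still reported.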

Means of transmission 

LoveLetter.A spreads via e-mail and the chat program IRC.

1.- Transmission via e-mail.

LoveLetter.A follows the routine below:

  • It reaches the computer in an e-mail message with the following characteristics:

    Subject:
    ILOVEYOU

    Message:
    kindly check the attached LOVELETTER coming from me

    Attachments:
    LOVE-LETTER-FOR-YOU.TXT.VBS
  • The computer is affected when the attached file is run.
  • LoveLetter.A sends itself out to all the contacts in the Address Book.

2.- Transmission via IRC.

  • LoveLetter.A only uses this means if the mIRC program is installed.
  • When the affected user joins an IRC chat channel, LoveLetter.A sends the file LOVE-LETTER-FOR-YOU.HTM to all the users connected to the channel at the time.

Further Details  

LoveLetter.A is written in the programming language Visual Basic Script. This worm is 10,307 bytes in size.

The e-mail message sent by LoveLetter.A with the information gathered on the affected computer has the following format:

From: test@192.168.8.36
To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Date: Fri, 5 May 2000 05:17:28 +0200
Message-Id:
Host: <name of the affected computer>
Username: <name of the affected user>
IP Address: <IP address, in xxx.xxx.xxx.xxx format>
RAS Passwords: <connection details>
U: <user>
P: <password>
N#: <phone number of the RAS connection in the format (cc)pp-nnnnnnn>
Cache Passwords: <List of cached passwords>

This message always uses the same sender (test@192.168.8.36), recipient (mailme@super.net.ph) and subject (Barok...email.passwords.sender.trojan---by: spyder).
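As an added example that is not part of the Panda entry, the following Python filter uses the standard library e-mail parser to label a message either as the ILOVEYOU lure described under Transmission via e-mail or as the Barok exfiltration message whose format is shown above. The sample messages are constructed; the example.invalid addresses, the PLACEHOLDER-PC host name and the attachment body are placeholders.

```python
from email import message_from_string

# Fixed strings taken from the entry: the lure message and the Barok exfiltration message.
LURE_SUBJECT = "ILOVEYOU"
LURE_ATTACHMENT = "love-letter-for-you.txt.vbs"
EXFIL_RECIPIENT = "mailme@super.net.ph"
EXFIL_SUBJECT_PREFIX = "barok..."

def attachment_names(msg):
    """Lower-cased filenames of every MIME part that carries one."""
    return [part.get_filename().lower() for part in msg.walk() if part.get_filename()]

def classify(raw):
    """Label one RFC 822 message: lure, exfil, generic double-extension VBS, or clean."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    recipient = (msg.get("To") or "").strip().lower()
    names = attachment_names(msg)
    if subject == LURE_SUBJECT and LURE_ATTACHMENT in names:
        return "loveletter-lure"
    if recipient == EXFIL_RECIPIENT or subject.lower().startswith(EXFIL_SUBJECT_PREFIX):
        return "barok-exfil"
    # A script attachment hiding behind a second extension is worth flagging on its own.
    if any(n.endswith(".vbs") and n.count(".") >= 2 for n in names):
        return "double-extension-vbs"
    return "clean"

# Constructed sample messages (not real captures); the attachment body is a placeholder, not the worm.
LURE = (
    "From: friend@example.invalid\nTo: victim@example.invalid\nSubject: ILOVEYOU\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nkindly check the attached LOVELETTER coming from me\n"
    '--b1\nContent-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.VBS"\n'
    'Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.VBS"\n\n'
    "rem placeholder, not the worm\n--b1--\n"
)
EXFIL = (
    "From: test@192.168.8.36\nTo: mailme@super.net.ph\n"
    "Subject: Barok... email.passwords.sender.trojan\n"
    "X-Mailer: Barok... email.passwords.sender.trojan---by: spyder\n\n"
    "Host: PLACEHOLDER-PC\nUsername: placeholder\n"
)
CLEAN = "From: a@example.invalid\nTo: b@example.invalid\nSubject: lunch?\n\nnoon works\n"

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("exfil", EXFIL), ("clean", CLEAN)):
        print(label, "->", classify(raw))
```

Matching the outbound message on its fixed recipient or subject is what lets a mail gateway catch the exfiltration even when the lure itself was missed.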