Table of Contents
If you have Loveletter spyware installed on your computer, this guide can help you fix it.
Approved
Technical Details
This is the Internet worm that caused the current global epidemic in May 2000. This worm spreads like email, sending messages from
affected computers. When spreading, the worm works with MS Outlook and forwards to itself all the addresses stored in the MS Outlook address book. As a result, the infected computer sends many messages to many addresses stored in the current MS Outlook contact list.
The worm is likely written in the basic scripting language “Visual Script” (VBS). It only works on computers that have a full Windows Scripting Host (WSH) installed. In Windows 98 and Windows 2007, WHS is installed by default. To
propagates, the worm gains access to MS Outlook and uses its functions and solution lists, which are only available in Outlook 98/2000, so the worm
can only be distributed if this version of MS Outlook is properly installed.
When launched, the worm sends its real copies by e-mail, installs itself according to the system, performs destructive actions, downloads and installs the Trojan. wormь can also be distributed via mIRC channels.
baroque-loveletter(vbe)
from: spyder and [email protected] via @GRAMMERSoft Group / Manila, Philippines
Spread
The worm arrives on the computer as an e-mail message with an associated VBS file, which is the worm itself. Message in the old version of the worm:
When activated by this user, the Double worm launches (by clicking on a very good attached file) MS Outlook, accesses the address book and receives all addresses from there in full The worm also installs itself on the host system. It creates copies of itself found in Windows with directories with our names: These files are then written back to the system registry during Windows autostart: HKLMSoftwareMicrosoftWindowsCurrentVersionRunMSKernel32=MSKERNEL32.VBS HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesWin32DLL = Win32DLL.VBS The ASR Pro repair tool is the solution for a Windows PC that's running slowly, has registry issues, or is infected with malware. This powerful and easy-to-use tool can quickly diagnose and fix your PC, increasing performance, optimizing memory, and improving security in the process. Don't suffer from a sluggish computer any longer - try ASR Pro today! As a result, the specific worm is reactivated each time Windows is restarted. worm This also creates any type of HTM dropper in the Windows policy catalog for use when publishing to mIRC channels (see below). This copy is titled LOVE-LETTER-FOR-YOU: .TXT.HTM In order to install the Trojan on the system, the worm changes the URL of the Internet Explorer home page. The new URL points to a website (randomly selected from four options) and causes File Explorer to download the EXE file =hklmsoftwaremicrosoftwindowscurrentversionrunwin-bugsfix WIN-BUGSFIX.exe The next time I run it, Internet Explorer downloads my trojan cache and usually ends up in the system download directory. The next time you start Windows, the Trojan will take control and If the Trojan was installed by default, the worm sets the Internet Explorer home page to “about:blank”. The downloaded and installed file is a Trojan that steals passwords. It gets your local computer and IP address, network logins and passwords, RAS email.passwords.sender.trojan MIRC32.EXE, MLINK32.EXE, MIRC.INI, SCRIPT.INI, MIRC.HLP In extreme cases, at least one of these found files is likely to be in a subdirectory of the worm mIRC script Khaled Mardam Bey When an IRC user receives this HTML code, they are re-infected in the IRC download directory. The worm is then activated from the idea file only when the user clicks on it. Since the browser’s security settings do not allow scripts to guarantee that you are accessing files on disk and displaying a message, the worm uses a trick to prevent this. First, the scammer will see the message: This HTML file requires an ActiveX
Message text: Please check the attached LOVE LETTER from me.
Attached concept file: LOVE-LETTER-FOR-YOU.TXT.vbs
and sends messages to everyone with a copy attached. The subject, text and name of the lodge attached to the message are always the same.
Approved
Download Trojan horse file
Belonging. The file is called WIN-BUGFIX.EXE and is a Trojan. The worm then saves this file in the system registry in a new autorun section:
copy t itself into the exact Windows directory system named WINFAT32.EXE.
information, etc. And sends them to the owner of the Trojan. Recently scanned samples send messages to “[email protected]”, often with a subject line like this
like the next Baroque…:Broadcast on IRC channels
puts a big new SCRIPT.INI file there. This file contains mIRC
instructionsthat the mail worm (LOVE-LETTER-FOR-YOU.TXT.File) copies htm if you want all users
join a corrupt IRC channel.
Please don’t modify this script… mIRC will most likely becorrupted if mIRC does this
damaged… WINDOWS will be damaged and will not work properly. thank you
http://www.mirc.com
control
