
Email.Worm.Win32.Loveletter Source Code
Email.Worm.Win32.Loveletter Source Code #1
For research purposes only.  Do not attempt to compile and run malicious code unless you know exactly what you are doing.

Loveletter arrives in an email with the subject line of "ILOVEYOU" with an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs" that people were encouraged to open. The message body is "kindly check the attached LOVELETTER coming from me." The sender line will be the address it was sent from. The user must download and execute the worm by clicking on it.

The worm may also come from an infected computer on the same IRC channel using mIRC. The worm will be in an infected HTML document named LOVE-LETTER-FOR-YOU.TXT.HTM downloaded into the IRC downloads folder. The user must access the .htm file to activate the worm.

Internet Explorer security settings do not allow scripts to access disk files and will display a warning when they try to. To work around this, the worm displays a message telling the user to give ActiveX control to the .htm file. If the user clicks on "Yes", the worm will infect the system. If the user clicks on "No", the worm reloads the message in an infinite loop until the user clicks on "Yes" to allow it to infect the system.

When the worm is executed, it copies itself as the files LOVE-LETTER-FOR-YOU.TXT.VBS and MSKERNEL32.VBS in the Windows system folder and WIN32DLL.VBS in the Windows directory. It creates its own key named MSKernel32 under the Local Machine registry key that causes programs to run and adds the value MSKERNEL32.VBS to it. It also creates a new Local Machine RunServices key named Win32DLL and adds WIN32DLL.VBS as a value to it, so it will run when the system boots, before the user even logs on.

The worm sets the Internet Explorer start page to one of four randomly chosen webpages so that it downloads the file WIN-BUGSFIX.EXE, a trojan. It then adds a registry key for it in the same manner that it registered its own files, so it will run at startup. After the WIN-BUGSFIX.EXE program has been run, it copies itself to the Windows system folder as WinFAT32.EXE, and replaces the WIN-BUGSFIX.EXE registry key with one for itself. This file obtains the system's logins, passwords, machine name, IP address, RAS information and some other information about the computer and sends it to mailme@super.net.ph.

Loveletter searches for files to modify, mostly by replacing those files with a copy of itself. If the file has a .vbs or .vbe extension, it will simply overwrite the files. If they have the extensions js, jse, css, wsh, sct, or hta, it will overwrite the file as well as the extension, changing it to .vbs, but retaining the original name (program.js becomes program.vbs). For .jpg or .jpeg files, it overwrites them, retains the original file name and extension, but adds .vbs to the extension (picture.jpg becomes picture.jpg.vbs). Mp3 and mp2 files are not overwritten, but rather hidden.

Loveletter opens the Outlook email program and scans for email addresses in the Address Book. It sends the email with an attached copy of itself.

The worm scans for the files mirc32.exe, mlink32.exe, mirc.ini, script.ini and mirc.hlp. If it finds one or more of these files, it will generate a new script.ini and place it in the directory where the files are found. The script contains instructions to send the file LOVE-LETTER-FOR-YOU.TXT.HTM to all users on the same IRC channel as well as a comment:

 ;mIRC Script"
 ;  Please dont edit this script... mIRC will corrupt, if mIRC will
 ;     corrupt... WINDOWS will affect and will not run correctly. thanks"
 ;Khaled Mardam-Bey

There were also several variants of this worm shortly following the original. Loveletter being a script worm, variants were relatively easy to create as the source code was the worm itself. Most are unremarkable, usually with a few changes to the text, if even that.

The B variant was modified in Lithuania, and the subject field of the sent e-mail messages is "Susitikim shi vakara kavos puodukui…", which is Lithuanian and means "Let's meet this evening for a cup of coffee…"

Loveletter.CN carries a copy of a CIH variant. It attempts to entice the user with a naked picture of Jennifer Lopez on a beach. It overwrites files with the extensions VBS, VBE, JS, JSE, WSH, HTA, JPG, JPEG, MP2, MP3, SCT and CSS. Files with extensions of CSS, HTA, JS, JSE, SCT, and WSH get changed to a VBS. VBS gets added as a second extension to JPG, JPEG, MP2 and MP3 files.


The source code can be found here: http://pastebin.com/G9qvXKxY

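The post above lists the worm's footprint (Run/RunServices values, dropped files, the extension rewriting rules, the generated script.ini, the start-page downloader and the mail lure) but gives no way to check a host or a mail item against it. The following is an added example, not code from the post, the thread, or the worm: it encodes those indicators as a triage routine over a constructed snapshot. The `FileEntry.hidden` field, the snapshot layout, the `example.invalid` start-page URL and the `demo()` sample data are assumptions made for this example; the indicator names themselves are the ones quoted in the post. `expected_artifact()` also generalizes the post's per-extension rules so an analyst can predict which artifact name a given original file would leave behind.

```python
from __future__ import annotations

import os
from dataclasses import dataclass

# Indicators quoted from the post: autorun value names, dropped files, the mail lure.
RUN_IOCS = {"MSKERNEL32": "MSKERNEL32.VBS"}          # HKLM ...\Run value -> script it launches
RUN_SERVICES_IOCS = {"WIN32DLL": "WIN32DLL.VBS"}     # HKLM ...\RunServices
DROPPED_FILES = {"LOVE-LETTER-FOR-YOU.TXT.VBS", "MSKERNEL32.VBS", "WIN32DLL.VBS", "WIN-BUGSFIX.EXE", "WINFAT32.EXE"}
OVERWRITTEN_IN_PLACE = {".vbs", ".vbe"}
RENAMED_TO_VBS = {".js", ".jse", ".css", ".wsh", ".sct", ".hta"}
VBS_APPENDED = {".jpg", ".jpeg"}
HIDDEN_ONLY = {".mp3", ".mp2"}
IRC_PAYLOAD = "LOVE-LETTER-FOR-YOU.TXT.HTM"
TROJAN_DOWNLOAD = "WIN-BUGSFIX.EXE"
MAIL_SUBJECT = "ILOVEYOU"
MAIL_ATTACHMENT = "LOVE-LETTER-FOR-YOU.TXT.VBS"

@dataclass(frozen=True)
class FileEntry:
    path: str
    hidden: bool = False  # assumed field: mirrors the FILE_ATTRIBUTE_HIDDEN bit of a directory listing

@dataclass(frozen=True)
class Finding:
    category: str
    detail: str

def _basename(path: str) -> str:
    """Last path component, accepting Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def expected_artifact(original: str) -> tuple[str, str] | None:
    """Map a pre-infection file name to the artifact the post says is left behind."""
    name = _basename(original)
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext in OVERWRITTEN_IN_PLACE:
        return name, "overwritten in place"
    if ext in RENAMED_TO_VBS:
        return stem + ".vbs", "overwritten and renamed to .vbs"
    if ext in VBS_APPENDED:
        return name + ".vbs", "overwritten, .vbs appended to name"
    if ext in HIDDEN_ONLY:
        return name, "hidden, not overwritten"
    return None

def check_autoruns(run: dict[str, str], run_services: dict[str, str]) -> list[Finding]:
    """Flag Run/RunServices values whose name or target matches the post (case-insensitive)."""
    found = []
    for key, iocs, values in (("Run", RUN_IOCS, run), ("RunServices", RUN_SERVICES_IOCS, run_services)):
        for value_name, data in values.items():
            if value_name.upper() in iocs or _basename(data).upper() in iocs.values():
                found.append(Finding("persistence", f"{key}\\{value_name} = {data}"))
    return found

def check_files(files: list[FileEntry]) -> list[Finding]:
    """Dropped copies, double-extension media files, and hidden MP2/MP3 files."""
    found = []
    for entry in files:
        name = _basename(entry.path)
        stem, ext = os.path.splitext(name)
        ext = ext.lower()
        if name.upper() in DROPPED_FILES:
            found.append(Finding("dropped_file", entry.path))
        elif ext == ".vbs" and os.path.splitext(stem)[1].lower() in VBS_APPENDED | HIDDEN_ONLY:
            # picture.jpg.vbs (original worm) or song.mp3.vbs (CN variant): the stem is the original name
            found.append(Finding("overwritten_media", f"{entry.path} (original name {stem})"))
        elif ext in HIDDEN_ONLY and entry.hidden:
            found.append(Finding("hidden_media", entry.path))
    return found

def check_mirc_script(script_ini: str) -> list[Finding]:
    """A generated script.ini that pushes the .HTM copy to channel members."""
    return [Finding("irc_spread", f"script.ini references {IRC_PAYLOAD}")] if IRC_PAYLOAD in script_ini.upper() else []

def check_start_page(url: str) -> list[Finding]:
    return [Finding("downloader", f"IE start page set to {url}")] if TROJAN_DOWNLOAD in url.upper() else []

def check_mail(subject: str, attachments: list[str]) -> list[Finding]:
    """Gateway-side check for the lure: subject line plus the double-extension attachment."""
    if subject.strip().upper() == MAIL_SUBJECT and MAIL_ATTACHMENT in {a.upper() for a in attachments}:
        return [Finding("mail_lure", f"subject {subject!r} with attachment {MAIL_ATTACHMENT}")]
    return []

def demo() -> list[Finding]:
    """Constructed snapshot of an infected Windows 9x host (sample data, not a real capture)."""
    run = {"MSKernel32": r"C:\WINDOWS\SYSTEM\MSKERNEL32.VBS", "ScanRegistry": "scanregw.exe /autorun"}
    run_services = {"Win32DLL": r"C:\WINDOWS\WIN32DLL.VBS"}
    files = [FileEntry(r"C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS"),
             FileEntry(r"C:\My Documents\picture.jpg.vbs"),
             FileEntry(r"C:\My Documents\song.mp3", hidden=True),
             FileEntry(r"C:\My Documents\report.doc")]
    # Only the comment lines quoted in the post plus the file name; no mIRC commands are reproduced.
    script_ini = ";mIRC Script\n;  Please dont edit this script...\n;Khaled Mardam-Bey\n; LOVE-LETTER-FOR-YOU.TXT.HTM\n"
    start_page = "http://example.invalid/WIN-BUGSFIX.exe"  # placeholder: the post does not name the four URLs
    return (check_autoruns(run, run_services) + check_files(files) + check_mirc_script(script_ini)
            + check_start_page(start_page) + check_mail("ILOVEYOU", ["LOVE-LETTER-FOR-YOU.TXT.vbs"]))
```

Running `demo()` on the constructed snapshot yields eight findings: two persistence values, the dropped .VBS copy, `picture.jpg.vbs` as an overwritten image, the hidden MP3, the script.ini reference, the start-page downloader and the mail lure; `report.doc` and the benign `ScanRegistry` value are left alone. The checks match on value names and on the launched file name separately, so a renamed Run value that still points at MSKERNEL32.VBS is caught; the `.vbs`-renamed originals (program.js to program.vbs) cannot be recognised from a listing alone, which is why `expected_artifact()` exists for correlating against a backup or file inventory.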

RE: Email.Worm.Win32.Loveletter Source Code #2
Please do code red worm next plox!
Scientia potentia est



RE: Email.Worm.Win32.Loveletter Source Code #3
(02-20-2017, 07:47 AM)DarkMuse Wrote: Please do code red worm next plox!

You got it. I've got the source for that saved.


RE: Email.Worm.Win32.Loveletter Source Code #4
Thank you, good one and nicely explained.


RE: Email.Worm.Win32.Loveletter Source Code #5
My goodness, now this brings back memories.

I believe I still have the worm sitting on my external from around 15 years ago, but not entirely sure. It'll be nice to have the source code.
Excellent contribution, thank you.


RE: Email.Worm.Win32.Loveletter Source Code #6
Thank you, I can finally rekt plebs. xD


RE: Email.Worm.Win32.Loveletter Source Code #7
(05-26-2017, 03:05 PM)ExiArmy Wrote: Thank you, I can finally rekt plebs. xD
Skull specifically stated to not use it for malicious purposes...

"Crack it open, throw it in a pan and let it cook." ~ Filthy Frank


RE: Email.Worm.Win32.Loveletter Source Code #8
I did some research on this a while ago, was kinda interesting.

@ExiArmy this might 'wreck' someone running Windows 98, but nothing modern.

(11-02-2018, 02:51 AM)Skullmeat Wrote: Ok, there's no real practical reason for doing this, but that's never stopped me.


RE: Email.Worm.Win32.Loveletter Source Code #9
(08-29-2017, 05:29 PM)Drako Wrote:
(05-26-2017, 03:05 PM)ExiArmy Wrote: Thank you, I can finally rekt plebs. xD
Skull specifically stated to not use it for malicious purposes...

It's a very old sample. It most likely would have no effect on a target system. Even so, please refrain from using it for malicious purposes.

