![]()
Finally “mp3, mp2” files will be replaced with the malware file having the original file names and. These image files will be removed afterwards. Similarly “jpg, jpeg” files will also be replaced with the worm keeping the original name with. vbs extension to the original name and removing the original file. Then all the “js, jse, css, wsh, sct, hta” files will be replaced with the worm file adding. This point onward the infection process begins “ infectfiles()” module is used to infect files.įirst it searches for all the “vbs” and “vbe” file types and overwrites their content with malicious script. Then it will list all the folders within the drives using “ floderlist()” sub procedure. First it will list all the Fixed drives as well as Network drives. Infection of the files in the local drive is going to happen in this module. Then it will send the malicious email to the recipient avoiding multiple emails to the same recipient. As I mentioned above in the Propagation Mechanism, it will create a registry key for each list of addresses you have and then in order to track each and every address, it will assign another registry key for the relevant address. Malware propagation is happening using this module. It will create a web page containing the malware script to achieve this while replacing the “script.ini” file in the mIRC installation folder. It will compromise the systems by sending the worm when a person is joined with the infected machine via mIRC channel. #I love you virus download download#In order to run the Trojan file, it checks whether the file is available in the download location and if so it will add that file to be run on windows startup and will make explorer start page to blank. #I love you virus download update#Then it will randomly update the start page of windows explorer to one of the following links to automate the download process of the Trojan program at startup of windows explorer, After that it checks for the Windows explorer download directory and if it couldn’t find it, it sets C:\ drive as the download location for the Trojan. ![]() These were the files that were copied in the previous procedure. It first creates registry entries for MSKernal32.vbs and Win32DLL.vbs files to be run on the startup. MSKernel32.vbs and into SystemFolderĪfter that it invokes main sub procedures.First it’s going to map special folders WindowsFolder, SystemFolder and TemporaryFolder and copy itself in the following manner. Once the malware is activated, it’s going to start from this point. ![]() Individual function analysis is as follows. In order to help the main ones, there are three supporting sub procedures and three function procedures. This malware program consists of four main sub procedures along with an initializing sub procedure. A Trojan file(WIN-BUGSFIX.EXE) will be downloaded and set it to run on startup.įigure-1 Propagation mechanism Technical Analysis.It has the ability to delete some original files and replace a copy of malware as I described above to trick the user to click them.Your “mp3” and “mp2” files will be hidden and the malware file will be copied with their names as well. #I love you virus download code#All your image files of “jpg” and “jpeg” extensions will also be deleted and replaced with malicious code keeping original file names. Files with js, jse, css, wsh, sct and hta extensions will be replaced with malicious script with original file names following “vbs” extension. vbe) will be overwritten with malware code. If you are infected with this worm, you will lose a considerable amount of data in your machine. As a result of that, their machines will also be infected with the Trojan program as yours and also their contact list will also get the same email and it will continue as an email chain. ![]() Once your contacts get your email, they’ll also tend to open the attachment. ![]() At the same time it will go through your email address book and send the same email that you got, to your contacts. Then it will let your windows explorer download a Trojan program(WIN-BUGSFIX.EXE) onto your machine. Once you click on the attachment, it will execute the VBScript. Subject : ILOVEYOU Body : kindly check the attached LOVELETTER coming from me. You will receive an email as follows with an attachment. According to the remarks with in the malware file, it seems to be originated in Philippines by a person under the alias of “spyder”. This is a worm type malware written in Visual Basic Script. So for this, I use Love Letter for You (aka ILOVEYOU, Love Bug) malware which infected windows machines since early 2000. Here I’m going to give you a basic idea of how does malware work. Malware Source Code Analysis (Love Letter for You) ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |