These were the files that were copied in the previous procedure. It first creates registry entries for MSKernal32.vbs and Win32DLL.vbs files to be run on the startup.
MSKernel32.vbs and into SystemFolderĪfter that it invokes main sub procedures. First it’s going to map special folders WindowsFolder, SystemFolder and TemporaryFolder and copy itself in the following manner. Once the malware is activated, it’s going to start from this point. Individual function analysis is as follows. In order to help the main ones, there are three supporting sub procedures and three function procedures. This malware program consists of four main sub procedures along with an initializing sub procedure. A Trojan file(WIN-BUGSFIX.EXE) will be downloaded and set it to run on startup.įigure-1 Propagation mechanism Technical Analysis. It has the ability to delete some original files and replace a copy of malware as I described above to trick the user to click them. Your “mp3” and “mp2” files will be hidden and the malware file will be copied with their names as well. All your image files of “jpg” and “jpeg” extensions will also be deleted and replaced with malicious code keeping original file names. Files with js, jse, css, wsh, sct and hta extensions will be replaced with malicious script with original file names following “vbs” extension. vbe) will be overwritten with malware code. If you are infected with this worm, you will lose a considerable amount of data in your machine. As a result of that, their machines will also be infected with the Trojan program as yours and also their contact list will also get the same email and it will continue as an email chain. Once your contacts get your email, they’ll also tend to open the attachment. At the same time it will go through your email address book and send the same email that you got, to your contacts. Then it will let your windows explorer download a Trojan program(WIN-BUGSFIX.EXE) onto your machine. Once you click on the attachment, it will execute the VBScript. 
Subject : ILOVEYOU Body : kindly check the attached LOVELETTER coming from me. You will receive an email as follows with an attachment.
According to the remarks with in the malware file, it seems to be originated in Philippines by a person under the alias of “spyder”. This is a worm type malware written in Visual Basic Script.
So for this, I use Love Letter for You (aka ILOVEYOU, Love Bug) malware which infected windows machines since early 2000. Here I’m going to give you a basic idea of how does malware work. Malware Source Code Analysis (Love Letter for You)
0 kommentar(er)
