I just put this up here for people who are interested in knowing how a virus works ...

I found this on a Yahoo web search so that you could learn a little more about this. If you have any questions, just ask, please.


How "I Love You" Works


Author's note: The most difficult part about writing an accurate article about how to prevent incursions from email viruses is that it could give certain people new ideas about how to perfect existing viruses. For that reason, I have to weigh two interests against each other: Do I tell you enough for you to be able to understand what an email virus is and what it does, or do I withhold some information in order to protect you from others who might get some bad ideas? I've decided not to tell you everything I know about the ILOVEYOU virus, although I may consider answering some questions more explicitly through email. For legal purposes, however, I must disclaim any responsibility for future developments on the part of any malicious party that may arise as a result of me disclosing preventative measures that you need to know NOW. In the end, I think it's better that you be prepared for what's coming BEFORE it comes.

What does ILOVEYOU do?
Without revealing any of the details of how the virus goes about its job, here is exactly what the virus does, in the order in which it does it:

1. It asks for a copy of itself from Windows' internal filing system -- which is the virus' way of checking whether your computer is already infected. If the virus script is already present, the virus goes ahead and copies this script into memory. This will become important later, because it's part of how the virus proliferates.

2. The virus disables your Windows Scripting Host's ability to pause before executing script code, effectively thwarting the efforts of any other program that might be able to discern whether the code is malicious before Windows executes it. For Outlook to have time to notice an email attachment's type and send up a warning, or for an anti-virus program to have the time to see which application has been loaded, there needs to be a pause in the Scripting Host's activity. Here, the virus takes away that pause. This makes it impossible for Outlook to stop itself and renders it more difficult (though not impossible) for an anti-virus program to step in and stop damage from happening.

3. The virus makes its first three copies of itself, generally with the following names:
C:\WINDOWS\SYSTEM\MSKernel32.vbs, C:\WINDOWS\WIN32DLL.vbs and C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.vbs.

4. The ILOVEYOU virus registers itself in your Windows System Registry, so that whenever you start Windows, the script is executed from wherever it is. Remember step 1: The first thing the virus does is copy itself. The first time the virus is run, the file it's looking for doesn't exist yet, so it makes the file. The second time and thereafter, the virus finds its own file and proliferates by spawning copies of it.

5. Next, the ILOVEYOU virus makes it possible for another virus or some other script -- for instance, one embedded in a Web page -- to come into your system and potentially inflict significantly more damage. The virus asks your computer for the name of the directory where Internet Explorer downloads its files. Next, it checks for the presence of a file that theoretically could be created by a second virus or by a "Trojan horse" script. The file being searched for is a dummy file called C:\WINDOWS\SYSTEM\WinFAT32.exe. Because of its name, the file might easily be mistaken by a novice for part of Microsoft Windows, but Windows doesn't actually use an .EXE file for its FAT32 file system. If this dummy file exists, ILOVEYOU makes Internet Explorer automatically download an executable file instead of your home page the next time you start it up. This second file is called WIN-BUGSFIX.exe, and its online location is any one of four Web pages, chosen by the virus at random, whose names appear to have been generated by someone pounding on his own keyboard -- they're jumbles of letters and numbers. (Apparently the virus' author felt that a jumble of letters and numbers would throw the authorities off his trail -- this shows how truly stupid he or she is.) Once WIN-BUGSFIX.exe is downloaded, ILOVEYOU uses that download directory it obtained earlier to register the file so that it's run automatically the next time you start Windows.
Reports vary as to the true purpose of this second Trojan horse executable file, since the server that would have carried it has been shut down, but we can assume it's not good. It is still prudent to watch for the presence of WinFAT32.exe and WIN-BUGSFIX.exe (and if you find these files on your system, to remove them immediately), because somebody else could conceivably release a variant of the virus in which the obvious bugs are corrected, the server name has been changed, the dummy file can be downloaded and the damage could be more widespread.

6. The virus checks for the presence of that downloaded executable file WIN-BUGSFIX.exe, and if it exists, the virus presumes it has already been run once. (Apparently its purpose is not to take down your system, because if it did, what part of your system would be left to run the virus again to check for the file's presence?) In that case, it changes your Internet Explorer start page to a blank page, masking the location from which the virus downloaded WIN-BUGSFIX.exe.

7. Next, ILOVEYOU generates the contents of an HTML page that will be stored as C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM. This page contains the same malicious code that was used in step 3, only this time it is designed to appear in a Web browser, in an email program that displays HTML in the form of Web pages, or as an attachment shared by users of an Internet chat program. Once displayed, the file compels its viewer to please press a button on the page to "enable ActiveX" so that she can read this nice love letter addressed to her. Well, in fact, the entire window is a button; so if she clicks anywhere inside it or if the mouse pointer enters and exits the visible area of the page, the code inside the page will automatically generate the same VBS script files as in step 3. This enables a second method for distributing the virus other than email, which you'll see shortly.

8. The virus sets itself up to spread via email, using the Microsoft Outlook component of Microsoft Office. The way the virus is written, the proliferation code should function if the infected user has either Outlook 97 or Outlook 2000. (Outlook Express will not work here.) ILOVEYOU uses so-called automation code (invented, incidentally, by Microsoft) to read the contents of the infected user's Windows address book -- the names of all the people to whom Outlook regularly sends email messages. If you do not use either the Windows address book or the Contacts section of Outlook to store names and addresses, then this part of the virus won't work. If you maintain more than one address list within Outlook (in other words, if you have compartmentalized your lists), then the virus knows to collect its names from all your lists. The virus then generates email messages addressed to every recipient in your Windows address book, as well as in every Contacts list you keep in Outlook. (For unknown reasons, the Melissa virus was written to contact only the first 30 recipients in the first contacts list.)
Each message sent by the original ILOVEYOU virus contains exactly the following text:

kindly check the attached LOVELETTER coming from me.

Attached to each message is a copy of LOVE-LETTER-FOR-YOU.TXT.vbs. Even if the recipient's copy of Windows is set to hide the ".vbs" part of the filename, leaving the ".TXT" (so that the recipient might think it's just a text file), the blue-scroll icon that will still appear is a clear indicator that this is a script and not an ordinary text file.

9. The virus sends every message it's generated -- or at least, it tries to. The way Microsoft's automation languages were designed to work, a script can call on the services of an Office application without the user's actually seeing that application pop up on-screen. Again, this is by design. So Outlook can send messages without you ever seeing the "Microsoft Outlook ... Copyright 2000, Microsoft Corp." box pop up or the application itself coming on screen. This is the very reason why there are email viruses in the first place. If you happen to be running Outlook at the time the virus is generating messages, the fact that the virus starts up another instance of Outlook in the background will not affect the way the virus was designed to work.

10. The virus makes an adjustment to the Registry for each entry in the address book in an attempt not to send the same message twice to the same recipient. Here's the funny part: There's a bug in the virus program itself, the result being that it always sends a new message to every recipient in the address book anyway, whenever you restart Windows. Still, this part of the virus depends on one crucial factor: that when it tells Outlook to send those messages, your computer is online. If you work in an office that has a persistent Internet connection, that computer is online then, so those messages are sent right away. But if you use a dial-up connection to reach the Internet, then if your machine is offline when the virus generates these messages, they'll spill into Outlook's Outbox. In such a case, you can delete those outgoing messages from the Outbox before you go online and before they're sent. Your copy of Outlook may be set up to send and receive messages from its Outbox every so often, but that setting is generally pointless anyway with respect to a dial-up connection, in which case you may be offline during an interval in which Outlook attempts to send and receive messages. So the malicious messages that the virus created should hang there in the Outbox, giving you the opportunity to delete them before anything or anyone sends them. This doesn't stop the virus from being able to generate outgoing messages in the future, however, as long as the virus is still on your system.

11. Next comes the part of the ILOVEYOU virus that actually does the damage. First, it checks for fixed drives (hard disks) attached to your local system and your network and records where they are. Removable drives are left out, so Iomega disks are safe, and so are floppies. The virus effectively deletes certain files, not the old-fashioned way but by writing a copy of itself on top of them. Here are the file types the virus affects:

Other VBScript files or components (.VBS, .VBE) (the virus probably accidentally finds its own file but cannot copy over the top of it because it's already "open" at the time it's running)
JavaScript elements of stored Web pages, or other JavaScript components (.JS, .JSE)
Cascading style sheet elements of Web pages (.CSS)
Windows Scripting Host settings file (.WSH) (the very type of file designed to prevent malicious operation of the Scripting Host in the first place)
Other, less-used types of embedded Web page scripts (.SCT, .HTA)
JPEG-format images (.JPG, .JPEG)
MPEG-compressed songs and videos (.MP3, .MP2)

The virus leaves all other types of files alone, although it does search for a few specific other files, which we'll mention shortly. The copy of itself that the virus writes in place of these files is given the same name as those files but with the .VBS extension added. (The old extension remains, as in "D:\MEDIA\PICTURE.JPG.VBS".) Worse yet, the destroyed files don't appear in the Recycle Bin, so you cannot retrieve them from there. And yes, once those files are gone, they're gone. (A TV network reported that some files were simply renamed but not deleted; that report was in error.)

12. Finally comes the ILOVEYOU virus' second mode of proliferation: You'll recall in step 7 that the virus generated a file named LOVE-LETTER-FOR-YOU.HTM and stuck it in the WINDOWS\SYSTEM directory. While the virus is busy overwriting files with copies of itself, it keeps a lookout for certain key files associated with a program called mIRC. This is the most popular program used to conduct online chats outside the Web, using the Internet relay chat (IRC) protocol. The virus will look for the automated script file used by mIRC that runs user commands and preferences when the program starts up. It then attaches commands to this script that send a copy of the virus's .HTM file to anyone who joins the chat group, the moment he joins it. (Attachments such as photographs and HTML pages are often shared in IRC chat groups.)

Since mIRC's script file (SCRIPT.INI) is a simple text file, the only way the virus can keep you from deleting its little additions if you were to open the file is by literally pleading with you not to delete them. So the additions it makes include a message that looks like this:

[script]
;mIRC Script
; Please dont edit this script... mIRC will corrupt, if mIRC will corrupt... WINDOWS will affect and will not run correctly. thanks ;
;Khaled Mardam-Bey
;http://www.mirc.com
;

The instructions in the SCRIPT.INI file that follow these comments are the instructions that have mIRC send the virus-attached HTML file to every person who enters the chat group. If you use mIRC, and your SCRIPT.INI script file includes these lines, delete this script file entirely; don't bother to edit it. Chances are, the real Khaled Mardam-Bey had nothing to do with this message, and the intention of the virus' author was to malign this person's good name.
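A defender-side check for the artefacts the article describes in steps 3, 11 and 12, written here as an added Python example (it is not code from the article or from the virus): it walks a directory tree for the dropped file names, for files that were overwritten and renamed with a stacked .VBS extension, and for a SCRIPT.INI carrying the worm's comment. The sample tree it builds is constructed and harmless (empty files), and the names and marker string are the ones quoted in the article.

```python
import os, re, tempfile
from pathlib import Path

# Extensions the article says the worm overwrites with a copy of itself (step 11).
OVERWRITTEN_EXTS = {".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta",
                    ".jpg", ".jpeg", ".mp3", ".mp2"}
# Names the article quotes for the dropped copies and Trojan files (steps 3, 5, 7).
DROPPED_NAMES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
                 "love-letter-for-you.htm", "winfat32.exe", "win-bugsfix.exe"}
# The pleading comment the worm appends to mIRC's SCRIPT.INI (step 12).
MIRC_MARKER = re.compile(r"please dont edit this script", re.IGNORECASE)

def is_overwritten_copy(name: str) -> bool:
    # PICTURE.JPG.VBS: a .vbs suffix stacked on one of the targeted extensions.
    low = name.lower()
    return low.endswith(".vbs") and Path(low[:-4]).suffix in OVERWRITTEN_EXTS

def script_ini_is_tampered(text: str) -> bool:
    return MIRC_MARKER.search(text) is not None

def scan_tree(root: str) -> dict:
    # Walk root and collect the three kinds of infection artefact the article describes.
    found = {"dropped": [], "overwritten": [], "script_ini": []}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full, low = os.path.join(dirpath, fn), fn.lower()
            if low in DROPPED_NAMES:
                found["dropped"].append(full)
            elif is_overwritten_copy(fn):
                found["overwritten"].append(full)
            elif low == "script.ini":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if script_ini_is_tampered(fh.read()):
                        found["script_ini"].append(full)
    return found

def build_sample_tree(root: str) -> None:
    # Constructed, harmless stand-ins for an infected layout: empty files, no script bodies.
    for rel in ("WINDOWS/SYSTEM/MSKernel32.vbs", "WINDOWS/WIN32DLL.vbs",
                "MEDIA/PICTURE.JPG.VBS", "MEDIA/song.mp3.vbs", "MEDIA/notes.txt"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()
    Path(root, "SCRIPT.INI").write_text(
        "[script]\n;mIRC Script\n; Please dont edit this script... thanks ;\n")

def demo() -> dict:
    # Build the sample tree in a temporary directory and return a count per category.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {kind: len(paths) for kind, paths in scan_tree(tmp).items()}
```

Point scan_tree at a real drive root to list findings; a variant that changes the file names or the SCRIPT.INI comment will not match these fixed strings, so treat a clean result as a check for the original only.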

This completes the list of malicious tasks that the ILOVEYOU virus performs when it infects your computer. Next week I'll answer some questions you might have.