W32.Suclove.A@mm is a mass-mailing worm that uses MS Outlook to send a copy of itself to other users. It also spreads through mIRC and Yahoo! Messenger contacts, hijacks the .exe file association so that it runs whenever an executable is launched, and opens a back door on TCP port 1111.
When W32.Suclove.A@mm is executed, it performs the following actions:
1. Creates the following copies of itself:
* %System%\dllhost.dll
* %System%\LOADER32.COM
* %Windir%\LoveLetter.doc.exe
* %SystemDrive%\WINLOGON.EXE
Note:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
* %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
* %Root%, as used below, refers to the root folder of %SystemDrive%. By default, this is C:\.
2. Adds the value:
"DLL32" = "dllhost.dll"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
3. Adds the value:
"@" = "%Root%\WINLOGON.EXE"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
policies\Explorer\Run
so that it runs every time Windows starts. ("@" denotes the default value of the subkey.)
4. Adds the value:
"@" = ""%1" %*"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\shell\open\command
so that DLL files, including the worm's dllhost.dll copy, are launched like executables when opened through the shell.
5. Adds the value:
"@" = ""%System%\LOADER32.COM" %1"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
so that LOADER32.COM runs every time an executable file is launched through the shell, receiving the path of the original program as its argument. The unmodified value is ""%1" %*"; until it is restored, deleting LOADER32.COM leaves the system unable to launch .exe files.
6. Adds the value:
"CheckedValue" = "1"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\HideFileExt
so that Windows Explorer hides the extensions of known file types, which makes the attachment LoveLetter.doc.exe appear as LoveLetter.doc.
7. Adds the value:
"NoFolderOptions" = "1"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
policies\Explorer
which removes Folder Options from Explorer so that the user cannot re-enable the display of file extensions.
8. Adds the value:
"DisableRegistryTools" = "1"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Policies\System
so that regedit refuses to start, preventing the user from undoing the changes above.
9. Attempts to create the file script.ini, an mIRC script that sends a copy of the worm to other IRC users, in the following folders:
* %SystemDrive%\MIRC
* %SystemDrive%\MIRC32
* %ProgramFiles%\MIRC
* %ProgramFiles%\MIRC32
Note:
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
10. Creates and runs the file %Root%\progra~1\micros~1\outlook.vbs. This is a VBScript file that uses MS Outlook to send a copy of the worm to every address in the Outlook address book.
The email will have the following properties:
Subject: Read my letter for you
Body: this was created from the deep inside my heart.
Attachment: LoveLetter.doc.exe
11. Creates and runs the file C:\sender.vbs. This is a VBScript file that sends a copy of the worm to every contact found in the %Root%\program files\yahoo!\messenger\profiles folder.
The email will have the following properties:
Subject: Love, for Forgiveness :->
Body: I love u please forgive me!...
Attachment: LoveLetter.doc.exe
12. Opens a back door on TCP port 1111 that allows a remote attacker to download and execute files on the compromised computer. A socket listening on this port (netstat -an) is a quick indicator of an active infection.
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/w32.suclove.a@mm.html
Note: while "DisableRegistryTools" = "1" is set (step 8 above), regedit refuses to start. Clear that value first with a tool the policy does not affect (for example reg.exe on Windows XP), or from a clean boot environment, before following the steps below. Also restore the exefile value (step 11 below) before deleting LOADER32.COM, or executables will no longer start.
To delete the values from the registry:
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"DLL32" = "dllhost.dll"
6. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
policies\Explorer\Run
7. In the right pane, delete the value:
"@" = "%Root%\WINLOGON.EXE"
8. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\shell\open\command
9. In the right pane, delete the value:
"@" = ""%1" %*"
10. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
11. In the right pane, restore the default value to:
"@" = ""%1" %*"
Do not delete it: without an exefile open command, Windows cannot launch .exe files from the shell.
12. Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
policies\Explorer
13. In the right pane, reset the value to what it was before the infection (this policy value is normally absent on a clean system, so delete it if it did not exist before):
"NoFolderOptions" = "1"
14. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\HideFileExt
15. In the right pane, reset the value to the original value if applicable:
"CheckedValue" = "1"
16. Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Policies\System
17. In the right pane, reset the value to what it was before the infection (this policy value is normally absent on a clean system, so delete it if it did not exist before):
"DisableRegistryTools" = "1"
18. Exit the Registry Editor.
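The following Python script is an added example and is not part of the Symantec write-up. It covers both halves of this page: it parses a regedit export (.reg) and reports which of the registry changes from steps 2 through 8 are present, then builds a cleanup .reg that reverses them, writing the exefile entry first so that .exe launching works again before the worm's files are removed. The matchers encode the values listed above; the restore data (the stock exefile command ""%1" %*", 0 for the three policy values) and the sample export are this example's own assumptions, and the write-up says to restore whatever value existed before the infection.

```python
"""Added example, not part of the write-up: parse a regedit export (.reg),
report which W32.Suclove.A@mm registry changes it contains, and emit a .reg
that reverses them in a safe order."""
import re

# Indicators from steps 2 to 8 above as (key, value name, matcher, restore).
# "@" is the key's default value. restore=None deletes the value; the other
# restore data (stock exefile command "%1" %*, 0 for the policy values) are
# this example's assumptions; the write-up says to restore the pre-infection value.
def _eq(s):
    return lambda d: isinstance(d, str) and d.lower() == s.lower()

def _has(s):
    return lambda d: isinstance(d, str) and s.lower() in d.lower()

LM = r"HKEY_LOCAL_MACHINE\SOFTWARE"
INDICATORS = [
    (LM + r"\Microsoft\Windows\CurrentVersion\Run", "DLL32", _eq("dllhost.dll"), None),
    (LM + r"\Microsoft\Windows\CurrentVersion\policies\Explorer\Run", "@", _has(r"\WINLOGON.EXE"), None),
    (LM + r"\Classes\dllfile\shell\open\command", "@", _eq('"%1" %*'), None),
    (LM + r"\Classes\exefile\shell\open\command", "@", _has(r"\LOADER32.COM"), '"%1" %*'),
    (LM + r"\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt", "CheckedValue", lambda d: d == 1, 0),
    (LM + r"\Microsoft\Windows\CurrentVersion\policies\Explorer", "NoFolderOptions", lambda d: d == 1, 0),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", lambda d: d == 1, 0),
]

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {key: {value_name: data}}: strings unescaped, dword as int,
    other data left as raw text. Accepts REGEDIT4 and 5.00 headers."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys

def find_indicators(text):
    """List the worm indicators present as (key, value name, data, restore)."""
    parsed = {k.lower(): {n.lower(): d for n, d in v.items()}
              for k, v in parse_reg(text).items()}
    hits = []
    for key, name, matches, restore in INDICATORS:
        data = parsed.get(key.lower(), {}).get(name.lower())
        if data is not None and matches(data):
            hits.append((key, name, data, restore))
    return hits

def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')

def cleanup_reg(hits):
    """Build a .reg reversing the findings. The exefile command comes first:
    until it is restored, every .exe launched through the shell goes via
    LOADER32.COM, so deleting the worm's files earlier breaks .exe launching."""
    ordered = sorted(hits, key=lambda h: "exefile" not in h[0].lower())
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _data, restore in ordered:
        lhs = "@" if name == "@" else f'"{_escape(name)}"'
        if restore is None:
            rhs = "-"  # name=- deletes the value on import
        elif isinstance(restore, int):
            rhs = f"dword:{restore:08x}"
        else:
            rhs = f'"{_escape(restore)}"'
        out += [f"[{key}]", f"{lhs}={rhs}", ""]
    return "\n".join(out)

# Constructed sample export of an infected machine (not a real capture).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLL32"="dllhost.dll"
"LegitApp"="C:\\Program Files\\Legit\\legit.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\LOADER32.COM\" %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
@="C:\\WINLOGON.EXE"
'''

if __name__ == "__main__":
    found = find_indicators(SAMPLE_EXPORT)
    for key, name, data, _ in found:
        print(f"{key}\\{name} = {data!r}")
    print(cleanup_reg(found))
```

Export the hives with regedit (or reg.exe export) from the suspect machine, run the script against the file, and review the generated cleanup .reg before importing it; because "DisableRegistryTools" = "1" blocks regedit, the import has to go through a tool the policy does not affect. Only after the import should LOADER32.COM and the other dropped files be deleted.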