Kaspersky Warns Of FireBurn ILOVEYOU Variant


By Sylvia Dennis, Newsbytes

MOSCOW, RUSSIA, 31 May 2000, 8:00 AM CST

Kaspersky Lab has warned of a dangerous new variant of the ILOVEYOU virus called FireBurn. The Russian IT security firm said that copies of the worm have been discovered "in the wild."

Eugene Kaspersky, head of anti-virus research with the company, said that over the last month, the vogue of creating new variations of the ILOVEYOU virus has not diminished amongst virus creators.

Kaspersky said that the firm's latest research suggests that the incidence of ILOVEYOU virus variants is now starting to increase, rather than tail off.

Known officially as I-Worm.FireBurn, the FireBurn worm spreads as a VBS (visual basic) file attached to e-mail messages. To send infected messages the worm uses MS Outlook. The worm also is able to send copies of itself to IRC (Internet relay chat) channels by affecting a mIRC client.

Kaspersky Lab said that when the worm file is activated (by double-clicking the attached file in an infected message, or by accepting it as an IRC download), it installs itself into the system by copying its code to the Windows directory with the name RUNDLL32.VBS and registering it in the auto-run section in the Windows registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
MSrundll32 = rundll32.vbs

As a result, the firm said, the worm then activates each time Windows starts.

While mailing its copies, the worm connects to MS Outlook, gains access to the address book and sends copies of itself to all addresses listed in there. Depending on the system configuration the message has a different subject and body.

Interestingly, two versions of the subject and body appear in this worm variant. Under the German version of MS-Windows, the message looks as follows:

Subject: Moin, alles klar?
Body: Hi, wie geht's dir? Guck dir mal das Photo im Anhang an, ist echt geil ;) bye, bis dann..

Under non-German versions of MS-Windows, it reads as follows:

Subject: Hi, how are you?
Body: Hi, look at that nice Pic attached ! Watching it is a must ; cu later...)

Kaspersky Lab said that the attached file name is randomly selected from eight variants:

Ultra-Hardcore-Bondage.JPG.vbs
Christina__NUDE!!!.JPG.vbs
CuteJany__B**T***!.GIF.vbs
MyGirlfriend__NUDE!.JPG.vbs
Aguiliera__NUDE!!.JPG.vbs
!Jany__Gets-f***ed!.GIF.vbs
cute__EmmaPeel!!!.JPG.vbs
Julie17__xxx.GIF.vbs

In addition, a copy of the worm with the same (randomly selected) name is also created in the Windows directory (this is the exact copy that is attached to the infected messages).

The payload routine of the FireBurn worm is activated on June 20, when it displays the message: "I'm proud to say that you are infected by FireburN," while disabling the keyboard and mouse by modifying two system registry keys.

The worm also changes the "Registered Owner" field in "MyComputer/Properties"; the new value is "FireburN". This is done by modifying the registry key.

Kaspersky Lab's Web site is at http://www.kasperskylabs.com .

Reported by Newsbytes.com, http://www.newsbytes.com .


http://www.newsbytes.com/pubNews/00/149831.html

-- Martin Thompson (mthom1927@aol.com), May 31, 2000
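
Added example, not part of the original post or of Kaspersky Lab's analysis: a small defensive check for the two traits the article describes, an attachment whose picture extension hides a trailing .vbs, and a Run-key value that launches a script named after a system binary. The extension lists, function names and sample data are assumptions chosen for illustration.

```python
import ntpath

# Extensions that Windows Script Host runs (subset, chosen for this example).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Extensions a recipient reads as a harmless picture or document.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".png", ".txt", ".doc", ".pdf"}
# System binary names a dropped script might borrow (illustrative list).
SYSTEM_STEMS = {"rundll32", "explorer", "svchost", "winlogon"}

def split_exts(name):
    """Return (stem, decoy_ext, real_ext), lower-cased, for a file name or path."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    base = ntpath.basename(name).rstrip(". ").lower()
    rest, real = ntpath.splitext(base)
    stem, decoy = ntpath.splitext(rest)
    return stem, decoy, real

def classify_attachment(name):
    """Label an attachment name: 'ok', 'script' or 'double-extension script'."""
    _, decoy, real = split_exts(name)
    if real not in SCRIPT_EXTS:
        return "ok"
    return "double-extension script" if decoy in DECOY_EXTS else "script"

def audit_run_key(values):
    """Flag Run-key values (value name -> command) that launch a script file."""
    findings = []
    for value_name, command in sorted(values.items()):
        # Split on quotes and whitespace so quoted paths and arguments are tokens.
        for token in command.replace('"', " ").split():
            stem, _, real = split_exts(token)
            if real in SCRIPT_EXTS:
                note = "script autorun"
                if stem in SYSTEM_STEMS:
                    note += ", borrows system binary name"
                findings.append((value_name, note))
                break
    return findings

# Constructed sample: two attachment names from the article plus benign ones.
SAMPLE_ATTACHMENTS = ["cute__EmmaPeel!!!.JPG.vbs", "Julie17__xxx.GIF.vbs",
                      "holiday.jpg", "report.v2.pdf", "cleanup.vbs. "]
# Constructed Run-key export; MSrundll32 is the value the article lists.
SAMPLE_RUN = {"MSrundll32": "rundll32.vbs",
              "SystemTray": "SysTray.Exe",
              "Backup": '"C:\\Tools\\nightly.vbs" /quiet'}

if __name__ == "__main__":
    for attachment in SAMPLE_ATTACHMENTS:
        print(f"{classify_attachment(attachment):24} {attachment!r}")
    print(audit_run_key(SAMPLE_RUN))
```
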

