Hello guys and gals Mahmood har and welcome to another episode of virus investigations last week we had the nerdiest episode ever which is building gaming virtual machines far more excessive than expected anyone so for those people actually did sit through the video thank you very much but ladies and gentlemen today we’re back down to earth with what virus.
Investigations really is a look into malware and today the theme.
Is love yes ladies and gentlemen today we’re talking about love letters the dangerous kind and love letters come in all ways shapes.
And forms this one however ranges up to about 10 billion dollars worth of love that has been caused now I’m sure it’ll we’ve all experienced love at some point I have you have it’s a common emotion and a common feeling that people put themselves into and love is one of those things that causes the most intelligent man or woman to make the stupidest of decisions in record time and boy have.
Stupid decisions have been made which has causes virus to spread the way that it has so basically today we’re talking about an email worm now I know we’ve been talking about malware and all that and.
A lot of these things class themselves pretty much well into each other there is no shame in a virus taking advantages of multiple different types of viruses out there.
A Trojan may not specifically always be a Trojan a worm.
These are malicious programs that are coated in ways.
To utilize the best advantages sometimes and in some situations these can also evolve it’s it’s kind of biologically.
Weird if you think about it but.
Let me continue on so today’s love-letter virus is basically an email worm and the key difference between sort of a virus and a worm for those of you who really want the easiest explanation possible is replication with a virus a lot of the replication sort of happens with human interaction with a worm such as this a lot of the replication happens from the actual program itself it’s capable of constantly.
Delivering itself without any more human interaction than that first seed so let me get into.
Touch with how this works the virus isn’t exactly super intensive when.
It comes to spreading itself basically an email virus will spread itself.
By first of all infecting one user with that user it’ll have a contact list of all the email addresses.
That you have so for example in my phone I have a contact book right or you might contact book on your PC or something of the sort you may have contact email stork for multiple people your friends your family your business relationships you get the point an email worm only has to look at who you have stored.
In your email who who you who you have stored in your contact addresses who’ve been sending emails to you who you’ve been sending emails to and once it’s figured out all these and catalogued them it’ll just send itself using bullshit messages that it has coded into it hardwired and basically.
Spread itself like that and as soon as it reaches somebody else’s mailbox the.
Cycle repeats and eventually it can spread so quickly within a matter of even a day or two that 10 billion dollars worth of damages can estimate it to be reported because so many people have been infected all of the sudden you get what I’m saying basically a virus you are sending it out yourself I guess but with a worm once you set a.
Go man computers they they function fast human beings we have a ton of things on our mind computers whatever is programmed with it’s going to do day in day night no sleep no rain and no whatever it’s gonna go all all out doing whatever you set it through now this exact malware is one of the earliest ones out there in fact it’s attacked quite a quite a massive amount of targets.
In pretty record time and will cover them as we progress through with the episode but the virus.
Basically what we did for the analysis was we got into Windows 98 we made a virtual machine of course and because the email servers are sort of iffy for it you could technically make a local one and say your Outlook to work or exchange whatever it was called back then I think it was outlook right outlook Microsoft net.
But whatever the heck basically if you use the email client of that era and you basically credited a local intranet within yourself and hosted an email server you could basically set up a bunch of four or five email contacts.
And let love-letter do what it needs to but the payload is pretty much local system independent see what love-letters capable of doing is basically in fact in the computer sending the homepage to automatically download a malware tool that it has set asides from itself somewhere stored off on the Internet beyond that it also can override files change files extensions to dot VBS which is what the virus itself is coded in and so.
On and so forth so pretty I guess you could say damaging malicious things but.
That’s kind of the case for worms in general now we had a Windows 98 machine and we basically set the system so that we got the source code for the original love-letter virus who basically compiled it in virtual visual basic and visual VB scripting and just launched it that way so we have an analysis over here let’s go check that out and then I’ll come back and talk.
To you about the aftermath of such a dangerous endeavor so for this analysis actually I have Windows 98 installed I usually have a.
Bad experience with like 95 vistas you all know standard VM installation we got it running up over here so quickly to put it into perspective I have just windows 98 installed I have winzip installed onto it I put Firefox into it for some.
I wanted to see how the internet looked in the days of volt so if anybody had that by the way you can actually go to google.com and it is still accessible in Windows 98 so you can actually just type in any random search and it’ll actually come through so yeah try to access YouTube right now ladies and gentlemen and it’s just not gonna.
Happen so windows 98 is not is it is it supported oh you got to be kidding when they open up a video no YouTube does not actually.
Have any support wow that was shocking but anyways back to the video so here I have a love letter I.
Actually zipped it up and I copied it over here to start off with now I have love letter available right here one of the things you want to do when you’re trying to run virus is on the old classic windows is enable the file type so you want to go into my computer and where it says view you want to go to folder options and you want to go to view and you want to make sure you always uncheck hide file extensions for known file types usually that is.
Always enabled on any version of.
Windows and that’s just used to mask sort of how the computer works but if you ever wonder why you can’t see the dot VBS or the dot text file at the end it’s.
Will deliberately always hide it so if you hide that then you know just look like your text document there’s no reason to not have it like this I just do it that.
Way so everything is uniform I actually like seeing my file extensions but I guess that’s just me so here we have the VBS file normally you.
Would receive this via an email as an attachment but since we cannot use Outlook we unfortunately have to deal with it in a similar fashion so first things first we’re gonna launch it over here it’s actually a compilation error okay that ain’t good look URI second so ladies.
And gentlemen quick little thing because the source code is so readily available for a love letter you can actually just ctrl copy the entire hub you can actually select alt ctrl copy this whole source code and basically go.
Into your text editor real quickly and all you really have to do is just paste it and then save it as select all files and you can call it love data VBS make sure it’s.
A VBS and all you got to do is launch it a couple times I don’t know why my sample isn’t working it contains the exact same code anyways but yeah if you want to get the source code it’s all it’s already readily available for you so now that we’ve launched it you.
May not notice things initially but if.
You start digging around into let’s say your windows directory for instance right which let’s access really.
Quickly by going to my computer.
One of the things that wow that actually kind of freaked me out for a second but one of the things that I’m gonna go to is I’m gonna go to the C Drive real quick and I’m gonna go to Windows and one of the things that should basically be a little fucky at this point it’s sort of your system directory looking to.
To just keep showing the files goddammit.
If you start looking around it’s basically gonna replace files or at least begin the process of starting to replace certain files now as that’s run I’m not sure exactly where it’s supposed to be but I know at some point your system files are gonna be sort of played around with if we check around our internet explorer see one of the things you’ll notice is sky.
And net dotnet has changed so we’ll go to files for a second and we’re gonna go to properties one of the things the reason why sky in it sort of sounds weird of course as a header is that it’s slowly changing like angel cat is actually a well known uh what is it like hosting service basically what’s going on is Windows is losing its mind it’s basically changed.
This my home web page which would have been msn.