Blue Team Labs- ILOVEYOU

This is the ninth write-up in our Blue Team Labs challenge series; this one covers the ILOVEYOU challenge.

Brief overview of the ILOVEYOU virus.

ILOVEYOU is also known as the “love letter virus” and the “love bug worm.” Although commonly referred to as a computer virus, ILOVEYOU is actually a worm (a computer worm is malicious software that replicates itself from one computer to another without human interaction).

This virus comes in an email with “ILOVEYOU” in the subject line and contains an attachment that, when opened, results in the message being re-sent to everyone in the recipient’s Microsoft Outlook address book. Perhaps more seriously, it results in the loss of every JPEG, MP3 and certain other files on all recipients’ hard disks. The attachment in the ILOVEYOU virus is a VBScript program that recipients at the time mistook for a simple text file.

Reference- https://searchsecurity.techtarget.com/definition/ILOVEYOU-virus

Given scenario:

ILOVEYOU: the 3 magical words which have an impact on most people’s lives.
On the other hand, these 3 words need no introduction for people in the infosec industry.

Let’s relive history by analysing the ‘ILOVEYOU’ malware.

To solve this challenge, a zip file named “Malware Sample Password” is available to download; the password to access this zip and the inner folder is given in the picture below.

NOTE- My suggestion would be to open this infected file in a VM (Linux preferably), or you will be affected by these three magical words ;’)

Tools/Utility used-

  1. Text Editor

Q. What is the text present as part of email when the victim received this malware?

A. kindly check the attached LOVELETTER coming from me.

Q. What is the domain name that was added as the browser’s homepage?

A. http://www.skyinet.net/

Q. The malware replicated itself into 3 locations, what are they?

A. C:\Windows\System32\MSKernel32.vbs, C:\Windows\System32\LOVE-LETTER-FOR-YOU.TXT.vbs, C:\Windows\Win32DLL.vbs

Q. What is the name of the file that looks for the filesystem?

A. WinFAT32.exe

Q. Which file extensions, beginning with m, does this virus target?

A. mp3, mp2

Q. What is the name of the file generated when the malware identifies any Internet Relay Chat service?

A. script.ini

Q. What is the name of the password stealing trojan that is downloaded by the malware?

A. BAROK

Q. What is the name of the email service that is targeted by the malware?

A. HKEY_CURRENT_USER\Software\Microsoft\WAB\

Q. What is the registry entry responsible for reading the contacts of the logged in email account?

A. outlook

Q. What is the value that is stored in the registry to remember that an email was already sent to a user?

A. 1
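Every answer above was recovered by reading the script in a text editor. As an added example (not part of the original write-up), the following Python helper automates that static triage: it pulls registry keys, URLs, dropped file names and targeted extensions out of VBScript text and flags the self-copy plus address-book combination. The SAMPLE is a constructed stand-in containing only the indicator values from this write-up, not the worm's source; the regexes and function names are my own.

```python
import json
import re

# Constructed stand-in for the analysed VBScript: a handful of indicator-bearing
# lines written for this example, NOT the worm's source. The values are the ones
# the write-up recovered with a text editor.
SAMPLE = r'''
ws.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.skyinet.net/"
c.Copy(sysdir & "\MSKernel32.vbs")
c.Copy(sysdir & "\LOVE-LETTER-FOR-YOU.TXT.vbs")
c.Copy(windir & "\Win32DLL.vbs")
Set a = fso.GetFile(sysdir & "\WinFAT32.exe")
Set s = fso.CreateTextFile(ircdir & "\script.ini")
If ext = "mp3" Or ext = "mp2" Then
ws.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\")
ws.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\" & addr, 1
'''

# One regex per indicator class; each captures the quoted value only.
RX = {
    "registry_keys": re.compile(r'"(HK(?:EY_[A-Z_]+|CU|LM|CR|U)\\[^"]+)"'),
    "urls": re.compile(r'"(https?://[^"]+)"'),
    "dropped_files": re.compile(r'"\\([^"\\]+\.(?:vbs|exe|ini))"', re.I),
    "targeted_extensions": re.compile(r'\bext\s*=\s*"([a-z0-9]+)"', re.I),
}


def extract_indicators(script_text):
    """Return {indicator class: sorted unique values} found in the script text."""
    return {name: sorted(set(rx.findall(script_text))) for name, rx in RX.items()}


def triage(script_text):
    """Summarise the behaviours the challenge questions ask about."""
    ind = extract_indicators(script_text)
    vbs_copies = [f for f in ind["dropped_files"] if f.lower().endswith(".vbs")]
    reads_wab = any("\\WAB\\" in k for k in ind["registry_keys"])
    return {
        "self_copies": vbs_copies,
        "homepage_urls": ind["urls"],
        "irc_script_drop": "script.ini" in ind["dropped_files"],
        "reads_outlook_address_book": reads_wab,
        "targeted_extensions": ind["targeted_extensions"],
        # Copying itself as .vbs AND walking the WAB is the mass-mailer
        # pattern worth escalating; either alone is weaker evidence.
        "mass_mailer_suspect": bool(vbs_copies) and reads_wab,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```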

Aditya Sharma