Blue Team Labs- ILOVEYOU

This would be our ninth write-up for the Blue Team labs challenge series, we’ll start with the ILOVEYOU challenge.

Brief overview of ILOVEYOU virus.

ILOVEYOU is also known as the “love letter virus” and the “love bug worm.” Although commonly referred to as a computer virus, ILOVEYOU is actually a worm (A computer worm is a malicious piece of software that replicates itself from one computer to another without human interaction).

This virus comes in an email with “ILOVEYOU” in the subject line and contains an attachment that, when opened, results in the message being re-sent to everyone in the recipient’s Microsoft Outlook address book. Perhaps more seriously, it results in the loss of every JPEG, MP3 and certain other files on all recipients’ hard disks. The attachment in the ILOVEYOU virus is a VBScript program that recipients at the time mistook for a simple text file.

Reference- https://searchsecurity.techtarget.com/definition/ILOVEYOU-virus

Given Scenario,

ILOVEYOU the 3 magical words which have an impact in most of the people’s life.
On the other hand, these 3 words don’t need any introduction for the people in the Infosec industry.

Let’s relive history by analysing the ‘ILOVEYOU’ malware.

In order to solve this challenge, a zip file would be available to download, named “Malware Sample Password”, Password to access this zip and the inner folder is given in the picture below.

NOTE- My suggestion would be to open this infected file in a VM machine(Linux preferably), or you will be affected with these three magical words ;’)

Tools/Utility used-

1. Text Editor

Q. What is the text present as part of email when the victim received this malware?

A. kindly check the attached LOVELETTER coming from me.

Q. What is the domain name that was added as the browser’s homepage?

A. http://www.skyinet.net/

Q. The malware replicated itself into 3 locations, what are they?

A. C:\Windows\System32\MSKernel32.vbs, C:\Windows\System32\LOVE-LETTER-FOR-YOU.TXT.vbs, C:\Windows\Win32DLL.vbs

Q. What is the name of the file that looks for the filesystem?

A. WinFAT32.exe

Q. Which file extensions, beginning with m, does this virus target?

A. mp3, mp2

Q. What is the name of the file generated when the malware identifies any Internet Relay Chat service?

A. script.ini

Q. What is the name of the password stealing trojan that is downloaded by the malware?

A. BAROK

Q. What is the name of the email service that is targeted by the malware?

A. HKEY_CURRENT_USER\Software\Microsoft\WAB\

Q. What is the registry entry responsible for reading the contacts of the logged in email account?

A. outlook

Q. What is the value that is stored in the registry to remember that an email was already sent to a user?

A. 1