What Happens When You Download a Computer Virus?

By CyberSec Weekly. Published in ILLUMINATION, Feb 16, 2023.

This article is available in video format:

https://youtu.be/r6b4RGn3kcw

This article is a rundown of exactly what happens when you download a virus. The virus I’m going to use as the example is called ILOVEYOU.

The ILOVEYOU virus is a particular type of virus known as a worm. It was created by a university student from the Philippines in 2000. The goal of the virus was to steal internet users’ passwords to make internet access free for everyone.

Now that you have a basic understanding of ILOVEYOU, here is the second-by-second breakdown.

[-10s]

Imagine this — you are browsing the web and suddenly receive an email from someone you know.

[-5s]

It’s titled ILOVEYOU, and contains an attachment.

[0s]

Intrigued, you click on it and open the attachment: LOVE-LETTER-FOR-YOU.TXT.vbs.

[1s]

Now you’ve opened it, and it turns out to be neither a text file nor a love letter. You have in fact activated a script written in a programming language known as Visual Basic.

[2s]

ILOVEYOU then copies itself onto your Windows system as two files, MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs.

[5s]

It also copies itself to the Windows directory as Win32DLL.vbs.

[6s]

Next it copies itself to the Windows registry, which is a database that stores settings for your device’s operating system. This means that it will be executed when the system is restarted.

[7s]

The browser homepage is replaced with a link to a program called WIN-BUGSFIX.exe, meaning that when you click on your browser it is downloaded and also added to the Windows registry. When activated, this program carries out an attack known as a trojan horse attack, which in this case is programmed to steal passwords.

[10s]

You’ve noticed something wrong with your computer, but you don’t know what has just been downloaded or where, so you decide to restart your computer… a fatal mistake.

[1 minute]

Your computer has successfully restarted, or so you thought. All of a sudden the virus starts taking action. It starts by looking for a hidden window named BAROK… If the window is present, the trojan will exit. If not, the trojan will look for something called WinFAT32, and if it is not there it will create it and copy itself into the directory as WINFAT32.EXE. This allows the trojan to be active every time the computer is run.

[1 minute and 1s]

The trojan sets the browser homepage to about:blank and deletes several keys that help prevent it from accessing passwords.

[1 minute and 2s]

The trojan creates a hidden window titled BAROK… so it can remain resident in Windows as a hidden application.

[1 minute and 3s]

The trojan now steals all the passwords and sends a specific type of password, called RAS passwords, to the email address mailme@super.net.ph in an email titled ‘Barok… email.passwords.sender.trojan’, along with some text that reads ‘barok …I hate go to school suck’.

[1 minute and 4s]

After that, an HTML file called LOVE-LETTER-FOR-YOU.HTM is created, which contains the worm. The HTML file details the email that will be sent to the next victim, with a subject line of ILOVEYOU and some text reading ‘kindly check the attached love letter coming from me’.

[1 minute and 5s]

Furthermore, the virus searches for certain file types and either deletes them or overwrites them. It will create files with the same name but with a .vbs extension.

Within 1 minute and 5s the virus has done its job and has now sent itself to all your contacts.

This particular virus used this technique to infect an estimated 50 million computers, which at the time represented 10% of the world’s computers, some of them belonging to the CIA or the Pentagon. The total damage came to as much as $15 billion, and it is obvious why it is considered one of the worst computer-related disasters in history.
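The attachment opened at [0s], LOVE-LETTER-FOR-YOU.TXT.vbs, puts a harmless-looking extension in front of the one Windows actually acts on. The following is an added example, not part of the original article, of how a mail filter could flag such names; the extension lists, function names and sample file names are assumptions made for illustration.

```python
import os

# Extensions Windows runs or hands to a script host (illustrative, not exhaustive).
ACTIVE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
               ".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".lnk"}
# Extensions a recipient would take for a harmless document or media file.
DECOY_EXTS = {".txt", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".htm",
              ".html", ".jpg", ".jpeg", ".png", ".gif", ".mp3"}

# Constructed sample attachment names; only the first comes from the article.
SAMPLE = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "minutes.txt", "photo.JPG.VBS",
          "invoice.pdf          .exe", "setup.exe", "notes.txt.vbs. ",
          "C:\\Temp\\budget.xls.scr", "archive.tar.gz"]


def classify_attachment(filename: str) -> str:
    """Return 'deceptive', 'active' or 'ok' for an attachment file name."""
    # Keep only the last path component; some clients pass a full path.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces, so "x.vbs. " opens as "x.vbs".
    name = name.rstrip(". ").lower()
    stem, last = os.path.splitext(name)
    if last not in ACTIVE_EXTS:
        return "ok"
    # Padding before the real extension ("a.pdf      .exe") pushes it out of view.
    _, previous = os.path.splitext(stem.rstrip())
    return "deceptive" if previous in DECOY_EXTS else "active"


def flag_attachments(names):
    """Return (name, verdict) pairs for every name that is not 'ok'."""
    verdicts = ((n, classify_attachment(n)) for n in names)
    return [(n, v) for n, v in verdicts if v != "ok"]


if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLE):
        print(f"{verdict:10} {name!r}")
```

A "deceptive" verdict is the stronger signal for quarantine; "active" covers script or executable attachments that make no attempt to look like a document.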

If you enjoyed reading this article, you should consider subscribing to my cybersecurity newsletter.