Description
Win32.HLLM.LoveLorn is a mass-mailing worm written in Borland C++. It affects computers running under Windows 95/98/Me/NT/2000/XP. The worm's size is 102,400 bytes.
Launching
To launch automatically at every Windows startup, the worm adds the value
"explorer" = "%SYSTEM%\explorer.exe"
to the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Spreading
The worm propagates to all the addresses found in the local Windows address book (WAB). It generates mail messages sent from the infected computer using its own SMTP engine.
The worm inserts a yahoo.com-based sender's address, for example love_lorn@yahoo.com, thuyquyen@yahoo.com or lovelorn@yahoo.com, into the From: field.
The subjects of the messages formed by the worm vary and may be the following:
Read this file Help... Re:baby!your friend send this file to you ! HELP??- Enjoy Read File attach . Re:Get Password mail... There're some Passwords here Re:Binladen_Sexy.jpg The Sexy story and 4 sexy picture of BINLADEN ! Souvenir for you from file attach... See the Greeting-card . Re:I Love You...OKE! A Greeting-card for you . Read file attach I like Sexy with you. Re:Kiss you.. Guide to fuck ... Play the game from file attach Help. Re:Baby! 2000USD,Win this game...
The texts accompanying messages may be the following:
Read this file Help... Enjoy Read File attach . run File Attach to extract:BinladenSexy.jpg... Enjoy! BINLADEN:SEXY.. Souvenir for you from file attach... See the Greeting-card . I like Sexy with you. Play the game from file attach
The attachments to all message types are named %%%.KISS.OK.EXE or %%%.HTM, where %%% is a variable part that may be, for example, lovelorn, love_lorn or thuyguyen.
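A mail-gateway check for the sender addresses and attachment names listed in this section, given as an added example that is not part of the original description. The function names, the example.org addresses and the sample messages are constructed for illustration, and the indicator sets contain only the values the description gives as examples.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from the description; the page gives them "for example",
# so the sets are not exhaustive. Spellings are kept as printed on the page.
SENDERS = {"love_lorn@yahoo.com", "thuyquyen@yahoo.com", "lovelorn@yahoo.com"}
STEMS = {"lovelorn", "love_lorn", "thuyguyen"}
EXE_RE = re.compile(r"\.kiss\.ok\.exe$", re.IGNORECASE)  # fixed name tail
HTM_RE = re.compile(r"^(.+)\.htm$", re.IGNORECASE)  # stem is checked below


def lovelorn_indicators(raw):
    """Return the LoveLorn indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in SENDERS:
        hits.append("sender:" + sender)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        htm = HTM_RE.match(name)
        # The .KISS.OK.EXE tail is distinctive alone; .HTM needs a known stem.
        if EXE_RE.search(name) or (htm and htm.group(1).lower() in STEMS):
            hits.append("attachment:" + name)
    return hits


def build_sample(sender, filename):
    """Constructed test message carrying an inert placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = "Help..."
    msg.set_content("Read File attach .")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for args in [("love_lorn@yahoo.com", "lovelorn.KISS.OK.EXE"),
                 ("alice@example.org", "report.htm")]:
        print(args, "->", lovelorn_indicators(build_sample(*args)))
```

Subjects and body texts are left out of the match because the description says they vary and several of them are generic phrases.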
Action
Once released on a computer, the worm drops several files to the %System% folder (in Windows 9x and Windows ME it is C:\Windows\System, in Windows NT/2000 it is C:\WINNT\System32, in Windows XP it is C:\Windows\System32):