

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

This Knowledge Base document is divided into the following sections:

Through email as a chain letter, using the Outlook email application. ILOVEYOU is also an overwriting VBS virus, and it spreads itself using the mIRC (Internet Relay Chat) client as well.

When it is executed, ILOVEYOU first copies itself to the Windows.

Then it adds itself to the registry, so it will be executed when the system is restarted.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

Next, the worm replaces the Microsoft Internet Explorer home page with a link that points to an executable program called

This to the registry as well, causing the program to execute when you

The executable part that the ILOVEYOU worm downloads from the

Trojan tries to find a hidden window named BAROK.

Immediately if not, the main routine takes control.

The Trojan checks for the "WinFAT32" subkey in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

If the "WinFAT32" subkey is not found, the Trojan creates it, copies itself to the \Windows\System\ directory as WINFAT32.EXE, and then runs the file from that

The above registry key modification makes the Trojan become

Next, the Trojan sets the Internet Explorer startup page to.

Window titled BAROK., and remains resident in
