VIRUS ALERT!! IT'S TRUE: IT WORKS

greenspun.com : LUSENET : Unofficial Newcastle United Football Club BBS : One Thread

Don't open an e-mail with "I love you" as the title.

-- Anonymous, May 04, 2000

Answers

That'll cramp Gav's style a bit.

And does it apply to those you send yourself ? -)

-- Anonymous, May 04, 2000


We've just had that one and are currently resending each other about 50 emails a minute. Strange.

-- Anonymous, May 04, 2000

Things to do (so far!):

delete C:\WINNT\Win32DLL.vbs

Delete also C:\winnt\system32\LOVE-LETTER-FOR-YOU.TXT.vbs

In NT (not sure about 95/98) kill the WScript.exe process

You might also want to delete the following registry key - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL (although obviously pissin' about with yer registry is a dodgy thing to be doing in yer lunch break).

-- Anonymous, May 04, 2000


Dougal,
Thanks for the warning, sweety, disappointed though - thought my luck had changed at last.

-- Anonymous, May 04, 2000

10% of businesses down cos of this virus, incl a few biggies in the city

-- Anonymous, May 04, 2000


More virus fun and games...ILOVEYOU:

Drops in the Windows System MSKernel32.vbs

in Windows dir Win32DLL.vbs

in windows system LOVE-LETTER-FOR-YOU.TXT.vbs

in the internet download dir WinFAT32.EXE

in the internet download dir WIN-BUGSFIX.EXE

Infects files with the extensions:

vbs,vbe,js,jse,css,wsh,sct,hta

jpg,jpeg

mp3,mp2

Drops the file

script.ini

so that it worms out via mIRC

Sends itself to all users in the Addr book of Outlook with:

Subject: ILOVEYOU

Body:

kindly check the attached LOVELETTER coming from me.

And attachment:

LOVE-LETTER-FOR-YOU.TXT.vbs

-- Anonymous, May 04, 2000


Yep we had it. Closed off the LAN for an hour after limiting attachments to 10kb. What was that you put in Scratchy, impressed the hell out of me, but what was it in pillocks terms?

-- Anonymous, May 04, 2000

in pillock terms, if you get it, you're screwed (we've 11,500 mails stacked up in the exchange server).
In short, it attaches itself to your mail, and reproduces itself by sending to everyone in your address book - similar to the Melissa virus. The difference with this one is that it attaches itself to your browser (it adds the code to your homepage so when you open it up the virus repopulates itself on your system - so if you've deleted everything bar the browser stuff and think you're ok and then open up your browser you're buggered).
The symantec homepage (the Norton boys) will have further details, but as a million IS people are trying to access the site to see WTF is happening you're not likely to get much more other than gossip like this :o).

-- Anonymous, May 04, 2000

Call me a plum (you probably do anyway!), but, if we receive it, can we just delete it without opening it? Or does the fact that you have clicked on it, even with the delete button mean that you've let it in, so to speak? And don't come back at me with any of that computer pi r squared type stuff - 'cos I won't understand! (:o)

Also, if we don't get it - should we take it personally! (:o)

-- Anonymous, May 04, 2000


Sometimes it's nice to not be loved! ;-)

does this only infect the systems of people using Outlook?

-- Anonymous, May 04, 2000



Didn't see your latest posting Scratchy - I was too busy posting myself! So the answer 'no' - you can't just delete it? (:o|

-- Anonymous, May 04, 2000

You can just delete the email without opening it.

-- Anonymous, May 04, 2000

Thank you Geordie! I'm still awfully wet behind the cyber-ears! (:o)

-- Anonymous, May 04, 2000

Just got this on our IntraNet page.

Virus alert! Destructive new e-mail virus

A destructive new virus called VBS.LoveLetter.A has appeared, initially in Europe, and is expected to spread rapidly. It spreads by asking e-mail recipients to detach a file called LOVE-LETTER-FOR-YOU.TXT.vbs from a message titled ILOVEYOU.

There is no virus definition for it at this time, although one should be forthcoming. If you receive the email and the attachment, it is important that you delete the email. Do not open the attachment under any circumstances: this is a malevolent virus that destroys files.

So, according to this, it requires that you open the attachment. I would assume therefore that if you delete the note without opening the attachment, you should be OK.

Ah! As I type, we have just had a tannoy announcement telling us to delete any such notes before opening them.

-- Anonymous, May 04, 2000


They've got to the tannoy as well? Is nothing safe anymore? This is worse than the Nam...

-- Anonymous, May 04, 2000


I heard no Tannoy! ;-))

It's opening the attachment that is the problem so you can happily open email but not attachments. I don't know of a mail reader that automatically opens attachments .... does anyone? bliddy stupid if it does.

-- Anonymous, May 04, 2000


Galaxy,

"Call me a plum "

Does that mean we have to call Yelli Little Plum the red Indian plumber? Or is she more like Brown Fox, the tricky Fulchester winger? :-)

-- Anonymous, May 04, 2000


I agree Geordie. You were probably in the pub when the Tannoy announcement was done - or you thought it was the usual fire alarm check and just ignored it.

Here's what Aunty Beeb is saying:

I love you

-- Anonymous, May 04, 2000


OK - so how many of you s@d b@st@rds haven't had an E-mail with the title "I love you"? Disappointing, ain't it.

-- Anonymous, May 04, 2000

If I was a really cruel mother (which I am not), I would show you all a picture of Yelli dressed up as a red indian! I think she was about six years old at the time! So yes, I guess Little Plum would be highly appropriate! (:o)

-- Anonymous, May 04, 2000

Oooooohhh! Vicious. The number of times members of my family insisted on showing people pictures of me wearing nothing but sunglasses and a smile...mind you, I was 26 at the time ba da ba da boom tish.

-- Anonymous, May 04, 2000

Softie, I got one of those piccies of you last time you had a few too many sherbets. I did think it was a bit OTT to do it in Trafalgar Square mind. Fortunately, the one of Dr Bill didn't come out as it was a bit over-exposed.

-- Anonymous, May 04, 2000

Tannoy done! They obviously reckon us Hursley folk are intelligent enough not to open weird attachments! You Manchester bods clearly need every bit of help you can get ;)

-- Anonymous, May 04, 2000

The abovementioned piccie of Softie can be seen on thegallowgate page! ;-))

-- Anonymous, May 04, 2000

Ooh no Steph. Not the one I'm talking aboot. That will remain secret, or until next time I get rat-@rsed.

-- Anonymous, May 04, 2000

Profile

Virus Name: VBS/Loveletter

Aliases: VBS.Loveletter.a

Variants: None

Date Added: 5/4/00

Virus Information

Discovery Date: 5/4/00

Origin: Philippines

Type: Virus

SubType: VbScript

Risk Assessment: High-Outbreak

Minimum Dat: 4077

Minimum Engine: 4.0.35

Virus Characteristics

This is a VBScript worm with virus qualities. This worm will arrive in an email message with this format:

Subject "ILOVEYOU"
Message "kindly check the attached LOVELETTER coming from me."
Attachment "LOVE-LETTER-FOR-YOU.TXT.vbs"

If the user runs the attachment the worm runs using the Windows Scripting Host program. This is not normally present on Windows 9x or Windows NT unless Internet Explorer 5 is installed.

When the worm is first run it drops copies of itself in the following places :

C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
C:\WINDOWS\WIN32DLL.VBS
C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS

It also adds the registry keys :

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL=C:\WINDOWS\Win32DLL.vbs

in order to run the worm at system startup.

The worm replaces the following files:

*.JPG *.JPEG *.MP3 *.MP2

with copies of itself and it adds the extension .VBS to the original filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm.

The worm also overwrites the following files:

*.VBS *.VBE *.JS *.JSE *.CSS *.WSH *.SCT *.HTA

with copies of itself and renames the files to *.VBS.

The worm creates a file "LOVE-LETTER-FOR-YOU.HTM" which contains the worm and this is then sent to the IRC channels if the mIRC client is installed. This is accomplished by the worm replacing the file SCRIPT.INI.

After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address book. The mails will be of the same format as the original mail.

This worm also has another trick up its sleeve in that it tries to download and install an executable file called WIN-BUGSFIX.EXE from the Internet. This exe file is a password stealing program that will email any cached passwords to the mail address MAILME@SUPER.NET.PH

In order to facilitate this download the worm sets the start-up page of Microsoft Internet Explorer to point to the web-page containing the password stealing trojan.

The email sent by this program is as follows :

-------------copy of email sent-----------
From: goat1@192.168.0.2
To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Host: [machine name]
Username: [user name]
IP Address: [victim IP address]

RAS Passwords:...[victim password info]
Cache Passwords:...[victim password info]
-------------copy of email sent-----------

The password stealing trojan is also installed via the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

to autorun at system startup. After it has been run the password stealing trojan copies itself to WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE

Symptoms VirusScan 4.0.3+ Toolkit 8

Method Of Infection VirusScan 4.0.3+ Toolkit 8

Removal Instructions

Script,Batch,Macro and non memory-resident: Use specified engine and DAT files for detection and removal.

Note- It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

PE,Trojan,Internet Worm and memory resident: Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use an emergency boot diskette and use the command line scanner such as "SCANPM C: /CLEAN /ALL"

DAT not yet available: In the event you have this virus, trojan or Internet worm on your system(s) and the specified DAT is not yet available, refer to the documentation posted for submitting a sample to McAfee AVERT for resolution.

Further info @ http://vil.nai.com/villib/dispVirus.asp?virus_k=98617



-- Anonymous, May 05, 2000
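A triage check built from the file names and registry value names in the description quoted above, as an added example that is not part of the original post or of any vendor tool. The function names, the sample directory tree and the sample registry values are constructed for illustration; the indicator names come from the post.

```python
import os
import tempfile

# Indicator names as listed in the description quoted in the thread.
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
           "love-letter-for-you.htm", "win-bugsfix.exe", "winfat32.exe"}
REPLACED_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}   # replaced, ".vbs" appended
RUN_VALUES = {"mskernel32", "win32dll", "win-bugsfix", "winfat32"}

def classify(filename):
    """Return 'dropped', 'replaced' or None for a single file name."""
    name = filename.lower()
    if name in DROPPED:
        return "dropped"
    stem, ext = os.path.splitext(name)
    # PICT.JPG.VBS pattern: a media extension hidden under a trailing .vbs
    if ext == ".vbs" and os.path.splitext(stem)[1] in REPLACED_EXTS:
        return "replaced"
    # Overwritten scripts (.js, .css, ...) end up as plain *.vbs and cannot be
    # told apart by name; those need a content check or a restore from backup.
    return None

def scan_tree(root):
    """Walk root and return sorted (kind, path relative to root) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            kind = classify(f)
            if kind:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                findings.append((kind, rel))
    return sorted(findings)

def suspicious_run_values(run_values):
    """run_values: value name -> data, as read from the Run/RunServices keys."""
    return sorted(n for n in run_values if n.lower() in RUN_VALUES)

def demo():
    """Constructed sample tree and registry values; empty files only."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("SYSTEM/MSKernel32.vbs", "Win32DLL.vbs", "pics/PICT.JPG.VBS",
                    "pics/holiday.jpg", "scripts/backup.vbs"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        files = scan_tree(root)
    keys = suspicious_run_values({"MSKernel32": r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
                                  "SystemTray": "SysTray.Exe"})
    return files, keys
```

Each "replaced" hit names an original picture or music file that was overwritten, so the list doubles as a restore-from-backup inventory.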

