ILOVEYOU


Gazoo
05-04-2000, 10:51 AM
Ok, this virus is apparently spreading like wild fire. However, other than propagating itself very quickly, what damage is it doing and/or is it capable of?

KimKatt
05-04-2000, 10:59 AM
See Symantec's writeup here:

http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html

There is also another thread on this here:

http://boards.straightdope.com/sdmb/showthread.php?threadid=23522

Dragwyr
05-04-2000, 01:01 PM
You know what boggles my mind is that this virus, like the Melissa virus, takes advantage of loopholes in MS Outlook, and people say that it can infect ANYBODY! The media in general (TV, Radio, Newspapers) doesn't take that into account and ends up blowing the whole thing out of proportion.

Everyone where I work was paranoid about this virus bringing down our system and they didn't even bother to notice that we don't use Outlook. What's the deal with that?

Fenris
05-04-2000, 01:13 PM
You know what boggles my mind is that this virus, like the Melissa virus, takes advantage of loopholes in MS Outlook, and people say that it can infect ANYBODY! The media in general (TV, Radio, Newspapers) doesn't take that into account and ends up blowing the whole thing out of proportion.

Everyone where I work was paranoid about this virus bringing down our system and they didn't even bother to notice that we don't use Outlook. What's the deal with that?


It can infect anyone who can get email and is on a Windows-based system.

The virus can only propagate itself through Outlook Express's address book.

If I understand correctly, if you get the virus, it edits your registry so that it loads each time the system is started, it kills all your .mp3s and .jpgs (among others) and creates copies of itself with the name of your files (Myphoto.jpg @ 123K becomes Myphoto.jpg.vbs at 11K). It then checks out your Outlook express address book and, if you have one, it mails itself to everyone in the address book. So even if you don't use Outlook, you're still vulnerable, but you're not contagious.

Fenris

sdimbert
05-04-2000, 01:48 PM
Ahem...


5.4.2000

Dear MacConnect Customer,

Many of you may have heard that yet another virus is circulating on the Net - the ILOVEYOU virus. This virus, like any virus, is designed to do some damage to the systems of those it infects.

Take heart, however, in that you are using a Macintosh! The ILOVEYOU virus relies on .exe files found in the Windows universe and therefore can do nothing to your trusty Mac. Should you get an email message with the subject "I LOVE YOU", just delete it and go about your business. No harm done.

Thank you for your continued support of MacConnect. Happy surfing!

Drew Linsalata
President/CEO
MacConnect - Connecting the Mac OS to the World
http://www.macconnect.com

Lord Jim
05-04-2000, 03:57 PM
Fenris, said
It can infect anyone who has can get email and is on a Windows-based system.
I'm not sure that's true, however it is better to be safe than sorry. The attached file is a ".VBS" file. The email client would have to run the script file to get infected. I don't think all Windows email clients do that. However, I think the rest of what you say is true.

There is something that you can do even if you have Outlook or Outlook Express besides the obvious "Don't open suspicious email attachments". (20 people didn't all of a sudden fall in love with you and decided to send you the exact same email). There is a security setting in Outlook Express that sets the "Security Zone" to be used for email. I set mine to "Restricted Zone" which turns off almost all scripting and puts it into "High Alert" mode.

I believe that was one of the recommendations from Microsoft when Melissa was first going around. Of course they don't bother to make it the default.

Jim

JoeyBlades
05-04-2000, 06:03 PM
Take heart, however, in that you are using a Macintosh!


Current score: <50 to >50,000 ...


Mac viruses to PC viruses... as in golf, lower scores are preferable!

sdimbert
05-04-2000, 06:07 PM
Take heart, however, in that you are using a Macintosh!


Current score: <50 to >50,000 ...


Mac viruses to PC viruses... as in golf, lower scores are preferable!


Hear hear!

Jois
05-04-2000, 06:35 PM
Seems like it is going through businesses and businesses that do business with the gov't. What a gutless thing to do. What are the chances that this dope will be caught?

WillGolfForFood
05-04-2000, 06:40 PM
Pretty good, I'd think - they've already identified the four sites (actually, four locations on a single site) where the worm goes to for updates (and the ISP responsible for that site has already been knocked off of the Internet, presumably until those four locations are scrubbed), and it sounds like there were a number of other clues left behind.

Squee
05-04-2000, 06:47 PM
If there is a silver lining to this fiasco, it's that maybe it stopped the spam from getting into my inbox today. Usually by this time of day I have about 20 junk mail messages, but I haven't gotten a single one today! :)

handy
05-05-2000, 10:31 AM
Sometimes I wonder what all the excitement is about because you can get a Virus Creation Lab on the net then Create your own viruses & spread them....As a matter of fact, you can get the viruses on the net as files, you know, a pure virus file to release into the internet. Shucks, those things are free everywhere, I'm surprised they aren't used more than they say.

Arnold Winkelried
05-05-2000, 10:43 AM
FYI:

Haven't seen this confirmed anywhere else yet, but I've heard this today from the network support people at my company:

Update:
We have found two new variants of the Loveletter virus.
The b variant has the subject "Susitikim shi vakara kavos puodukui..." The DOC is the same.
The c variant has the subject "Joke" and the DOC is called VeryFunny.vbs. They are basically the same, but do have some minor changes.

Lord Jim
05-05-2000, 12:14 PM
I got this from a Reuters news article on Yahoo! News:
"The e-mail appears to be a confirmation of an order for 'Mother's Day diamond special,' and the attached file mothersday.vbs is portrayed as if it were an invoice. With only eight days to go until Mother's Day, this attack is quite credible," he said. F-Secure has identified five variants so far in its efforts to keep pace with the worldwide assault.

This includes the "Joke" one mentioned by Arnold, but I don't know about the others. It looks like it's going to be a while before this one gets under control

Jim

Centerline
05-05-2000, 01:12 PM
"Current score: <50 to >50,000 ...


Mac viruses to PC viruses... as in golf, lower scores are preferable! "

Hmmm....I should probably fire up my old CP/M boat anchor. No one's attacking those! Just got to get away from the human race and be a hermit.

HorseloverFat
05-05-2000, 09:02 PM
Downloading the .vbs file and executing it will ruin all sorts of files on your machine, but thanks to MS 'innovations' just clicking on it (which shows it in the preview panel in Outlook) will set it off. This is almost *exactly* how Melissa worked.

Outlook is unbelievably unsecure, be it from this visual basic loophole or the built in HTML and Active X controls. I can't stress how anyone who values their data and privacy should not use any MS mailers, in fact you should disable ActiveX if you're using IE and remove Microsoft services (ports 137-139) from your TCP/IP protocol unless you use it often. There are some great *free* and non-free mailers out there, but too many IT managers and end users are in love with MS's brand name. After Melissa I can't feel any sympathy for them.

Right now I'm sure a few thousand people are working on the next big MS exploit, wanna protect yourself stop using unsecure MS products.

Sofa King
05-05-2000, 11:52 PM
Horselover, you're dead on for the most part, but it's part of the toil of building the Tower of Babel. The main reason why other platforms are not as exploited is because they aren't as well used. In some cases, they aren't as well used because they aren't as flexible. In others, it is a case of lemmings off the cliff. And then there is that little bit about *ahem* trust violations. But the crux of the matter is that if you want to roam, you must do as the roamers do, or risk being sacked.

All right. I've degraded to puns. Time to pass out. [lurk mode ON]

SPOOFE
05-06-2000, 04:30 AM
::sigh::... Mac lovers... always missing the painfully obvious...

The point of a computer virus is to cause as much damage as possible. The reason nobody makes a virus for a Mac is 'cuz nobody WANTS to. That's like declaring war with Antarctica.

Sorry to get off topic, but such "missing-the-point"-ness must be addressed.

ON TOPIC... computer viruses (viri...? nevermind) will always be aimed at the biggest target... that is, the non-computer-savvy teenage PC-user, mostly, and/or their parents. People like that are more likely to be gullible, and would probably use Outlook to make their E-mail easier. And most people don't really know how to use a computer that well, anyway (I once had to spend ten minutes teaching someone how to delete files).

A computer virus is the disease of the ignorant... not one for us 'Dopers here, right?

Kyberneticist
05-06-2000, 09:31 AM
The other reason viruses for Windows are so popular is that Windows allows programs to do almost whatever they want with the system. Time and again I will walk up to a public library, or mall computer, and despite having had almost everything that makes up an operating system disabled, be able to edit the config.pol file, or run telnet, or open a command prompt.

There are no real permission levels, which is probably why viruses don't spread as easily on a WinNT network, and even fewer Linux viruses, despite them being written for the same chipset.

I've heard the reason Windows 95/98/2000 home edition are not secure is only because of games. Apparently game performance depends on direct access to system hardware.

Hm. On the other hand, Macs aren't terribly secure either (although OSX may be changing that). A quick net search indicates estimates of between two and three hundred Mac viruses.

Well, despite being safe due to using Linux, I would just like this opportunity to say.

*STUPID STUPID USERS!* What were you thinking? This is just the same as the melissa virus! Delete strange attachments, do not run or view them! E-mail the person asking them what it was!
Heck, I delete all my spam/strange mail in pine, just so that Netscape doesn't parse the cgi/cookie requests and encourage spammers.

Ok. Done ranting.

Sterra
05-06-2000, 09:48 AM
Yeah I was getting all these weird emails with innocent enough looking names but all the contents were empty and there were attachments. I deleted them so I don't know if they were anything though. Funny enough, I don't value my data or my privacy, just my time

coosa
05-06-2000, 03:51 PM
I posted something similar over in the Pit, but thought I'd post a quick defense here. Please, everyone who opened one of those attachments isn't 'stupid'. A friend of mine received an e-mail from her daughter's e-mail addy. The 'ILOVEYOU' was attached. With Mother's Day coming up, my friend assumed this was something sweet and loving from her daughter, and opened it.

According to McAfee, there is also a variant that claims to be a virus update from Symantec! I believe that when I checked this morning, there were 8 variants listed.

HorseloverFat
05-06-2000, 08:23 PM
*STUPID STUPID USERS!* What were you thinking? This is just the same as the melissa virus! Delete strange attachments, do not run or view them! E-mail the person asking them what it was!



Considering Outlook runs the .vbs file in the preview pane and the mail will come from someone you know (it uses address books) it's not the user's fault, for the most part. Their only fault is using Outlook, it is not secure and MS targets new computer users with their advertising.

Kyberneticist
05-07-2000, 10:49 AM
Really? Never having used outlook I wouldn't know, but I imagined the preview pane to be a preview of the attachment.
Even if an executable comes from a friend I still ask them what it was and where they got it before running it. Some of my friends would forward pretty much anything.

yabob
05-07-2000, 12:18 PM
Another contributing factor is MS's belief that everything has to have a scripting language buried in it somewhere. Hence, you get viruses transmitted by things like word doc's and excel spread sheets which, to the casual user, seem like read-only things which ought to be "safe".

I fully understand how such features get proposed - it provides sort of an "ultimate escape hatch" to allow people to do all kinds of stuff you couldn't explicitly provide functionality for, and probably wouldn't have thought of in the first place. I've made arguments like that myself.

Trouble is, it can be very difficult to keep such a mechanism in desired boundaries, or even define what those boundaries are. For instance, it might be useful for me to be able to provide a word doc for you that is tailored using information obtained by looking at configuration files on your system, rather than having to say "go look at foo.config, and if it says 'farblesnarb' do this ..." ... but giving the word doc access to the file system, even read-only access, may be a bad idea.

If we're really going to operate in an interconnected environment like this, both OS security and users are going to have to grow up. Something which talks to the outside world, like a mailer or a browser really needs to provide a "playpen" for its attachments to run in, there needs to be a negotiated contract with the attachment concerning the sorts of communication / system access services it needs, and the user should be prepared to have some picture of what this implies ("do you want to let this attachment read files on your machine ...?"). Off the top of my head, in the current Windows environment, I would provide "permission aware" DLL's and a special linkage operation for running things like viewers and helper app's out of mailers which would keep them from using the normal Windows SDK. They'd run slower, but more securely ("naughty attachment! I didn't tell you you could write files ...").

Una Persson
05-07-2000, 01:03 PM
I've heard a lot of people sniff and say the virus code is amateurish and simple, but in looking at it I think it has several clever points. It showed me some things I could do with VBS that I didn't know about. In fact, I lifted some of the code to make a couple cool utilities for myself.

And if someone with my limited skills can do that, how many copycats will there be?

I agree with all of the following points, however:
1) Don't open strange attachments, etc.
2) Windows and Outlook have huge security holes, etc.
3) The disruption caused by it was awful, and the creator was lame. At least they could have pretended to have a Cause or something, not "i hate go to school". Yup, no way are you a loser.

Elthia
05-07-2000, 11:20 PM
The other reason viruses for Windows are so popular is that Windows allows programs to do almost whatever they want with the system. Time and again I will walk up to a public

Which is why linux/unix/etc rocks. *grin*


*STUPID STUPID USERS!* What were you thinking? This is just the same as the melissa virus! Delete strange attachments, do not run or view them! E-mail the person asking them what it was!
Heck, I delete all my spam/strange mail in pine, just so that Netscape doesn't parse the cgi/cookie requests and encourage spammers.
Ok. Done ranting.


Excellent advice in any case, but rarely followed through on except by paranoid nutcases like us. *innocent look*

I got this straight off the bugtraq archives, I'm posting it in its entirety despite it being a bit long - those who understand it can talk about it, those who don't can ask about it, but information is always good to have.

And 'cause I'm too lazy to type the whole explanation out.

-Elthia

------------------------------

"ILOVEYOU" virus analysis

Forum: Denial of service attack against tcpdump
Date: May 04, 17:22
From: Steve Wolfe <telomere@INCONNECT.COM>

A brief analysis of the "iloveyou" virus that's now hitting quite a few
people....


------------------------------------------------------------
Disclaimer: This is information provided in good-faith, with the intent to
assist those afflicted by the virus. I am not responsible for any
consequence of reading or using this information.
------------------------------------------------------------

"iloveyou" is a virus/trojan that is spreading very prolifically, and
creating a headache for many IT employees. It is written in VBScript, and
proliferates itself via email.


Introduction. The virus proliferates itself via email, sending letters
with the subject "ILOVEYOU", and in the body, "kindly check the attached
LOVELETTER coming from me."

Attached is a VBScript file called "I-LOVE-YOU.TXT.vbs". The
capitalization is apparently an attempt to fool users if they are not
looking carefully, upon seeing the ".TXT", they think the file is a (safe)
text file, and run it.

Once executed, the script does the following:

1. If the key "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting
Host\Settings\Timeout" is set to a positive number in the registry, it is
set to zero. If it is not present, it is not affected.

2. The VBScript then saves a copy of itself to:

(a). \%%WINDIR%%\Win32DLL.vbs
(b). \%%SYSDIR%%\MSKernel32.vbs
(c). \%%SYSDIR%%\LOVE-LETTER-FOR-YOU.TXT.vbs

3. Sets the appropriate registry entries to start it on boot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 => (b)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL => (a)

4. Changes the MSIE home page to a presumably malicious URL. If the file
"WinFAT32.exe" exists, then it sets the startup page (contained in the
registry setting (HKCU\Software\Microsoft\Internet Explorer\Main\Start
Page) to one of the following URL's:

http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw65873
45gvsdf7679njbvYT/WIN-BUGSFIX.exe
http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786
324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgE
R67b3Vbvg/WIN-BUGSFIX.exe
http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwe
rasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

I haven't looked at those executables, but presumably, they are also of
malicious intent. The sites above were not reachable, I assume that the
onslaught has brought their web servers to their knees, or the
administrators have simply shut them down/blocked traffic.

5. If the "WIN-BUGSFIX.exe" file exists, it then sets it to run at boot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX => (download directory)\win-bugsfix.exe

and also sets the MSIE startup page to about:blank (a blank page).

6. It then prints out HTML, containing these messages:

This HTML file need ActiveX Control
To Enable to read this HTML file
- Please press #-#YES#-# button to Enable ActiveX

7. The ActiveX then sets the registry entries to make it run at boot, as
in step #3, and writes the files as in step 2.

8. The virus spreads itself. It opens up a MAPI connection to your
Outlook address list, and sends a copy of itself to each of the entries.

9. Enumerates disk drives and infects files.

In infecting the files, it searches each of the drives found, and does
the following:

(A) Any file with the extensions .vbs, .vbe, .js, .jse, .css, .wsh,
.sct, .hta, .jpg, or .jpeg are replaced with a copy of the virus. Then, it
appears that a copy of the virus is also written to the name of the file
with ".vbs" attached - for example, "logo.jpg" would be replaced with the
virus, and a file called "logo.jpg.vbs" would be created as well.

(B) If any file with the extensions .mp2 or .mp3 is encountered, it
will mark that file as hidden, then it will create a copy of itself with
that name with the .vbs extensions - for example, "macarena.mp3" would be
hidden, and a copy of the virus written to "macarena.mp3.vbs".

(C) If mirc32.exe, mirc.ini, script.ini, mirc.hlp or mlink32.exe is
encountered, it will write to the script.ini in that directory, and modify
it so that anyone joining a channel will be automatically sent a copy of
LOVE-LETTER-FOR-YOU.htm, containing the virus.


**NOTE** Although the code tries to replace .jpg files and .jpeg files as
well, on the infected system I looked at, they did not appear to have been
replaced by analyzing content, modification date, and size. I can't see
anything in the code that would make it break, so I have no clue why they
were not affected.

---------------------
Removal

Removing the virus is easy enough, but as another author said ("The
Pope"), it is painful, and if you have useful VBScript, WSH or other files
of similar nature (listed below), you may have already lost very valuable
data. The steps are:

1. Remove the registry entries

HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
remove *all* instances of the following files:

LOVE-LETTER-FOR-YOU.HTM
*.vbs
*.vbs
*.vbe
*.js
*.jse
*.css
*.wsh
*.sct
*.hta

Find hidden files of .mp2 and .mp3 extensions, and remove the "hidden"
bit.

It is also a good idea to clear the "documents" folder.

Now, for .jpg and .jpeg files... technically, they should be removed.
However, since jpg's are not executable, I do not see how they could affect
anything, but then again, I'm not all-knowing. Also, they did not appear
to have been infected on the machine I looked at, but that doesn't mean
that they won't be infected on your machine. The safest bet is to remove
them as well.

----------------------------
Prevention:

Delete the email if you receive it, and are using one of the MS Outlook
programs, do not open it if you receive it via IRC.

----------------------------
Overall comments

This virus doesn't really represent any new technology or technique, just
a mix of some commonly-known methods. The single semi-unique aspect is
using VBScript. By using unique capitalization of files
(LOVE-LETTER-FOR-YOU.TXT.vbs), it is possible to make many people think
that it's just a regular text file.

As to the origin of the virus, a comment section in the code claims
creation by "spyder", giving an email address, what appears to be a
company, and "Manila,Philippines". Whether the author would actually put a
real email address and location is questionable.


steve
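
An added example, not part of the thread or of the quoted Bugtraq analysis: a Python triage script that walks a directory tree and reports the on-disk artifacts that analysis lists, comparing each `.vbs` shadow with its sibling to tell whether the original was really overwritten (the analysis notes that .jpg files appeared untouched on the machine examined). The file names and extension lists come from the analysis; the function names and `kind` labels are assumptions made for this example.

```python
import hashlib
import os
import stat
import sys

# Names and extensions as listed in the analysis quoted above.
DROPPER_NAMES = {"win32dll.vbs", "mskernel32.vbs",
                 "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
OVERWRITTEN_EXTS = {".vbs", ".vbe", ".js", ".jse", ".css", ".wsh",
                    ".sct", ".hta", ".jpg", ".jpeg"}
HIDDEN_EXTS = {".mp2", ".mp3"}


def file_digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_hidden(path):
    """True/False on Windows; None where the hidden attribute does not exist."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def classify(path):
    """Return a finding dict for one file, or None if it is not of interest."""
    folder, name = os.path.split(path)
    lower = name.lower()
    if lower in DROPPER_NAMES:
        return {"path": path, "kind": "dropper-copy",
                "original": None, "hidden": None}
    stem, last = os.path.splitext(lower)
    inner = os.path.splitext(stem)[1]
    if last != ".vbs" or not inner:
        return None  # only "<name>.<ext>.vbs" shadows are examined further
    original = os.path.join(folder, name[:-len(".vbs")])
    present = os.path.isfile(original)
    if inner in HIDDEN_EXTS:
        # Step (B): original is hidden, not overwritten; clear the hidden bit.
        kind = "hidden-media" if present else "media-missing"
    elif inner in OVERWRITTEN_EXTS:
        # Step (A): sibling identical to the shadow means the data is gone.
        if not present:
            kind = "original-missing"
        elif file_digest(original) == file_digest(path):
            kind = "overwritten"
        else:
            kind = "original-intact"
    else:
        # Any other "<benign ext>.vbs" name, e.g. the .TXT.vbs attachment.
        kind = "double-extension"
    return {"path": path, "kind": kind,
            "original": original if present else None,
            "hidden": is_hidden(original) if present else None}


def scan(root):
    """Walk root and return all findings, sorted by path."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            finding = classify(os.path.join(folder, name))
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['kind']:18} {f['path']}")
```

A result of `original-intact` means only the `.vbs` shadow needs deleting; `overwritten` means both files are worm copies and the original has to come from backup.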

JoeyBlades
05-08-2000, 10:04 AM
Kyberneticist wrote:


Hm. On the other hand, Macs aren't terribly secure either (although OSX may be changing that). A quick net search indicates estimates of between two and three hundred Mac viruses.


According to the Macintosh Virus FAQ:


http://www.icsa.net/html/communities/antivirus/faqs/macfaq.shtml



6.0 How many viruses affect the Macintosh?
===========================================

There are around 40 Mac-specific viruses and related threats.




SPOOFE Bo Diddly writes:


::sigh::... Mac lovers... always missing the painfully obvious...

The point of a computer virus is to cause as much damage as possible. The reason nobody makes a virus for a Mac is 'cuz nobody WANTS to.


Who's missing what??? It doesn't matter **WHY** the Mac is less susceptible. It only matters, to me anyway, that it **IS**!!!

However, your assessment is not entirely correct. Desire and targetability are not the only reasons Mac viruses are not popular. Viruses for the Mac are much more difficult to propagate because the OS was designed to guard against them.


That's like declaring war with Antarctica.


More like Switzerland, I'd say.


Back on topic...

I remember, many years ago, when I first started hearing about email viruses. The conventional wisdom, at the time, was that all email viruses were hoaxes because no one would be stupid enough to build a mail program with an embedded programming language... Microsoft, once again, proved that they were up to the challenge and did what the experts said shouldn't be done...

For me, this clearly falls into the realm of "what were they thinking?!". The time is really ripe for this kind of attack, because so many computer users now have MS Outlook pre-installed and most average users don't know how dangerous that software really is... after all, if you can't trust Microsoft to look out for your best interest, who can you trust?

I predict, now that so many people have seen how easy it is to wreak this kind of havoc, there will be a continuing outbreak of cut & paste terrorism.

Whack-a-Mole
05-08-2000, 10:19 AM
The I Love You Virus has the following effects:

1) Will mail itself to everyone in your address list if you use Outlook.

2) Changes the homepage of your browser to an ISP in the Philippines where it would download password capture software to your pc (the pages in the Philippines have been shut down by that ISP so this no longer works).

3) The program deletes all files with the following extensions and creates a file with the same name but with a VBS extension in its place: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg Also, all MP3 and MP2 files will be hidden and a new file with the same name but a VBS (instead of MP3) extension will be created.

Of the above JPG are probably the most common (JPG files are pictures).

Some of the new variants have slightly different payloads but I'm not sure of the differences between each one. I do know that the relatively rare Mother's Day variant will delete INI files from your PC which can very possibly force the user to rebuild their PC from scratch (depending on how good the user has been with backing up system files).

Kyberneticist
05-08-2000, 11:10 AM
JoeyBlades wrote:
According to the Macintosh Virus FAQ:
http://www.icsa.net/html/communities/antivirus/faqs/macfaq.shtml
6.0 How many viruses affect the Macintosh?
===========================================

There are around 40 Mac-specific viruses and related threats.


That's a little bizarre, since when I counted the ones listed in that FAQ, I came up with 54. Furthermore, as the FAQ notes, that is only major strains, not variants (and most viruses have many variants which accounts for the high Windows number, particularly with virus toolkits)


However, your assessment is not entirely correct. Desire and targetability are not the only reasons Mac viruses are not popular. Viruses for the Mac are much more difficult to propagate because the OS was designed to guard against them.

How was MacOS designed to guard against viruses? I am a little curious. From the fiddling I've done with it, it is, like Windows, very much a single user type platform. Since WinNT actually has some concept of file rights and security, one could claim it was designed to guard against viruses too, but that was hardly its primary function.
In any case, I wrote a simple virus for the Power architecture in our Assembly class. I didn't see much that made it harder. (except for the pain of having to do in 5 instructions what x86 CISC would allow us to do in 2)

BTW, I said two or three hundred after reading here:
http://emt.doit.wisc.edu/macvir/macvir.(06).html

I tried checking Apple's site for more info, but their search engine, as usual, was crap. No real FAQs on viruses that I could find.
Reminded me of the time I had to get info on what the different bomb numbers meant by visiting a Mac fan website since there was nothing on Apple's.
Well, OSX is BSD from what I hear, so we can hope for a change.
At the moment, I love the PowerPCs... when running Yellow Dog Linux.

hardcore
05-08-2000, 11:19 AM
JoeyBlades:

Microsoft, once again, proved that they were up to the challenge and did what the experts said shouldn't be done...

What is it that you think Microsoft shouldn't have done? Design an email program that will run attachments if you double-click them? That is the only way this particular virus will spread.

Arnold Winkelried
05-08-2000, 01:26 PM
posted by hardcore:
What is it that you think Microsoft shouldn't have done? Design an email program that will run attachments if you double-click them? That is the only way this particular virus will spread.

hardcore, your statement is incorrect. Please verify your statements before posting, because with computer viruses, giving false information can have unintended consequences.
From an article in Computerworld, "Love" virus includes password-stealing Trojan Horse, By Ann Harrison, 05/04/2000 (http://www.computerworld.com/home/print.nsf/all/000504DC02):

The virus targets Microsoft's Outlook e-mail program, automatically sending messages with the virus to everyone in the address book of the infected user. Microsoft said Outlook users can protect themselves simply by not opening the messages.

But for users who have both Outlook and a companion product called Windows Scripting Host, simply previewing the message is enough to activate the virus, CERT (Computer Emergency Response Team) reported. "Advice to avoid clicking on unsolicited mail doesn't help in this case, though it does help users of e-mail programs other than Outlook," CERT said in a statement.

Kyberneticist
05-08-2000, 02:08 PM
I must confess that since I haven't used windows in a while I am not that qualified to speak on this, but I have been reading up on .vbs files and Windows Scripting Host.
http://msdn.microsoft.com/library/periodic/period98/cutting0698.htm

It appears the WSH module is necessary to run the .vbs file, it is not at all clear that running it will happen accidentally.
This article still claims it will take a double-click to run a .vbs file. Previewing an attachment normally launches some application that tries to do something with it. That is a more active role on the user's part than simply clicking on an e-mail.
Again, the question is why people would even touch a .vbs, or any other attachment aside from a text or image file without adequate explanation of what it does.

sailor
05-08-2000, 02:11 PM
I am somewhat confused... I use Outlook Express 5. In Tools/options/security I can set it to "internet" or "restricted" (this seems to work in conjunction with IE5 settings). If I set it to "restricted" will it prevent it from running VBS attachments in preview mode?

I have never received a VBS attachment so I do not know what it does. I know I can see JPG and GIF graphics in preview mode but in my experience all other attachments need to be opened, including TIF graphics.

Can anyone clarify this for me? Word and Excel have a setting that will prevent running macros. I should think OE would have a similar security feature.

hardcore
05-08-2000, 02:28 PM
Arnold, I posted a reply to you in the other thread that you posted this same response in. Basically, you need some evidence to back up your theory. All of my experiments refute your assertion that vbs files will run automatically.

hardcore
05-09-2000, 04:27 AM
sailor, OE 5.0 won't run vbs attachments in the preview panel regardless of your security settings.

JoeyBlades
05-09-2000, 09:54 AM
Kyberneticist wrote:


That's a little bizarre, since when I counted the ones listed in that FAQ, I came up with 54


Some of those listed are trojan horses. I don't put trojan horses in the same class as viruses.


Furthermore, as the FAQ notes, that is only major strains, not variants (and most viruses have many variants which accounts for the high Windows number, particularly with virus toolkits)

In the Mac world, almost all of the 'variants' are identical except for the name of the resource. Few of them are true variants, in the sense that the virus code has been modified.


How was MacOS designed to guard against viruses?


This is not the ideal place to explain this and I am not the ideal person to explain it. However, suffice it to say that the Macintosh has a very restricted and controlled mechanism for executing code and file I/O. Because of this, antivirus software for the Mac doesn't need to know about every strain of every virus, it only needs to close all of the back doors, which Disinfectant did more than three years ago.

The Mac OS can't do anything special to guard against Microsoft macro viruses because Microsoft built in the flexibility and power to let users do practically anything they want.



In any case, I wrote a simple virus for the Power architecture in our Assembly class.


You developed this virus on the Mac? If so, I'm impressed. I have a hard enough time getting the Mac INIT and VBL mechanisms to do what they were designed for, much less tricky stuff like virus propagation. As for the PowerPC architecture, I don't think it has any mechanisms to guard against virus attacks itself.



Reminded me of the time I had to get info on what the different bomb numbers meant by visiting a Mac fan website since there was nothing on Apple's.


You probably just didn't know where to look. Error code listings have been available on the Apple developer sites since the introduction of the Lisa (precursor to the Mac).


hardcore wrote:


Basically, you need some evidence to back up your theory. All of my experiments refute your assertion that vbs files will run automatically.


This is a very reckless way to live your life, my son. A number of reputable virus experts have said that the vbs files can run automatically if you have "Windows Scripting Host" running with MS Outlook and possibly "Active Scripting" in Internet Explorer. This has been verified already by the CERT at Carnegie Mellon Software Engineering Institute. Sorry, but I find them to be infinitely more credible...

hardcore
05-09-2000, 11:04 AM
I have all that installed on several computers. Go to the CERT site and see if you can find anything there that backs up your assertion. I can't.

swisemankcmo
05-09-2000, 12:26 PM
http://news.cnet.com/news/0-1003-200-1823347.html?tag=st


If any of THAT is true...

JoeyBlades
05-09-2000, 01:53 PM
OK, fair enough. They never use the words "automatic launch"; however, it is implied by:

(1) Their instructions to disable "Windows Scripting Host" and "Active Scripting".

(2) They reference the "Sophos" site which does indicate the execution is automatic.


I've seen a couple of other trusted sites that claim that the virus can launch automatically. Plus, a number of sys admins at my company claim that they were infected, even though they never opened the message...


However, Microsoft's official position is:


It’s important to note that the virus payload cannot run by itself. In order for it to run, the recipient must open the mail, launch the payload by double-clicking on it, and answer "yes" to a dialogue that warns of the dangers of running untrusted programs.


So now I don't know who to believe.

hardcore
05-09-2000, 01:57 PM
As the cnet article pointed out, the Love virus doesn't use scripts buried in html, although I'm surprised it didn't. I briefly mentioned in the other thread on this topic at http://boards.straightdope.com/sdmb/showthread.php?threadid=23703
how this could be done, but I didn't want to give anybody any ideas.

hardcore
05-09-2000, 02:13 PM
JoeyBlades, the Sophos site says this about the Love virus:

But can't I get infected just by reading or even deleting the email?
No! Some people are saying so. But as with most email viruses, you have to activate the attachment by double-clicking on it.

Again, this particular virus doesn't propagate simply by viewing the email, regardless of the preview pane. But it is technically possible to create one embedded in html code that would execute if you didn't have Active Scripting disabled in Outlook.
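An added example, not part of any post in this thread: a defender-side check that separates the two cases the posts above distinguish, a script attachment that needs a double-click and script embedded in an HTML body. The sample message, its file name and the function name `audit_message` are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Extensions that Windows Script Host will execute on double-click.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Inline script in an HTML body: the case Active Scripting would act on.
INLINE_SCRIPT = re.compile(r"<\s*script\b", re.IGNORECASE)

# Constructed sample message (not a real capture); payloads are inert comments.
SAMPLE = """\
From: friend@example.com
To: you@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="us-ascii"

<html><body>Hello<script language="VBScript">' placeholder</script></body></html>
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="holiday-photo.jpg.vbs"
Content-Transfer-Encoding: base64

UkVNIHBsYWNlaG9sZGVy
--BOUND--
"""

def audit_message(raw):
    """Return a list of (kind, detail) findings for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
            if ext in SCRIPT_EXTS:
                # A second dot (photo.jpg.vbs) disguises the real file type.
                double = name.count(".") >= 2
                kind = "double-extension-script" if double else "script-attachment"
                findings.append((kind, name))
        elif part.get_content_type() == "text/html":
            if INLINE_SCRIPT.search(part.get_content()):
                findings.append(("inline-html-script", "text/html body"))
    return findings
```
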