VIRUS ALERT-I LOVE YOU

This virus is spreading all over my work. I work for an insurance company and we have offices and sub offices in every county in the State of Kansas. This virus is being sent to everyone because of our global distribution lists. I’ve received about 20 of them so far this morning.

Like JohnLarrigan said, disable the Preview Pane or Auto Preview in your Outlook!

I wish they would catch the creep who created this virus and throw his ass in jail for about 20 years. Think of all the time and money being wasted because people’s e-mail systems are down and so is the productivity and communication. It’s throwing my work off because I can’t communicate with people in the offices outside of my county! What a pain in the ass!

Incidentally, do you think it would have spread faster if it had been called IKISSYOU?

New warning from computer services…don’t reboot if you get infected. It apparently only makes it worse…more as I get it.

Yeah. The news is jumping the gun again. As of a few minutes ago, Solomon’s (Computer Associates) claims to have virus definitions for it, but Symantec does not.

It does delete image files and MP3, among others, overwriting them with a similarly named VB file.

It writes to your registry, causing it to run each time your computer is rebooted. Therefore, if you reboot, it resends itself to your address book again.

Everyone is saying that it targets MS Outlook. Is it as potent in Outlook Express?

I run Outlook Express at work and received the message this morning. I didn’t open it, but had my preview pane active and I saw the text of the message. I deleted it as soon as I got it, but I am a little worried now.

I heard it deletes files from your hard drive, also. All files? A few files chosen at random? Anybody know?

Well, I’ll weigh in with another major company hit. Our Outlook server has been down since about 9 this morning, but we were already heavily infected by then. Some people are reporting over 100 copies in their inbox. It got our companywide e-mail list and sent it to everyone.

My Outlook Express access to my ISP mail is still up and I haven’t seen any copies of the message there. Maybe my ISP is filtering it upstream. Or, maybe nobody loves me. :frowning:

This virus can go through firewalls too. I don’t know how?

Yeppers, my company got it too. Most people knew not to open the attachment, so we’re okay so far. Symantec hasn’t released the patch yet…our network admin said he’d tell us when they had.

However, our OTHER network admin sent this out, and I thought it might be helpful for the Teeming Millions:
Hi everyone,

If you get this virus at home and need to clean it off here is the procedure. Note that once the antivirus software folks have a fix, it is probably better to use theirs, but this is the down and dirty way to get it done.

  1. Do a find files for the word “love” (no quotes) and delete all the files you find.
  2. Do a find files for *.vbs on your local hard disks. Delete the following: mskernel32.vbs and win32dll.vbs. Make sure that they have the file extension of vbs as there are critical system files with the same name, just a different three letter extension.
  3. Go to start —> Run. Then type regedit into the popup window. Go to edit —> Find, and type in MSkernel32.vbs, and click the “Find Next” button. Delete any entries that the program finds. After deleting the first entry press F3 to continue the search. When you get a message that the system has finished searching the registry, reboot the PC.
  4. You are now clean.

If you get an error while trying to delete the files, perform step three, reboot and re-do steps one and two.

I personally am getting a big laugh out of this. Windows Security = Oxymoron. :slight_smile:
I think we’re seeing the death throes of Windows, and it’s going to happen because they have wood for embedded programming languages and macros. ActiveX, VBScript, VBA, all of this stuff is bad bad bad. You don’t need a full-featured programming language in your e-mail client.

This thing could be better than the Morris Worm. :slight_smile: And I applaud whoever did it.

Funny aside to this whole thing: my company’s network is down worldwide, from what I can tell.

P.S.
Psycat, we love you too.

Anyone getting it on a Mac? Or with Outlook Express?

Thanks for the warning. I am blocking all of my mail until this blows over.

Here’s some information and preliminary fixes. Please, do yourself a favor, read all of the links below, and consider carefully before taking matters into your own hands. It is possible that an undelete program will be created soon that will fix this problem for you.

http://www.thepope.org/index.pl?node_id=140
http://www.tech-report.com/
http://www.teq-international.com/

–note that these do not address the huge list of files it overwrites or hides, unless they have been updated.

The files it overwrites are files that end in these extensions:

.mp2
.mp3
.vbs
.vbe
.js
.jse
.css
.wsh
.sct
.hta
.jpg
.jpeg

As I said, there may be an undelete program out that will fix these, so you might want to sit tight before you flush all that porno.
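An added example, not code from any poster, antivirus vendor or the worm itself: a read-only scan that turns the manual cleanup procedure posted earlier in this thread and the extension list above into something you can run before deleting anything. The dropped file names, the autorun registry values and the worm's `rem barok -loveletter` comment line are taken from this thread; the verdict names, the sample tree and the script name `loveletter_scan.py` are this example's own.

```python
"""Scan a directory tree for files the LOVELETTER worm drops or damages.

Added example for this thread (not vendor or poster code).  Reports the
dropped files (MSKernel32.vbs, Win32DLL.vbs, LOVE-LETTER-FOR-YOU.TXT.vbs),
doubled extensions left on overwritten data files (photo.jpg -> photo.jpg.vbs,
song.mp3 -> hidden song.mp3 beside song.mp3.vbs) and any .vbs carrying the
worm's comment line.  Nothing is deleted; the registry check runs on Windows only.
Usage: python loveletter_scan.py C:\\   (no argument: scan the sample tree)
"""
import os
import sys
import tempfile

# File names the worm writes (from this thread; matched case-insensitively).
DROPPED_NAMES = {"mskernel32.vbs", "win32dll.vbs",
                 "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
APPENDED_EXTS = {".jpg", ".jpeg"}   # overwritten, ".vbs" appended to the name
SHADOWED_EXTS = {".mp2", ".mp3"}    # .vbs twin created, original merely hidden
# Comment the worm carries in its body (quoted in this thread).  Every file it
# overwrites ends up containing it, which also catches .css/.js renamed to .vbs.
MARKERS = (b"barok -loveletter", b"love-letter-for-you")
# Autorun values the worm registers (from the BUGTRAQ write-up in this thread).
RUN_VALUES = [
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run", "MSKernel32"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunServices", "Win32DLL"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run", "WIN-BUGSFIX"),
]


def contains_marker(path, limit=4096):
    """True if the start of the file carries the worm's signature comment."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(limit).lower()
    except OSError:
        return False
    return any(m in head for m in MARKERS)


def classify(path):
    """Return a verdict string for one file, or None if it looks untouched."""
    name = os.path.basename(path).lower()
    if name in DROPPED_NAMES:
        return "dropped-worm-file"
    if name.endswith(".vbs"):
        inner_ext = os.path.splitext(name[:-4])[1]   # extension before ".vbs"
        if inner_ext in APPENDED_EXTS:
            return "overwritten-image"              # original content is gone
        if inner_ext in SHADOWED_EXTS:
            return "shadow-copy"                    # delete; original survives hidden
        if contains_marker(path):
            return "worm-body"                      # e.g. a .css/.js renamed to .vbs
        return None
    if os.path.splitext(name)[1] in SHADOWED_EXTS and os.path.exists(path + ".vbs"):
        return "hidden-original"                    # recoverable: unhide, delete twin
    return None


def scan_tree(root):
    """Walk root and return sorted (verdict, path) pairs for suspect files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            verdict = classify(full)
            if verdict:
                findings.append((verdict, full))
    return sorted(findings)


def check_run_values():
    """Windows only: return the autorun values the worm registers, if present."""
    try:
        import winreg
    except ImportError:
        return []                                   # not Windows; nothing to check
    hits = []
    for hive, subkey, value in RUN_VALUES:
        try:
            with winreg.OpenKey(getattr(winreg, hive), subkey) as key:
                data, _ = winreg.QueryValueEx(key, value)
                hits.append((hive + "\\" + subkey, value, data))
        except OSError:
            pass                                    # key or value absent: good
    return hits


# Constructed sample tree: only the worm's comment line, no functional code.
MARKER_TEXT = "rem barok -loveletter(vbe) <i hate go to school>\n"
SAMPLE_TREE = {
    "WINDOWS/SYSTEM/MSKernel32.vbs": MARKER_TEXT,
    "docs/photo.jpg.vbs": MARKER_TEXT,                        # was photo.jpg
    "music/song.mp3": "ID3 fake audio bytes\n",                # hidden on a real victim
    "music/song.mp3.vbs": MARKER_TEXT,
    "web/style.vbs": MARKER_TEXT,                              # was style.css
    "scripts/backup.vbs": 'WScript.Echo "nightly backup"\n',  # legitimate script
    "docs/notes.txt": "nothing to see\n",
}


def demo():
    """Build the sample tree in a temp dir, scan it, return {relpath: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_TREE.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)
        return {os.path.relpath(p, root).replace(os.sep, "/"): v
                for v, p in scan_tree(root)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for verdict, path in scan_tree(sys.argv[1]):
            print(verdict, path)
    else:
        for rel, verdict in demo().items():
            print(verdict, rel)
    for hit in check_run_values():
        print("registry", *hit)
```

The name-only checks mirror steps 1 and 2 of the posted procedure; the marker check is what step 1's search for “love” was really after, since a `.css` file overwritten and renamed to `.vbs` gives no clue in its name. Files flagged `hidden-original` are the MP2/MP3 files the later post says are only hidden, so unhide them and delete the `.vbs` twin rather than deleting both.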

Well, our office has been lucky. We were destined to migrate from Lotus cc:Mail to MSOutlook today, which is being done; so nobody had access to e-mail. We just got notification from the LAN that FAA HQ had shut down the server due to this fun little bug but as far as I know nobody here got hit with it. (Hi lachesis! K Street Doper here… :slight_smile: )

We are just now getting warnings about it at work. Thanks for the heads-up.

I have one report that says .jpg, .jpeg, .mp3 and .mp2 files are merely emulated. The virus gives itself an identical name with the extension .vbs tacked on at the end, perhaps in the hope that it will mistakenly be clicked on.

Hey, Olentzero, can you hear that wailing noise coming from due west? I can hear it from DuPont.

It’s the sound of half a million IT people cursing over in Fairfax.

/ hijack! /

howdy from Crystal City, over/under 95 from the Puzzle Palace. once on a time i worked around 17th & K. first gov’y job was at DOT.

/ end hijack /

and our Outlook is still squashed. not sure if it’s crossed into all DOD yet, but if we’ve already been infested, i’d say it’s nearly inevitable. brings a Heinlein quote that was a sig (on my other list) to mind:

“When in trouble or in doubt
Run in circles, scream and shout”

I just made the decision to shut down my division’s external data communications.
It hit our email servers about an hour ago and took out two of my Exchange Servers…

Frckin bastards…I wanted to do other things today…not this.

We’re about to take our entire system offline and scan the whole thing for .vbx extensions…

SONOFABITCH…

-SS

First off, this IS NOT A VIRUS. It’s a worm. All it does is replicate itself quickly. Unfortunately, a side effect of the rapid replication is that servers get flooded.

Here is the official BUGTRAQ write-up:


A quick update with some more information and quick fixes. I am reproducing
my original message in full below as some people are filtering messages
with a subject line of ILOVEYOU.

There is a good description of how to disinfect a system manually at
http://www.thepope.org/index.pl?node_id=140

skyinet.net seems to be off the net. It seems they are being blackholed
by someone.

The worm has a comment that may or may not indicate the author:

rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines

I did not make it clear, but the worm does infect files in mapped
network drives, so it can spread across the network via file shares
by infecting the files I reported. When someone opens those files
the worm will execute and infect their system.

It seems the WIN-BUGFIX.exe file will email any cached passwords to
MAILME@SUPER.NET.PH.

To stop the spread download updates for your antivirus product
from your vendor. They all have some type of fix by now, but most
antivirus vendor websites seem to be unavailable under the
high load. Some I could reach:

NAI: http://download.mcafee.com/extrafiles/love-4.zip
Datafellows: http://www.datafellows.com/download-purchase/updates.html
TrendMicro: http://www.antivirus.com/download/pattern.asp
Sophos: http://www.sophos.com/downloads/ide/index.html#loveleta

You should also not open Visual Basic attachments in email (.VBS),
nor accept DCC’s on IRC from strangers (or friends for that matter)
unless you know what you are receiving.

If you control your mail server you should try to configure it to
stop messages with attachments ending in .vbs. There seem to be
some patches to sendmail from when Melissa came out that do this.
You may also want to filter all email going out to MAILME@SUPER.NET.PH
and stop the download of WIN-BUGFIX.exe in your HTTP proxy.

* Elias Levy (aleph1@SECURITYFOCUS.COM) [000504 17:02]:
> A new VB worm is on the loose. This would normally not be bugtraq
> material as it exploits no new flaws but it has spread enough that it
> warrants some coverage. This is a quick and dirty analysis of what it does.
>
> The worm spreads via email as an attachment and via IRC as a DCC download.
>
> The first thing the worm does when executed is save itself to three
> different locations. Under the system directory as MSKernel32.vbs and
> LOVE-LETTER-FOR-YOU.TXT.vbs and under the windows directory as
> Win32DLL.vbs.
>
> It then creates a number of registry entries to execute these programs
> when the machine restarts. These entries are:
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
>
> It will also modify Internet Explorer’s start page to point to a web page
> that downloads a binary called WIN-BUGSFIX.exe. It randomly selects between
> four different URLs:
>
> 1
> 2
> 3
> 4
>
> I’ve not been able to obtain a copy of the binary to figure out what it does.
> This does mean the worm has a dynamic component that may change its
> behavior any time the binary is changed and a new one downloaded.
>
> The worm then changes a number of registry keys to run the downloaded binary
> and to clean up after itself.
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
> about:blank
>
> The worm then creates an HTML file that helps it spread,
> LOVE-LETTER-FOR-YOU.HTM. This is the file DCC’ed to others on IRC.
>
> The worm then spreads to all addresses in the Windows Address Book by
> sending the file LOVE-LETTER-FOR-YOU.TXT.vbs as an attachment. The
> email starts:
>
> kindly check the attached LOVELETTER coming from me.
>
> Then the virus searches for attached drives looking for files with
> certain extensions. It overwrites files ending with vbs, and vbe.
> It overwrites files ending with js, jse, css, wsh, sct, and hta, and
> then renames them to end with vbs. It overwrites files ending with jpg
> and jpeg and appends .vbs to their name. It finds files ending with
> mp2 and mp3, creates vbs files with the same name and sets the hidden
> attribute in the original mp* files.
>
> Then it looks for the mIRC windows IRC client and overwrites the script.ini
> file if found. It modifies this file so that it will DCC the
> LOVE-LETTER-FOR-YOU.HTM file to any people that join a channel the
> client is in.
>
> You can find the source of the worm at:
>
> here
>
> –
> Elias Levy
> SecurityFocus.com
> http://www.securityfocus.com/
> Si vis pacem, para bellum


Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

[Edited to fix overly long lines.]
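An added example (not code from SecurityFocus, any poster or any mail product) of the mail-server filter recommended in the update above: a message carrying an attachment whose final extension is `.vbs` is rejected, while messages that only match the `ILOVEYOU` subject or the “kindly check the attached LOVELETTER” lure text are held for review rather than dropped, because, as the update itself notes, blunt subject filters also block the warnings and analyses people are trying to send. Blocking the other script extensions the worm overwrites (`.vbe`, `.js`, `.jse`, `.wsh`, `.sct`, `.hta`) is this example's own policy choice, not something the post asks for; the sample messages and addresses are constructed.

```python
"""Mail-gateway check for LOVELETTER-style messages.

Added example for this thread, not code from SecurityFocus, any poster or
any mail product.  Reject on a script-type attachment (final extension wins,
so LOVE-LETTER-FOR-YOU.TXT.vbs is a .vbs, not a .txt); only hold on the
subject or lure-text match, since keyword filters also hit warnings.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# .vbs is what the post asks for; the rest is this example's own policy.
BLOCKED_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}
LURE_SUBJECT = "iloveyou"
LURE_BODY = "kindly check the attached loveletter coming from me"


def blocked_extension(filename):
    """Return the blocked final extension of filename, or None if allowed."""
    ext = os.path.splitext(filename.strip().lower())[1]
    return ext if ext in BLOCKED_EXTS else None


def attachment_names(msg):
    """Filenames of all non-multipart parts that declare one."""
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]


def classify_message(raw):
    """Return (verdict, reasons) for a raw RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hard, soft = [], []
    for name in attachment_names(msg):
        ext = blocked_extension(name)
        if ext:
            hard.append(f"attachment {name!r} has blocked extension {ext}")
    subject = str(msg["Subject"] or "").lower()
    if LURE_SUBJECT in subject:
        soft.append("subject contains ILOVEYOU")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if LURE_BODY in text:
        soft.append("body contains the LOVELETTER lure text")
    if hard:
        return "reject", hard + soft
    if soft:
        return "hold", soft          # human review: may be a warning, not the worm
    return "accept", []


def build_sample(subject, body, attach_name=None, attach_bytes=b""):
    """Construct a sample message; the addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_name:
        msg.add_attachment(attach_bytes, maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


# Constructed samples.  The "worm" attachment is only the comment line quoted
# in this thread, not the worm.
SAMPLES = {
    "worm": build_sample("ILOVEYOU",
                         "kindly check the attached LOVELETTER coming from me.",
                         "LOVE-LETTER-FOR-YOU.TXT.vbs",
                         b"rem barok -loveletter(vbe) <i hate go to school>\r\n"),
    "clean": build_sample("Q2 figures", "Spreadsheet attached.",
                          "figures.csv", b"region,total\r\nKS,100\r\n"),
    "advisory": build_sample("Re: ILOVEYOU worm analysis",
                             "The worm's mail begins:\n"
                             "kindly check the attached LOVELETTER coming from me.\n"
                             "Do not open the attachment."),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict, reasons = classify_message(raw)
        print(f"{label:9s} -> {verdict}: {'; '.join(reasons) or 'no findings'}")
```

The attachment check looks at the filename the sender declared, which is all a gateway has; it does not inspect content and would miss the same script under a permitted extension, and it cannot help with the IRC DCC path, which is not mail. The `hold` verdict is the point of the caveat in the post: a subject filter set to reject would have stopped Elias's own update.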