I love you virus

Thread: I love you virus

  1. #1
    Registered User
    Join Date
    Jun 1999
    Location
    Florida, USA
    Posts
    436

    Post I love you virus

    Salutations,
    For anyone that has been in the dark, the I love you Virus has hit today, taking out a large number of computers. Get an update from your anti-virus people. Here is the info on it:
    Name: VBS/LoveLet-A
    Aliases: The Love Bug
    Type: Visual Basic Script worm
    Detection: Detected by Sophos Anti-Virus version 3.34 or later. An update (IDE file) is available for earlier versions from the Latest virus identities section.

    This virus has been very widely reported in the wild.

    Please note: We have updated the IDE for this virus to detect a minor variant that has also been seen in the wild.

    Comments: This is a virus which tries to spread itself in several ways. Most commonly, it sends itself as an attachment to an email.

    Infected emails have the subject line:

    ILOVEYOU

    The message text is:

    kindly check the attached LOVELETTER coming from me.

    The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs, which has a double-extension. Mailers which suppress well-known extensions such as .vbs may present this file as LOVE-LETTER-FOR-YOU.TXT, which appears more innocent.

    Because the virus arrives in a VBS file, it requires the Windows Scripting Host (WSH) in order to work. If you disable WSH, the viral attachment will be rendered harmless.

    The virus also drops an HTM file which can spread the virus, and a mIRC script which tries to distribute it.

    The virus checks the Internet Explorer Download Directory for the presence of the file WinFAT32.exe. If that file does not exist the virus randomly picks one of four websites and changes the registry to set it as the Start Page for Internet Explorer. The websites point to an EXE file, WIN-BUGSFIX.exe, which is then downloaded and the registry is modified to run the file on reboot. This file is detected as Troj/LoveLet-A.

    The Internet Explorer Start Page is also set to blank.

    The virus copies itself to two places in the system directory where they are executed each time the computer reboots.

    The email component of the virus requires Microsoft Outlook to work. If you are using Outlook it will try to send itself to each entry in your Windows Address Book.

    The virus also searches all local and networked drives for files that end with the extensions VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA. These files are overwritten with the virus and their extension is renamed to .VBS.

    Any JPG or JPEG files are also overwritten by the virus but have the extension .VBS added to the existing filename.

    Any MP2 or MP3 files are overwritten by the virus but are also copied to a new file that has the .VBS extension added. The original files are set as hidden.

    If the virus determines that mIRC is installed on the system it will drop a mIRC script that will send the virus on via mIRC.

    Tech Handbook Filling your computer needs.
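
As an added illustration (not part of the original post or of the advisory it quotes), this Python example flags file names that match the double-extension attachment and the .VBS-suffixed media files described above, and shows what a mailer that hides the final extension would display. The extension list, the function names and every sample name except the attachment name are assumptions made for the example.

```python
import ntpath

# Script-type extensions that run code when opened on Windows.
# This list is an assumption made for the example, not taken from the advisory.
ACTIVE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".sct"}
# Media types the advisory says are overwritten or shadowed by a .VBS copy.
MEDIA_EXTS = {".jpg", ".jpeg", ".mp2", ".mp3"}

def split_exts(filename):
    """Return (base, base_without_last_ext, inner_ext, outer_ext), exts lower-cased."""
    base = ntpath.basename(filename.strip())
    rest, outer = ntpath.splitext(base)
    inner = ntpath.splitext(rest)[1]
    return base, rest, inner.lower(), outer.lower()

def displayed_name(filename):
    """Name shown by a mailer that suppresses well-known script extensions."""
    base, rest, _, outer = split_exts(filename)
    return rest if outer in ACTIVE_EXTS else base

def classify(filename):
    """Label a name 'media-overwrite', 'double-extension', 'script' or 'ok'."""
    _, _, inner, outer = split_exts(filename)
    if outer not in ACTIVE_EXTS:
        return "ok"
    if inner in MEDIA_EXTS:
        return "media-overwrite"    # e.g. holiday.jpg.vbs
    if inner:
        return "double-extension"   # e.g. NAME.TXT.vbs, shown as NAME.TXT
    return "script"                 # single extension, visible for what it is

def triage(names):
    """Return {name: label} for the names whose visible form is misleading."""
    return {n: c for n in names if (c := classify(n)) not in ("ok", "script")}

# Constructed sample: the attachment name from the advisory plus made-up files.
SAMPLE = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "C:\\Music\\track01.MP3.VBS",
    "C:\\Photos\\holiday.jpg.vbs",
    "report.v2.doc",
    "logon.vbs",
]

if __name__ == "__main__":
    for name, label in triage(SAMPLE).items():
        print(f"{label:17} {name} (shown as {displayed_name(name)})")
```

Names with an ordinary dot in the stem (for example `report.v2.vbs`) are also reported as double-extension, so the output is a triage list rather than a verdict.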

  2. #2
    shawnMt
    Guest

    Post

    That's pretty nasty...
    I heard about it but have not run across it yet - we will see in the next few days.

    I did run across a CIH blown machine last week.

  3. #3
    Registered User
    Join Date
    Jun 1999
    Location
    Florida, USA
    Posts
    436

    Post

    I know a company that got it. It took out over 80 computers including their NT mail server. The worst part is that the program they are writing is written in Visual Basic. CNN has said it has hit some of the governments in Europe.
    Tech Handbook Filling your computer needs.

  4. #4
    Registered User
    Join Date
    Aug 1999
    Location
    Duluth, MN U. S.A.
    Posts
    2,352

    Post

    Thanks Danrak,

    I guess I'm one of those people with their head in the dark! I get most of my news off the internet, both on windrivers and other sources, so until I turn on (and windrivers is my home, by the by) I probably don't know the latest until I check for anti-virus updates! Thanks again for pulling my head out of the dark!

    GLSmith
    Don't hate me because I'm a US citizen!

  5. #5
    Registered User Damned Angel's Avatar
    Join Date
    Aug 1999
    Location
    Winnipeg, MB
    Posts
    2,583

    Post

    The company that prints our pay cheques sent their staff home today. Their IS dept. thought they had caught the worm early and only reported 2 machines infected. An hour later all their servers had flatlined... hope I get my next pay cheque!

  6. #6
    Registered User
    Join Date
    Mar 2000
    Location
    UK
    Posts
    226

    Post

    For those not happy editing the registry, the files in this ZIP will edit it for you. It reroutes VBscript files to notepad. Virii like the love thing will not function as a result.
    http://www.batzx.com/~weasel/FT/killVBS.zip

    What is so bad/good about VBscript anyway?

    System admins should make backups of the registry...etc etc. You have been warned.
    What does this button do?

  7. #7
    Registered User
    Join Date
    Feb 1999
    Location
    valley springs sd
    Posts
    142

    Post

    Saw it at 9:00am in the state of Minnesota, USA, in the good old boondocks. Was sent to me by the county MIS manager.
    Recognized the vbs ext and deleted it right away.

    [This message has been edited by oldman (edited May 04, 2000).]
    you did WHAT with that computer!!!!

  8. #8
    Registered User
    Join Date
    Jun 1999
    Location
    Florida, USA
    Posts
    436

    Post

    It hit hard here in Florida. It hit our power company, hospitals, and a few other large companies. The store I work for has a small ISP and we were able to shut down the mail server before anyone got hit, but we still had the phone ringing like crazy with people asking if they can get it. For anyone that is interested, www.techrepublic.com has a VBScript that they wrote that is supposed to counteract the virus or something like that.
    Tech Handbook Filling your computer needs.

  9. #9
    Registered User
    Join Date
    Jul 1999
    Location
    Pitman, NJ USA
    Posts
    568

    Post

    Symantec has released virus definitions late last night (5-4-2000) to detect and remove this worm. If you use Norton AntiVirus, you can update your signatures and be protected against this one.



    ------------------
    R. Bret Walker, CNE

    All I can say is, Flyers win in 5th Overtime!!!
    (I'm not a Master Tech, but I play one on TV)

    Wondering what videos to rent this weekend? Check out The People's Reviews, movie reviews written for the people and by the people.

  10. #10
    Xavier
    Guest

    Post

    Let me get this straight in case I am wrong. All that this virus does to the individual PC is rename MP3s, delete JPEGs, and do some stuff to your Java stuff. Does it actually prevent a user from using their PC for work functions? I don't think it does. Isn't the biggest threat to mail servers that are overloaded when it sends from everybody's Outlook?
    Just wondering, as the papers and news are talking about files being deleted and operating files and that sort of thing and seem to be blowing it WAY out of proportion.....

  11. #11
    Registered User Damned Angel's Avatar
    Join Date
    Aug 1999
    Location
    Winnipeg, MB
    Posts
    2,583

    Post

    Had to laugh at the news last night... so much hype... like Y2K all over again. One newscast even stated that experts found that it mailed all your passwords and that you should change them all immediately. Just waiting for them to tell us that we should start rioting in the streets.

  12. #12
    Registered User
    Join Date
    Jan 1999
    Location
    Kelowna, B.C. Canada
    Posts
    647

    Post

    Get this! In Canada, the government agency responsible for technology was hit so hard, it simply crashed their whole Canada-wide network. Poof! Gone...
    Yup, our AV scanner is up to date, yup...DUH!

    ------------------
    Who needs a life, I have Internet!
    Jim & Sue's Free Files | Jim's Modems

  13. #13
    Registered User
    Join Date
    Jul 1999
    Location
    Pitman, NJ USA
    Posts
    568

    Post

    I'm really not one for spreading panic about viruses. I think that when the news reports on these things, they are acting in a completely irresponsible manner, alerting people who should not be alerted and causing widespread panic. As long as the IT managers have the situation under control, leave it alone. Problem is, news programs want to generate interest in their own programs and nobody wants to be scooped. If one station runs the story, they all do. Nobody wants to be the last to report a story.
    That having been said, what I find ridiculous is that the WORM (not virus) comes to you in the form of a .vbs file attached to an email message. Anyone who is stupid enough to double-click a Visual Basic Script file without checking on the source deserves everything they get.
    I was reading the thread and wanted to let people know that Symantec has updated virus definitions that detect and disinfect this worm. I didn't really view that as propagating a silly story. And the payload of this worm IS potentially damaging. For more information on it, go to http://www.sarc.com/avcenter/venc/da...eletter.a.html

    Something else I find comical is that this is yet another worm that exploits a security hole in Outlook and mIRC. My favorite thing to do on days like this is to soothe my clients' fears by patiently explaining to them that this will have absolutely no effect on them because they use GroupWise, and the VBS script was written specifically for Outlook. I get to say that a lot (-:


    ------------------
    R. Bret Walker, CNE

    All I can say is, Flyers win in 5th Overtime!!!
    (I'm not a Master Tech, but I play one on TV)

    Wondering what videos to rent this weekend? Check out The People's Reviews, movie reviews written for the people and by the people.

  14. #14
    Registered User
    Join Date
    Aug 1999
    Location
    Duluth, MN U. S.A.
    Posts
    2,352

    Post

    Hey Pcshark, since you stressed how it's a WORM (not a virus), what's the difference? I know I should know this and I heard it once before, but being mostly self-taught, and having mush for brains when it comes to "proper" terminology, and being forgetful in general, I would appreciate some enlightenment. I'm sure there are others who read this who might like to know also but didn't want to be the one who asked. Thanks for any and all info.

    GLSmith
    Don't hate me because I'm a US citizen!

  15. #15
    shawnMt
    Guest

    Post

    It's really a combo Script Virus and Worm.

    From antivirus.com:

    Script viruses (VBScript, JavaScript, HTML)
    Script viruses are written in script programming languages, such as VBScript and JavaScript. VBScript (Visual Basic Script) and JavaScript viruses make use of Microsoft's Windows Scripting Host (WHS) to activate themselves and infect other files. Since WHS is available on Windows 98 and Windows 2000, the viruses can be activated simply by double-clicking the *.vbs or *.js file from the Windows Explorer.

    Read all about different types here: http://www.antivirus.com/pc-cillin/v...o/glossary.asp

    I do agree with everyone about the general hype bull that outbreaks create.



    [This message has been edited by shawnMt (edited May 05, 2000).]
