-
I love you virus
Salutations,
For anyone that has been in the dark, the I love you Virus has hit today, taking out a large number of computers. Get an update from your anti-virus people. Here is the info on it:
Name: VBS/LoveLet-A
Aliases: The Love Bug
Type: Visual Basic Script worm
Detection: Detected by Sophos Anti-Virus version 3.34 or later. An update (IDE file) is available for earlier versions from the Latest virus identities section.
This virus has been very widely reported in the wild.
Please note: We have updated the IDE for this virus to detect a minor variant that has also been seen in the wild.
Comments: This is a virus which tries to spread itself in several ways. Most commonly, it sends itself as an attachment to an email.
Infected emails have the subject line:
ILOVEYOU
The message text is:
kindly check the attached LOVELETTER coming from me.
The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs, which has a double-extension. Mailers which suppress well-known extensions such as .vbs may present this file as LOVE-LETTER-FOR-YOU.TXT, which appears more innocent.
Because the virus arrives in a VBS file, it requires the Windows Scripting Host (WSH) in order to work. If you disable WSH, the viral attachment will be rendered harmless.
The virus also drops an HTM file which can spread the virus, and a mIRC script which tries to distribute it.
The virus checks the Internet Explorer Download Directory for the presence of the file WinFAT32.exe. If that file does not exist the virus randomly picks one of four websites and changes the registry to set it as the Start Page for Internet Explorer. The websites point to an EXE file, WIN-BUGSFIX.exe, which is then downloaded and the registry is modified to run the file on reboot. This file is detected as Troj/LoveLet-A.
The Internet Explorer Start Page is also set to blank.
The virus copies itself to two places in the system directory where they are executed each time the computer reboots.
The email component of the virus requires Microsoft Outlook to work. If you are using Outlook it will try to send itself to each entry in your Windows Address Book.
The virus also searches all local and networked drives for files that end with the extensions VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA. These files are overwritten with the virus and their extension is renamed to .VBS.
Any JPG or JPEG files are also overwritten by the virus but have the extension .VBS added to the existing filename.
Any MP2 or MP3 files are overwritten by the virus but are also copied to a new file that has the .VBS extension added. The original files are set as hidden.
If the virus determines that mIRC is installed on the system it will drop a mIRC script that will send the virus on via mIRC.
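The double-extension trick described in the advisory above can be checked at the mail gateway by looking at the last extension of every attachment name rather than the one the user sees. The following is an added example, not part of the original post or of the vendor advisory; the decoy-extension list, the function names and the sample message are constructed for illustration.

```python
from email import message_from_string, policy

# Script extensions from the advisory's overwrite list (CSS left out: not executable).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}
# Extensions a reader takes as harmless; a constructed list for this example.
DECOY_EXTS = {"txt", "jpg", "jpeg", "mp3", "doc", "pdf"}

def classify(filename):
    """Return 'double-extension', 'script' or 'ok' for one attachment name."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return "ok"
    # Padding spaces before the real extension must not hide the decoy.
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        return "double-extension"
    return "script"

def scan_message(raw):
    """Return [(filename, verdict)] for every flagged part of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also reaches nested and inline parts
        name = part.get_filename()
        if name and classify(name) != "ok":
            hits.append((name, classify(name)))
    return hits

# Constructed sample using the subject, text and attachment name quoted above.
SAMPLE = """\
From: sender@example.com
To: recipient@example.com
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

(placeholder body, not the worm)
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```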
-
That's pretty nasty...
I heard about it but have not run across it yet - we will see in the next few days.
I did run across a CIH blown machine last week.
-
I know a company that got it. It took out over 80 computers including their NT mail server. The worst part is their program they are writing is written in Visual Basic. CNN has said it has hit some of the governments in Europe.
-
Thanks Danrak,
I guess I'm one of those people with their head in the dark! I get most of my news off the internet, both on windrivers and other sources, so until I turn on ( and windrivers is my home, by the by ) I probably don't know the latest until I check for Anti virus updates! Thanks again for pulling my head out of the dark!
GLSmith
-
The company that prints our pay cheques sent their staff home today. Their IS dept. thought they had caught the worm early and only reported 2 machines infected. An hour later all their servers had flatlined....hope I get my next pay cheque!
-
For those not happy editing the registry, the files in this ZIP will edit it for you. It reroutes VBscript files to notepad. Virii like the love thing will not function as a result.
http://www.batzx.com/~weasel/FT/killVBS.zip
What is so bad/good about VBscript anyway?
System admins should make backups of the registry...etc etc. You have been warned.
-
Saw it at 9:00am in the state of Minnesota, USA, in the good old boondocks. Was sent to me by the county MIS manager.
Recognized the vbs ext and deleted it right away.
[This message has been edited by oldman (edited May 04, 2000).]
-
It hit hard here in Florida. It hit our power company, hospitals, and a few other large companies. The store I work for has a small ISP and we were able to shut down the mail server before anyone got hit, but we still had the phone ringing like crazy with people asking if they can get it. For anyone that is interested, www.techrepublic.com has a vbscript that they wrote that is supposed to counteract the virus or something like that.
-
Symantec has released virus definitions late last night (5-4-2000) to detect and remove this worm. If you use Norton AntiVirus, you can update your signatures and be protected against this one.
------------------
R. Bret Walker, CNE
All I can say is, Flyers win in 5th Overtime!!!
-
Let me get this straight in case I am wrong. All that this virus does to the individual PC is rename MP3s, delete JPEGs, and do some stuff to your Java stuff. Does it actually prevent a user from using their PC for work functions? I don't think it does. Isn't the biggest threat to mail servers that are overloaded when it sends from everybody's Outlook?
Just wondering as the papers and news are talking about files being deleted and operating files and that sort of thing and seem to be blowing it WAY out of proportion.....
-
Had to laugh at the news last night....so much hype....like Y2K all over again. One newscast even stated that experts found that it mailed all your passwords and that you should change them all immediately..just waiting for them to tell us that we should start rioting in the streets
-
Get this! In Canada, the government agency responsible for technology was hit so hard, it simply crashed their whole Canada-wide network. Poof! Gone...
Yup, our AV scanner is up to date, yup...DUH!
------------------
Who needs a life, I have Internet!
Jim & Sue's Free Files | Jim's Modems
-
I'm really not one for spreading panic about viruses. I think that when the news reports on these things, they are acting in a completely irresponsible manner, alerting people who should not be alerted and causing widespread panic. As long as the IT managers have the situation under control, leave it alone. Problem is, news programs want to generate interest in their own programs and nobody wants to be scooped. If one station runs the story, they all do. Nobody wants to be the last to report a story.
That having been said, what I find ridiculous is that the WORM (not virus) comes to you in the form of a .vbs file attached to an email message. Anyone who is stupid enough to double-click a Visual Basic Script file without checking on the source deserves everything they get.
I was reading the thread and wanted to let people know that Symantec has updated virus definitions that detect and disinfect this worm. I didn't really view that as propagating a silly story. And the payload of this worm IS potentially damaging. For more information on it, go to http://www.sarc.com/avcenter/venc/da...eletter.a.html
Something else I find comical is that this is yet another worm that exploits a security hole in Outlook and mIRC. My favorite thing to do on days like this is to soothe my clients' fears by patiently explaining to them that this will have absolutely no effect on them because they use GroupWise, and the VBS script was written specifically for Outlook. I get to say that a lot (-:
------------------
R. Bret Walker, CNE
All I can say is, Flyers win in 5th Overtime!!!
-
Hey Pcshark, since you stressed how it's a WORM ( not a virus ), what's the difference? I know I should know this and I heard it once before, but being mostly self taught, and having mush for brains when it comes to "proper" terminology, and being forgetful in general, I would appreciate some enlightenment. I'm sure there are others who read this who might like to know also but didn't want to be the one who asked. Thanks for any and all info.
GLSmith
-
It's really a combo Script Virus and Worm.
From antivirus.com:
Script viruses (VBScript, JavaScript, HTML)
Script viruses are written in script programming languages, such as VBScript and JavaScript. VBScript (Visual Basic Script) and JavaScript viruses make use of Microsoft's Windows Scripting Host (WHS) to activate themselves and infect other files. Since WHS is available on Windows 98 and Windows 2000, the viruses can be activated simply by double-clicking the *.vbs or *.js file from the Windows Explorer.
Read all about different types here: http://www.antivirus.com/pc-cillin/v...o/glossary.asp
I do agree with everyone about the general hype bull that outbreaks create.
[This message has been edited by shawnMt (edited May 05, 2000).]
-
I agree that the press is guilty of over doing things in reference to computer issues. The more hype, the more viewers, readers, and listeners I guess.
Personally, I look at the outbreaks of worms and viruses much like I look at an electrical storm------when a puter gets messed up somebody's gotta PAY somebody to fix em!!! That's where I come in....(:
WildTech
------------------
I shoulda been born rich!!
[This message has been edited by WildTech (edited May 05, 2000).]
-
Hello all. I thought I would give you a little first hand experience with the Virus and how fast it can spread from a network admin point of view.
5 copies of the virus enter the company at 8:06 from one outside source.
Virus read at 8:18 - One person infects their computer. It starts pulling names out of Outlook starting with “All company” distribution list and moving down the list picking up all personal and global addresses. Spamming of the e-mail continued until 8:29 when I stopped our Exchange server.
To make a very long story short, 30 desktops out of 500 were infected. From those 30 computers, in 11 min there were 11,000 e-mails sent out. In addition to overwriting of JPEGs, e-mails and contaminated computers, we have cleaned over 50,000 copies of the virus as of tonight. By the time we are done I am guessing we will have killed close to 100,000 copies.
To add one more twist. Wednesday night, we updated all desktop and server Norton AntiVirus with the most current definitions.
Yes we got bent over by this virus. We could have done a few things different but hindsight is 20/20!!
sj
[This message has been edited by sj (edited May 06, 2000).]
-
In response to GLSmith's query, a virus is so named because of the way it acts like a human virus. The two things a virus does is infect and replicate. By infect, I mean the virus actually inserts or adds its own code to a file that exists on the system. Replication is performed usually when the virus executes, loads itself into memory, and infects more files on the system. When these infected files are shared, the virus spreads to other systems.
Conversely, the worm spreads itself through replication but does not infect files on the system. A worm copies code into the startup routine of a computer so that it is loaded into memory when the computer starts, and then spreads itself through some sort of replication routine. In the case of this particular worm, it spreads itself by sending the visual basic script file through email to anyone in the local address book.
There is also such a thing as a Trojan Horse, or Trojan. A Trojan is neither a worm nor a virus. A Trojan is, just as its name implies, a piece of destructive code hidden inside an executable program that appears useful. For example, the Doom II trojan that was circulating years ago was packaged as a WAD editor, and would in fact allow the user to edit wads and create Doom II levels, but when the program was exited the user would find that his/her first hard drive had been formatted. Trojans don't have replication engines, but people who receive them occasionally send them to others without realizing the harm they are doing.
Symantec estimates that there are 10-15 new viruses released into the wild daily. Of these, a small percentage are actually Trojans or worms, and a high percentage are macro viruses. Very few boot and exe/com viruses are written anymore.
------------------
R. Bret Walker, CNE
All I can say is, Flyers win in 5th Overtime!!!
-
Could some1 pls send me this "Love Bug". I am learning Visual Basic, and like to see how it was written and what it does (myself). I have an old stand alone desktop, I will run it on that machine. I am not kidding either.
Thanks.
-
Thank you Mr. Walker,
Like I said I remember reading the difference once but I've never been good with remembering "official" terminology. I also haven't been around ( In the computer business that is) that long. The scary thing is I'm one of the few people around this area that seems to know what to do with viruses. Well at least one of the few that the general public can get access to. Thanks again!! With computers the learning never stops!!!
GLSmith
-
Hey folks,
I posted a request to send me the "Love Bug".
I got a copy from a friend. I realized it probably was not appropriate for me to post something like that on a public forum. Sorry...
-
I should say not! Especially since as of May 9, there are 29 variants of this pesky little critter! It doesn't mutate itself, it takes an amateur VB programmer with too much time on her/his hands.
Symantec is releasing virus definitions almost daily now. All I can say is I hope my clients (the ones that aren't set up for automatic updates, and there are a few) are updating themselves! It sure is keeping me busy here, but so far, none has gotten in. I've got a log a mile long of attempted intrusions, but our Exchange agent is killing it before it gets to the clients (-:
Have I mentioned how much I like Norton? (-;
------------------
R. Bret Walker, CNE
Flyers Win the Eastern Semifinals! New Jersey is next!