DeTomaso Mailing List: May 2000, Message #168
| From: | "H.P. Brelsford" <bford@hal-pc.org> |
| Subject: | FW: Woody's Office Watch #5.21 - 'I Love You' virus special issue |
| Date: | Fri, 5 May 2000 03:41:42 -0400 |
More than you ever wanted to know about the 'I love you' virus!
HPB
-----Original Message-----
From: bounce-wow-2637223@lists.woodyswatch.com
[mailto:bounce-wow-2637223@lists.woodyswatch.com] On Behalf Of Woody's Office Watch
Sent: Thursday, May 04, 2000 4:42 PM
To: bford@hal-pc.org
Subject: Woody's Office Watch #5.21 - 'I Love You' virus special issue
--==>> WOW -- WOODY's OFFICE WATCH <<==--
(your own Microsoft Word & Office guru every week!)
4 May 2000 Vol 5 No 21
'I Love You' Email worm - special issue
IN THIS ISSUE: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Only hours after this week's issue of WOW was sent, there
appeared a new email virus that's spreading across the
Internet. Major companies have been caught and even the
British Parliament's computers ground to a halt.
So WOW's editor has pulled an 'all nighter' to bring you
these details on what's happened and what you can do to
protect yourself.
If all this sounds too overwhelming, the next issue of
Woody's Office for Mere Mortals will go through the basics
of email virus protection. Make sure you don't miss it by
clicking on this link
http://woodyswatch.com/2mm.cgi?e=bford@hal-pc.org
or send email to wowmm@woodyswatch.com
1. I LOVE YOU
2. INSIDE VBS/LoveLetter.A - WHAT IT DOES
WHAT COMPUTERS ARE AFFECTED?
WHAT IT DOES
3. AM I INFECTED?
4. WHAT TO DO IF YOU'RE INFECTED
CHECK YOUR MESSAGES
REGISTRY CHANGES
INTERNET EXPLORER CHANGES
FILES TO REMOVE
RESTORING LOST FILES
5. AN ANTI-VIRUS FIX FROM F-PROT
6. THANKS
* WOODY's CONTACTS in North America or Australia
* ADMINISTRIVIA, subscribing, unsubscribing etc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. I LOVE YOU
If you saw an email message with the subject 'ILOVEYOU'
then you should be suspicious at the best of times. Unless
you're an incurable romantic <g>.
But thousands, if not millions, of people have received
just such an email in the last few hours and many of them
have done the one thing they are told NOT to do. They
opened the attachment that came with the message.
And thus the 'I Love You' email worm (officially called
VBS/LoveLetter.A or something similar) is spreading across
the world. The attachment is a VB Script file that sends a
copy of itself to everyone in your Outlook address book.
It does that not just once, but every time you start
Windows thereafter.
People are arriving at work with hundreds of copies of the
message in their Inbox - mostly from within the same
company but also from anyone who has you in their address
book.
We'll go into the details of what this new virus / worm
does below. As usual there's plenty of ill-informed
rumor running around. We've attempted to glean the facts
for you.
But the solution is simple, if you get a message with a
.VBS attachment - even if it's from someone you know then
DELETE IT. Play it safe - don't open it or save it to your
hard drive - just hit the Delete key.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2. INSIDE VBS/LoveLetter.A - WHAT IT DOES
This worm behaves similarly to the famous Melissa virus
that struck last year. However it has been written very
differently, it does more than 'Melissa' did and avoids
some of the mistakes made in Melissa.
'I Love You' has spread so quickly partly because of the
sophistication they've used combined with the sad fact that
people have let down their guard in the months after the
Melissa scare. In addition there are more VBScript-enabled
machines than there were Word 97-enabled machines two years
ago, when Melissa appeared.
The big difference from 'Melissa' is that this virus can do
real damage to your computer (deleting important files) as
well as overload email networks.
WHAT COMPUTERS ARE AFFECTED?
There are two parts to this answer. Many machines can be
infected by the virus and have damage done to them. A
subset of those machines can also spread the virus
automatically to others.
To be infected:
All you need is a computer that has Windows Scripting Host
(WSH) installed. That means Windows 98, 2000 or even
Windows ME if you're a beta tester.
Windows 95 and NT systems which have Internet Explorer 5.x
will most likely have WSH (it's part of the default
installation). WSH can also be downloaded from the
Microsoft web site and installed onto any Windows 95/NT
system.
If unsure then you should assume that any Windows 95, 98,
NT or 2000 machine can be infected and damaged.
It doesn't matter which email program you are running, for
if you open the virus attachment you'll be infected. That
includes all forms of Outlook, Outlook Express and other
non-Microsoft email programs.
Macintosh systems and other operating systems cannot be
infected.
To spread the virus:
The primary method for the virus to spread is to send
itself to other computers via email; for that you must have
either Outlook 98 or Outlook 2000 (NOT Outlook 97).
The only way other email programs could spread the virus is
if you're silly enough to manually send the infected
attachment in one of your messages.
However any email software can receive an infected
attachment and if you have one of the above versions of
Windows then your system can be damaged even if it can't
spread to other computers.
The virus can also be spread by Internet Relay Chat (if you
have mIRC) or by overwriting VBS, JS, etc. files on remote
network drives.
WHAT IT DOES
The virus usually arrives as an attachment to an email message:
The current message circulating is:
SUBJECT: ILOVEYOU
BODY: kindly check the attached LOVELETTER coming from me.
ATTACHMENT: LOVE-LETTER-FOR-YOU.TXT.vbs
Note that the message will appear to come from someone you
know. Also note the subject line has no spaces between the
words.
If you're using Internet Relay Chat (IRC) watch out for a
file called LOVE-LETTER-FOR-YOU.HTM .
That's the way the virus is currently circulating however
past experience suggests that copy-cat variants of this
virus will soon appear. There are already unconfirmed
reports of the same virus being spread with a slightly
different subject in the email message, so be on the
lookout for similar suspicious messages.
The attachment is usually called
'LOVE-LETTER-FOR-YOU.TXT.vbs'. Because the default Windows
settings suppress the .vbs extension what is left displayed
makes it look like a harmless text file.
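The double-extension trick described above is something a mail gateway or a help-desk triage script can check for mechanically. The following is an added example (not code from the newsletter or from any product it mentions) that reconstructs what Windows would display with extensions hidden and flags attachments whose real extension is a script type. The list of decoy extensions and the "quarantine"/"deliver" verdict are this example's own assumptions.

```python
# Extensions that Windows Scripting Host or the shell runs directly when the
# file is double-clicked; the worm arrives as a .vbs.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsh", "wsf", "hta", "sct"}

# Innocent-looking extensions placed before the real one so that, with
# "Hide file extensions for known file types" on, only they are shown.
# (Assumed list for this example.)
DECOY_EXTENSIONS = {"txt", "doc", "htm", "html", "jpg", "jpeg", "gif", "pdf"}


def displayed_name(filename):
    """What Explorer or Outlook shows when the last (known) extension is hidden."""
    return filename.rsplit(".", 1)[0] if "." in filename else filename


def triage_attachment(filename):
    """Return the reasons an attachment name should be treated as hostile.
    An empty list means the name alone raises no flag."""
    parts = filename.split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    ext = parts[-1].lower()
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script extension .{ext} is executed by Windows Scripting Host")
    if len(parts) >= 3 and parts[-2].lower() in DECOY_EXTENSIONS:
        reasons.append(
            f"double extension: shown as '{displayed_name(filename)}' when extensions are hidden"
        )
    return reasons


def triage_message(subject, body, attachments):
    """Gateway-style check: the attachment names decide the verdict; the
    subject is only a secondary indicator because copy-cat variants change it."""
    findings = {}
    for name in attachments:
        reasons = triage_attachment(name)
        if reasons:
            findings[name] = reasons
    # Normalise spacing and case so 'I LOVE YOU' and 'ILOVEYOU' both match.
    if "".join(subject.split()).upper() == "ILOVEYOU":
        findings["subject"] = ["matches the known lure subject 'ILOVEYOU'"]
    verdict = "quarantine" if any(k != "subject" for k in findings) else "deliver"
    return verdict, findings


if __name__ == "__main__":
    # Constructed sample matching the message described in the article.
    print(triage_message("ILOVEYOU",
                         "kindly check the attached LOVELETTER coming from me.",
                         ["LOVE-LETTER-FOR-YOU.TXT.vbs"]))
```

The rule that matters is the attachment one: a .vbs (or other script) attachment is dropped regardless of sender or subject, which is exactly the "if it has a .VBS attachment, delete it" advice above, applied before the message reaches a user.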
But as soon as you open the attachment it will start
Windows Scripting Host and do its dirty work:
- it copies itself onto your hard drive and sets up the
registry to run again each time you boot your computer.
Not content with setting up one copy of the virus it does
it twice.
In the Windows system directory it calls itself both
MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs .
In the Windows directory it creates a file called Win32DLL.vbs
- It also tries to send copies of itself via the Internet
Relay Chat (IRC) system if you have mIRC running on your
computer.
- It tries to download and run a file called
WIN-BUGSFIX.exe from the Internet. Far from fixing any
bugs, this separate program will apparently scan the
computer memory for network passwords and send them out
to the maker of the virus. When we tried to access the
file, the whole domain given as the source was
unavailable. Hopefully this is a sign that the owners are
taking remedial action or perhaps the site has been
totally overloaded with the file requests from the virus.
If the virus does get the program from the Internet then
it sets up to run when you next restart Windows.
- It will check all local and network drives connected to
your computer and overwrite many files with copies of the
virus. The exact actions depend on the file extension:
Any files with the extensions .js, .jse, .css, .wsh,
.sct, .hta are deleted and replaced with copies of the
virus using the name of the deleted file plus the .vbs
extension, e.g. foobar.css becomes foobar.vbs.
Files with the extensions .jpg, .jpeg are deleted and
replaced with copies of the virus using the full name of
the deleted file plus the .vbs extension, e.g. foobar.jpg
becomes foobar.jpg.vbs.
.mp2 and .mp3 files are replaced with copies of the
virus using the full name of the deleted file plus the
.vbs extension, e.g. foobar.mp3 becomes foobar.mp3.vbs. In
addition these files are changed to Hidden status.
.vbs and .vbe files keep their full name and
extension but are replaced with the virus code, and any
existing script is lost.
- It also scans all your Outlook address books and sends an
infected email message to all contacts. It only does this
if the Outlook Address Book has more addresses than the
Windows Address Book, but that's usually the case for
Outlook users. (The virus doesn't send itself to any
addresses in the Windows Address Book)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3. AM I INFECTED?
If your computer has been infected you can tell by
searching your entire hard drive for a file called
LOVE-LETTER-FOR-YOU.TXT.vbs. There will be at least one
copy in the Windows system folder (usually called
/Windows/System or /Windows/System32).
If that seems too much trouble or you're at all uncertain
then go to your anti-virus software maker and get their
latest update -- most times the software has an update
facility in it. Then run the anti-virus software. It will
check for any viruses including this latest one.
Important: the anti-virus software must check ALL files on
your computer, not just certain types of files like
'Program Files only'.
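The manual search described here, and the file-overwriting rules listed under "WHAT IT DOES", can be folded into one scan that separates three things a responder needs: the worm's own copies (delete), files whose original name can be recovered from the renamed copy (restore from backup), and .vbs/.vbe scripts that may have been overwritten in place (compare against backup). This is an added example, not code from the newsletter or from any anti-virus product; it only matches the file names the article gives and builds a small constructed directory tree so it can run anywhere.

```python
import os
import shutil
import tempfile

# File names the article attributes to the worm (matched case-insensitively).
WORM_FILE_NAMES = {
    "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm",
    "mskernel32.vbs",
    "win32dll.vbs",
    "win-bugsfix.exe",
}
# Extensions the worm replaces with <fullname>.vbs, so the original
# file name is recoverable from the copy's name.
APPENDED_EXTS = {"jpg", "jpeg", "mp2", "mp3"}


def classify(path):
    """Return (kind, original_name) for one file.
    kind is 'worm_copy', 'overwritten', 'script_to_verify' or 'clean'."""
    name = os.path.basename(path)
    low = name.lower()
    if low in WORM_FILE_NAMES:
        return "worm_copy", None
    parts = low.split(".")
    if len(parts) >= 2 and parts[-1] in ("vbs", "vbe"):
        if len(parts) >= 3 and parts[-2] in APPENDED_EXTS:
            # e.g. holiday.jpg.vbs -> the lost file was holiday.jpg
            return "overwritten", name[:-4]
        # A plain .vbs may be a legitimate script, a script overwritten in
        # place, or a renamed .js/.css/.hta etc. whose extension is lost.
        return "script_to_verify", None
    return "clean", None


def scan_tree(root):
    """Walk every directory (hidden files included, since os.walk does not
    skip them) and group findings by kind, with paths relative to root."""
    report = {"worm_copy": [], "overwritten": [], "script_to_verify": []}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            kind, original = classify(full)
            if kind == "overwritten":
                report[kind].append((rel, original))
            elif kind != "clean":
                report[kind].append(rel)
    return report


def build_sample_tree():
    """Constructed sample of what an infected drive might contain."""
    root = tempfile.mkdtemp(prefix="loveletter-demo-")
    for rel in [
        "Windows/System/MSKernel32.vbs",   # worm copy
        "Windows/Win32DLL.vbs",            # worm copy
        "Pictures/holiday.jpg.vbs",        # was holiday.jpg
        "Music/track.mp3.vbs",             # was track.mp3
        "Web/site.vbs",                    # was site.css; extension lost
        "Scripts/backup.vbs",              # legitimate script, maybe overwritten
        "Docs/minutes.txt",                # untouched
    ]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for kind, items in scan_tree(root).items():
            print(kind, items)
    finally:
        shutil.rmtree(root)
```

Run it against a real drive by passing the drive root to scan_tree. The "script_to_verify" bucket is deliberately conservative: the article says .vbs/.vbe scripts are overwritten in place and .js/.css/.hta files are renamed to plain .vbs, so a name alone cannot tell a clean script from a damaged one; those entries need a byte-for-byte comparison with a backup or a current anti-virus scan.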
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4. WHAT TO DO IF YOU'RE INFECTED
The easiest way to get rid of this, or any other virus is
to update your anti-virus software and do a full scan of
your computer. All the major anti-virus companies have
updates available now that cover this virus. This should
remove the virus from your hard drive.
The only problem in the short term is that the anti-virus
companies are overwhelmed with people downloading the
update - so you may have to be patient.
Once you've done the scan, there are some things that the
anti-virus software may not fix:
CHECK YOUR MESSAGES
Most AV software does NOT check the messages in Outlook
individually. If that's the case then the infected
attachment could still be in Outlook most likely in the
Inbox, Deleted Items or Sent Items folders. Check those
folders and delete any copies of the infection message.
You'll find a lot of infected messages in your 'Sent Items'
folder because a copy of each message sent by the virus is
saved there.
TIP - Shift + Delete will fully delete a message, not just
move it to the 'Deleted Items' folder.
REGISTRY CHANGES
When you restart Windows you may get some error messages
about missing files. This is because the AV software has
removed the infected files, but the settings to run those
files remains. Don't worry about those errors. If the
target files have been removed then you're in good shape.
All you have to do is remove the startup registry entries
using Regedit:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
You should remove the following two keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE
The following key is also created or altered by the virus:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
On most computers this key doesn't exist and it was created
by the virus. Therefore you can delete this key unless you
believe that some program might have created a timeout
value.
The value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory
is read by the virus but not changed.
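Rather than hunting through Regedit by hand, the two Run keys and the WSH Settings key can be exported with Regedit's Registry | Export (REGEDIT4 format) and checked offline. The following is an added example, not code from the newsletter: it parses such an export, flags only the value names the article attributes to the worm, and writes a .reg file that deletes those values using regedit's documented `"name"=-` delete-value syntax. The export text and the file paths in it are constructed for the example.

```python
import re

RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES = RUN + "Services"
WSH_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings"

# Value names the article lists, keyed by the registry key they live under.
WORM_VALUES = {
    RUN.lower(): {"mskernel32", "win-bugsfix", "winfat32"},
    RUNSERVICES.lower(): {"win32dll"},
    WSH_SETTINGS.lower(): {"timeout"},
}

# Constructed sample in the shape Regedit exports; the paths are made up.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"WIN-BUGSFIX"="C:\\WINDOWS\\WIN-BUGSFIX.exe"
"WinFAT32"="WinFAT32.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings]
"Timeout"=dword:00000000
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def decode_value(raw):
    """Unescape a quoted REG_SZ; leave dword:/hex:/- data as written."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw


def parse_reg_export(text):
    """Parse a REGEDIT4 / Windows Registry Editor export into
    {(key_path, value_name): value}. Default (@) values are ignored."""
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REGEDIT") \
                or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            entries[(key, m.group(1))] = decode_value(m.group(2))
    return entries


def find_worm_entries(entries):
    """Return [(key, name, value)] for the values the article attributes
    to the worm; other startup entries under the same keys are left alone."""
    hits = []
    for (key, name), value in entries.items():
        if name.lower() in WORM_VALUES.get(key.lower(), set()):
            hits.append((key, name, value))
    return hits


def cleanup_reg(hits):
    """Build a .reg file that deletes just the flagged values."""
    by_key = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_worm_entries(parse_reg_export(SAMPLE_REG_EXPORT))
    for key, name, value in found:
        print(f"{key}\\{name} = {value}")
    print(cleanup_reg(found))
```

The Timeout value is flagged with the same caveat the article gives: it is deleted only if nothing else on the machine set it, so check the generated .reg before merging it. The value paths printed by the scan also tell you which files the anti-virus scan should already have removed.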
INTERNET EXPLORER CHANGES
The virus also may have changed an Internet Explorer setting:
Your Start Page (the first page you see when you start IE)
is changed to a blank page. To fix that open up the start
page you want in the browser then go to Tools | Internet
Options | General and click on the 'Use Current' button.
FILES TO REMOVE
Your anti-virus program should have removed infected files
but it pays to double-check. Search your hard drive for
files called:
LOVE-LETTER-FOR-YOU.HTM
LOVE-LETTER-FOR-YOU.TXT.vbs
Make sure you check all files, including hidden files. If
you find any files with those names, delete them.
RESTORING LOST FILES
You'll have to restore from your backups all the files that
were damaged by the virus. That means files with one of
the following extensions .vbs, .vbe, .jpeg, .mp3, .mp2,.jpg
.js, .jse, .css, .wsh, .sct, and .hta
Remember that .mp3 and .mp2 files were changed to 'Hidden'
by the virus.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5. AN ANTI-VIRUS FIX FROM F-PROT
If you don't have any anti-virus software then we have
step-by-step instructions for downloading and running some
protection.
1) Download the latest version of F-PROT from
ftp://ftp.complex.is/pub/fp-307b.zip
2) Unpack the archive to a folder where you want the
product to reside.
3) Download the latest virus definition databases from
ftp://ftp.complex.is/pub/fp-def.zip
ftp://ftp.complex.is/pub/macrdef2.zip
and unpack them to the same folder where you have
installed F-PROT.
4) Exit to DOS. If the virus has succeeded in starting the
file WIN-BUGSFIX.exe, it won't be possible to delete
this file while Windows is running.
5) Run F-PROT and instruct it to scan all files (regardless
of their extension) and to delete automatically the
infected files it finds:
f-prot /hard /disinf /auto /dumb
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
6. THANKS
Many many thanks to both Claude Almer and Dr Vesselin
Bontchev from FRISK Software International http://www.complex.is/
who shared their considerable knowledge at short
notice to help with this article. Barry Simon also had
some useful info and Phil Young did last minute checking as
soon as he woke up in Sydney.
Naturally any errors or omissions are the responsibility of
WOW - not our helpers. We believe we've covered all the
major facts as best we can at short notice. Of course
we'll keep a close eye on the situation and make sure all
WOW readers are kept up to date.
Much of the general anti-virus advice in our famous Melissa
virus issue also applies now. See
http://www.woodyswatch.com/office/archtemplate.asp?v4-n14
to get a copy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WOODY's CONTACTS in North America or Australia ~~~~~~
WOODY products are available from authorized outlets:
North America:
Advanced Support Group,
11900 Grant Place, Des Peres, Missouri 63131
Ph:(314)965-5630 Fax:(314)966-1833
mailto:km@imktg.com
Australia, New Zealand, Asia:
My Computer Company
1 Allen St (PO Box 114)
Glebe NSW 2037 Australia
Ph: (02) 9692-9322 mailto:sales@mcc.com.au
Fax: (02) 9692-9485 http://mcc.com.au/
All Woody's books and software are available from his
Aussie outlet.
Sales of Woody's books and software help support the considerable costs of
writing and distributing WOW as a free bulletin each week. Help keep WOW
alive and free by buying Woody's products.
ADMINISTRIVIA, subscribing, unsubscribing etc ~~~~~~~~~~
This copy of WOW was originally sent to: [ bford@hal-pc.org ]
Join, Leave or change address from our Web site
http://www.woodyswatch.com/
Email:
Subscribe: wow@wopr.com Unsubscribe: LeaveWOW@woodyswatch.com
Note: replying to any issue of WOW to unsubscribe or comment will NOT work
and your message will not be read by a human. Use the appropriate address
or web page above instead.
Back issues: http://www.woodyswatch.com/windows/archives.asp
Current Issue: http://www.woodyswatch.com/office/archtemplate.asp?current
and also at the Zdnet Help Channel
http://chkpt.zdnet.com/chkpt/hud0007500a/www.zdnet.com/zdhelp/filters/office/wow/
In Association with
Amazon.com:
http://www.amazon.com/exec/obidos/redirect-home/woodsoffiwatcwoo
Amazon.co.UK:
http://www.amazon.co.uk/exec/obidos/redirect-home/woodsoffiwatcw08
Amazon, Germany:
http://www.amazon.de/exec/obidos/redirect-home/woodyswatch
WOW reader comments: to the appropriate columnist or
mailto:wow-feedback@woodyswatch.com
ADVERTISING:
Reach Office and Windows users throughout the world at very reasonable
rates ... mailto:ads@woodyswatch.com?subject=WOW and Phil will send you
details.
WOW's FAMILY
WOW is the first of Woody's series of free email newsletters, to join at
the same address this issue of WOW was sent to click on these links:
* WOODY's OFFICE for MERE MORTALS
http://woodyswatch.com/2mm.cgi?e=bford@hal-pc.org or
mailto:wowmm@woodyswatch.com
* Woody's WINDOWS Watch
http://mcc.com.au/www/wow2www.cgi?email=bford@hal-pc.org (or
mailto:www@woodyswatch.com)
* Woody's ACCESS Watch
http://woodyswatch.com/2waw.cgi?e=bford@hal-pc.org (or
mailto:waw@woodyswatch.com)
* Woody's PROJECT Watch
http://woodyswatch.com/2wpw.cgi?e=bford@hal-pc.org (or
mailto:wpw@woodyswatch.com)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WOODY's OFFICE WATCH - Copyright 2000 ISSN 1328-1674
Pinecliffe International and Peter Deegan. All rights reserved.
REDISTRIBUTION is allowed only with permission. You may
circulate copies of WOW by _manually_ forwarding it,
providing (1) you forward the issue in its entirety,
(2) no fee is involved, and (3) you forward no more than three issues to
any one individual.
After that, please encourage your correspondents to send e-mail to
wow@wopr.com to get their own *free*
subscription.
Everyone is welcome! Tell your friends about WOW!
======================================================
W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H
---
To unsubscribe, forward (not reply) this message to
leave-wow-2637223N@lists.woodyswatch.com [bford@hal-pc.org]