From the Free republic message board - The little pencil-necked geeks are at it again.
http://www.freerepublic.com/forum/a391196413f22.htm#1
Basic Information on "I LOVE YOU" Macro Virus
Source: DOD
Received through my computer geeks
There is currently no fix for the "ILOVEYOU" macro worm that's been going around this morning. If you have opened the
"Loveletter.txt.vbs" you will have to turn off your computer until a fix is found because it infects your system registry and can cause other damage when restarted.
We will implement the fix as soon as it becomes available. Most DOD sites have been affected and as a result external mail connectivity has been shut off until a fix is found.
Below is the latest information we have on the virus:
*********
The DOD-CERT is aware of the "A-Love-Letter-For-You" email with the attachment of LOVELETTER.TXT.VBS. We are currently working with both Symantec and Network Associates. The current signatures and .dat files do not detect this virus (worm). In the meantime, if you do receive this email, PLEASE DELETE IT. DO NOT OPEN OR VIEW THE ATTACHMENT. Check back here often, as we will post the remedy when we get it from the vendor.
The information we have on LoveLetter is as follows: VBS/LoveLetter is a VBScript worm. It spreads thru email as a chain letter. The worm uses the Outlook e-mail application to spread. LoveLetter is also a overwriting VBS virus, and it spreads itself using mIRC client as well. When it is executed, it first copies itself to Windows System directory as:
- MSKernel32.vbs
- LOVE-LETTER-FOR-YOU.TXT.vbs
and to Windows directory:
- Win32DLL.vbs
Then it adds itself to registry, so it will be executed when the system is restarted. The registry keys that it adds are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
Next the worm replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe". If the file is downloaded, the worm adds this to registry as well; causing that the program will be executed when the system is restarted. After that, the worm creates a HTML file, "LOVE-LETTER-FOR-YOU.HTM", to the Windows System directory. This file contains the worm, and it will be sent using mIRC whenever the user joins an IRC channel. Then the worm will use Outlook to mass mail itself to everyone in each address book. The message that it sends will be as follows:
Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
LoveLetter sends the mail once to each recipient. After a mail has been sent, it adds a marker to the registry and does not mass mail itself any more. The virus then searches for certain filetypes on all folders on all local and remote drives and overwrites them with its own code. The files that are overwritten have one of these extensions: ".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta" The virus also tries to use companion techniques, adding a secondary file next to existing file - hoping that the user will click on the wrong file. This is done so that the virus locates files with jpg, jpeg, mp3 and mp2 and adds a new file next to it. For example, a picture named "pic.jpg" will cause a new file called "pic.jpg.vbs" to be created. LoveLetter was found globally in-the-wild on May 4th, 2000. It looks like the virus is Philippine origin. At the beginning of the code, the virus contains the following text:
rem barok -loveletter(vbe) < i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
-- 30 --
One other member wrote: "Also, My IS department said to not even click on it as the preview window will trigger it, also not to delete it either--just stop using the box until further notice."
Those who use Macs or Sun UltraSPARC workstations appear to be immune.
------------------
The New World Order has a Third Reich odor.
http://www.freerepublic.com/forum/a391196413f22.htm#1
Basic Information on "I LOVE YOU" Macro Virus
Source: DOD
Received through my computer geeks
There is currently no fix for the "ILOVEYOU" macro worm that's been going around this morning. If you have opened the
"Loveletter.txt.vbs" you will have to turn off your computer until a fix is found because it infects your system registry and can cause other damage when restarted.
We will implement the fix as soon as it becomes available. Most DOD sites have been affected and as a result external mail connectivity has been shut off until a fix is found.
Below is the latest information we have on the virus:
*********
The DOD-CERT is aware of the "A-Love-Letter-For-You" email with the attachment of LOVELETTER.TXT.VBS. We are currently working with both Symantec and Network Associates. The current signatures and .dat files do not detect this virus (worm). In the meantime, if you do receive this email, PLEASE DELETE IT. DO NOT OPEN OR VIEW THE ATTACHMENT. Check back here often, as we will post the remedy when we get it from the vendor.
The information we have on LoveLetter is as follows: VBS/LoveLetter is a VBScript worm. It spreads thru email as a chain letter. The worm uses the Outlook e-mail application to spread. LoveLetter is also a overwriting VBS virus, and it spreads itself using mIRC client as well. When it is executed, it first copies itself to Windows System directory as:
- MSKernel32.vbs
- LOVE-LETTER-FOR-YOU.TXT.vbs
and to Windows directory:
- Win32DLL.vbs
Then it adds itself to registry, so it will be executed when the system is restarted. The registry keys that it adds are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
Next the worm replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe". If the file is downloaded, the worm adds this to registry as well; causing that the program will be executed when the system is restarted. After that, the worm creates a HTML file, "LOVE-LETTER-FOR-YOU.HTM", to the Windows System directory. This file contains the worm, and it will be sent using mIRC whenever the user joins an IRC channel. Then the worm will use Outlook to mass mail itself to everyone in each address book. The message that it sends will be as follows:
Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
LoveLetter sends the mail once to each recipient. After a mail has been sent, it adds a marker to the registry and does not mass mail itself any more. The virus then searches for certain filetypes on all folders on all local and remote drives and overwrites them with its own code. The files that are overwritten have one of these extensions: ".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta" The virus also tries to use companion techniques, adding a secondary file next to existing file - hoping that the user will click on the wrong file. This is done so that the virus locates files with jpg, jpeg, mp3 and mp2 and adds a new file next to it. For example, a picture named "pic.jpg" will cause a new file called "pic.jpg.vbs" to be created. LoveLetter was found globally in-the-wild on May 4th, 2000. It looks like the virus is Philippine origin. At the beginning of the code, the virus contains the following text:
rem barok -loveletter(vbe) < i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
-- 30 --
One other member wrote: "Also, My IS department said to not even click on it as the preview window will trigger it, also not to delete it either--just stop using the box until further notice."
Those who use Macs or Sun UltraSPARC workstations appear to be immune.
------------------
The New World Order has a Third Reich odor.
*whine!* Bye for now, TFL!