Warning - "ILoveYou" Emails


newswatcher
4th May 2000, 15:34
Urgent message to all.

If you receive an Email, where the subject of the message is "ILoveYou", DO NOT OPEN IT, especially if it comes from someone you know.

This virus replicates when you open the mail and contents, and sends a similar message to all the people on your address book. It has hit most of UK business, and will take some time to eradicate. Because of the volume of messages created, the email system has virtually come to a halt.

Description at:
http://www.sophos.co.uk/virusinfo/analyses/vbsloveleta.html

Because of the large number of people looking at the above URL, you may not get through first time.




InstructorInDebt
4th May 2000, 15:41
Seen it today and looked through the source(curious registry entries, opens all your mp3 mp2 jpeg, vbs, js, css etc files and appends some text, creates some files in your system dir, may change your ie homepage, opens a self-generated web page, copies itself to all your ICQ contacts and then emails itself to everyone in your MAPI address book!!).

But the version I saw comes as a .txt.vbs attachment and replicates itself as such so only someone who a) cuts the .txt part out and imports it into excel and then runs it and b) has people who will do similarly daft things in his outlook addressbook will be able to spread it.

redsnail
4th May 2000, 15:43
Hmph. I only get "Eff off and die" emails. No one sends me any love emails!!
Oh well, can't win'em all! :)

------------------
reddo..."stuff'em if they can't take a joke"

Flintstone
4th May 2000, 15:55
Reddo,

If I sent you something saying 'I Love You' would you open it?

newswatcher
4th May 2000, 16:27
Since the URL given previously is causing problems, here is the text it contains:

Name: VBS/LoveLet-A
Type: Visual Basic Script worm
Detection: Detected by Sophos Anti-Virus version 3.34 or later. An update (IDE file) is available for earlier versions from the Latest virus identities section.

This virus has been very widely reported in the wild. Further IDEs will follow with a fuller analysis.

Comments: This is a virus which tries to spread itself in several ways. Most commonly, it sends itself as an attachment to an email.

Infected emails have the subject line:

ILOVEYOU

The message text is:

kindly check the attached LOVELETTER coming from me.

The attachment is called "LOVE-LETTER-FOR-YOU.TXT.vbs", which has a "double extension". Mailers which suppress well-known extensions such as .vbs may present this file as "LOVE-LETTER-FOR-YOU.TXT", which appears more innocent. Do not be misled by a trick like this.

Because the virus arrives in a VBS file, it requires the Windows Scripting Host (WSH) in order to work. If you disable WSH, the viral attachment will be rendered harmless.

The virus also drops an HTM file which can spread the virus, and a mIRC script which tries to distribute it. It also tries to download a file called WIN-BUGSFIX.exe from the internet, and injects two copies of its VBS script into the system directory where they are executed each time the computer reboots.

The email component of the virus requires Microsoft Outlook to work. If you are using Outlook it will try to send itself to each entry in your Windows Address Book.

Note that following the Sophos Guidelines for Safe Hex will render you almost immune to this attack. If you do not read unusual or unlikely emails and if you have disabled the WSH, then you are unlikely to become infected.

blackadder
4th May 2000, 19:01
Newsie,

I was about to post the same as you in R & N
but with the Norton URL.

I see the thread is closed @ R&N and has been moved here.......... what sheer, bloody stupidity!

There is no patch yet from ANY company,
hence the need to post the info in R & N & Downunder.

This is one very serious BAD virus.
Subject of e-mail: ILOVEYOU
Name of attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Size of attachment: 10307
http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html

Voidhawk
4th May 2000, 19:11
McAfee, Norton and Trendmicro (http://www.trendmicro.de/support/pattern.html - German) have "cures" ready for it.

Flypuppy
4th May 2000, 19:13
The b@st@rd thing has just collapsed the email server in my office :mad:

This is a very serious problem. If any of the PPRuNe Admin team are reading this, I really do think you should put this thread back on the main R&N forum (I don't want to tell you how to do your job, but.....)

Voidhawk
4th May 2000, 19:30
F-Secure also have a description of the virus, with a few screen-shots too:
http://www.f-secure.com/v-descs/love.htm

VelvetStrokes
4th May 2000, 20:10
I have just spent 4 hours eradicating the virus, and it keeps coming. It really is serious. It sent 540 emails in only a few minutes. It also sent one back to my email box for every one sent, plus the ones it put in my sent box. BASTARDS

It destroyed my office links, my outlook mail box was shot to hell. I also spent time re-establishing my internet and intranet access. At the moment, I'm still dealing with the surface implications, god knows what other problems I face.


The only way to stop it was to switch off and crash the machine. Exiting outlook failed to stop the sending. Certainly, I wasn't expecting it and only opened the email not the attachment. The mails came from apparently trusted colleagues, and those I've sent it to will feel the same.

"VBS_Loveletter" Worm
04 May 2000
Virus Control

Alias: Loveletter, VBS/Loveletter
Discovery Date: 04 May 2000
Likelihood: High
Characteristics: The worm uses the Outlook e-mail application to spread. LoveLetter is also an overwriting VBS virus, and it spreads itself using mIRC client as well. The LoveLetter worm is a VBS script, that propagates itself using Microsoft Outlook and mIRC.

Description:

Once executed this computer worm modifies the registry and drops files for it to spread. It replicates via Microsoft Outlook by sending an email with an attachment file “LOVE-LETTER-FOR-YOU.TXT.vbs” to all email addresses listed in the address list. It also propagates using mIRC by modifying the “script.ini.” After connecting to a chat server using mIRC, the virus initiates a DCC send to all the users in the current channel and sends a copy of itself. It is also capable of infecting files with specific extensions.

The message that it sends will be as follows:

Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

Infection:

Once executed, this virus drops the following files:
<root>:\windows\Win32DLL.vbs
<root>:\windows\system\MSKernel32.vbs
<root>:\windows\system\LOVE-LETTER-FOR-YOU.TXT.vbs.

It also modifies the following registry entries so that the virus is run at each Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = <root>:\windows\system\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = <root>:\windows\Win32DLL.vbs

Payload:

It searches for a file named WinFAT32.exe in the <root>:\windows\system folder. If the file exists, then it modifies Internet Explorer’s startup page with one of the following sites:

Wee Weasley Welshman
4th May 2000, 21:28
OK. I have posted on R&N a link to this thread. We are trying to be disciplined about forum content but as this seems to be a little bigger than the usual virus 'scare' I will stick my neck out and make an exception.

Cheers,

WWW

Feline
4th May 2000, 22:02
The B*ST*RD responsible for this bit of work deserves to be thrown out of an aircraft from 33000 feet - it overwrites each and every jpeg file it can find. Don't know whether there is any way of recovering them - I have just lost man-months of work. Some of the images are backed up, but just working out which are the latest images available will take a month of Sundays. B*ST*RD!

------------------
Feline
(I Sit, I Watch, I Smile)

Voidhawk
4th May 2000, 22:21
Apparently all files with the extensions .js, .css, .wsh, .sct, .jpg, .jpeg or .hta are deleted by the virus. What you have left are copies of the executable virus with the same file names as the deleted files, just with the added extension .vbs

So it looks like all files are lost. :mad:

Rollingthunder
4th May 2000, 22:46
Thanks to newswatcher, pprune and all posters. I got the warning early, advised the company and they shut down the incoming and outgoing mail servers. I think we're ok so far. Great info Velvet.
News is reporting USD100 million in damages so far (it's early yet).

Question: They seem to be able to track down hackers effectively these days. How are they at tracking down these scum bucket worm farmers?


Voidhawk
4th May 2000, 23:12
Not sure how, but The Register (http://www.theregister.co.uk) says:

According to Rob Eatwell, business development manager for anti-virus at Network Associates, the Iloveyou virus is believed to have originated in Manila. "We have the name of who we think it is, but we're not saying," he said.


Ham Phisted
4th May 2000, 23:12
Newswatcher goes straight to the top of my christmas card list. Logged onto PPruNe this morning, read his post and then walked over to another PC in the office. Lo and behold: more infected than a sailor on a run ashore. Thanks for the early warning. I work in an organisation whose role it is to protect against these attacks. Can you imagine the embarrassment of infecting their network!
:) Thanks :)

lame
5th May 2000, 00:22
Good day.......

Just logged on Down Under, there is a fix at McAfee for their ActiveShield and Viruscan, they have rated this virus as the highest threat I have ever seen them rate one......

Be careful.......

"lame"

Feline
5th May 2000, 00:29
Read in one of the reports that quite apart from all the other damage that it does, it also captures the infected user's details (user login, passwords, IP address) and e-mails them to an account in the Philippines. Not nice, not nice at all!
The only small crumb of comfort I take from that is that this guy's account must be reeling under the weight of all the e-mails received. Can't help but feel that his ISP will soon be asking some fairly pointed questions.

-------
Feline
(Sitting, Watching and certainly NOT Smilin')

Now Slasher, I have a couple of questions. When will you next be passing through the Philippines? And how high can you get your 737? And (general question) where can one find the highest density of sharks in that part of the world?

BASTARD!

Flybywyre
5th May 2000, 00:31
VERY IMPRESSED......This is the first time I have looked at this forum and I will certainly come here again. Not being a computer buff I came here to see if I could get some technical help/advice regarding the virus that someone was talking about in the bar at White Waltham Aero Club. I did not expect to find so much useful and helpful information......THANK YOU ALL.

blackadder
5th May 2000, 00:35
I cannot believe that the thread started by newswatcher in R&N was closed down so early today.

Don't you moderators ever listen to the news?
:mad:

blackadder
5th May 2000, 01:09
Still nothing available from Norton to detect
the name (subject) etc. @ 2110Z

My Mark 1 eyeball caught one email with it from someone named Robert Nylander!?

Any suggestions how to update Norton A-V to detect 'Iloveyou' in email while downloading mail?

Feline
5th May 2000, 01:24
BA - I suspect that Symantec/Norton server for LiveUpdate for Norton AV must be running white hot at the moment - Remember that the US has now woken up (in more ways than one) to Love Bug.
I tried to download an updated virus definition file at about 15h00Z, but it failed halfway through, and I haven't been able to get into the site since.

I'll live with that for the time being - the characteristics are now known, and any more messages with the subject "ILOVEYOU" will be into the bit bucket faster than you can say "sh*t a brick!"

What is really worrying about this virus (trojan actually) is that it seems to activate just by opening the infected mail - that certainly happened to me, and it sounds like it happened to Velvet Strokes as well. Seem to remember that Bubbleboy did just that too. Not a good omen.

I just scanned my disk for *.jpg.vbs and found more than 10 000 (yes TEN THOUSAND) files with that signature ... At which stage Find said "Enough!" and quit looking. And it re-set the home addresses for both IE and Netscape - this is a Real Nasty Bugger.

-------
Feline
(Sitting, Watching and certainly NOT Smilin')


blackadder
5th May 2000, 02:34
Feline, thanks for that info.

I didn't realise that just by opening the email to see who sent it, it launches itself.... Strewth.

Norton launches ok, but says 'no need to update' as I recently updated [on Sunday] ..... huh?

blackadder
5th May 2000, 03:30
Update; (apologies in advance if the format is screwed up)

"I Love You" virus has "Very Funny" new name

May 4, 2000, 2:55 p.m. PT http://home.cnet.com/category/0-1003-200-1815107.html

Network administrators warn that the "I Love You" virus is circulating under the new name "Very Funny," potentially evading the filtering efforts of those battling the worm.

One network administrator said he first spotted the renamed virus in an email with the subject header "Fwd: Joke" around noon today.

Antivirus software aimed at neutralizing I Love You may not work against Very Funny, administrators said. Utilities written to filter out I Love You based on name alone will not work.

Some security software providers are issuing new patches designed to include protection against the Very Funny variant.

"It seems to be that someone has changed the name of the attachment and the subject line," said Nerender Mangalan, director of security strategy for Computer Associates. "Basically it's the exact same file, and it does the exact same thing, but it's renamed so people looking out for I Love You would open it."

Computer Associates said it would post its updated patch by around 3 p.m. PT.

Representatives from Microsoft said they had no information about the new variation of the virus.

Some network administrators said other software patches were effective against Very Funny.

"We deleted all the emails with I Love You in the header," said Carmelo Lisciotto, director of network operations for online auction site uBid. "We got the first email this morning, and we ran some command-line utilities to delete anything with that header."

Those filters failed to detect Very Funny.

But Lisciotto said antivirus software designed by Microsoft and Symantec for I Love You did work against Very Funny.

The origin of Very Funny, like that of I Love You, remains obscure. But Lisciotto and others were skeptical that the virus was written to rename itself.

"Personally, I think someone re-sent it," Lisciotto said.


bugger.

Seaman Staines
5th May 2000, 10:40
Norton have finally released a live update.
Check your virus list after updating for VBS.LoveLetter.A
(content 177k)

newswatcher
5th May 2000, 11:54
Can't take all the credit, VelvetStrokes beat me by a whole two hours, but put it in this forum. I thought it worthy of wider attention, hence R&N.

A number of people have talked about "lost" files. As someone heavily involved in this area, I cannot overstate the importance of taking regular copies of your critical files.

There are various ways of doing this, dependent upon your technology, so I won't specify any particular product. However, it is good practice to take copies at regular intervals. I set parameters to take a backup of a file whilst I am editing it, but of course this probably would not protect you if you were "infected". At least once a week I copy to an external backup device. These files may be restored once you are absolutely sure your machine has been disinfected.

Will try and post more when I have more time, funnily enough I am in great demand today!

Feline
5th May 2000, 14:21
Counting the cost:

Finally managed to download Norton A-V update. Scanned 39681 files - 11251 infected, almost all .jpg files. Norton deleted 9931 as unrecoverable, but the remaining 1320 aren't any good either, and have had to be deleted.

A lot of the infected files were in the caches of my three browsers (IE, Netscape, Opera), so no pain there. Quite a lot from graphics type applications (eg. PhotoDeluxe) and web authoring packages (NetFusion, Trellix). I suspect that these are things like buttons and templates, so packages may need to be re-installed.

Vast majority were from graphics libraries (I use a digital camera for work), some of which were backed up onto CD-ROM, so I have lost some work, and will need to spend a lot of time recovering individual files. What P*ss*s me off is the sheer waste of time which could otherwise be used to generate revenue!

------------------
Feline
(I Sit, I Watch, I Smile)

Feline
5th May 2000, 14:56
Pragmatic Advice:

If you haven't got a good anti-virus package (and without implied criticism I would strongly advise you to invest in one Real Soon Now if you haven't got one - I use Norton Anti Virus), then the following should help to get rid of LoveBug -

Use the "Find" facility from the Start Menu:

Search for MSKernel32.vbs - delete it by hitting the delete button (it will be in a Windows folder, but the name of the folder will vary depending on whether you are using Win 95/98 or NT)

Search for Win32DLL.vbs - delete it

Search for LOVE-LETTER-FOR-YOU.* - this should bring up two, possibly three files - delete them

Search for *.*.vbs - this will bring up all the infected files (LoveBug uses a double extension). Delete them all (may be quite a lot)

Purge the Recycle Bin (Right Click and choose Empty)

Search for wscript.exe (should be in the Windows folder) and re-name it wscript.xex (that disables it - LoveBug needs this file to run the vb script). You can re-name it at a later stage if you actually need it.

You will also need to reset the home page for your browser (it nobbled IE5 and Netscape on my system - didn't find Opera)

Hope that helps - LoveBug may also have nobbled your system registry but I don't have a fix for that at this time (in any case - messing around with the registry is not for the faint hearted and better left to experts).

Hope that helps - Good Luck!



------------------
Feline
(I Sit, I Watch, I Smile)

Jetset Willy
5th May 2000, 16:25
At the moment I work in the IT dept. for an international pharmaceutical giant, and we had to shut down every company mail server and gateway around the world in an attempt to stop it growing exponentially and grinding the system to a halt. At the last count, there were 6000 of these 'Love you' virus messages queued up in our system!

The following info may help...

"Please be aware that there may be the following variants of the "ILOVEYOU" Virus, if you see any messages with the following subjects just delete.

FWD JOKE
Susitikim shi vakara kavos puodukul
VERY FUNNY.VBS
LOVE-LETTER-FOR-YOU.VBS
LOVE BUG "

Regards
Jetset

Feline
5th May 2000, 17:14
Here are the fixes for the Windows Registry:

Delete the following registry keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RUN\MSKernel32.VBS
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\win32DLL.vbs

Do NOT attempt to fix the Registry unless you know what you're doing - you may cause more damage than you fix! Get someone who knows what they are doing to help you.


------------------
Feline
(I Sit, I Watch, I Smile)
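Feline's Find-based cleanup steps earlier in the thread (MSKernel32.vbs, Win32DLL.vbs, *.*.vbs) and the two Run/RunServices keys in this post can be turned into a read-only check that reports what it finds rather than deleting anything. This Python is an added example, not code from the thread or from any anti-virus vendor; the directory tree and the .reg-style export it inspects are constructed for the demo.

```python
import os
import re
import tempfile

# File names the worm drops, from the Trend Micro text quoted in the thread.
DROPPED_NAMES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs"}
# Autostart keys the thread's registry fix covers (matched as suffixes).
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")


def is_double_extension_vbs(name):
    """Same match as Feline's '*.*.vbs' search: two or more extensions, last is .vbs."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "vbs"


def find_worm_artifacts(root):
    """Walk `root`; return (dropped files, overwritten copies, originals still present)."""
    dropped, copies, originals = [], [], []
    for dirpath, _, files in os.walk(root):
        present = {f.lower() for f in files}
        for f in files:
            path = os.path.join(dirpath, f)
            if f.lower() in DROPPED_NAMES:
                dropped.append(path)
            elif is_double_extension_vbs(f):
                copies.append(path)
                original = f[: -len(".vbs")]  # the file this copy shadows
                if original.lower() in present:
                    originals.append(os.path.join(dirpath, original))
    return sorted(dropped), sorted(copies), sorted(originals)


def basenames(paths):
    """Sorted file names only, for readable reporting."""
    return sorted(os.path.basename(p) for p in paths)


REG_SECTION = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def suspicious_run_entries(reg_export):
    """Return (key, value name, data) for Run/RunServices values that launch a .vbs."""
    hits, current_key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        section = REG_SECTION.match(line)
        if section:
            current_key = section.group(1)
            continue
        value = REG_VALUE.match(line)
        if value and current_key and current_key.lower().endswith(RUN_KEY_SUFFIXES):
            name, data = value.group(1), value.group(2).replace("\\\\", "\\")
            if data.lower().endswith(".vbs"):
                hits.append((current_key, name, data))
    return hits


# Constructed .reg export mirroring the two entries named in the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"ExampleTool"="C:\\Program Files\\Example\\tool.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"
"""


def build_sample_tree():
    """Constructed directory tree imitating a hit machine; returns its root path."""
    root = tempfile.mkdtemp(prefix="lovebug-demo-")
    files = {
        "windows/system/MSKernel32.vbs": "' placeholder, not the worm",
        "windows/Win32DLL.vbs": "' placeholder, not the worm",
        "photos/holiday.jpg.vbs": "' copy; the original is already gone",
        "photos/team.jpg.vbs": "' copy; the original is still beside it",
        "photos/team.jpg": "not-really-a-jpeg",
        "docs/notes.txt": "untouched",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    dropped, copies, originals = find_worm_artifacts(root)
    print("dropped:", basenames(dropped))
    print("overwritten copies:", basenames(copies))
    print("originals still present:", basenames(originals))
    for key, name, data in suspicious_run_entries(SAMPLE_REG):
        print(f"autostart {key}\\{name} -> {data}")
```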

attackattackattack
5th May 2000, 19:06
You can download a fix from here http://www.telnetworks.com/downloads

It looks as though it cleared an infected machine here and recovered some damaged JPG files.

VelvetStrokes
5th May 2000, 21:54
Also, I don't know if anyone else has mentioned it, but after disinfecting, run a 'find and search' for *.vbs files and then delete them all. I found over 1000 in my local drives.


Not sure what the little b*ggers do, but I'm not taking any chances any more. This, after spending hours yesterday and today searching my drives for ILOVEYOU attachments that had somehow hidden themselves in obscure places.




blackadder
6th May 2000, 12:58
More updates arrived from Norton A-V overnight (178Kb) 2 days of updates in a row !!! :)

Rollingthunder
6th May 2000, 17:10
MANILA, May 6 (Reuters) - Philippine police said on Saturday they were awaiting a judge's warrant to arrest the hacker suspected of creating the "Love Bug" virus which has crippled computers worldwide. "They informed me that there was no judge available, although we are trying our best to contact one," National Bureau of Investigation Director Federico Opinion told Reuters by telephone.

"Nothing will happen until tomorrow (Sunday) morning," Nelson Bartoleme, the head of the Bureau's anti-fraud and computer crimes division, told reporters. But he indicated Bureau agents had placed the suspect, believed to be a 23-year-old man living in a crowded Manila suburb, under watch. "Our operatives are out in the field for surveillance," he said.

Police and Internet service providers (ISPs) earlier confirmed the suspect lived in the Manila suburb of Pandacan, but Bureau officials said they had not yet confronted him and would not say why. Some Bureau officials privately said the man had been identified, but would give no further details. Only one man is at the focus of their investigations, they said.

SWEDISH EXPERT POINTS TO GERMAN

In Sweden, however, a computer expert said on Saturday he believed an 18-year-old German exchange student in Australia was responsible for the virus. The originator went under the name of "Michael" and had left traces on Internet user groups, according to Fredrik Bjorck, a Stockholm University researcher in data systems. "I have good reasons for saying I have probably found the originator of the Love Letter virus," Bjorck told the Swedish news agency TT.

The Washington Post newspaper said in its Saturday editions that the FBI had traced the virus to the Philippines through a fairly obvious electronic trail and was ready to seize computers used in the attack once it got court permission.

PRIOR HACKING BID

SKY Internet said on Friday the virus was brought into its network by someone who had previously attempted to hack into its system. The virus was routed through a fake account at Impact, another ISP. SKY said it had given its audit trails of the virus to the NBI, the FBI and Interpol. Both Access Net and SKY said the information would be enough to track down the originator of the virus.

Experts said the virus was likely to engender more variants in the coming weeks. Some copycat variants already detected took the form of Mother's Day gift notices, jokes, and anti-virus warnings.


blackadder
6th May 2000, 22:43
Symantec has identified nine variants of VBS.LoveLetter.A. This information is current as of May 6, 2000 at 7:30am (PST)

1. VBS.LoveLetter.A

Norton AntiVirus detects as: VBS.LoveLetter.A(1)
ATTACHMENT: LOVE-LETTER-FOR-YOU.TXT.vbs
SUBJECT LINE: ILOVEYOU
MESSAGE BODY: kindly check the attached LOVELETTER coming from me.

2. VBS.LoveLetter.B (also known as Lithuania)

Norton AntiVirus detects as: VBS.LoveLetter.B(1)
ATTACHMENT: same as A
SUBJECT LINE: Susitikim shi vakara kavos puodukui...
MESSAGE BODY: same as A

3. VBS.LoveLetter.C (also known as Very Funny)

Norton AntiVirus detects as: VBS.LoveLetter.C(1)
ATTACHMENT: Very Funny.vbs
SUBJECT LINE: fwd: Joke
MESSAGE BODY: empty

4. VBS.LoveLetter.D (also known as BugFix)

Norton AntiVirus detects as: VBS.LoveLetter.A(1)
ATTACHMENT: same as A
SUBJECT LINE: same as A
MESSAGE BODY: same as A
MISC. NOTES: registry entry: WIN- -BUGSFIX.exe instead of WIN-BUGSFIX.exe

5. VBS.LoveLetter.E (also known as Mother's Day)

Norton AntiVirus detects as: VBS.LoveLetter.Variant.E
ATTACHMENT: mothersday.vbs
SUBJECT LINE: Mothers Day Order Confirmation
MESSAGE BODY: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! [email protected]
MISC. NOTES: mothersday.HTM sent in IRC, & comment: rem hackers.com, & start up page to hackes.com, l0pht.com, or 2600.com

6. VBS.LoveLetter.F (also known as Virus Warning)

Norton AntiVirus detects as: VBS.LoveLetter.Variant.F
ATTACHMENT: virus_warning.jpg.vbs
SUBJECT LINE: Dangerous Virus Warning
MESSAGE BODY: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.
MISC. NOTES: Urgent_virus_warning.htm

7. VBS.LoveLetter.G (also known as Virus ALERT!!!)

Norton AntiVirus detects as: VBS.LoveLetter.Variant or VBS.LoveLetter.G
ATTACHMENT: protect.vbs
SUBJECT LINE: Virus ALERT!!!
MESSAGE BODY: a long message regarding VBS.LoveLetter.A
MISC. NOTES: FROM [email protected]. This variant also overwrites files with .bat and .com extensions.

8. VBS.LoveLetter.H (also known as No Comments)

Norton AntiVirus detects as: VBS.LoveLetter.A
ATTACHMENT: same as A
SUBJECT LINE: same as A
MESSAGE BODY: same as A
MISC. NOTES: the comment lines at the beginning of the worm code have been removed.

9. VBS.LoveLetter.I (also known as Important! Read carefully!!)

Norton AntiVirus detects as: VBS.LoveLetter.Variant
ATTACHMENT: Important.TXT.vbs
SUBJECT LINE: Important! Read carefully!!
MESSAGE BODY: Check the attached IMPORTANT coming from me!
MISC. NOTES: new comment line at the beginning: by: BrainStorm / @ElectronicSouls. It also copies the files ESKernel32.vbs & ES32DLL.vbs, and MIRC script comments referring to BrainStorm and ElectronicSouls and sends IMPORTANT.HTM to the chat room.

Also known as: Lovebug, I-Worm.LoveLetter, VBS/LoveLetter.A, VBS/LoveLet-A

Category: Worm
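The Sophos text earlier in the thread explains the double-extension trick, the CNET piece quoted by blackadder notes that filters keyed on the ILOVEYOU subject alone missed Very Funny, and the Symantec list above gives each variant's subject and attachment name. The Python below is an added example written for this thread, not code from Symantec, Sophos or any poster: it parses a message, blocks on attachment type and double extension first, and only then labels the variant, so a renamed copy is still caught. The sample messages are constructed and the set of "hidden" extensions is an assumption about the mail client.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Script types the Windows Scripting Host or the shell runs on a click.
# .vbs is the one the thread describes; the others are among the file types
# the worm overwrote with copies of itself.
SCRIPT_EXTENSIONS = {".vbs", ".js", ".wsh", ".sct", ".hta"}

# Extensions a client hides under "hide extensions for known file types"
# (assumed subset for the demo); this is what makes
# LOVE-LETTER-FOR-YOU.TXT.vbs display as LOVE-LETTER-FOR-YOU.TXT.
HIDDEN_EXTENSIONS = SCRIPT_EXTENSIONS | {".txt", ".jpg", ".exe"}

# (subject, attachment name) pairs from the Symantec variant list quoted in
# the thread, lower-cased. D and H look identical to A on the wire.
KNOWN_VARIANTS = {
    "A": ("iloveyou", "love-letter-for-you.txt.vbs"),
    "B": ("susitikim shi vakara kavos puodukui...", "love-letter-for-you.txt.vbs"),
    "C": ("fwd: joke", "very funny.vbs"),
    "E": ("mothers day order confirmation", "mothersday.vbs"),
    "F": ("dangerous virus warning", "virus_warning.jpg.vbs"),
    "G": ("virus alert!!!", "protect.vbs"),
    "I": ("important! read carefully!!", "important.txt.vbs"),
}


def extensions(filename):
    """'LOVE-LETTER-FOR-YOU.TXT.vbs' -> ['.txt', '.vbs'] (lower-cased)."""
    return ["." + part.lower() for part in filename.split(".")[1:]]


def displayed_name(filename):
    """What a client that hides known extensions would show for this attachment."""
    exts = extensions(filename)
    if exts and exts[-1] in HIDDEN_EXTENSIONS:
        return filename[: -len(exts[-1])]
    return filename


def build_message(subject, body, attachment_name):
    """Constructed sample message; the attachment is a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"' placeholder, not the worm\r\n",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


def parse(raw):
    """Return (subject, [attachment file names]) from raw message bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    return str(msg["Subject"] or ""), names


def subject_only_filter(raw):
    """The name-only rule the CNET piece describes: block if the subject is ILOVEYOU."""
    subject, _ = parse(raw)
    return subject.strip().lower() == "iloveyou"


def triage(raw):
    """Block on attachment type and double extension, then label a known variant."""
    subject, names = parse(raw)
    reasons, variant = [], None
    for name in names:
        exts = extensions(name)
        if exts and exts[-1] in SCRIPT_EXTENSIONS:
            reasons.append(f"{name}: script attachment ({exts[-1]})")
            if len(exts) >= 2:
                reasons.append(f"{name}: double extension, shown as {displayed_name(name)!r}")
        for label, (sig_subject, sig_name) in KNOWN_VARIANTS.items():
            if subject.strip().lower() == sig_subject and name.lower() == sig_name:
                variant = label
    if variant:
        reasons.append(f"matches the VBS.LoveLetter.{variant} signature")
    return {"block": bool(reasons), "variant": variant, "reasons": reasons}


if __name__ == "__main__":
    samples = [
        ("ILOVEYOU", "kindly check the attached LOVELETTER coming from me.",
         "LOVE-LETTER-FOR-YOU.TXT.vbs"),
        ("fwd: Joke", "", "Very Funny.vbs"),
        ("Q2 figures", "see attached", "figures.pdf"),
    ]
    for subj, body, att in samples:
        raw = build_message(subj, body, att)
        print(subj, "| subject-only:", subject_only_filter(raw), "| triage:", triage(raw))
```

The second sample shows the point made in the CNET piece: the subject-only rule passes "fwd: Joke", while the extension rule still blocks it and the signature table names it variant C.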

Rollingthunder
10th May 2000, 17:07
parallel posted from topic in JB:

Seems like a lot of folks are pretty smug about this - those not using MS Outlook - having escaped this particular mess (self included).

It was just too damn easy for a relatively non-expert type to create this thing. He/She/They certainly made every last headline and actually history.
Even bumped Elian off the main topic (thx).

What's next? We couldn't stop the last one. Next one will be built better, larger, more destructive, will capture Netscape and Eudora etc. etc.

Heads up everyone and

--------------
check six

Feline
10th May 2000, 23:33
Rollingthunder - Already commented on your parallel post in JB.

I've been involved with viruses from the days when people used to find it amusing if you talked about computer viruses (My! How attitudes change!)

While I certainly don't think anyone should relax, I do think that it will be difficult for anyone to pull this particular stunt off again.

For one thing, a whole lot of people (corporates in particular) will have switched off host scripting which is what enabled this little booger to execute. Also, all the anti-virus software will now be looking for any mail attachment which is a Visual Basic Script, and hopefully, A-V software will also look for any activity which starts using a MAPI compliant mailing list in an unusual way.

What really added to the rate of propagation of LoveBug was the fact that it mailed to the ENTIRE mailing list on the computers that it hit (Melissa, by contrast, only mailed to the first fifty entries, and propagated a lot slower). Also, it travelled from East to West (most viruses seem to hit the U.S. first, which gives people in other time zones a bit of time to get the word and batten down the hatches).

So, one hell of a lot of stable doors have been bolted after the horse has gone, but that will serve people in good stead in the future.

I'm not saying that it couldn't or won't happen again, but a virus using the same mechanisms won't get too far.

What is perhaps more worrying is the possibility that someone could re-code it so that it propagates stealthily and only triggers the destructive payload somewhat later. Also, if it starts overwriting files other than the ones it does (some of the later variants do just that - going after files with different file extensions).

Apart from some of the options that have already been mentioned in this and other forums (with varying degrees of patronage), like "Use an AppleMac" and "Don't open attachments" (I didn't but still got clobbered), it might be worth thinking of other alternatives. For example, I am thinking of installing a parallel hard drive and copying the contents of my active HD to the backup HD as part of my power down routine. Another possibility is to use a physically separate system purely for e-mail (that gets a bit inconvenient if one is receiving files as attachments that are then used by other applications). Both these solutions add degrees of complexity (and cost), but could be worthwhile alternatives to certain users in certain circumstances.

Anyway, that's my two penn'th (for what it's worth). I am glad to announce that I am beginning to regain my sense of humour (gravely missed over the last few days) and am now viewing the whole episode somewhat more philosophically.

As others have been heard to post (albeit in JB), Fark 'em All!

------------------
Feline
(I Sit, I Watch, I Smile)

ExSimGuy
11th May 2000, 09:36
Feline,

From various posts I gather that you are "pretty hot on computers" so I wonder at your comment that you "didn't open the file and still got clobbered". Although I know it is possible to put HTML into a Word document that may be able to do this sort of damage, do you have any clues as to what happened here?

Could it be from showing the "preview pane" in Outlook? When this little s0d hit the web I switched off the preview pane as a precaution (don't know if this would have made any difference as it appears that nobody loved me enough to send the Bug to me, or any of its variants!) I guess that Outlook has to run the full code if the "attachment" is actually "embedded" if the preview is on. It's a bl00dy nuisance not having preview, but at least I can check the origin/title etc before double-clicking on the mail to read it!

(Should I dust off that old "promo" box of Lotus Smartsuite :) )

The tip about scripting was appreciated - I immediately did it on my machine and passed the word around the office for everyone else to do the same!

Anyone else out there got any ideas? A friend of mine in ZA was passing out "Pretty Park" to all his best mates and swears he did not open it either. Fortunately, we have a lot of common friends and I ICQd them all within an hour of my ZA mate mailing me!


Feline
11th May 2000, 10:55
ExSimGuy

Didn't open it in the sense of opening the e-mail and double clicking on the attachment.

Noted name of attachment, then from Windows Explorer, copied it to diskette (single click from Windows Explorer which should ONLY select a file and not execute it);

Opened Notepad and looked at script (which again, should not execute a file). On quick glance, didn't like what I saw.

Sometime later, went back to Windows Explorer and selected original file and deleted it - but by that stage it appears that it had executed and screwed up all my jpeg files.

From which I deduce that simply "Selecting" the file in Windows Explorer was enough to execute it.

And I kind of confirm that because later on, after I had realised I had been hit and was trying to clear up the damage (and had also renamed the host scripting wscript.exe programme), I selected an infected file (single click not double click) and it promptly tried to run itself all over again (but couldn't because I had renamed the executable).

So, as far as I'm concerned, I took reasonable precautions, but the little booger still got me. Files should not execute when simply selected, but it seems that .vbs scripts do (another little Microsoft "undocumented feature"?)

Don't know about the preview pane in Outlook - I use Eudora which doesn't have a preview pane.


------------------
Feline
(I Sit, I Watch, I Smile)


[This message has been edited by Feline (edited 11 May 2000).]

blackadder
11th May 2000, 12:24
Good posts Feline.
You scared me when you said you use Eudora.
I use Eudora and thought I was 'slightly' immune from the probs you had.
Oh well, back to using the trusted Mark 1 eyeball...... :)

Seaman Staines
13th May 2000, 11:39
More live-updates are available from Norton A-V today.
Sorry, I don't know anything about the other companies.

ExSimGuy
14th May 2000, 15:46
I read in the newspaper today that OnTrack latest recovery program (about $50) can recover your image files!!!! :) :) :)

Also read there is a new virus (damn - I can't remember the name!) which uses HTML as its propagation system - it runs as soon as you view the email - no need to open any attachment!!!! :mad: . :mad: . :mad:



------------------
Flight Sims, very expensive toys - but real fun to play with!

blackadder
14th May 2000, 16:19
ESG, try hypnotism to recall the name please http://geocities.com/r337m0nk3y/net/lickout.gif

Ausatco
14th May 2000, 17:02
Feline,

Do you use a mouse driver that has an option "single click where you would normally double click"? eg MS Intellimouse.

At a guess, setting that option would just change a registry entry, which means that it would be easy for something like the I Love You virus to change as part of its payload in anticipation of post infection clean-up activities.

Maybe it's worth checking the registry for such changes?

AA

Feline
15th May 2000, 00:19
Ausatco
That's actually a very percipient post. As it so happens, I do use an MS Intellimouse, but have checked and the Clicksaver option isn't checked. Also, can't remember seeing a registry entry change for the intellimouse when I looked at the script.
I still rather think that for some reason, Visual Basic Scripts execute as soon as you single click them. As I think I've said before, that could simply be one of the "unpublished features" for which Windoze is renowned!

------------------
Feline
(I Sit, I Watch, I Smile)
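For anyone who wants to check the point Feline and Ausatco are chasing (how a .vbs file gets run, and whether the registry still wires it straight to the script host), here is a read-only PowerShell check added to this thread; it is not code posted by either of them. It assumes a stock Windows layout where .vbs belongs to the VBSFile class and wscript.exe lives in System32.

```powershell
# Added example (not from the thread): report how .vbs files are wired up on this machine.
# Looks at the registry locations a defender checks after a LoveLetter-style incident:
#  1. the default verb for VBSFile (Open = run with WScript, Edit = open in Notepad)
#  2. whether Windows Script Host has been disabled machine-wide
#  3. whether wscript.exe is still present under its real name (Feline renamed it as a stopgap)
# The script changes nothing; the one-line mitigation is left as a comment at the end.

$report = [ordered]@{}

# 1. Default verb for the VBSFile class; an empty default value means "Open"
$shellKey = 'Registry::HKEY_CLASSES_ROOT\VBSFile\Shell'
$defaultVerb = (Get-ItemProperty -Path $shellKey -ErrorAction SilentlyContinue).'(default)'
if ([string]::IsNullOrEmpty($defaultVerb)) { $defaultVerb = 'Open' }
$report['VBSFile default verb'] = $defaultVerb

# What the Open verb launches (stock value runs WScript.exe "%1" %*)
$openCmd = (Get-ItemProperty -Path "$shellKey\Open\Command" -ErrorAction SilentlyContinue).'(default)'
$report['Open command'] = $openCmd

# 2. Windows Script Host "Enabled" flag; a missing value means WSH is enabled
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$wshEnabled = (Get-ItemProperty -Path $wshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
$report['WSH enabled'] = if ($null -eq $wshEnabled) { 'yes (no override set)' } else { "value=$wshEnabled" }

# 3. Is the script host binary where the Open verb expects it?
$report['wscript.exe present'] = Test-Path (Join-Path $env:SystemRoot 'System32\wscript.exe')

$report.GetEnumerator() | ForEach-Object { '{0,-24}: {1}' -f $_.Key, $_.Value }

# Flag the combination the thread is worried about: .vbs runs on activation with WSH live
if ($defaultVerb -eq 'Open' -and "$wshEnabled" -ne '0') {
    Write-Warning 'Activating a .vbs file (double-click, or a single click in Explorer single-click mode) runs it via WScript.'
    Write-Warning 'Mitigation: make Edit the default verb so activation opens Notepad instead of running the script.'
    # Set-ItemProperty -Path $shellKey -Name '(default)' -Value 'Edit'   # run elevated to apply
}
```

With Edit as the default verb the script still runs if someone explicitly chooses Open, so the WSH Enabled flag remains the stronger control where scripting is not needed at all.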

Tarantella
24th May 2000, 15:03
I was just sent an email titled " ILoveYou" from a person called MileHighClub8. I'm not sure if it is the virus mentioned here, but since he is not my ' friend' and in serious need of some attitude correction in any case, I did not open it.
Any ideas how to return to sender? ;)
It may be a totally innocuous email, but since the w@nker has already offered to fight me on a thread in the cabin crew forum - I don't think he really loves me LOL.
Any thoughts on what I ought to do about him?

Feline
24th May 2000, 23:37
Don't stuff around with it Tarantella - shift delete to deep six it. Don't try and return it to sender - if it is the LoveBug virus, you don't need it in your life - believe me!

If this joker is trying to rev you, I would suggest dropping an e-mail to the moderator of the forum with the facts, and asking to have the perpetrator banned from PPRuNe - slagging someone off in a forum is one thing, sending someone something which may or may not be a virus is something else entirely.

------------------
Feline
(I Sit, I Watch, I Smile)

Tarantella
26th May 2000, 06:45
Thanks for the advice Feline:
Email has been sent to admin.