
Warning - "ILoveYou" Emails

Old 5th May 2000, 01:09
  #21 (permalink)  
blackadder
Guest
 
Posts: n/a
Unhappy

Still nothing available from Norton to detect the name (subject) etc. @ 2110Z

My Mark 1 eyeball caught one email with it from someone named Robert Nylander!?

Any suggestions how to update Norton A-V to detect 'Iloveyou' in email while downloading mail?
 
Old 5th May 2000, 01:24
  #22 (permalink)  
Feline
Guest
 
Posts: n/a
Unhappy

BA - I suspect that Symantec/Norton server for LiveUpdate for Norton AV must be running white hot at the moment - Remember that the US has now woken up (in more ways than one) to Love Bug.
I tried to download an updated virus definition file at about 15h00Z, but it failed halfway through, and I haven't been able to get into the site since.

I'll live with that for the time being - the characteristics are now known, and any more messages with the subject "ILOVEYOU" will be into the bit bucket faster than you can say "sh*t a brick!"

What is really worrying about this virus (trojan actually) is that it seems to activate just by opening the infected mail - that certainly happened to me, and it sounds like it happened to Velvet Strokes as well. Seem to remember that Bubbleboy did just that too. Not a good omen.

I just scanned my disk for *.jpg.vbs and found more than 10 000 (yes TEN THOUSAND) files with that signature ... At which stage Find said "Enough!" and quit looking. And it re-set the home addresses for both IE and Netscape - this is a Real Nasty Bugger.

-------
Feline
(Sitting, Watching and certainly NOT Smilin')

[This message has been edited by Feline (edited 04 May 2000).]
 
Old 5th May 2000, 02:34
  #23 (permalink)  
blackadder
Guest
 
Posts: n/a
Exclamation

Feline, thanks for that info.

I didn't realise that just by opening the email to see who sent it, it launches itself.... Strewth.

Norton launches ok, but says 'no need to update' as I recently updated [on Sunday] ..... huh?
 
Old 5th May 2000, 03:30
  #24 (permalink)  
blackadder
Guest
 
Posts: n/a
Unhappy

Update; (apologies in advance if the format is screwed up)

"I Love You" virus has "Very Funny" new name

May 4, 2000, 2:55 p.m. PT http://home.cnet.com/category/0-1003-200-1815107.html

Network administrators warn that the "I Love You" virus is circulating under the new name "Very Funny," potentially evading the filtering efforts of those battling the worm.

One network administrator said he first spotted the renamed virus in an email with the subject header "Fwd: Joke" around noon today.

Antivirus software aimed at neutralizing I Love You may not work against Very Funny, administrators said. Utilities written to filter out I Love You based on name alone will not work.

Some security software providers are issuing new patches designed to include protection against the Very Funny variant.

"It seems to be that someone has changed the name of the attachment and the subject line," said Nerender Mangalan, director of security strategy for Computer Associates. "Basically it's the exact same file, and it does the exact same thing, but it's renamed so people looking out for I Love You would open it."

Computer Associates said it would post its updated patch by around 3 p.m. PT.

Representatives from Microsoft said they had no information about the new variation of the virus.

Some network administrators said other software patches were effective against Very Funny.

"We deleted all the emails with I Love You in the header," said Carmelo Lisciotto, director of network operations for online auction site uBid. "We got the first email this morning, and we ran some command-line utilities to delete anything with that header."

Those filters failed to detect Very Funny.

But Lisciotto said antivirus software designed by Microsoft and Symantec for I Love You did work against Very Funny.

The origin of Very Funny, like that of I Love You, remains obscure. But Lisciotto and others were skeptical that the virus was written to rename itself.

"Personally, I think someone re-sent it," Lisciotto said.


bugger.
 
Old 5th May 2000, 10:40
  #25 (permalink)  
Seaman Staines
Guest
 
Posts: n/a
Thumbs down

Norton have finally released a live update.
Check your virus list after updating for VBS.LoveLetter.A
(content 177k)
 
Old 5th May 2000, 11:54
  #26 (permalink)  
newswatcher
Guest
 
Posts: n/a
Unhappy

Can't take all the credit, VelvetStrokes beat me by a whole two hours, but put it in this forum. I thought it worthy of wider attention, hence R&N.

A number of people have talked about "lost" files. As someone heavily involved in this area, I cannot overstate the importance of taking regular copies of your critical files.

There are various ways of doing this, dependent upon your technology, so I won't specify any particular product. However, it is good practice to take copies at regular intervals. I set parameters to take a backup of a file whilst I am editing it, but of course this probably would not protect you if you were "infected". At least once a week I copy to an external backup device. These files may be restored once you are absolutely sure your machine has been disinfected.

Will try and post more when I have more time, funnily enough I am in great demand today!

 
Old 5th May 2000, 14:21
  #27 (permalink)  
Feline
Guest
 
Posts: n/a
Angry

Counting the cost:

Finally managed to download Norton A-V update. Scanned 39681 files - 11251 infected, almost all .jpg files. Norton deleted 9931 as unrecoverable, but the remaining 1320 aren't any good either, and have had to be deleted.

A lot of the infected files were in the caches of my three browsers (IE, Netscape, Opera), so no pain there. Quite a lot from graphics type applications (eg. PhotoDeluxe) and web authoring packages (NetFusion, Trellix). I suspect that these are things like buttons and templates, so packages may need to be re-installed.

Vast majority were from graphics libraries (I use a digital camera for work), some of which were backed up onto CD-ROM, so I have lost some work, and will need to spend a lot of time recovering individual files. What P*ss*s me off is the sheer waste of time which could otherwise be used to generate revenue!

------------------
Feline
(I Sit, I Watch, I Smile)
 
Old 5th May 2000, 14:56
  #28 (permalink)  
Feline
Guest
 
Posts: n/a
Unhappy

Pragmatic Advice:

If you haven't got a good anti-virus package (and without implied criticism I would strongly advise you to invest in one Real Soon Now if you haven't got one - I use Norton Anti Virus), then the following should help to get rid of LoveBug -

Use the "Find" facility from the Start Menu:

Search for MSKernel32.vbs - delete it by hitting the delete button (it will be in a Windows folder, but the name of the folder will vary depending on whether you are using Win 95/98 or NT)

Search for Win32DLL.vbs - delete it

Search for LOVE-LETTER-FOR-YOU.* - this should bring up two, possibly three files - delete them

Search for *.*.vbs - this will bring up all the infected files (LoveBug uses a double extension). Delete them all (may be quite a lot)

Purge the Recycle Bin (Right Click and choose Empty)

Search for wscript.exe (should be in the Windows folder) and re-name it wscript.xex (that disables it - LoveBug needs this file to run the vb script). You can re-name it at a later stage if you actually need it.

You will also need to reset the home page for your browser (it nobbled IE5 and Netscape on my system - didn't find Opera)

Hope that helps - LoveBug may also have nobbled your system registry but I don't have a fix for that at this time (in any case - messing around with the registry is not for the faint hearted and better left to experts).

Hope that helps - Good Luck!



------------------
Feline
(I Sit, I Watch, I Smile)
 
Old 5th May 2000, 16:25
  #29 (permalink)  
Jetset Willy
Guest
 
Posts: n/a
Arrow

At the moment I work in the IT dept. for an international pharmaceutical giant, and we had to shut down every company mail server and gateway around the world in an attempt to stop it growing exponentially and grinding the system to a halt. At the last count, there were 6000 of these 'Love you' virus messages queued up in our system!

The following info may help...

"Please be aware that there may be the following variants of the "ILOVEYOU" Virus, if you see any messages with the following subjects just delete.

FWD JOKE
Susitikim shi vakara kavos puodukul
VERY FUNNY.VBS
LOVE-LETTER-FOR-YOU.VBS
LOVE BUG "

Regards
Jetset
 
Old 5th May 2000, 17:14
  #30 (permalink)  
Feline
Guest
 
Posts: n/a
Unhappy

Here are the fixes for the Windows Registry:

Delete the following registry keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RUN\MSKernel32.VBS
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RUN Services\win32DLL.vbs

Do NOT attempt to fix the Registry unless you know what you're doing - you may cause more damage than you fix! Get someone who knows what they are doing to help you.


------------------
Feline
(I Sit, I Watch, I Smile)
 
Old 5th May 2000, 19:06
  #31 (permalink)  
attackattackattack
Guest
 
Posts: n/a
Thumbs up

You can download a fix from here http://www.telnetworks.com/downloads

It looks as though it cleared an infected machine here and recovered some damaged JPG files.
 
Old 5th May 2000, 21:54
  #32 (permalink)  
VelvetStrokes
Guest
 
Posts: n/a
Unhappy

Also, I don't know if anyone else has mentioned it, but after disinfecting, run a 'find and search' for *.vbs files and then delete them all. I found over 1000 in my local drives.


Not sure what the little b*ggers do, but I'm not taking any chances any more. This, after spending hours yesterday and today searching my drives for ILOVEYOU attachments that had somehow hidden themselves in obscure places.



[This message has been edited by VelvetStrokes (edited 05 May 2000).]
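An added example, not part of any post in this thread: a report-only pass over a directory tree using the file names from the clean-up steps in posts #28 and #32. It lists the dropped copies, the `*.*.vbs` double-extension files together with the original name to look for in backups (stripping `.vbs` to get that name is an assumption), and any remaining `.vbs` files for manual review. The sample tree is constructed.

```python
import fnmatch
import os
import tempfile

# File names from the clean-up steps posted in this thread (compared lower-case).
DROPPED_NAMES = {"mskernel32.vbs", "win32dll.vbs"}
DROPPED_GLOBS = ("love-letter-for-you.*",)

# Constructed sample tree; the paths are made up for this example.
SAMPLE_TREE = [
    "WINDOWS/SYSTEM/MSKernel32.vbs",
    "WINDOWS/Win32DLL.vbs",
    "WINDOWS/SYSTEM/LOVE-LETTER-FOR-YOU.TXT.vbs",
    "Photos/site_visit_01.jpg.vbs",
    "Photos/site_visit_02.jpg",
    "Scripts/logon.vbs",
    "Docs/report.doc",
]


def triage(root):
    """Walk root and sort files into three report lists. Nothing is deleted."""
    report = {"dropped": [], "overwritten": [], "other_vbs": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            rel = rel.replace(os.sep, "/")
            if low in DROPPED_NAMES or any(
                    fnmatch.fnmatchcase(low, g) for g in DROPPED_GLOBS):
                report["dropped"].append(rel)
            elif fnmatch.fnmatchcase(low, "*.*.vbs"):
                # Assumption: the name minus ".vbs" is the file that was
                # overwritten, i.e. the one to restore from backup.
                report["overwritten"].append((rel, rel[:-len(".vbs")]))
            elif low.endswith(".vbs"):
                # Single-extension scripts may be legitimate; list for review.
                report["other_vbs"].append(rel)
    for entries in report.values():
        entries.sort()
    return report


def demo():
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SAMPLE_TREE:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("placeholder\n")
        return triage(root)


if __name__ == "__main__":
    for category, entries in demo().items():
        print(category, entries)
```

Keeping the "overwritten" list before deleting anything gives a restore checklist to work through once the machine is clean.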
 
Old 6th May 2000, 12:58
  #33 (permalink)  
blackadder
Guest
 
Posts: n/a
Unhappy

More updates arrived from Norton A-V overnight (178Kb) 2 days of updates in a row !!!
 
Old 6th May 2000, 17:10
  #34 (permalink)  
Rollingthunder
Guest
 
Posts: n/a
Unhappy

MANILA, May 6 (Reuters) - Philippine police said on Saturday they were awaiting a judge's warrant to arrest the hacker suspected of creating the "Love Bug" virus which has crippled computers worldwide. "They informed me that there was no judge available, although we are trying our best to contact one," National Bureau of Investigation Director Federico Opinion told Reuters by telephone. "Nothing will happen until tomorrow (Sunday) morning," Nelson Bartoleme, the head of the Bureau's anti-fraud and computer crimes division, told reporters. But he indicated Bureau agents had placed the suspect, believed to be a 23-year-old man living in a crowded Manila suburb, under watch. "Our operatives are out in the field for surveillance," he said. Police and Internet service providers (ISPs) earlier confirmed the suspect lived in the Manila suburb of Pandacan, but Bureau officials said they had not yet confronted him and would not say why. Some Bureau officials privately said the man had been identified, but would give no further details. Only one man is at the focus of their investigations, they said.

SWEDISH EXPERT POINTS TO GERMAN

In Sweden, however, a computer expert said on Saturday he believed an 18-year-old German exchange student in Australia was responsible for the virus. The originator went under the name of "Michael" and had left traces on Internet user groups, according to Fredrik Bjorck, a Stockholm University researcher in data systems. "I have good reasons for saying I have probably found the originator of the Love Letter virus," Bjorck told the Swedish news agency TT.
The Washington Post newspaper said in its Saturday editions that the FBI had traced the virus to the Philippines through a fairly obvious electronic trail and was ready to seize computers used in the attack once it got court permission.

PRIOR HACKING BID

SKY Internet said on Friday the virus was brought into its network by someone who had previously attempted to hack into its system. The virus was routed through a fake account at Impact, another ISP. SKY said it had given its audit trails of the virus to the NBI, the FBI and Interpol. Both Access Net and SKY said the information would be enough to track down the originator of the virus.

Experts said the virus was likely to engender more variants in the coming weeks. Some copycat variants already detected took the form of Mother's Day gift notices, jokes, and anti-virus warnings.

[This message has been edited by Rollingthunder (edited 06 May 2000).]
 
Old 6th May 2000, 22:43
  #35 (permalink)  
blackadder
Guest
 
Posts: n/a
Angry

Symantec has identified nine variants of VBS.LoveLetter.A. This
information is current as of May 6, 2000 at 7:30am (PST)

1.VBS.LoveLetter.A

Norton AntiVirus detects as: VBS.LoveLetter.A(1)
ATTACHMENT: LOVE-LETTER-FOR-YOU.TXT.vbs
SUBJECT LINE: ILOVEYOU
MESSAGE BODY: kindly check the attached
LOVELETTER coming from me.

2.VBS.LoveLetter.B (also known as Lithuania)

Norton AntiVirus detects as: VBS.LoveLetter.B(1)
ATTACHMENT: same as A
SUBJECT LINE: Susitikim shi vakara kavos puodukui...
MESSAGE BODY: same as A

3.VBS.LoveLetter.C (also known as Very Funny)

Norton AntiVirus detects as: VBS.LoveLetter.C(1)
ATTACHMENT: Very Funny.vbs
SUBJECT LINE: fwd: Joke
MESSAGE BODY: empty

4.VBS.LoveLetter.D (also known as BugFix)

Norton AntiVirus detects as: VBS.LoveLetter.A(1)
ATTACHMENT: same as A
SUBJECT LINE: same as A
MESSAGE BODY: same as A
MISC. NOTES: registry entry: WIN- -BUGSFIX.exe instead
of WIN-BUGSFIX.exe

5.VBS.LoveLetter.E (also known as Mother's Day)

Norton AntiVirus detects as: VBS.LoveLetter.Variant.E
ATTACHMENT: mothersday.vbs
SUBJECT LINE: Mothers Day Order Confirmation
MESSAGE BODY: We have proceeded to charge your
credit card for the amount of $326.92 for the mothers day
diamond special. We have attached a detailed invoice to
this email. Please print out the attachment and keep it in a
safe place. Thanks Again and Have a Happy Mothers Day!
[email protected]
MISC. NOTES: mothersday.HTM sent in IRC, & comment:
rem hackers.com, & start up page to hackes.com,
l0pht.com, or 2600.com

6.VBS.LoveLetter.F (also known as Virus Warning)

Norton AntiVirus detects as: VBS.LoveLetter.Variant.F
ATTACHMENT: virus_warning.jpg.vbs
SUBJECT LINE: Dangerous Virus Warning
MESSAGE BODY: There is a dangerous virus circulating.
Please click attached picture to view it and learn to avoid
it.
MISC. NOTES: Urgent_virus_warning.htm

7.VBS.LoveLetter.G (also known as Virus ALERT!!!)

Norton AntiVirus detects as: VBS.LoveLetter.Variant or
VBS.LoveLetter.G
ATTACHMENT: protect.vbs
SUBJECT LINE: Virus ALERT!!!
MESSAGE BODY: a long message regarding
VBS.LoveLetter.A
MISC. NOTES: FROM [email protected]. This
variant also overwrites files with .bat and .com extensions.

8.VBS.LoveLetter.H (also known as No Comments)

Norton AntiVirus detects as: VBS.LoveLetter.A
ATTACHMENT: same as A
SUBJECT LINE: same as A
MESSAGE BODY: same as A
MISC. NOTES: the comment lines at the beginning of the
worm code have been removed.

9.VBS.LoveLetter.I (also known as Important! Read
carefully!!)

Norton AntiVirus detects as: VBS.LoveLetter.Variant
ATTACHMENT: Important.TXT.vbs
SUBJECT LINE: Important! Read carefully!!
MESSAGE BODY: Check the attached IMPORTANT
coming from me!
MISC. NOTES: new comment line at the beginning: by:
BrainStorm / @ElectronicSouls. It also copies the files
ESKernel32.vbs & ES32DLL.vbs, and MIRC script
comments referring to BrainStorm and ElectronicSouls and
sends IMPORTANT.HTM to the chat room.

Also known as: Lovebug, I-Worm.LoveLetter, VBS/LoveLetter.A,
VBS/LoveLet-A


Category: Worm
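An added example, not part of any post in this thread: the article quoted in post #24 says filters keyed on the "I Love You" name missed the renamed copy, and the Symantec list above shows why. This sketch builds one constructed message per listed variant (harmless placeholder attachments, example.com addresses) and compares a subject-line filter with a rule keyed on the attachment's file extension. The extension set beyond `.vbs` is an assumption.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions handled by Windows Script Host. The thread only mentions .vbs;
# the rest are an assumption added for this example.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}

# (variant, subject, attachment) as given in the Symantec list quoted above.
VARIANTS = [
    ("A", "ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    ("B", "Susitikim shi vakara kavos puodukui...", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    ("C", "fwd: Joke", "Very Funny.vbs"),
    ("D", "ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    ("E", "Mothers Day Order Confirmation", "mothersday.vbs"),
    ("F", "Dangerous Virus Warning", "virus_warning.jpg.vbs"),
    ("G", "Virus ALERT!!!", "protect.vbs"),
    ("H", "ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    ("I", "Important! Read carefully!!", "Important.TXT.vbs"),
]


def build_message(subject, filename):
    """Constructed sample mail; the attachment body is a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    msg.add_attachment(b"placeholder bytes, not script code",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def subject_filter(raw, blocked=("iloveyou",)):
    """Name-based filtering, the approach the quoted article says failed."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower().replace(" ", "")
    return any(term in subject for term in blocked)


def attachment_findings(raw):
    """Classify attachments by file name only, ignoring subject and body."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = set()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower().rstrip(". ")
        pieces = name.split(".")
        if len(pieces) > 1 and pieces[-1] in SCRIPT_EXTS:
            findings.add("script-attachment")
            if len(pieces) > 2:
                findings.add("double-extension")
    return findings


def compare():
    """Return (variant, caught_by_subject, attachment_findings) per variant."""
    rows = []
    for variant, subject, filename in VARIANTS:
        raw = build_message(subject, filename)
        rows.append((variant, subject_filter(raw), attachment_findings(raw)))
    return rows


if __name__ == "__main__":
    for variant, by_subject, findings in compare():
        print(f"LoveLetter.{variant}: subject filter={by_subject!s:5} "
              f"attachment rule={sorted(findings)}")
```

The subject filter catches only the three variants that kept the original subject, while the extension rule flags all nine; the double-extension check alone would miss variants C, E and G.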
 
Old 10th May 2000, 17:07
  #36 (permalink)  
Rollingthunder
Guest
 
Posts: n/a
Unhappy

parallel posted from topic in JB:

Seems like a lot of folks are pretty smug about this - those not using MS Outlook - having escaped this particular mess (self included).

It was just too damn easy for a relatively non-expert type to create this thing. He/She/They certainly made every last headline and actually history.
Even bumped Elian off the main topic (thx).

What's next? We couldn't stop the last one. Next one will be built better, larger, more destructive, will capture Netscape and Eudora etc. etc.

Heads up everyone and

--------------
check six

 
Old 10th May 2000, 23:33
  #37 (permalink)  
Feline
Guest
 
Posts: n/a
Lightbulb

Rollingthunder - Already commented on your parallel post in JB.

I've been involved with viruses from the days when people used to find it amusing if you talked about computer viruses (My! How attitudes change!)

While I certainly don't think anyone should relax, I do think that it will be difficult for anyone to pull this particular stunt off again.

For one thing, a whole lot of people (corporates in particular) will have switched off host scripting which is what enabled this little booger to execute. Also, all the anti-virus software will now be looking for any mail attachment which is a Visual Basic Script, and hopefully, A-V software will also look for any activity which starts using a MAPI compliant mailing list in an unusual way.

What really added to the rate of propagation of LoveBug was the fact that it mailed to the ENTIRE mailing list on the computers that it hit (Melissa, by contrast, only mailed to the first fifty entries, and propagated a lot slower). Also, it travelled from East to West (most viruses seem to hit the U.S. first, which gives people in other time zones a bit of time to get the word and batten down the hatches).

So, one hell of a lot of stable doors have been bolted after the horse has gone, but that will serve people in good stead in the future.

I'm not saying that it couldn't or won't happen again, but a virus using the same mechanisms won't get too far.

What is perhaps more worrying is the possibility that someone could re-code it so that it propagates stealthily and only triggers the destructive payload somewhat later. Also, if it starts overwriting files other than the ones it does (some of the later variants do just that - going after files with different file extensions).

Apart from some of the options that have already been mentioned in this and other forums (with varying degrees of patronage), like "Use an AppleMac" and "Don't open attachments" (I didn't but still got clobbered), it might be worth thinking of other alternatives. For example, I am thinking of installing a parallel hard drive and copying the contents of my active HD to the backup HD as part of my power down routine. Another possibility is to use a physically separate system purely for e-mail (that gets a bit inconvenient if one is receiving files as attachments that are then used by other applications). Both these solutions add degrees of complexity (and cost), but could be worthwhile alternatives to certain users in certain circumstances.

Anyway, that's my two penn'th (for what it's worth). I am glad to announce that I am beginning to regain my sense of humour (gravely missed over the last few days) and am now viewing the whole episode somewhat more philosophically.

As others have been heard to post (albeit in JB), Fark 'em All!

------------------
Feline
(I Sit, I Watch, I Smile)
 
Old 11th May 2000, 09:36
  #38 (permalink)  
ExSimGuy
Guest
 
Posts: n/a
Question

Feline,

From various posts I gather that you are "pretty hot on computers" so I wonder at your comment that you "didn't open the file and still got clobbered". Although I know it is possible to put HTML into a Word document that may be able to do this sort of damage, do you have any clues as to what happened here?

Could it be from showing the "preview pane" in Outlook? When this little s0d hit the web I switched off the preview pane as a precaution (don't know if this would have made any difference as it appears that nobody loved me enough to send the Bug to me, or any of its variants!) I guess that Outlook has to run the full code if the "attachment" is actually "embedded" if the preview is on. It's a bl00dy nuisance not having preview, but at least I can check the origin/title etc before double-clicking on the mail to read it!

(Should I dust off that old "promo" box of Lotus Smartsuite )

The tip about scripting was appreciated - I immediately did it on my machine and passed the word around the office for everyone else to do the same!

Anyone else out there got any ideas? A friend of mine in ZA was passing out "Pretty Park" to all his best mates and swears he did not open it either. Fortunately, we have a lot of common friends and I ICQd them all within an hour of my ZA mate mailing me!

[This message has been edited by ExSimGuy (edited 11 May 2000).]
 
Old 11th May 2000, 10:55
  #39 (permalink)  
Feline
Guest
 
Posts: n/a
fish

ExSimGuy

Didn't open it in the sense of opening the e-mail and double clicking on the attachment.

Noted name of attachment, then from Windows Explorer, copied it to diskette (single click from Windows Explorer which should ONLY select a file and not execute it);

Opened Notepad and looked at script (which again, should not execute a file). On quick glance, didn't like what I saw.

Sometime later, went back to Windows Explorer and selected original file and deleted it - but by that stage it appears that it had executed and screwed up all my jpeg files.

From which I deduce that simply "Selecting" the file in Windows Explorer was enough to execute it.

And I kind of confirm that because later on, after I had realised I had been hit and was trying to clear up the damage (and had also renamed the host scripting wscript.exe programme), I selected an infected file (single click not double click) and it promptly tried to run itself all over again (but couldn't because I had renamed the executable).

So, as far as I'm concerned, I took reasonable precautions, but the little booger still got me. Files should not execute when simply selected, but it seems that .vbs scripts do (another little Microsoft "undocumented feature"?)

Don't know about the preview pane in Outlook - I use Eudora which doesn't have a preview pane.


------------------
Feline
(I Sit, I Watch, I Smile)


[This message has been edited by Feline (edited 11 May 2000).]
 
Old 11th May 2000, 12:24
  #40 (permalink)  
blackadder
Guest
 
Posts: n/a
Red face

Good posts Feline.
You scared me when you said you use Eudora.
I use Eudora and thought I was 'slightly' immune from the probs you had.
Oh well, back to using the trusted Mark 1 eyeball......
 

