PPRuNe Forums


newswatcher 4th May 2000 15:34

Warning - "ILoveYou" Emails
 
Urgent message to all.

If you receive an Email, where the subject of the message is "ILoveYou", DO NOT OPEN IT, especially if it comes from someone you know.

This virus replicates when you open the mail and contents, and sends a similar message to all the people on your address book. It has hit most of UK business, and will take some time to eradicate. Because of the volume of messages created, the email system has virtually come to a halt.

Description at:
http://www.sophos.co.uk/virusinfo/an...sloveleta.html

Because of the large number of people looking at the above URL, you may not get through first time.



[This message has been edited by newswatcher (edited 04 May 2000).]

InstructorInDebt 4th May 2000 15:41

Seen it today and looked through the source (curious registry entries, opens all your mp3 mp2 jpeg, vbs, js, css etc files and appends some text, creates some files in your system dir, may change your IE homepage, opens a self-generated web page, copies itself to all your ICQ contacts and then emails itself to everyone in your MAPI address book!!).

But the version I saw comes as a .txt.vbs attachment and replicates itself as such so only someone who a) cuts the .txt part out and imports it into excel and then runs it and b) has people who will do similarly daft things in his outlook address book will be able to spread it.

redsnail 4th May 2000 15:43

Hmph. I only get "Eff off and die" emails. No one sends me any love emails!!
Oh well, can't win'em all! :)

------------------
reddo..."stuff'em if they can't take a joke"

Flintstone 4th May 2000 15:55

Reddo,

If I sent you something saying 'I Love You' would you open it?

newswatcher 4th May 2000 16:27

Since the URL given previously is causing problems, here is the text it contains:

Name: VBS/LoveLet-A
Type: Visual Basic Script worm
Detection: Detected by Sophos Anti-Virus version 3.34 or later. An update (IDE file) is available for earlier versions from the Latest virus identities section.

This virus has been very widely reported in the wild. Further IDEs will follow with a fuller analysis.

Comments: This is a virus which tries to spread itself in several ways. Most commonly, it sends itself as an attachment to an email.

Infected emails have the subject line:

ILOVEYOU

The message text is:

kindly check the attached LOVELETTER coming from me.

The attachment is called "LOVE-LETTER-FOR-YOU.TXT.vbs", which has a "double extension". Mailers which suppress well-known extensions such as .vbs may present this file as "LOVE-LETTER-FOR-YOU.TXT", which appears more innocent. Do not be misled by a trick like this.

Because the virus arrives in a VBS file, it requires the Windows Scripting Host (WSH) in order to work. If you disable WSH, the viral attachment will be rendered harmless.

The virus also drops an HTM file which can spread the virus, and a mIRC script which tries to distribute it. It also tries to download a file called WIN-BUGSFIX.exe from the internet, and injects two copies of its VBS script into the system directory where they are executed each time the computer reboots.

The email component of the virus requires Microsoft Outlook to work. If you are using Outlook it will try to send itself to each entry in your Windows Address Book.

Note that following the Sophos Guidelines for Safe Hex will render you almost immune to this attack. If you do not read unusual or unlikely emails and if you have disabled the WSH, then you are unlikely to become infected.
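
The double-extension trick in the description quoted above is something a mail filter can test for directly. This is an added example, not part of the original thread or of the Sophos text; the function names and extension lists are assumptions, and the sample message is constructed.

```python
import os
from email import message_from_string

# Types the Windows shell or Script Host will run (assumed list; the page names .vbs).
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".scr", ".exe"}
# Inner extensions that make a name look like a harmless document (assumed list).
DECOY_EXTS = {".txt", ".doc", ".jpg", ".jpeg", ".gif", ".mp3"}

def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before judging.
    cleaned = name.strip().rstrip(". ").lower()
    stem, last = os.path.splitext(cleaned)
    if last not in EXECUTABLE_EXTS:
        return "ok"
    inner = os.path.splitext(stem)[1]
    return "double-extension" if inner in DECOY_EXTS else "executable"

def displayed_name(name):
    """What a mailer that hides the final, well-known extension would show."""
    return os.path.splitext(name)[0]

def scan_message(raw):
    """Return (filename, verdict) for every attachment not judged 'ok'."""
    findings = []
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        verdict = classify_filename(filename) if filename else "ok"
        if verdict != "ok":
            findings.append((filename, verdict))
    return findings

# Constructed sample: subject, body text and attachment name as quoted above.
SAMPLE = """\
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

(placeholder text standing in for the attachment body)
--b1--
"""
```

`displayed_name` shows why the check has to run on the full filename: once the final extension is hidden, what remains looks like a text file.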




blackadder 4th May 2000 19:01

Newsie,

I was about to post the same as you in R & N
but with the Norton URL.

I see the thread is closed @ R&N and has been moved here.......... what sheer, bloody stupidity!

There is no patch yet from ANY company,
hence the need to post the info in R & N & Downunder.

This is one very serious BAD virus.
Subject of e-mail: ILOVEYOU
Name of attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Size of attachment: 10307
http://www.symantec.com/avcenter/ven...eletter.a.html

Voidhawk 4th May 2000 19:11

McAfee, Norton and Trendmicro (http://www.trendmicro.de/support/pattern.html - German) have "cures" ready for it.

Flypuppy 4th May 2000 19:13

The b@st@rd thing has just collapsed the email server in my office :mad:

This is a very serious problem. If any of the PPRuNe Admin team are reading this, I really do think you should put this thread back on the main R&N forum (I don't want to tell you how to do your job, but.....)

Voidhawk 4th May 2000 19:30

F-Secure also have a description of the virus, with a few screen-shots too:
http://www.f-secure.com/v-descs/love.htm


VelvetStrokes 4th May 2000 20:10

I have just spent 4 hours eradicating the virus, and it keeps coming. It really is serious. It sent 540 emails in only a few minutes. It also sent one back to my email box for every one sent, plus the ones it put in my sent box. BASTARDS

It destroyed my office links, my outlook mail box was shot to hell. I also spent time re-establishing my internet and intranet access. At the moment, I am still dealing with the surface implications, god knows what other problems I face.


The only way to stop was to switch off and crash the machine. Exiting outlook failed to stop the sending. Certainly, I wasn't expecting it and only opened the email not the attachment. The mails came from apparently trusted colleagues, and those I've sent it to will feel the same.

"VBS_Loveletter" Worm
04 May 2000
Virus Control

Alias: Loveletter, VBS/Loveletter
Discovery Date: 04 May 2000
Likelihood: High
Characteristics: The worm uses the Outlook e-mail application to spread. LoveLetter is also an overwriting VBS virus, and it spreads itself using mIRC client as well. The LoveLetter worm is a VBS script, that propagates itself using Microsoft Outlook and mIRC.

Description:

Once executed this computer worm modifies the registry and drops files for it to spread. It replicates via Microsoft Outlook by sending an email with an attachment file “LOVE-LETTER-FOR-YOU.TXT.vbs” to all email addresses listed in the address list. It also propagates using mIRC by modifying the “script.ini.” After connecting to a chat server using mIRC, the virus initiates a DCC send to all the users in the current channel and sends a copy of itself. It is also capable of infecting files with specific extensions.

The message that it sends will be as follows:

Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

Infection:

Once executed, this virus drops the following files:
<root>:\windows\Win32DLL.vbs
<root>:\windows\system\MSKernel32.vbs
<root>:\windows\system\LOVE-LETTER-FOR-YOU.TXT.vbs.

It also modifies the following registry entries so that the virus is run each time Windows starts up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
<root>:\windows\system\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
<root>:\windows\Win32DLL.vbs

Payload:

It searches for a file named WinFAT32.exe in the <root>:\windows\system folder. If the file exists, then it modifies Internet Explorer’s startup page with one of the following sites:
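
The autorun entries listed in the description above can be looked for in a registry export. This is an added example, not part of the original post or the vendor text; it assumes a `REGEDIT4`-style text export, uses `C:` in place of `<root>:`, generalises from the two named values to any script started from those keys, and the sample export is constructed.

```python
import re

# Autorun keys named in the description quoted above (compared in lower case).
AUTORUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
# Script types run by Windows Script Host (assumed list; the page names .vbs).
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", s)

def script_autoruns(reg_text):
    """Return (key, value name, command) for autorun values that start a script."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or key.lower() not in AUTORUN_KEYS:
            continue
        command = unescape(m.group("data"))
        # The command may carry quotes or arguments, so test each token.
        tokens = [t.strip('"').lower() for t in command.split()]
        if any(t.endswith(SCRIPT_EXTS) for t in tokens):
            hits.append((key, unescape(m.group("name")), command))
    return hits

# Constructed export: two entries as described above, one benign, one outside the autorun keys.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_LOCAL_MACHINE\Software\Example]
"Notes"="C:\\docs\\readme.vbs"
'''
```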



Wee Weasley Welshman 4th May 2000 21:28

OK. I have posted on R&N a link to this thread. We are trying to be disciplined about forum content but as this seems to be a little bigger than the usual virus 'scare' I will stick my neck out and make an exception.

Cheers,

WWW

Feline 4th May 2000 22:02

The B*ST*RD responsible for this bit of work deserves to be thrown out of an aircraft from 33000 feet - it overwrites each and every jpeg file it can find. Don't know whether there is any way of recovering them - I have just lost man-months of work. Some of the images are backed up, but just working out which are the latest images available will take a month of Sundays. B*ST*RD!

------------------
Feline
(I Sit, I Watch, I Smile)

Voidhawk 4th May 2000 22:21

Apparently all files with the extensions .js, .css, .wsh, .sct, .jpg, .jpeg or .hta are deleted by the virus. What you have left are copies of the executable virus with the same file names as the deleted files, just with the added extension .vbs

So it looks like all files are lost. :mad:

Rollingthunder 4th May 2000 22:46

Thanks to newswatcher, pprune and all posters. I got the warning early, advised the company and they shut down the incoming and outgoing mail servers. I think we're ok so far. Great info Velvet.
News is reporting USD100 million in damages so far (it's early yet).

Question: They seem to be able to track down hackers effectively these days. How are they at tracking down these scum bucket worm farmers?

[This message has been edited by Rollingthunder (edited 04 May 2000).]

Voidhawk 4th May 2000 23:12

Not sure how, but The Register (http://www.theregister.co.uk) says:

According to Rob Eatwell, business development manager for anti-virus at Network Associates, the Iloveyou virus is believed to have originated in Manila. "We have the name of who we think it is, but we're not saying," he said.

[This message has been edited by Voidhawk (edited 04 May 2000).]

Ham Phisted 4th May 2000 23:12

Newswatcher goes straight to the top of my christmas card list. Logged onto PPruNe this morning, read his post and then walked over to another PC in the office. Lo and behold: more infected than a sailor on a run ashore. Thanks for the early warning. I work in an organisation whose role it is to protect against these attacks. Can you imagine the embarrassment of infecting their network!
:) Thanks :)

lame 5th May 2000 00:22

Good day.......

Just logged on Down Under, there is a fix at McAfee for their ActiveShield and Viruscan, they have rated this virus as the highest threat I have ever seen them rate one......

Be careful.......

"lame"


Feline 5th May 2000 00:29

Read in one of the reports that quite apart from all the other damage that it does, it also captures the infected user's details (user login, passwords, IP address) and e-mails them to an account in the Philippines. Not nice, not nice at all!
The only small crumb of comfort I take from that is that this guy's account must be reeling under the weight of all the e-mails received. Can't help but feel that his ISP will soon be asking some fairly pointed questions.

-------
Feline
(Sitting, Watching and certainly NOT Smilin')

Now Slasher, I have a couple of questions. When will you next be passing through the Philippines? And how high can you get your 737? And (general question) where can one find the highest density of sharks in that part of the world?

BASTARD!

Flybywyre 5th May 2000 00:31

VERY IMPRESSED......This is the first time I have looked at this forum and I will certainly come here again. Not being a computer buff I came here to see if I could get some technical help/advice regarding the virus that someone was talking about in the bar at White Waltham Aero Club. I did not expect to find so much useful and helpful information......THANK YOU ALL.

blackadder 5th May 2000 00:35

I cannot believe that the thread started by newswatcher in R&N was closed down so early today.

Don't you moderators ever listen to the news?
:mad:

