VIRUS ALERT - ILOVEYOU


  • VIRUS ALERT - ILOVEYOU

    Gang - In case you aren't aware, there is an e-mail virus being spread today with the phrase "ILOVEYOU" in the subject. Network Associates has determined that THIS IS A REAL VIRUS. This virus is also known as "SATRIA", "SATRIA.A", "SATRIA.B", and/or "JULY 4TH". HTH, Steve

  • #2

    What does it do? We got an alert from our network folks this a.m., but they did not say what it does. Also, one of my co-workers received it and opened it before he got the alert - no problems yet.........

    • #3

      I no more than finished reading this, when I got that email. Spooky... This one was from, of all people, Roger Pence. Maybe News/400 is spreading it. HA HA HA! Just kidding. It was from Roger though. Must be replicating itself and going through his address book or something.

      • #4

        Joe - It is (apparently) a VB Script virus that uses Outlook (surprised?) to replicate itself as an e-mail chain letter. You can get more info at http://www.networkassociates.com (their site appears to be swamped, I kept timing out trying to get there) or http://www.f-secure.com/v-descs/love.htm (this has a good description of what it does). Several companies here in town have had problems with it this morning (at least 5) and I have gotten calls or e-mail from 3 or 4 others saying "do not open ILOVEYOU". Just one more reason to "Practice safe hex". HTH, Steve

        • #5

          We got it where I am, once you open it you are infected, but most of the damage is pending until you reboot. Once you reboot you're in trouble. There is a fix, so far it is manual. If you reboot all your .jpeg,mpeg ... files are renamed and the .VBS files are copied in their place, if you open the image file it starts all over again. Among other things. Oh well, another day...

          • #6

            Here's a news story about the virus from MSNBC: http://www.msnbc.com/news/403350.asp Most sites with information about the virus are too busy to get to.

            • #7

              One of our affiliated companies already got the virus. Isn't it incredible what people open through E-mail? As for me, any crap that I get that has to do with "free love", "how to earn a million bucks", etc. etc. etc....... gets tossed in the cyberspace trash bucket ASAP. I haven't got a virus yet.

              • #8

                The virus also resets your internet explorer home page to https://www.skyinet.net/~young1s/HJK...7345gvsdf7679n jbvYT/WIN-BUGSFIX.exe I have not been brave enough to debug this. I was going to send it to the virus watchers but all of their sites are swamped. Two of our computers were hit. And they rebooted. I haven't seen any problems, but they don't have any .jpg or .mp3 files on their systems. Gosh, I love my job!

                • #9

                  Here's a lot of details about this virus. Isn't it amazing how some people devote their time and talent to destructive stuff like this?!?!

                  ______________________________________________________________________

                  To all, Please review the following information and distribute to your teams. As we learn more about this worm, the bulletin will be updated.

                  "VBS_Loveletter" Worm
                  04 May 2000
                  Virus Control

                  Alias: Loveletter, VBS/Loveletter
                  Discovery Date: 04 May 2000
                  Likelihood: High

                  Characteristics: The worm uses the Outlook e-mail application to spread. LoveLetter is also an overwriting VBS virus, and it spreads itself using mIRC client as well. The LoveLetter worm is a VBS script, that propagates itself using Microsoft Outlook and mIRC.

                  Description: Once executed this computer worm modifies the registry and drops files for it to spread. It replicates via Microsoft Outlook by sending an email with an attachment file "LOVE-LETTER-FOR-YOU.TXT.vbs" to all email addresses listed in the address list. It also propagates using mIRC by modifying the "script.ini." After connecting to a chat server using mIRC, the virus initiates a DCC send to all the users in the current channel and sends a copy of itself. It is also capable of infecting files with specific extensions.

                  The message that it sends will be as follows:
                    Subject: ILOVEYOU
                    Body: kindly check the attached LOVELETTER coming from me.
                    Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

                  Infection: Once executed, this virus drops the following files:
                    :\windows\Win32DLL.vbs
                    :\windows\system\MSKernel32.vbs
                    :\windows\system\LOVE-LETTER-FOR-YOU.TXT.vbs

                  It also modifies the following registry entries so that the virus is run each time Windows starts up:
                    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32, :\windows\system\MSKernel32.vbs
                    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL, :\windows\Win32DLL.vbs

                  Payload: It searches for a file named WinFAT32.exe in the :\windows\system folder. If the file exists, then it modifies Internet Explorer's startup page with one of the following sites:
                    http://www.skyinet.net/~young1s/ HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf 7679njbvYT/ WIN-BUGSFIX.exe
                    http://www.skyinet.net/~angelcat/skl...wetryDGFikjUIy qwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/ WIN-BUGSFIX.exe
                    http://www.skyinet.net/~koichi/ jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3V bvg/ WIN-BUGSFIX.exe
                    http://www.skyinet.net/~chu/sdgfhjks...kKLHjkqwtuHJBh AFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmads hfgqw 237461234iuy7thjg/WIN-BUGSFIX.exe

                  It also searches for a file named WIN-BUGSFIX.exe in the :\windows\system folder. If the file does not exist, then it modifies Internet Explorer's startup page with "about:blank" page and modifies the registry key:
                    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX, WIN-BUGSFIX.exe

                  Detection/Removal: Users should delete any messages from both the Inbox and Deleted items folder with the following attributes:
                    - Subject line of the email messages contains the words "ILOVEYOU"
                    - Text in the body of the message includes the words "kindly check the attached LOVELETTER coming from me"
                    - There is an attachment file in the message with the title, "LOVE-LETTER-FOR-YOU.TXT.vbs"

                  Prevention: Users should delete any messages from both the Inbox and Deleted items folder with the following attributes:
                    - Subject line of the email messages contains the words "ILOVEYOU"
                    - Text in the body of the message includes the words "kindly check the attached LOVELETTER coming from me"
                    - There is an attachment file in the message with the title, "LOVE-LETTER-FOR-YOU.TXT.vbs"

                  Never open executable file attachments, such as .exe, .com, .bat, .shs, and .vbs. If an attachment is received unexpectedly, even from a person you trust, ask the sender before opening. Never open attachments received from unknown sources. Delete the e-mail from both your Inbox and Deleted Items folders. Ensure that you are running anti-virus software with the latest signature update.

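Added example (not part of any post in this thread or of the quoted bulletin): a Python check, of the kind a mail gateway could run, that applies the bulletin's three message indicators and its list of executable attachment types. The function name `screen_message`, the `DECOY_EXT` set and the sample message are constructed for illustration.

```python
from email import message_from_string

# Indicators and blocked extensions as listed in the bulletin above.
BLOCKED_EXT = {".exe", ".com", ".bat", ".shs", ".vbs"}
SUBJECT_IOC = "iloveyou"
BODY_IOC = "kindly check the attached loveletter coming from me"
DECOY_EXT = {"txt", "jpg", "jpeg", "mp2", "mp3"}  # assumption: harmless-looking inner extensions

def screen_message(raw):
    """Return the reasons to quarantine a raw message; an empty list means pass."""
    msg = message_from_string(raw)
    reasons = []
    if SUBJECT_IOC in (msg.get("Subject") or "").lower():
        reasons.append("subject-indicator")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:
            # Inline text part: collapse whitespace, then match the body phrase.
            if part.get_content_type() == "text/plain":
                text = part.get_payload(decode=True).decode("latin-1").lower()
                if BODY_IOC in " ".join(text.split()):
                    reasons.append("body-indicator")
            continue
        # Only the LAST extension decides how Windows opens the file.
        pieces = name.strip().rstrip(".").lower().split(".")
        if len(pieces) > 1 and "." + pieces[-1] in BLOCKED_EXT:
            reasons.append("blocked-extension:" + name)
            if len(pieces) > 2 and pieces[-2] in DECOY_EXT:
                reasons.append("double-extension:" + name)
    return reasons

# Constructed sample message (placeholder attachment body, no script content).
SAMPLE = """From: colleague@example.com
Subject: ILOVEYOU
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

placeholder
--b1--
"""
if __name__ == "__main__":
    print(screen_message(SAMPLE))
```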


                  • #10

                    HI All - we are testing a repair strategy now (11:15AM Pacific). If it cleans up the problem we will post it here. Should know in about 30 minutes. In the mean time we can all call Roger and razz him about it.....

                    • #11

                      Don your HAZMAT suits. This is what I have done for a clean up. Don't know if it is right, but it appeared to work. In Windows go into Windows Explorer. Search for *.VBS in all directories. You will see a bunch of them with the date of the infection. Delete all of these and empty your recycle bin. One file, MSKernel32.VBS will be in use so you cannot delete it. Reboot your machine and press F8 to get to the command line. Do a DIR *.vbs /s to find all remaining scripts. Some that you just deleted will have reappeared. Delete the remaining VBS files. Reboot your machine. Check the properties on Internet Explorer and reset the home page. Now check your network drives for *.VBS and clean them. At this point you should be clean, at least as far as I can tell. This was done on a Win/98 machine. I did not find the registry entries mentioned in the previous post. If you are in Win/95 these procedures may vary. Good luck. John Panzenhagen

                      • #12

                        You don't need to obtain a virus to do PC damage. AOL has reported that in certain rare instances, installing AOL 5.0 on a PC with Win/98 second edition, will wipe out the boot sector, effectively wiping out everything! Dave

                        • #13

                          Here is a procedure we are using. It's like the previous one posted only it deals with reinfection and partial infections (the website shut down part of the problem.) This is working here but is tuned to our environment.

                          System Wide Changes
                          1) Shut Down Mail (Prevents re-infection while you are fixing this.)
                          2) Change firewall to block *.VBS attachments
                          3) Close all Outlook Clients

                          Desktop Procedures
                          1) Find all files = *.TXT.VBS - Delete them if they exist. This desktop is infected. If they do not exist the Desktop is not infected. Go to 14.
                          2) Find all files = *.JPG.VBS - Delete them if they exist.
                          3) Find all files = *.JPEG.VBS - Delete them if they exist.
                          4) Find all files = *.MP2.VBS - Delete them if they exist.
                          5) Find all files = *.MP3.VBS - Delete them if they exist.
                          6) Find Win-BugsFix.EXE - Delete
                          7) Find WINFAT32.exe - Delete
                             6 & 7 came from the web site and may not be present. Site was shut down prior to 8:00 Pacific.
                          8) Find Mskernel32.VBS - Delete
                          9) Find Win32dll.vbs - Delete
                          10) Delete Registry Keys
                              HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Mskernel32
                              HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
                          11) Look for *.VBS files where size = 11K and Modified date = Today. Delete.
                          12) Purge Recycle Bin.
                          13) Run Internet Explorer. Delete Temporary Internet files. Tools\Internet Options\General Tab - "Delete Files" button. Reset Home Page
                          14) Reboot
                          15) Run Outlook, purge Inbox, Outbox & Sent folder of I love you message.
                          16) Delete items from Deleted folder in Outlook.

                          Once this is done to all affected desktops restart Mail Server, purging all messages prior to restart. (Prevents re-infection.) Software on the Desktop that uses JPG (splash screens, etc.) will have to be re-installed. Software that uses a replaced VBS will have to be re-installed.

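Added example (not part of any post in this thread): a report-only Python triage pass over a directory tree using the file patterns and names from steps 1-9 of the desktop procedure above, which also derives the list of original files that need restoring. The function names and the placeholder directory tree are constructed for illustration; nothing is deleted.

```python
import os
import tempfile

# Patterns and names from steps 1-9 of the procedure above.
DECOY_SUFFIXES = (".txt.vbs", ".jpg.vbs", ".jpeg.vbs", ".mp2.vbs", ".mp3.vbs")
DROPPED_NAMES = {"mskernel32.vbs", "win32dll.vbs", "win-bugsfix.exe", "winfat32.exe"}

def triage(root):
    """Walk root and classify files. Report only: nothing is deleted."""
    report = {"dropped": [], "decoy": [], "other_vbs": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            low, path = name.lower(), os.path.join(folder, name)
            if low in DROPPED_NAMES:
                report["dropped"].append(path)
            elif low.endswith(DECOY_SUFFIXES):
                report["decoy"].append(path)
            elif low.endswith(".vbs"):
                # Step 11: needs the size and modified-date check by a person.
                report["other_vbs"].append(path)
    return {kind: sorted(paths) for kind, paths in report.items()}

def is_infected(report):
    """Step 1: any *.TXT.VBS file marks the desktop as infected."""
    return any(p.lower().endswith(".txt.vbs") for p in report["decoy"])

def replaced_originals(report):
    """Names the decoys stand in for (logo.JPG.vbs -> logo.JPG): the restore list."""
    return sorted(os.path.basename(p)[:-4] for p in report["decoy"]
                  if not p.lower().endswith(".txt.vbs"))

def build_constructed_tree(root):
    """Create empty placeholder files mimicking an affected desktop (constructed)."""
    for rel in ("windows/Win32DLL.vbs", "windows/system/MSKernel32.vbs",
                "windows/system/LOVE-LETTER-FOR-YOU.TXT.vbs", "docs/logo.JPG.vbs",
                "music/song.mp3.vbs", "scripts/login.vbs", "docs/readme.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        result = triage(tmp)
        print(is_infected(result), replaced_originals(result))
        for kind, paths in result.items():
            print(kind, [os.path.relpath(p, tmp) for p in paths])
```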


                          • #14

                            Kyle - Didn't you forget one additional step? 17) Remove Outlook (AKA Typhoid Mary) from every desktop in the company. ;-) Steve

                            • #15

                              Be aware of the following: the virus can (we could not determine any system) create VB Scripts (*.vbs) in Windows/Temp folder. It is wise to clear it and purge the Recycle Bin, if it's used. Deleting files from the Temporary Internet Files folder through Tools menu DOES NOT delete VBS files!!! We went the safe route and cleared this folder completely by searching for *.* in Windows/Temporary Internet Files. Again, the Recycle Bin should be purged. Sergey Gorovoy
