Heads Up for Virus Alert
CocoPops
05-04-2000, 04:41 AM
Over here in the UK we have been alerted to a new VB/macro virus. Called something like "ILOVEYOU" or "LOVEBUG" etc etc.
Delete it as soon as possible.
IT firms here are very concerned. It is NOT being picked up by Virus Checkers yet.
Be warned......
Trust No-one
Lee.
OuTpaTienT
05-04-2000, 04:53 AM
Ever since I turned 30 I can't even trust myself.
MadMatt
05-04-2000, 06:42 AM
This could be a bad one folks! We have some users who have already received 80+ copies of it and it's less than 8 hours old. Looks like it started in Switzerland or Germany.
*************************
Alias: Loveletter, VBS/Loveletter
Discovery Date: 04 May 2000
Likelihood: High
Characteristics: The worm uses the Outlook e-mail application to spread. LoveLetter is also an overwriting VBS virus, and it spreads itself using mIRC client as well. The LoveLetter worm is a VBS script, that propagates itself using Microsoft Outlook and mIRC.
Description:
Once executed this computer worm modifies the registry and drops files for it to spread. It replicates via Microsoft Outlook by sending an email with an attachment file “LOVE-LETTER-FOR-YOU.TXT.vbs” to all email addresses listed in the address list. It also propagates using mIRC by modifying the “script.ini.” After connecting to a chat server using mIRC, the virus initiates a DCC send to all the users in the current channel and sends a copy of itself. It is also capable of infecting files with the following extensions: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, and mp2.
The message that it sends will be as follows:
Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Infection:
Once executed, this virus drops the following files:
<root>:\windows\Win32DLL.vbs
<root>:\windows\system\MSKernel32.vbs
<root>:\windows\system\LOVE-LETTER-FOR-YOU.TXT.vbs.
It also modifies the following registry entries so that the virus is run each time Windows starts up:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32, <root>:\windows\system\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL, <root>:\windows\Win32DLL.vbs
Payload:
It searches for a file named WinFAT32.exe in the <root>:\windows\system folder. If the file exists, then it modifies Internet Explorer’s startup page with one of the following sites:
It also searches for a file named WIN-BUGSFIX.exe in the <root>:\windows\system folder. If the file does not exist, then it modifies Internet Explorer’s startup page with “about:blank” page and modifies the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX, \WIN-BUGSFIX.exe
**********************************
[This message has been edited by MadMatt (edited 05-04-2000).]
jpeppers
05-04-2000, 07:16 AM
Just hit us here at work! Exchange servers are down for at least two hours.
Watch it folks!
nilknarf
05-04-2000, 07:23 AM
I know of at least one company in the U.S. which was probably hit.
It came in through e-mail and got into all of their servers worldwide!
We're checking our systems now.
Yep, it is serious...
http://news.bbc.co.uk/hi/english/uk/newsid_736000/736080.stm
Stan
Toadman
05-04-2000, 07:53 AM
Yep.. we all got it here. West coast is coming in to work and it's hitting hard...
Anakhonda
05-04-2000, 08:00 AM
I work for a large company in Cincinnati, OH and we just got hit with it this morning...
More annoying than troublesome at this point....
[This message has been edited by Anakhonda (edited 05-04-2000).]
CocoPops
05-04-2000, 08:19 AM
So I guess my warning above helped some out then?
Lee.
jpeppers
05-04-2000, 09:05 AM
Is anyone even close to a fix yet?
I just got a copy of it - deleted it without opening -
strange thing is - I can't get to http://www.symantec.com to get any norton anti-v definitions..... anyone else having that problem?
MadMatt
05-04-2000, 09:17 AM
I think McAfee has a fix up, but (as usual) Symantec is lagging. And, yeah, their site is swamped.
Toadman
05-04-2000, 09:19 AM
Server overload at Symantec. McAfee has an inoculation for it already.
jpeppers
05-04-2000, 09:23 AM
Anybody got that link?
Dave_H
05-04-2000, 09:28 AM
I checked Symantec thru the "live update" and there are no new definitions available.
(as of the time of this post).
Dave
This is not a Hoax
There is a Melissa type virus infecting networks around the world with a
subject of "I LOVE YOU". Immediately delete the file and make sure NOT to
open the Attachment. Doing so sends the e-mail to everyone in your Name
and Address Book. It also will replicate the virus onto any JPG and MP3
file, and will corrupt DLL's like MSKernel32 and Win32DLL.
nilknarf
05-04-2000, 02:11 PM
You can now get the fix from the Symantec FTP site. I think their website is still swamped, so try the FTP site at
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/
This is where I download my definitions from. You may need to switch directories depending on location and language.
[This message has been edited by nilknarf (edited 05-04-2000).]
Sharpy
05-04-2000, 02:47 PM
Ok I know this is serious but seeing how this virus affects MP3's wouldn't Metallica's Revenge have been a better name? ;)
More Info- http://www.f-secure.com/v-descs/love.htm
Another Fix- http://www.drsolomons.com/home/home.cfm
MadMatt
05-05-2000, 12:35 AM
McAfee fix: http://download.mcafee.com/extrafiles/love-4.zip
Symantec's site is still hosed. Sure hope nobody has their nest egg invested in that stock....
Conspiracy theory:
a few days before UCITA was passed, several DDOS attacks against prestigious US sites
a few days before the UK RIP (covert electronic surveillance, mandatory disclosure of encryption keys) Bill gets a reading in parliament, VB worm hoses government mail servers across Europe
The truth is out there
U-96
PS Sharpy I like the Metallica theory! However as the files targeted were mp3 (pirated music) and jpg (porn), I think Tipper Gore knows more than she is letting on ;) Parental Advisory! Unclean file!
pickel
05-05-2000, 02:13 PM
Why don't you guys do like I did, Delete IO and Outlook, then you won't have to worry about catching a virus, at least in those applications. There are a lot of other email services. With all the bad mouthing of Microsoft and all the problems with Outlook, I can't understand why anyone would use them.
the pickel
Toadman
05-05-2000, 02:42 PM
lol Pickel, tell that to thousands of I.S. VP's in the country who swore a blood allegiance to Mr Gates and Company.. ;)
I heard it was tracked at the PI (Philippines). They assume it's a 15 year old by the FBI. I got this information from MSN.
pickel
05-06-2000, 05:57 AM
What's happenin' Toadman??? Yeah, once bitten, twice bitten, those fools will never learn.
And it's amazing how many people don't even realize about anti-virus software or are too cheap to buy and install it. Let them suffer.
How many times have the "Screensavers" emphasised keep your anti-virus software up to date and NEVER open email attachments!!!!!
Even from a friend, unless you verify that it was actually sent by them. Have a good one
the pickel
Susan
05-08-2000, 10:52 AM
And just so you all know...the I Love You Virus is now being masked under a new e-mail that's out.
The Subject Reads: Joke
And the Attached File is called: Very Funny.vbs
nilknarf
05-08-2000, 11:26 AM
That one is old news.
Here is the up to date listing:
Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Subject: Susitikim shi vakara kavos puodukui...
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Subject: fwd: Joke
Attachment: Very Funny.vbs
Subject: Mothers Day Order Confirmation
Body: We have proceeded to charge your credit card for the
amount of $326.92 for the mothers day diamond special.
We have attached a detailed invoice to this email.
Please print out the attachment and keep it in a safe
place. Thanks Again and Have a Happy Mothers Day!
mothersday@subdimension.com
Attachment: mothersday.vbs
Subject: Dangerous Virus Warning
Body: There is a dangerous virus circulating. Please click
attached picture to view it and learn to avoid it.
Attachment: virus_warning.jpg.vbs
Subject: Virus ALERT!!!
From: support@symantec.com
Body: Dear Symantec customer,
Symantec's AntiVirus Research Center began receiving
reports regarding VBS.LoveLetter.A virus early morning on
May 4, 2000 GMT.
This worm appears to originate from the Asia Pacific
region. Distribution of the virus is widespread and
hundreds of thousands of machines are reported infected.
The VBS.LoveLetter.A is an Internet worm that uses
Microsoft Outlook to e-mail itself as an attachment.
The subject line of the e-mail reads ILOVEYOU, with the
attachment titled LOVE-LETTER-FOR-YOU.TXT.VBS. Once the
attachment is opened, the virus replicates and sends an
e-mail to all e-mail addresses listed in the address book.
The virus also spreads itself via Internet relay chat and
infects files on local and remote drives including files
with extensions vbs, vbe, js, sje, css, wsh, sct, hta, jpg,
jpeg, mp3, mp2.
Users should exercise caution when opening e-mails with
this subject line, even if the e-mail is from someone they
know, as that is how the virus is spread.
Symantec Corp. today announced availability of the virus
definition to detect, repair and protect users against the
VBS.LoveLetter.A virus.
This definition is available now via Symantec's LiveUpdate
and can also be downloaded from the following web sites:
http://www.symantecstore.com/AF74211/promo/loveletter
http://www.digitalriver.com/symantec
Also as a quick solution Symantec Corp. offers Visual Basic
Script to protect your PC against this worm. (See
attached.)
Note! When executed, this script will protect Your PC from
being INFECTED by VBS.LoveLetter.A virus.
To cure already infected PC's download Norton Antivirus
Updates mentioned above.
Symantec Corporation - a world leader in internet security technology.
Attachment: protect.vbs
Subject: Important ! Read carefully !!
Body: Check the attached IMPORTANT coming from me !
Attachment: IMPORTANT.TXT.vbs
Subject: How to protect yourself from the IL0VEY0U bug!
Body: Here's the easy way to fix the love virus.
Attachment: Virus-Protection-Instructions.vbs
Subject: Thank You For Flying With Arab Airlines
Body: Please check if the bill is correct, by opening the
attached file.
Attachment: ArabAir.TXT.vbs
You can get all the details about the virus at http://www.f-secure.com/v-descs/love.htm
Several of the new variants are nasty when it comes to the files they delete.
The Mother's Day version deletes .ini and .bat files.
The one that appears to come from Symantec deletes .com and .bat files.
The Arab Airlines one will delete .exe and .dll files, and will hide .sys files.
Anyone that knows much about computers knows that no PC can function without these system files. So beware!!!
[This message has been edited by nilknarf (edited 05-08-2000).]
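Every lure in the listing above carries an attachment whose real (last) extension is a Windows Script Host type, often hidden behind a decoy such as .TXT or .jpg. The following mail-triage check is an added example, not part of the original thread; the extension sets, function names and the constructed sample message are assumptions chosen for illustration.

```python
from email.message import EmailMessage

# Assumption: script types that run on double-click under Windows Script Host / mshta.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "sct", "hta"}
# Assumption: harmless-looking types used as the visible decoy extension.
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "doc", "pdf", "mp3"}

def classify(filename):
    """Return 'double-extension-script', 'script' or 'ok' for one attachment name."""
    # Keep only the base name, whichever path separator the sender used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so "x.vbs. " still runs as .vbs.
    name = name.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension-script"
    return "script"

def triage(msg):
    """Return (filename, verdict) for every attachment that should be blocked."""
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        verdict = classify(fname)
        if verdict != "ok":
            hits.append((fname, verdict))
    return hits

def build_sample(subject, attachment_name):
    """Constructed test message; the attachment body is a harmless placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg

if __name__ == "__main__":
    # Subjects and attachment names taken from the listing in this thread,
    # plus one constructed benign message.
    for subj, att in [("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                      ("fwd: Joke", "Very Funny.vbs"),
                      ("Dangerous Virus Warning", "virus_warning.jpg.vbs"),
                      ("Quarterly report", "report.v1.txt")]:
        print(subj, "->", triage(build_sample(subj, att)))
```

Matching on the final extension rather than the subject line is what keeps this check working as new variants change their subjects and bodies.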
alpha
05-08-2000, 01:11 PM
Ok the Virus has hit my Dad's server and network hard. The "so called IT manager" claimed that the virus only modified image files (just shows how ******g stupid she is) and they were actually stupid enough to open the ******g thing!!! Apparently, it's completely ****ed the webpage I designed for them (the copy on the HDD). They have another convenient little Virus which Randomly inserts "Triple Word Score - 20points" into Documents in Word. These people are so ******* stupid and should all be sacked!! [/rant]
nilknarf
05-10-2000, 10:43 AM
F-Secure is now listing variants A-W !
I guess the copycats are still going strong.
For details go to
http://www.f-secure.com/v-descs/love.htm