USGenWeb-NW-L Archives


From: "Lynn" <>
Subject: [USGenWeb-NW] Fw: VBS/LoveLet-A Virus Alert
Date: Thu, 4 May 2000 16:39:21 -0500


This came from my ISP, and I have their permission to forward it to any and
all lists!!
This contains an easy check to see if you are infected, and step by step
instructions on how to remove it if you are!!
Lynn

-----Original Message-----
From: System Manager <>
To: <>
Date: Thursday, May 04, 2000 1:38 PM
Subject: VBS/LoveLet-A Virus Alert


>Dear friends and customers,
>
>It has come to our attention at Internet Nebraska that a new virus exists
>called VBS/LoveLetter. This virus spreads itself as an email chain letter, and
>is very quick to proliferate itself. The virus spreads through the
>Microsoft Outlook email client and the mIRC Internet relay chat client.
>An infected person will automatically send the virus to everyone in
>their email address book.
>
>We are doing what we can to disallow entry of this virus onto our system.
>Those of you unfortunate enough to have already downloaded a copy should
>do the following:
>
>o If you have not run the attached file, delete the message immediately;
>
>o If you have run it, follow these steps to remove it:
>
>1. If Outlook is running, turn it off now! There is still a chance
>that the messages in your Outbox were not sent yet. Unplug your
>network adapter/modem to ensure that you cannot accidentally
>connect, open Outlook again, and delete all entries from your
>Outbox.
>
>2. Close Outlook.
>
>3. Run regedit.exe (Click Start->Run, enter 'regedit' and click OK).
>
>4. Go to HKEY_CURRENT_USER->Software->Microsoft->Windows Script
>Host->Settings. If there is an entry for Timeout, delete it. I did
>not have this, but the source code looks like it may exist.
>
>5. Go to HKEY_CURRENT_USER->Software->Microsoft->Internet
>Explorer->Main. Scroll down until you see an entry for Start Page.
>Double click on it, and edit it so it reflects the correct start
>page (Such as http://www.inebraska.com).
>
>6. Go to
>HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->
>Run. Delete the entry for MSKernel32.
>
>7. Go to
>HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->
>RunServices. Delete the entry for Win32DLL.
>
>8. Go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. If there
>is an entry for WIN-BUGSFIX, delete it.
>
>9. Go to
>HKEY_CURRENT_USER->Software->Microsoft->Windows->CurrentVersion->
>Explorer->Doc Find Spec MRU. This entry contains all of the most
>recently used files. It would be a good idea to delete all of the
>entries.
>
>10. Open Windows Explorer (Start->Programs->Windows Explorer). Go to
>c:\windows\system (or c:\winnt\system32) and delete
>MSKernel32.vbs, LOVE-LETTER-FOR-YOU.HTM, and
>LOVE-LETTER-FOR-YOU.TXT.vbs. Also, delete Win32DLL.vbs from the
>Windows directory.
>
>11. This is the most painful part. This virus replaces every file with
>the following file extensions: vbs, vbe, js, jse, css, wsh, sct,
>hta, jpg, jpeg, mp3, mp2. You can't get the files back, but you
>can at least delete them pretty easily. Do a search for all files
>with the .vbs or .vbe extension (Start->Find and enter '*.vbs
>*.vbe' in the Named field, then click Find Now). Select all of the
>results, and hit delete.
>
>12. Finally, you will need to do a search for a couple of other misc.
>files that may be on your machine now. Search for WIN-BUGSFIX.exe
>or WIN_BUGSFIX-32.exe (if you opened Internet Explorer after
>getting the bug), script.ini (if you use mIRC), and possibly
>WinFAT32.exe. If you have any of these two files, delete them.
>
>13. When all of the files are deleted, it would be a good idea to
>empty your recycle bin.
>
>Aside from adding several keys to the Windows registry, the virus
>changes Internet Explorer's default home page to a local file called
>WIN-BUGSFIX.exe which causes that file to be run when Internet Explorer
>is started. This virus is classified as a trojan horse, and can easily
>be identified in your incoming email by the following:
>
>Subject: ILOVEYOU
>Body: kindly check the attached LOVELETTER coming from me.
>Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
>
>The worm also creates an HTML file, "LOVE-LETTER-FOR-YOU.HTM", in the
>Windows System directory. This file contains the worm, and it will be sent
>using mIRC whenever the user joins an IRC channel.
>
>The virus then searches for certain file types on all folders on all local
>and remote drives and overwrites them with its own code. The files that are
>overwritten have either "vbs" or "vbe" extension.
>
>For the files with the following extensions: ".js", ".jse", ".css", ".wsh",
>".sct" and ".hta", the virus will create a new file with the same name, but
>using the extension ".vbs". The original file will be deleted.
>
>Next, the virus locates files with ".jpg", ".jpeg", ".mp3" or ".mp2",
>adds a new file next to it and deletes the original file. For example, a
>picture named "pic.jpg" will cause a new file called "pic.jpg.vbs"
>to be created.
>
>LoveLetter was found globally in-the-wild on May 4th, 2000. It looks like the
>virus is of Philippine origin.
>--
>Internet Nebraska System Manager -
>0019
>
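
A scripted version of the file and autostart checks from the forwarded alert, added here as an example; it is not part of the original e-mail or the ISP's instructions. The function names are hypothetical, the directory tree built in `demo()` is constructed sample data, and autostart value names are passed in as a list rather than read from the live registry.

```python
import os
import tempfile

# File names listed in the alert's removal steps (matched case-insensitively).
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.htm",
           "love-letter-for-you.txt.vbs", "win-bugsfix.exe",
           "win_bugsfix-32.exe", "winfat32.exe"}
# Per the alert, these types get a ".vbs" file beside them and are deleted.
MEDIA = (".jpg", ".jpeg", ".mp3", ".mp2")
# Autostart value names the alert says to delete from Run / RunServices.
RUN_VALUES = {"mskernel32", "win32dll", "win-bugsfix"}

def classify(filename):
    """Return a finding label for one file name, or None if it looks clean."""
    name = filename.lower()
    if name in DROPPED:
        return "dropped-file"
    stem, ext = os.path.splitext(name)
    if ext == ".vbs" and stem.endswith(MEDIA):
        return "media-replaced"
    return None

def scan_tree(root):
    """Walk root and return sorted (relative_path, label) findings."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for f in files:
            label = classify(f)
            if label:
                rel = os.path.relpath(os.path.join(folder, f), root)
                findings.append((rel.replace(os.sep, "/"), label))
    return sorted(findings)

def flag_run_values(value_names):
    """Return the autostart value names that match the alert's list."""
    return sorted(v for v in value_names if v.lower() in RUN_VALUES)

def demo():
    """Build a constructed directory tree and scan it (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system"))
        for rel in ("system/MSKernel32.vbs", "pic.jpg.vbs", "notes.txt",
                    "report.vbs", "song.MP3.vbs"):
            open(os.path.join(root, rel), "w").close()
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
    print(flag_run_values(["MSKernel32", "SystemTray", "Win32DLL"]))
```

A plain `.vbs` or `.vbe` file such as `report.vbs` is not flagged by name, because the alert describes those files as overwritten in place; they still need the manual search from step 11.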
