TCLUG Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [TCLUG:17218] IHATEYOU
Here is what I have found in passing so far...
===========================================================================
> http://www.thepope.org/index.pl?node_id=140
===========================================================================
Here is the another suggestion from TrendMicro
(http://www.trendmicro.com). if you seeking for a solution
to remove LoveLetter
1.Click START|RUN
Type REGEDIT and hit ENTER key
2.In the left panel, click the "+" to the left of the following:
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
Run
3.In the right panel, search for the registry key that contains the data
value of ?:\Windows\System\MSKernel32.vbs" and ?\WIN-BUGSFIX.exe?.
These are the registry keys that grant the capability to load the worm
whenever Windows starts up.
4.In the right window, highlight the registry key that loads the file
and
press the DELETE key. Answer YES to delete the entry.
5.Search for the registry key that contains the data value
of ?:\Windows\System\ Win32DLL.vbs". This is the registry key that
enables the worm to run each time Windows is started.
6.In the right window, highlight the registry key that loads the file
and press
the DELETE key. Answer YES to delete the entry.
7.Exit the registry.
8.Click START|SHUTDOWN. Choose "Restart in MS-DOS mode" and click OK.
9.After the computer has restarted, the default directory should C:\.
10.Subsequently, type ?DEL WIN-BUGSFIX.exe?.
11.Press CTRL+ALT+DEL and allow Windows to restart.
12.You may also delete the file detected as VBS_LOVELETTER by Trend
antivirus
is to ensure re-infection does not occur.
===========================================================================
----------- From F-Secure Virus Information-----------------------
VBS/LoveLetter is a VBScript worm. It spreads thru email as a
chain letter.
The worm uses the Outlook e-mail application to spread.
LoveLetter is also a overwriting VBS virus, and it spreads itself
using mIRC client as well.
When it is executed, it first copies itself to Windows System
directory as:
- MSKernel32.vbs
- LOVE-LETTER-FOR-YOU.TXT.vbs
and to Windows directory:
- Win32DLL.vbs
Then it adds itself to registry, so it will be executed when the
system is restarted. The registry keys that it adds are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVers
ion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVers
ion\RunServices\Win32DLL
Next the worm replaces the Internet Explorer home page with a link
that points to an executable program "WIN-BUGSFIX.exe". If the
file is downloaded, the worm adds this to registry as well; causing
that the program will be executed when the system is restarted.
After that, the worm creates a HTML file, "LOVE-LETTER-FOR-
YOU.HTM", to the Windows System directory. This file contains
the worm, and it will be sent using mIRC whenever the user joins
an IRC channel.
Then the worm will use Outlook to mass mail itself to everyone in
each address book. The message that it sends will be as follows:
Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from
me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
LoveLetter sends the mail once to each recipient. After a mail has
been sent, it adds a marker to the registry and does not mas s
mail itself any more.
The virus then searches for certain filetypes on all folders on all
local and remote drives and overwrites them with its own code. The
files that are overwritten have either "vbs" or "vbe" extension.
For the files with the following extensions: ".js", ".jse", ".css",
".wsh", ".sct" and ".hta", the virus will create a new file with the
same name, but using the extension ".vbs". The original file will be
deleted.
Next the the virus locates files with ".jpg", ".jpeg", ".mp3" or
".mp2", adds a new file next to it and deletes the original file.
For example, a picture named "pic.jpg" will cause a new file called
"pic.jpg.vbs" to be created.
LoveLetter was found globally in-the-wild on May 4th, 2000. It looks
like the virus is Philippine origin. At the beginning of the code, the
virus contains the following text:
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group
/ Manila,Philippines
[Analysis: Katrin Tocheva, Mikko Hypponen and Sami
Rautiainen, F-Secure]
===========================================================================
===========================================================================
Bob Tanner wrote:
>
> Sorry, since many of you are probably filtering on the ILOVEYOU, I hate to
> change the subject.
>
> PLEASE don't flame me on this. :-)
>
> Anyone able to get to any of the anti-virus manufacturer's websites to grab
> the ILOVEYOU fix?
>
> I know it's not linux related. Sorry.
>
> --
> Bob Tanner <tanner@real-time.com> | Phone : (612)943-8700
> http://www.real-time.com | Fax : (612)943-8500
> Key fingerprint = 6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tclug-list-unsubscribe@mn-linux.org
> For additional commands, e-mail: tclug-list-help@mn-linux.org
--
<a href="http://umn.edu/~john1536">Troy Johnson</a>
A cop stopped me for speeding. He said, 'Why were you going so
fast?' I said, 'See this thing my foot is on? It's called an
accelerator. When you push down on it, it sends more gas to the
engine. The whole car just takes right off. And see this thing?
This steers it'
-- Stephen Wright
- References:
- IHATEYOU
- From: Bob Tanner <tanner@real-time.com>