Data Doctors
Recycle your Computers & Technology with us.

Virus Alert Update! Latest info on the LoveBug worm/virus outbreak!

Posted By : of Data Doctors on May 5, 2000

Follow us on Facebook   Follow us on Twitter   Follow us on LinkedIn

Let Data Doctors be your personal IT department today

Book an Appointment

Virus Alert!!! ILOVEYOU VBS worm/virus spreading quickly! (5/4/2000)

This question was answered on May 5, 2000. Much of the information contained herein may have changed since posting.

UPDATED 7:00pm PST 5/4/2000 - A Copycat virus of the LoveBug a.k.a ILOVEYOU worm has been found It has "Joke" in the subject line and the attached file is called "Very Funny.vbs" In all other ways it is the same as the ILOVEYOU strain..

<a href="http://www.computerproblems.com/answer.cfm?AnswerID=9601&QuestionID=9663&CatID=41"><font color="#003399">>(click here for the latest copycats)</font></a>

----------------------------------------------------------------------

A new variation of the VBS family of worm/virus has been spreading at an alarming rate Infections started in Asia and Europe yesterday and is expected to hit the U.S today.

The basics of this strain as we know it at this point are as follows:

Affected Operating Systems: Windows 95/NT/98/2000

Affected E-mail programs: Outlook and Outlook Express

Possible Carriers: Any E-mail program can be a carrier

The infected file is an attached file named "LOVE-LETTER-FOR-YOU.TXT.vbs."

If you receive any messages from anyone, including people you trust, DO NOT OPEN THE ATTACHMENT! If you have already opened the file, do not use your e-mail program until you have disinfected your system Check the website for your anti-virus program to see if an update has been posted for this strain.

If you have nothing protecting your system, you can get an evaluation version of Dr Soloman that has the patch for this virus at:

<a href="http://chkpt.zdnet.com/chkpt/zdnnrla/www.zdnet.co.uk/software/specials/2000/05/iloveyou/"><font color="#003399">http://chkpt.zdnet.com/chkpt/zdnnrla/www.zdnet.co.uk/software/specials/2000/05/iloveyou/</font></a>

BE SURE TO UNINSTALL ANY PREVIOUS ANTI-VIRUS PROGRAMS IF YOU PLAN TO CHANGE TO THE ABOVE (DR SOLOMON) PROGRAM!

===================================================================

According to McAfee this is what the virus does:

Virus Characteristics

This is a VBScript worm with virus qualities This worm will arrive in an email message with this format:

Subject "ILOVEYOU"

Message "kindly check the attached LOVELETTER coming from me."

Attachment "LOVE-LETTER-FOR-YOU.TXT.vbs"

If the user runs the attachment the worm runs using the Windows Scripting Host program This is not normally present on Windows 9x or Windows NT unless Internet Explorer 5 is installed.

When the worm is first run it drops copies of itself in the following places :

C:\WINDOWS\SYSTEM\MSKERNEL32.VBS

C:\WINDOWS\WIN32DLL.VBS

C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS

It also adds the registry keys :

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunMSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesWin32DLL=C:\WINDOWS\Win32DLL.vbs

in order to run the worm at system startup.

The worm replaces the following files:

*.JPG

*.JPEG

*.MP3

*.MP2

with copies of itself and it adds the extension .VBS to the original filename So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm.

The worm also overwrites the following files:

*.VBS

*.VBE

*.JS

*.JSE

*.CSS

*.WSH

*.SCT

*.HTA

with copies of itself and renames the files to *.VBS.

The worm creates a file "LOVE-LETTER-FOR-YOU.HTM" which contains the worm and this is then sent to the IRC channels if the mIRC client is installed This is accomplished by the worm replacing the file SCRIPT.INI.

After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address book The mails will be of the same format as the original mail.

This worm also has another trick up it's sleeve in that it tries to download and install an executable file called WIN-BUGSFIX.EXE from the Internet This exe file is a password stealing program that will email any cached passwords to the mail address [email protected]

In order to facilitate this download the worm sets the start-up page of Microsoft Internet Explorer to point to the web-page containing the password stealing trojan.

The email sent by this program is as follows :

-------------copy of email sent-----------

From: [email protected]: [email protected]

Subject: Barok.. email.passwords.sender.trojan

X-Mailer: Barok.. email.passwords.sender.

trojan---by: spyder

Host: [machine name]

Username: [user name]

IP Address: [victim IP address]

RAS Passwords:...[victim password info]

Cache Passwords:...[victim password info]

-------------copy of email sent-----------

The password stealing trojan is also installed via the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

to autorun at system startup After it has been run the password stealing trojan copies itself to WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunWinFAT32=WinFAT32.EXE

*******************************************************************

FROM thepope.org site

INSTRUCTIONS FOR MANUAL REMOVAL (FOR ADVANCED USERS ONLY!)

Close Outlook

Run regedit.exe (Click Start->Run, enter 'regedit' and click OK)

Go to HKEY_CURRENT_USER->Software->Microsoft->Windows Script Host->Settings If there is an entry for Timeout, delete it I did not have this, but the source code looks like it may exist

Go to HKEY_CURRENT_USER->Software->Microsoft->Internet Explorer->Main Scroll down until you see an entry for Start Page Double click on it, and edit it so it reflects the correct start page (Ideally slashdot.org or thepope.org :) )

Go to HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->Run Delete the entry for MSKernel32

Go to HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->RunServices Delete the entry for Win32DLL

Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run If there is an entry for WIN-BUGSFIX, delete it

Go to HKEY_CURRENT_USER->Software->Microsoft->Windows->CurrentVersion->Explorer->Doc Find Spec MRU This entry contains all of the most recently used files It would be a good idea to delete all of the entires

Open Windows Explorer (Start->Programs->Windows Explorer) Go to c:\windows\system (or c:\winnt\system32) and delete MSKernel32.vbs, LOVE-LETTER-FOR-YOU.HTM, and LOVE-LETTER-FOR-YOU.TXT.vbs Also, delete Win32DLL.vbs from the Windows directory

This is the most painful part This virus replaces every file with the following file extensions: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2 You can't get the files back, but you can at least delete them pretty easily

First a search for all files with the .vbs or .vbe extension and which containt the text "LOVEYOU" (Start->Find and enter '*.vbs *.vbe' in the Named field, enter "LOVEYOU" in the Containing Text field, then click Find Now) Select all of the results, and hit delete

Make sure you include "LOVEYOU" in the contained text field This will help prevent files that were not infected from getting deleted Now, you can go back and fix any files that were renamed, but not infected Do the exact same search, but do not include the "LOVEYOU" criteria You will see all (if any) files that were renamed but not infected Now you just need to start going through and rename all of the files to their original names (just remove the .vbs extension)

UpdateIt looks like mp3 files are merely marked as hidden, not completely deleted

Finally, you will need to do a search for a couple of other misc files that may be on your machine now Search for WIN-BUGSFIX.exe or WIN_BUGSFIX-32.exe (if you opened Internet Explorer after getting the bug) script.ini (if you use mIRC), and possibly WinFAT32.exe If you have any of these two files, delete them

When all of the files are deleted, it would be a good idea to empty your recycle bin.

About the author

Posted by of Data Doctors on May 5, 2000

Need Help with this Issue?

We help people with technology! It's what we do.
Contact or Schedule an Appointment with a location for help!

Free Help

Articles & Advice

Video News

Newsletter

Approved Software

Ask a Question
Call the Repair Hotline at

855-328-2362

Newsletter

Sign up for our newsletter and get free tips and tricks to keep your computer running great!

Start by entering your
Videos In the Press
Videos In the Press
Radio Tech Tips
Radio Tech Tips

For non-tech people, find tips from us on a station nearby!

Categories
Virus Alerts

Data Doctors
Newsletter

Subscribe Today

Customer Support Customer Support

Our customers are the most important part of our business and we empower our friendly, trained staff to spoil you. In addition, we have a dedicated Customer Support team standing by to help when needed.

If you're not satisfied, we're not done! We guarantee satisfaction.

365 Day Warranty 365 Day Warranty

We provide a 1 year warranty on new parts and computers we sell. We'll quickly diagnose and replace defective parts used during the original repair. Please keep in mind that this warranty does not cover damage you cause (such as broken screens) or water damage done to your device after the initial repair. Refurbished parts generally carry a 90 day warranty.

Satisfaction Guarantee Satisfaction Guarantee

We've been helping people with technology for nearly 30 years. We were fixing computers when break dancing was cool! We spend time with you at check-out to make sure it's exactly the way you want. Data Doctors sets the gold standard when it comes to customer satisfaction. That's why we've received more awards for customer service and satisfaction than anyone else in the business.

Book Appointment