MOTM

I got slammed with this today.  About 29,000 people in my Exchange 
organization, all sending this thing around.

Steve

Here is a "fix" that infosec put out:

Manual Clean Before Reboot: 
In the Windows directory (C:\WINDOWS or C:\WINNT): delete the Win32DLL.vbs file
In the Windows System directory (e.g. C:\WINNT\SYSTEM32): delete the 
MSKernel32.vbs file
in c:\Windows directory (e.g. WINNT) delete \SYSTEM32\LOVE-LETTER-FOR-
YOU.TXT.vbs
in c:\Windows directory (e.g. WINNT) delete \SYSTEM32\LOVE-LETTER-FOR-YOU.HTM

In the Registry delete these keys: 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DL
L

Then reboot your system. Now the worm should no longer be active...

Manual Clean After Reboot: 
In the Windows directory (C:\WINDOWS or C:\WINNT): delete the Win32DLL.vbs file
in c:\Windows directory (e.g. WINNT) delete \SYSTEM32\LOVE-LETTER-FOR-
YOU.TXT.vbs
in c:\Windows directory (e.g. WINNT) delete \SYSTEM32\LOVE-LETTER-FOR-YOU.HTM

In the Registry delete these keys: 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DL
L

Then reboot your system. 
Then In the Windows System directory (e.g. C:\WINNT\SYSTEM32): delete the 
MSKernel32.vbs file

Now the worm should no longer be active...



Quoting Hugo Haesaert <hugo.haesaert@...>:

> Hi All !
> 
> On telly news i saw a webpage that likened this virus to the clarissa 
> virus .  It is my understanding that if this is the case, only people 
> that use Outlook express or other MS mail software are concerned . ;^P
> 
> True or false ?
> 
> Steve, i searched, but could not find :
> 
> >start/settings/add new software/accessories
> 
> More info would be welcome, i'm somewhat windoze-challenged at times 
> ;-)
> 
> Thanks .
> 
> 
> Keep 'em oscillating :)
> 
> 
> Hugo
> =
>