MOTM

Usually I do not condone people sending "alert" type emails, however being
a network administator for a company who's entire network was just crippled
by this virus, I feel the need to alert everyone I know. If you recieve an
email from ANYONE with I LOVE YOU in the subject or with a file attached
called LOVE LETTER FOR YOU.vbs, DO NOT OPEN IT!!! The file is a VB Script
which will damage your windows registry and redistribute the email to
everyone in your address book. As of 12:30EST AVERT has yet to find a fix
for this virus, and no Antivirus software will catch it! Stay safe! -Nate


Of course, those of you using Solaris, SGI, LINUX, UNIX or Mac systems
don't need to worry, this virus is only made to attack Win32 (Windows 95,
98, NT & 2000) systems.

THIS IS INAPPROPRIATE FOR THIS MAILING LIST!!!!!!!!!!!!!!!!!
YOU ARE WASTING MY TIME AND MANY OTHER PEOPLE'S TIME!!!!!!!!
QUIT SENDING ANY VIRUS-RELATED MESSAGES IMMEDIATELY!!!!!!!!!
--Todd

> -----Original Message-----
> From: Nathan Hunsicker [mailto:nate@...]
> Sent: Thursday, May 04, 2000 12:34 PM
> To: motm@egroups.com
> Subject: [motm] Watch out for the I LOVE YOU virus
>
>
> Usually I do not condone people sending "alert" type emails, however being
> a network administator for a company who's entire network was
> just crippled
> by this virus, I feel the need to alert everyone I know. If you recieve an
> email from ANYONE with I LOVE YOU in the subject or with a file attached
> called LOVE LETTER FOR YOU.vbs, DO NOT OPEN IT!!! The file is a VB Script
> which will damage your windows registry and redistribute the email to
> everyone in your address book. As of 12:30EST AVERT has yet to find a fix
> for this virus, and no Antivirus software will catch it! Stay safe! -Nate
>
>
> Of course, those of you using Solaris, SGI, LINUX, UNIX or Mac systems
> don't need to worry, this virus is only made to attack Win32 (Windows 95,
> 98, NT & 2000) systems.
>
>
>
> ------------------------------------------------------------------------
> You have a voice mail message waiting for you at iHello.com:
> http://click.egroups.com/1/3555/3/_/529958/_/957458212/
> ------------------------------------------------------------------------
>
>
>

I got slammed with this today.  About 29,000 people in my Exchange 
organization, all sending this thing around.

Steve

Here is a "fix" that infosec put out:

Manual Clean Before Reboot: 
In the Windows directory (C:\WINDOWS or C:\WINNT): delete the Win32DLL.vbs file
In the Windows System directory (e.g. C:\WINNT\SYSTEM32): delete the 
MSKernel32.vbs file
in c:\Windows directory (e.g. WINNT) delete \SYSTEM32\LOVE-LETTER-FOR-
YOU.TXT.vbs
in c:\Windows directory (e.g. WINNT) delete \SYSTEM32\LOVE-LETTER-FOR-YOU.HTM

In the Registry delete these keys: 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DL
L

Then reboot your system. Now the worm should no longer be active...

Manual Clean After Reboot: 
In the Windows directory (C:\WINDOWS or C:\WINNT): delete the Win32DLL.vbs file
in c:\Windows directory (e.g. WINNT) delete \SYSTEM32\LOVE-LETTER-FOR-
YOU.TXT.vbs
in c:\Windows directory (e.g. WINNT) delete \SYSTEM32\LOVE-LETTER-FOR-YOU.HTM

In the Registry delete these keys: 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DL
L

Then reboot your system. 
Then In the Windows System directory (e.g. C:\WINNT\SYSTEM32): delete the 
MSKernel32.vbs file

Now the worm should no longer be active...



Quoting Hugo Haesaert <hugo.haesaert@...>:

> Hi All !
> 
> On telly news i saw a webpage that likened this virus to the clarissa 
> virus .  It is my understanding that if this is the case, only people 
> that use Outlook express or other MS mail software are concerned . ;^P
> 
> True or false ?
> 
> Steve, i searched, but could not find :
> 
> >start/settings/add new software/accessories
> 
> More info would be welcome, i'm somewhat windoze-challenged at times 
> ;-)
> 
> Thanks .
> 
> 
> Keep 'em oscillating :)
> 
> 
> Hugo
> =
>

One thing you must be careful of, even if you do remove the worm. after a
reboot the worm will download a file from a server in the philippinescalled
WIN-BUGFIX.EXE, this file is another worm used to collect IP and password
data from your computer and email it back to the creator of this worm. This
is similar but not the same as the clarissa virus, And users of Lotus Notes
and other non MS mail programs still have to worry about the other effects.
-Nate

>
>Hi All !
>
>
>
>On telly news i saw a webpage that likened this virus to the clarissa
>
>virus .  It is my understanding that if this is the case, only people
>
>that use Outlook express or other MS mail software are concerned . ;^P
>
>
>
>True or false ?
>
>
>
>Steve, i searched, but could not find :
>
>
>
>>start/settings/add new software/accessories
>
>
>
>More info would be welcome, i'm somewhat windoze-challenged at times
>
>;-)
>
>
>
>Thanks .
>
>
>
>
>
>Keep 'em oscillating :)
>
>
>
>
>
>Hugo
>
>=
>
>
>
>

Hi All !

On telly news i saw a webpage that likened this virus to the clarissa 
virus .  It is my understanding that if this is the case, only people 
that use Outlook express or other MS mail software are concerned . ;^P

True or false ?

Steve, i searched, but could not find :

>start/settings/add new software/accessories

More info would be welcome, i'm somewhat windoze-challenged at times 
;-)

Thanks .


Keep 'em oscillating :)


Hugo
=

I know this is the MOTM list, but please bear with those of us who are 
destroyed by this crap.  There is a GREAT page on the cleanup at: 
http://www.thepope.org/index.pl?node_id=140

So far only a few instances of actual infection here, however this cleanup 
procedure contained EXACTLY what we found on infected machines.

HTH
Steve

> One thing you must be careful of, even if you do remove the worm. after a
> reboot the worm will download a file from a server in the philippinescalled
> WIN-BUGFIX.EXE, this file is another worm used to collect IP and password
> data from your computer and email it back to the creator of this worm. This
> is similar but not the same as the clarissa virus, And users of Lotus Notes
> and other non MS mail programs still have to worry about the other effects.
> -Nate
>