This is the mail archive of the xsl-list@mulberrytech.com mailing list.
I LOVE YOU virus
- To: xsl-list at mulberrytech dot com
- Subject: I LOVE YOU virus
- From: "Betty L. Harvey" <harvey at eccnet dot eccnet dot com>
- Date: Thu, 4 May 2000 12:13:38 -1000 (HST)
- Reply-To: xsl-list at mulberrytech dot com
I have received the virus from at least 6 different sources
this morning. I have spoken to individuals from pretty
large organizations whose mail systems are currently
shut down because of it. I am attaching the CERT Alert.
CSRT ALERT VBS.LoveLet Vandal
A new VBScript worm vandal is circulating right now. It has already
infected tens of thousands of PCs around the world, all in a matter of
hours and has caused many mail servers to crash.
The vandal is called VBS.LoveLet (or VBS.ILoveYou.Worm).
The most important thing right now is not to open any e-mail with the
subject: "I love you" or "ILOVEYOU" or "love letter for you" or a variant
of that text.
The e-mail contains a VisualBasicScript named "LOVE-LETTER-FOR-YOU.vbs" that
arrives as an e-mail attachment. It can sometimes arrive with a TXT, JPG,
MP3 or other extensions as well (this is called "double extension") which
makes it look more innocent, however it is just as dangerous. This vandal
can also spread using mIRC chat programs.
The vandal activity:
1. Attempt to send itself to all the e-mails in the address book.
2. On Windows 98 machines it will attempt to download and execute a virus
   named "WIN-BUGSFIX.exe" from several web sites.
3. It will set the homepage of Internet Explorer to a blank page.
4. It will search all the connected drives and infect VBScript, JavaScript,
   JScript, and the following file types: vbs, vbe, js, jse, css, wsh, sct,
   hta.
5. It will search for all mp3, mp2, jpg, and jpeg files, create a VBS file
   with the infected file name and a VBS extension. For example, if it finds
   a file named mysong.mp3 it will create an infected file with the name
   mysong.mp3.vbs. If this file is run it will infect the system.
6. It will try to send an infected HTML file, named
   "LOVE-LETTER-FOR-YOU.htm" to mIRC clients.
Actions
1. Do not open an e-mail with the subject line: "ILoveYou", "ILOVEYOU" or
   "love letter for you". The body of the message will say "kindly check
   the attached LOVELETTER coming from me.".
2. If you suspect you were infected, search and delete the following files:
     MSKernel32.vbs
     Win32DLL.vbs
     LOVE-LETTER-FOR-YOU.vbs
     LOVE-LETTER-FOR-YOU.htm
     WinFAT32.exe in Windows download directory
     WIN-BUGSFIX.exe in Windows download directory
     script.ini in the mIRC
3. eSafe Gateway users should filter the attachment with "VBS" extensions.
   Also block mails with the subject lines "ILoveYou", "ILOVEYOU" or
   "love letter for you".
4. eSafe Enterprise and Desktop customers should download HOT Update that
   will be posted on www.esafe.com/update.html website.
Aladdin CSRT - Content Security Response Team
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
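
The gateway filtering the alert recommends (subject lines, "VBS" attachments, double extensions), sketched as an added example that is not part of the original post or of any eSafe product. The names check_message and build_sample are hypothetical, the sample messages are constructed, and the script-extension set is taken from the alert's file-type list with css left out.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.message import EmailMessage

# Subject phrases from the alert, compared with spaces/punctuation removed.
BLOCKED_SUBJECTS = {"iloveyou", "loveletterforyou"}
# "vbs" is the extension the alert says to filter; the others are script
# types from its list of infected file types (assumption: css is omitted).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}
# Harmless-looking extensions the alert says may precede the real one.
DECOY_EXTS = {"txt", "jpg", "jpeg", "mp3", "mp2"}

def check_message(raw):
    """Return the reasons to quarantine a raw RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    reasons = []
    # Decode RFC 2047 encoded-words so an encoded subject is still matched.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    norm = re.sub(r"[^a-z0-9]", "", subject.lower())
    if any(phrase in norm for phrase in BLOCKED_SUBJECTS):
        reasons.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so strip them first.
        pieces = name.lower().rstrip(". ").split(".")
        if len(pieces) >= 2 and pieces[-1] in SCRIPT_EXTS:
            reasons.append("script-attachment:" + name)
            if len(pieces) >= 3 and pieces[-2] in DECOY_EXTS:
                reasons.append("double-extension:" + name)
    return reasons

def build_sample(subject, filename):
    """Constructed test message with an inert placeholder attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    for subj, fname in [("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                        ("XSLT question", "mysong.mp3.vbs"),
                        ("XSLT question", "stylesheet.xsl")]:
        print(subj, fname, check_message(build_sample(subj, fname)))
```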