SOUTHBOROUGH, MASS. (05/05/2000) - Passing unnoticed through corporate firewalls as an e-mail attachment, the so-called "I Love You" virus has deleted critical systems files and infected others around the globe.
One victim had hundreds of file names appended with a ".vbs" extension. Another victim's system was infected when accessing a server that had been previously infected.
According to Symantec Corp.'s Antivirus Research Center, the "VBS.LoveLetter.A" is an extremely fast-spreading computer virus, known as a worm, that uses mIRC and Microsoft Outlook to e-mail itself as an attachment.
Symantec's engineers report that VBS.LoveLetter.A appears as an attachment with the subject line "ILOVEYOU" along with an attachment called "LOVE-LETTER-FOR-YOU.TXT.vbs."
Tips on eradicating the virus
From Symantec: The quick fix for now is for network or e-mail administrators to set a filter for the attachment name (LOVE-LETTER-FOR-YOU.TXT.vbs) and subject line (ILOVEYOU) immediately.
From a user suggestion: Reboot the infected PC and roll back to a previous version of the Windows registry. ITworld.com has step-by-step instructions for rolling back the registry (see sidebar below).
Various antivirus vendors including Symantec, McAfee and Panda Software all are set to post remedies to their Web sites.
The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University in Pittsburgh said that it had received more than 150 reports of the virus as of 10 a.m. yesterday. Experienced managers at CERT said this is an unusually high number of reports for an e-mail virus.
The following information was obtained from the U.S. Military:
VBS/LoveLetter is a VBScript worm. It spreads thru e-mail as a chain letter.
The worm uses the Outlook e-mail application to spread. LoveLetter is also a overwriting VBS virus, and it spreads itself using mIRC client as well. When it is executed, it first copies itself to Windows System directory as:
MSKernel32.vbs
LOVE-LETTER-FOR-YOU.TXT.vbs
and to Windows directory:
Win32DLL.vbs
Then it adds itself to registry, so it will be executed when the system is restarted. The registry keys that it adds are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLLNext the worm replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe." If the file is downloaded, the worm adds this to registry as well; causing that the program will be executed when the system is restarted.
After that, the worm creates a HTML file, "LOVE-LETTER-FOR-YOU.HTM," to the Windows System directory. This file contains the worm, and it will be sent using mIRC whenever the user joins an IRC channel. Then the worm will use Outlook to mass mail itself to everyone in each address book. The message that it sends will be as follows:
Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
LoveLetter sends the mail once to each recipient. After a mail has been sent, it adds a marker to the registry and does not mass mail itself any more.
The virus then searches for certain filetypes on all folders on all local and remote drives and overwrites them with its own code. The files that are overwritten have one of these extensions: ".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta".
The virus also tries to use companion techniques, adding a secondary file next to existing file - hoping that the user will click on the wrong file. This is done so that the virus locates files with jpg, jpeg, mp3 and mp2 and adds a new file next to it. For example, a picture named "pic.jpg" will cause a new file called "pic.jpg.vbs" to be created.
ERADICATE THE LOVE BUG
How to restore a previous registry version One method for eliminating some of the damage that can be caused by the "ILOVEYOU" virus is to go back to a time before a computer was infected. This can sometimes be accomplished by restoring a previous version of the Windows registry. Fortunately, Windows keeps several copies of the registry and rolling a system back to any one of those is very simple. Just follow these few steps.
To restore a previous Windows Registry on systems running Windows 98Reboot the computer.
As the boot process begins, hold down the Control key (Ctrl).
When the boot-up menu appears, select option 5, "Command Prompt Only."
When the C:> prompt appears, type "scanreg" and press the Enter key. This invokes the scanreg utility program.
Scan the current registry.
Choose the "View backups" option to display a list of recent backups of the Windows registry.
Scroll and highlight the version of the registry you wish to restore from.
Choose "restore."
When the restore process is complete, the scanreg utility displays a dialog box with the title "You have restored a good registry."
Choose "Restart" to reboot the computer with the selected registry version.
Editor's note: This process will not eliminate all problems, such as appending the file extension .vbs to existing files. But it should, in most instances, allow the system to be rebooted cleanly.
Disclaimer: ITworld.com Inc. cannot and does not assume responsibility for any loss resulting from use of this procedure. Any process that involves the Windows registry should be undertaken only by IT professionals with experience in this technical discipline.
For additional help, visit ITworld.com's Expert Advice, the Web's meeting place where IT professionals go to get expert answers to technical questions.
(Joel Shore is the Editor of ITworld.com.)