Love Bug Virus (READ THIS) #20897 05/04/00 09:41 PM
Joined: Mar 1999
Posts: 2,156
SThompson Offline OP
Administrator
.

[This message has been edited by SThompson (edited 10-25-2000).]

Re: Love Bug Virus (READ THIS) #20898 05/05/00 01:08 AM
Joined: Dec 1969
Posts: 7,088
mombo Offline
Saint
Thanks Sean. My daughter forwarded a message about this. Also it was on the TV news tonight.

Re: Love Bug Virus (READ THIS) #20899 05/05/00 01:18 AM
Joined: Dec 1969
Posts: 1,155
Rod Watson Offline
Saint
I had a copy sitting on my computer when I woke up this morning. Since I never open attachments unless I request one, I automatically deleted it. I then found out 15 minutes later about the bug. My "attachment policy" paid off once again!

Another Architect friend of mine had 3 copies on his computer this morning. This one spread like wildfire.
Rod Watson
Re: Love Bug Virus (READ THIS) #20900 05/05/00 01:25 AM
Joined: Sep 1999
Posts: 522
Rusty Offline
Super Wacko
Thanks for the info. Will keep a lookout for it.

Rusty

Re: Love Bug Virus (READ THIS) #20901 05/05/00 06:28 AM
Joined: Aug 1999
Posts: 1,129
Brent Offline
Member
CBS just reported that not only the words "ILOVEYOU" are infected, but also the word "JOKE" on the e-mail subject line. F.Y.I.


Brent
OBLHS Charter Member
Re: Love Bug Virus (READ THIS) #20902 05/05/00 07:33 AM
Joined: Jan 1999
Posts: 462
Robert M Dick Offline
Member
I understand that it is mutating at a fast rate.

Moby
Re: Love Bug Virus (READ THIS) #20903 05/05/00 08:05 AM
Joined: Apr 2000
Posts: 1,814
Torchbearer Offline
Member
Thanks Sean for the information. Unfortunately, as with many other organizations throughout the world, our computer system within our network was affected. It got into our system through e-mail sent to us from a company we deal with all the time (National Public Radio). Our e-mail address (www.bbnradio.org) was in their Microsoft Outlook contacts file. When they were infected, any addresses in their Outlook also received the virus. Then, our internal e-mail system was infected as well, very rapidly. Talk about a snowball effect!

Tim - Keeping the flame lit...

Re: Love Bug Virus (READ THIS) #20904 05/05/00 08:23 AM
Joined: Dec 1969
Posts: 12,331
Bob M Offline
Saint
Is it true that the ILOVEYOU Virus only comes through Microsoft Outlook? Does AOL screen these virus messages out when they attempt to go through their mail system? It seems every time there is an actual virus threat it always involves Microsoft Outlook. Is this true?

Bob

Re: Love Bug Virus (READ THIS) #20905 05/05/00 10:06 PM
Joined: Apr 2000
Posts: 1,037
TERRY BARFIELD Offline
Member
Bob, if that is true then it seems more like an indirect attack on Microsoft. I was working in an office in Charlotte when I first heard of it. It was also an architect's office; they in turn called another firm in Chapel Hill to warn them, but it was too late. I always knew the power of "love" was widespread. Terry

Re: Love Bug Virus (READ THIS) #20906 05/06/00 12:20 AM
Joined: Dec 1969
Posts: 2,300
JTimothyA Offline
Saint
The little nasty is tied into the association between a file arriving by E-mail (the virus) and a program on your computer that can execute that file if you double click on the attachment. (don't) This is caused by an association between the extension of the file (in this case '.vbs' - a visual basic script) and the program that executes it. The program already resides on your computer - the virus is code for it to run.

Thus, viruses don't have to be executables on their own (.exe extension). MS-Word documents for example can contain viruses as macros which get launched when you open the file in Word.

But, yeah it's half-way amusing that this thing shows up just as the airways are inundated with pudgy Steve Ballmer schmoozing us on behalf of MS. 'Course virus authors will write for those platforms where their work will find the greatest exposure - and today that's Weendoze. On the other hand, you don't see too much of this nastiness in the Unix world. So be happy, run Linux. :-)

To answer Bob's question - no, the virus can be an attachment to any E-mail. It doesn't have to come through Outlook.

Below is a repost of a message from the Much Ado About Nothing forum...

EVERYONE should have virus protection software on their computers at home. That's simply one of those unfortunate facts of life in the digital age. The top two packages are from McAfee and Symantec. I use the former on my NT machines both at home and at work.

Check this link for updates on the recent ILOVEYOU virus and its variants: McAfee.Com

Here's information that came out early yesterday...
-------------------------------------
Profile

Virus Name
VBS/Loveletter
Variants
None

Date Added
5/4/00

Virus Information
Discovery Date: 5/4/00
Origin: Philippines
Type: Virus
SubType: VbScript
Risk Assessment: High-Outbreak
Minimum Dat: 4077
Minimum Engine: 4.0.35

Virus Characteristics
This is a VBScript worm with virus qualities. This worm will arrive in an email message with this format:

Subject "ILOVEYOU"
Message "kindly check the attached LOVELETTER coming from me."
Attachment "LOVE-LETTER-FOR-YOU.TXT.vbs"

If the user runs the attachment the worm runs using the Windows Scripting Host program. This is not normally present on Windows 9x or Windows NT unless Internet Explorer 5 is installed.

When the worm is first run it drops copies of itself in the following places :

C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
C:\WINDOWS\WIN32DLL.VBS
C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS

It also adds the registry keys :

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=C:\WINDOWS\Win32DLL.vbs

in order to run the worm at system startup.

The worm replaces the following files:

*.JPG
*.JPEG
*.MP3
*.MP2

with copies of itself and it adds the extension .VBS to the original filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm.

The worm also overwrites the following files:

*.VBS
*.VBE
*.JS
*.JSE
*.CSS
*.WSH
*.SCT
*.HTA

with copies of itself and renames the files to *.VBS.

The worm creates a file "LOVE-LETTER-FOR-YOU.HTM" which contains the worm and this is then sent to the IRC channels if the mIRC client is installed. This is accomplished by the worm replacing the file SCRIPT.INI.

After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address book. The mails will be of the same format as the original mail.

This worm also has another trick up its sleeve in that it tries to download and install an executable file called WIN-BUGSFIX.EXE from the Internet. This exe file is a password stealing program that will email any cached passwords to the mail address MAILME@SUPER.NET.PH

In order to facilitate this download the worm sets the start-up page of Microsoft Internet Explorer to point to the web-page containing the password stealing trojan.

The email sent by this program is as follows :

-------------copy of email sent-----------
From: goat1@192.168.0.2
To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Host: [machine name]
Username: [user name]
IP Address: [victim IP address]

RAS Passwords:...[victim password info]
Cache Passwords:...[victim password info]
-------------copy of email sent-----------

The password stealing trojan is also installed via the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

to autorun at system startup. After it has been run the password stealing trojan copies itself to WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
WinFAT32=WinFAT32.EXE


Symptoms
VirusScan 4.0.3+
Toolkit 8


Method Of Infection
VirusScan 4.0.3+
Toolkit 8


Removal Instructions
Script,Batch,Macro and non memory-resident:
Use specified engine and DAT files for detection and removal.

Note- It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

----------------------

Slightly dated info as there are now several variants. Get that anti-virus software folks - do it now!


Rgds,
Saint Innoculant
[This message has been edited by JTimothyA (edited 05-05-2000).]
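
The indicators listed in the profile above (dropped copies, Run/RunServices values, and NAME.EXT.VBS replacements) can be checked mechanically against a file listing and an export of the autorun values. This is an added example, not part of the original post or of McAfee's tooling; the function names and sample inputs are constructed for illustration, and it assumes the Windows directory is named \WINDOWS as in the profile.

```python
import ntpath

# Indicators copied from the VBS/Loveletter profile above (drive letter dropped).
DROPPED = {
    r"\windows\system\mskernel32.vbs",
    r"\windows\win32dll.vbs",
    r"\windows\system\love-letter-for-you.txt.vbs",
    r"\windows\system\winfat32.exe",
}
RUN_VALUES = {"mskernel32", "win32dll", "win-bugsfix", "winfat32"}
# Media extensions the profile says are replaced by NAME.EXT.VBS copies.
MASKED_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}


def classify_file(path):
    """Return a finding label for one Windows path, or None if nothing matches."""
    p = ntpath.splitdrive(path.lower())[1]
    if p in DROPPED:
        return "dropped-copy"
    stem, ext = ntpath.splitext(ntpath.basename(p))
    if ext == ".vbs":
        inner = ntpath.splitext(stem)[1]  # extension hidden in front of .vbs
        if inner in MASKED_EXTS:
            return "overwritten-media"
        if inner == ".txt":
            return "double-extension"
    return None


def triage(paths, run_values):
    """paths: file paths; run_values: {value name: data} from Run/RunServices."""
    findings = [(classify_file(p), p) for p in paths if classify_file(p)]
    for name, data in run_values.items():
        if name.lower() in RUN_VALUES:
            findings.append(("autorun-entry", f"{name}={data}"))
    return findings


# Constructed sample input for this example, not taken from a real host.
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM\MSKERNEL32.VBS",
    r"C:\My Documents\PICT.JPG.VBS",
    r"C:\My Documents\report.doc",
    r"C:\TEMP\LOVE-LETTER-FOR-YOU.TXT.vbs",
    r"C:\scripts\backup.vbs",
]
SAMPLE_RUN = {"MSKernel32": r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    for label, item in triage(SAMPLE_PATHS, SAMPLE_RUN):
        print(f"{label:18} {item}")
```

An ordinary script such as backup.vbs is not flagged; only the named copies and the hidden-extension pattern are.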

Re: Love Bug Virus (READ THIS) #20907 05/10/00 01:14 PM
Joined: Dec 1969
Posts: 1,042
LamarB Offline
Member
Quote:
Originally posted by JTimothyA:
EVERYONE should have virus protection software on their computers at home. That's simply one of those unfortunate facts of life in the digital age. The top two packages are from McAfee and Symantec.


MegaDittos Tim. I've spent nearly every waking hour since last Thursday night disinfecting/inoculating/rebuilding my customers' PCs from this worm. It's nasty alright!

Re: Love Bug Virus (READ THIS) #20908 05/10/00 01:42 PM
Joined: Dec 1969
Posts: 13,047
Webmaster Offline
Saint
Why do these virus (virii?) seem to pick Microsoft Outlook?

1) Outlook is used so widely, therefore a virus can spread quickly through millions of machines.
2) Outlook is susceptible because a virus author can figure out how Outlook is structured (i.e. they can figure out how to make the recipient resend the virus to other users on the recipient's mail list).
3) There is an undercurrent of anti-Microsoft attitude among crackers and hackers - if you can write a small program that reveals shortcomings in the huge program written by the world's biggest software company, the author feels he/she is 'greater than' the giant.

Rod's policy is mine - I don't even OPEN any email from someone I don't know whether it has an attachment or not. If you want ME to read an email you send, 1) it better have a subject that relates to something I might have interest in and 2) Your email address ought to make sense and you've got two strikes against you if it is either @hotmail.com (now a Microsoft company) or @yahoo.com. I know some Forum users have these address extensions, but if I recognize their name or subject matter as pertinent, I'll open the email.

Re: Love Bug Virus (READ THIS) #20909 05/10/00 01:46 PM
Joined: Dec 1969
Posts: 6,801
rscroope Offline
Saint
Sad to say this one got past the firewalls and arrived before it was virus proofed.
It loved .jpeg files so I can only hope you guys have (had) your stuff backed up.
On my domain it just mainly caused downtime, stoppage of email, but luckily no real losses. This is the first virus to get through all our precautions even though we discovered it within 15 minutes of the start of the workday. 12 of 125 users opened it, even after being told continuously about what's been discussed above.


LONG ISLAND BOB
Re: Love Bug Virus (READ THIS) #20910 05/10/00 08:54 PM
Joined: Dec 1969
Posts: 12,331
Bob M Offline
Saint
Hey Tim and John,... Thanks for the computer lesson! I wished you lived closer, Tim. You could be my computer guy. A former neighbor dba "Lighthouse Computers" (a little irony there) moved away from my area to take a position with a large company. He was my "ace-in-the-hole" if I had a problem. Luckily, I've been problem free.

We often say there's a wealth of information at this forum. No truer words were ever spoken.

Bob

Re: Love Bug Virus (READ THIS) #20911 05/11/00 04:13 AM
Joined: Dec 1969
Posts: 2,300
JTimothyA Offline
Saint
And if you've got any sort of permanent or 'always on' connection to the net, such as a Cable Modem, DSL, or a T1 line - get yourself a firewall. After anti-virus software, personal firewalls will soon be a necessity.

Here's a good one: BlackIce Defender

Rgds,
Saint Backdraft

Re: Love Bug Virus (READ THIS) #20912 05/11/00 10:31 AM
Joined: Dec 1969
Posts: 1,155
Rod Watson Offline
Saint
I've been using ZoneLabs' firewall for about 6 months now, Tim. Do you know whether theirs is sufficient enough? Or do you suggest I switch to BlackIce or another? Just curious of your opinion.

ZoneLabs


[This message has been edited by Rod Watson (edited 05-11-2000).]

Re: Love Bug Virus (READ THIS) #20913 05/11/00 01:28 PM
Joined: Dec 1969
Posts: 1,042
LamarB Offline
Member
For a professional evaluation of ZoneLabs vs. BlackIce: http://www.infoworld.com/cgi-bin/deletef...plivingston.xml

Re: Love Bug Virus (READ THIS) #20914 05/13/00 11:07 AM
Joined: Dec 1969
Posts: 151
Len Ariagno Offline
Member
This LOVE virus also attacks all jpeg picture files. It is truly devastating. It did a number on my PC at work, but I was able to avoid catastrophe at home. I suggest Norton's anti-virus product.
Len Ariagno

Re: Love Bug Virus (READ THIS) #20915 05/16/00 12:34 AM
Joined: Dec 1969
Posts: 2,300
JTimothyA Offline
Saint
Thanks for the tip about ZoneLabs. I hadn't seen that one, so I can't really comment. Price is right - though not sure I'd buy anything based on Livingston's column or (particularly) Steve Gibson's recommendation alone. Gibson used to be an Infoworld hack and he's pretty buddy buddy with their staff. Their 'articles' are too often gussied up press releases, often the case across all the industry rags. Not to say Zonelabs isn't a good product - I'll check around and see what experiences I can find. Thanks.

__
/im

Re: Love Bug Virus (READ THIS) #20916 05/16/00 01:13 PM
Joined: Dec 1969
Posts: 2,300
JTimothyA Offline
Saint
Moved the Firewall discussion to the off-topic forum...

__
/


Moderated by  rscroope 
