The little nasty is tied into the association between a file arriving by E-mail (the virus) and a program on your computer that can execute that file if you double click on the attachment. (don't) This is caused by an association between the extension of the file (in this case '.vbs' - a visual basic script) and the program that executes it. The program already resides on your computer - the virus is code for it to run.
Thus, viruses don't have to be executables on their own (.exe extension). MS-Word documents for example can contain viruses as macros which get launched when you open the file in Word.
But, yeah its half-way amusing that this thing shows up just as the airways are inundated with pudgy Steve Balmer schmoozing us on behalf of MS. 'Course virus authors will write for those platforms where their work will find the greatest exposure - an today thats Weendoze. On the other hand, you don't see too much of this nastiness in the Unix world. So be happy, run Linux. :-)
To answer Bob's question - no the virus can be an attachment to any E-mail. It doesn't have to come through Outlook.
Below is a repost of a message from the Much Ado About Nothing forum...
EVERYONE should have virus protection software on their computers at home. Thats simply one of those unfortunate facts of life in the digital age. The top two packages are from McAfee and Symantec. I use the former on my NT machines both at home and at work.
Check this link for updates on the recent ILOVEYOU virus and its variants:
McAfee.Com Here's information that came out early yesterday...
-------------------------------------
Profile
Virus Name
VBS/Loveletter
Variants
None
Date Added
5/4/00
Virus Information
Discovery Date: 5/4/00
Origin: Phillipines
Type: Virus
SubType: VbScript
Risk Assessment: High-Outbreak
Minimum Dat: 4077
Minimum Engine: 4.0.35
Virus Characteristics
This is a VBScript worm with virus qualities. This worm will arrive in an email message with this format:
Subject "ILOVEYOU"
Message "kindly check the attached LOVELETTER coming from me."
Attachment "LOVE-LETTER-FOR-YOU.TXT.vbs"
If the user runs the attachment the worm runs using the Windows Scripting Host program. This is not normally present on Windows 9x or Windows NT unless Internet Explorer 5 is installed.
When the worm is first run it drops copies of itself in the following places :
C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
C:\WINDOWS\WIN32DLL.VBS
C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS
It also adds the registry keys :
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=C:\WINDOWS\Win32DLL.vbs
in order to run the worm at system startup.
The worm replaces the following files:
*.JPG
*.JPEG
*.MP3
*.MP2
with copies of itself and it adds the extension .VBS to the original filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm.
The worm also overwrites the following files:
*.VBS
*.VBE
*.JS
*.JSE
*.CSS
*.WSH
*.SCT
*.HTA
with copies of itself and renames the files to *.VBS.
The worm creates a file "LOVE-LETTER-FOR-YOU.HTM" which contains the worm and this is then sent to the IRC channels if the mIRC client is installed. This is accomplished by the worm replacing the file SCRIPT.INI.
After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address book. The mails will be of the same format as the original mail.
This worm also has another trick up it's sleeve in that it tries to download and install an executable file called WIN-BUGSFIX.EXE from the Internet. This exe file is a password stealing program that will email any cached passwords to the mail address MAILME@SUPER.NET.PH
In order to facilitate this download the worm sets the start-up page of Microsoft Internet Explorer to point to the web-page containing the password stealing trojan.
The email sent by this program is as follows :
-------------copy of email sent-----------
From: goat1@192.168.0.2To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.
trojan---by: spyder
Host: [machine name]
Username: [user name]
IP Address: [victim IP address]
RAS Passwords:...[victim password info]
Cache Passwords:...[victim password info]
-------------copy of email sent-----------
The password stealing trojan is also installed via the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
to autorun at system startup. After it has been run the password stealing trojan copies itself to WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
WinFAT32=WinFAT32.EXE
Symptoms
VirusScan 4.0.3+
Toolkit 8
Method Of Infection
VirusScan 4.0.3+
Toolkit 8
Removal Instructions
Script,Batch,Macro and non memory-resident:
Use specified engine and DAT files for detection and removal.
Note- It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.
----------------------
Slightly dated info as there are now several variants. Get that anti-virus software folks - do it now!
Rgds,
Saint Innoculant
[This message has been edited by JTimothyA (edited 05-05-2000).]