ietf

RE: VIRUS WARNING

2000-05-04 09:40:04
In addition to what has been posted by me earlier and what has been reported
on Symantec's site, I have learned the following.

When the virus is contracted (DO NOT shut down the computer or reboot). The
worm is designed to propagate fully during system startup.

It should be noted that you should do a file search based on all files
created or modified the day the worm was downloaded...NOTE that the
timestamp is irrelevant, I found files that were created at a time when the
computer was not turned on so the worm is able to create or modify this info...

In the registry file all references to the five files listed on your website
should also be deleted (key and folder). You will find most of the references
within the keys that control the system tray and startup control (not the
program folder).

The Worm also creates an href for IE startup page which downloads the virus
again...This should be changed AFTER all the above has been accomplished.

The Worm also creates an HTML page LOVE-LETTER-FOR-YOU.TXT.html on your
local drive which contains ActiveX scripts which redistribute the worm.
Delete this file.

This worm seems to be a sort of application that creates the other files for
some sort of source code that utilizes applications already installed on the
local drive to rewrite the worm into various forms.

I believe I have wiped out the virus, but I will keep checking...One method
of checking this status is to look at the mail queue of your mail server and
look for e-mail without controls.


I have received an e-mail from someone else saying these additional sites
have information regarding ILOVEYOU; I have yet to visit them.

http://www.securityfocus.com
http://www.datafellows.com/v-descs/love.htm



-----Original Message-----
From: Scot Mc Pherson [mailto:smcpherson(_at_)clearaccess(_dot_)net]
Sent: Thursday, May 04, 2000 10:35 AM
To: isp-wireless(_at_)isp-wireless(_dot_)com; ietf(_at_)ietf(_dot_)org;
Brian Duddy (E-mail); Kevin Speilman (E-mail); Michael F. Young (E-mail);
Perry Lewis (E-mail); Robert E Sollmann (E-mail); Roger Shepheard (E-mail)
Subject: RE: VIRUS WARNING


The file subject: ILOVEYOU
Name of attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

DO NOT OPEN THE ATTACHMENT.

At this time very little is known about the virus. If you have opened the
file, please see your network administrator for help.

The following link to Symantec has info on what the file does to your
system.

http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html



Since the webpage is too busy to access I am copying the text portions of
the webpage here

VBS.LoveLetter.A
This is an email worm, mIRC worm, and file infector.

Also known as:

Category: Worm

Infection length: 10307

Virus definitions: Pending

Threat assessment:

Damage: High
Distribution: High
Wildness: High

Wild

Number of infections: More than 1000
Number of sites: More than 10
Geographic distribution: High
Threat containment: Moderate
Removal: Moderate


Damage Payload:

Large scale e-mailing: All the addresses in Microsoft Outlook address book
Degrades performance: May clog mail servers

Distribution

Subject of e-mail: ILOVEYOU
Name of attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Size of attachment: 10307

Technical description:

This is a preliminary writeup. The information contained within is to
provide as much information as possible at this time.

VBS.LoveLetter.A is an email worm, mIRC worm, and a file infector.
VBS.LoveLetter.A will use Microsoft Outlook and email itself out as an
attachment with the above subject line and attachment name. The body of the
message will be

kindly check the attached LOVELETTER coming from me.

The virus will also infect files with the following extensions: vbs, vbe,
js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, and mp2

The virus will insert the following files:

MSKernel32.vbs in the Windows System directory


Win32DLL.vbs in the Windows directory

LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows System directory

WinFAT32.EXE in the Internet download directory

WIN-BUGSFIX.EXE in the Internet download directory

script.ini in the mIRC directory

SARC recommends Administrators filter on the attachment name and Subject
line immediately.

This writeup will be verified and formalized within the hour.

Removal:

Delete found infected files.



Write-up by: Eric Chien
Updated: May 4, 2000






-----Original Message-----
From: Scot Mc Pherson [mailto:smcpherson(_at_)clearaccess(_dot_)net]
Sent: Thursday, May 04, 2000 9:27 AM
To: isp-wireless(_at_)isp-wireless(_dot_)com; ietf(_at_)ietf(_dot_)org
Subject: VIRUS WARNING


There is an e-mail virus going around. The subject of the e-mail is
ILOVEYOU...I suggest you delete it the moment you receive it.

-Scot Mc Pherson, N2UPA
-Sr. Network Analyst
-ClearAccess Communications
-Ph: 941.744.5757 ext. 210
-Fax: 941.744.0629
-mailto:smcpherson(_at_)clearaccess(_dot_)net
-http://www.clearaccess.net
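
Added example, not part of the original thread or of Symantec's write-up: a gateway-side check for the subject line and attachment name that SARC recommends filtering on, extended (beyond what the write-up states) to any script attachment hiding behind a decoy inner extension such as `.TXT.vbs`. The function names, the `DECOY_EXTS` list and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the Symantec write-up above.
SUBJECT = "ILOVEYOU"
ATTACHMENT = "LOVE-LETTER-FOR-YOU.TXT.vbs"
# Script types from the write-up's extension list; blocking them is this example's policy.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}
# Harmless-looking inner extensions (assumed list, not from the page).
DECOY_EXTS = {"txt", "jpg", "jpeg", "doc", "pdf", "mp3"}


def check_message(raw):
    """Return the reasons to quarantine a raw RFC 822 message (empty list = deliver)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    # Token match so "Fw: ILOVEYOU" is caught but ordinary prose subjects are not.
    if SUBJECT in str(msg.get("Subject", "")).upper().split():
        reasons.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue
        if name == ATTACHMENT.lower():
            reasons.append("attachment-name")
        # name.txt.vbs: with extensions hidden the recipient sees only "name.txt".
        pieces = name.rsplit(".", 2)
        if len(pieces) == 3 and pieces[1] in DECOY_EXTS and pieces[2] in SCRIPT_EXTS:
            reasons.append("double-extension")
    return reasons


def build_sample(subject, filename=None):
    """Constructed test message; addresses and payload are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", subject
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(check_message(build_sample(SUBJECT, ATTACHMENT)))
    print(check_message(build_sample("RE: VIRUS WARNING")))
```

A warning message like this thread, which mentions ILOVEYOU only in its body, passes the check; a plain `.vbs` attachment with no decoy extension is also not flagged here and would need a separate block-all-scripts rule.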


