-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2000.05  --  AUSCERT ALERT
                           Love Letter Worm Virus
                                 05 May 2000

===========================================================================

PROBLEM:  

	  AusCERT has received recent reports of a new malicious virus/worm
          within Australia which uses email, the web, or IRC to propagate.
          AusCERT has also received information that this virus is
          currently active around the world.

          The VBS/LoveLetter worm is a VBScript worm which may send
          copies of itself to every email address listed in the MS
          Outlook address book.  It also attempts to send copies of
          itself via mIRC to every user who joins the IRC channel that
          the affected systems is connected to.
          
          The worm may attempt to install itself in several locations.
          It also attempts under some circumstances to reset the Internet
          Explorer Start Page, download arbitrary code and cause the system
          to execute this code upon reboot.

          The virus may also look for JPEG, MP2 and MP3 files and
          delete them from the affected system.  It may also attempt
          to overwrite all files with extensions of VBS, VBE, JS, JSE,
          CSS, WSH, SCT or HTA with itself and rename those files to a
          .VBS extension.


PLATFORM: 
          
          Systems with MS Outlook *or* mIRC *or* MS Internet Explorer
	  *or* most MS Windows-based email clients.


IMPACT:   

	  Affected systems may cause a Denial of Service to other
          systems or networks, may execute arbitrary code as the infected
          user and may delete files from the infected system.


RECOMMENDATIONS: 

          A. User Education

          System Administrators are urged to inform their users about
          proper precautions with regards to handling email attachments.

          AusCERT recommends that sites should update and check their
          virus defenses and either delete or do not open any email
          messages that resemble or are a variant of the following, even
          if sent from someone you know:

            Subject:    ILOVEYOU
            Body:       kindly check the attached LOVELETTER coming from me.
            Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

            Subject:    fwd: Joke
            Attachment: Very Funny.vbs

            URL:        LOVE-LETTER-FOR-YOU.HTM

            URL:        Very Funny.HTM

          B. Update Anti-Virus Packages

          System Administrators and Users are urged to ensure that the
          latest Anti-Virus software is installed and it is using the
          most current up-to-date virus databases.

          More information about this worm (including links to various
          Anti-Virus sites) may be found at:

            http://www.cert.org/current/current_activity.html#loveletter

	  AusCERT is continuing to monitor this problem. 

- ---------------------------------------------------------------------------

[AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.]

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						       
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBORLbxCh9+71yA2DNAQFlcQQAjFVS/djN3LdJJeuQ9k//Lc9bZdhb6AKQ
ZfSKYB37VzEntIgZSlaU4knoHq8Bs1qMNO2IOz+Hu00sfURlz0O1jWO6QnNsuI7g
qQZAwsi4B+fttqpDsTTAGECmCWoItwr0K9drq7TjPpwHlzncK28A28xAZyD2sBYf
CICZsHU+KpM=
=ecRq
-----END PGP SIGNATURE-----