PROBLEM: A new worm program named VBS.LoveLetter.A is spreading rapidly around the Internet using a variety of propagation methods. Multiple variants are also spreading.
PLATFORM: Windows systems. Spreading by e-mail requires Microsoft Outlook.
DAMAGE: Mail servers are clogged with thousands of messages. All files of the following types are destroyed: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG. Files of type .MP2 and .MP3 are replaced, but the original files are still present, hidden. Some of the variants destroy .DLL, .INI, .EXE, and .COM files, which renders systems unbootable.
SOLUTION: If you receive an e-mail message with the subject "ILOVEYOU" and an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs", do not open the attachment. If you have already run the attachment, shut the system down until you have a method for cleaning your system. Be sure your system is disconnected from the network before starting it up for cleaning. See the list below for files to watch for in the variants.
VULNERABILITY ASSESSMENT: The risk is HIGH. This worm is spreading rapidly throughout the Internet.
CIAC has information that the VBS.LoveLetter.A worm is spreading rapidly around the Internet. This worm uses multiple methods for spreading itself, making disinfection and removal a difficult process. If you have received this e-mail message and opened it but have not yet opened the attachment, you are not infected. Simply delete the e-mail message and the attachment. If you have opened the attachment, the safest thing to do is to shut down your system until you are prepared to clean up the worm. Be sure the system is disconnected from any network before starting it up for cleaning.
Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini

Subject: Susitikim shi vakara kavos puodukui... (translated: Let's meet this evening for a cup of coffee)
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini

Subject: fwd: Joke
Message Body: -nothing-
Attachment: Very Funny.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: Very Funny.HTM, WIN-BUGSFIX.exe, script.ini

Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini

Subject: Mothers Day Order Confirmation
Message Body: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com
Attachment: mothersday.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .INI, .BAT
Hidden Files: .MP2, .MP3
Other Files: mothersday.HTM

Subject: Dangerous Virus Warning
Message Body: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.
Attachment: virus_warning.jpg.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: Urgent_virus_warning.htm, WIN-BUGSFIX.exe, script.ini
Subject: Virus ALERT!!!
Message Body: (long)
************************************
Dear Symantec customer, Symantec's AntiVirus Research Center began receiving reports regarding VBS.LoveLetter.A virus early morning on May 4, 2000 GMT. This worm appears to originate from the Asia Pacific region. Distribution of the virus is widespread and hundreds of thousands of machines are reported infected. The VBS.LoveLetter.A is an Internet worm that uses Microsoft Outlook to e-mail itself as an attachment. The subject line of the e-mail reads ILOVEYOU, with the attachment titled LOVE-LETTER-FOR-YOU.TXT.VBS. Once the attachment is opened, the virus replicates and sends an e-mail to all e-mail addresses listed in the address book. The virus also spreads itself via Internet relay chat and infects files on local and remote drives including files with extensions vbs, vbe, js, sje, css, wsh, sct, hta, jpg, jpeg, mp3, mp2. Users should exercise caution when opening e-mails with this subject line, even if the e-mail is from someone they know, as that is how the virus is spread. Symantec Corp. today announced availability of the virus definition to detect, repair and protect users against the VBS.LoveLetter.A virus. This definition is available now via Symantec's LiveUpdate and can also be downloaded from the following web sites: http://www.symantecstore.com/AF74211/promo/loveletter http://www.digitalriver.com/symantec Also as a quick solution Symantec Corp. offers Visual Basic Script to protect your PC against this worm. (See attached.) Note! When executed, this script will protect Your PC from being INFECTED by VBS.LoveLetter.A virus. To cure already infected PC's download Norton Antivirus Updates mentioned above. Symantec Corporation - a world leader in internet security technology.
************************************
Attachment: protect.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG, .BAT, .COM
Hidden Files: .MP2, .MP3
Other Files: protect.HTM, script.ini
Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini

Subject: Important! Read carefully!!
Message Body: Check the attached IMPORTANT coming from me.
Attachment: IMPORTANT.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: IMPORTANT.HTM, WIN-BUGSFIX.exe

Subject: Virus ALERT!!!
Message Body: (long, see the G variant above)
Attachment: protect.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG, .BAT, .COM
Hidden Files: .MP2, .MP3
Other Files: protect.HTM, script.ini

Subject: How to protect yourself from the ILOVEYOU bug!
Message Body: Here's the easy way to fix the love virus.
Attachment: Virus-Protection-Instructions.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: Virus-Protection-Instructions.HTM

Subject: I Cant believe this!!!
Message Body: I Cant Believe I have Just Recieved This Hate Email .. Take A Look!
Attachment: KillEmAll.TXT.VBS
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .GIF, .BMP
Hidden Files: .WAV, .MID
Other Files: KILER.HTM, KILLER2.VBS, KILLER1.VBS, script.ini

Subject: Thank You For Flying With Arab Airlines
Message Body: Please check if the bill is correct, by opening the attached file
Attachment: ArabAir.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .DLL, .EXE
Hidden Files: .SYS, .DLL
Other Files: no-hate-FOR-YOU.HTM, script.ini

Subject: Variant Test
Message Body: This is a variant to the vbs virus.
Attachment: IMPORTANT.TXT.vbs
Destroyed files: .MPG, .MPEG, .AVI, .QT, .QTM
Hidden Files:
Other Files: sndvol32.vbs, IEAKDLL.vbs, important.htm, script.ini

Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini

Subject: Yeah, Yeah another time to DEATH...
Message Body: This is the Killer for VBS.LOVE-LETTER.WORM.
Attachment: Vir-Killer.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .ZIP, .RAR
Hidden Files: .PAS, .ASM
Other Files:

Subject: LOOK!
Message Body: hehe...check this out.
Attachment: LOOK.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .XLS, .MDB
Hidden Files: .EXE, .LNK
Other Files: LOOK.HTM, script.ini
Subject: Bewerbung Kreolina (translated: Job application Kreolina)
Message Body: Sehr geehrte Damen und Herren! (translated: Dear Sir or Madam!)
Attachment: BEWERBUNG.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: BEWERBUNG.HTM, script.ini
Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini

Subject: Recent Virus Attacks-Fix
Message Body: Attached is a copy of a script that will reverse the effects of the LOVE-LETTER-TO-YOU.TXT.vbs as well as the FW:JOKE, Mother's Day and Lithuanian siblings.
Attachment: BAND-AID.DOC.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files:
Deletes Files: .BAT, .GIF, .TIF, .TIFF, .WAV, .LNK, .BAK, .DOC, .XLS, .RTF, .TXT, .HTM, .HTML, .XML, .MNY, .ZIP, .BMP, .CAB, .INF, .MP2, .MP3
Other Files: BAND-AID.HTM, script.ini
Subject: PresenteUOL (translated: UOL Gift)
Message Body: O UOL tem um grande presente para voce, e eh exclusivo.Veja o arquivo em anexo. Http://www.uol.com.br (translated: UOL has a great gift for you, and it is exclusive. See the attached file.)
Attachment: UOL.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3, .EXE, .COM, .INI
Other Files: UOL.HTM, script.ini
Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini

Subject: IMPORTANT: Official virus and bug fix
Message Body: This is an official virus and bug fix. I got it from our system admin. It may take a short while to update your system files after you run the attachment.
Attachment: Bug and virus fix.vbs
Destroyed files: .EXE, .COM, .DLL, .SYS, .PWL, .TXT
Hidden Files:
Other Files: Bug and virus fix.htm, script.ini
Subject: NEUE ANTI-VIRUS-LISTE (translated: NEW ANTI-VIRUS LIST)
Message Body: Hiermit senden wir Ihnen/Dir eine neue Liste mit LOVE-LETTER-VIRUS Namen, die nicht geoeffnet werden sollten, bitte sofort lesen, danke. (translated: We are hereby sending you a new list of LOVE-LETTER-VIRUS names that should not be opened; please read it immediately, thank you.)
Attachment: ANTI-VIRUS-LISTE.TXT.vbs
Destroyed files: .MDB, .PDF, .WSH, .DOT, .HTA, .JS, .DRV, .INI
Hidden Files: .XLS, .DOC
Other Files: ANTI-VIRUS-LISTE.HTM, script.ini
Subject: LOOK!
Message Body: hehe...check this out.
Attachment: LOOK.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .XLS, .MDB
Hidden Files: .MP2, .MP3
Other Files: LOOK.HTM, script.ini

Subject: BUG & VIRUS FIX
Message Body: I got this from our system admin. Run this to help pervent any recent or future bug & virus attack's. It may take a small while up update your files.
Attachment: MAJOR BUG & VIRUS FIX.vbs
Destroyed files: .COM, .DLL, .EXE, .TXT, .BAT, .SYS
Hidden Files:
Other Files: BUG & VIRUS FIX.HTM, WIN-BUGSFIX.exe, script.ini

Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini

Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini

Subject: New Variation on LOVEBUG Update Anti-Virus!!
Message Body: There is now a newer variant of love bug. It was released at 8:37 PM Saturday Night. Please Download the following patch. We are trying to isolate the virus. Thanks Symantec.
Attachment: antivirusupdate.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: antivirusupdate.htm, WIN-BUGSFIX.exe, script.ini

Subject: Image of the Millenium
Message Body: Hi, my name is Nelma Marisa, and I'm here to present the Image of the Millenium. Just unzip Nelma.zip and read the readme file included first. Then open the image called millenium.gif. Thanks...
Attachment: nelma.zip
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG
Hidden Files:
Other Files:
The worm typically arrives on your system in an e-mail message from someone you know or as an IRC DCC download. The e-mail message has the following characteristics:
Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
As long as you do not run the attachment, your system has not been infected. You need only delete the e-mail message and the attachment. However, if you open the attachment such as by double clicking it, the worm code in the attachment is run.
Note that while the attachment appears to be a text file, it is actually a Visual Basic Script (.vbs) file. VBS files are run by the Windows Scripting Host and the Windows Scripting Host is installed by several packages from Microsoft, including current versions of Internet Explorer. If the Windows Scripting Host is not installed, the worm cannot run.
When the worm program runs, it first adds the following registry key and sets it to 0.
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout = 0
It then makes copies of itself in the Windows and system directories as follows:
\Windows\Win32DLL.vbs
\Windows\System\MSKernel32.vbs
\Windows\System\LOVE-LETTER-FOR-YOU.TXT.vbs
On a Windows NT machine, these would be the winnt and system32 folders.
The worm modifies the following registry keys to ensure that the worm is restarted whenever the system is restarted.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = \windows\system\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = \windows\Win32DLL.vbs
The worm checks to see if the file WinFAT32.exe exists. If it does, the worm randomly picks one of four web pages on www.skyinet.net and changes your Internet Explorer start page to point to a file on that page. The file is named WIN-BUGSFIX.exe. This file is stored in the Internet Explorer download directory, or in C:\ if you do not have a download directory defined. The worm then modifies the following registry key to run that file the next time you start Windows.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX = \directory\WIN-BUGSFIX.exe
where directory is where the program was downloaded to. The worm then resets Internet Explorer’s start page to a blank with the following key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page = about:blank
The worm next creates an HTML version of itself in the file:
\windows\system\LOVE-LETTER-FOR-YOU.HTM
The worm then looks for Microsoft Outlook and starts creating e-mail messages containing the Love Letter message and the infected file. It sends itself from you to everyone in all of your e-mail lists. To prevent sending itself twice to the same person, it puts a copy of each person’s e-mail address in the registry whenever it sends a message and checks that key before sending a message. You can get a list of everyone who your system sent a copy of this worm to by examining the registry key:
HKEY_CURRENT_USER\Software\Microsoft\WAB
The worm then starts corrupting your files with copies of itself. It scans all the drives on your system for the following file types:
.VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG.
All of these files are overwritten with the worm and all but the .vbs and .vbe files have the .vbs extension added on the right side of the existing file name extension to make the file executable. For example, the image file my.jpg would be overwritten with the worm code and the file name changed to my.jpg.vbs to make it appear to still be an image file but to actually be a .vbs file. Files of type .MP2 and .MP3 are not overwritten, but are hidden and a file containing the worm is created with the same file name plus the .vbs extension.
Lastly, the worm looks for IRC chat clients and servers and adds a script.ini file that sends a copy of the html version of the worm to anyone who connects to the IRC chat server.
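The naming pattern just described (an inner extension such as .jpg left under the appended .vbs, and a hidden .mp2/.mp3 original sitting beside a .vbs copy) is enough to sort a damaged disk into "lost" and "recoverable" without reading file contents. The following Python script is an added example and is not CIAC's code or part of this bulletin. It builds a constructed sample directory tree, classifies each file by name against the extension lists and dropped file names given above, and reports which hidden originals are still present. It does not check the Hidden attribute (that cannot be reproduced on a non-Windows host) and it leaves script.ini out of the dropped-file list because that name is also a normal mIRC file; the bucket names are this example's own.

```python
"""Host-side triage for the file damage left by the worm (added example)."""
import os
import tempfile
from pathlib import Path

# Extensions the worm overwrites with its own code and then renames by appending .vbs
OVERWRITTEN = {".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg", ".jpeg"}
# Extensions the worm leaves intact but hidden, with a .vbs copy of itself beside them
HIDDEN_ORIGINAL = {".mp2", ".mp3"}
# Fixed file names the worm drops (from the description above)
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
           "love-letter-for-you.htm", "win-bugsfix.exe"}


def classify(path):
    """Classify one file by name alone: dropped, overwritten, copy-original-hidden,
    vbs-unknown (a .vbs/.vbe with no inner extension: either a legitimate script or
    an overwritten one, which only a content check can tell apart) or clean."""
    p = Path(path)
    name = p.name.lower()
    if name in DROPPED:
        return "dropped"
    if p.suffix.lower() not in (".vbs", ".vbe"):
        return "clean"
    inner = Path(p.stem).suffix.lower()  # the extension that sat under the added .vbs
    if inner in OVERWRITTEN:
        return "overwritten"
    if inner in HIDDEN_ORIGINAL:
        return "copy-original-hidden"
    return "vbs-unknown"


def triage_tree(root):
    """Walk a tree and bucket every suspicious file; list hidden originals still present."""
    root = Path(root)
    report = {"dropped": [], "overwritten": [], "copy-original-hidden": [],
              "vbs-unknown": [], "recoverable_originals": []}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = Path(dirpath) / fn
            cat = classify(full)
            if cat == "clean":
                continue
            report[cat].append(full.relative_to(root).as_posix())
            if cat == "copy-original-hidden":
                original = full.with_suffix("")  # strip the trailing .vbs -> song.mp3
                if original.exists():
                    report["recoverable_originals"].append(
                        original.relative_to(root).as_posix())
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample layout, not taken from a real infection
SAMPLE_FILES = [
    "Windows/Win32DLL.vbs", "Windows/System/MSKernel32.vbs",
    "Windows/System/LOVE-LETTER-FOR-YOU.HTM", "Pictures/my.jpg.vbs",
    "Music/song.mp3", "Music/song.mp3.vbs", "Scripts/logon.vbs", "Docs/report.txt",
]


def build_sample_tree():
    """Create the sample layout in a fresh temporary directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="loveletter-triage-"))
    for rel in SAMPLE_FILES:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("placeholder content\n")
    return root


def demo():
    """Run the triage over the constructed sample tree."""
    return triage_tree(build_sample_tree())


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket + ":", paths)
```

On a real system, point triage_tree at each drive root after the machine has been taken off the network; the "overwritten" bucket is the list of files that must be restored from backup, and "recoverable_originals" are the audio files that only need their Hidden attribute cleared once the .vbs copy next to them is removed.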
We have not yet analyzed the Trojan program WIN-BUGSFIX.exe that is downloaded to your system. The following analysis is from Elias Levy (http://www.securityfocus.com/templates/article.html?id=28) at Security Focus. According to that article, the Trojan captures passwords and then sends them to mailme@super.net.ph using an SMTP server at 199.108.232.1 (port 25). The e-mail messages look like the following:
To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Host: kakker
Username: Default
IP Address: 10.67.101.123
RAS Passwords:
Cache Passwords:
BLABLA\MPM : xxx
BJORN\MUSIC : xxx
TOM\SHARED : xxx
TOM2\MP3 : xxx
www.server.com/: xxx:xxx
MAPI : MAPI
where all xxx's stand for plaintext usernames and passwords of SMB shares in the subnet.
A quick test to see if you have the Windows Scripting Host installed is to create a text file named test.vbs containing the single line:
msgbox "Got You"
Save this file and then double click it. If the Windows Scripting Host is installed, a dialog box reading "Got You" will appear. If instead the system opens a dialog asking what program it should use to open the file, the Windows Scripting Host is not installed.
If the Windows Scripting Host is not installed, this worm cannot run.
If you have not been infected, do not execute attachments to e-mail messages that you were not expecting to receive. Look closely to see what kind of an attachment you are being sent. A .TXT file is safe to open but a .TXT.vbs is not.
If you ran the attachment but the Windows Scripting Host is not installed your system has not been compromised. Test your system to see if the Windows Scripting Host is installed using the simple test above.
If you do not need the Windows Scripting Host, you should consider disabling it using the instructions below.
If you have been infected, the safest thing to do is to reinitialize your system and reinstall all software. This is because while you can delete all instances of the worm, it is not possible to recover any of the damaged files. They must all be deleted. Most antivirus vendors should have detection and cleaning programs available for download to clean your system and we have included a cleaning program below. Keep in mind that some applications may not work because of the destroyed files.
While you are waiting to decide what to do about your infected system, you should disconnect that system from any network so the worm cannot spread from you and your passwords cannot be sent to the intruder.
System administrators should block connections to 199.108.232.1 port 25 and www.skyinet.net port 80. Log files of all attempted connections to 199.108.232.1 port 25 will give you a list of infected machines at your site. All incoming mail with the subject ILOVEYOU should be blocked. Check the list of variants for other subject lines to block. You should also consider blocking IRC to prevent infection through that path.
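The blocking advice above can be turned into two small checks: a pass over firewall logs that lists the internal hosts which tried to reach the Trojan's mail drop or the download site, and a mail-gateway rule that quarantines a message by its subject line or by a script attachment. The Python below is an added example, not CIAC's code; the log format, the 192.0.2.10 address and the sample messages are constructed for the demonstration (10.67.101.123 is the address shown in the Trojan's sample message above), and the indicator and subject lists are taken from this bulletin. Because the variants changed their subject lines freely, the attachment-extension rule is the one that keeps catching new ones; the subject list only covers the variants known here, and the one zip-packaged variant is caught by its subject alone.

```python
"""Gateway-side checks for the LoveLetter indicators in this bulletin (added example)."""
import re

# Destinations named in the bulletin: the Trojan's mail drop and the download site
# for WIN-BUGSFIX.exe. The constructed log below carries the host name as logged;
# a real firewall usually logs the resolved address, so match on that instead.
INDICATORS = {
    ("199.108.232.1", "25"): "password exfiltration to 199.108.232.1:25",
    ("www.skyinet.net", "80"): "WIN-BUGSFIX.exe download from www.skyinet.net:80",
}

# Subject lines from the variant list above; only the variants known at the time.
KNOWN_SUBJECTS = {
    "ILOVEYOU", "Susitikim shi vakara kavos puodukui...", "fwd: Joke",
    "Mothers Day Order Confirmation", "Dangerous Virus Warning", "Virus ALERT!!!",
    "Important! Read carefully!!", "How to protect yourself from the ILOVEYOU bug!",
    "I Cant believe this!!!", "Thank You For Flying With Arab Airlines", "Variant Test",
    "Yeah, Yeah another time to DEATH...", "LOOK!", "Bewerbung Kreolina",
    "Recent Virus Attacks-Fix", "PresenteUOL", "IMPORTANT: Official virus and bug fix",
    "NEUE ANTI-VIRUS-LISTE", "BUG & VIRUS FIX",
    "New Variation on LOVEBUG Update Anti-Virus!!", "Image of the Millenium",
}
_KNOWN_SUBJECTS_LOWER = {s.lower() for s in KNOWN_SUBJECTS}

# Extensions the Windows Scripting Host runs on double-click. Testing only the final
# extension is what defeats the double-extension trick (LOVE-LETTER-FOR-YOU.TXT.vbs).
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta")

# Constructed firewall log lines (made-up format and addresses).
SAMPLE_LOG = """\
2000-05-05 08:12:01 DENY tcp src=10.67.101.123:1034 dst=199.108.232.1:25
2000-05-05 08:12:05 ALLOW tcp src=10.67.101.50:1100 dst=192.0.2.10:80
2000-05-05 08:13:40 DENY tcp src=10.67.101.77:1045 dst=199.108.232.1:25
2000-05-05 08:14:02 DENY tcp src=10.67.101.123:1036 dst=199.108.232.1:25
2000-05-05 08:15:30 DENY tcp src=10.67.101.9:1200 dst=www.skyinet.net:80
"""

LOG_RE = re.compile(r"src=(?P<src>\S+?):\d+\s+dst=(?P<dst>\S+?):(?P<dport>\d+)")


def infected_hosts(log_text):
    """Map each internal source address to the indicators it triggered."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        key = (m.group("dst"), m.group("dport"))
        if key in INDICATORS:
            hits.setdefault(m.group("src"), set()).add(INDICATORS[key])
    return {src: sorted(why) for src, why in sorted(hits.items())}


def attachment_is_script(filename):
    """True if the final extension is one the Windows Scripting Host would run."""
    return filename.lower().endswith(SCRIPT_EXTENSIONS)


def check_message(subject, attachments):
    """Return the reasons to quarantine a message; an empty list means it passes."""
    reasons = []
    if subject.strip().lower() in _KNOWN_SUBJECTS_LOWER:
        reasons.append("subject matches known variant")
    for name in attachments:
        if attachment_is_script(name):
            reasons.append("script attachment: " + name)
    return reasons


if __name__ == "__main__":
    for src, why in infected_hosts(SAMPLE_LOG).items():
        print(src, "->", "; ".join(why))
    for subj, atts in [("ILOVEYOU", ["LOVE-LETTER-FOR-YOU.TXT.vbs"]),
                       ("Quarterly numbers", ["invoice.TXT.vbs"]),
                       ("Image of the Millenium", ["nelma.zip"]),
                       ("Lunch?", ["notes.txt"])]:
        print(repr(subj), check_message(subj, atts) or "pass")
```

The host list from infected_hosts is the same list the bulletin says the port 25 log entries will give you; feeding it into a ticket per source address is the usual next step. The gateway rule is deliberately two independent tests so that a message fails on either one.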
Microsoft Exchange users should check the Microsoft Security web site for instructions on cleaning Microsoft Exchange.
Information on disabling the Windows Scripting Host was originally presented in CIAC Bulletin J-18, HTML Viruses. The Windows Scripting Host and Visual InterDev use the Scripting Runtime Library to access the file system on a host. Removing this library will prevent both of these systems from accessing a computer's file system. The Windows Scripting Host will still run; it just will not be able to access or create files on the hard drive (the test above will still run). The library is in a file named scrrun.dll and will normally be found in the \windows\system or \windows\system32 directories. Use the Find command to locate all occurrences of this file. Copy the file onto a floppy so you can reinstall it later if you need it. Then delete all occurrences of the file on your system.
To reinstall it in the future, put the file back into the directory where you found it and register it with the following command.
windows\system32\regsvr32.exe windows\system32\scrrun.dll
Be sure to replace windows\system32 with the correct paths to scrrun.dll and regsvr32.exe.
To completely disable the Windows Scripting Host, you can uninstall it using the Windows 98 installer. For Windows 95 and Windows NT, delete the files cscript.exe and wscript.exe, which should be found in the \windows\system32 or \windows\system directories. The program cscript.exe is the VBScript command processor for use in a command window, and wscript.exe is the command processor for use in a "Windows" window. The program wscript.exe is the processor that runs when you double click on any .VBS program, such as the test program above.
In the event that you are unable to obtain code from an antivirus vendor to clean this worm, the following Visual Basic Script program should clean your system. The program was created from one written by Phil Taylor of Improveline by reversing the commands in the worm code. It should remove all infected files created by the current version of this worm and correct the registry entries. Note that this code deletes all files with the .vbs extension. If you have any .vbs files that you want to keep, be sure to change the extension or move them to another system before running this program. You should also check them to make sure that they are still the .vbs files that you expect and not a copy of the worm code.
Before using this code, test the system using the test above to see if the Windows Scripting Host is installed. If it is not installed, the virus did not run and you need only delete the e-mail message and the attached file. To use the following cleanup code, copy and paste it into a plain text file named fixer.vbs. Save the file, open a command window and type: cscript fixer.vbs. After running this code, search for files with the .vbs extension. You should find only fixer.vbs. Search also for WIN-BUGSFIX.exe and LOVE-LETTER-FOR-YOU.HTM and make sure you do not find them. For the Very Funny variant, search for Very Funny.HTM.
rem Loveletter fix (adapted from original virus code)
rem Also fixes the Very Funny variant.
rem Run this on infected PCs to clear LoveLetter.
rem by Phil Taylor, Improveline.com, ptaylor@improveline.com
rem revised by W. J. Orvis, CIAC 5/5/2000
On Error Resume Next
dim fso, dirsystem, dirwin, eq, myname
eq = ""
Set fso = CreateObject("Scripting.FileSystemObject")
' Name of this script, so the .vbs sweep below does not delete it
myname = lcase(fso.GetFileName(WScript.ScriptFullName))
main()

sub main()
    On Error Resume Next
    dim downread
    Wscript.echo "Starting " & myname
    Set dirwin = fso.GetSpecialFolder(0)     ' Windows directory (\windows or \winnt)
    Set dirsystem = fso.GetSpecialFolder(1)  ' System directory (\windows\system or \winnt\system32)
    ' Remove the copies of the worm dropped in the Windows and system directories
    Wscript.echo "Deleting " & dirsystem & "\MSKernel32.vbs"
    fso.DeleteFile(dirsystem & "\MSKernel32.vbs")
    Wscript.echo "Deleting " & dirwin & "\Win32DLL.vbs"
    fso.DeleteFile(dirwin & "\Win32DLL.vbs")
    Wscript.echo "Deleting " & dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs"
    fso.DeleteFile(dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs")
    Wscript.echo "Deleting " & dirsystem & "\Very Funny.vbs"
    fso.DeleteFile(dirsystem & "\Very Funny.vbs")
    Wscript.echo "Deleting " & dirsystem & "\LOVE-LETTER-FOR-YOU.HTM"
    fso.DeleteFile(dirsystem & "\LOVE-LETTER-FOR-YOU.HTM")
    Wscript.echo "Deleting " & dirsystem & "\Very Funny.HTM"
    fso.DeleteFile(dirsystem & "\Very Funny.HTM")
    regruns()
    Wscript.Echo "Looking for files to delete."
    listadriv()
    ' Remove the downloaded Trojan from the Internet Explorer download directory (or C:\ if none is set)
    downread = ""
    downread = regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
    if (downread = "") then
        downread = "c:\"
    end if
    Wscript.echo "Deleting " & downread & "\WIN-BUGSFIX.exe"
    fso.DeleteFile(downread & "\WIN-BUGSFIX.exe")
end sub

sub regruns()
    On Error Resume Next
    Dim downread
    Wscript.echo "Fixing Regkeys"
    ' Remove the two run keys that restart the worm at every boot
    Wscript.echo "Deleting: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32"
    regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32"
    Wscript.echo "Deleting: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL"
    regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL"
    ' Remove the run key for the Trojan when the Trojan file is present (fileexist returns 0 for an existing file)
    downread = ""
    downread = regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
    if (downread = "") then
        downread = "c:\"
    end if
    if (fileexist(downread & "\WIN-BUGSFIX.exe") = 0) then
        Wscript.echo "Deleting: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"
        regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"
    end if
    Wscript.echo "Setting the Internet Explorer start page to a blank."
    regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "about:blank"
end sub

sub listadriv()
    On Error Resume Next
    Dim d, dc
    Set dc = fso.Drives
    For Each d in dc
        ' DriveType 2 = fixed disk, 3 = network drive; skip drives that are not ready
        If (d.DriveType = 2 or d.DriveType = 3) and d.IsReady Then
            killfiles(d.path & "\")   ' files in the root directory
            folderlist(d.path & "\")  ' then every subfolder
        End If
    Next
end sub

sub killfiles(folderspec)
    On Error Resume Next
    dim f, f1, fc, ext, s, att
    set f = fso.GetFolder(folderspec)
    set fc = f.Files
    for each f1 in fc
        ext = lcase(fso.GetExtensionName(f1.path))
        s = lcase(f1.name)
        if ((ext = "vbs") or (ext = "vbe")) then
            ' Every .vbs/.vbe is treated as a copy of the worm (see the note above); keep only this script
            if s <> myname then
                Wscript.echo "Deleting " & f1.path
                fso.DeleteFile(f1.path)
            end if
        elseif (ext = "mp3") or (ext = "mp2") then
            ' The worm hid the original; clear the Hidden attribute (2) only if it is set
            set att = fso.GetFile(f1.path)
            if (att.attributes and 2) then
                Wscript.echo "Recovering mpeg file: " & f1.path
                att.attributes = att.attributes - 2
            end if
        end if
        ' Remove the script.ini the worm installs next to a mIRC installation (once per folder)
        if (eq <> folderspec) then
            if (s = "mirc32.exe") or (s = "mlink32.exe") or (s = "mirc.ini") or (s = "script.ini") or (s = "mirc.hlp") then
                Wscript.echo "Deleting IRC script.ini in " & folderspec
                fso.DeleteFile(fso.BuildPath(folderspec, "script.ini"))
                eq = folderspec
            end if
        end if
    next
end sub

sub folderlist(folderspec)
    On Error Resume Next
    dim f, f1, sf
    set f = fso.GetFolder(folderspec)
    set sf = f.SubFolders
    for each f1 in sf
        killfiles(f1.path)
        folderlist(f1.path)
    next
end sub

sub regdelete(regkey)
    Dim regedit
    Set regedit = CreateObject("WScript.Shell")
    regedit.RegDelete regkey
end sub

sub regcreate(regkey, regvalue)
    Dim regedit
    Set regedit = CreateObject("WScript.Shell")
    regedit.RegWrite regkey, regvalue
end sub

function regget(value)
    On Error Resume Next
    Dim regedit
    Set regedit = CreateObject("WScript.Shell")
    regget = regedit.RegRead(value)
end function

function fileexist(filespec)
    On Error Resume Next
    ' Returns 0 when the file exists and 1 when it does not (convention kept from the original code)
    if fso.FileExists(filespec) Then
        fileexist = 0
    else
        fileexist = 1
    end if
end function

function folderexist(folderspec)
    On Error Resume Next
    ' Same 0/1 convention as fileexist
    if fso.FolderExists(folderspec) then
        folderexist = 0
    else
        folderexist = 1
    end if
end function
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/ or http://ciac.llnl.gov (same machine -- either one will work)
Anonymous FTP: ftp.ciac.org or ciac.llnl.gov (same machine -- either one will work)