
VBS.LoveLetter.A Worm

CIAC INFORMATION BULLETIN

K-039e: VBS.LoveLetter.A Worm

May 5, 2000 00:00 GMT
[Revision A 5/5/2000 added .C variant Very Funny]
[Revision B 5/8/2000 added more variants]
[Revision C 5/8/2000 cleaning Microsoft Exchange]
[Revision D 5/11/2000 clarifications on deleting WSH]
[Revision E 5/18/2000 added more variants]
PROBLEM:       A new worm program named VBS.LoveLetter.A is spreading rapidly
               around the Internet using a variety of propagation methods.
               Multiple variants are also spreading.
PLATFORM:      Windows systems. To spread using e-mail requires Microsoft
               Outlook.
DAMAGE:        Mail servers are clogged with thousands of messages. All files
               of the following types are destroyed: .VBS, .VBE, .JS, .JSE,
               .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG. Files of type .MP2 and
               .MP3 have been replaced but the original files are still there
               but hidden. Some of the variants destroy .DLL, .INI, .EXE, and
               .COM files which render systems unbootable.
SOLUTION:      If you receive an e-mail message with the subject: "ILOVEYOU"
               with an attachment named: "LOVE-LETTER-FOR-YOU.TXT.vbs" do not
               open the attachment. If you have already run the attachment,
               shut the system down until you have a method for cleaning your
               system. Be sure your system is disconnected from the network
               before starting it up for cleaning.
               See the list below for files to watch for in the variants.

VULNERABILITY  The risk is HIGH. This worm is spreading rapidly throughout the
ASSESSMENT:    Internet.

The VBS.LoveLetter.A Worm

CIAC has information that the VBS.LoveLetter.A worm is spreading rapidly around the Internet. This worm uses multiple methods for spreading itself, making disinfection and removal a difficult process. If you have received this e-mail message and opened it but have not yet opened the attachment, you are not infected. Simply delete the e-mail message and the attachment. If you have opened the attachment, the safest thing to do is to shut down your system until you are prepared to clean up the worm. Be sure the system is disconnected from any network before starting it up for cleaning.

Variants

VBS.LoveLetter.A
The original worm, see description below.
Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini
VBS.LoveLetter.B, Lithuania, Susitikim
Subject: Susitikim shi vakara kavos puodukui...
  (translated: Let's meet this evening for a cup of coffee)
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini
VBS.LoveLetter.C, Very Funny, Joke
This variant is identical to the .A variant except for the name of the attached file and the subject and contents of the e-mail message.
Subject: fwd: Joke
Message Body: -nothing-
Attachment: Very Funny.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: Very Funny.HTM, WIN-BUGSFIX.exe, script.ini
VBS.LoveLetter.D, BugFix
This one has an error in the registry entry that loads the Trojan program. The entry points to WIN- BUGSFIX.exe instead of WIN-BUGSFIX.exe.
Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini
VBS.LoveLetter.E, Mothers Day
This version destroys .INI and .BAT files making systems unbootable. You will have to reinstall your system to clean this variant.
Subject: Mothers Day Order Confirmation
Message Body: We have proceeded to charge your credit card
  for the amount of $326.92 for the mothers day diamond
  special. We have attached a detailed invoice to this email.
  Please print out the attachment and keep it in a safe place.
  Thanks Again and Have a Happy Mothers Day!
  mothersday@subdimension.com
Attachment: mothersday.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .INI, .BAT
Hidden Files: .MP2, .MP3
Other Files: mothersday.HTM
VBS.LoveLetter.F, Virus Warning
Subject: Dangerous Virus Warning
Message Body: There is a dangerous virus circulating. Please
click attached picture to view it and learn to avoid it.
Attachment: virus_warning.jpg.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: Urgent_virus_warning.htm, WIN-BUGSFIX.exe, script.ini
VBS.LoveLetter.G, Virus Alert
This variant has a long body that purports to be a warning message from Symantec. The attachment installs the worm instead of cleaning it. This variant also does not try to download and install the Trojan program but instead changes the Internet Explorer start page to point to a porno site and changes the search pages to other sites. Note that this infection also destroys .COM and .BAT files, likely making the infected system unbootable. You will have to reinstall your system after being infected with this variant.
Subject: Virus ALERT!!!
Message Body: (long)
************************************
Dear Symantec customer,

Symantec's AntiVirus Research Center began receiving reports regarding
VBS.LoveLetter.A virus early morning on May 4, 2000 GMT.

This worm appears to originate from the Asia Pacific region. Distribution
of the virus is widespread and hundreds of thousands of machines are
reported infected.
The VBS.LoveLetter.A is an Internet worm that uses Microsoft Outlook to
e-mail itself as an attachment.
The subject line of the e-mail reads ILOVEYOU, with the attachment titled
LOVE-LETTER-FOR-YOU.TXT.VBS.
Once the attachment is opened, the virus replicates and sends an e-mail to
all e-mail addresses listed in the address book.
The virus also spreads itself via Internet relay chat and infects files on
local and remote drives including files with extensions vbs, vbe, js,
sje, css, wsh, sct, hta, jpg, jpeg, mp3, mp2.
Users should exercise caution when opening e-mails with this subject line,
even if the e-mail is from someone they know, as that is how the virus
is spread.

Symantec Corp. today announced availability of the virus definition to
detect, repair and protect users against the VBS.LoveLetter.A virus.
This definition is available now via Symantec's LiveUpdate and can also be
downloaded from the following web sites:

http://www.symantecstore.com/AF74211/promo/loveletter
http://www.digitalriver.com/symantec

Also as a quick solution Symantec Corp. offers Visual Basic Script to
protect your PC against this worm. (See attached.)

Note! When executed, this script will protect Your PC from being INFECTED
by VBS.LoveLetter.A virus.
To cure already infected PC's download Norton Antivirus Updates mentioned
above.

Symantec Corporation - a world leader in internet security technology.
************************************
Attachment: protect.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG, .BAT, .COM
Hidden Files: .MP2, .MP3
Other Files: protect.HTM, script.ini
VBS.LoveLetter.H, No Comments
This one is the same as variant A but has the comment lines at the beginning of the worm code removed.
Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini
VBS.LoveLetter.I, Important! Read carefully!!, Brainstorm
Subject: Important! Read carefully!!
Message Body: Check the attached IMPORTANT coming from me.
Attachment: IMPORTANT.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: IMPORTANT.HTM, WIN-BUGSFIX.exe
VBS.LoveLetter.J
This variant is largely the same as the G variant. Note that this infection also destroys .COM and .BAT files, likely making the infected system unbootable.
Subject: Virus ALERT!!!
Message Body: (long see G variant)
Attachment: protect.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG, .BAT, .COM
Hidden Files: .MP2, .MP3
Other Files: protect.HTM, script.ini
VBS.LoveLetter.K, Unnamed
Subject: How to protect yourself from the ILOVEYOU bug!
Message Body: Here's the easy way to fix the love virus.
Attachment: Virus-Protection-Instructions.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: Virus-Protection-Instructions.HTM
VBS.LoveLetter.L, I Cant Believe This!!!
Subject: I Cant believe this!!!
Message Body: I Cant Believe I have Just Recieved This Hate Email .. Take A Look!
Attachment: KillEmAll.TXT.VBS
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .GIF, .BMP
Hidden Files: .WAV, .MID
Other Files: KILER.HTM, KILLER2.VBS, KILLER1.VBS, script.ini
VBS.LoveLetter.M, Arab Air
This variant destroys .EXE and .DLL files so the system will likely not be bootable after the infection.
Subject: Thank You For Flying With Arab Airlines
Message Body: Please check if the bill is correct, by opening the attached file
Attachment: ArabAir.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .DLL, .EXE
Hidden Files: .SYS, .DLL
Other Files: no-hate-FOR-YOU.HTM, script.ini
VBS.LoveLetter.N, Variant Test
Subject: Variant Test
Message Body: This is a variant to the vbs virus.
Attachment: IMPORTANT.TXT.vbs
Destroyed files: .MPG, .MPEG, .AVI, .QT, .QTM
Hidden Files:
Other Files: sndvol32.vbs, IEAKDLL.vbs, important.htm, script.ini
VBS.LoveLetter.O
Same as A variant but with a different script.ini.
Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini
VBS.LoveLetter.P, Yeah Yeah
Subject: Yeah, Yeah another time to DEATH...
Message Body: This is the Killer for VBS.LOVE-LETTER.WORM.
Attachment: Vir-Killer.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .ZIP, .RAR
Hidden Files: .PAS, .ASM
Other Files:
VBS.LoveLetter.Q, LOOK!
Subject: LOOK!
Message Body: hehe...check this out.
Attachment: LOOK.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .XLS, .MDB
Hidden Files: .EXE, .LNK
Other Files: LOOK.HTM, script.ini
VBS.LoveLetter.R, Bewerbung
Subject: Bewerbung Kreolina
Message Body: Sehr geehrte Damen und Herren!
Attachment: BEWERBUNG.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: BEWERBUNG.HTM, script.ini
VBS.LoveLetter.S
Same as variant A but with some more comment lines in the code.
Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini
VBS.LoveLetter.T, BAND-AID
Subject: Recent Virus Attacks-Fix
Message Body: Attached is a copy of a script that will reverse the
effects of the LOVE-LETTER-TO-YOU.TXT.vbs as well as the FW:JOKE,
Mother's Day and Lithuanian siblings.
Attachment: BAND-AID.DOC.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files:
Deletes Files: .BAT, .GIF, .TIF, .TIFF, .WAV, .LNK, .BAK, .DOC,
               .XLS, .RTF, .TXT, .HTM, .HTML, .XML, .MNY, .ZIP,
               .BMP, .CAB, .INF, .MP2, .MP3
Other Files: BAND-AID.HTM, script.ini
VBS.LoveLetter.U, Presente
Subject: PresenteUOL
Message Body: O UOL tem um grande presente para voce, e eh
exclusivo.Veja o arquivo em anexo. Http://www.uol.com.br
Attachment: UOL.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3, .EXE, .COM, .INI
Other Files: UOL.HTM, script.ini
VBS.LoveLetter.V
Same as variant A with more comment lines in the code.
Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini
VBS.LoveLetter.W
Subject: IMPORTANT: Official virus and bug fix
Message Body: This is an official virus and bug fix. I got it
from our system admin. It may take a short while to update
your system files after you run the attachment.
Attachment: Bug and virus fix.vbs
Destroyed files: .EXE, .COM, .DLL, .SYS, .PWL, .TXT
Hidden Files:
Other Files: Bug and virus fix.htm , script.ini
VBS.LoveLetter.X, ANTI-VIRUS-LISTE
Subject: NEUE ANTI-VIRUS-LISTE
Message Body: Hiermit senden wir Ihnen/Dir eine
neue Liste mit LOVE-LETTER-VIRUS Namen, die nicht
geoeffnet werden sollten, bitte sofort lesen, danke.
Attachment: ANTI-VIRUS-LISTE.TXT.vbs
Destroyed files: .MDB, .PDF, .WSH, .DOT, .HTA, .JS, .DRV, .INI.
Hidden Files: .XLS, .DOC
Other Files: ANTI-VIRUS-LISTE.HTM, script.ini
VBS.LoveLetter.Y, LOOK!2
Similar to Q variant.
Subject: LOOK!
Message Body: hehe...check this out.
Attachment: LOOK.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .XLS, .MDB
Hidden Files: .MP2, .MP3
Other Files: LOOK.HTM, script.ini
VBS.LoveLetter.Z, BUG & VIRUS FIX
Subject: BUG & VIRUS FIX
Message Body: I got this from our system admin. Run this
to help pervent any recent or future bug & virus attack's.
It may take a small while up update your files.
Attachment: MAJOR BUG & VIRUS FIX.vbs
Destroyed files: .COM, .DLL, .EXE, .TXT, .BAT, .SYS
Hidden Files:
Other Files: BUG & VIRUS FIX.HTM, WIN-BUGSFIX.exe, script.ini
VBS.LoveLetter.AA
Same as variant A but with some more comment lines in the code.
Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini
VBS.LoveLetter.AB
Same as variant A but with some comment lines removed from the code.
Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe, script.ini
VBS.LoveLetter.AC, antivirusupdate
Subject: New Variation on LOVEBUG Update Anti-Virus!!
Message Body: There is now a newer variant of love bug.
It was released at 8:37 PM Saturday Night. Please
Download the following patch. We are trying to isolate
the virus. Thanks Symantec.
Attachment: antivirusupdate.vbs
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files: .MP2, .MP3
Other Files: antivirusupdate.htm, WIN-BUGSFIX.exe, script.ini
VBS.LoveLetter.AD
Subject: Image of the Millenium
Message Body: Hi, my name is Nelma Marisa, and I'm here to present the Image
of the Millenium. Just unzip Nelma.zip and read the readme file included
first. Then open the image called millenium.gif. Thanks...
Attachment: nelma.zip
Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA,
                 .JPG, .JPEG
Hidden Files:
Other Files:

Original Worm Operation

The worm typically arrives on your system in an e-mail message from someone you know or as an IRC DCC download. The e-mail message has the following characteristics:

Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

As long as you do not run the attachment, your system has not been infected. You need only delete the e-mail message and the attachment. However, if you open the attachment such as by double clicking it, the worm code in the attachment is run.

Note that while the attachment appears to be a text file, it is actually a Visual Basic Script (.vbs) file. VBS files are run by the Windows Scripting Host and the Windows Scripting Host is installed by several packages from Microsoft, including current versions of Internet Explorer. If the Windows Scripting Host is not installed, the worm cannot run.

When the Worm program runs, it first adds the following registry key and sets it to 0.

HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout = 0

It then makes copies of itself in the windows and system directories as follows:

\Windows\Win32DLL.vbs
\Windows\System\MSKernel32.vbs
\Windows\System\LOVE-LETTER-FOR-YOU.TXT.vbs

On a Windows NT machine, these would be the winnt and system32 folders.

The worm modifies the following registry keys to ensure that the worm is restarted whenever the system is restarted.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = \windows\system\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = \windows\Win32DLL.vbs

The worm checks to see if the file WinFAT32.exe exists. If it does, the worm randomly picks one of four web pages on www.skyinet.net and changes your Internet Explorer start page to point to a file on that page. The file is named WIN-BUGSFIX.exe. This file is stored in the Internet Explorer download directory or in C:\ if you do not have a download directory defined. The worm then modifies the following registry key to run that file the next time you start windows.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX = \directory\WIN-BUGSFIX.exe

where directory is where the program was downloaded to. The worm then resets Internet Explorer’s start page to a blank with the following key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page = about:blank

The worm next creates a html version of itself in the file:

\windows\system\LOVE-LETTER-FOR-YOU.HTM

The worm then looks for Microsoft Outlook and starts creating e-mail messages containing the Love Letter message and the infected file. It sends itself from you to everyone in all of your e-mail lists. To prevent sending itself twice to the same person, it puts a copy of each person’s e-mail address in the registry whenever it sends a message and checks that key before sending a message. You can get a list of everyone who your system sent a copy of this worm to by examining the registry key:

HKEY_CURRENT_USER\Software\Microsoft\WAB

The worm then starts corrupting your files with copies of itself. It scans all the drives on your system for the following file types:

.VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG.

All of these files are overwritten with the worm and all but the .vbs and .vbe files have the .vbs extension added on the right side of the existing file name extension to make the file executable. For example, the image file my.jpg would be overwritten with the worm code and the file name changed to my.jpg.vbs to make it appear to still be an image file but to actually be a .vbs file. Files of type .MP2 and .MP3 are not overwritten, but are hidden and a file containing the worm is created with the same file name plus the .vbs extension.
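The naming pattern described above (an image my.jpg becomes my.jpg.vbs; an .mp3 is hidden and a .mp3.vbs copy appears beside it) lets a responder inventory the damage from a directory listing before deciding what is recoverable. The following Python is an added example, not part of the bulletin or of the cleaning script below; it classifies file names by that pattern and, separately, groups script files by content hash, since every file the worm wrote is byte-identical. The demo builds a constructed temporary tree with a placeholder body, not the worm.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Extension classes taken from the bulletin's description of the original worm.
OVERWRITTEN_EXTS = {"js", "jse", "css", "wsh", "sct", "hta", "jpg", "jpeg"}  # overwritten, renamed <name>.<ext>.vbs
SCRIPT_EXTS = {"vbs", "vbe"}                                                  # overwritten in place, name kept
HIDDEN_EXTS = {"mp2", "mp3"}                                                  # hidden; <name>.mp3.vbs created beside


def assess_damage(names: List[str]) -> Dict[str, List[str]]:
    """Classify a directory listing (file names only) into worm copies and damaged originals."""
    present = {n.lower() for n in names}
    report: Dict[str, List[str]] = {
        "worm_copies": [],      # files that now hold worm code and can simply be deleted
        "destroyed": [],        # originals whose content is gone; only a backup brings them back
        "recoverable": [],      # originals still on disk that only need the Hidden bit cleared
        "suspect_scripts": [],  # .vbs/.vbe whose name alone cannot tell worm from legitimate script
    }
    for name in names:
        lower = name.lower()
        if lower.endswith(".vbe"):
            report["suspect_scripts"].append(name)
            continue
        if not lower.endswith(".vbs"):
            continue
        base = name[:-4]  # strip the ".vbs" the worm appended
        base_ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
        if base_ext in OVERWRITTEN_EXTS:
            report["worm_copies"].append(name)
            report["destroyed"].append(base)
        elif base_ext in HIDDEN_EXTS:
            report["worm_copies"].append(name)
            if base.lower() in present:
                report["recoverable"].append(base)
            else:
                report["destroyed"].append(base)
        else:
            report["suspect_scripts"].append(name)
    return report


def identical_script_clusters(directory: str) -> List[List[str]]:
    """Group .vbs/.vbe files under directory by SHA-256; a large cluster of identical scripts is the worm's signature."""
    by_hash: Dict[str, List[str]] = {}
    for root, _dirs, files in os.walk(directory):
        for fname in files:
            if fname.lower().rsplit(".", 1)[-1] not in SCRIPT_EXTS:
                continue
            path = os.path.join(root, fname)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            by_hash.setdefault(digest, []).append(path)
    return [sorted(paths) for paths in by_hash.values() if len(paths) > 1]


def run_demo() -> Dict[str, object]:
    """Build a constructed tree mimicking the damage pattern and analyse it (placeholder content, not the worm)."""
    root = tempfile.mkdtemp(prefix="loveletter-demo-")
    worm_body = b"rem constructed stand-in for the worm body\r\n"
    for rel in ("MSKernel32.vbs", "my.jpg.vbs", "music/song.mp3.vbs", "music/style.css.vbs"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(worm_body)
    with open(os.path.join(root, "music", "song.mp3"), "wb") as fh:
        fh.write(b"ID3 constructed audio placeholder")      # the hidden original, still intact
    with open(os.path.join(root, "fixer.vbs"), "wb") as fh:
        fh.write(b'msgbox "Got You"\r\n')                    # a legitimate script: different content
    listing = sorted(os.listdir(os.path.join(root, "music")))
    return {"music_report": assess_damage(listing), "clusters": identical_script_clusters(root)}


if __name__ == "__main__":
    print(run_demo())
```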

Lastly, the worm looks for IRC chat clients and servers and adds a script.ini file that sends a copy of the html version of the worm to anyone who connects to the IRC chat server.

The Trojan Program

We have not yet analyzed the Trojan program WIN-BUGSFIX.exe that is downloaded to your system. The following analysis is from Elias Levy (http://www.securityfocus.com/templates/article.html?id=28) at Security Focus. According to that article, the Trojan captures passwords and then sends them to mailme@super.net.ph using an SMTP server at 199.108.232.1 (port 25). The e-mail messages look like the following:

To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder

Host: kakker
Username: Default
IP Address: 10.67.101.123

RAS Passwords:

Cache Passwords:

BLABLA\MPM : xxx
BJORN\MUSIC : xxx
TOM\SHARED : xxx
TOM2\MP3 : xxx
www.server.com/: xxx:xxx
MAPI : MAPI

where all xxx's stand for plaintext usernames and passwords of SMB shares in the subnet.

Quick Test for the Windows Scripting Host

A quick test to see if you have the Windows Scripting Host installed is to create a text file named test.vbs containing the single line:

msgbox "Got You"

Save this file and then double click it. If the Windows Scripting Host is installed, a dialog box displaying the text "Got You" will appear. If instead the system opens a dialog asking what program it should use to open the file, the Windows Scripting Host is not installed.

If the Windows Scripting Host is not installed, this worm cannot run.

What You Should Do

If you have not been infected, do not execute attachments to e-mail messages that you were not expecting to receive. Look closely to see what kind of an attachment you are being sent. A .TXT file is safe to open but a .TXT.vbs is not.

If you ran the attachment but the Windows Scripting Host is not installed your system has not been compromised. Test your system to see if the Windows Scripting Host is installed using the simple test above.

If you do not need the Windows Scripting Host, you should consider disabling it using the instructions below.

If you have been infected, the safest thing to do is to reinitialize your system and reinstall all software. This is because while you can delete all instances of the worm, it is not possible to recover any of the damaged files. They must all be deleted. Most antivirus vendors should have detection and cleaning programs available for download to clean your system and we have included a cleaning program below. Keep in mind that some applications may not work because of the destroyed files.

While you are waiting to decide what to do about your infected system, you should disconnect that system from any network so the worm cannot spread from you and your passwords cannot be sent to the intruder.

What Administrators Should Do

System administrators should block connections to 199.108.232.1 port 25 and www.skyinet.net port 80. Log files of all attempted connections to 199.108.232.1 port 25 will give you a list of infected machines at your site. All incoming mail with the subject ILOVEYOU should be blocked. Check the list of variants for other subject lines to block. You should also consider blocking IRC to prevent infection through that path.
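Two of the administrator checks above, finding infected machines from connection attempts to 199.108.232.1 port 25 and screening mail by the subject lines and attachment names in the variant list, can be automated. The Python below is an added example, not part of the bulletin; the firewall log format is a constructed assumption, and the lure table is copied from this bulletin's variant list.

```python
import re
from typing import Iterable, List, Optional

# Constructed firewall log format assumed for this example, one connection attempt per line:
#   <date> <time> <ALLOW|DENY> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^\S+ \S+ (?P<action>ALLOW|DENY) TCP (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)
# The Trojan's password drop from the bulletin: any attempt to reach it means the host ran the worm.
TROJAN_SMTP = ("199.108.232.1", "25")


def infected_hosts(lines: Iterable[str]) -> List[str]:
    """Source addresses that tried to reach the Trojan's SMTP server, whether the firewall allowed it or not."""
    hosts = set()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (m.group("dst"), m.group("dport")) == TROJAN_SMTP:
            hosts.add(m.group("src"))
    return sorted(hosts, key=lambda ip: tuple(int(o) for o in ip.split(".")))


# (subject, attachment, variant) from the bulletin's variant list; variants sharing a lure are grouped.
KNOWN_LURES = [
    ("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs", "VBS.LoveLetter.A family"),
    ("Susitikim shi vakara kavos puodukui...", "LOVE-LETTER-FOR-YOU.TXT.vbs", "VBS.LoveLetter.B"),
    ("fwd: Joke", "Very Funny.vbs", "VBS.LoveLetter.C"),
    ("Mothers Day Order Confirmation", "mothersday.vbs", "VBS.LoveLetter.E"),
    ("Dangerous Virus Warning", "virus_warning.jpg.vbs", "VBS.LoveLetter.F"),
    ("Virus ALERT!!!", "protect.vbs", "VBS.LoveLetter.G/J"),
    ("Important! Read carefully!!", "IMPORTANT.TXT.vbs", "VBS.LoveLetter.I"),
    ("How to protect yourself from the ILOVEYOU bug!", "Virus-Protection-Instructions.vbs", "VBS.LoveLetter.K"),
    ("I Cant believe this!!!", "KillEmAll.TXT.VBS", "VBS.LoveLetter.L"),
    ("Thank You For Flying With Arab Airlines", "ArabAir.TXT.vbs", "VBS.LoveLetter.M"),
    ("LOOK!", "LOOK.vbs", "VBS.LoveLetter.Q/Y"),
    ("Recent Virus Attacks-Fix", "BAND-AID.DOC.vbs", "VBS.LoveLetter.T"),
    ("BUG & VIRUS FIX", "MAJOR BUG & VIRUS FIX.vbs", "VBS.LoveLetter.Z"),
]
SCRIPT_ATTACHMENT_RE = re.compile(r"\.(vbs|vbe)$", re.IGNORECASE)


def match_lure(subject: str, attachment: str) -> Optional[str]:
    """Name the listed variant a message matches, flag any other script attachment, or return None."""
    subj = subject.strip().lower()
    att = attachment.strip().lower()
    for known_subject, _, variant in KNOWN_LURES:     # subject first: variant B reuses A's attachment name
        if subj == known_subject.lower():
            return variant
    for _, known_attachment, variant in KNOWN_LURES:
        if att == known_attachment.lower():
            return variant
    if SCRIPT_ATTACHMENT_RE.search(att):              # a .TXT is safe, a .TXT.vbs is not
        return "unlisted script attachment"
    return None


# Constructed sample log: two internal hosts reach the drop address, one only touches port 80.
SAMPLE_LOG = [
    "2000-05-05 09:12:01 DENY TCP 10.1.2.33:1045 -> 199.108.232.1:25",
    "2000-05-05 09:12:07 ALLOW TCP 10.1.2.33:1046 -> 199.108.232.1:80",
    "2000-05-05 09:13:44 DENY TCP 10.1.2.57:1102 -> 199.108.232.1:25",
    "2000-05-05 09:14:02 ALLOW TCP 10.1.2.8:1200 -> 192.0.2.10:25",
]

if __name__ == "__main__":
    print("infected:", infected_hosts(SAMPLE_LOG))
    print(match_lure("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"))
```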

Microsoft Exchange users should check the Microsoft Security web site for instructions on cleaning Microsoft Exchange.

Disabling The Windows Scripting Host

Information on disabling the Windows Scripting Host was originally presented in CIAC Bulletin J-18 HTML Viruses. The Windows Scripting Host and Visual InterDev use the Scripting Runtime Library to access the file system on a host. Removing this library will prevent both of these systems from accessing a computer's file system. The Windows Scripting Host will still run; it just will not be able to access or create files on the hard drive (the test above will still run). The library is in a file named scrrun.dll and will normally be found in the \windows\system or \windows\system32 directories. Use the find command to find all occurrences of this file. Copy the file onto a floppy so you can reinstall it later if you need it. Delete all occurrences of the file on your system.

To reinstall it in the future, put the file back into the directory where you found it and register it with the following command.

windows\system32\regsvr32.exe windows\system32\scrrun.dll

Be sure to replace windows\system32 with the correct paths to scrrun.dll and regsvr32.exe.

To completely disable the Windows Scripting Host, you can uninstall it using the Windows 98 installer. For Windows 95 and Windows NT, delete the files cscript.exe and wscript.exe, which should be found in the \windows\system32 or \windows\system directories. The program cscript.exe is the VBScript command processor for use in a command window and wscript.exe is the command processor for use in a "Windows" window. The program wscript.exe is the processor that runs when you double click on any .VBS program such as the test program above.

Cleaning Your System

In the event that you are unable to get a cleaning tool from an antivirus vendor for this worm, the following Visual Basic Script program should clean your system. The program was created from one written by Phil Taylor of Improveline by reversing the commands in the worm code. It should remove all infected files created by the current version of this worm and correct the registry entries. Note that this code deletes all files with the .vbs extension. If you have any .vbs files that you want to keep, be sure to change the extension or move them to another system before running this program. You should also check them to make sure that they are still the .vbs files that you expect and not a copy of the worm code.

Before using this code, test the system using the test above to see if the Windows Scripting Host is installed. If it is not installed, the virus did not run and you need only delete the e-mail message and the attached file. To use the following cleanup code, copy and paste it into a plain text file named fixer.vbs. Save the file, open a command window and type: cscript fixer.vbs. After running this code, search for files with the .vbs extension. You should find only fixer.vbs. Search also for WIN-BUGSFIX.exe and LOVE-LETTER-FOR-YOU.HTM and make sure you do not find them. For the Very Funny variant, search for Very Funny.HTM.

rem Loveletter fix (adapted from original virus code)
rem Also Fixes Very Funny variant.
rem Run this on infected PC's to clear loveletter
rem by Phil Taylor Improveline.com ptaylor@improveline.com
rem revised by W. J. Orvis, CIAC 5/5/2000
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
main()

sub main()
On Error Resume Next
dim wscr,rr, downread
Wscript.echo "Starting fixer.vbs"
set wscr=CreateObject("WScript.Shell")
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
Wscript.echo "Deleting " & dirsystem & "\MSKernel32.vbs"
fso.DeleteFile(dirsystem&"\MSKernel32.vbs")
Wscript.echo "Deleting " & dirwin & "\Win32DLL.vbs"
fso.DeleteFile(dirwin&"\Win32DLL.vbs")
Wscript.echo "Deleting " & dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs"
fso.DeleteFile(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
Wscript.echo "Deleting " & dirsystem & "\Very Funny.vbs"
fso.DeleteFile(dirsystem&"\Very Funny.vbs")
Wscript.echo "Deleting " & dirsystem & "\LOVE-LETTER-FOR-YOU.HTM"
fso.DeleteFile(dirsystem&"\LOVE-LETTER-FOR-YOU.HTM")
Wscript.echo "Deleting " & dirsystem & "\Very Funny.HTM"
fso.DeleteFile(dirsystem&"\Very Funny.HTM")
regruns()
Wscript.Echo "Looking for files to delete."
listadriv()
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
if (downread="") then
  downread="c:\"
end if
Wscript.echo "Deleting " & downread & "\WIN-BUGSFIX.exe"
fso.DeleteFile(downread & "\WIN-BUGSFIX.exe")
end sub

sub regruns()
On Error Resume Next
Dim num,downread
Wscript.echo "Fixing Regkeys"
Wscript.echo "Deleting: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32"
regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32"
Wscript.echo "Deleting: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL"
regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL"
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
if (downread="") then
  downread="c:\"
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
  Wscript.echo "Deleting: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"
  regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"
end if
Wscript.echo "Setting the Internet Explorer start page to a blank."
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
end sub

sub listadriv
On Error Resume Next
Dim d,dc
Set dc = fso.Drives
For Each d in dc
  rem DriveType 2 = removable, 3 = fixed; CD-ROM and network drives are skipped
  If d.DriveType = 2 or d.DriveType=3 Then
    folderlist(d.path&"\")
  end if
Next
end sub

sub killfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3,size
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
  ext=fso.GetExtensionName(f1.path)
  size=f1.size
  ext=lcase(ext)
  s=lcase(f1.name)
  if ((ext="vbs") or (ext="vbe")) then
    if s<>"fixer.vbs" then
      Wscript.echo "Deleting " & s
      fso.DeleteFile(f1.path)
    end if
  elseif(ext="mp3") or (ext="mp2") then
    set att=fso.GetFile(f1.path)
    rem attribute bit 2 is Hidden; only clear it if the worm actually set it,
    rem otherwise subtracting 2 would corrupt the other attribute bits
    if (att.attributes and 2) then
      Wscript.echo "Recovering mpeg file: " & f1.path
      att.attributes=att.attributes-2
    end if
  end if
  if (eq<>folderspec) then
    if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
      Wscript.echo "Deleting  IRC script.ini"
      fso.DeleteFile(folderspec&"\script.ini")
      eq=folderspec
    end if
  end if
next
end sub

sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
  killfiles(f1.path)
  folderlist(f1.path)
next
end sub

sub regdelete(regkey)
Set regedit = CreateObject("WScript.Shell")
regedit.RegDelete regkey
end sub

sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub


function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function

function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
  msg = 0
else
  msg = 1
end if
fileexist = msg
end function

function folderexist(folderspec)
On Error Resume Next
dim msg
rem FileSystemObject provides FolderExists (there is no GetFolderExists method)
if (fso.FolderExists(folderspec)) then
  msg = 0
else
  msg = 1
end if
folderexist = msg
end function

Thanks to Elias Levy of Security Focus for his analysis and Phil Taylor of Improveline for his repair script.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788