Non-Tech : The "ILoveYou" Virus

To: Scarecrow who wrote (1)5/4/2000 12:14:00 PM
From: Scarecrow  Read Replies (2) of 29
 
More information on repair:

If you have gotten this virus DO NOT RESTART YOUR PC!!!

The purpose of this email is three-fold -
1) To explain the ILOVEYOU virus
2) To explain how to remove it from your system
3) To provide you with information to send to the people on your mailing list

Explanation

Most of the information below is taken from
<http://www.europe.datafellows.com/v-descs/love.htm>.

VBS/LoveLetter (AKA - ILOVEYOU) is a VBScript worm. It spreads thru email as
a chain letter.

The worm uses the Outlook e-mail application to spread by sending to
everyone in your address book and contact list. LoveLetter is also an
overwriting VBS virus, and it spreads itself using mIRC client as well.

When it is executed, it first copies itself to Windows System directory as:

- MSKernel32.vbs
- LOVE-LETTER-FOR-YOU.TXT.vbs

and to Windows directory:

- Win32DLL.vbs

Then it adds itself to registry, so it will be executed when the system is
restarted. The registry keys that it adds are:


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

Next the worm replaces the Internet Explorer home page with a link that
points to an executable program, "WIN-BUGSFIX.exe". If the file is
downloaded, the worm adds this to the registry as well, causing the program
to be executed when the system is restarted.

Then the worm will use Outlook to mass mail itself to everyone in each
address book. The message that it sends will be as follows:

Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.

LoveLetter sends the mail once to each recipient. After a mail has been
sent, it adds a marker to the registry and does not mass mail itself any more.

The virus then searches for certain filetypes on all folders on all local
and remote drives and overwrites them with its own code. The files that are
overwritten have either "vbs" or "vbe" extension.

For the files with the following extensions: ".js", ".jse", ".css", ".wsh",
".sct" and ".hta", the virus will create a new file with the same name, but
using the extension ".vbs". The original file will be deleted.

Next the virus locates files with ".jpg", ".jpeg", ".mp3" or ".mp2",
adds a new file next to it and deletes the original file. For example, a
picture named "pic.jpg" will cause a new file called "pic.jpg.vbs" to be
created.

Removal

WARNING - UNLESS YOU FEEL CONFIDENT THAT YOU KNOW WHAT YOU ARE DOING, ASK A
GEEK FRIEND TO HELP YOU!!! I AM NOT RESPONSIBLE FOR ANY DAMAGE CAUSED FROM
THE FOLLOWING INSTRUCTIONS.

There are several ways to remove this virus
1) Update your virus definition files and do a full scan of your machine
2) Manual removal. If the virus is found, you should go through this list anyway to be certain the virus is gone
   a. Search all hard drives on your PC for *.vbs.
   b. Sort the results by date
   c. Delete any files that have a date of 5/4/00
   d. Also search for WINFAT32.EXE and, if found, delete it.
   e. Open up your Control Panel
   f. Open up Internet Options
   g. On the General Tab, make sure that the Address for your Home Page does not have the text "WIN-BUGSFIX.exe"
   h. Go to your Start Button and Select "Run"
   i. Type in "regedit" (without the quotes)

WARNING - EDITING YOUR REGISTRY CAN CAUSE YOUR PC TO NOT FUNCTION OR
FUNCTION INCORRECTLY. UNLESS YOU FEEL CONFIDENT THAT YOU KNOW WHAT YOU ARE
DOING, ASK A GEEK FRIEND TO HELP YOU!!! I AM NOT RESPONSIBLE FOR ANY DAMAGE
CAUSED FROM THE FOLLOWING INSTRUCTIONS.

   j. Look for the following entries and delete the following FOLDERS (folders are on the LeftHand side of the window).
      i. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
      ii. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
      iii. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-
      iv. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-
   k. After deleting these keys, you should be safe from the virus.

If you have restarted your PC before checking the above, talk to your sys
admin or a geek friend and ask them to help you.

Notification

The following link provides information about this virus -
<http://www.europe.datafellows.com/v-descs/love.htm>. You may, although you
might want to check with Rebecca, forward this email on to people that
you've sent in your contact list.
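
The file indicators named in the post above, turned into a read-only scan, as an added example that is not part of the original post. The file names and extensions come from the post; the function names (`classify`, `scan`, `demo`) and the sample directory tree are constructed for illustration, and a name match is an indicator to investigate, not proof of infection.

```python
import os
import tempfile

# File names the post lists (compared case-insensitively).
DROPPED_NAMES = {"mskernel32.vbs", "love-letter-for-you.txt.vbs",
                 "win32dll.vbs", "win-bugsfix.exe", "winfat32.exe"}
# Media extensions the post says get a ".vbs" twin, e.g. pic.jpg.vbs.
MEDIA_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}

def classify(path):
    """Return a reason string if the file matches an indicator, else None.

    For media twins, also report whether the original file is gone."""
    name = os.path.basename(path).lower()
    if name in DROPPED_NAMES:
        return "dropped-file name"
    stem, ext = os.path.splitext(name)
    if ext == ".vbs" and os.path.splitext(stem)[1] in MEDIA_EXTS:
        if os.path.exists(path[:-len(".vbs")]):
            return "media double extension (original still present)"
        return "media double extension (original missing)"
    return None

def scan(root):
    """Walk root and return sorted (relative path, reason) pairs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                hits.append((os.path.relpath(full, root), reason))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample input: empty files, names only."""
    for rel in ("system/MSKernel32.vbs", "Win32DLL.vbs", "pics/pic.jpg.vbs",
                "pics/holiday.jpg", "music/song.mp3", "music/song.mp3.vbs",
                "scripts/backup.vbs", "notes.txt"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Pointing `scan()` at a mounted copy of the affected drive keeps the check off the infected system itself, and nothing is deleted or modified.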