To: greenspirit who wrote (18123) 5/4/2000 4:22:00 PM From: DMaA
Only one guy in our office got it - so far. Some info I collected on the "Love Bug" today:

The DOD-CERT is aware of the "A-Love-Letter-For-You" email with the attachment of LOVELETTER.TXT.VBS. We are currently working with both Symantec and Network Associates. The current signatures and .dat files do not detect this virus (worm). In the meantime, if you do receive this email, PLEASE DELETE IT. DO NOT OPEN OR VIEW THE ATTACHMENT. Check back here often, as we will post the remedy when we get it from the vendor.

The information we have on LoveLetter is as follows:

VBS/LoveLetter is a VBScript worm. It spreads through email as a chain letter. The worm uses the Outlook e-mail application to spread. LoveLetter is also an overwriting VBS virus, and it spreads itself using the mIRC client as well.

When it is executed, it first copies itself to the Windows System directory as:
- MSKernel32.vbs
- LOVE-LETTER-FOR-YOU.TXT.vbs
and to the Windows directory:
- Win32DLL.vbs

Then it adds itself to the registry, so it will be executed when the system is restarted. The registry keys that it adds are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

Next the worm replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe". If the file is downloaded, the worm adds this to the registry as well, so that the program will be executed when the system is restarted.

After that, the worm creates an HTML file, "LOVE-LETTER-FOR-YOU.HTM", in the Windows System directory. This file contains the worm, and it will be sent using mIRC whenever the user joins an IRC channel.

Then the worm will use Outlook to mass mail itself to everyone in each address book. The message that it sends will be as follows:
Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

LoveLetter sends the mail once to each recipient. After a mail has been sent, it adds a marker to the registry and does not mass mail itself any more.

The virus then searches for certain file types in all folders on all local and remote drives and overwrites them with its own code. The files that are overwritten have one of these extensions: ".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta"

The virus also tries to use companion techniques, adding a secondary file next to an existing file, hoping that the user will click on the wrong file. This is done so that the virus locates files with jpg, jpeg, mp3 and mp2 extensions and adds a new file next to them. For example, a picture named "pic.jpg" will cause a new file called "pic.jpg.vbs" to be created.

LoveLetter was found globally in the wild on May 4th, 2000. It looks like the virus is of Philippine origin. At the beginning of the code, the virus contains the following text:
rem barok -loveletter(vbe) < i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines

Here is the fix from Trend Micro (http://www.antivirus.com/pc-cillin/.../default5.asp?VName=VBS_LOVELETTER):
1. Click Start/Run, type REGEDIT and hit the Enter key.
2. In the left panel, click the "+" to the left of the following: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. In the right panel, search for the registry key that contains the data value of ...\MSKernel32.vbs and WIN-BUGSFIX.exe. These are the registry keys that grant the capability to load the worm whenever Windows starts up.
4. In the right window, highlight the registry key that loads the file and press the DELETE key. Answer YES to delete the entry.
5. Search for the registry key that contains the data value of Win32DLL.vbs. This is the registry key that enables the worm to run each time Windows is started.
6. In the right window, highlight the registry key that loads the file and press the DELETE key. Answer YES to delete the entry.
7. Exit the Registry.
8. Click Start/Shutdown, choose "Restart in MS-DOS mode" and click OK.
9. After the computer has restarted, go to directory C:\.
10. Subsequently type DEL win-bugsfix.exe.
11. Press Ctrl-Alt-Del to allow Windows to restart.

That is all I know. I wish that I could help more. I would recommend, if you have further problems, going to the web site listed above.

I posted this on the other threads but it is appropriate here too. The office I work in in the military has been researching the virus trail a little -- here is a little history we have been able to put together so far.

It is now fairly certain (about 70%) that this originated in the Philippines - sometime yesterday ET. From there it made its way to corporate computers in Hong Kong yesterday afternoon (actually this afternoon, or last night our time, but that's a time zone thing). Once in HK it spread throughout the corporate and financial sectors of Hong Kong. Since most of the firms in Hong Kong have home offices or subsidiary offices worldwide, the e-mail systems chugged merrily along filling corporate e-mails worldwide. As people came to work this morning -- Eurasia, Europe, UK, then finally US -- the thing hopscotched and blossomed (remember it was already sent from Hong Kong offices to these offices), so as people fired up their e-mails and saw this and opened it, it continued on its way. THINK OF THE OLD COMMERCIAL - I TOLD 2 FRIENDS and THEY TOLD 2 FRIENDS and so on. So by the time people in NY, Wash etc. got to work this morning their e-mails were already saturated - they then added to the mess. By this time it had found a .MIL address and jumped to the DoD world (we have pinpointed our base entry point but it received the e-mail from another base) - from there it did not take long to spread from BASE TO BASE. By all accounts this virus is maybe 12-18 hours old and it is already completely around the world. Corporate headquarters, military bases, financial centers all have their e-mail systems either down or isolated.

Basically almost all e-commerce and e-mail traffic has been brought to a standstill -- IN 18 HOURS!!!!!!!!!!!! Anyone out there who still questions the ability and threat cyber-terrorism poses!!!!
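Added example, not from the post above nor from DOD-CERT or Trend Micro: a small Python triage script that turns the indicators the post lists (dropped file names, the Run/RunServices values, the "pic.jpg" / "pic.jpg.vbs" companion trick, and the double-extension attachment name) into checks a responder could run over a file inventory and an export of the autostart values. The file list and registry values below are constructed samples; the value name used for WIN-BUGSFIX.exe is a placeholder, since the post gives only its data.

```python
"""Triage checks for the VBS/LoveLetter indicators listed in the post.
All inputs are constructed so the checks run offline on any OS; a real
run would walk the drives and export the Run/RunServices values."""
import ntpath  # Windows path rules regardless of the host OS

# File names the post says the worm drops into the Windows / System directories.
DROPPED = {"mskernel32.vbs", "love-letter-for-you.txt.vbs", "win32dll.vbs",
           "love-letter-for-you.htm", "win-bugsfix.exe"}
# Media types the worm shadows with a same-named .vbs (pic.jpg -> pic.jpg.vbs).
COMPANION_HOSTS = {".jpg", ".jpeg", ".mp3", ".mp2"}
# Payload names that no Run/RunServices value should point at.
RUN_TARGETS = ("mskernel32.vbs", "win32dll.vbs", "win-bugsfix.exe")
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}

def find_dropped(paths):
    """Paths whose file name matches one of the worm's dropped files."""
    return sorted(p for p in paths if ntpath.basename(p).lower() in DROPPED)

def find_companions(paths):
    """.vbs files sitting next to the media file they imitate (returned lowercased)."""
    present = {p.lower() for p in paths}
    hits = []
    for p in present:
        host, ext = ntpath.splitext(p)  # "x\pic.jpg.vbs" -> ("x\pic.jpg", ".vbs")
        if ext == ".vbs" and ntpath.splitext(host)[1] in COMPANION_HOSTS and host in present:
            hits.append(p)
    return sorted(hits)

def find_run_entries(values):
    """(subkey, value name) of autostart values whose data points at a worm file."""
    return [(k, n) for k, n, data in values if data.lower().endswith(RUN_TARGETS)]

def is_double_extension_script(attachment):
    """True for names like LOVE-LETTER-FOR-YOU.TXT.vbs: a script behind a data extension."""
    stem, ext = ntpath.splitext(attachment.lower())
    return ext in SCRIPT_EXTS and ntpath.splitext(stem)[1] != ""

# Constructed sample inventory (not taken from a real machine).
FILES = [r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", r"C:\WINDOWS\Win32DLL.vbs",
         r"C:\My Documents\pic.jpg", r"C:\My Documents\pic.jpg.vbs",
         r"C:\My Documents\song.mp3", r"C:\My Documents\song.mp3.vbs",
         r"C:\My Documents\notes.txt", r"C:\Tools\helper.vbs"]
# Constructed Run/RunServices export: (subkey, value name, data).
# "WIN-BUGSFIX" as a value name is a placeholder; the post only gives the data.
RUN_VALUES = [("Run", "MSKernel32", r"C:\WINDOWS\SYSTEM\MSKernel32.vbs"),
              ("RunServices", "Win32DLL", r"C:\WINDOWS\Win32DLL.vbs"),
              ("Run", "ScanRegistry", r"C:\WINDOWS\scanregw.exe /autorun"),
              ("Run", "WIN-BUGSFIX", r"C:\WIN-BUGSFIX.exe")]

if __name__ == "__main__":
    print("dropped:", find_dropped(FILES))
    print("companions:", find_companions(FILES))
    print("autostart:", find_run_entries(RUN_VALUES))
    print("attachment:", is_double_extension_script("LOVE-LETTER-FOR-YOU.TXT.vbs"))
```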