Virus spirits in the week of 25 May to 03 June 2001

Information about new viruses and how they work
This information is updated periodically
I Love you
A new worm (a kind of virus), written in VBScript, is circulating through the Net.
Within a few hours hundreds of computers were infected and dozens of e-mail servers suffered. The name of the worm is VBS.LoveLet; specialists have named it VBS.ILoveYou.Worm.

The most important thing to do is not to open an e-mail with the subject "I love you", "ILOVEYOU" or "love letter for you", or any variant of that text. The e-mail may contain a Visual Basic script known as "LOVE-LETTER-FOR-YOU.vbs", which comes attached to the message. In some cases the attachment may appear to be a TXT, JPG, MP3 or other type of file. The virus uses a dangerous technique called "double extension". This technique makes the attachment appear innocent by hiding its original extension from the user. The LoveLet worm may also spread through chat applications such as mIRC.

How LoveLet works:

1) First it attempts to spread to all the e-mail addresses in the address book.
2) On Windows 98 machines, it will try to download and execute the virus called "WIN-BUGSFIX.exe". To do that, LoveLet accesses several sites on the Web.
3) The start page of Internet Explorer becomes blank.
4) The worm will search all connected drives and infect VBScript, JavaScript and JScript files, through the extensions VBS, VBE, JS, JSE, CSS, WSH, SCT and HTA.
5) It will also search for all MP3, MP2, JPG and JPEG files and create a VBS file with the corresponding name and extension, using the "double extension" technique. For example, if LoveLet finds a file called "mysong.mp3", it will turn it into an infected file with the name "mysong.mp3.vbs". If that file is executed, it will infect the system.
6) LoveLet will try to send an infected HTML file, under the name "LOVE-LETTER-FOR-YOU.htm", to mIRC users.
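A file-name check for the "double extension" pattern from step 5, together with the file names this page lists for removal. This is an added example, not code from the original page or from any product it mentions; the decoy extension list, the omission of CSS and the sample paths are assumptions made for illustration.

```python
import ntpath
import os

# Script extensions from step 4 of the page's list (CSS left out here as an
# assumption, to keep false positives down).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}
# Harmless-looking types the page says the worm imitates or overwrites.
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".mp3", ".mp2"}
# File names from the page's removal list, lower-cased.
KNOWN_NAMES = {
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.vbs",
    "love-letter-for-you.htm", "winfat32.exe", "win-bugsfix.exe",
}


def classify(path):
    """Return 'known-artifact', 'double-extension' or None for one file path."""
    # ntpath understands both '\\' and '/' separators on any platform.
    name = ntpath.basename(path).lower().rstrip(". ")
    if name in KNOWN_NAMES:
        return "known-artifact"
    stem, last = ntpath.splitext(name)
    inner = ntpath.splitext(stem)[1].strip()  # tolerate "a.jpg     .vbs" padding
    if last in SCRIPT_EXTS and inner in DECOY_EXTS:
        return "double-extension"
    return None


def scan_names(paths):
    """Return [(path, verdict)] for every path that classify() flags."""
    return [(p, v) for p in paths if (v := classify(p))]


def scan_tree(root):
    """Walk a directory tree and flag suspicious file names under it."""
    found = []
    for folder, _dirs, files in os.walk(root):
        found += scan_names(os.path.join(folder, f) for f in files)
    return found


if __name__ == "__main__":
    # Constructed sample listing, not taken from a real system.
    sample = [r"C:\WINDOWS\SYSTEM\MSKERNEL32.VBS", r"D:\music\mysong.mp3.vbs",
              r"D:\music\other.mp3", r"C:\scripts\backup.vbs"]
    for path, why in scan_names(sample):
        print(f"{why:17} {path}")
```

A plain script such as "backup.vbs" is not flagged: the check targets the disguise (a media or text extension followed by a script extension), not scripts in general.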

What to do:

1) Don't open any e-mail with the subject "ILoveYou", "ILOVEYOU" or "love letter for you". The message body will say "kindly check the attached LOVELETTER coming from me."

2) If you suspect your system is infected, you should find and delete all of the files below from it:

"MSKernel32.vbs"
"Win32DLL.vbs"
"LOVE-LETTER-FOR-YOU.vbs"
"LOVE-LETTER-FOR-YOU.htm"
"WinFAT32.exe" in the Windows download directory
"WIN-BUGSFIX.exe" also in the Windows download directory
"script.ini" in the mIRC folder

3) Networks that have the eSafe Gateway can filter attachments with VBS extensions, as well as block e-mails with the lines "ILoveYou", "ILOVEYOU" or "love letter for you" in the subject.

4) Users of eSafe Desktop (and Enterprise) may download the update from the HOT Update on Aladdin's site, or get it using the "Update" function of eSafe Desktop.

eSafe Desktop is totally free! :)

Procedure in case of infection

For those who are infected with the I Love You virus


Below is how to clear the I LOVE YOU virus.
Clear procedure:
1. Delete the MSKERNEL32.VBS file in the directory c:\windows\system if your system is using Windows 95/98. If your system is using Windows NT Workstation, the file is in the directory c:\winnt\system32.
2. Open Regedit and go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Run and delete the key MSKERNEL32.VBS pointing to c:\windows\system.
Note: That's the file (MSKERNEL32.VBS) that triggers the whole process of e-mail reply and changes in Windows.
3. The virus also changes your Internet main page, placing the address Skynet.net\...etc. To change it, click with the right mouse button on the Internet Explorer icon on your desktop. On the General tab, change the address Skynet to About:Blank or to your favourite page and click OK.
4. It is recommended to create rules in Outlook/GroupWise etc. to ignore e-mails with the subject I LOVE YOU.

Reboot your computer and repeat the operation if necessary.


Felipe Moniz
Security Analyst (AKS-BR)
Aladdin CSRT
Content Security Response Team


To block access to your system and remove I Love You and its mutations, you only need a small free program.


New mutations

New mutations (B, C and D) of the "I Love You" virus have been found on the Net.
The new mutations are similar to the original worm.
- VBS.LoveLet.B comes in an e-mail with the subject "fwd: Joke" and an attachment called "Very Funny.vbs".
- VBS.LoveLet.C comes in an e-mail with the subject "Susitikim shi vakara kavos puodukui...".
- VBS.LoveLet.D comes in an e-mail with the subject "Mothers Day Order Confirmation" and an attachment called "motherday.vbs".
The virus creates the following keys in the Windows registry, which should be deleted to prevent its automatic execution:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
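The mail filtering described on this page (blocking by subject line and by VBS attachment), applied to the original worm and the B, C and D subjects listed above. This is an added example, not code from the original page or from eSafe; the extension policy list, the addresses and the sample messages are constructed. It shows why the attachment rule matters: a message with a subject no list has seen yet is still stopped by its script attachment.

```python
import ntpath
from email.message import EmailMessage

# Subject fragments quoted on the page for the original worm and variants B-D.
SUBJECTS = ("iloveyou", "i love you", "love letter for you", "fwd: joke",
            "susitikim shi vakara kavos puodukui",
            "mothers day order confirmation")
# Script attachment types a gateway would refuse (assumed policy list).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}


def verdict(msg):
    """Return (action, reasons) for one parsed EmailMessage."""
    reasons = []
    # Lower-case and collapse whitespace so spacing tricks do not evade the match.
    subject = " ".join(str(msg.get("Subject", "")).lower().split())
    if any(s in subject for s in SUBJECTS):
        reasons.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if ntpath.splitext(name)[1] in SCRIPT_EXTS:
            reasons.append("attachment:" + name)
    return ("block" if reasons else "deliver", reasons)


def make_msg(subject, filename=None):
    """Build a constructed test message; the attachment body is inert text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    if filename:
        msg.add_attachment(b"inert placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    samples = [make_msg("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
               make_msg("fwd: Joke", "Very Funny.vbs"),
               make_msg("Meeting notes", "notes.txt.vbs"),  # unseen subject
               make_msg("Meeting notes", "notes.txt")]
    for m in samples:
        print(m["Subject"], "->", verdict(m))
```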

To check whether your computer is contaminated, do the following:
1- On the Windows desktop, click with the right mouse button on the Internet Explorer icon.
2- Click with the left mouse button on the word Properties.
3- A window titled Internet Properties will appear.
4- On the General tab, see if the home page configuration is correct.

A fix for the problem is already available (McAfee version).


If you suspect you are infected with one of these viruses and you are having problems, write to Virus doctor. It's a free service.
Copyright CT1ZR. For more information, contact me.