RootsWeb.com Mailing Lists
Fw: [OHWOOD] Fw: VBS/LoveLet-A Virus Alert
Ila L. LaRue

----- Original Message -----
From: Lynn <cestus3@inetnebr.com>
To: <OHWOOD-L@rootsweb.com>
Sent: Thursday, May 04, 2000 5:39 PM
Subject: [OHWOOD] Fw: VBS/LoveLet-A Virus Alert

> This came from my ISP, and I have their permission to forward it to any and
> all lists!!
> This contains an easy check to see if you are infected, and step by step
> instructions on how to remove it if you are!!
> Lynn
>
> -----Original Message-----
> From: System Manager <manager@inetnebr.com>
> To: all@inebraska.com <all@inebraska.com>
> Date: Thursday, May 04, 2000 1:38 PM
> Subject: VBS/LoveLet-A Virus Alert
>
>
> >Dear friends and customers,
> >
> >It has come to our attention at Internet Nebraska that a new virus exists called
> >VBS/LoveLetter. This virus spreads itself as an email chain letter, and
> >is very quick to proliferate itself. The virus spreads through the
> >Microsoft Outlook email client and the mIRC Internet relay chat client.
> >An infected person will automatically send the virus to everyone in
> >their email address book.
> >
> >We are doing what we can to disallow entry of this virus onto our system.
> >Those of you unfortunate enough to have already downloaded a copy should
> >do the following:
> >
> >o If you have not run the attached file, delete the message immediately;
> >
> >o If you have run it, follow these steps to remove it:
> >
> >1. If Outlook is running, turn it off now! There is still a chance
> >that the messages in your Outbox were not sent yet. Unplug your
> >network adapter/modem to ensure that you cannot accidentally
> >connect, open Outlook again, and delete all entries from your
> >Outbox.
> >
> >2. Close Outlook.
> >
> >3. Run regedit.exe (Click Start->Run, enter 'regedit' and click OK).
> >
> >4. Go to HKEY_CURRENT_USER->Software->Microsoft->Windows Script
> >Host->Settings. If there is an entry for Timeout, delete it. I did
> >not have this, but the source code looks like it may exist.
> >
> >5. Go to HKEY_CURRENT_USER->Software->Microsoft->Internet
> >Explorer->Main. Scroll down until you see an entry for Start Page.
> >Double click on it, and edit it so it reflects the correct start
> >page (Such as http://www.inebraska.com).
> >
> >6. Go to
> >HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->
> >Run. Delete the entry for MSKernel32.
> >
> >7. Go to
> >HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->
> >RunServices. Delete the entry for Win32DLL.
> >
> >8. Go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. If there
> >is an entry for WIN-BUGSFIX, delete it.
> >
> >9. Go to
> >HKEY_CURRENT_USER->Software->Microsoft->Windows->CurrentVersion->
> >Explorer->Doc Find Spec MRU. This entry contains all of the most
> >recently used files. It would be a good idea to delete all of the
> >entries.
> >
> >10. Open Windows Explorer (Start->Programs->Windows Explorer). Go to
> >c:\windows\system (or c:\winnt\system32) and delete
> >MSKernel32.vbs, LOVE-LETTER-FOR-YOU.HTM, and
> >LOVE-LETTER-FOR-YOU.TXT.vbs. Also, delete Win32DLL.vbs from the
> >Windows directory.
> >
> >11. This is the most painful part. This virus replaces every file with
> >the following file extensions: vbs, vbe, js, jse, css, wsh, sct,
> >hta, jpg, jpeg, mp3, mp2. You can't get the files back, but you
> >can at least delete them pretty easily. Do a search for all files
> >with the .vbs or .vbe extension (Start->Find and enter '*.vbs
> >*.vbe' in the Named field, then click Find Now). Select all of the
> >results, and hit delete.
> >
> >12. Finally, you will need to do a search for a couple of other misc.
> >files that may be on your machine now. Search for WIN-BUGSFIX.exe
> >or WIN_BUGSFIX-32.exe (if you opened Internet Explorer after
> >getting the bug), script.ini (if you use mIRC), and possibly
> >WinFAT32.exe. If you have any of these two files, delete them.
> >
> >13. When all of the files are deleted, it would be a good idea to
> >empty your recycle bin.
> >
> >Aside from adding several keys to the Windows registry, the virus
> >changes Internet Explorer's default home page to a local file called
> >WIN-BUGSFIX.exe which causes that file to be run when Internet Explorer
> >is started. This virus is classified as a trojan horse, and can easily
> >be identified in your incoming email by the following:
> >
> >Subject: ILOVEYOU
> >Body: kindly check the attached LOVELETTER coming from me.
> >Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
> >
> >The worm also creates an HTML file, "LOVE-LETTER-FOR-YOU.HTM", in the
> >Windows System directory. This file contains the worm, and it will be sent
> >using mIRC whenever the user joins an IRC channel.
> >
> >The virus then searches for certain file types on all folders on all local
> >and remote drives and overwrites them with its own code. The files that are
> >overwritten have either "vbs" or "vbe" extension.
> >
> >For the files with the following extensions: ".js", ".jse", ".css", ".wsh",
> >".sct" and ".hta", the virus will create a new file with the same name, but
> >using the extension ".vbs". The original file will be deleted.
> >
> >Next the virus locates files with ".jpg", ".jpeg", ".mp3" or ".mp2",
> >adds a new file next to it and deletes the original file. For example, a
> >picture named "pic.jpg" will cause a new file called "pic.jpg.vbs"
> >to be created.
> >
> >LoveLetter was found globally in-the-wild on May 4th, 2000. It looks like the
> >virus is of Philippine origin.
> >--
> >Internet Nebraska System Manager - manager@inebraska.com
> >0019
> >

    05/04/2000 03:15:12
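
An added example, not part of the forwarded alert: a small Python triage helper that sorts an exported file listing and the value names found under the Run/RunServices keys into the indicator groups the alert describes. The function names, finding labels and sample inventory are assumptions made for this illustration; the file names, Run value names and extensions are the ones given in the message.

```python
from pathlib import PureWindowsPath

# Indicators copied from the alert above (compared case-insensitively).
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.htm",
           "love-letter-for-you.txt.vbs", "win-bugsfix.exe",
           "win_bugsfix-32.exe", "winfat32.exe"}
RUN_VALUES = {"mskernel32", "win32dll", "win-bugsfix"}
MEDIA_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}  # original deleted, <name>.vbs left
SCRIPT_EXTS = {".vbs", ".vbe"}                  # overwritten in place per the alert


def classify_file(path):
    """Return a finding label (hypothetical names) for one path, or None."""
    p = PureWindowsPath(path)
    suffixes = [s.lower() for s in p.suffixes]
    if p.name.lower() in DROPPED:
        return "dropped-file"
    if len(suffixes) >= 2 and suffixes[-1] == ".vbs" and suffixes[-2] in MEDIA_EXTS:
        return "replaced-media"   # e.g. pic.jpg.vbs standing in for pic.jpg
    if suffixes and suffixes[-1] in SCRIPT_EXTS:
        return "review-script"    # any other .vbs/.vbe may have been overwritten
    return None


def triage(paths, run_entries):
    """Group findings from a file listing and from Run/RunServices value names."""
    findings = {"dropped-file": [], "replaced-media": [],
                "review-script": [], "run-entry": []}
    for path in paths:
        label = classify_file(path)
        if label:
            findings[label].append(path)
    for value_name in run_entries:
        if value_name.lower() in RUN_VALUES:
            findings["run-entry"].append(value_name)
    return findings


# Constructed sample inventory (not real data).
SAMPLE_PATHS = [r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
                r"C:\WINDOWS\Win32DLL.vbs",
                r"C:\My Documents\pic.jpg.vbs",
                r"C:\My Documents\family.jpg",
                r"C:\Scripts\backup.vbs"]
SAMPLE_RUN = ["SystemTray", "MSKernel32", "Win32DLL"]

if __name__ == "__main__":
    for label, items in triage(SAMPLE_PATHS, SAMPLE_RUN).items():
        print(label, items)
```

The "replaced-media" group is the one to check against backups, since the alert states the original files cannot be recovered from the machine itself.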