Re: flexfax: ILOVEYOU

[Bill Campbell <bill@celestial.com>]

I got the attached tips this morning from one of my ISP customers, and
am passing it on to the list with the permission of the author.  It
sounds reasonable to me, but I know very little about Windows since I
don't install viruses on my machines.

Bill
--
INTERNET:   bill@Celestial.COM  Bill Campbell; Celestial Systems, Inc.
UUCP:               camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

Instead of giving money to found colleges to promote learning, why don't
they pass a constitutional amendment prohibiting anybody from learning
anything?  If it works as good as the Prohibition one did, why, in five
years we would have the smartest race of people on earth.
		-- The Best of Will Rogers
> -----Original Message-----
> From: James Womack [mailto:jlw@direclynx.net]
> Sent: Thursday, May 04, 2000 9:44 AM
> To: usonline@exp.net
> Subject: [USO] Re: [USO] Re: [USO] New Virus
>

>The ILOVEYOU virus is a VBScript file that runs on Windows platforms that
>have the Windows Scripting Host installed. Wizzy Design's software team has
>examined the virus code and determined what it does. Below are some simple
>"quick-fix" actions users can take to slow down the spread of the virus.

>If the VBS file is double-clicked, either within an email message or on the
>hard-disk, then the virus is activated and this is what happens:

>Your Internet Explorer home page is changed to a site at www.skyinet.net.
>This will attempt to download an executable file. The Windows regsitry is
>altered to run the program at the next boot.  A file called LOVE-LETTER-
>FOR-YOU.HTM is created on your hard disk. Do not view it!  Files called
>WIN32DLL.VBS and MSKERNEL32.VBS are created. The windows registry is
>altered so these are executed at the next boot.  Your jpg, jpeg, css, hta,
>vbs, whs, js, jsa, jse, sct, mp2 and mp3 files are deleted and new files
>that have the same name with a .VBS extention are created.

>If you have the IRC software MIRC installed, the .INI files for it are
>altered to try and send the LOVE-LETTERS-FOR-YOU.HTM file to other users in
>the chat room.  An email message containing the virus file is emailed to
>all of the people in your Windows Address Book.  The Windows Scriping Host
>timeout feature is disabled.

>Quick-fix steps:

>Use these simple steps to slow down the spread of the virus until a full
>cleaning program is available from your Anti-virus software supplier:

>Do not reboot!

>Delete all the suspect .VBS files on all your hard drives. (Generally VBS
>files in the inetpub directory should be left alone)

>Right-click on the Internet Explorer icon on your desktop, go into the
>properties for it and change the home page to the blank page (about:blank).

>Delete all the files in Outlook's "Outbox" folder.

>Delete the MIRC .INI files and reinstall the application.

>Advanced users can use REGEDIT to make further fixes. You should check the
>following registry keys for references to .VBS files and delete them:

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
>
> (the keys may be slightly different for NT users)

>You should only attempt to use REGEDIT if you understand how to safely
>modify the registry.
>