Many companies and ISPs have pulled internet access to email during this email virus outbreak. I'm getting tons of messages bouncing back... Check out: http://www.us.sophos.com/virusinfo/analyses/vbsloveleta.html and http://foxnews.com/vtech/050400/bug.sml -Dave SherwoodK@xxxxxxx wrote: > I just received a call from Gary Goers informing me that he can't > retrieve > his email. He suggested to me that I use snail mail until he can get > the > problem solved. Sophos Alert System wrote: > --------------------------------------------------------------- > Please note: The subject line of these alerts will change to > 'Sophos Anti-Virus IDE alert: virusname' on 12th June 2000. > --------------------------------------------------------------- > > *** Virus Alert! *** > > Name: VBS/LoveLet-A > Aliases: The Love Bug > Type: Visual Basic Script worm > Date: 4 May 2000 > > This virus has been very widely reported in the wild. > > Description: > > This is a virus which tries to spread itself in several ways. > Most commonly, it sends itself as an attachment to an email. > > Infected emails have the subject line: > > ILOVEYOU > > The message text is: > > kindly check the attached LOVELETTER coming from me. > > The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs, which has > a double-extension. Mailers which suppress well-known extensions > such as .vbs may present this file as LOVE-LETTER-FOR-YOU.TXT, > which appears more innocent. > > Because the virus arrives in a VBS file, it requires the Windows > Scripting Host (WSH) in order to work. If you disable WSH, the > viral attachment will be rendered harmless. > > The virus also drops an HTM file which can spread the virus, and > a mIRC script which tries to distribute it. > > The virus checks the Internet Explorer Download Directory for > the presence of the file WinFAT32.exe. If that file does not > exist the virus randomly picks one of four websites and changes > the registry to set it as the Start Page for Internet Explorer. > The websites point to an EXE file, WIN-BUGSFIX.exe, which is > then downloaded and the registry is modified to run the file on > reboot. This file is detected as Troj/LoveLet-A. > > The Internet Explore Start Page is also set to blank. > > The virus copies itself to two places in the system directory > where they are executed each time the computer reboots. > > The email component of the virus requires Microsoft Outlook to > work. If you are using Outlook it will try to send itself to > each entry in your Windows Address Book. > > The virus also searches all local and networked drives for files > that end with the extensions VBS, VBE, JS, JSE, CSS, WSH, SCT or > HTA. These files are overwritten with the virus and their > extension is renamed to .VBS. > > Any JPG or JPEG files are also overwritten by the virus but have > the extension .VBS added to the existing filename. > > Any MP2 or MP3 files are overwritten by the virus but are also > copied to a new file that has the .VBS extension added. The > original files are set as hidden. > > If the virus determines that mIRC is installed on the system it > will drop a mIRC script that will send the virus on via mIRC. > > Note that following the Sophos Guidelines for Safe Hex will > render you almost immune to this attack. If you do not read > unusual or unlikely emails and if you have disabled the WSH, > then you are unlikely to become infected. > > Read the list of recent virus alerts at > http://www.sophos.com/downloads/ide
|