Many companies and ISPs have pulled internet access to email during this
email virus outbreak. I'm getting tons of messages bouncing back...
Check out:
http://www.us.sophos.com/virusinfo/analyses/vbsloveleta.html
and
http://foxnews.com/vtech/050400/bug.sml
-Dave
SherwoodK@xxxxxxx wrote:
> I just received a call from Gary Goers informing me that he can't
> retrieve
> his email. He suggested to me that I use snail mail until he can get
> the
> problem solved.
Sophos Alert System wrote:
> ---------------------------------------------------------------
> Please note: The subject line of these alerts will change to
> 'Sophos Anti-Virus IDE alert: virusname' on 12th June 2000.
> ---------------------------------------------------------------
>
> *** Virus Alert! ***
>
> Name: VBS/LoveLet-A
> Aliases: The Love Bug
> Type: Visual Basic Script worm
> Date: 4 May 2000
>
> This virus has been very widely reported in the wild.
>
> Description:
>
> This is a virus which tries to spread itself in several ways.
> Most commonly, it sends itself as an attachment to an email.
>
> Infected emails have the subject line:
>
> ILOVEYOU
>
> The message text is:
>
> kindly check the attached LOVELETTER coming from me.
>
> The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs, which has
> a double-extension. Mailers which suppress well-known extensions
> such as .vbs may present this file as LOVE-LETTER-FOR-YOU.TXT,
> which appears more innocent.
>
> Because the virus arrives in a VBS file, it requires the Windows
> Scripting Host (WSH) in order to work. If you disable WSH, the
> viral attachment will be rendered harmless.
>
> The virus also drops an HTM file which can spread the virus, and
> a mIRC script which tries to distribute it.
>
> The virus checks the Internet Explorer Download Directory for
> the presence of the file WinFAT32.exe. If that file does not
> exist the virus randomly picks one of four websites and changes
> the registry to set it as the Start Page for Internet Explorer.
> The websites point to an EXE file, WIN-BUGSFIX.exe, which is
> then downloaded and the registry is modified to run the file on
> reboot. This file is detected as Troj/LoveLet-A.
>
> The Internet Explore Start Page is also set to blank.
>
> The virus copies itself to two places in the system directory
> where they are executed each time the computer reboots.
>
> The email component of the virus requires Microsoft Outlook to
> work. If you are using Outlook it will try to send itself to
> each entry in your Windows Address Book.
>
> The virus also searches all local and networked drives for files
> that end with the extensions VBS, VBE, JS, JSE, CSS, WSH, SCT or
> HTA. These files are overwritten with the virus and their
> extension is renamed to .VBS.
>
> Any JPG or JPEG files are also overwritten by the virus but have
> the extension .VBS added to the existing filename.
>
> Any MP2 or MP3 files are overwritten by the virus but are also
> copied to a new file that has the .VBS extension added. The
> original files are set as hidden.
>
> If the virus determines that mIRC is installed on the system it
> will drop a mIRC script that will send the virus on via mIRC.
>
> Note that following the Sophos Guidelines for Safe Hex will
> render you almost immune to this attack. If you do not read
> unusual or unlikely emails and if you have disabled the WSH,
> then you are unlikely to become infected.
>
> Read the list of recent virus alerts at
> http://www.sophos.com/downloads/ide
|
|
Back to the Home of the Forward Look Network