The 'LoveLetter' worm (also known as 'I Love You' and 'Love Bug') was discovered early on May 4, 2000. It travels through mass mailing to address book entries and carries a destructive payload. Following are details on preventing, identifying and removing the worm. A more detailed and technical explanation of this issue is provided by the CERT Coordination Center.
Many new variants have been discovered. Some of these variants are known as 'Susitikim', 'FW: Joke' or 'VeryFunny', 'Mother's Day Order Confirmation', 'Important Attachment' and 'Dangerous Virus Warning'. There will likely be more copy-cat versions in the future. See McAfee's article or Symantec's writeup on LoveLetter for the latest information. Watch out for anything resembling the description below. See also the information on the similar "NewLove" virus.
Who is at risk?
The worm will mostly affect computers running Windows 98. Computers with Windows 95 or Windows NT can be infected if Microsoft Internet Explorer 5 is installed. There may be other circumstances that will allow 95/NT machines to become infected. (Speaking technically, any computer running Windows Scripting Host is at risk.) Macintosh computers are not affected by this version.
The worm uses the Microsoft Outlook e-mail application and the mIRC client to spread. At this time, it does not seem that the worm can use Outlook Express to propagate. You can, however, be infected with the worm no matter which email program you use or which program you received the file through: opening the attachment is what triggers the infection.
There are several things that you can do to protect
yourself. These suggestions combine to provide the best protection
possible. Doing just one of these, or following this advice inconsistently
will provide less than maximum safety.
- Always exercise caution when handling ALL attachments. We recommend that you do not open any attachments of which you have no prior knowledge. This is important even if the message and attachment seem to come from someone you know well. If you are in their address book and they are infected with this type of worm, then you will receive it from them.
- Purchase, install and regularly update a strong Anti-Virus program.
Some suggestions can be found on our Anti Virus page.
- For 'LoveLetter' and 'BubbleBoy' (and variants)
specifically, you can disable the Windows Scripting Host. This may
disable some features of Windows, but should not have a noticeable effect for
most users. This will also help protect against future worms/viruses of this
type.
To
disable Windows Scripting Host:
- Go to Start/Settings/Control Panel.
- Open Add/Remove Programs
- Choose the Windows Setup tab.
- Double-click on "Accessories" and make sure Windows
Scripting Host is deselected (no checkmark).
- Click OK on "Accessories" and then Apply (if available) and
OK on Add/Remove Programs.
- A somewhat more complicated procedure is disabling Active Scripting within
Internet Explorer 5. For instructions, please see the Malicious
Web Scripts FAQ at CERT.
- Users of Internet Relay Chat (IRC) programs should disable automatic
reception of files offered to them via DCC. How this is done will
differ depending on the software package you use. Contact the software
vendor if you have any questions.
- Runestone Internet Services is now scanning out the original "LoveLetter"
and several variants. We will not be able to always catch
viruses/worms this way as new variants and strains are constantly being
developed. You should not assume that this filtering means that the
previous suggestions need not be followed.
What does it look like?
The worm will arrive as an attachment to an email message. This email will most likely come from someone you know. The message will show the following characteristics (variations have been found using different subjects and attachment names; see above for more details):
- The subject will be 'ILOVEYOU'
- The text of the message will be 'kindly check the attached LOVELETTER coming from me.'
- The email will include an attachment called 'LOVE-LETTER-FOR-YOU.TXT.vbs'
If you receive an email that has these attributes, do
not open the attachment. Simply delete the email from the Inbox, then
go to the Deleted Items folder and delete the email message from there.
This will completely remove the email and worm from the system.
What happens if I get infected with 'LoveLetter'?
If the email attachment 'LOVE-LETTER-FOR-YOU.TXT.vbs' is
opened, the following will happen:
- Copies of the worm will be placed in the following locations:
- C:\windows\System\MSKernel32.vbs
- C:\windows\Win32DLL.vbs
- C:\windows\System\LOVE-LETTER-FOR-YOU.TXT.vbs
- C:\windows\Temp\LOVE-LETTER-FOR-YOU.TXT.vbs
- The following keys will be added to the registry to ensure that your system stays infected unless thoroughly cleaned of the worm:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
- If a file named 'WinFAT32.exe' is not found on your computer (most likely):
- Your Internet Start Page will be set to an address similar to the one below:
http://www.skyinet.net/~account_name/......../WIN-BUGSFIX.exe
- When you open Internet Explorer (Netscape Navigator is not affected) it will attempt to download a program that would send out your password via e-mail.
- This website has since been taken off-line, and the download file has been removed.
- If a file named 'WinFAT32.exe' is on your computer:
- The following key will be added to the Windows registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
- The 'WIN-BUGSFIX.exe' program will be run every time your computer starts. This program attempts to send out your password via e-mail.
- Your Internet Start Page will be set to a blank page.
- The worm will attempt to overwrite several files on your computer.
If you are on a network, the worm will also replace these files on the
network drives.
- Any files with extensions of ".js", ".jse",
".css", ".wsh", ".sct", ".hta",
".vbs" or ".vbe" will be deleted and a new file with the
same name but a ".vbs" extension will be created. This is
actually a copy of the worm itself. The original file is
unrecoverable.
- Any files with extensions of ".jpg",
".jpeg", ".mp2" or ".mp3" will be deleted and
a new file will be created in its place with the original extension plus
".vbs". For example, a file originally called 'picture.jpg'
would be called 'picture.jpg.vbs'. This is actually a copy of
the worm itself. The original file is unrecoverable.
- A file will be created at 'C:\Windows\System\LOVE-LETTER-FOR-YOU.HTM'
- If mIRC is found on your computer, a file named 'script.ini'
will be placed in the IRC program directory. The
file mentioned above contains the worm and will be sent over mIRC each time you connect to
an IRC channel.
- The worm will search for a Microsoft Outlook address book. If
found, the worm will mail itself to everyone in the address book. The
email will appear the same as described in the "What does it look
like?" section of this page. This
is only supposed to occur once, but there are indications that the worm may
be sent repeatedly.
How do I know if I am infected?
To find out if you are infected with the LoveLetter worm, do the following:
- Click Start -- Find -- Files or Folders
- In the Named field type in love*, make sure that the C:\ drive is listed in Look in and click Find Now.
- If any file named LOVE-LETTER-FOR-YOU is listed, you are infected and should continue with these instructions.
- If the file LOVE-LETTER-FOR-YOU is not listed, you are likely not infected and do not need to follow the rest of these instructions.
- You may also wish to search for either mskernel32.vbs or win32dll.vbs.
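A small scanner, added here as an example and not part of the original advisory, that applies the indicators from the "What does it look like?", "What happens if I get infected" and "How do I know if I am infected?" sections to Windows paths, registry Run value names and message fields. All function names and the sample values in the tests are this example's own, not the advisory's.

```python
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Added example (not from the advisory). File names the page lists as worm copies;
# compared case-insensitively, as Windows file names are.
WORM_FILENAMES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs"}
# Media extensions the page says get ".vbs" appended (picture.jpg -> picture.jpg.vbs).
MEDIA_EXTS = {".jpg", ".jpeg", ".mp2", ".mp3"}
# Run/RunServices value names the page says the worm adds for persistence.
RUN_VALUES = {"mskernel32", "win32dll", "win-bugsfix"}

def classify_path(path: str) -> Optional[str]:
    """Return why a Windows path looks like a LoveLetter artifact, or None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    suffixes = [s.lower() for s in p.suffixes]
    if name in WORM_FILENAMES:
        return "known worm file name"
    if name.startswith("love-letter-for-you"):
        return "LOVE-LETTER-FOR-YOU artifact"
    if len(suffixes) >= 2 and suffixes[-1] == ".vbs" and suffixes[-2] in MEDIA_EXTS:
        return "media file replaced by worm copy (double extension)"
    if suffixes and suffixes[-1] == ".vbs":
        # .js/.css/etc. are overwritten under the same base name, so the name alone
        # cannot prove infection; the page therefore says to review every *.vbs.
        return "generic .vbs file: review, may be an overwritten script"
    return None

def scan_paths(paths: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious path to the reason it was flagged."""
    hits = {}
    for path in paths:
        reason = classify_path(path)
        if reason:
            hits[path] = reason
    return hits

def flagged_run_values(value_names: Iterable[str]) -> List[str]:
    """Value names under CurrentVersion\\Run or RunServices matching the worm's."""
    return sorted(v for v in value_names if v.lower() in RUN_VALUES)

def looks_like_loveletter_mail(subject: str, body: str, attachment: str) -> bool:
    """Match the original message characteristics the advisory describes."""
    return (subject.strip().upper() == "ILOVEYOU"
            or attachment.lower() == "love-letter-for-you.txt.vbs"
            or "kindly check the attached loveletter" in body.lower())
```

Feed scan_paths the output of a directory walk (or a pasted Find Files result) and flagged_run_values the value names exported from the two Run keys; a "generic .vbs" hit is a prompt to review, not proof of infection.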
How do I remove the worm?
This information is provided as a courtesy and includes the full knowledge that we currently have of this virus, its effects and how to remove it. Situations may arise that would suggest a different course of action than the steps laid out here. Runestone Internet Services cannot be held responsible for any damage caused by the infection with or attempted removal of this or any other virus, worm, or trojan horse program.
If you do not understand any part of these instructions, please do not proceed on your own. Doing so may seriously damage your computer. Contact Runestone Technical Support at the following numbers with any questions. (If you are not a Runestone Internet Services customer, you must contact your own Internet Provider or computer support.)
- REA-ALP internet customers call either the REA office at 762-1121
(1-800-473-1722) or the ALP office at 763-6501 (1-800-267-8955)
- Runestone Telephone internet customers call the Runestone Telephone
office at 986-2013 (1-800-986-6602)
First, update the virus definitions for your
anti-virus software (consult your documentation for instructions if
needed.) If you don't have anti-virus software, it is highly
recommended. See our Anti-Virus page for
anti-virus software options.
If you found the LOVE-LETTER-FOR-YOU file in the previous section, then do the following:
- In Find Files, search for: *.vbs
- Delete ALL files found. (You may wish to make a note of which directories these files are stored in. These may have formerly been program files. Those programs will need to be re-installed if they no longer work correctly. As an example, Adobe Acrobat is one that may have problems.)
- Now search for: love*
- Highlight and delete all files that show "LOVE-LETTER-FOR-YOU"
- Use regedit to delete the following registry keys:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
- Restart your computer
- Open your email program and delete all messages with the subject ILOVEYOU (or one of the variants mentioned above), making sure not to open any attachments.
- Re-install any programs if necessary.
For more information
These sites have more information on the worm and its worldwide effects.
- CERT Coordination Center
- CNN.com
- F-Secure Anti-Virus
- McAfee Anti-Virus
- New York Times
- Symantec Norton Anti-Virus Research Center
This document was last updated on
Thursday, January 22, 2004, at 07:13 PM