MUSEUM-L Archives

Museum discussion list

MUSEUM-L@HOME.EASE.LSOFT.COM
Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: Computer virus information....
From:
Aaron Marcavitch <[log in to unmask]>
Reply To:
Museum discussion list <[log in to unmask]>
Date:
Thu, 4 May 2000 10:58:29 -0700
Content-Type:
text/plain
Parts/Attachments:
text/plain (166 lines) 
Its a real one folks.  Check out yahoo news items.
Scary.  Makes you all really want to run out and get a
mac!

Keep safe!
Aaron

--- Thomas Mooney <[log in to unmask]> wrote:
> Museum-L members,
>
>         Many of you are probably already aware of
> the new virus that is
> going around.  If not, please see below.  I have
> been hit several times
> from various sources, but luckily I did not open the
> infected attachment.
> I just wanted you to be aware.
>
> Tom Mooney
>
> --
> Tom Mooney, Library Technician
> [log in to unmask]
> University Archives & Special Collections
> (402) 472-2531
> N209 Love Library, P.O. Box 880410
> University of Nebraska-Lincoln
> Lincoln, NE 68588-0410
>
> ---------- Forwarded message ----------
> Date: Thu, 4 May 2000 10:29:17 -0500 (CDT)
> From: Jon Keene <[log in to unmask]>
> To: [log in to unmask]
> Subject: More Virus info
>
> We've gotten several more reports of library staff
> receiving this
> virus.  Please remember that viruses like this will
> almost always
> be sent from a "trusted source."  That is, someone
> who has your
> address in their address list.  I still haven't
> gotten through to
> the McAfee site, but we now know that even the most
> recent .dat
> files from McAfee do NOT prevent infection.
>
> I'm including what information I have about this
> virus below.
> Again, please contact ASO as soon as possible if you
> receive this
> virus.
>
> VBS:LoveLetter
> Overview
> VBS:LoveLetter is a computer worm created in VBS
> (Visual Basic Script
> language). It arrives  via e-mail and is activated
> by double click on the
> message attachment called
> LOVE-LETTER-FOR-YOU.TXT.vbs. It requires Windows
> Scripting Host to be installed on the victim's
> computer. This support is not
> installed under Windows 95 and Windows NT 4 by
> default. It is installed under
> Windows 98 and Windows NT and it is also  part of
> some additional software
> packages (such as Microsoft Internet Explorer v5.x).
> VBS:LoveLetter was discovered on 4th May 2000 and it
> spreads like a fire.
> This worm uses e-mail as the primary spreading
> channel. It is also able to
> use mIRC client as secondary distribution channels.
>
> VBS:LoveLetter copies itself to following files:
> MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs in
> the system directory and
> Win32DLL.vbs in the Windows directory.
>
> It also modifies two registry keys for its
> activation after computer restart:
>
>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsKernel32
>
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
>
> VBS:LoveLetter sends itself via Outlook application
> as an attachment in a
> similar way as Melissa does. It sends the infected
> message  to all recipients
> in every address book. The message has the following
> subject and body:
>
> Subject: ILOVEYOU
> Body:    kindly check the attached LOVELETTER coming
> from me.
>
> The worm sends itself  only once from the infected
> computer.
>
> If the file system\WinFAT32.exe does not exist, worm
> sets the MSIE start page
> to remote EXE file on certain web page. After
> successfull download of file
> named WIN-BUGSFIX.exe it sets another registry key
>
>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
>
> in order to run this file on every computer restart
> and sets the MSIE start
> page to about:blank
>
> VBS:LoveLetter searches for the certain files on all
> local and remote drives.
> If it finds the file with extension vbs or vbe, it
> overwrites such file with
> itself. Files with extension js, jse, css, wsh, sct,
> hta are overwritten as
> well and renamed to *.vbs. Also jpg and jpeg files
> are overwritten and
> renamed to *.jpg.vbs, while mp3 and mp2 files are
> overwritten, renamed to
> *.mp?.vbs and their attributes are changed.
>
> When VBS:LoveLetter finds mIRC client, it overwites
> the "mirc.ini" file and
> is able to send itself  to other users via IRC
> channels.
>
> Worm also drops the HTM file in order to get better
> chance to spread.
>
>
> Removal
> Delete all infected files and remove all registry
> keys mentioned above. Then
> reboot the computer.
> Any avast! with VPS file dated on or after 4th May
> 2000 is able to detect
> this virus.
>


=====
Aaron Marcavitch-- [log in to unmask]
Webmaster/Program Assistant
Historic Massachusetts
&
Designer/Consultant
Cymatium.net Web Designs
http://www.cymatium.net

__________________________________________________
Do You Yahoo!?
Send instant messages & get email alerts with Yahoo! Messenger.
http://im.yahoo.com/

=========================================================
Important Subscriber Information:

The Museum-L FAQ file is located at http://www.finalchapter.com/museum-l-faq/ . You may obtain detailed information about the listserv commands by sending a one line e-mail message to [log in to unmask] . The body of the message should read "help" (without the quotes).

If you decide to leave Museum-L, please send a one line e-mail message to [log in to unmask] . The body of the message should read "Signoff Museum-L" (without the quotes).

ATOM RSS1 RSS2