MUSEUM-L Archives

Museum discussion list

MUSEUM-L@HOME.EASE.LSOFT.COM

Subject:
From: Thomas Mooney <[log in to unmask]>
Reply To: Museum discussion list <[log in to unmask]>
Date: Thu, 4 May 2000 11:12:06 -0500
Content-Type: TEXT/PLAIN
Parts/Attachments: TEXT/PLAIN (105 lines)

Museum-L members,

        Many of you are probably already aware of the new virus that is
going around.  If not, please see below.  I have been hit several times
from various sources, but luckily I did not open the infected attachment.
I just wanted you to be aware.

Tom Mooney

--
Tom Mooney, Library Technician                  [log in to unmask]
University Archives & Special Collections       (402) 472-2531
N209 Love Library, P.O. Box 880410
University of Nebraska-Lincoln
Lincoln, NE 68588-0410

---------- Forwarded message ----------
Date: Thu, 4 May 2000 10:29:17 -0500 (CDT)
From: Jon Keene <[log in to unmask]>
To: [log in to unmask]
Subject: More Virus info

We've gotten several more reports of library staff receiving this
virus.  Please remember that viruses like this will almost always
be sent from a "trusted source."  That is, someone who has your
address in their address list.  I still haven't gotten through to
the McAfee site, but we now know that even the most recent .dat
files from McAfee do NOT prevent infection.

I'm including what information I have about this virus below.
Again, please contact ASO as soon as possible if you receive this
virus.

VBS:LoveLetter
Overview
VBS:LoveLetter is a computer worm created in VBS (Visual Basic Script
language). It arrives via e-mail and is activated by a double click on the
message attachment called LOVE-LETTER-FOR-YOU.TXT.vbs. It requires Windows
Scripting Host to be installed on the victim's computer. This support is not
installed under Windows 95 and Windows NT 4 by default. It is installed under
Windows 98 and Windows NT and it is also part of some additional software
packages (such as Microsoft Internet Explorer v5.x).
VBS:LoveLetter was discovered on 4th May 2000 and it spreads like a fire.
This worm uses e-mail as the primary spreading channel. It is also able to
use the mIRC client as a secondary distribution channel.

VBS:LoveLetter copies itself to the following files:
MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs in the system directory and
Win32DLL.vbs in the Windows directory.

It also modifies two registry keys for its activation after computer restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsKernel32
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

VBS:LoveLetter sends itself via the Outlook application as an attachment in a
similar way as Melissa does. It sends the infected message to all recipients
in every address book. The message has the following subject and body:

Subject: ILOVEYOU
Body:    kindly check the attached LOVELETTER coming from me.

The worm sends itself only once from the infected computer.

If the file system\WinFAT32.exe does not exist, the worm sets the MSIE start page
to a remote EXE file on a certain web page. After successful download of the file
named WIN-BUGSFIX.exe it sets another registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

in order to run this file on every computer restart and sets the MSIE start
page to about:blank

VBS:LoveLetter searches for certain files on all local and remote drives.
If it finds a file with extension vbs or vbe, it overwrites that file with
itself. Files with extension js, jse, css, wsh, sct, hta are overwritten as
well and renamed to *.vbs. Also jpg and jpeg files are overwritten and
renamed to *.jpg.vbs, while mp3 and mp2 files are overwritten, renamed to
*.mp?.vbs and their attributes are changed.

When VBS:LoveLetter finds the mIRC client, it overwrites the "mirc.ini" file and
is able to send itself to other users via IRC channels.

The worm also drops an HTM file in order to get a better chance to spread.


Removal
Delete all infected files and remove all registry keys mentioned above. Then
reboot the computer.
Any avast! with VPS file dated on or after 4th May 2000 is able to detect
this virus.


--
Jon Keene                       Room 22H Love Library
Automated Systems Office        402-472-4538
UNL Libraries                   [log in to unmask]
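
Added example, not part of either message above: a Python check that flags the file names and autostart registry values named in the description, given a list of file paths and a REGEDIT4-style registry export. The sample paths and export text are constructed, and treating `.jpeg.vbs` like `.jpg.vbs` is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Indicators below are the names given in the description above.
WORM_FILES = {"mskernel32.vbs", "win32dll.vbs",
              "love-letter-for-you.txt.vbs", "win-bugsfix.exe"}
RUN_VALUES = {  # autostart value names per HKLM key
    r"software\microsoft\windows\currentversion\run": {"mskernel32", "win-bugsfix"},
    r"software\microsoft\windows\currentversion\runservices": {"win32dll"},
}
# *.jpg.vbs and *.mp?.vbs renames; also matching .jpeg.vbs is an assumption.
OVERWRITTEN = re.compile(r"\.(jpe?g|mp[23])\.vbs$", re.IGNORECASE)

def flag_files(paths):
    """Return (path, reason) for every path that matches a file indicator."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if name in WORM_FILES:
            hits.append((p, "worm file name"))
        elif OVERWRITTEN.search(name):
            hits.append((p, "overwritten media file"))
    return hits

def flag_run_values(reg_export):
    """Return (key, value) for worm autostart values in REGEDIT4 export text."""
    hits, key = [], None
    for line in map(str.strip, reg_export.splitlines()):
        if line.startswith("["):  # key header: keep the HKLM subkey, else reset
            m = re.fullmatch(r"\[HKEY_LOCAL_MACHINE\\(.+)\]", line, re.IGNORECASE)
            key = m.group(1).lower() if m else None
        elif (v := re.match(r'"([^"]+)"=', line)) and v.group(1).lower() in RUN_VALUES.get(key, ()):
            hits.append((key, v.group(1)))
    return hits

# Constructed sample inventory and registry export (not real captures).
SAMPLE_PATHS = [r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", r"C:\WINDOWS\Win32DLL.vbs",
                r"C:\My Documents\holiday.jpg.vbs", r"C:\scripts\backup.vbs"]
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"
'''

if __name__ == "__main__":
    for hit in flag_files(SAMPLE_PATHS) + flag_run_values(SAMPLE_REG):
        print(hit)
```

Files with extension js, jse, css, wsh, sct or hta that were overwritten and renamed to *.vbs lose their original extension, so a name check like this cannot identify them.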
