LOVE LETTER - Read our OPINION on the fundamental problem.

Short description
Another "Melissa-style" Internet worm written in VBS. It requires Windows Scripting Host to be installed (the default on Windows 98 and Windows 2000). It overwrites many files with itself (vbs, vbe, js, jse, css, wsh, sct, hta). It creates .jpg.vbs and .jpeg.vbs files from image files and then deletes the originals. ".mp3" and ".mp2" files are not erased: their names are simply modified and they are hidden. The virus spreads by looping through your address book (Windows 98 and Windows 2000) and by modifying the setup of mIRC to display an infected web page on connections. There are already several variants of this worm.

In practice
If you don't have any anti-virus, follow these instructions.

You'll need F-Secure Anti-Virus 4.07, 4.08 to apply these updates: fsupdate site 1 * fsupdate site 2

IMPORTANT NOTES

1 - Scan all files. If the virus has activated, there is a good chance that files with non-standard (double-dot) extensions are infected. In addition, your F-Secure Anti-Virus may not be configured to scan the worm's target extensions.

2 - The virus doesn't append itself to files; it either creates infected files or overwrites existing files with infectious code. It cannot be "disinfected": the infected files are the worm itself and need to be removed. Delete the infected files.

3 - The virus creates infected files (among others) with the name

You might be afraid to remove them because they look like system files, but they are not: these files should be removed, as they are essential to the survival of the worm.

REGISTRY Modifications

HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs

The worm uses a load balancing mechanism to fetch a fake WIN-BUGSFIX.exe file from different web sites.

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/

This "bugfix" is then run through the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

And the MSIE Start page is then reset.

Link to the F-Secure Corporation description of the virus
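A scan for the two file-level traces described in notes 1 and 2 above, as an added example that is not part of the original page or of F-Secure's tooling: it lists .jpg.vbs/.jpeg.vbs names and groups byte-identical files among the overwritten types, since an overwritten file is a copy of the worm. The function names, the min_cluster threshold and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Extensions the page lists as overwritten with the worm's own body.
OVERWRITTEN = {".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta"}
# Double extensions the page says are created from image files.
IMAGE_DROPPERS = (".jpg.vbs", ".jpeg.vbs")


def scan(root, min_cluster=3):  # min_cluster: assumed threshold, not from the page
    """Return (double-extension files, {sha256: byte-identical files}) under root."""
    double_ext, by_hash = [], {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path, lower = os.path.join(folder, name), name.lower()
            if lower.endswith(IMAGE_DROPPERS):
                double_ext.append(path)
            if os.path.splitext(lower)[1] not in OVERWRITTEN:
                continue
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            by_hash.setdefault(digest, []).append(path)
    clusters = {h: sorted(p) for h, p in by_hash.items() if len(p) >= min_cluster}
    return sorted(double_ext), clusters


def build_sample_tree(root):
    """Constructed sample data; placeholder text stands in for the worm body."""
    files = {
        "site/style.css": b"PLACEHOLDER-BODY",
        "site/menu.js": b"PLACEHOLDER-BODY",
        "photos/holiday.jpg.vbs": b"PLACEHOLDER-BODY",
        "site/clean.js": b"function ok() { return 1; }",
        "photos/cat.jpg": b"\xff\xd8\xff",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

Files reported in a cluster are candidates for deletion and restoration from backup, in line with note 2; a legitimate set of identical stylesheets or scripts can also form a cluster, so review the contents before deleting.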
DataRescue 45 quai de la Dérivation 4020 Liège (Belgium) tel 32-4-3446510 fax 32-4-3446514 Please send us your questions or comments.