Boat Building Forum

Find advice on all aspects of building your own kayak, canoe or any lightweight boats

I LOVE YOU VIRUS -- It's REAL - please read
By: Brian T. Cunningham
Date: 5/4/2000, 4:31 pm

This is real. The offices of FORD in Detroit and one of the military bases' email servers just got shut down!

-------

"VBS_Loveletter" Worm 04 May 2000 Virus Control

Alias: Loveletter, VBS/Loveletter
Discovery Date: 04 May 2000
Likelihood: High
Characteristics: The worm uses the Outlook e-mail application to spread. LoveLetter is also an overwriting VBS virus, and it spreads itself using the mIRC client as well. The LoveLetter worm is a VBS script that propagates itself using Microsoft Outlook and mIRC.

Description:

Once executed this computer worm modifies the registry and drops files for it to spread. It replicates via Microsoft Outlook by sending an email with an attachment file “LOVE-LETTER-FOR-YOU.TXT.vbs” to all email addresses listed in the address list. It also propagates using mIRC by modifying the “script.ini.” After connecting to a chat server using mIRC, the virus initiates a DCC send to all the users in the current channel and sends a copy of itself. It is also capable of infecting files with specific extensions.

The message that it sends will be as follows:

Subject: ILOVEYOU

Body: kindly check the attached LOVELETTER coming from me.

Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

Infection:

Once executed, this virus drops the following files:
:\windows\Win32DLL.vbs
:\windows\system\MSKernel32.vbs
:\windows\system\LOVE-LETTER-FOR-YOU.TXT.vbs.

It also modifies the following registry entries so that the virus is run at each Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32,
:\windows\system\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL,
:\windows\Win32DLL.vbs

Payload:

It searches for a file named WinFAT32.exe in the :\windows\system folder. If the file exists, then it modifies Internet Explorer’s startup page with one of the following sites:

http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe

http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe

http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe

http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

It also searches for a file named WIN-BUGSFIX.exe in the :\windows\system folder. If the file does not exist, then it modifies Internet Explorer’s startup page with the “about:blank” page and modifies the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX, \WIN-BUGSFIX.exe

Detection/Removal:

Users should delete any messages from both the Inbox and Deleted items folder with the following attributes:

- Subject line of the email message contains the words "ILOVEYOU"
- Text in the body of the message includes the words "kindly check the attached LOVELETTER coming from me"
- There is an attachment file in the message with the title "LOVE-LETTER-FOR-YOU.TXT.vbs"

Prevention:

- Never open executable file attachments, such as .exe, .com, .bat, .shs, and .vbs.
- If an attachment is received unexpectedly, even from a person you trust, ask the sender before opening. Never open attachments received from unknown sources. Delete the e-mail from both your Inbox and Deleted Items folders.
- Ensure that you are running anti-virus software with the latest signature update.
- Never circulate virus warnings that did not originate from the EDS Security Virus Control group. If you are unsure of the authenticity of the warning, forward it to the Virus Control group at security-viruses@eds.com for validation.
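As an added example, not part of the post above or of the EDS advisory it quotes, the Detection/Removal attributes (subject, body text, attachment name) and the Prevention rule on executable attachments expressed as a mail-triage check using Python's standard `email` library; the sample messages, sender and recipient addresses are constructed for the example.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Message attributes from the advisory's Detection/Removal section.
LOVELETTER_SUBJECT = "ILOVEYOU"
LOVELETTER_BODY = "kindly check the attached LOVELETTER coming from me"
LOVELETTER_ATTACHMENT = "LOVE-LETTER-FOR-YOU.TXT.vbs"
# Executable attachment types the Prevention section says never to open.
RISKY_EXTENSIONS = (".exe", ".com", ".bat", ".shs", ".vbs")

def triage_message(raw_message: str) -> dict:
    """Score one RFC 822 message against the LoveLetter indicators.
    verdict: 'loveletter' if subject, body and attachment name all match,
    'suspicious' if any attachment has an executable extension, else 'clean'."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    risky = [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]
    # "X.TXT.vbs" hides a script behind a harmless-looking inner extension.
    double_ext = [n for n in risky if n.lower().count(".") >= 2]
    result = {
        "subject": LOVELETTER_SUBJECT in subject.upper(),
        "body": LOVELETTER_BODY.lower() in body.lower(),
        "attachment": LOVELETTER_ATTACHMENT.lower() in [n.lower() for n in names],
        "risky_attachments": risky,
        "double_extension": double_ext,
    }
    if result["subject"] and result["body"] and result["attachment"]:
        result["verdict"] = "loveletter"
    else:
        result["verdict"] = "suspicious" if risky else "clean"
    return result

def build_sample(subject: str, body: str, attachment: str = None) -> str:
    """Build a constructed sample message (test data, not a real capture)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "you@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

# Constructed samples: the advisory's message, a disguised script, a clean mail.
SAMPLE_LOVELETTER = build_sample("ILOVEYOU", "kindly check the attached LOVELETTER coming from me.", "LOVE-LETTER-FOR-YOU.TXT.vbs")
SAMPLE_DISGUISED = build_sample("Re: bug fix", "see attached", "README.TXT.vbs")
SAMPLE_CLEAN = build_sample("Re: hull plans", "plans attached", "hull-plans.pdf")
```

Only a message matching all three advisory attributes is labelled as the worm; any executable attachment, including one hidden behind a double extension, is flagged for review.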