
Lock IT Down: A quick quarantine for ILOVEYOU e-mail virus

Quarantine ILOVEYOU virus in lieu of anti-virus software


If you’re unable to get a vendor-distributed virus image to fight off the ILOVEYOU virus, here’s a quick quarantine measure that may help you contain this particularly nasty threat. Developed on the fly by TechRepublic’s own Kevin Brown, we used this tool (gratefully dubbed IHATEYOU) ourselves today to contain the spread of ILOVEYOU.

Of course, do not use this simple solution as a substitute for the vendor-distributed fixes beginning to circulate. We used it, and it worked for us, but we do not guarantee that it will work in your shop. We hope it can help you get through a crazy day, though.

In short, Kevin reversed the hacker’s VB code to identify instances of VBS files created by the virus, rename them with an IHY (IHATEYOU) extension, and then move them to the C:/Temp directory. His script also undoes the three Registry changes made by ILOVEYOU and resets the infected machine’s IE home page to blank, away from the Trojan horse page installed by ILOVEYOU.

Before you run the script, you probably want to check to see if a machine is infected by searching for these files:
  • MSKernel32.vbs
  • Win32DLL.vbs
  • LOVE-LETTER-FOR-YOU.TXT
  • WinFAT32.EXE
  • WIN-BUGSFIX.EXE
  • script.ini
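
A read-only way to do this check, added here as an example; it is not part of the original article or of Kevin Brown's script. It looks in the same locations and for the same registry values that the IHATEYOU listing on this page cleans up; the helper names (CheckFile, CheckValue, Report, ReadValue) are introduced for this example, and the location of WIN-BUGSFIX.EXE is an assumption noted in the code.

```vbscript
' Read-only check for ILOVEYOU indicators; nothing is deleted or changed.
Option Explicit
Dim fso, sh, dirwin, dirsystem, dl, runKey, hits
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh = CreateObject("WScript.Shell")
dirwin = fso.GetSpecialFolder(0).Path     ' Windows folder
dirsystem = fso.GetSpecialFolder(1).Path  ' System folder
runKey = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\"
hits = 0

' Files: same locations as the DeleteFile calls in IHATEYOU.
CheckFile fso.BuildPath(dirsystem, "MSKernel32.vbs")
CheckFile fso.BuildPath(dirwin, "Win32DLL.vbs")
CheckFile fso.BuildPath(dirsystem, "LOVE-LETTER-FOR-YOU.TXT.vbs")
CheckFile fso.BuildPath(dirsystem, "LOVE-LETTER-FOR-YOU.HTM")
CheckFile fso.BuildPath(dirsystem, "WinFAT32.EXE")
' Assumption: WIN-BUGSFIX.EXE sits in the IE download directory (default c:\).
dl = ReadValue("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
If dl = "" Then dl = "c:\"
CheckFile fso.BuildPath(dl, "WIN-BUGSFIX.EXE")

' Registry values: the ones IHATEYOU removes with regdelete.
CheckValue runKey & "Run\MSKernel32"
CheckValue runKey & "RunServices\Win32DLL"
CheckValue runKey & "Run\WIN-BUGSFIX"
CheckValue runKey & "Run\WinFAT32"

' The home page is only reported; judge the value by eye.
WScript.Echo "IE Start Page: " & ReadValue("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page")
WScript.Echo hits & " indicator(s) found"
If hits > 0 Then WScript.Quit 1

Sub CheckFile(path)
  If fso.FileExists(path) Then Report "FILE  " & path
End Sub
Sub CheckValue(key)
  If ReadValue(key) <> "" Then Report "REG   " & key & " = " & ReadValue(key)
End Sub
Sub Report(msg)
  hits = hits + 1
  WScript.Echo msg
End Sub
Function ReadValue(key)
  ' RegRead raises an error when the value is absent; return "" in that case.
  ReadValue = ""
  On Error Resume Next
  ReadValue = sh.RegRead(key)
End Function
```

Run it with cscript //nologo so the results print to the console instead of opening one dialog per line. It does not search the disk for script.ini or for other .vbs copies.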

You can run IHATEYOU on a noninfected system with limited impact. Be forewarned that any legitimate VBS files installed on the system will be renamed as IHY and moved to C:/Temp. In addition, the script conflicts with the IRC instant messaging and chat service.

To use IHATEYOU, copy the following text into a text editor and save the file with a .vbs extension or click on the IHATEYOU sidebar on the right-hand navigation bar.

IHATEYOU
rem I Hate You - removes I love you virus
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy="Undo LOVE LETTER VIRUS"
main()
sub main()
 On Error Resume Next
 dim wscr,rr
 set wscr=CreateObject("WScript.Shell")
 Set dirwin = fso.GetSpecialFolder(0)
 Set dirsystem = fso.GetSpecialFolder(1)
 Set dirtemp = fso.GetSpecialFolder(2)
 
 fso.DeleteFile dirsystem & "\MSKernel32.vbs", true
 fso.DeleteFile dirwin & "\Win32DLL.vbs", true
 fso.DeleteFile dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs", true
 fso.DeleteFile dirsystem & "\WinFAT32.EXE", true
 regruns()
 html()
 spreadtoemail()
 listadriv()
end sub
sub regruns()
 On Error Resume Next
 Dim num,downread
 rem Remove the autorun values that ILOVEYOU adds under Run and RunServices
 regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32"
 regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL"

 downread=""
 downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
 if (downread="") then
 downread="c:\"
 end if
 regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"
 regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32"

 rem Reset the Internet Explorer home page to a blank page
 regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"

end sub
sub listadriv
 On Error Resume Next
 Dim d,dc
 Set dc = fso.Drives
 For Each d in dc
 rem DriveType 2 = fixed disk, 3 = network drive
 If d.DriveType = 2 or d.DriveType=3 Then
 folderlist(d.path&"\")
 end if
 Next
end sub
sub infectfiles(folderspec)
 On Error Resume Next
 dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
 set f = fso.GetFolder(folderspec)
 set fc = f.Files
 for each f1 in fc
 ext=fso.GetExtensionName(f1.path)
 ext=lcase(ext)
 s=lcase(f1.name)
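 if (ext="vbs") or (ext="vbe") or (s="script.ini") then
 rem Quarantine: copy to c:\temp with an .ihy extension, then delete the original.
 rem Files that share a base name overwrite one another in c:\temp.
 if not fso.FolderExists("c:\temp") then fso.CreateFolder("c:\temp")
 bname=fso.GetBaseName(f1.path)
 set cop=fso.GetFile(f1.path)
 cop.copy("c:\temp\"&bname&".ihy")
 fso.DeleteFile f1.path, true
 end if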
 next
end sub
sub folderlist(folderspec)
 On Error Resume Next
 dim f,f1,sf
 set f = fso.GetFolder(folderspec)
 set sf = f.SubFolders
 for each f1 in sf
 infectfiles(f1.path)
 folderlist(f1.path)
 next
end sub
sub regdelete(regkey)
 Set regedit = CreateObject("WScript.Shell")
 regedit.RegDelete regkey
end sub
sub regcreate(regkey,regvalue)
 Set regedit = CreateObject("WScript.Shell")
 regedit.RegWrite regkey,regvalue
end sub
function regget(value)
 Set regedit = CreateObject("WScript.Shell")
 regget=regedit.RegRead(value)
end function
function fileexist(filespec)
 On Error Resume Next
 dim msg
 if (fso.FileExists(filespec)) Then
 msg = 0
 else
 msg = 1
 end if
 fileexist = msg
end function
function folderexist(folderspec)
 On Error Resume Next
 dim msg
 if (fso.FolderExists(folderspec)) then
 msg = 0
 else
 msg = 1
 end if
 folderexist = msg
end function
sub spreadtoemail()
 On Error Resume Next
 dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
 set regedit=CreateObject("WScript.Shell")
end sub
sub html
 On Error Resume Next
 
 fso.DeleteFile(dirsystem&"\LOVE-LETTER-FOR-YOU.HTM")
end sub

About

Ken Hardin is a freelance writer and business analyst with more than two decades in technology media and product development. Before founding his own consultancy, Clarity Answers LLC, Ken was a member of the start-up team and an executive with TechRe...
