Computer users worldwide using Microsoft's Outlook e-mail program have been hit hard by a new worm called "ILOVEYOU." A worm is a malicious program that replicates itself, "worming" its way through a computer's resources. The full extent of the damage is unknown, but it's growing by leaps and bounds. CNET this morning reported computers down in Hong Kong and Denmark, while ZDNET reported that the virus was "sweeping through Asia." Trend Micro reported "several hundred phone calls" in the early morning hours from "major European customers within government, industry, and trade."
Like the recent devastating Melissa worm, which affected close to one million computers according to a Wired report, ILOVEYOU spreads through the e-mail program Microsoft Outlook. A message is sent to a user with the subject line "ILOVEYOU" and an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs." If a user opens the attachment, which contains the malicious code, the worm uses the recipient's Outlook address book to send a copy to everyone listed. In addition to exponentially spreading the bad code, the volume of mail can then threaten to overload mail servers and cause them to fail.
Once the payload is activated, it begins altering files and registry entries on computers running Microsoft Windows in the following way (Macintosh, Linux, and UNIX operating systems are not affected):
- Internet Explorer gets ready to receive a copy of a file called WIN_BUGFIX.exe from several URLs (Internet addresses).
- The worm searches through all subdirectories and files on individual computers and networks.
- All files with the extensions .JPG, .VBS, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .MP3, and .MP2 are overwritten with a copy of the virus, and their file extensions are changed to .VBS. If these files are subsequently clicked or activated by a program, ILOVEYOU executes all over again.
In addition, the code infects the registry.
The worm has also been reported to spread through IRC (Internet Relay Chat), a popular chat service.
A description of the virus and disinfection procedures can be found at Security Watch.
Here are suggestions for fighting against the virus:
- Tell all company users not to open any e-mail with the subject line "ILOVEYOU." In one case, a message was allegedly sent by a company's CEO and was, of course, opened by many employees, despite the oddness of a CEO sending "kindly check the attached LOVELETTER coming from me." Consider Xeroxing the message and distributing the old-fashioned way, as e-mail may be corrupt.
- Create a mail filter to automatically delete all messages with "ILOVEYOU" in the subject line.
- Disable VBS abilities as completely as possible.
If you are infected, you should do the following immediately (according to Security Watch):
First: In the Windows directory (C:\WINDOWS or C:\WINNT), delete the file Win32DLL.vbs.
Second: In the Windows System directory (C:\WINDOWS\SYSTEM32 or C:\WINNT\SYSTEM32), delete LOVE-LETTER-FOR-YOU.TXT.vbs and LOVE-LETTER-FOR-YOU.HTM.
Third: In the Registry, delete the keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL.
Now reboot your system. The virus should no longer be active.
Additional steps are necessary, according to Kevin Brown, a Web development engineer at TechRepublic. If you're sure your machine is infected, use the Windows Search feature to locate all .vbs files in all directories and subdirectories. These files will be corrupt and should be deleted; otherwise, clicking them will reactivate the virus.
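A way to verify the removal steps above, as an added Python example (it is not Kevin Brown's script or TechRepublic's code): it reports any of the named worm files still on disk, lists the remaining .vbs files for review, and on Windows checks the two registry entries. The function names are assumptions of this example, and it only reports; it deletes nothing.

```python
import os
import sys

# File names from the first two removal steps (compared case-insensitively).
WORM_FILES = {"win32dll.vbs", "love-letter-for-you.txt.vbs",
              "love-letter-for-you.htm"}
# Registry entries from the third step: (subkey under HKLM, value name).
RUN_VALUES = [
    (r"Software\Microsoft\Windows\CurrentVersion\Run", "MSKernel32"),
    (r"Software\Microsoft\Windows\CurrentVersion\RunServices", "Win32DLL"),
]


def sweep(root):
    """Walk root; return (named worm files, other .vbs files), both sorted."""
    named, other_vbs = [], []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(folder, fname)
            if fname.lower() in WORM_FILES:
                named.append(path)
            elif fname.lower().endswith(".vbs"):
                other_vbs.append(path)
    return sorted(named), sorted(other_vbs)


def leftover_run_values():
    """Return autostart entries still present, or None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    left = []
    for subkey, value in RUN_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                winreg.QueryValueEx(key, value)  # raises if the value is gone
            left.append(subkey + "\\" + value)
        except FileNotFoundError:
            pass  # key or value absent: nothing left to delete
    return left


if __name__ == "__main__":
    named, other_vbs = sweep(sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS")
    print("worm files still present:", named)
    print(".vbs files to review:", other_vbs)
    print("registry entries still present:", leftover_run_values())
```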
Clean up the virus with this Visual Basic script from TechRepublic
Kevin Brown has written a Visual Basic script that will clean computers of the ILOVEYOU worm. He took the image of the virus and examined its routines. Brown then wrote the script to remove the damage. As a special service, TechRepublic is making the code available to its users; feel free to cut and paste directly from the article. The script was tested on TechRepublic's own computers, many of which were infected by ILOVEYOU.
Based on incoming reports, ILOVEYOU looks to be many times more extensive and damaging than the Melissa virus. Corporations and home users are urged to act quickly to minimize the damage. Check vendor Web sites for the latest updates to antivirus programs and download them immediately. As of this writing, Web sites for Symantec and other popular antivirus vendors were slow to respond or not responding, due to the volume of requests.
Mike Jackman is an editor in chief of TechProGuild and the editor of PC Troubleshooter and Windows Support Professional, and he also works as a freelance Web designer and consultant. In his spare time (when he can find some), Mike's an avid devourer and writer of science fiction, parent to two perpetually adolescent cats, and a hiking enthusiast.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.
Imitations of the ILOVEYOU worm are on the way. While the copycat programs are not expected to cause as much widespread damage as the ILOVEYOU virus, these new iterations pose significant threats and the potential to defeat the protective signatures created by major antivirus manufacturers and the patch produced by TechRepublic. One of the first variants to emerge arrives via e-mail with the subject “fwd:joke” and an attachment titled “very funny.vbs.” Others are sure to follow.
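The mail filter suggested earlier and the variant described above, as an added Python example (not TechRepublic's code): it applies the "ILOVEYOU" subject rule and also checks each attachment's final extension, which still flags "very funny.vbs" when the subject line changes. The `SCRIPT_EXTS` list and the function names are assumptions of this example, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions run by Windows Script Host or the shell. This list is an
# assumption made for the example; the article names only .vbs attachments.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".sct"}


def classify(raw_message):
    """Return the reasons to quarantine a message (empty list means deliver)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    # Rule 1: the subject-line signature suggested in the article.
    if "ILOVEYOU" in str(msg.get("Subject", "")).upper():
        reasons.append("subject:ILOVEYOU")
    # Rule 2: any attachment whose final extension is a script type.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so strip them first.
        stem, dot, ext = name.lower().rstrip(" .").rpartition(".")
        if dot and "." + ext in SCRIPT_EXTS:
            reasons.append("script-attachment:" + name)
            # Rule 3: a harmless-looking extension in front of the real one,
            # as in LOVE-LETTER-FOR-YOU.TXT.vbs.
            if "." in stem:
                reasons.append("double-extension:" + name)
    return reasons


def sample_message(subject, filename):
    """Build a constructed test message; the attachment body is a placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                        ("fwd:joke", "very funny.vbs"),
                        ("Minutes", "minutes.txt")]:
        print(subj, "->", classify(sample_message(subj, fname)) or "deliver")
```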