Everyone,
There is a very nasty virus floating around this morning.
The message subject is ILOVEYOU. Do not open this. Delete it immediately
Here is the details, and how to remove this virus from your system.
AntiViral Toolkit Pro has been updated to detect and remove this Worm. http://www.avp.com/may04.html
I-Worm.LoveLetter is a Visual Basic Script worm that is spreading through internet via an Microsoft Outlook e-mail message that reads as a chain letter . The worm uses the Outlook e-mail application to spread.
I-Worm.LoveLetter is also a overwriting Visual Basic Script virus, and
it can spread itself using mIRC client as well.
Technical Details:
When the worm is executed, it first copies itself to Windows System
directory as:
- MSKernel32.vbs
- LOVE-LETTER-FOR-YOU.TXT.vbs
and to Windows directory:
- Win32DLL.vbs
Then it adds the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
The worm replaces the Internet Explorer home page with a link to
an executable program, "WIN-BUGSFIX.exe" and creates a HTML file, "
LOVE-LETTER-FOR-YOU.HTM", to the Windows System directory.
I-Worm.LoveLetter will use Outlook to mail a copy of itself to everyone in each
address book.
The message will be addressed:
Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
The worm then searches for file with an extension of .jpeg, .mp3, .mp2,.jpg .js, .jse, .css, .wsh, .sct, and .hta on local and remote drives andoverwrites them with itself. Once overwritten the worm changes the extension of the overwritten files to .vbs or .vbe.
For more information about the rp-ml, see http://ltk.hut.fi/rp-ml/
This archive was generated by hypermail 2.1.2 : Tue Jun 05 2001 - 23:03:24 EEST