| THE OZARKS.COM HOME PAGE | OUR MAIN SITE MAP | COMMENTS | HOT LINKS | OUTDOORS | SURVIVAL | VIRUS INFO |

| AWARDS | ABOUT US | BELIEFS | HOLIDAY PAGES | WEB RINGS | UTILITIES | GUEST BOOK | A LACK OF PRIVACY |



VIRUS ALERTS






THE "I LOVE YOU" VIRUS - Updated May 4th, 2000
Virus Bugs VERY DANGEROUS


OK, once again Micro$oft and Micro$oft Outlook are under attack, and I cannot handle this virus in my usual fashion. Things are happening and changing too fast for any one individual to keep track of all the different versions, variants and changes in this virus, so I will have to refer you to some of the larger virus detection centers, such as:

F-Secure discovered the virus Wednesday evening, May 3rd, 2000, when the security vendor got a call from an infected user in Norway. F-Secure suspects that the virus originated in the Philippines because the author of the Trojan Horse program included a message in the software reading "Copyright 2000, GRAMMERSoft Group, Manila, Phil."
F-Secure
This site gives the most complete description of the Love Virus and some (not all) of its variants.

You also will want to check with your own anti-virus sites for updates.

If you are running McAfee Antivirus and if you trust me, you can download the newest "extra.dat" update to handle this new problem: Love-4.zip file here.

McAfee
Symantec * Norton Antivirus
Dr. Solomon
Trend Micro

This virus is easily altered, and it seems like every would-be virus "expert(sic)" is getting in on the act. This virus is being altered so quickly it is hard to keep track of all the variants. It is also being sent out as "Joke" and "Very Funny", all very dangerous variants of the original "Melissa" Worm Virus. The newest one and the most dangerous is titled "Mothers Day Order Confirmation" as the subject line.
Since you will receive this mail from someone you know, the best advice I can give at this time is (if at all possible) do not open any attachment to any email.

The "I Love You" e-mail virus, which forced the shutdown of e-mail servers around the world on Thursday, contains a Trojan Horse program that sent the cached Windows passwords of unsuspecting recipients who opened the virus-laden attachment to an e-mail account in the Philippines.
Security experts said the Trojan Horse program also has the ability to steal passwords to dial-up Internet services from end-user PCs. Infected users should take care to change passwords that may have been compromised, the experts warned.
Elias Levy, a security analyst at SecurityFocus.com in San Mateo, Calif., said the Love virus modified Internet Explorer start pages to point to one of four Web sites hosted by a Philippine-based Internet service provider called Sky Internet Inc.

But for users who have both Outlook and a companion product called Windows Scripting Host, simply previewing the message is enough to activate the virus, CERT reported. "Advice to avoid clicking on unsolicited mail doesn't help in this case, though it does help users of e-mail programs other than Outlook," CERT said in a statement.

DESCRIPTION

VBS/LoveLetter.worm arrives via email message with one of three subject lines:
"ILOVEYOU"
"Susitikim shi vakara kavos puodukui..."
"Joke"

The text reads "kindly check the attached LOVELETTER coming from me.", and the worm is included in the attachment, called "LOVE-LETTER-FOR-YOU.TXT.vbs" or "VeryFunny.vbs".

This worm attempts to send copies of itself through mIRC to the IRC channels and through Outlook to all address book entries.

VBS/LoveLetter.worm also attempts to download and install an executable file called WIN-BUGSFIX.EXE, a password stealing program that will email any cached passwords it finds to the mail address MAILME@SUPER.NET.PH.






UPDATED June 11th, 1999: The WORM.EXPLORE.ZIP Virus is just the latest clone of the Melissa Macro Viruses (technically it is a worm, not a virus), but it is by far the MOST DANGEROUS and widespread version at this time, and getting larger. Everyone needs to check out all the info available about this clone. This is the first version that is causing damage to machines. We should have known this was going to happen.
Also be sure to check out McAfee's page on this Virus.
Symantec users go to SYMANTEC'S ALERT PAGE.
There is also a very good article on this Macro Virus alert on "Wired Magazine's News Page".
Once again Micro$oft gets caught with its pants down. This virus is another one that affects Micro$oft programs and files. Is this one of the advantages of integrated programs, or is Microsoft a victim and just the biggest target around right now for these would-be hackers to attack?




The latest "Worm.Explore.zip" this time highly destructive

Since its discovery in Israel on June 6th, 1999, technical support lines at various anti-virus companies have been ringing frantically over the past 24 hours or so with the spread of a new Win32 worm known as Explore.Zip. The latest in a series of such files, Win32/Explore.Zip spreads itself by exploiting MAPI-aware email packages such as Microsoft Outlook, Outlook Express and Exchange.

A message is sent from the infected PC to recipients listed in the user's address book containing the following message:
Hi {name of recipient}
I have received your email and I shall send you a reply ASAP.
Till then take a look at the attached zipped docs.
Bye.

Additionally the message contains a file attachment named zipped_files.exe. This is the worm, and once executed performs its task behind the mask of an error message box.




The Payload

The payload of this virus is highly destructive. Once executed the EXPLORE.EXE file is dropped, and the WIN.INI file on the host machine is modified such that it runs this executable on each Windows startup. The destructive part of the payload is that it searches all accessible drives (including network drives) for the following file types, and if found reduces their length to zero bytes.

File extensions affected: .ASM, .CPP, .DOC, .XLS, .PPT

The number of reports/notifications we have received concerning Win32/Explore.Zip indicates that it is definitely 'In-the-Wild', and has spread rapidly over the past 24 hours. Contact your anti-virus product vendor for information on obtaining updates to protect your system against this latest threat.





 
Virus Alerts 
SUBJECT: MAILISSA is a Macro Virus, Found March, 1999
W97M.Mailissa
Virus Name: W97M.Mailissa
Aliases: W97M.Melissa
Infection Length: one VBA5 module named Melissa
Area of Infection: Microsoft Word 97 documents
Likelihood: Common
Region Reported: US
Characteristics: Macro, Wild
Additional information can be confirmed at:
http://www.symantec.com/avcenter/venc/data/mailissa.html

MAILISSA, W97M, Word Macro Virus


Virus Characteristics

W97M.Mailissa is a common macro virus with a unique payload.
Similar to W97M.Pri, the virus turns off the security protection upon opening an infected document in MS Word 2000. This disables the MS Word 2000 macro prompt the next time the document is opened.
It infects MS Word 97 documents by adding a new VBA5 (macro) module named Melissa. Although there is nothing unique in the infection routine of this macro virus, it has a payload that utilizes MS Outlook to send an attachment of the infected MS Word 97 document being opened.


Technical Notes

When opening or closing an infected document, the virus determines if there has been a previous mass emailing by checking the registry key "HKEY_CURRENT_USER\Software\Microsoft\Office\" for the value "Melissa?".
The value data is set to "…by Kwyjibo" if the mass emailing has been done on the current machine.
If the virus does not find the registry entry, it will do the following:

  1. Open MS Outlook.

  2. Use MAPI calls to retrieve the user's profile to use MS Outlook.

  3. Create a new email message that is sent to up to 50 addresses listed in the MS Outlook address book.

  4. Give the email the subject line "Important Message From USERNAME", where USERNAME is taken from the MS Word profile.

  5. Set the email message to "Here is that document you asked for ... don't show anyone else ;-)"

  6. Attach the active document (the infected document being opened or closed) to the email message.

  7. Send the email.

Please note that "HKEY_CURRENT_USER\Software\Microsoft\Office" is a registry entry created by MS Office. The virus simply adds a new value into this registry entry: "Melissa?". As stated above, the value is set to "…by Kwyjibo" if the virus has successfully mass emailed infected documents from the system. Once the value is set, the virus does not attempt another mass emailing.
The second payload replaces the currently selected text of the document with:

  "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
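A check for the registry marker described in the Technical Notes, as an added example that is not part of the original page or of any vendor tool. It scans the text of a `reg export` file (already decoded to a string) for the "Melissa?" value under the key named above; the function name and both sample exports are constructed for illustration.

```python
import re

# Key, value name and data fragment as given in the Technical Notes above.
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office"
MARKER_VALUE = "Melissa?"
MARKER_DATA = "by kwyjibo"

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_STR_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def find_melissa_marker(reg_text):
    """Return (value_found, mass_mail_done, data) for the marker in a .reg export."""
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            # Registry key names are case-insensitive
            current = m.group("key").rstrip("\\").lower()
            continue
        if current != MARKER_KEY.lower():
            continue  # only the exact key counts, not its subkeys
        m = _STR_RE.match(line)
        if m and _unescape(m.group("name")).lower() == MARKER_VALUE.lower():
            data = _unescape(m.group("data"))
            return True, MARKER_DATA in data.lower(), data
    return False, False, None

# Constructed sample exports (hypothetical hosts, not taken from the page).
SAMPLE_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office]
"Melissa?"="... by Kwyjibo"

[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word]
"Path"="C:\\Program Files\\Microsoft Office"
'''
SAMPLE_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word]
"Melissa?"="decoy under a different key"
'''

if __name__ == "__main__":
    print(find_melissa_marker(SAMPLE_INFECTED), find_melissa_marker(SAMPLE_CLEAN))
```

A hit with `mass_mail_done` set means the mass-mailing step already ran from that user profile, so the recipients in that user's address book should be treated as exposed.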

Warning: If you receive a message with the following subject or banner:
"Important Message from "Username"",
do not execute its attachment.   Delete the entire message.
 
 


Method of Infection

By Email Attachment.
 
 


Removal

Norton AntiVirus users can protect themselves from this virus by downloading the current virus definitions either through LiveUpdate or from the following webpage:

http://www.symantec.com/avcenter/download.html


Additional Information

What is a Macro Virus


Prevention

Warning: If you receive a message with the following subject or banner:
"Important Message from "Username"",
do not execute its attachment.   Delete the entire message.


Here is one solution to a Macro Virus:

A very wise rule to follow is to *not* allow your email client, News reader, Web browser, etc. to automatically run the "viewer" application associated with a downloaded file by type. *Especially* if the associations are coming from Windows, rather than being hard coded in the client program where they can be limited to true viewers.

The "launch attachment automatically" button in many News readers is especially dangerous, because you don't even get to see what the file name really is (as opposed to what the subject line says) before it is launched. You may think you're about to view "bikini.jpg", when you're really going to run "gotcha.bat".

So rule one is make sure you know what the file name/type is before you let the associated application be launched. Rule two, then, is to be very careful when the file type is one that can contain executable code. In addition to .bat, .com, and .exe, this category includes data files for any application that supports a macro language, like .doc, .dot, .xls, etc.

.bat files can be examined before running.

ALL Executable programs from an untrusted or from an unknown source should be virus-scanned.

} ...
} The virus can be defeated by not opening the
} attachment, or by using the macro virus detection capabilities of
} Word 8 (which ships in Office 97).

Also, macro packages to add macro virus security to Word 6 and 7 can be downloaded from http://www.microsoft.com.

The best solution (IMHO) is to download the Word *viewer*, wordview.exe, and set that up as the default application for opening .doc and .dot files. It's free, and it can't execute macro code so it's always safe.
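Rule one and rule two above, applied to the attachment names quoted in the alerts on this page, as an added example that is not part of the original page. It parses a mail message and classifies each attachment by its final extension; the function names, the DECOY list and the sample message are assumptions made for illustration.

```python
import email
from email import policy

# Extensions this page names: directly executable, and data files that can carry macros.
EXECUTABLE = {".bat", ".com", ".exe", ".vbs"}
MACRO_CAPABLE = {".doc", ".dot", ".xls"}
# Assumed list of "looks harmless" extensions; suspicious only when NOT the last one.
DECOY = {".txt", ".jpg", ".gif", ".zip"}

def classify_name(filename):
    """Classify by the final extension, the one Windows uses to pick the handler."""
    # Windows drops trailing dots and spaces from file names, so ignore them here too
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2:
        return "unknown"
    last = "." + parts[-1]
    prev = "." + parts[-2] if len(parts) > 2 else None
    if last in EXECUTABLE:
        return "executable-masquerade" if prev in DECOY else "executable"
    if last in MACRO_CAPABLE:
        return "macro-capable"
    return "other"

def triage(raw_message):
    """Return (filename, verdict) for every attachment of a raw mail message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return [(n, classify_name(n)) for n in names]

# Constructed sample message; the attachment body is a placeholder, not real content.
SAMPLE = """\
From: friend@example.com
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

placeholder
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The "executable-masquerade" verdict covers names like "LOVE-LETTER-FOR-YOU.TXT.vbs", which read as a text file whenever the mail client or Windows hides the last extension.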

