Thursday, September 24, 2009

What is the VBS.Loveletter virus and its NewLove variant?


"The ILOVEYOU virus is an email attachment written in Visual Basic and smartly disguised as a love letter. Who wouldn't want to receive a love letter after all? The email attachment was called LOVE-LETTER-FOR-YOU.TXT.vbs and when opened wreaked havoc throughout a computer system by overwriting files or hiding them throughout the system, and in the case of people using Microsoft Outlook it sent a copy of the virus to everyone in the computer's address book.

The Love Bug infects files with the following extensions: "vbs", "vbe", "js", "jse", "css", "wsh", "sct", "hta", "jpg", "jpeg", "mp3", or "mp2". Except for "mp3" and "mp2" files, the virus overwrites the whole file with its virus code and the original file is destroyed.

For "vbs" and "vbe" files

The virus does not change the host filename.

For "js", "jse", "css", "wsh", "sct" or "hta" files

It changes the filename to "<File Basename>.vbs" (for example: MyStyleSheetFile.css is renamed as MyStyleSheetFile.vbs).

For "jpg" and "jpeg" files

It changes the filename to "<Filename>.vbs" (for example: MyJPEGFile.jpg is renamed as MyJPEGFile.jpg.vbs).

For "mp3" or "mp2" files

It changes the attributes of the original audio file to hidden and system, and creates a copy of the virus itself under the filename "<Filename>.vbs" (for example: with MyMP3File.mp3, the virus makes a copy of itself as a file called MyMP3File.mp3.vbs). Therefore, all "mp2" and "mp3" files can be recovered from an infected system.

Once executed, this virus drops the following files:

\windows\Win32DLL.vbs
\system\MSKernel32.vbs
\system\LOVE-LETTER-FOR-YOU.TXT.vbs
\system\LOVE-LETTER-FOR-YOU.HTM

It also modifies the following registry entries so that the virus is executed at each Windows start-up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = <drive>:\windows\system\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = <drive>:\windows\Win32DLL.vbs

It searches for a file named WinFAT32.exe in the <drive>:\Windows\system folder. If the file does not exist, it modifies Internet Explorer's startup page with one of the following sites:

http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

It also searches your system for a file called WIN-BUGSFIX.exe (same as WinFAT32.exe). Before searching for the file, the virus first checks whether the key Download Directory located at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ contains a value. If it does, the virus proceeds to look for the file WIN-BUGSFIX.EXE at the path specified in the Download Directory key. But if the registry key does not contain any value, then the virus looks for WIN-BUGSFIX.EXE at C:\. VBS_LOVELETTER then modifies Internet Explorer's startup page to "about:blank".

It also modifies the registry key to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX, <download directory>\WIN-BUGSFIX.exe if Download Directory contains a value, or to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX, C:\WIN-BUGSFIX.EXE if it does not contain a value.

The file WIN-BUGSFIX.EXE is actually a password stealing Trojan.

How Do I Remove the Virus?

Unfortunately after the virus has struck there's not much that can be done to retrieve the destroyed data except to reload the destroyed files from a backup. However, after updating your anti-virus program or buying one, follow these steps to correct the registry and get your computer working again.

Using the REGEDIT program, remove the following keys from your Windows registry.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL=C:\WINDOWS\Win32DLL.vbs

Not comfortable with Regedit? You can download a small free program called Love_Letter_Clean.exe from Computer Associates, Inc. that automatically removes the registry keys for you. It's available here. When you click on the link, select "Open this file from its current location" and click OK, or visit any of the top virus protection sites like McAfee, Norton, or Trend Micro to download a similar program.

Finally, let's straighten out your IE home page, which the virus reset to www.skyinet.net. From IE's Tools menu, select Internet Options. Right at the top of the dialog you'll see the Home page setting. Type in the URL of the page you use for your home page, and click OK. That should be it. If you followed all the steps above your system should be free and clean from this painful love letter.




Information on NewLove - a far more dangerous worm/virus

On May 19th a far more dangerous variation of the LoveLetter worm struck. The worm spreads via Microsoft Outlook and sends itself to everyone in the address book just like its predecessor, but this version overwrites ALL files that are not currently in use at the time of the infection, thus destroying most everything on the hard drive. It also is more dangerous because it changes the wording in the subject line and the name of the attachment it sends by picking a random filename from the user's Start folder or making one up.

So if the worm changes itself, what can you do to prevent it? Simple:

Purchase Anti-Virus Software for your computer

Keep your Anti-Virus program up-to-date with the latest virus signatures

Install a program to alert you when scripts run on your computer

Learn about the dangers of HTML email and attachments

and avoid opening any attachments."
- ILOVEYOU Virus and NewLove Virus Information - VBS.LoveLetter (view on Google Sidewiki)
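As an added example that is not part of the quoted writeup, the following Python script applies the per-extension rename rules above to a file listing taken from a suspect machine, so a responder can see which files the double extension marks as recoverable (the hidden mp3/mp2 originals still sit beside their `.vbs` copy) and which were overwritten. The category names, the sample paths and the `scan_tree` helper are this example's own and do not come from the page.

```python
r"""Triage a Windows file listing for VBS.LoveLetter artefacts.

Added defender-side example; it is not code from the original page or from
any anti-virus vendor. It applies the rename rules described above to a
listing of paths and separates recoverable files from destroyed ones.
Paths and file names below are constructed sample data.
"""
import ntpath
import os
from typing import Dict, List, Tuple

# File names the writeup says the worm drops; matched case-insensitively on basename.
DROPPED_NAMES = {
    "win32dll.vbs",
    "mskernel32.vbs",
    "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm",
    "win-bugsfix.exe",
}
AUDIO = {"mp3", "mp2"}    # original set hidden+system, worm copy written as <name>.vbs
IMAGE = {"jpg", "jpeg"}   # original overwritten and renamed to <name>.vbs
# js/jse/css/wsh/sct/hta files are overwritten and lose their extension entirely,
# so in a listing they look the same as an overwritten .vbs file.


def classify(path: str) -> str:
    """Return the artefact category for one path."""
    name = ntpath.basename(path).lower()
    if name in DROPPED_NAMES:
        return "dropped_file"
    stem, ext = ntpath.splitext(name)
    if ext == ".vbs":
        inner = ntpath.splitext(stem)[1].lstrip(".")
        if inner in AUDIO:
            return "recoverable_audio_copy"
        if inner in IMAGE:
            return "overwritten_image"
        return "suspect_script"   # overwritten .vbs, or a renamed js/css/... file
    if ext == ".vbe":
        return "suspect_script"
    return "untouched"


def triage(listing: List[str]) -> Dict[str, List[str]]:
    """Group every path that is not 'untouched' by category."""
    groups: Dict[str, List[str]] = {}
    for path in listing:
        category = classify(path)
        if category != "untouched":
            groups.setdefault(category, []).append(path)
    return groups


def recovery_targets(listing: List[str]) -> List[Tuple[str, bool]]:
    """For each <name>.mp3.vbs / <name>.mp2.vbs copy, return the hidden original
    that should still exist and whether it appears in the listing. If it does
    not, the listing was probably taken without hidden files (use `dir /a`)."""
    present = {p.lower() for p in listing}
    targets = []
    for path in listing:
        if classify(path) == "recoverable_audio_copy":
            original = path[: -len(".vbs")]
            targets.append((original, original.lower() in present))
    return targets


def scan_tree(root: str) -> List[str]:
    """Build a listing from a live drive (os.walk does not skip hidden files)."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]


# Constructed sample listing, not data from the page.
SAMPLE_LISTING = [
    r"C:\WINDOWS\Win32DLL.vbs",
    r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
    r"C:\Music\song.mp3.vbs",
    r"C:\Music\song.mp3",            # hidden original, still intact
    r"C:\Pics\photo.jpg.vbs",        # the .jpg was overwritten; nothing to recover
    r"C:\Web\MyStyleSheetFile.vbs",  # was MyStyleSheetFile.css; original name is lost
    r"C:\Docs\report.doc",
]

if __name__ == "__main__":
    for category, paths in triage(SAMPLE_LISTING).items():
        print(category, paths)
    print("recover:", recovery_targets(SAMPLE_LISTING))
```

Run `scan_tree(r"C:\")` on the suspect drive to build a real listing; the classification deliberately stays pessimistic about plain `.vbs` files, since a renamed `.css` or `.js` and a genuinely overwritten script are indistinguishable by name alone.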
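The registry persistence and the REGEDIT removal step in the writeup above can be checked and reproduced offline. The following Python script, again an added example and not the page's or any vendor's code, parses a `reg export` of the Run/RunServices keys and the Internet Explorer Main key, flags the value names the writeup lists, and emits a cleanup `.reg` file that deletes them using the `"name"=-` syntax regedit understands. It goes one step beyond the page by also flagging any other autorun value that points at a `.vbs` file for manual review. The sample export is constructed (the URL path in it is a placeholder); the key paths and value names come from the writeup.

```python
r"""Find VBS.LoveLetter persistence in a .reg export and build the removal file.

Added defender-side example, not code from the original page. It assumes the
exports were taken on the suspect machine with, for instance,
    reg export "HKLM\Software\Microsoft\Windows\CurrentVersion" run.reg
    reg export "HKCU\Software\Microsoft\Internet Explorer\Main" ie.reg
and works only on those text files, so it runs offline on any platform and
never touches a live registry. SAMPLE_EXPORT is constructed data.
"""
import re
from typing import Dict, List, Tuple

RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
IE_MAIN = r"hkey_current_user\software\microsoft\internet explorer\main"
LOVELETTER_VALUES = {"mskernel32", "win32dll", "win-bugsfix"}   # value names from the writeup

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data  or  @=data


def _unescape(data: str) -> str:
    r"""REG_SZ data is quoted, with \\ and \" escaped; other types are kept raw."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format needed here: [keys] and their values.
    Key names keep their original case (the registry is case-insensitive)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE.match(line)
        if value_match and current is not None:
            name = value_match.group(1) if value_match.group(1) is not None else "@"
            keys[current][name] = _unescape(value_match.group(2))
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (reason, key, value_name, data) tuples for everything worth a look."""
    by_lower = {k.lower(): k for k in keys}
    hits = []
    for wanted in RUN_KEYS:
        key = by_lower.get(wanted)
        if key is None:
            continue
        for name, data in keys[key].items():
            if name.lower() in LOVELETTER_VALUES:
                hits.append(("loveletter autorun value", key, name, data))
            elif data.lower().endswith(".vbs"):
                # Broader than the writeup: any script autorun deserves a review.
                hits.append(("script autorun (review)", key, name, data))
    key = by_lower.get(IE_MAIN)
    if key is not None:
        start = keys[key].get("Start Page", "")
        if "skyinet.net" in start.lower() or "win-bugsfix" in start.lower():
            hits.append(("hijacked IE start page", key, "Start Page", start))
    return hits


def removal_reg(hits: List[Tuple[str, str, str, str]]) -> str:
    """Build a .reg file that deletes the confirmed autorun values ("name"=- is
    the .reg syntax for deleting a value) and resets the start page. Apply it
    with: regedit /s loveletter_cleanup.reg   (review-only hits are left alone)."""
    per_key: Dict[str, List[str]] = {}
    for reason, key, name, _data in hits:
        if reason == "loveletter autorun value":
            per_key.setdefault(key, []).append(f'"{name}"=-')
        elif reason == "hijacked IE start page":
            per_key.setdefault(key, []).append('"Start Page"="about:blank"')
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, entries in per_key.items():
        lines.append(f"[{key}]")
        lines.extend(entries)
        lines.append("")
    return "\n".join(lines)


# Constructed sample export (the URL path is a placeholder, not one from the page).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"Tray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.skyinet.net/~young1s/PLACEHOLDER-PATH/WIN-BUGSFIX.exe"
'''

if __name__ == "__main__":
    found = find_indicators(parse_reg_export(SAMPLE_EXPORT))
    for hit in found:
        print(*hit)
    print(removal_reg(found))
```

The script only ever deletes the three value names the writeup attributes to the worm; anything it merely flags for review is left for a human decision, which is the safer default when the same Run key also carries legitimate entries.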

Friday, September 18, 2009

The Hindu : Arts / Radio & TV : Keep watching!


Thursday, August 6, 2009

Live Score