Protect Yourself from the ILOVEYOU and NewLove Viruses

In a matter of 5 hours on May 4th, 2000, an email worm crawled its way from the Philippines across the globe, devastating companies and individuals that weren't prepared for this catastrophe. Understanding how the ILOVEYOU worm works will enable you to combat it and several other similar viruses. Below you'll find links to numerous articles on the so-called Love Bug and how to protect yourself.

What is the VBS.Loveletter Virus?
Read about the 30+ Variants of the ILoveYou virus
Remove the Registry Entries from VBS.Loveletter
Learn How to Prevent Viruses like this

Install A Program to Alert you when Scripts Run

Information on the NewLove Variant

 

What is the VBS.Loveletter virus and its NewLove variant?

The ILOVEYOU virus is an email attachment written in Visual Basic Script and smartly disguised as a love letter. Who wouldn't want to receive a love letter after all? The email attachment was called LOVE-LETTER-FOR-YOU.TXT.vbs and, when opened, wreaked havoc throughout a computer system by overwriting files or hiding them throughout the system; in the case of people using Microsoft Outlook, it also sent a copy of the virus to everyone in the computer's address book.

The Love Bug infects files with the following extensions: "vbs", "vbe", "js", "jse", "css", "wsh", "sct", "hta", "jpg", "jpeg", "mp3", or "mp2". Except for "mp3" and "mp2" files, the virus overwrites the whole file with its virus code and the original file is destroyed.

For "vbs" and "vbe" files
The virus does not change the host filename.

For "js", "jse", "css", "wsh", "sct" or "hta" files
It changes the filename to "<File Basename>.vbs" (For example: MyStyleSheetFile.css is renamed as MyStyleSheetFile.vbs).

For "jpg" and "jpeg" files
It changes the filename to "<Filename>.vbs" (For example: MyJPEGFile.jpg is renamed as MyJPEGFile.jpg.vbs).

For "mp3", or "mp2" files
It sets the hidden and system attributes on the original audio file and creates a copy of itself named "<Filename>.vbs" (for example: for MyMP3File.mp3, the virus makes a copy of itself as a file called MyMP3File.mp3.vbs). Because the original is only hidden, not overwritten, all "mp2" and "mp3" files can be recovered from an infected system.
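The rename and overwrite rules above determine which files can be salvaged after an infection. As an added example (not code from the original article), the following Python script walks a directory tree, classifies every .vbs file it finds using those rules, and reports which audio originals are still present next to their .vbs copies. The sample tree it builds under a temporary directory is constructed for the demonstration; the function names are this example's own.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# Extension families as the page lists them; the worm treats each differently.
AUDIO = {".mp3", ".mp2"}        # original kept (hidden), worm copy added as X.mp3.vbs
IMAGE = {".jpg", ".jpeg"}       # overwritten and renamed to X.jpg.vbs; original destroyed
RENAMED = {".js", ".jse", ".css", ".wsh", ".sct", ".hta"}  # overwritten, renamed to <basename>.vbs


def classify_vbs(path: Path) -> tuple[str, Path | None]:
    """Classify one .vbs file found on an infected system.

    Returns (verdict, path_of_recoverable_original_or_None).
    """
    if path.suffix.lower() != ".vbs":
        return "not_a_vbs_file", None
    # "song.mp3.vbs" -> stem "song.mp3" -> inner suffix ".mp3"
    inner = Path(path.stem).suffix.lower()
    if inner in AUDIO:
        original = path.with_name(path.stem)
        # The worm hid the original beside the .vbs copy; if it is still there it is intact.
        if original.exists():
            return "recoverable_audio", original
        return "audio_original_missing", None
    if inner in IMAGE:
        return "destroyed_image", None
    # A bare "X.vbs" is either a native .vbs/.vbe overwritten in place or a renamed
    # .js/.jse/.css/.wsh/.sct/.hta file; either way the original content is gone.
    return "overwritten_or_renamed_script", None


def assess_tree(root: Path) -> dict[str, list[str]]:
    """Walk a directory tree and group every .vbs file by verdict."""
    report: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*.vbs")):
        verdict, original = classify_vbs(p)
        entry = f"{p.name} -> {original.name}" if original else p.name
        report.setdefault(verdict, []).append(entry)
    return report


def build_sample_infection() -> Path:
    """Construct a small tree mimicking the page's description (sample data, not a real capture)."""
    root = Path(tempfile.mkdtemp(prefix="loveletter_demo_"))
    (root / "MyMP3File.mp3").write_bytes(b"ID3 fake audio bytes")        # original, survives
    (root / "MyMP3File.mp3.vbs").write_text("' worm copy placeholder")
    (root / "MyJPEGFile.jpg.vbs").write_text("' worm copy placeholder")   # image content gone
    (root / "MyStyleSheetFile.vbs").write_text("' worm copy placeholder") # was MyStyleSheetFile.css
    (root / "notes.txt").write_text("untouched")                          # not a targeted type
    return root


if __name__ == "__main__":
    demo_root = build_sample_infection()
    for verdict, entries in assess_tree(demo_root).items():
        print(verdict)
        for e in entries:
            print("   ", e)
```

On a real Windows system the recovered audio files still carry the hidden and system attributes the worm set, so after deleting the .vbs copies you would clear those attributes (for example with the `attrib` command) before the files show up in Explorer again.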

Once executed, this virus drops the following files:
\windows\Win32DLL.vbs
\system\MSKernel32.vbs
\system\LOVE-LETTER-FOR-YOU.TXT.vbs
\system\LOVE-LETTER-FOR-YOU.HTM

It also adds the following registry entries so that the virus is executed each time Windows starts up:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = :\windows\system\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = :\windows\Win32DLL.vbs

It searches for a file named WinFAT32.exe in the :\Windows\system folder. If the file does not exist, it modifies Internet Explorer’s startup page with one of the following sites:

http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe

http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe

http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe

http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

It also searches your system for a file called WIN-BUGSFIX.exe (as it did for WinFAT32.exe). Before searching for the file, the virus first checks whether the Download Directory value under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ contains anything. If it does, the virus looks for WIN-BUGSFIX.EXE at the path specified in the Download Directory value. If the registry value is empty, the virus looks for WIN-BUGSFIX.EXE at C:\. VBS_LOVELETTER then modifies Internet Explorer's startup page to "about:blank".

It also adds a registry entry to run the downloaded file: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX = <download directory>\WIN-BUGSFIX.exe if Download Directory contains a value, or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX = C:\WIN-BUGSFIX.EXE if it does not.

The file WIN-BUGSFIX.EXE is actually a password stealing Trojan.

How Do I Remove the Virus?

Unfortunately, after the virus has struck there's not much that can be done to retrieve the destroyed data except to reload the destroyed files from a backup. However, after updating your anti-virus program (or buying one), follow these steps to correct the registry and get your computer working again.

Using the REGEDIT program, remove the following keys from your Windows registry.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL=C:\WINDOWS\Win32DLL.vbs

Not comfortable with Regedit? You can download a small free program called Love_Letter_Clean.exe from Computer Associates, Inc. that automatically removes the registry keys for you. It's available here. When you click on the link, select "Open this file from its current location" and click OK, or visit any of the top virus protection sites like McAfee, Norton, or Trend Micro to download a similar program.

Finally, let's straighten out your IE home page, which the virus reset to www.skyinet.net. From IE's Tools menu, select Internet Options. Right at the top of the dialog you'll see the Home page setting. Type in the URL of the page you use for your home page, and click OK. That should be it. If you followed all the steps above, your system should be free and clean of this painful love letter.
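Before and after the manual clean-up above, it helps to confirm exactly which traces are present rather than trusting a single look through Regedit. As an added example (not from the original article), the following Python script parses the text file that Regedit produces when you export a key, then flags the Run and RunServices entries and the hijacked Internet Explorer start page described on this page. The sample export embedded in it is constructed for the demonstration; the parser is this example's own and handles only plain string values.

```python
from __future__ import annotations

# Persistence keys and indicator strings taken from the page's description of VBS.Loveletter.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
RUN_INDICATORS = ("mskernel32", "win32dll", "win-bugsfix")
IE_MAIN_KEY = r"hkey_current_user\software\microsoft\internet explorer\main"
HIJACK_HOST = "skyinet.net"   # the virus points the IE start page at this site


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for Regedit's text export format (string values only).

    Returns {key_path: {value_name: value_data}}. Key paths are lower-cased
    because the registry itself is case-insensitive.
    """
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = name.strip().strip('"')          # "@" stays as the default-value marker
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            # .reg files double every backslash inside quoted strings
            data = data[1:-1].replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def find_loveletter_traces(export_text: str) -> list[tuple[str, str, str]]:
    """Return (key, value_name, data) for every entry matching the page's indicators."""
    hits: list[tuple[str, str, str]] = []
    for key, values in parse_reg_export(export_text).items():
        for name, data in values.items():
            blob = f"{name} {data}".lower()
            if key in RUN_KEYS and any(ind in blob for ind in RUN_INDICATORS):
                hits.append((key, name, data))
            elif key == IE_MAIN_KEY and name.lower() == "start page" and HIJACK_HOST in data.lower():
                hits.append((key, name, data))
    return hits


# Constructed sample export resembling an infected machine (not a real capture).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"WIN-BUGSFIX"="C:\\WIN-BUGSFIX.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.skyinet.net/~young1s/"
"""

if __name__ == "__main__":
    for key, name, data in find_loveletter_traces(SAMPLE_EXPORT):
        print(f"[{key}] {name} = {data}")
```

To run it against a real machine, export the keys first (for example `regedit /e run.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"`) and pass the file's contents to `find_loveletter_traces`; exports from later Windows versions are UTF-16 text, so open them with that encoding. An empty result after clean-up means the three Run entries and the start-page hijack from this page are gone.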

Information on NewLove - a far more dangerous worm/virus

On May 19th a far more dangerous variation of the LoveLetter worm struck. The worm spreads via Microsoft Outlook and sends itself to everyone in the address book just like its predecessor, but this version overwrites ALL files that are not in use at the time of infection, destroying nearly everything on the hard drive. It is also more dangerous because it changes the wording of the subject line and the name of the attachment it sends, picking a random filename from the user's Start folder or making one up.

So if the worm changes itself, what can you do to prevent it? Simple.

Written by Mark Hasting