ILOVEYOU, man!!!

— 11:30 AM on May 4, 2000

Wow, there's a fun little VB Script virus making the rounds in record time. According to this article, the thing was unheard of until late yesterday afternoon in Hong Kong, but personally I'm already hearing about a lot more infections than I ever did with Melissa.

Short version: If you get an e-mail from somebody with the subject line "ILOVEYOU", don't open the #$@!'ing thing!!! If you do get infected, go to this site for a cleaner.

The virus operates in several different ways. First, it pulls the standard "e-mail myself to everyone in the address list" trick. Second, it writes some entries to the registry so it'll get executed every time the system is rebooted. It also reconfigures Internet Explorer to download a Trojan Horse program of some sort from one of four different locations on the web. According to the site that has the cleaner program, the Trojan opens your system up to other computers on the Internet.

Looking at the virus code, it also appears to infect the popular IRC client MIRC. It either creates or edits an .ini file that causes an infected user's computer to send the virus to everyone on an IRC channel, whenever that user enters a channel. Nasty. If somebody on IRC tries to send you "LOVE-LETTER-FOR-YOU.HTM", don't accept it.

Meanwhile, Symantec's web site appears to be deader than a doornail at this point; talk about bad timing. If you're reading this and you're a Systems Administrator, don't rely on your anti-virus software to catch this one; the virus is too new to be recognized. Send warnings to your users now. If any machines get infected, download the cleaner program mentioned above; the chances of you cleaning this thing off by hand (and getting it all) are pretty slim.

On a more general note, here's a question for everybody out there: Does anybody in the real world use .VBS files for anything but viruses? Part of this is me being cynical, but I have another point behind it; if you changed the file associations on .VBS files to Notepad, it would break these things in a heartbeat. I'm just wondering if it'd break anything besides viruses. If you have any insight on this, click on the comment link and let me know.

Update: According to this instruction sheet for cleaning the virus (thanks to Slashdot for the link), for a file ending in these extensions: "vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2" the virus will write a copy of itself to the same filename with a .vbs extension, then delete the original. Example: You have an MP3 on your hard drive called "My Song.mp3". The virus writes itself to "My Song.vbs" and then deletes "My Song.mp3". This then happens to every .mp3 file on your hard drive. Bad, bad things. This thing has the potential to be the Black Death of MP3 and pr0n collections.

It appears that the cleaner script referenced above does not clean up files created in this manner, giving rise to the possibility of reinfection. The instruction sheet referenced in the paragraph above gives instructions for cleaning them off, but it basically involves indiscriminately deleting every .vbs file on your hard drive. Hopefully an Undelete utility of some sort would be able to get back most of your JPEGs and MP3's in this case. Be very careful.

Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.