Loading ...
Sorry, an error occurred while loading the content.


Expand Messages
  • Dragoljub Pokrajac - EECS
    May 4, 2000
      ILOVEYOU file, that apeared on the list can contain VIRUS. I forward the
      message from my University Student Union.



      ---------- Forwarded message ----------
      Date: Thu, 4 May 2000 09:42:39 -0700 (PDT)
      From: Steve Kuehn <sckuehn@...>
      To: Multiple recipients of list EECSGRADS <eecsgrads@...>
      Subject: Urgent: New e-mail virus found at WSU


      I just received reports of a new e-mail virus called
      LoveLetter which is loose on the internet. There already
      have been several reports of the virus on the WSU system
      including from College of Engineering, College of Vet Med,
      Business Affairs office, College of Liberal Arts, College
      of Ag and Home Ec, and Budget Office. This virus is
      spreading very rapidly.

      The e-mail virus (technically a worm) uses the Microsoft
      Outlook e-mail application to spread to every person listed
      in the Outlooks address book. LoveLetter also spreads itself
      using the mIRC chat client. It will search for mIRC and if
      found will put a custom script in it to infect other mIRC
      users. If you receive this in an email, don't open it. One
      should delete it and then empty the trash.

      Name is: LoveLetter

      Subject line is: ILOVEYOU

      Message text
      The message contains the following text:
      kindly check the attached LOVELETTER coming from me.

      E-mail attachment
      The message will have an attachment:
      Execution of the attachment will infect the persons computer.

      For more information see

      Virus Characteristics
      This worm is a VBS program that is sent attached to an email with the
      subject ILOVEYOU. The mail caontains the message "kindly check the
      attached LOVELETTER coming from me." The attachment is called
      LOVE-LETTER-FOR-YOU.TXT.vbs If the user runs the attachment the
      worm runs using the Windows Scripting Host program. This is not
      normally present on Windows 95 or Windows NT unless Internet Explorer
      5 is installed. When the worm is first run it drops copies of
      itself in the following places :- C:\WINDOWS\SYSTEM\MSKERNEL32.VBS
      It also adds the registry keys :-
      Win32DLL=C:\WINDOWS\Win32DLL.vbs in
      order to run the worm at system startup. The worm replaces the following
      files :- *.JPG *.JPEG *.MP3 *.MP2 with copies of itself and it
      adds the extension .VBS to the original filename. So PICT.JPG would be
      replaced with PICT.JPG.VBS and this would contain the worm.
      The worm also overwrites the following files :- *.VBS *.VBE *.JS *.JSE
      *.CSS *.WSH *.SCT *.HTA with copies of itself and renames the
      files to *.VBS. The worm creates a file LOVE-LETTER-FOR-YOU.HTM which
      contains the worm and this is then sent to the IRC channels
      if the mIRC client is installed. This is accomplished by the worm
      replacing the file SCRIPT.INI with the following script :- [script] n0=on
      1:JOIN:#:{ n1= /if ( $nick == $me ) { halt } n2= /.dcc send $nick
      a short delay the worm uses Microsoft Outlook to send copies of itself
      to all entries in the address book. The mails will be of the same format
      as the original mail. This worm also has onother trick up it's sleeve
      in that it tries to download and install an executable file called
      WIN-BUGSFIX.EXE from the Internet. This exe file is a password stealing
      program that will email any cached passwords to the mail address
      MAILME@... In order to facilitate this download the worm sets
      the start-up page of Microsoft Internet Explorer to point to
      the web-page containing the password stealing trojan


      Steve Kuehn, GPSA President
      Voice: (509) 335-2645
      Fax: (509) 335-9530
      E-mail: sckuehn@...

      Graduate and Professional Student Association
      Washington State University
      308 Compton Union Building
      PO Box 647204
      Pullman, WA 99164-7204

      Jo Mark, Office Coordinator: (509) 335-9545

      *To post a message to the list, send it to ai-geostats@....
      *As a general service to list users, please remember to post a summary
      of any useful responses to your questions.
      *To unsubscribe, send email to majordomo@... with no subject and
      "unsubscribe ai-geostats" in the message body.
      DO NOT SEND Subscribe/Unsubscribe requests to the list!