Children of 'Love' bug: No celebration
by Roy Linker


An international manhunt has failed to deter several anonymous authors from creating new, potentially more destructive variants of the 'ILOVEYOU' script worm that clogged e-mail servers around the world on Thursday.

In less than 36 hours, five different variants of the ILOVEYOU worm have appeared. The one found Friday morning, dubbed "Mothers Day," masquerades as a response to an order for a Mother's Day gift. Like the 'Love' bug, the worm deletes files and spreads itself through e-mail.

"This will follow the pattern that we learned with Melissa," said David Kennedy, director of research services for security firm ICSA.net. "Within 24 hours we saw a variant of Melissa. Within three days we saw a worse variant that infected Excel files."
Kennedy expected a similar effect with ILOVEYOU.

"We will continue to see variations on the theme," he said. In fact, late Friday another variant, called "Brainstorm," had popped up. The subject line of the e-mail carrying the worm says "Important! Read carefully!"

More to come?
The "Mothers Day" variant is perhaps the worst yet, said Richard Jacobs, president of Sophos Inc., an anti-virus software maker in Wakefield, Mass. Instead of overwriting multimedia and script files (as the "ILOVEYOU" worm does), he said, it overwrites and deletes .bat and .ini files, which can cause more damage and prevent systems from booting up.

Mothers Day Virus
* Subject line reads 'Mother's Day Order Confirmation' and a blurb of text informs the recipient that his or her credit card has been charged $326.92 for a Mother's Day diamond special. The attachment is in the form of an invoice, entitled mothersday.vbs, leading security experts to believe many people will unwittingly open it.

Lithuanian worm
* A version of the bug apparently modified by someone in Lithuania. The subject field is 'Susitikim shi vakara kavos puodukui,' which is reportedly Lithuanian for 'Let's meet this evening for a cup of coffee.'

Joke Worm
* The subject field of this version reads 'fwdd:Joke,' and the infected attachment is entitled VeryFunny.vbs.

Brainstorm
* 'Brainstorm,' a fifth variant of the 'love' bug.
  Subject: 'Important! Read carefully!!'
  Body text: 'Check the attached IMPORTANT coming from me !'
  Attachment: 'IMPORTANT.TXT.vbs'

Second, after mailing itself out, the worm places a copy into every script file and several multimedia files as well, essentially deleting their contents.

Image files (.jpg and .jpeg), Visual Basic scripts (.wsh, .vbs and .vbe) and JavaScript (.js and .jse) will all be replaced by a copy of the worm and renamed with the .vbs extension. HTML applications (.hta) and other program code (.css and .sct) will also be overwritten.
Music files (.mp3 and .mp2) are hidden, and a file of the same name -- containing the worm's script and a .vbs file extension -- is put in their place.

The worm also infects files on networked and mapped drives, and it sends itself to people who join a chat room with an infected member. A number of Windows registry entries are changed as well.
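The variants listed above change the subject line and the attachment name, but each one named with an attachment arrives as a .vbs file, so a mail filter keyed on the attachment's final extension catches what a subject match misses. The Python below is an added example, not part of the original article; the extension lists, the 'iloveyou' subject rule and the function names are assumptions, and the sample messages are constructed with inert placeholder attachments.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed lists for this example: extensions that Windows will run as script,
# and harmless-looking extensions used as a decoy in front of the real one.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".hta", ".sct"}
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".doc", ".mp3"}


def subject_only_match(raw_message):
    """Brittle check: a hypothetical filter keyed on the first worm's name."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return "iloveyou" in str(msg["Subject"]).lower()


def attachment_findings(raw_message):
    """Flag attachments by their final extension, whatever the subject says."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        stem, ext = os.path.splitext(name.lower())
        if ext not in SCRIPT_EXTS:
            continue
        inner = os.path.splitext(stem)[1]  # e.g. ".txt" in IMPORTANT.TXT.vbs
        kind = "double-extension script" if inner in DECOY_EXTS else "script attachment"
        findings.append(f"{kind}: {name}")
    return findings


def build_sample(subject, filename):
    """Build a constructed message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("constructed body text")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subject, filename in [
        ("Mother's Day Order Confirmation", "mothersday.vbs"),
        ("fwdd:Joke", "VeryFunny.vbs"),
        ("Important! Read carefully!!", "IMPORTANT.TXT.vbs"),
        ("Meeting notes", "notes.txt"),  # constructed benign control
    ]:
        raw = build_sample(subject, filename)
        print(subject, subject_only_match(raw), attachment_findings(raw))
```
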


Note from another User Group with a makeshift fix.
A remedy, should you catch the ILOVEYOU virus

Until such time that you can get a hold of a fix from McAfee or another virus removal publisher, try this:
Delete WINDOWS/SYSTEM/MSKERNEL32.VBS
Delete WINDOWS/SYSTEM/LOVE*.VBS
Delete WINDOWS/WIN32DLL.VBS
Find and delete LOVE*.HTM
Find and delete LOVE*.VBS
Run REGEDIT and delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunService\WIN32DLL=C:\WINDOWS\Win32DLL.vbs
Rename C:\WINDOWS\WSCRIPT.EXE to WSCRIPT.old
You may get an error upon start up that it can't find WSCRIPT.EXE to run a script -- just cancel out. This is a Visual Basic program that you probably don't need.

Last Update:7/1/2003

 

Copyright 1999 - 2012 PC Lifeline