Fwd: Virus Alert - I-Worm.LoveLetter

From: Douglas Hinds (dmhinds@acnet.net)
Date: Thu May 04 2000 - 18:18:18 EDT


The following was discussed here and apparently was contained in a
post that came in on the CGIN-list. This info should help clean it
up. (AVP and Dr. Web are probably the best antivirus aids available).

DH

This is a forwarded message
From: List Manager <listmgr@perfectsupport.com>
To: avp-news@perfectsupport.com <avp-news@perfectsupport.com>
Date: Thursday, May 04, 2000, 7:25:16 AM
Subject: Virus Alert - I-Worm.LoveLetter

===8<==============Original message text===============
AVP.COM Newsletter
==================
Advanced Virus Protection (AVP)

Virus Protection for the Real World.(TM)

This newsletter is brought to you by PerfectSupport(TM)
a division of Central Command Inc.

If you suspect a virus infection you can download a free, time-limited,
fully functional trial version of AntiViral Toolkit Pro from
http://www.avp.com

Visit AVP.COM online http://www.avp.com
                       
New update released for AntiViral Toolkit Pro. Includes
latest virus detection and removal as of 00/00/2000. See descriptions
below for correct URL links to files or visit http://www.avp.com

What's been added to the detection/removal database

I-Worm.LoveLetter
-----------------

I-Worm.LoveLetter is a Visual Basic Script worm that is spreading through
the internet via a Microsoft Outlook e-mail message that reads as a chain
letter.

The worm uses the Outlook e-mail application to spread.

I-Worm.LoveLetter is also an overwriting Visual Basic Script virus, and it
can spread itself using the mIRC client as well.

Technical Details:

When the worm is executed, it first copies itself to Windows System
directory as:

    - MSKernel32.vbs
    - LOVE-LETTER-FOR-YOU.TXT.vbs

and to Windows directory:

    - Win32DLL.vbs

Then it adds the registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

The worm replaces the Internet Explorer home page with a link to an
executable program, "WIN-BUGSFIX.exe", and creates an HTML file,
"LOVE-LETTER-FOR-YOU.HTM", in the Windows System directory.

I-Worm.LoveLetter will use Outlook to mail a copy of itself to everyone in
each address book.

The message will be addressed:

Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

The worm then searches for files with an extension of .jpeg, .mp3,
.mp2, .jpg, .js, .jse, .css, .wsh, .sct, and .hta on local and remote drives
and overwrites them with itself. Once overwritten, the worm changes the
extension of the overwritten files to .vbs or .vbe.

Reconfigure your internal AntiViral Toolkit Pro Updater for improved
performance.

Step 1. Open AntiViral Toolkit Pro Updater
Step 2. Choose update from the Internet and press "Setup"
Step 3. Change the update URL to: ftp://ftp.avp.com/pub/update
        and press the "Ok" button. You do not need a User or Password.
Step 4. Once back at the AntiViral Toolkit Pro Updates main screen make
        sure that you are updating from the Internet and the Download
        Antivirus Databases and Patches is selected.
Step 5. Choose "Next" and "Next" again to start the download and update
        process.
Step 6. Once the download is complete you'll see a "Finished"
        message.

Central Command, PerfectSupport, CoreSupport, EssentialSupport,
EnterpriseSupport, EVRT, Emergency Virus Response Team,
Virus Protection for the Real World. are trademarks of Central
Command Inc. All other trademarks are property of their
respective owners. Copyright (C) 2000 Central Command Inc. All
rights reserved.

===8<===========End of original message text===========
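
A triage check built from the indicators the newsletter lists: the dropped file names, the two autostart registry entries, and the mail's subject and attachment name. This is an added example, not part of the forwarded message or of AVP's tooling; the function names and the sample message are constructed here, and registry entries are assumed to be supplied as exported path strings in the form the newsletter prints them.

```python
import email
import os
import sys
from email import policy

# Indicators copied from the newsletter text; all compared case-insensitively.
DROPPED = {"mskernel32.vbs", "love-letter-for-you.txt.vbs",
           "win32dll.vbs", "love-letter-for-you.htm"}
RUN_PREFIX = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\"
RUN_VALUES = {RUN_PREFIX + "run\\mskernel32", RUN_PREFIX + "runservices\\win32dll"}
SUBJECT = "iloveyou"
ATTACHMENT = "love-letter-for-you.txt.vbs"

SAMPLE_MAIL = (  # constructed sample message, not a real capture
    "Subject: ILOVEYOU\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b"\n\n'
    "--b\nContent-Type: text/plain\n\n"
    "kindly check the attached LOVELETTER coming from me.\n"
    "--b\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"\n\n'
    "(payload omitted)\n--b--\n"
)


def scan_tree(root):
    """Return files under root whose name matches a dropped-file indicator."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if f.lower() in DROPPED)


def match_run_values(exported_paths):
    """Return exported registry paths equal to one of the worm's two entries."""
    return [p for p in exported_paths if p.strip().lower() in RUN_VALUES]


def check_message(raw):
    """Return which of the worm's mail indicators a raw message matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = {(part.get_filename() or "").lower() for part in msg.walk()}
    found = {"subject": (msg["Subject"] or "").strip().lower() == SUBJECT,
             "attachment": ATTACHMENT in names}
    return [k for k, hit in found.items() if hit]


if __name__ == "__main__":
    print("mail:", check_message(SAMPLE_MAIL))
    for root in sys.argv[1:]:  # directories to sweep, e.g. the Windows directory
        print("\n".join(scan_tree(root)))
```

A file-name hit only marks a host for cleanup; files the worm overwrote and renamed to .vbs or .vbe carry their original base names and are not found by this name match.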

All messages to sanet-mg are archived at:
http://www.sare.org/san/htdocs/hypermail



This archive was generated by hypermail 2b29 : Thu May 11 2000 - 22:02:14 EDT