ILOVEYOU Virus


Tony
04-05-2000, 04:31 PM
Anyone receive this virus today? I've already received 12 copies (and since 4 more but minus the attachment). Supposedly it started off somewhere like Hong Kong and has spread around the world like wildfire. Only affects Microsoft Outlook users (typical!).

Any plonkers out there actually swallow this one and run the attachment?

WhipLash
04-05-2000, 05:09 PM
Here's some info on the worm :
"VBS_Loveletter" Worm
04 May 2000
Virus Control

Alias: Loveletter, VBS/Loveletter
Discovery Date: 04 May 2000
Likelihood: High
Characteristics: The worm uses the Outlook e-mail application to spread. LoveLetter is also an overwriting VBS virus, and it spreads itself using the mIRC client as well. The LoveLetter worm is a VBS script that propagates itself using Microsoft Outlook and mIRC.

Description:

Once executed, this computer worm modifies the registry and drops files in order to spread. It replicates via Microsoft Outlook by sending an e-mail with the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs" to all e-mail addresses listed in the address list. It also propagates using mIRC by modifying "script.ini": after connecting to a chat server using mIRC, the virus initiates a DCC send to all the users in the current channel and sends a copy of itself. It is also capable of infecting files with specific extensions.

The message that it sends is as follows:

Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

Infection:

Once executed, this virus drops the following files:
<root>:\windows\Win32DLL.vbs
<root>:\windows\system\MSKernel32.vbs
<root>:\windows\system\LOVE-LETTER-FOR-YOU.TXT.vbs

It also modifies the following registry entries so that the virus is run each time Windows starts up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = <root>:\windows\system\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = <root>:\windows\Win32DLL.vbs

Payload:

It searches for a file named WinFAT32.exe in the <root>:\windows\system folder. If the file exists, it changes Internet Explorer's start page to one of the following sites:
http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

It also searches for a file named WIN-BUGSFIX.exe in the <root>:\windows\system folder. If the file does not exist, it changes Internet Explorer's start page to "about:blank" and modifies the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX = \WIN-BUGSFIX.exe

[This message has been edited by WhipLash (edited 04 May 2000).]
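The persistence entries listed in the advisory above are the quickest thing to check on a suspect machine. The following is an added example, not code from the original thread or from any vendor: it parses a plain-text `.reg` export of the two autostart keys and flags the entries. The sample export is constructed for the example (it is not from an infected machine), and the general rule "an autostart value that launches a `.vbs` file" is a choice made here so that renamed droppers are still caught; the advisory only lists the three value names.

```python
"""Added example, not from the original thread: scan a Windows registry
export for the autostart entries the advisory above attributes to
LoveLetter (MSKernel32 and Win32DLL under Run/RunServices, WIN-BUGSFIX
under Run).

Assumptions: the input is a plain-text .reg export of those two keys
(the sample below is constructed for this example); the rule "an
autostart value that launches a .vbs file" is a choice made here, not
something the advisory states.
"""
import re

# Constructed sample of what `regedit /e` of the two autostart keys might
# contain after infection, with one legitimate entry (SystemTray) mixed in.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"WIN-BUGSFIX"="C:\\WINDOWS\\SYSTEM\\WIN-BUGSFIX.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"
'''

AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
}

# Value names listed in the advisory. Exact names are brittle (a variant can
# rename them), so they are reported alongside the .vbs rule, not instead of it.
KNOWN_LOVELETTER_VALUES = {"MSKernel32", "Win32DLL", "WIN-BUGSFIX"}

_SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def parse_reg_export(text):
    """Parse a .reg-style export into {key_path: {value_name: data}}.

    Only REG_SZ values ("name"="data") are handled, which is all the
    autostart keys need; doubled backslashes are unescaped as regedit does.
    """
    keys, current = {}, None
    for line in text.splitlines():
        section = _SECTION_RE.match(line)
        if section:
            current = section.group(1)
            keys.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group(1)] = value.group(2).replace("\\\\", "\\")
    return keys


def find_suspicious_autostarts(text):
    """Return sorted (key_name, value_name, data, reason) tuples for every
    Run/RunServices value that launches a .vbs file or uses a known name."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key not in AUTOSTART_KEYS:
            continue
        key_name = key.rsplit("\\", 1)[1]  # "Run" or "RunServices"
        for name, data in values.items():
            reasons = []
            if data.lower().endswith(".vbs"):
                reasons.append("launches a .vbs script")
            if name in KNOWN_LOVELETTER_VALUES:
                reasons.append("known LoveLetter value name")
            if reasons:
                hits.append((key_name, name, data, "; ".join(reasons)))
    return sorted(hits)


if __name__ == "__main__":
    for key_name, name, data, reason in find_suspicious_autostarts(SAMPLE_REG_EXPORT):
        print(f"{key_name}\\{name} -> {data}  [{reason}]")
```

On the sample, the legitimate SystemTray entry is left alone, the two `.vbs` loaders are flagged by both rules, and WIN-BUGSFIX.exe is flagged by name only; a real sweep would feed this the output of `regedit /e` for each of the two keys and then delete the dropped files the advisory lists before removing the values.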

WhipLash
05-05-2000, 07:59 AM
Here are a few links with info on the ILOVEYOU worm (some appear to be very busy, you may have to wait for the server to free up) :

Datafellows Europe (http://europe.datafellows.com/v-descs/love.htm)
Mcafee (http://vil.mcafee.com/dispVirus.asp?virus_k=98617)
Antivirus Centre (http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER)

WhipLash
05-05-2000, 08:14 AM
The original ILOVEYOU message has been changed and now there's another mail spreading with the same virus - here are the details!

Very Funny.VBS

A new variant of the LoveLetter worm now exists. The only difference between the original e-mail and the new variant is the e-mail subject line and the name of the attachment. The characteristics of the infected e-mail are:

Subject line will show "FWD: Joke"
The text of the e-mail will contain only an attachment named "Very Funny.vbs"
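The variant above changes only the subject line and the attachment name, which is exactly what breaks a mail filter written against the "ILOVEYOU" subject quoted in the earlier post. The following is an added example, not code from the thread: it builds the two message shapes the posts describe (plus a benign one) and runs a subject rule and an attachment-extension rule over each. The three messages are constructed here from the characteristics the posts quote, the attachment payload is a harmless stand-in, and the extension lists are choices made for this example.

```python
"""Added example, not from the original thread: a mail-side check for the
two message shapes quoted above (the ILOVEYOU original and the "FWD: Joke"
variant), showing why a rule keyed on the subject line misses the variant
while a rule keyed on the attachment's real extension catches both.

Assumptions: the messages are constructed from the characteristics the
posts quote; the payload is a harmless stand-in; the extension sets are
choices made for this example.
"""
import base64
import email
import os.path
from email import policy

SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}  # example choice
DECOY_INNER_EXTENSIONS = {".txt", ".doc", ".jpg", ".gif"}            # example choice


def build_raw_message(subject, body, attachment_name):
    """Construct a minimal multipart/mixed message with one attachment.
    The payload is a comment line, not script code."""
    payload = base64.b64encode(b"' constructed stand-in for the example\r\n").decode()
    return (
        "From: someone@example.test\r\n"
        "To: you@example.test\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="BOUNDARY"\r\n'
        "\r\n"
        "--BOUNDARY\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        f"{body}\r\n"
        "--BOUNDARY\r\n"
        "Content-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{attachment_name}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{payload}\r\n"
        "--BOUNDARY--\r\n"
    ).encode("ascii")


# Constructed samples matching the characteristics quoted in the posts above.
ORIGINAL = build_raw_message(
    "ILOVEYOU", "kindly check the attached LOVELETTER coming from me.",
    "LOVE-LETTER-FOR-YOU.TXT.vbs")
VARIANT = build_raw_message("FWD: Joke", "", "Very Funny.vbs")
BENIGN = build_raw_message("Meeting notes", "Notes attached.", "notes.txt")


def subject_rule(msg):
    """The rule many sites wrote on day one: block the exact ILOVEYOU subject."""
    return str(msg["Subject"] or "").strip().upper() == "ILOVEYOU"


def has_decoy_extension(name):
    """True for names like X.TXT.vbs, where a document-looking inner extension
    hides the script extension that Windows actually dispatches on."""
    stem, ext = os.path.splitext(name)
    inner = os.path.splitext(stem)[1]
    return ext.lower() in SCRIPT_EXTENSIONS and inner.lower() in DECOY_INNER_EXTENSIONS


def attachment_rule(msg):
    """Return the names of attachments whose final extension is a script type,
    whatever the subject line says."""
    bad = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
            bad.append(name)
    return bad


def classify(raw):
    """Run both rules over one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"subject_rule": subject_rule(msg), "attachment_rule": attachment_rule(msg)}


if __name__ == "__main__":
    for label, raw in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(label, classify(raw))
```

The subject rule fires only on the original; the attachment rule fires on both the original and the "FWD: Joke" variant and stays quiet on the benign `.txt`. `has_decoy_extension` is the extra check for the `.TXT.vbs` trick: with "Hide file extensions for known file types" on, the user sees `LOVE-LETTER-FOR-YOU.TXT` while Windows dispatches on `.vbs`.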

Junior
05-05-2000, 09:37 AM
http://www.drsolomons.com/home/vbslove.htm

is also a handy link, or even just http://www.drsolomons.com/

------------------
Junior
junior@eForecourt.com

Junior's Web (http://juniorsweb.hypermart.net)

Astraman
08-05-2000, 12:09 PM
There are about 10 variants at this stage, including ones like Mother's Day & Warning Urgent Virus Instructions, Jokes, etc.
Won't be able to open a God damn thing for weeks now. Nearly everyone at work got it, but amazingly I didn't, which I thought was strange. Some people opened it and it started forwarding to everyone in the address list. The only way they could stop it was to turn off their system.

Chancer
08-05-2000, 12:37 PM
Apparently, the suspected author of the virus is a woman! Here's a copy of an article on said story from Reuters...


Love Bug suspect is identified by police

The Philippines has said the US was helping to track down the source of the Love Bug virus that ravaged computers worldwide, and an official said the suspected hacker was a woman.

National police chief Gen Panfilo Lacson told reporters that investigators had identified the suspect but it could take a while to make an arrest because "the suspect is a moving target".

Lacson and other investigators had earlier indicated the suspect was a man but an official of the National Bureau of Investigation (NBI) involved in the search said the bureau was looking for a woman.

The official, who asked not to be identified, also said it was possible the suspect might have already destroyed whatever evidence could link her to the most massive cyber attack yet.

Police said the suspect was a young computer school student and apparently from a middle-class family.

But the official also said it was possible the suspect might not be responsible for the computer attack. "It was only the computer used to launch the virus that was traced but anybody could use that computer," the official said.

The Washington Post said the US Federal Bureau of Investigation (FBI) had traced the virus to the Philippines through a fairly obvious electronic trail and was ready to seize computers used in the attack once it got permission.

In Sweden, a computer expert said on Saturday he believed an 18-year-old German exchange student in Australia was responsible for the virus.

But the Australian Federal Police said yesterday they had been given no firm evidence to back up the allegation. - (Reuters)

Chancer
09-05-2000, 08:48 AM
I see that a couple were arrested in the Philippines over the LoveBug virus. Here's the story :

Judging by what could be seen through the window of their ground-floor apartment in Manila yesterday, the young couple who lived there, Reomel Ramones and Irene de Guzman, liked to pass the evening strumming a guitar and drinking whisky.

But there was also evidence that in their tiny living room they spent a lot of time online and reading computer magazines. Here one day last week, according to warrants issued for their arrest, the two Filipino bank clerks deposited the "love bug" message on the Internet which wreaked havoc on e-mail servers last week from the House of Commons to the White House.

The apartment had been under surveillance since Saturday, but the NBI was unable to act immediately because computer hacking is not a crime in the Philippines. However, amid scenes of great excitement in the neighbourhood, two dozen plain-clothes agents arrived at the apartment yesterday with search warrants - and a mob of reporters and camera crews in tow.

After a 3½-hour search they handcuffed and took away 27-year-old Ramones, who refused to speak to the agents, along with some computer disks, telephone wiring and magazines, leaving behind a guitar, several bottles of Scotch, and scattered clothing in the dilapidated apartment.

Of the computer itself or of 23-year-old Ms de Guzman there was no trace, although officials said she would present herself to authorities by today. The raid came after three days of legal confusion, at the end of which the Philippine investigators finally came up with a piece of legislation under which the suspects could be charged.

The warrants said there was reason to believe that equipment in the house had been used in violation of the Access Devices Regulation Act, which governs the use of codes, account numbers and passwords giving access to different types of devices. The law provides for a maximum punishment of 20 years in jail.

Ramones and de Guzman were a quiet, unassuming couple, according to neighbours. "She was nice, she would smile at me when passing, but I hardly ever talked to her," said one woman who described her as "pretty".

The Philippines National Bureau of Investigation (NBI) said it was also likely further investigation could lead to more arrests, but would not give details. The alleged perpetrators of an act of vandalism, which cost billions of pounds in damage worldwide, were not very clever at hiding their tracks, according to NBI. The flood of malicious codes which shut down networks worldwide was easily traced to their flat in the lower middle-class Bagong Barangay suburb of the Philippines capital.

The hackers not only caused a chain reaction with their "I love you" e-mails. Their bug redirected the victim's browser to a site which downloaded a separate programme that stole passwords and e-mailed them back to the virus author. "If that's the case, they might as well have put their return address on the virus," said one of the investigators.