Protect Yourself from the ILOVEYOU and NewLove Viruses
In a matter of 5 hours on May 4th, 2000, an
email worm crawled its way from the Philippines across the globe,
devastating companies and individuals that weren't prepared for this
catastrophe. Understanding how the ILOVEYOU worm works will enable you
to combat it and several other similar viruses. Below you'll find links
to numerous articles on the so-called Love Bug and how to protect
What is the VBS.Loveletter Virus?
What is the VBS.Loveletter virus and its NewLove
The ILOVEYOU virus is an email attachment written in Visual Basic and smartly disguised as a love letter. Who wouldn't want to receive a love letter, after all? The email attachment was called LOVE-LETTER-FOR-YOU.TXT.vbs. When opened, it wreaked havoc throughout a computer system by overwriting files or hiding them throughout the system, and for people using Microsoft Outlook it sent a copy of the virus to everyone in the computer's address book.
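The disguise described above works because the real extension is the last one in the name. The following added example (not from the original page) parses a constructed sample message with Python's standard email module and flags script attachments hidden behind a decoy extension; the blocklist, the decoy list and the function names are assumptions chosen for illustration. It keys on the extension rather than the exact filename, so it goes slightly beyond the single name in the text.

```python
import email
from email import policy

# Script types among the extensions this page lists (assumed blocklist).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}
# Harmless-looking decoy extensions (assumed list, for illustration).
DECOY_EXTS = {"txt", "doc", "jpg", "jpeg", "gif", "mp3", "pdf"}

def classify(filename):
    """Return 'disguised-script', 'script' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return "ok"
    # Padding such as "a.txt     .vbs" pushes the real extension out of view.
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        return "disguised-script"
    return "script"

def scan_message(raw):
    """Parse a raw RFC 5322 message; return [(filename, verdict)] for hits."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # None for parts that are not attachments
        verdict = classify(name) if name else "ok"
        if verdict != "ok":
            hits.append((name, verdict))
    return hits

# Constructed sample message (not a captured one); the attachment body is inert.
SAMPLE = """\
From: alice@example.com
Subject: ILOVEYOU
Content-Type: multipart/mixed; boundary="b1"

--b1

Constructed body text for this example.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

' inert placeholder, not worm code
--b1--
"""

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE):
        print(f"{verdict}: {name}")
```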
The Love Bug infects files with the following extensions: "vbs", "vbe", "js", "jse", "css", "wsh", "sct", "hta", "jpg", "jpeg", "mp3", or "mp2". Except for "mp3" and "mp2" files, the virus overwrites the whole file with its virus code and the original file is destroyed.
For "vbs" and "vbe" files
For "js", "jse", "css", "wsh", "sct" or
For "jpg" and "jpeg" files
For "mp3", or "mp2" files
When executed, this virus drops the following files:
It also modifies the following registry entries so that the virus is
executed each time Windows starts up:
It searches for a file named WinFAT32.exe in the :\Windows\system folder. If the file does not exist, it modifies Internet Explorer’s startup page with one of the following sites:
It also searches your system for a file called WIN-BUGSFIX.exe (same as
WinFAT32.exe). Before searching for the file, the virus first checks
whether the key Download Directory located at
It also modifies the registry key to:
The file WIN-BUGSFIX.EXE is actually a password-stealing Trojan.
Unfortunately, after the virus has struck there's not much that can be done to retrieve the destroyed data except to reload the destroyed files from a backup. However, once you have updated your anti-virus program (or bought one), follow these steps to correct the registry and get your computer working again.
Using the REGEDIT program, remove the following keys from your Windows registry.
Not comfortable with Regedit? You can download a small free program called Love_Letter_Clean.exe from Computer Associates, Inc. that automatically removes the registry keys for you. It's available here. When you click on the link, select "Open this file from its current location" and click OK, or visit any of the top virus protection sites like McAfee, Norton, or Trend Micro to download a similar program.
Finally, let's straighten out your IE home page, which the virus reset to www.skyinet.net. From IE's Tools menu, select Internet Options. Right at the top of the dialog you'll see the Home page setting. Type in the URL of the page you use for your home page, and click OK. That should be it. If you followed all the steps above, your system should be free and clean from this painful love letter.
On May 19th a far more dangerous variation of the LoveLetter worm struck. The worm spreads via Microsoft Outlook and sends itself to everyone in the address book just like its predecessor, but this version overwrites ALL files that are not currently in use at the time of the infection, destroying almost everything on the hard drive. It is also more dangerous because it changes the wording in the subject line and the name of the attachment it sends, either by picking a random filename from the user's Start folder or by making one up.
So if the worm changes itself, what can you do to prevent it? Simple..