From: Marshall Barry, IBECC Email: MBarry at IBECC.Org Phone: +1-719-685-nnnn
For more info please contact IBECC - IBECC@IBECC.Org Or your local, friendly, antivirus crews including (but not limited to): McAfee, Norton, Trend, etc... (Their websites are jammed as of this moment)
"Y2K being a 'dud' may have lulled many of us into a false, warm, sense of security. 'LOVE' is one of the scenarios that people were worried about for 2000. It just took a couple of months longer to happen," said Michelle Weisblat, President of IBECC. She continued, "Backup early and often - you can never have too many backups, just too few! If you haven't been infected by the 'LOVE WORM', it's not too late to backup and protect your system and your data!"
BEFORE I get into the rest of this message, note that once you have run the "worm" (it's NOT a virus by definition - it does NOT infect files - it replaces them and sends itself on), you are "infected" and there is NO TRIVIAL or SIMPLE way to UNINFECT YOURSELF once this happens. You CAN recover your system, but it will take time and work. Many files will be deleted/renamed or otherwise hidden. SOME can be recovered, others are gone forever (unless you have a BACKUP!)
ALSO Note: While a number of reports and clients/friends/reporters stated that this particular worm could be automatically run simply by looking at the message (i.e. bringing the title up to delete it) those people ALLOWED automatic running of attachments. Not a good idea under ANY circumstances, it's even worse under these.
Further note: This does not mean it can not and does not happen (ref: Melissa last year) - beside which, many emails now include "forced" http (net) references - which can (as this one does) force you to a WWW site which can (and sometimes does) have scripts, ACTIVEx, and JAVA which WILL run -- unless you have blocked them in your "Internet Settings", or have a Firewall or Anti-Virus protector which is smart enough to block them! These net references CAN be valid (We get mail from such legit folks as "Pets.Com" which do this!) but you MUST set your system up to keep out the "malicious."
Another important "pre-note": If you DELETE the message, do it by using the "DEL" key on your keyboard. "Click and Drag" to the "Delete" Bin has the bad tendency to RUN the attachment first (can you say "oops"?) The "DEL" key also "moves" it to the "Delete" Bin. THEN EMPTY THE DELETE BIN!!! Don't leave it around to "accidentally" be clicked or run!
To HELP you - this is NOT a 100% Guarantee, and it WILL cause a large number of extra messages on your screen - you should go to Control Panel, Internet Options, Security. Click on the Internet Icon, then click on "Custom Level...". Scroll down to "Scripting" and mark all options with "prompt". Note that the system will state that "scripts are usually safe". 'Usually' is the operative keyword - this is a Script and it is, most definitely, NOT safe. You will get MANY requests while web-browsing to "allow" scripts to run. It WILL be annoying. Oh, yes, this setting DOES affect Outlook/Express as well as Internet Explorer as they use a common "interface." Does there have to be something better? Yes. When we find it (and "it" may very well be active anti-virus software) we'll try to let you know. (NOTE ADDED: See LoveWorm Updates #2 and #3 for more ways) In the meantime - this CAN help. BE CAREFUL! It just got a whole lot less user-friendly!
EMAIL VIRUS WARNING #2.23!!
Yesterday's email virus has reportedly mutated into a new virus with email Subject names fwd: "Joke" and "Very Funny." Do not open these emails in Microsoft email readers!!
There are also reports that certain versions of Netscape are affected as well. We can neither confirm nor deny this. Please let us know if you are certain, one way or the other.
It's actually "mutated" into at least 1/2 dozen (or more) names ... many of which have nothing to do with funny (wan smile)
(e.g. Mother's Day - also see next)
One ended up in the email to my niece ... subject: Accept Jesus or Die (My niece is on AOL, btw...)
IMPORTANT: Whether or not you have a Microsoft (or other) mail program, DO NOT RUN THE ATTACHMENT FOR ANY REASON OR UNDER ANY CIRCUMSTANCES! REPEAT! DO NOT RUN IT! It *WILL* infect your system and quite possibly damage the SOFTWARE beyond repair!
Part of the trick of this little disaster is that it uses the multi-level naming system that "fools" Windows[tm] into thinking that it is something else...
For example:
Plugh.txt.vbs
will APPEAR with the "notepad" icon and will seem to be harmless... it IS NOT!
Windows WILL use the FINAL extension (the .vbs) as the type to actually run the program... and the VBS is the script that does the damage. It renames (for example) .jpg (jpeg) files to be .jpg.vbs -- again, they will show up as pictures, and will run the script.
A copy of the script, viewable as a text file (really! I promise!) can be made available for you techies out there. It *IS* dangerous to have around as, if you DO accidentally run it, you're in bad shape.
(Also, those folks who "decoded" the script and decided where it came from really didn't have to do much - the following are the first two lines:
rem barok -loveletter(vbe) (i hate go to school)
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group
As you can see, it's in plain English (as is the rest of the worm) though I/we STRONGLY doubt that the person who wrote this was stupid enough to put his/her real name and email address in it...)
The news media, in its typical panic, is telling people that they will have to format their hard drives and restore/re-install their systems.
Because it appears to be "wolf! Wolf!" people are not believing them.
** YOU MAY HAVE TO REFORMAT AND RESTORE/REINSTALL! **
This is NOT someone playing around and being obnoxious (much like Melissa)... this little(?) beastie WILL damage your system (NO, it does NOT damage your hardware!!) and will corrupt your registry (that magical place where Windows keeps all its important info), and WILL damage many files and file types (e.g. jpg, mp*, and other files which normally appear to be "innocuous").
NOTE that the trick of multi-level filetypes (i.e. .jpg.vbs or .txt.exe) has been used for MONTHS now by crackers and phreaks in the Usenet NEWSgroups to pass on such things as "backdoor" and "BackOrifice". This is nothing new, per se... just that it has been taken to a new level of "nasty."
Note that as Windows supports blanks in the filename, people HAVE used things like:
"abc.txt .exe"
It will appear to be a "notepad" (txt) file, but will run the program if double-clicked (i.e. it will be treated as an "exe" file!!)
SUMMARY: Look at your email. Do NOT run ANY file attachments you are not expecting or which come from anyone you don't know well enough to have eaten dinner at their house without using (smile) poison tasters. Even then, ask them.
DO NOT RUN any PROGRAM file with the extensions of:
.vbs, .vbe, .exe, .com, .bat, .pif, .cmd
(And I'm SURE there are a couple of other "executable" types I have missed!)
If there is ANY doubt at all... DO NOT RUN THE PROGRAM OR ANY ATTACHMENT.
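The filename check described above, written out as an added example for a mail filter (this is not IBECC's code). The risky-extension set is the list in this warning; the decoy set and the function names are assumptions made for illustration, and the sample names are the ones used in this warning plus constructed ones.

```python
# Extensions this warning lists as directly runnable on Windows.
RISKY_EXTENSIONS = {".vbs", ".vbe", ".exe", ".com", ".bat", ".pif", ".cmd"}
# Assumed list of harmless-looking types used as a disguise (not from the warning).
DECOY_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".mp2", ".mp3"}


def effective_extension(filename):
    """Return the FINAL extension, lowercased: the one Windows acts on."""
    name = filename.rstrip(" .")  # Windows drops trailing spaces and dots
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def inspect_attachment(filename):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    ext = effective_extension(filename)
    if ext not in RISKY_EXTENSIONS:
        return findings
    findings.append("runnable:" + ext)

    # Everything in front of the final extension, e.g. "abc.txt " for "abc.txt .exe".
    stem = filename.rstrip(" .")[: -len(ext)]
    if stem != stem.rstrip():
        # Blanks pushed the real extension away from the visible name.
        findings.append("padded-before-extension")

    inner = effective_extension(stem)
    if inner in DECOY_EXTENSIONS:
        # A second, harmless-looking extension sits in front of the real one.
        findings.append("decoy-extension:" + inner)
    return findings


if __name__ == "__main__":
    # "Plugh.txt.vbs" and "abc.txt .exe" are from the text; the rest are constructed.
    samples = ["Plugh.txt.vbs", "abc.txt .exe", "photo.JPG.VBS",
               "holiday.jpg", "setup.exe"]
    for sample in samples:
        result = inspect_attachment(sample)
        print(repr(sample), "->", result if result else "not flagged")
```

A name that comes back "not flagged" only means its final extension is not on the list above; it says nothing about what the file contains.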
Check the NAME of the file... and look ALL the way to the end (see above)
Please feel free to contact us with any information, or questions, you may have. We will do our best to help.
We are always interested in Feedback!
Page Maintained, and Copyright © 2000-2006 by:
MBarry at IBECC.Org and mabarry at IBECC.Org
All rights reserved.
All or part(s) of this document may be freely quoted
for informational, review, and announcement purposes.