LoveWorm Update #1 LoveWorm Update #3 Back to News
PLEASE FEEL FREE TO PASS THIS ON.
From: Marshall Barry, IBECC Email: MBarry at IBECC.Org Web: www.IBECC.Org Phone: +1-719-685-nnnnFor more info please contact IBECC - IBECC@IBECC.Org (Sorry - Our Web Site is woefully out of date right now) Or your local, friendly, antivirus crews including (but not limited to): McAfee, Norton, Trend, etc... (Their websites are jammed as of this moment)
IBECC Official Quote of the Day:
"Y2K being a 'dud' may have lulled many of us into a false, warm, sense of security. 'LOVE' is one of the scenarios that people were worried about for 2000. It just took a couple of months longer to happen," said Michelle Weisblat, President of IBECC. She continued, "Backup early and often - you can never have too many backups, just too few! If you haven't been infected by the 'LOVE WORM', it's not too late to backup and protect your system and your data!"Welcome to the latest update - hopefully with a voice of sanity.
If you miss (have missed) an update (this is #2 in a hopefully short series), please let us know and we'll be happy to forward it to you.
BEFORE I get into the rest of this message, note that once you have run the "worm" (it's NOT a virus by definition - it does NOT infect files - it replaces them and sends itself on), you are "infected" and there is NO TRIVIAL or SIMPLE way to UNINFECT YOURSELF once this happens. You CAN recover your system, but it will take time and work. Many files will be deleted/renamed or otherwise hidden. SOME can be recovered, others are gone forever (unless you have a BACKUP!)
BE CAREFUL OUT THERE!
** Other names for the LoveWorm now include:
"Your Mother's Day Order Confirmation", "Mother's Day Specials",
"Accept Jesus Or Die!", "IMPORTANT - Please Pass This On",
"Just A Letter To Say I Love You", "I Hate School",
"I Hate Everyone But You..." and others (of course!)(This is not a comprehensive list, but more a note that simply deleting/ignoring/not reading messages that say "I Love You" in the subject is **NOT** enough!)
The following are "Techie" Solutions to NOT ALLOW the "Worm" to get you. ** WARNING ** ALL OF THE FOLLOWING CAN AFFECT THE OPERATION OF YOUR SYSTEM! (These fixes MAY keep some programs from running, or may produce results which are, ahem, not satisfactory in your computer environment). WE assume NO RESPONSIBILITY. AGAIN, these are "Techie" solutions... all of which strike at the "heart" of the worm, that is, preventing it from running.These methods will ALSO prevent a number of "legitimate" programs from running - specifically Visual Basic (and some C++) Scripts.
OK, we're covered now... You're now "on your own!"
Techie Solution #1: These instructions will render the LoveWorm (and other VBS Worms) inoperative on Windows 95/98, but ONLY if you do this BEFORE receiving the email, or running the worm! This is a PREVENTIVE measure: Go to Windows Explorer. Choose the "View" menu Option. Choose "File types"(if you run Windows95) or "Folder Options" (if you run Windows98). Scroll down the list until you find the VBS (.vbs) file extensions, or the VBScript association, and remove it. (It should say something about wscript.exe and/or cscript.exe) Do the same for the VBE (.vbe) extension. CLick OK, and Exit Explorer. If you do this, and then receive the LoveWorm, or any other VBS Worm, it won't work even if you accidentally open it. (This doesn't mean "TRY IT!") Windows will prompt you with a message saying "... this file has no association ..." and will ask you to make one. Just say "No!" (i.e. don't do it!) The Worm can not run because Windows won't know how to run it. End Users won't know what they are doing (note: This is called "Techie Superiority"), so they will give up and call Tech Support, or end up associating it with Word or Notepad or something moderately innocuous, which just brings up what will appear to be nonsense text (aka the source code for the worm). YOUR PC WON'T get infected, but the worm WILL REMAIN on it, still deadly, but in a form of computer stasis... DELETE IT! Then empty the recycle bin!
Techie Response #2: To keep the worm from (re)infecting people, delete: WSCRIPT.EXE and CSCRIPT.EXE from PC's. (These are found in the "Windows" and "Windows\Command" directories respectively - USUALLY. If they are not there, and to be SURE that there are not multiple copes, use the Windows "FIND" command (from the Start Menu) and delete these programs ANYPLACE you find them!). These files are MOSTLY needed by programmers and regular users USUALLY do not need them. Since the worm requires xSCRIPT.EXE to run, by deleting these files it can not execute the script, stopping it dead. YOUR PC WON'T get infected, but the worm WILL REMAIN on it, still deadly, but in a form of computer stasis... DELETE IT! Then empty the recycle bin!
Techie Trick #3 (courtesy of a number of sources): If you do not use Visual Basic scripting (or some versions of C++ and its scripting) in the course of your work day, you should turn this option off. To do so: 1. Click on Settings 2. Click on Control Panel 3. Click on Add/Remove 4. Click on the "Windows Setup" tab at the top 5. Click on Accessories - This will display MANY details 6. Uncheck "Windows Scripting Host" if it is checked (If it isn't checked, use one of the previous methods) 7. Click “OK” to save any changes The System MAY ask for your Windows CD (it shouldn't, but someone said it did one time). You should (but don't have to) re-boot (restart) your system, just to make sure it all works! YOUR PC WON'T get infected, but the worm WILL REMAIN on it, still deadly, but in a form of computer stasis... DELETE IT! Then empty the recycle bin!
Final Note: All of these methods rely on the way the LoveWorm transfers itself, that is it uses a "scripting" language (a series of commands that the system, with certain software) understands.
These mechanisms DELETE the scripting language from your computer! ANYTHING ELSE which may use it, will NOT run... but, of course, neither will the LoveWorm.
Please feel free to contact us with any information, or questions,
you may have.
We will do our best to help.
Page Maintained, and Copyright © 2000-2006 By:
mbarry at IBECC.Org and mabarry at IBECC.OrgAll rights reserved.
All or part(s) of this document may be freely quoted
for informational, review, and announcement purposes.
No 'frames' version of these pages are currently 'in the works'
or being planned.
According to a statistical survey, more than 40% of the net users
still do not have any
kind of graphical interface (this includes our "challenged"
audience.)
We'd rather be considered 'not trendy' than 'not viewable'.