Dear friends and customers,

It has come to our attention at Internet Nebraska that a new virus exists called
VBS/LoveLetter.  This virus spreads itself as an email chain letter, and
is very quick to proliferate itself.  The virus spreads through the
Microsoft Outlook email client and the mIRC Internet relay chat client.
An infected person will automatically send the virus to everyone in
their email address book.

We are doing what we can to disallow entry of this virus onto our system.
Those of you unfortunate enough to have already downloaded a copy should
do the following:

o If you have not run the attached file, delete the message immediately;

o If you have run it, follow these steps to remove it:

1. If Outlook is running, turn it off now! There is still a chance
that the messages in your Outbox were not sent yet. Unplug your
network adapter/modem to ensure that you cannot accidentally
connect, open Outlook again, and delete all entries from your
Outbox.
   
2. Close Outlook.

3. Run regedit.exe (Click Start->Run, enter 'regedit' and click OK).

4. Go to HKEY_CURRENT_USER->Software->Microsoft->Windows Script
Host->Settings. If there is an entry for Timeout, delete it. I did
not have this, but the source code looks like it may exist.

5. Go to HKEY_CURRENT_USER->Software->Microsoft->Internet
Explorer->Main. Scroll down until you see an entry for Start Page.
Double click on it, and edit it so it reflects the correct start
page (Such as http://www.inebraska.com).

6. Go to
HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->
Run. Delete the entry for MSKernel32.

7. Go to
HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->
RunServices. Delete the entry for Win32DLL.

8. Go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. If there
is an entry for WIN-BUGSFIX, delete it.

9. Go to
HKEY_CURRENT_USER->Software->Microsoft->Windows->CurrentVersion->
Explorer->Doc Find Spec MRU. This entry contains all of the most
recently used files. It would be a good idea to delete all of the
entries.

10. Open Windows Explorer (Start->Programs->Windows Explorer). Go to
c:\windows\system (or c:\winnt\system32) and delete
MSKernel32.vbs, LOVE-LETTER-FOR-YOU.HTM, and
LOVE-LETTER-FOR-YOU.TXT.vbs. Also, delete Win32DLL.vbs from the
Windows directory.

11. This is the most painful part. This virus replaces every file with
the following file extensions: vbs, vbe, js, jse, css, wsh, sct,
hta, jpg, jpeg, mp3, mp2. You can't get the files back, but you
can at least delete them pretty easily. Do a search for all files
with the .vbs or .vbe extension (Start->Find and enter '*.vbs
*.vbe' in the Named field, then click Find Now). Select all of the
results, and hit delete.
   
12. Finally, you will need to do a search for a couple of other misc.
files that may be on your machine now. Search for WIN-BUGSFIX.exe
or WIN_BUGSFIX-32.exe (if you opened Internet Explorer after
getting the bug), script.ini (if you use mIRC), and possibly
WinFAT32.exe. If you have any of these two files, delete them.

13. When all of the files are deleted, it would be a good idea to
empty your recycle bin.

Aside from adding several keys to the Windows registry, the virus
changes Internet Explorer's default home page to a local file called
WIN-BUGSFIX.exe which causes that file to be run when Internet Explorer
is started.  This virus is classified as a trojan horse, and can easily
be identified in your incoming email by the following:

Subject:    ILOVEYOU
Body:       kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

The worm also creates an HTML file, "LOVE-LETTER-FOR-YOU.HTM", in the
Windows System directory. This file contains the worm, and it will be sent
using mIRC whenever the user joins an IRC channel.

The virus then searches for certain file types in all folders on all local
and remote drives and overwrites them with its own code. The files that are
overwritten have either a "vbs" or a "vbe" extension.

For the files with the following extensions: ".js", ".jse", ".css", ".wsh", 
".sct" and ".hta", the virus will create a new file with the same name, but 
using the extension ".vbs". The original file will be deleted. 

Next, the virus locates files with ".jpg", ".jpeg", ".mp3" or ".mp2",
adds a new file next to it and deletes the original file. For example, a 
picture named "pic.jpg" will cause a new file called "pic.jpg.vbs"
to be created. 
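
An added example (not part of the original advisory and not an Internet
Nebraska tool): a read-only Python scan that reports the file names listed in
steps 10-12 and the double-extension copies described above. The function
names and finding labels are assumptions made for illustration; it does not
check the registry and deletes nothing.

```python
import os
from pathlib import Path

# File names taken from the cleanup steps above (compared case-insensitively).
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.htm",
           "love-letter-for-you.txt.vbs", "win-bugsfix.exe",
           "win_bugsfix-32.exe", "winfat32.exe"}
# Media types the worm replaces with "<name>.<ext>.vbs" copies.
MEDIA = {".jpg", ".jpeg", ".mp3", ".mp2"}
# Script types that are overwritten in place or renamed to .vbs.
SCRIPT = {".vbs", ".vbe"}


def classify(name):
    """Return a finding label (illustrative names) for a file name, or None."""
    lower = name.lower()
    if lower in DROPPED:
        return "dropped-file"
    if lower == "script.ini":
        return "mirc-script-review"  # only relevant if mIRC is installed
    stem, ext = os.path.splitext(lower)
    if ext == ".vbs" and os.path.splitext(stem)[1] in MEDIA:
        return "replaced-media"      # e.g. pic.jpg.vbs: the original is gone
    if ext in SCRIPT:
        return "script-review"       # may be an overwritten or renamed script
    return None


def scan(root):
    """Walk root and return sorted (label, relative path) findings."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            label = classify(name)
            if label:
                rel = (Path(dirpath) / name).relative_to(root).as_posix()
                findings.append((label, rel))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for label, rel in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label:20} {rel}")
```

Run it against a drive or folder and review the "script-review" entries by
hand before deleting anything, since legitimate scripts share those extensions.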

LoveLetter was found globally in-the-wild on May 4th, 2000. It looks like the 
virus is of Philippine origin.
-- 
Internet Nebraska System Manager - manager@inebraska.com