FLASH: FW: WARNING: e-mail bomb alert !! Solution for the LoveYou virus, ADMIN, READ FIRST PLEASE!!

[Tim Loenders]

Hi there, 


Sorry to bother you with virus info on the mailing list but it seems that

this one is nasty!


If you have problems with the Loveyou virus (like I had this morning). The

way to desinfect your PC is written below. 


Be sure not to open any mail with the loveyou subject.


If it's too late be sure to clean your PC thoroughly the way described

below.


Hope it helps.


Tim


> WARNING!!

> 

> Please be aware of a e-mail message with subject: ILOVEYOU

> It contains an VBScript attachment (iloveyou.vbs)

> When you open the attachment - the e-mail virus will spread itself to ALL

> the recipients in

> your addressbooks.

> 

> DO NOT OPEN THE VBS ATTACHMENT !!

> 

> The virus will attempt to:

> - send itself to all your recipients (address lists)

>     internal and external addresses !

> - change your default webpage in Internet Explorer to an infected website

> - try to connect to an infected IRC server

> - create other copies of itself on your local harddisk (all with extension

> *.vbs)

>    it uses filenames of existing jpg files...

> - register itself in the registry to run at login

> 

> 

> To find infected PC's you can search the local harddisk for one of the

> following files:

> - Win32DLL.vbs

> - MSKernel32.vbs

> - LOVE-LETTER-FOR-YOU.TXT.vbs

-  LOVE-LETTER-FOR-YOU.htm or html


What you can do and SHOULD do immediately, if infected: 


In the Windows directory (C:\WINDOWS or C:\WINNT): delete the Win32DLL.vbs

file

In the Windows System directory (e.g. C:\WINNT\SYSTEM32): delete the

MSKernel32.vbs file

in c:\Windows directory (e.g. WINNT) delete

\SYSTEM32\LOVE-LETTER-FOR-YOU.TXT.vbs

in c:\Windows directory (e.g. WINNT) delete

\SYSTEM32\LOVE-LETTER-FOR-YOU.HTM

In the Registry delete these keys: 


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 

and

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win

32DLL 

Than reboot your system. Now the virus should no longer be active...



[Tim Loenders]  The size of the VBS files is 10.307 bytes


> The first action you should take is to delete all the created *.vbs files

> on the harddisk to prevent further spreading of the virus.

> 

> Here is an example of the VBScript code used:

> 

> c.Copy(dirsystem&"\MSKernel32.vbs")

> c.Copy(dirwin&"\Win32DLL.vbs")

> c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")

> ....

> regcreate

> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel

> 32",dirsystem&"\MSKernel32.vbs"

> regcreate

> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\

> Win32DLL",dirwin&"\Win32DLL.vbs"

> ....

> set mapi=out.GetNameSpace("MAPI")

> for ctrlists=1 to mapi.AddressLists.Count

> set a=mapi.AddressLists(ctrlists)

> ...

> male.Subject = "ILOVEYOU"

> male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."

> male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")

> male.Send

> ..........

> 

> 

> More info can be found at:

> http://www.virusinfo.com/v-descs/love.htm

> 

> 

> Please inform your IT depts. about this email virus.

> 

> 

> 

> This one will certainly catch the news this evening !

> 

> 

> 

> 

> 

> -------------------------

>   Filip Jonckers

>     consultant

>  Interconnect nv

> network Solutions

> +32 (0)3 450.74.70

> 


flasher is generously supported by...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Get the last 100 messages from the flasher list NOW

    http://www.chinwag.com/flasher/last100.shtml


 Flash books http://www.chinwag.com/flasher/books.shtml

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To unsubscribe or change your list settings go to

http://www.chinwag.com/flasher or email

helpchinwag [dot] com