'Love' bytes, but there is a solution

Johannesburg, 04 May 2000

For those computer users who have been infected by the "ILOVEYOU" virus, now officially termed VBS.LoveLetter.A, solutions are available.

Symantec has announced the availability of protection for the virus, but was narrowly beaten to the punch by SecureData, exclusive distributor of Trend Micro's anti-virus software, which has the protection for "ILOVEYOU" in its latest pattern file, available on its Web site (www.sd.co.za). Trend's automatic update will also protect users from the virus.

According to Symantec's Anti-virus Research Centre (SARC), VBS.LoveLetter.A is an e-mail worm, an mIRC worm and a file infector. It uses Microsoft Outlook to e-mail itself out as an attachment; the body of the message reads "kindly check the attached LOVELETTER coming from me".

The virus will also infect files with the following extensions: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3 and mp2.

The virus will drop the following files: MSKernel32.vbs in the Windows System directory, Win32DLL.vbs in the Windows directory, LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows System directory, WinFAT32.EXE in the download directory, WIN-BUGSFIX.EXE in the Internet download directory, and script.ini in the mIRC directory.

SARC recommends administrators filter the attachment name and subject line immediately.
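The filtering SARC recommends, written out as a small mail-gateway check. This is an added example, not code from the article, SARC or any vendor: it parses a raw RFC 822 message with Python's standard library and flags the subject line, the attachment name and the body text named in the article. It also generalises the attachment rule: Windows Explorer hides known extensions by default, so "LOVE-LETTER-FOR-YOU.TXT.vbs" displays as a ".TXT" file, and the same trick works for any Windows Script Host type in the article's extension list, so the check blocks any script hidden behind a second extension. The three sample messages are constructed for the example.

```python
"""Mail-gateway filter for VBS.LoveLetter.A (added example, not from the article)."""
import email
import re
from email import policy
from typing import List, Optional

# Indicators taken from the article: the subject and attachment name SARC says
# to filter on, and the message body text.
KNOWN_SUBJECT = "ILOVEYOU"
KNOWN_ATTACHMENT = "LOVE-LETTER-FOR-YOU.TXT.vbs"
KNOWN_BODY = "kindly check the attached LOVELETTER coming from me"

# Windows Script Host types from the article's list of infected extensions.
# Explorer hides known extensions by default, so "X.TXT.vbs" is shown as "X.TXT";
# the generic rule catches any script hidden behind a second, harmless-looking
# extension, not just this worm's file name.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}
DOUBLE_EXTENSION = re.compile(r"\.[a-z0-9]{1,4}\.([a-z]{2,4})$", re.IGNORECASE)


def classify_attachment(filename: str) -> Optional[str]:
    """Return the reason to block this attachment name, or None if it looks fine."""
    if filename.lower() == KNOWN_ATTACHMENT.lower():
        return f"known worm attachment {filename}"
    match = DOUBLE_EXTENSION.search(filename)
    if match and match.group(1).lower() in SCRIPT_EXTENSIONS:
        return f"script hidden behind double extension: {filename}"
    return None


def classify_message(raw: str) -> List[str]:
    """Parse one raw RFC 822 message; return every indicator that matched (empty = pass)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons: List[str] = []
    subject = str(msg.get("subject", "")).strip()
    if subject.upper() == KNOWN_SUBJECT:
        reasons.append(f"subject {subject!r}")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            why = classify_attachment(name)
            if why:
                reasons.append(why)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and KNOWN_BODY.lower() in body.get_content().lower():
        reasons.append("body text matches the worm's message")
    return reasons


# Constructed sample messages (the attachment bodies are placeholders, not worm code).
WORM_MESSAGE = """\
From: someone@example.org
To: you@example.org
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

rem constructed placeholder
--b1--
"""

VARIANT_MESSAGE = """\
From: friend@example.org
To: you@example.org
Subject: holiday pictures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

have a look
--b2
Content-Type: application/octet-stream; name="beach.jpg.vbs"
Content-Disposition: attachment; filename="beach.jpg.vbs"

rem constructed placeholder
--b2--
"""

CLEAN_MESSAGE = """\
From: colleague@example.org
To: you@example.org
Subject: Minutes from Thursday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain; charset="us-ascii"

Attached as discussed.
--b3
Content-Type: text/plain; name="minutes.txt"
Content-Disposition: attachment; filename="minutes.txt"

1. Review budget
--b3--
"""

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MESSAGE), ("variant", VARIANT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, classify_message(raw) or "pass")
```

The subject and file-name matches are exact and will be bypassed by the first renamed copy; the double-extension rule is the one worth keeping after this outbreak, because it targets the display trick rather than the string.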

Neal Blount from SMCec's Information Security Architects (ISA) division suggests the following temporary workaround:

"After the machine has run the script, you need to edit the following registry entries before rebooting; if you reboot, the hard disk will be corrupted," he advises.

"Remove the following keys from the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL.

"Then delete the following files from the Windows System Directory: MSKernel32.vbs, Win32DLL.vbs, and LOVE-LETTER-FOR-YOU.TXT.vbs."

Blount warns that this is not a fix as such, but it will stop the payloads from executing when you restart your machine.
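Blount's workaround as a script, added here as an example and not code from ISA or the article. It keeps his ordering: the two HKLM autorun values go first, the dropped scripts second, and the reboot only after both. The planning step works from a snapshot (the autorun values and a file listing a responder records from the host), so the actions can be reviewed before anything is deleted; it also checks that each value's data actually points at one of the dropped scripts, so an unrelated entry that happens to share a name is left alone. Only the live-collection and apply steps touch the registry, through Python's winreg module, and they run on Windows alone. The snapshot data below is constructed, and the System32 path is this example's assumption (the article says only "Windows System directory").

```python
"""Remove VBS.LoveLetter.A persistence (added example, not the article's or ISA's code)."""
import ntpath
import os
from typing import Dict, List, Tuple

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = r"Software\Microsoft\Windows\CurrentVersion\RunServices"

# Autorun values (both under HKEY_LOCAL_MACHINE) and dropped scripts named in the article.
WORM_AUTORUNS = {RUN_KEY: "MSKernel32", RUNSERVICES_KEY: "Win32DLL"}
WORM_SCRIPTS = ["MSKernel32.vbs", "Win32DLL.vbs", "LOVE-LETTER-FOR-YOU.TXT.vbs"]

Snapshot = Dict[str, Dict[str, str]]   # {key path: {value name: value data}}
Action = Tuple[str, str]               # ("value", "key\\name") or ("file", full path)


def plan_cleanup(autoruns: Snapshot, files: List[str]) -> List[Action]:
    """Work out what to remove, persistence first, then files; nothing is touched here."""
    actions: List[Action] = []
    for key, wanted in WORM_AUTORUNS.items():
        for name, data in autoruns.get(key, {}).items():
            # Registry value names are case-insensitive. Only act when the data refers
            # to one of the dropped scripts, so a same-named legitimate entry survives.
            if name.lower() == wanted.lower() and any(
                s.lower() in data.lower() for s in WORM_SCRIPTS
            ):
                actions.append(("value", f"{key}\\{name}"))
    for script in WORM_SCRIPTS:
        for path in files:
            if ntpath.basename(path).lower() == script.lower():
                actions.append(("file", path))
    return actions


def snapshot_windows(system_dir: str = None) -> Tuple[Snapshot, List[str]]:
    """Collect the live snapshot on a Windows host (winreg exists only there)."""
    import winreg
    autoruns: Snapshot = {}
    for key in WORM_AUTORUNS:
        autoruns[key] = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                for i in range(winreg.QueryInfoKey(handle)[1]):
                    name, data, _ = winreg.EnumValue(handle, i)
                    autoruns[key][name] = str(data)
        except OSError:
            pass   # key absent on this Windows version
    # Assumption for this example: the System directory is %SystemRoot%\System32.
    system_dir = system_dir or os.path.join(os.environ["SystemRoot"], "System32")
    return autoruns, [os.path.join(system_dir, f) for f in os.listdir(system_dir)]


def apply_cleanup(actions: List[Action]) -> None:
    """Delete in plan order: values first, files second. Reboot only after this returns."""
    import winreg
    for kind, target in actions:
        if kind == "value":
            key, _, name = target.rpartition("\\")
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key, 0, winreg.KEY_SET_VALUE) as h:
                winreg.DeleteValue(h, name)
        else:
            os.remove(target)


# Constructed snapshot of an infected Windows 9x host, for review off the box.
INFECTED_AUTORUNS: Snapshot = {
    RUN_KEY: {
        "ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun",
        "MSKernel32": "C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs",
    },
    RUNSERVICES_KEY: {"Win32DLL": "C:\\WINDOWS\\Win32DLL.vbs"},
}
INFECTED_FILES = [
    "C:\\WINDOWS\\SYSTEM\\kernel32.dll",
    "C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs",
    "C:\\WINDOWS\\SYSTEM\\LOVE-LETTER-FOR-YOU.TXT.vbs",
    "C:\\WINDOWS\\Win32DLL.vbs",
]

if __name__ == "__main__":
    for kind, target in plan_cleanup(INFECTED_AUTORUNS, INFECTED_FILES):
        print(kind, target)
    # On the infected Windows host: apply_cleanup(plan_cleanup(*snapshot_windows()))
```

The plan is printed before anything is applied so the responder can confirm it matches the indicators from the article; `apply_cleanup` is deliberately a separate step.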

Another suggested solution is to block HTTP access to the www.skyinet.net domain, as this is the source of the payload. However, unconfirmed reports from the industry claim that the server has been taken down.

Many organisations have disconnected their e-mail servers until such time as the virus is contained.

All anti-virus vendors have committed to releasing updates as soon as protection against this mail worm is available.

Related stories:

ITWeb 'virus of love' special