Five ways to beat the bug
8 May 2000
On 4 May 2000, the LoveLetter virus slipped past anti-virus scanners across the globe, bringing email services and networks to a standstill, destroying data and crippling communications.
As well as the damage to computer systems, the virus, like so many in the past year, damages reputations by emailing itself to important clients.
The virus arrived in an attachment to an email message with the subject: "ILOVEYOU".
Opening the email did no damage: a text email message cannot cause damage simply by being opened. But this is not true of HTML email messages.
The LoveLetter email contains the message: "Kindly check the attached LOVELETTER coming from me." The attachment is a file named LOVE-LETTER-FOR-YOU.TXT.vbs. This is the virus.
This virus, and others we have seen in the past year, spread fast by making a copy of your entire Windows email address book and then sending itself to everyone as if it were from you, so it appears to come from a safe source.
But the problem with LoveLetter is not just that it sends the virus to your email list. It searches your PC, and the entire network, for files that end with the extensions VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA, replacing the contents with the virus and changing the file extension to .VBS.
JPG or JPEG files are overwritten and have the extension .VBS added to the existing filename.
MP2 or MP3 files are overwritten by the virus but are also copied to a new file with a .VBS extension added. The original file is then hidden.
The result is that the original data is lost and the moment you attempt to open an infected file the virus is triggered again. If you are infected, these files will need to be cleaned, including the hidden ones.
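The renaming pattern described above can be used to triage a drive before and after cleaning. The sketch below is an added example, not part of the original article and not a replacement for an anti-virus scan; the function names are hypothetical, the sample file names are constructed, and the hidden-file check only works on Windows.

```python
import os
import tempfile

# Inner extensions taken from the article: media files get ".vbs" appended,
# and the attachment itself hides behind ".TXT.vbs".
MEDIA = {".jpg", ".jpeg", ".mp2", ".mp3"}
DECOY = {".txt"}             # extend with other harmless-looking extensions
MUSIC = {".mp2", ".mp3"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; absent on other systems

def classify(filename):
    """Label a file name that matches the article's renaming pattern."""
    stem, ext = os.path.splitext(filename.lower())
    if ext != ".vbs":
        return None
    inner = os.path.splitext(stem)[1]
    if inner in MEDIA:
        return "overwritten-media"
    if inner in DECOY:
        return "double-extension"
    # A plain "name.vbs" cannot be judged by name alone: script files are
    # overwritten in place, so those still need a real anti-virus scan.
    return None

def is_hidden(path):
    """True if the Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)

def scan(root):
    """Walk root and return sorted (relative path, label) findings."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            label = classify(name)
            if not label and os.path.splitext(name.lower())[1] in MUSIC:
                label = "hidden-original" if is_hidden(path) else None
            if label:
                findings.append((os.path.relpath(path, root), label))
    return sorted(findings)

def demo():
    """Run scan() over a constructed tree of empty files."""
    names = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "holiday.jpg.vbs",
             "song.mp3.vbs", "song.mp3", "logon.vbs", "notes.txt"]
    with tempfile.TemporaryDirectory() as root:
        for name in names:
            open(os.path.join(root, name), "w").close()
        return scan(root)
```

Point `scan()` at local and network drive roots; every path it reports should be cleaned or restored from backup rather than opened.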
So is there anything you can do to protect your firm from future viruses?
The simple answer is yes. These viruses are successful because Office products now contain a powerful programming language called Visual Basic Script (VBS).
This programming language enables companies to automate functions in Windows and Microsoft Office products.
If you use Internet Relay Chat - IRC and mIRC software - the virus will attempt to send itself via an HTML page to everyone in the chatroom when you go online.
Finally, the virus attempts to install a password-stealing Trojan on your system. It does this by changing the home page in your internet browser, pointing it to one of four websites from which it will attempt to download WIN-BUGSFIX.EXE, a password-stealing program.
This will be set to run every time Windows is booted and will send your hostname, username, host IP address, remote access passwords and cached passwords, including online banking passwords, to an address in the Philippines.
Most of us seldom, if ever, use VBS and if that is the case it is worth disabling Windows Scripting Host, without which this and similar VBS viruses are rendered harmless.
It is easy to do:
Enter Start/Settings/Control Panel.
Open Add/Remove Programs.
Choose the Windows Setup tab.
Double-click on Accessories and make sure Windows Scripting Host is de-selected (i.e. no checkmark). Although this might help in the future, if you were infected it is important to check that you have really cleaned the system - this virus will have infected huge areas of your systems and can easily start over again.
Make sure you set the attachment security in Outlook to HIGH - this warns you before running scripts (Click Tools/Options - Security tab).
Never open a .vbs or .exe file attachment unless you are expecting it. If sending material, it may even be worth encrypting and password protecting any executable file so your recipient knows it is safe.
If you have been infected, clean your system with anti-virus software, which you can obtain from the websites listed below. Make sure that you scan the entire system - local PCs and network drives. Many of these files are not checked in a normal default scan because they are image files.
If you were infected, change all passwords and make it a policy to regularly change passwords in future.
Antivirus software and advice can be obtained from the following sites: www.Symantec.com, www.McAfee.com, www.Sophos.com, www.drsolomons.com.