Pit Schultz on Thu, 4 May 2000 20:57:09 +0200 (CEST)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Nettime-bold] cure from loveletter virus


19:49 04.05.00 Berlin

where have all the jpges gone? it started in the phillipines and
spread exponentially, all kinds of agencies who use outlook
spread the virus into the businessworld, pentagon e-mail was
shut down etc.

the following .exe seems to work properly. shut down other
running applications before. did somebody say backup? 


all best
/pit

----

from: alt.virus

Here's the Beta cure:
http://getvirushelp.com/ILoveYou/iloveyoucleaner.exe
 
I'm planning on adding a couple features when I get a chance, but I've been
successful
 in using this to clean machines.
 
Craig Schmugar
craig@getvirushelp.om
http://www.getvirushelp.com


----

Hi,
 
I have to go to sleep now. It is getting late over here in Taiwan and I
have been looking for a cure for the love-letter-for-you virus. I hope
there is cure before I wake up in the morning. I do not have any of the
major anti-virus programs so even if there is a cure that can cure the love
virus, I couldn't update the definition files to fix it. I am hoping there
is something not related to any specific Anti-virus company that I can put
on a floppy and install on the infected PC to fix this. Or I can manually
fix it. I saw one fix to change the
registry delete the culprit and then delete every file that is 11k and has
a .vbs extension. I am hoping there is an easier fix as i checked the
infected Pc and there about 200 files that match that description mostly
jpegs and gifs.
 
Any help would be appreciated. I want our little company to be
productive tomorrow.
 
Cheers.
 
Steve Smith
Taipei, Taiwan
 


----

We're clean.
In an office of 30, 10 were infected.  Followed the instructions by Robin
Sayer (and the follow ups) and we're clean.  The server is no longer under
severe strain (it's better than ever, in
fact) and everyone is happy.
 
Have to edit the registry, but nothing too serious - don't be
afraid of it.
 
So either find the thread **LOVELETTER VIRUS ALERT** on this
newsgroup, or go to
 
www.remarq.com/read/compvirs/q_5GXeCMH9P0C_DzU
 
which has that thread.
 
It works.  Although you do lose the files that have been
corrupted, what more can I say?
(Except, I'll never forget the joy as the processor usage on our server
dropped from 100% when the virus was at it's max to a
more civilised 10% after I'd cleaned it all)
 
Big thanks to Robin Sayer.


----
Hi there,
Who has info on a new virus sweeping South Africa. The virus is called "I
love you" , or "Love Letter". It is a .vbs file and works by replicating
itself and mailing to everyone in your address book. I think that is fairly
new as there is info on the web, I think.
 
Thanks, keep cool guys !

---

It's currently following the timezones west.... Europe has been hit pretty
bad. www.datafellows.com has Infos on it.

----


Hey,
Here it's hit the west coast.  If you don't know how to read VB to find out
the files it's using here are the paths and files:
 
Files created:
MSKernel32.vbs
Win32DLL.vbs
Love-Letter-for-you.txt.vbs
 
Registry Settings needed to be deleted:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKerne
l32",dirsystem&"\MSKernel32.vbs
 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
\Win32DLL",dirwin&"\Win32DLL.vbs
 
fifedog
 
 
-----


Check task manager & end wscript.exe & outlook.exe if they're running
Delete all .VBS files created today  (Do findfiles *.vbs - all files
created or modified today)
Remember to specify 'all-drives'  - you will have lost all your
jpg's,mp3,mp2,css & some others on local drives & shares. 
 
Delete ROOT\WINNT\SYSTEM32\LOVE-LETTER-FOR-YOU.HTM
 
Delete;
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKern
el32 MSKernel32.vbs"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunService
s\Win32DLL Win32DLL.vbs"
 
Set default internet explorer location back to what it normally is.
(www.msn.com by default)
Then check;
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
to make sure the change has taken ok.
 
Check & delete if exists;
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-
BUGSFIX",downread&"\WIN-BUGSFIX.exe"
Search all drives for win-bugsfix.exe & delete
 
Check
"HKEY_CURRENT_USER\Software\Microsoft\WAB\"
Against your address book to see who you have posted to.
 
No great harm done unless you depend on your jpg's - don't run mail
attachments on MC PC's in future.
 

----



_______________________________________________
Nettime-bold mailing list
Nettime-bold@nettime.org
http://www.nettime.org/cgi-bin/mailman/listinfo/nettime-bold