Warning to all University at Albany e-mail users.
May 4, 2000
The University has been hit by an e-mail bug. This bug contains a worm that will affect your computer if you open the attachment to the email. If you receive an e-mail with the subject of "ILOVEYOU" simply delete the message, DO NOT attempt to open the e-mail, regardless of the sender. This mail may appear to come from someone you know.
The University has temporarily stopped e-mail service to prevent the propagation of this e-mail worm through our servers. However it is important to note that once e-mail service is restored the University cannot stop this worm or any other incoming viruses or malicious attachments. Therefore please practice safe computing and never open any attachments which you receive via e-mail unless you are certain of their source.
If you have already opened the attachment please contact your local support personnel.
Please direct any questions regarding this message to the Help Desk at 442-3706 or [email protected]. We apologize for any inconvenience this may cause.
The following information is duplicated from www.commandcom.com/virus/love.html
VBS/LoveLetter.A Worm Information
May 4, 2000
VBS/LoveLetter.A is an internet worm that exploits the
recipient's Outlook address book to spread via e-mail.
Subject: ILOVEYOU
Body: "kindly check the attached LOVELETTER coming from me."
contains an attachment, LOVE-LETTER-FOR-YOU.TXT.vbs. Once executed, it changes the Windows Scripting Host timeout to 0, in an attempt to ensure certain actions go undetected. The virus then copies MSKernel32.vbs to the Windows\System directory, and Win32dll.vbs to the Windows directory.
VBS/LoveLetter.A reads to determine the MS download directory location. If it is not found, it will use C:\. It then checks the Windows\System directory for Winfat32.exe and if found, randomizes a number between 1 and 4, modifying the registry to set Internet Explorer's start page to the corresponding page associated
with the random number. This allows it to download Win-Bugsfix.exe which appears to be a backdoor trojan. The virus checks to see if Win-Bugsfix.exe was successfully downloaded and, if it was, changes the user's MSIE start page to a blank page.
This worm then generates an html file, checks for mirc32.exe or mlink32.exe, and generates script.ini, placing it in the folder for the mirc application found. This script then attempts to send the virus via IRC.
VBS/LoveLetter.A maliciously overwrites all files with the extensions: .JSE, .CSS, .JS, .WSH, .SCT, and .HTA. In addition, it overwrites and adds .VBS to all .JPG, .JPEG, .MP2, and .MP3 files.
VBS/LoveLetter.A relies on WSH (Windows Shell Script) to run.
Detection:
Command AntiVirus version 4.58.3 with deffiles dated May 4, 2000 or above will detect this worm. As with all worms and trojans, disinfection is accomplished by deleting the offending file(s).
Name: VBS/LoveLetter.A
Aliases: LoveBug
Type: Internet worm
Description
The message:
