This information can be freely reproduced in any medium, as long as the information is unmodified.
06 May News Flash: According to CNN (leaving our site), the arrest of the writer of VBS/LoveLetter.A is imminent. Hope they got the right guy, and I hope that -- assuming they did -- he gets what he deserves.
08 May Update: Man arrested, according to ZDNet (leaving our site).
The VBScript/LoveLetter.A worm made a splashy appearance on 4 May, 2000, arriving in many email boxes. Like the W97M/Melissa.A virus of over a year ago, this worm uses a "mass mailing" method on Windows computers to send itself via Microsoft Outlook mailboxes. Unlike Melissa, however -- which only sent to the first 50 names in the address book -- the LoveLetter worm sends to ALL entries.
That can make an email storm in a hurry -- if the malware gets lucky enough in the first place. This one did.
Since VBS/LoveLetter uses Windows Scripting Host (WSH) to propagate, it does not affect Macintosh computers. Of course, this does not prevent Macintosh users from receiving email infected with VBS/LoveLetter, but at least Mac users need not worry about it infecting their systems.
[Most Windows users have absolutely no need for WSH; click here (leaving our site) to learn how to disable WSH and thereby make your computer more secure from attack by this and other malware.]
The worm trashes some files and hides others -- though these are not files that are found on all computers. For more details, follow the links in the technical section below. Note that the trashed files cannot be repaired; they must be restored from originals, if originals exist.
Fortunately, antivirus vendors are quick to respond, particularly in cases like this. Within hours of VBS/LoveLetter.A's appearance on the world stage, we had extra drivers for our University of Michigan site licensed products -- Dr Solomon's Anti-Virus Toolkit (DSAV) and VirusScan.
University of Michigan faculty, staff, and students may get extra drivers to handle VBS/LoveLetter for DSAV and VirusScan by clicking on the above links. We now have updated drivers available that are from "07:51 on 19 May, 2000". The updated driver contains drivers for several variants, including the "Mother's Day" version of VBS/LoveLetter, known as VBS/LoveLetter.E. It also includes drivers for the LoveLetter-like worm, VBS/Newlove.A, first seen on 18 May, 2000.
Note that the extra driver does NOT fix the files damaged, if any, by this worm, because VBS/LoveLetter overwrites those files. The damaged files must be reinstalled from originals, if they exist. Also, the extra driver does not remove the changes to the Registry, though I expect that the SuperDAT 4077 -- to be released at some time during the week of 8 May, 2000 -- will do so for DSAV and VirusScan.
Just install this file in the same folder as the file NAMES.DRV for DSAV or, for VirusScan, NAMES.DAT, and then restart your computer -- this should protect you from this pest.
NOTE: For VirusScan, the extra.dat file is NOT placed with most of the rest of the VirusScan installation, but rather in the folder
C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx
Please be sure to place it there.
The drivers have been tested for both DSAV and VirusScan, and appear to work as advertised; note that afflicted files will be deleted, since there is nothing to disinfect.
[If you are a University of Michigan faculty member, staff member, or student and you do not already have an antivirus product installed on your computer, you can download DSAV or VirusScan to detect, remove, and prevent this and over 50,000 other viruses. Get DSAV or VirusScan by clicking on the appropriate link.]
If you use antivirus software other than DSAV or VirusScan, check with your vendor for updated drivers. F-PROT users should note that new SIGN.DEF files are available from FSI's web site (leaving our site).
More info as it becomes available -- and as our mailbox gets cleared out.
Oh, one final thing: if you happen to have kept a log of the time this worm has cost you, please consider emailing me the details -- confidentiality guaranteed.
Also, the FBI is interested in information from those who have been infected.
If you wish to give others information about this particular worm, I suggest that you provide a pointer to this URL (http://www.umich.edu/~virus-busters/loveletter.html).
For technical descriptions of this worm, see F-Secure's (leaving our site) or NAI's (leaving our site) web pages concerning the VBS/LoveLetter family.
Also, you can visit CERT's (leaving our site) document on this, but it contains a few errors of fact. System administrators who follow the (non-CERT) link to the SENDMAIL blocking script should be aware of its severe inadequacies -- but stop-gap measures may be better than none. Feel free to email me if you are a sysadmin and want to know some of the problems -- but I won't be offering you detailed fixes, unfortunately.
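For mail administrators, one gateway-side check keys on what the worm needs in order to run (an attachment that WSH will execute) and ignores the message text. This is an added example, not part of the original page and not the linked SENDMAIL script; the extension list, function names and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# File types Windows hands to Windows Scripting Host when opened.
WSH_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def final_extension(filename):
    """Lower-cased last extension. Windows drops trailing dots and spaces
    when saving, so 'x.vbs.' still lands on disk as 'x.vbs'."""
    cleaned = filename.strip().rstrip(". ")
    _, dot, ext = cleaned.rpartition(".")
    return "." + ext.lower() if dot else ""


def wsh_attachments(raw_message):
    """Return (filename, extension) for every MIME part WSH would run.

    Only the last extension counts: 'notes.TXT.vbs' is a script, whatever
    the part's declared Content-Type or the earlier '.TXT' suggests."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # also decodes RFC 2231 encoded names
        if not name:
            continue
        ext = final_extension(name)
        if ext in WSH_EXTENSIONS:
            hits.append((name, ext))
    return hits


def build_sample(filename):
    """Constructed test message with one harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.org"
    m["To"] = "bob@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("notes.TXT.vbs", "report.txt", "macro.VBE."):
        print(fn, "->", wsh_attachments(build_sample(fn)))
```

A gateway would quarantine or strip the flagged parts; the check says nothing about messages that carry no attachment.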
For more general virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like F-Secure (leaving our site) -- formerly known as DataFellows.
-BPB