Greetings, musicalatina@egroups.com

I thought you would be interested in knowing about this computer virus...

Virus Name: VBS/Loveletter.a

Virus Characteristics:
This is a VBScript worm with virus qualities. This worm will arrive in an
email message with this format:

Subject "ILOVEYOU"
Message "kindly check the attached LOVELETTER coming from me."
Attachment "LOVE-LETTER-FOR-YOU.TXT.vbs"

If the user runs the attachment the worm runs using the Windows Scripting
Host program. This is not normally present on Windows 9x or Windows NT
unless Internet Explorer 5 is installed.

When the worm is first run it drops copies of itself in the following
places :

WINDOWS\SYSTEM\MSKERNEL32.VBS
WINDOWS\WIN32DLL.VBS
WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS

It also adds the registry keys :

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=WINDOWS\SYSTEM\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=WINDOWS\Win32DLL.vbs

in order to run the worm at system startup.

This worm searches all drives connected to the host system and replaces
the following files:

*.JPG
*.JPEG

with copies of itself and it adds the extension .VBS to the original
filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would
contain the worm.

The worm also overwrites the following files:

*.VBS
*.VBE
*.JS
*.JSE
*.CSS
*.WSH
*.SCT
*.HTA

with copies of itself and renames the files to *.VBS.

This virus locates instances of the following file types:

*.MP3
*.MP2

and if found, makes them hidden and copies itself as these filenames
except with .VBS extension. For isntance, if file exists as "2PAC.MP3",
this now becomes a hidden file and the virus is copied as "2PAC.MP3.VBS".

The worm creates a file "LOVE-LETTER-FOR-YOU.HTM" which contains the worm
and this is then sent to the IRC channels if the mIRC client is installed.
This is accomplished by the worm replacing the file SCRIPT.INI.

After a short delay the worm uses Microsoft Outlook to send copies of
itself to all entries in the address book.
The mails will be of the same format as the original mail.

This worm also has another trick up it's sleeve in that it tries to
download and install an executable file called WIN-BUGSFIX.EXE from the
Internet. This exe file is a password stealing program that will email any
cached passwords to the mail address MAILME@...

In order to facilitate this download the worm sets the start-up page of
Microsoft Internet Explorer to point to the web-page containing the
password stealing trojan.

The email sent by this program is as follows :

-------------copy of email sent-----------
From: [victim machine name]@[victim IP address]
To: mailme@...
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.
trojan---by: spyder
Host: [machine name]
Username: [user name]
IP Address: [victim IP address]

RAS Passwords:...[victim password info]
Cache Passwords:...[victim password info]
-------------copy of email sent-----------

The password stealing trojan is also installed via the following registry
key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSF
IX

to autorun at system startup. After it has been run the password stealing
trojan copies itself to WINDOWS\SYSTEM\WinFAT32.EXE and replaces the
registry key with

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
WinFAT32=WinFAT32.EXE


To check your system for this virus, and to learn how to protect yourself
from computer viruses, visit the McAfee PC Clinic at
http://clinic.mcafee.com.

This email was sent to you by Jose Noriega