Advice on the "I love you" E-mail virus/worm
In case you haven't heard, an e-mail virus that comes with the subject heading "ILOVEYOU" has wreaked havoc worldwide since it was first released May 3rd. A screen-shot of the message as it appears in Outlook is shown at the top of an article on F-Secure's web page about the virus.
Microsoft has also issued a lame missive on the subject, basically blaming the whole thing on users.
McAfee, Trend Micro, Norton AV, F-Secure and CERT have published pages describing the technical characteristics of the virus/worm:
For more generalized explanations, see the following two articles, which have the best information about it that I've found so far:
From what I've found out in the articles above, I make the following recommendations:
Fact 1: before the variants were released, this virus was very easily identified by the subject heading "ILOVEYOU." Delete unread any e-mail message you receive with this subject heading. You may also want to configure your e-mail program's incoming mail filters to automatically delete any such message.
However, with the discovery of all these variations having different subject headings and different attachment names, one must rely more on the characteristics of the attachment, rather than on something as simple as the message's subject. That makes it all that much more important to follow the instructions below to disable the security risks that have enabled this worm's dissemination.
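As an added example (not part of the original article), here is the kind of mail-filter check the two facts above call for: it deletes on the original subject heading and, for the variants, on the attachment's file type, catching the double-extension case where only a TXT name is visible. It uses only Python's standard email module; the sample message, its filename and its text are constructed, not a real capture.

```python
# Added example (not from the original article): flag a message by the
# original subject heading or, for the variants, by a .VBS/.VBE attachment.
import email
from email import policy

SCRIPT_EXTENSIONS = {"vbs", "vbe"}  # Windows Scripting Host file types (Fact 2)
BLOCKED_SUBJECT = "ILOVEYOU"

def attachment_risk(filename):
    """Reason to block this attachment name, or None if it looks harmless."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTENSIONS:
        return None
    if len(parts) > 2:  # e.g. NAME.TXT.vbs: only the TXT part is visible
        return f"double extension hides script: {filename}"
    return f"script attachment: {filename}"

def check_message(raw):
    """Parse a raw message and return every reason it should be deleted unread."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if (msg["subject"] or "").strip().upper() == BLOCKED_SUBJECT:
        reasons.append(f"blocked subject: {msg['subject'].strip()}")
    for part in msg.iter_attachments():
        risk = attachment_risk(part.get_filename() or "")
        if risk:
            reasons.append(risk)
    return reasons

# Constructed sample in the worm's general shape (subject plus a .TXT.vbs
# attachment); the filename and text are made up, not a real capture.
SAMPLE = """\
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

please see the attached note.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="greeting-card.TXT.vbs"

' script body omitted
--b1--
"""
```

Running check_message(SAMPLE) returns two reasons, one for the subject and one for the hidden script extension; a message with only a harmless attachment and a different subject returns an empty list.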
Fact 2: the attachment to this message is a VBScript file (VBS extension; could also be a VBE extension), which is executed by the Windows Scripting Host, a feature added to Windows 98 and Windows 2000, but not present by default in Windows 95 and Windows NT 4.
To disable the execution of VBScript files, first check if you have the Scripting Host installed:
If it is found, then disable the execution of VBScript files:
It is also a good idea to set Internet Explorer to not execute VBScripts. To do that:
Netscape does not execute VBScripts if Windows is not configured to automatically execute them. If you disabled VBScript execution in Step f, Netscape will be safe, as well.
Fact 3: Because this virus is transmitted as an attachment, it cannot infect your computer if you do not run it.
Fact 4: Many people use e-mail programs that, by default (as shipped from the manufacturer), automatically execute and open attachments to e-mail messages. These people will all be susceptible to infection if they have the Windows Scripting Host active on their computers.
How can you tell if you are susceptible to accidentally executing this virus? Answer these questions:
If you answer YES to any of these questions, you are susceptible to infection with this virus (technically, it's actually a "worm," not a virus).
Since I do not use any e-mail programs that preview or automatically display attachments, I'm flying blind in my instructions that follow. I can only offer general principles, not any specific step-by-step instructions to protect you from the above.
Fact 5: if the worm successfully executes itself, it may be able to download a program that is designed to steal cached passwords (see the McAfee virus description page). It is not clear whether this means passwords cached in memory or those cached on disk in Windows *.PWL files. I don't know if cached passwords can be cleared, but I do know that PWL files accumulate, especially if multiple people have used a PC. I highly recommend that these be periodically deleted, since anyone managing to steal them might then gain access to your servers via the usernames/passwords of people who've logged into your PC (which might include system administrators with full access to all resources on your network). To do that:
The next time you log in, you will have to confirm all your passwords, including your Dialup Networking passwords. If other users occasionally log into your computer, it is a good idea to regularly clean out your PWL files.
Fact 6: it is possible to abort execution of the worm if you react quickly enough. If you should accidentally execute the VBS attachment, immediately hit CTRL-ALT-DEL and kill the task WSCRIPT.EXE (the Windows Scripting Host). This should terminate all further execution of the VBScript. However, it may have already done significant damage. Also, I am reporting this simply as a suggestion made by some participants in discussions of the virus/worm on ZDNet. I cannot confirm for a fact that it is possible to terminate the Windows Scripting Host quickly enough to avoid significant damage to your computer. Should you terminate WSCRIPT.EXE in an attempt to stop the worm, I recommend that you immediately shut down your computer and call in your local computer guru to maximize the possibility of a full recovery from the infection.
Fact 7: you cannot depend on your anti-virus software, even if it is up to date, to protect you from new viruses/worms like this one. Even if you have McAfee or Norton set to scan your incoming e-mail attachments, those programs may not be able to distinguish a new, malicious virus from a legitimate attachment, even if you have the most up-to-date virus definitions. However, if you configure your e-mail program not to preview/execute attachments and set up your computer to ignore VBScript files, you should be adequately protected from infection by this particular virus/worm (and any other such virus of the same type) regardless of whether or not you have the most up-to-date virus definitions for your anti-virus program.
However, all the major anti-virus software providers are now providing updated data files that can protect you against this particular infection. Despite the comments in the paragraph above, everyone should update their virus definitions as soon as they know that the newest definitions will detect this worm, and given the appearance of as many as four variants, it would be advisable to check back with your anti-virus software vendor more than once over the next couple of weeks for virus definitions that can catch the variations, too.
As stated in Fact 1, the easiest protection against this virus is:
DON'T OPEN ANY E-MAIL MESSAGE WITH THE SUBJECT HEADING "ILOVEYOU".
Delete it unopened and unread, then go to your e-mail program's trash can/deleted messages folder, and delete it again. Then set up a filter in your e-mail program that deletes all messages with the subject "ILOVEYOU".
More important, think about what you are doing before you open an attachment. Regardless of the filename, save it to disk and scan it with your anti-virus program before opening it. If the visible file extension is TXT (as it is here), open it with Notepad to see what it is. Notepad cannot execute any code, so you are in no danger from any text-based virus/worm.
And, last of all, a lesson here for everyone is that you should have reliable backups of all your important files. A virus like this one can easily wipe out gigabytes of important data (in one of CNET's articles, one graphics house is described as having lost their entire archives of photos in JPG format). Any files that are important enough to save are important enough to back up. Any company that doesn't have a proper backup strategy and doesn't test their backups monthly deserves to be put out of business by a virus like this.
©2000, David Fenton Associates. Created May 4, 2000. Last updated May 8, 2000.