David Fenton Associates

Advice on the "I love you" E-mail virus/worm

--------------------------------------------

In case you haven't heard, an e-mail virus that comes with the subject heading "ILOVEYOU" has wreaked havoc worldwide since it was first released May 3rd. A screen-shot of the message as it appears in Outlook is shown at the top of an article on F-Secure's web page about the virus.

Woody's Office Watch has done a special issue on the virus/worm, probably the best single source for information on it at this point.

Microsoft has also issued a lame missive on the subject, basically blaming the whole thing on users.

McAfee, Trend Micro, Norton AV, F-Secure and CERT have published pages describing the technical characteristics of the virus/worm:

Variants continue to appear, with McAfee claiming 17, and Symantec 13. McAfee allows you to scan your PC from the Web at http://www.mcafee.com/viruses/loveletter/.

For more generalized explanations, see the following two articles, which have the best information about it that I've found so far:

From what I've found out in the articles above, I make the following recommendations:

Fact 1: before the variants were released, this virus was very easily identified by the subject heading "ILOVEYOU." Delete unread any e-mail message you receive with this subject heading. You may also want to configure your e-mail program's incoming mail filters to automatically delete any such message.

However, now that variants with different subject headings and different attachment names have appeared, one must rely on the characteristics of the attachment rather than on something as simple as the message's subject. That makes it even more important to follow the instructions below and disable the features that have enabled this worm's dissemination.

Fact 2: the attachment to this message is a VBScript file (a .VBS extension, or .VBE for an encoded script), which is executed by the Windows Scripting Host (WSCRIPT.EXE), a feature shipped with Windows98 and Windows2000 but not present by default in Windows95 and Windows NT 4.

  1. if you are running Windows98 or Windows2000 disable the Windows Scripting Host.
  2. if you are running Win95 or NT 4 instead, but have Internet Explorer 5 installed, you may have the Windows Scripting Host installed on your computer.

To disable the execution of VBScript files, first check if you have the Scripting Host installed:

  1. go to the START menu and choose FIND | Files or Folders
  2. search for WSCRIPT.EXE anywhere on your computer (its console counterpart, CSCRIPT.EXE, runs the same scripts and is installed alongside it).

If it is found, then disable the execution of VBScript files:

  1. open Windows Explorer.
  2. from the VIEW menu, choose OPTIONS.
  3. click the FILE TYPES tab.
  4. scroll down to the bottom of the list and find one or more line items that begin with the word "VBScript" (such as "VBScript Script File" and "VBScript Encoded Script File"). Delete those items.

Note that deleting the file types only removes the double-click (and "open attachment") route into WSCRIPT.EXE; the Scripting Host itself remains installed and will still run a script handed to it explicitly. The JScript file types (.JS and .JSE) are run by the same host and carry the same risk, so delete them as well if you have no need for them.

It is also a good idea to set Internet Explorer to not execute VBScripts. To do that:

  1. start Internet Explorer and from the TOOLS menu, choose Internet Options (you can also execute the Internet Options tool from Control Panel).
  2. click on the SECURITY tab.
  3. at the top, select the icon for INTERNET
  4. click the CUSTOM LEVEL button.
  5. scroll down to the SCRIPTING section.
  6. in the first item, set Active Scripting to DISABLED.
  7. repeat steps 3 to 6 for each of the other icons on the Security tab: LOCAL INTRANET, TRUSTED SITES and RESTRICTED SITES.

Outlook and Outlook Express render HTML mail with Internet Explorer's engine under one of these zones, so setting all four covers your mail as well. Be aware that Active Scripting also covers JavaScript, so some web sites will stop working with it disabled.

Netscape Navigator has no VBScript engine of its own, so it does not run VBScript in web pages regardless of this setting; what it does with a .VBS attachment is governed by the Windows file type association, which the Windows Explorer steps above remove. If you deleted the VBScript file types, Netscape is safe as well.
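The file type change above can also be made from a registry file, which is handy when the same fix has to go onto many PCs (for example from a login script). The following is an added example, not something from the original page or from Microsoft: instead of deleting the file types it points the "Open" action for .VBS and .VBE files (and, as a generalization, the JScript types the same host runs) at Notepad, so a double-clicked script is displayed rather than executed. The WSCRIPT.EXE and NOTEPAD.EXE paths are the Windows 98 defaults and are assumptions; check them on your own machine before merging the file.

```reg
REGEDIT4

; Added example, not from the original page.  Merge by double-clicking the
; .reg file (or REGEDIT /S file.reg from a login script).

; As shipped (Windows 98 path assumed; Windows 2000 uses
; %SystemRoot%\System32\WScript.exe): double-clicking NAME.vbs runs it
; under the Windows Scripting Host.  Shown commented out, for reference.
;[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
;@="C:\\WINDOWS\\WSCRIPT.EXE \"%1\" %*"

; Hardened: the same double-click opens the script in Notepad, where it can
; be read but cannot execute.  Adjust the Notepad path to your Windows directory.
[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="C:\\WINDOWS\\NOTEPAD.EXE \"%1\""

[HKEY_CLASSES_ROOT\VBEFile\Shell\Open\Command]
@="C:\\WINDOWS\\NOTEPAD.EXE \"%1\""

; The Scripting Host also runs JScript files; give them the same treatment.
[HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command]
@="C:\\WINDOWS\\NOTEPAD.EXE \"%1\""

[HKEY_CLASSES_ROOT\JSEFile\Shell\Open\Command]
@="C:\\WINDOWS\\NOTEPAD.EXE \"%1\""
```

To reproduce the page's "delete the file type" approach exactly instead, the .reg syntax is a key name prefixed with a minus sign, e.g. `[-HKEY_CLASSES_ROOT\VBSFile]` followed by `[-HKEY_CLASSES_ROOT\.vbs]`, and likewise for the .vbe pair. Either way, WSCRIPT.EXE itself stays on the machine; these entries only control what a double-click does.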

Fact 3: Because this virus is transmitted as an attachment, it cannot infect your computer if you do not run it.

Fact 4: Many people use e-mail programs that, by default (as shipped from the manufacturer), automatically execute and open attachments to e-mail messages. These people will all be susceptible to infection if they have the Windows Scripting Host active on their computers.

How can you tell if you are susceptible to accidentally executing this virus? Answer these questions:

  1. does your e-mail reader automatically open all attached files, whether pictures, MS Word documents or whatever?
  2. do you have a PREVIEW option in your e-mail reader activated that shows you part of the contents of your e-mail messages before you open them? (A preview pane does not run a .VBS attachment by itself, but it does render HTML mail, including any script embedded in it, before you have decided to open the message.)
  3. do you doubleclick all attachments to open them, without saving them and scanning them for malicious code?

If you answer YES to any of these questions, you are susceptible to infection with this virus (technically, it's actually a "worm," not a virus).

Since I do not use any e-mail programs that preview or automatically display attachments, I'm flying blind in my instructions that follow. I can only offer general principles, not any specific step-by-step instructions to protect you from the above.

  1. fixing item 3 is easiest: NEVER EVER open an attached file that you have not saved to disk and scanned with your anti-virus software.
  2. the second item is correctible by setting your e-mail software not to preview messages. In Outlook Express, for instance, just turn off the preview pane (I don't have it installed on my PC, so I can't offer specific instructions).
  3. the first item is also correctible by configuring your e-mail software not to automatically open attachments. Unfortunately, I'm not sure whether every program can be configured that way. I've only used AOL a little, so I can't say for certain whether you can turn off the automatic display of attachments. Nor can I say whether AOL e-mail can indeed infect your computer with this virus/worm. I suspect that it could if you've got the Windows Scripting Host installed, but I'm not certain about this.

Fact 5: if the worm successfully executes, it may download a program designed to steal cached passwords (see the McAfee virus description page). It is not clear whether this means passwords cached in memory or those cached on disk in Windows *.PWL files. (On Windows 95/98 the two are closely related: the PWL file is where a user's password cache is saved, and it is loaded back into memory when that user logs on. Windows NT 4 and Windows 2000 do not use PWL files.) I don't know if cached passwords can be cleared, but I do know that PWL files accumulate, one per user who has logged on, especially if several people have used a PC. I highly recommend that these be periodically deleted, since anyone managing to steal them might then gain access to your servers via the usernames/passwords of people who've logged into your PC (which might include system administrators with full access to all resources on your network). To do that:

  1. from the START menu, choose FIND | Files or Folders.
  2. search for *.PWL.
  3. select all PWL files and, while holding down the SHIFT key, hit the DELETE key.
  4. check your Recycle bin to be sure that the SHIFT-DEL combination worked (that's what adding the SHIFT key does -- it completely deletes the files instead of just sending them to the Recycle bin). If you still see PWL files in the Recycle bin, select them and hit the DELETE key again. This will remove them from the Recycle bin.

The next time you log in, you will have to re-enter all your passwords, including your Dialup Networking passwords. If other users occasionally log into your computer, it is a good idea to clean out your PWL files regularly.

Fact 6: it is possible to abort execution of the worm if you react quickly enough. If you should accidentally execute the VBS attachment, immediately hit CTRL-ALT-DEL (the Close Program dialog on Windows 95/98, Task Manager on NT 4 and 2000) and end the task WSCRIPT.EXE (the Windows Scripting Host). This terminates the running script, but it may already have done significant damage. I am reporting this simply as a suggestion made by some participants in discussions of the virus/worm on ZDNet; I cannot confirm for a fact that it is possible to react quickly enough to terminate the Scripting Host before significant damage is done to your computer. Should you terminate WSCRIPT.EXE in an attempt to stop the worm, I recommend that you immediately shut down your computer and call in your local computer guru to maximize the possibility of a full recovery from the infection.

Fact 7: you cannot depend on your anti-virus software, however up to date, to protect you from new viruses/worms like this one. Even if you have McAfee or Norton set to scan incoming e-mail attachments, those programs cannot distinguish a brand-new worm from a legitimate attachment until definitions that know about it have been issued. However, if you configure your e-mail program not to preview/execute attachments and set up your computer to ignore VBScript files, you should be adequately protected from this particular virus/worm (and any other of the same type) regardless of whether you have the most up-to-date virus definitions for your anti-virus program.

However, all the major anti-virus software providers are now providing updated definition files that detect this particular infection. Despite the comments in the paragraph above, everyone should update their virus definitions as soon as the newest definitions detect this worm, and given the number of variants already reported, it would be advisable to check back with your anti-virus software vendor more than once over the next couple of weeks for definitions that catch the variations, too.

CONCLUSION:

As stated in Fact 1, the easiest protection against this virus is:

DON'T OPEN ANY E-MAIL MESSAGE WITH THE SUBJECT HEADING "ILOVEYOU".

Delete it unopened and unread, then go to your e-mail program's trash can/deleted messages folder and delete it again. Then set up a filter in your e-mail program that deletes all messages with the subject "ILOVEYOU". Remember that such a filter catches only the original; the variants use other subjects and attachment names, so the attachment precautions above still apply.

More important, think about what you are doing before you open an attachment. Regardless of the filename, save it to disk and scan it with your anti-virus program before opening it. In this case the attachment's full name ends in .vbs, but Windows Explorer's default setting "Hide file extensions for known file types" (View | Options or Folder Options, View tab) shows it only as a .TXT file; turn that option off so the real extension is visible. If the extension you see is TXT, open the file with Notepad to see what it is. Notepad cannot execute any code, so you are in no danger from any text-based virus/worm.
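The checks from Fact 1 (the "ILOVEYOU" subject), Fact 2 (a .VBS or .VBE attachment) and the hidden .TXT.vbs extension just described can be automated on the mail side. The following is an added example, not code from the original page or from any of the vendors it cites: it parses e-mail messages, reports those indicators, and shows what Explorer would display for the attachment name with extensions hidden. The sample messages are constructed for the demonstration (the first reproduces the original's attachment name; the other two are illustrative), and the list of script extensions beyond .vbs/.vbe is a generalization to the other file types the Windows Scripting Host runs.

```python
"""Added example: flag mail carrying ILOVEYOU-style indicators.

Not code from the original page.  The sample messages below are constructed.
"""
from email import policy
from email.message import EmailMessage
from email.parser import Parser

# Script types the Windows Scripting Host runs.  .vbs/.vbe are the ones the
# page names; .js/.jse/.wsf/.wsh are the same kind of file (generalization).
WSH_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}

# A few of the "known" extensions Explorer hides by default.  Illustrative
# subset; the real list is whatever is registered on the machine.
KNOWN_EXTENSIONS = WSH_EXTENSIONS | {"txt", "doc", "xls", "jpg", "gif", "exe", "htm"}


def displayed_name(filename):
    """What Explorer shows with 'Hide file extensions for known file types' on."""
    stem, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in KNOWN_EXTENSIONS:
        return stem
    return filename


def attachment_findings(filename):
    """Reasons an attachment name is dangerous, judged on the REAL extension."""
    parts = filename.lower().split(".")
    findings = []
    if len(parts) >= 2 and parts[-1] in WSH_EXTENSIONS:
        findings.append("script file (.%s) that WSCRIPT.EXE would run" % parts[-1])
        if len(parts) >= 3:  # NAME.TXT.vbs is shown as NAME.TXT by default
            findings.append("double extension; Explorer shows it as '%s'"
                            % displayed_name(filename))
    return findings


def check_message(raw):
    """Return the indicators found in one RFC 822 message (empty list = none)."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []
    subject = str(msg["Subject"] or "").strip()
    if subject.upper() == "ILOVEYOU":  # Fact 1: the original subject line
        findings.append('subject "ILOVEYOU"')
    for part in msg.iter_attachments():  # Fact 2: judge what is attached
        name = part.get_filename()
        if name:
            for reason in attachment_findings(name):
                findings.append("%s: %s" % (name, reason))
    return findings


def build_sample(subject, body, attachment_name=None):
    """Construct a test message; the attachment is placeholder bytes, not a script."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"' placeholder bytes, not a script\r\n",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_string()


# Constructed samples: the original's subject and attachment name, an
# illustrative variant with a different subject, and a benign message.
SAMPLES = {
    "original": build_sample("ILOVEYOU",
                             "kindly check the attached LOVELETTER coming from me.",
                             "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    "variant": build_sample("fwd: Joke", "", "Very Funny.vbs"),
    "benign": build_sample("Q1 report", "See attached.", "report.doc"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        findings = check_message(raw)
        print("%-8s %s" % (label, "DELETE UNREAD" if findings else "no indicators"))
        for finding in findings:
            print("         " + finding)
```

The subject test fires only on the original; the "variant" sample is caught purely by its attachment's real extension, which is the point of Fact 2: once the subject is no longer constant, the attachment type is what a filter has to look at. Feeding a real mailbox through check_message means reading each message from the mail store and passing its raw text in.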

And, last of all, a lesson here for everyone is that you should have reliable backups of all your important files. A virus like this one can easily wipe out gigabytes of important data (in one of CNET's articles, one graphics house is described as having lost their entire archives of photos in JPG format). Any files that are important enough to save are important enough to back up. Any company that doesn't have a proper backup strategy and doesn't test their backups monthly deserves to be put out of business by a virus like this.

--------------------------------------------
I welcome any feedback on this page, especially corrections, at the e-mail address below.

--------------------------------------------

©2000, David Fenton Associates. Created May 4, 2000. Last updated May 8, 2000.