nettime's_basic_visual_script on Sun, 7 May 2000 19:20:13 +0200 (CEST) |
<nettime> tough love digest |
Pit Schultz <pit@icf.de>
     cure from loveletter virus
"Claire Walsh" <clairew@nildram.co.uk>
     Item from Need to Know, London, 5 May 2000
t byfield <tbyfield@panix.com>
     pagre@alpha.oac.ucla.edu: [RRE]notes and recommendations [abridged]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Date: Thu, 04 May 2000 20:55:12 +0200
From: Pit Schultz <pit@icf.de>
Subject: cure from loveletter virus

19:49 04.05.00 Berlin

where have all the jpegs gone?

it started in the philippines and spread exponentially, all kinds of agencies who use outlook spread the virus into the business world, pentagon e-mail was shut down etc.

the following .exe seems to work properly. shut down other running applications before. did somebody say backup?

all best
/pit

----

from: alt.virus

Here's the Beta cure:

http://getvirushelp.com/ILoveYou/iloveyoucleaner.exe

I'm planning on adding a couple features when I get a chance, but I've been successful in using this to clean machines.

Craig Schmugar
craig@getvirushelp.om
http://www.getvirushelp.com

----

Hi,

I have to go to sleep now. It is getting late over here in Taiwan and I have been looking for a cure for the love-letter-for-you virus. I hope there is a cure before I wake up in the morning.

I do not have any of the major anti-virus programs so even if there is a cure that can cure the love virus, I couldn't update the definition files to fix it. I am hoping there is something not related to any specific Anti-virus company that I can put on a floppy and install on the infected PC to fix this. Or I can manually fix it.

I saw one fix to change the registry, delete the culprit and then delete every file that is 11k and has a .vbs extension. I am hoping there is an easier fix as I checked the infected PC and there are about 200 files that match that description, mostly jpegs and gifs.

Any help would be appreciated. I want our little company to be productive tomorrow.

Cheers.
Steve Smith
Taipei, Taiwan

----

We're clean. In an office of 30, 10 were infected. Followed the instructions by Robin Sayer (and the follow ups) and we're clean. The server is no longer under severe strain (it's better than ever, in fact) and everyone is happy.

Have to edit the registry, but nothing too serious - don't be afraid of it. So either find the thread **LOVELETTER VIRUS ALERT** on this newsgroup, or go to www.remarq.com/read/compvirs/q_5GXeCMH9P0C_DzU which has that thread.

It works. Although you do lose the files that have been corrupted, what more can I say? (Except, I'll never forget the joy as the processor usage on our server dropped from 100% when the virus was at its max to a more civilised 10% after I'd cleaned it all)

Big thanks to Robin Sayer.

----

Hi there,

Who has info on a new virus sweeping South Africa. The virus is called "I love you", or "Love Letter". It is a .vbs file and works by replicating itself and mailing to everyone in your address book. I think that is fairly new as there is info on the web, I think.

Thanks, keep cool guys!

---

It's currently following the timezones west.... Europe has been hit pretty bad. www.datafellows.com has Infos on it.

----

Hey,

Here it's hit the west coast. If you don't know how to read VB to find out the files it's using here are the paths and files:

Files created:
MSKernel32.vbs
Win32DLL.vbs
Love-Letter-for-you.txt.vbs

Registry Settings needed to be deleted:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs

fifedog

-----

Check task manager & end wscript.exe & outlook.exe if they're running

Delete all .VBS files created today (Do findfiles *.vbs - all files created or modified today)
Remember to specify 'all-drives' - you will have lost all your jpg's,mp3,mp2,css & some others on local drives & shares.

Delete ROOT\WINNT\SYSTEM32\LOVE-LETTER-FOR-YOU.HTM

Delete;
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 MSKernel32.vbs"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL Win32DLL.vbs"

Set default internet explorer location back to what it normally is. (www.msn.com by default)
Then check;
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
to make sure the change has taken ok.

Check & delete if exists;
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",downread&"\WIN-BUGSFIX.exe"

Search all drives for win-bugsfix.exe & delete

Check "HKEY_CURRENT_USER\Software\Microsoft\WAB\"
Against your address book to see who you have posted to.

No great harm done unless you depend on your jpg's - don't run mail attachments on MC PC's in future.

----

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From: "Claire Walsh" <clairew@nildram.co.uk>
Subject: Item from Need to Know, London, 5 May 2000
Date: Fri, 5 May 2000 21:09:50 +0100

Hello:

I hope this format is Ok for Nettime.

"HARD NEWS: we love you too.

And who do we love? We love the journalists who, despite having the source of the ILOVEYOU virus repeatedly delivered to them as an attachment, said that it could 'steal your bank details' (Channel 5) and that it affected Macintoshes (BBC News Online) but not users of the 'Lycos operating system' (The Times). We loved NETWORK ASSOCIATES' boast that they 'believed [it] to have originated in Manila' and 'We have the name of who we think it is but we're not saying' (amazing detective work, given that the handle and location of the author is in the first line of the script). We loved that one of the first propagators in the UK was McAfee's PR company. We loved watching MoneyFacts send it to their entire mailing list, then apologise using a cc: list of their subscribers. We loved it when mail gateways led to it being sent by fax and SMS.
And we loved it when Microsoft pretended that it had nothing to do with their lousy security provision in Outlook and Windows Scripting."

From NTN now *the* weekly high-tech sarcastic update for the UK http://www.ntk.net.

Regards
Claire Walsh

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Date: Sun, 7 May 2000 11:58:44 -0400
From: t byfield <tbyfield@panix.com>
Subject: pagre@alpha.oac.ucla.edu: [RRE]notes and recommendations

date: Fri, 5 May 2000 17:44:10 -0700 (PDT)
from: Phil Agre <pagre@alpha.oac.ucla.edu>
to: "Red Rock Eater News Service" <rre@lists.gseis.ucla.edu>
subject: [RRE]notes and recommendations

[abridged]

Some notes on Microsoft viruses

<...>

I received about 60 copies of the latest Microsoft e-mail virus and its variants. How many did you get? Fortunately I manage my e-mail with Berkeley mailx and Emacs keyboard macros, so I wasn't at risk. But if we're talking about billions of dollars in damage, which equates roughly to millions of lost work days, then I think that we and Microsoft need to have a little talk.

Reading the press reports, Microsoft's stance toward this situation has been disgraceful. Most of their sound bites have been sophistry designed to disassociate the company from any responsibility for the problem. One version goes like this quote from Scott Culp of Microsoft Public Relations, excuse me, I mean Microsoft Security Response Center:

  This is a general issue, not a Microsoft issue. You can write a virus for any platform. (New York Times 5/5/00)

Notice the public relations technology at work here: defocusing the issue so as to move attention away from the specific vulnerabilities of Microsoft's applications architecture and toward the fuzzy concept of "a virus". Technologists will understand the problem here, but most normal people will not. Mr. Culp also says this (CNET 5/5/00):

  This is by-design behavior, not a security vulnerability.

More odd language.
It's like saying, "This is a rock, not something that can fall to the ground". It's confusing to even think about it. Even though Microsoft had been specifically informed of the security vulnerability in its software, it had refused to fix it. Microsoft even tried to blame its problem on Netscape, which *had* fixed it:

  http://news.cnet.com/news/0-1005-200-1820959.html

The next step is to blame the users. The same Mr. Culp read on the radio the text of a warning that the users who spread the virus had supposedly ignored. That warning concludes with a statement to the effect that you shouldn't execute attachments from sources that you do not trust. He read that part kind of fast, as you might expect, given that the whole point of this virus is that people receive an attachment from a person who has included them in their address book. This particular blame-shifting tactic is particularly disingenuous given that the virus spread rapidly through Microsoft itself, to the point that the company had to block all incoming e-mail (Wall Street Journal 5/5/00).

Similarly, CNET (5/4/00) quoted an unnamed "Microsoft representative" as saying that companies must educate employees "not to run a program from an origin you don't trust". Notice the nicely ambiguous word "origin". The virus arrives in your mailbox clearly labeled as having been sent by a particular individual with whom you probably have an established relationship. It bears no other signs of its "origin" that an ordinary user will be able to parse, short of executing the attachment.

So what on earth is Microsoft doing allowing attachments to run code in a full-blown scripting language that can, among many other things, invisibly send e-mail? Says the "Microsoft representative",

  We include scripting technologies because our customers ask us to put them there, and they allow the development of business-critical productivity applications that millions of our customers use.

There needs to be a moratorium on expressions such as "customers ask us to". Does that mean all of the customers? Or just some of them? Notice the some/all ambiguity that is another core technology of public relations. Do these "customers" really specifically ask for fully general scripts that attachments can execute, or do they only ask for certain features that can be implemented in many ways, some of which involve attachments that execute scripts? Do the customers who supposedly ask for these crazy things understand the consequences of them? Do they ask for them to be turned on by default, so that every customer in the world gets the downside of them so that a few customers can more conveniently get the upside? And notice how the "Microsoft representative" defocuses the issue again, shifting from the specific issue of scripts that can be executed by attachments to the fuzzy concept of "scripting technologies", as if anybody were suggesting that scripting technologies, as such, in general, were to blame.

Microsoft shouldn't be broken up. It should be shut down.

<...>

#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime@bbs.thing.net
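
Added example, not part of the digest or of any poster's message: a read-only audit for the autorun values and file names listed in the cleanup posts forwarded in the first message above. It assumes the registry has been exported as REGEDIT4-style text; the names `parse_reg` and `audit`, the double-extension heuristic and the sample data are constructed for illustration.

```python
import re

# Autorun values named in the digest's cleanup posts (key -> value names).
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
AUTORUN_IOCS = {RUN: {"mskernel32", "win-bugsfix"}, RUN + "services": {"win32dll"}}
START_PAGE_KEY = r"hkey_current_user\software\microsoft\internet explorer\main"
FILE_IOCS = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
             "love-letter-for-you.htm", "win-bugsfix.exe"}
# Assumption (not stated in the posts): replaced media appears as name.jpg.vbs.
DOUBLE_EXT = re.compile(r"\.(jpe?g|mp[23])\.vbs$", re.I)

def parse_reg(text):
    """Yield (key, value_name, data) from a REGEDIT4-style text export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                yield key, m.group(1), m.group(2).strip('"').replace("\\\\", "\\")

def audit(reg_text, paths):
    findings = []  # (kind, location, detail); nothing is modified or deleted
    for key, name, data in parse_reg(reg_text):
        if name.lower() in AUTORUN_IOCS.get(key, ()):
            findings.append(("autorun", key + "\\" + name, data))
        elif key == START_PAGE_KEY and name.lower() == "start page":
            findings.append(("review-start-page", key + "\\" + name, data))
    for path in paths:
        base = re.split(r"[\\/]", path)[-1].lower()
        if base in FILE_IOCS:
            findings.append(("file", path, "named in the cleanup posts"))
        elif DOUBLE_EXT.search(base):
            findings.append(("file", path, "media file name with .vbs appended"))
    return findings

# Constructed sample input: a registry export and a file listing.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.msn.com"
'''
SAMPLE_PATHS = [r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
                r"C:\My Documents\holiday.jpg.vbs", r"C:\WINDOWS\notepad.exe"]
```

`audit(SAMPLE_REG, SAMPLE_PATHS)` returns two autorun findings, the Start Page value for manual review, and two file findings; the Start Page entry is always reported because the posts ask for it to be checked by hand.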