North American Network Operators Group


Virus Update

  • From: Branden R. Williams
  • Date: Thu May 04 11:44:38 2000

Ok, this thing is pretty nasty...  Here is a quick summary of what it
does.

Should you run it, you will lose any files of the following
extensions.  They will be renamed to filename.extension.vbs with a fresh
copy of the replication part.

File extensions affected: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp2, mp3.

Every file with that extension is overwritten with the virus.  It looks to
be localized to mounted hard drives.  It does not appear to affect mapped
network drives.

It also makes a dozen or so registry entries including one to reset your
start page to the following URL.

http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

I have not gone to this URL yet to see what it is, but it downloads a copy
of a file called WIN-BUGSFIX.exe.

In addition, it creates an mIRC script called script.ini to DCC SEND this
to whatever channel you are on.

Of course it sends it to everyone in your address book with the subject
ILOVEYOU.  It looks to only affect people who actually run the vbs
script.  I would assume that if you are not on a Windows platform that you
are not affected.

I'll let you know more when we find more.

Cheers,

Branden R. Williams <[email protected]>
Vice President, Systems - NetVitality, Inc.
http://www.netvitality.net/
Internet Commerce Specialists
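
A defender's check for the on-disk traces described in the message above, added here as an example and not part of the original post. It assumes the renaming pattern is exactly `filename.extension.vbs` for the listed extensions and that the downloaded file keeps the name WIN-BUGSFIX.exe; the function names `classify` and `scan` are made up for this sketch.

```python
import os

# Extensions the post lists as affected.
AFFECTED = {"vbs", "vbe", "js", "jse", "css", "wsh", "sct", "hta",
            "jpg", "jpeg", "mp2", "mp3"}
# File name the post says is downloaded via the reset start page.
DOWNLOADED_NAME = "win-bugsfix.exe"


def classify(filename):
    """Return a finding label for one file name, or None if nothing matches."""
    lower = filename.lower()  # Windows file names are case-insensitive
    if lower == DOWNLOADED_NAME:
        return "downloaded-executable"
    parts = lower.split(".")
    if len(parts) >= 3 and parts[-1] == "vbs" and parts[-2] in AFFECTED:
        stem = ".".join(parts[:-2])
        if stem:  # require a real base name before the two extensions
            return "renamed-to-vbs"
    return None


def scan(root):
    """Walk root and return sorted (label, path) pairs for matching files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            label = classify(name)
            if label:
                findings.append((label, os.path.join(dirpath, name)))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Usage: python scan.py <directory>; defaults to the current directory.
    for label, path in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label}\t{path}")
```

A match is a lead for triage, not proof of infection: the check looks only at file names, so the contents of each hit still need to be inspected.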