visual basic script - ILOVEYOU

Printable View

Show 60 post(s) from this thread on one page

May 3rd, 2000, 09:11 PM
billwagnon

What is the difference between the .vbs file extension and an exe?

Is there any non-virus use for .vbs?

Thanks for the info.
May 3rd, 2000, 09:51 PM
rchiav

Same thing here at work.. 50k employees.. sucks to be a sys admin today :)
May 3rd, 2000, 09:58 PM
Iain17

Yeah we got a warning at work today to.
May 3rd, 2000, 10:51 PM
badgers

my reading indicates VB script is intended for internet.
To my understanding you need a scripting engine. From what I read it is vbscript.dll in the windows\system director. Similar to the runtime needed for VB programs.
A person here at work tried to run the attachment for the I love you virus and it did not work. It appears that he did not have the correct version of the dll needed.
A good case for having runtimes?
I would like to know if anyone uses VB script
May 3rd, 2000, 10:56 PM
Serge

We got this virus too.
May 3rd, 2000, 11:12 PM
badgers

it appears that you need a version of vbscript.dll higher then 3.1.0 but this is not confirmed. anyone else have the abillity to test this?
A guy here tried to run the attachment with 3.1.0 on his machine and the thing would not run. NT gave an error that the file could not be run.
I don't think it was NT in general because others here have run the attachment.
I have VB6 with SP3 and my version of vbscript.dll is 5.0
HTH
May 3rd, 2000, 11:27 PM
billwagnon

Maybe you need the latest version of Outlook to have the .dll? We don't have Outlook, so we've gotten some of the emails but haven't had any problems here.

So far, no one has written one of these for Lotus Notes. Does that make Lotus better than Microsoft?
May 3rd, 2000, 11:32 PM
cady

We received this virus this morning and it went out to all my email contacts, when I called my Mom to warn her not to open any attachments that say "I Love You" she had allready tried to open mine and couldn't. The message she received said she was unable to open this attachment due to #31 or something like that. She didn't know it was a virus at the time. We have 160+ employees and it's been going back and forth all morning I have deleted probably 90 emails this morning saying I love You, and not one of them was a real I LOVE YOU! How sad.:)

Cady
May 3rd, 2000, 11:53 PM
rchiav

OK.. here's the scoop..

To run this, you need the windows scripting host. Installing IE5 = installing WSH.. or installing Win2000 = installing WSH.

As far as any non virus purpose... think of anything you might want to script. Being a sysadmin, Win2K and the WSH is going to bring some if the much needed flexability to login scripting and administrative scripting in general. You could do all of this stuff on a unix system for years.. people are just targeting Windows.. you're going to effect more people by writing something that targets a MS operating system. Same with the comment about Notes.. there's a lot more people ising Outlook and Outlook express than Notes. It's just sad that someone has to do something like this.. 75% of the people here could write something that does the same exact thing. Actually... anyone with some time and half a brain could do it.. you can find all the code you'd need in different examples all over the web. It's probably someone who has a "Short Man" complex and their trying to take it out on everyone else :)

WSH will also support Javascript, Perl and some others.... It's actually a good thing. In the unix world, you can send an email with one line in a shell script. It's not something that Microsoft has opened up.. it's been there for a long time on the UNIX side but no one has ignorant enough to write something to exploit it.

OK.. I'm rambeling.. I'll stop :)
May 4th, 2000, 03:18 AM
V(ery) Basic

Eh?

That's all very well, but what is the I LOVE YOU virus?

If it's like Melissa but ... different I won't have got it
because I'm not on anybody's Contacts list :(

Just WHAT is it? What does it do?
May 4th, 2000, 03:40 AM

Our work also got this.
May 4th, 2000, 03:43 AM
HDR

It is an e-mail message with ILoveYou in the subject line. When you open the attachment that comes with it, it overwrites some common files on your hard drive with a version of itself, and then e-mails itself to all of your contacts or everyone in your addressbook. We have people starting early, so it was found and stopped before it got too bad.
May 4th, 2000, 03:47 AM
cady

Hey regarding the I Love You virus make sure the IT department where you work (I work in interactive so thank God thats not me) check out your servers, gif, html, jpeg files etc. We have the code for the virus and it went all throught the registry infecting files in our server where we back up nightly. It was started by someone in Manila, Philippines who "i hate go to school".Anyway just thought you would all want to know if you didn't already.
May 4th, 2000, 04:08 AM
badgers

thats funny, I hate to go to school.
I guess that lead will narrow it down to just about everybody:D
May 4th, 2000, 04:13 AM
cady

on the first line of code it said that about school and the second line said
by: spyder / [email protected] / @GRAMM
ERSoft Group / Manila,Phillipines

maybe that will narrow it down or than again maybe not...
May 4th, 2000, 04:27 AM
Frans C

Does anybody has a copy of this vbs file. I would like to have a look at it. (And no, I don't want to run it, and I don't plan on writing my own virus):D
I'm afraid my colleagues at work deleted about 50 of them, before I could lay a hand on it. Somehow they managed to get a virus scanner able to block these emails at the exchange server, by 15:00 CET.
I think, parts of the code could be very helpful to write useful programs.
May 4th, 2000, 04:41 AM

You can find all of the code to write this in the msdn, and probably quite a bit of it on this site.
May 4th, 2000, 05:18 AM
jcouture100

We got it at work too. I've got a printout of the code. We work on e-commerce solutions and use some VBScript for server side coding. One of our developers was trying to work on his code when an error occurred and when he went into Debug mode, there was the virus code. It trashed all of the script files he was working on.

Looking through the code it attacks files with these extensions:

.js, .jse, .css, .wsh, .sct, .hta, .vbs, .vbe, .jpg, .jpeg

It also makes changes to the registry and adds some EXEs to your computer. One of the EXE files is called BUGSFIX.EXE which is a password stealing program.

The code is not difficult or exceptional at all, just malicious. Looking for a silver lining... It could have been easily made worse by having it attack more crucial file extensions like .EXE, .DOC, etc.
May 4th, 2000, 10:48 AM

A possible fix

Ok got this which may help some one......

If you have inadvertently opened the "I LOVE YOU" virus, and are happy to
> edit your registry, some instructions for fixing it (which may or may not
> work) are at:
>
> http://www.thepope.org/index.pl?node_id=140
>
> Warning: this involves editing your registry, so don't do it if you are at
> all uncertain about what you're doing.
May 4th, 2000, 11:24 AM

The virus mutates

Just got posted this

Joe Hanna (5/05/00 13:53):
The "Love Letter" virus has been mutated into another 2 variations already.

Please read below for more information.

What you need to look out for is

fwd: Joke as the SUBJECT LINE

and the attachment is Very Funny.vbs

VBS/LoveLetter.B

VBS/LoveLetter.B is a variant of the original
VBS/LoveLetter.A worm. The two only differences
are the subject of the arriving e-mail and the
name of the attachment. The subject used by
VBS/LoveLetter.B is

fwd: Joke

instead of the original "ILOVEYOU" subject line
and the name of the attachment is

Very Funny.vbs

instead of LOVE-LETTER-FOR-YOU.TXT.vbs.

The HTML file send through IRC is called

Very Funny.HTM

---------------------------------------------------
Can some one nuke the guy who started this !!!!!!
May 4th, 2000, 07:02 PM
da_silvy

don't you need ie to have support for vb script ??
May 4th, 2000, 09:44 PM
Frans C

Windows98 has included the vb scripting host in the standard installation. This also came with ie5.
May 5th, 2000, 01:02 AM
Jhd.Honza

Can anyone send me this virus, please?
-- Nobody has my address in contacts... :-(

[email protected]
May 5th, 2000, 01:22 AM
Bebe

I have a copy of the mutated version is someone wants it
May 5th, 2000, 01:26 AM
Bebe

Yeah we got a mutant virus in a bad way today!!!!

Again I have a copy of the mutated I love you virus if someone want's it!!!
May 5th, 2000, 02:11 AM
Frans C

Yip,

send it over
May 5th, 2000, 02:22 AM
Bebe

can you give me an email address; our email is down and i need to send it from yahoo ;)and this thingy here defaults to the one on the computer or whatever; hehe
May 5th, 2000, 02:25 AM
Dayo312

The guy who made that virus was not that
good at programing! If I could read the
code that mean alot :)
Im very glad he didnt have it attack more
file extentions, If it would have attacked
deltree and such , It might have been alot
worse.

Does anyone know if he was caught?
May 5th, 2000, 02:30 AM
BHostmeyer

Anyone want the code to ILOVEYOU

I broke down the virus it is a good virus if there is such a thing...

It effects htm,jpeg,jpg and other file extensions. Destroying the origanl file and replacing it with the virus also makes 2 new files that regenerate the virus on boot or the system of its screen saver....

Brooke Hostmeyer
Net Admin / Programmer
-The guy that spent to many hours cleaning the virus lol-
May 5th, 2000, 02:46 AM
Bebe

Id like the code please!!!

Oh, thanks' for the deltree tip ;p
May 5th, 2000, 02:57 AM
Frans C

Bebe,

you can send it to
[email protected]
May 5th, 2000, 03:16 AM
Sulo

I would also like to see code

[email protected]
May 7th, 2000, 03:55 AM
Jhd.Honza

Is there a copy for me, pleaseeee?

[email protected]
May 7th, 2000, 12:12 PM
mitoziz

I've looked at the source code, but I can't seem to find where the part about the screen saver is... are you sure about that, BHostmeyer?

Also, I think some of the coding stuff he used for replacing the jpeg files are weird.

But that's just what I think
May 7th, 2000, 05:11 PM

Why do you guys want that S******** virus?
What good will that do?

The poeple are getting weirder and weirder every day!
May 7th, 2000, 10:54 PM
FantastichenEin

Girls and Boys

Interesting how you all refer to the author as Him or He.
Today in the Daily mail there is a report from manilla that says that Phillipines National Bureau of Investigation are actually looking for a Woman/Girl. An IT student from a middle class background. The suspect is a moving target.
Fant:cool:
May 7th, 2000, 11:02 PM
FantastichenEin

Update

LATEST UPDATE FROM ZDNET

A young woman being sought by Philippine authorities in connection with the creation of the virulent "Love Bug" computer virus will turn herself in, police said on Monday. According to ZDNet Asia, suspected author of the virus, Romel Lamores, 30 years old, was detained by police. -- Reuters
May 7th, 2000, 11:34 PM
Sire

Source code!!!

I have a variant of the source to the ILOVEYOU virus but it aint good. Could somebody send me a copy of the source code, just for educational readers.

- Sire
May 8th, 2000, 12:47 AM
bhogg

The script is fairly simple.. makes a few calls to the Shell object, is easy to read, and is funny in the way it asks a user to download the ActiveX component of their browser if they don't have it, which destroys their system :)

I spent 8 hours getting the damn thing off the network, though, and really don't feel like letting other people mess with it and creating another variation. Just know that it works, and it's really not all that hard to do.

Brian
[email protected]
May 8th, 2000, 03:47 AM

whoever has the source code, send it to me as well.

Show 60 post(s) from this thread on one page