Dealing With the I Love You Virus
Novell Cool Solutions: Feature
By Tay Kratzer
Posted: 5 May 2000
Some of you have already been affected by the Love virus. Read the section of this article called ERADICATION.
Some of you may not have been affected by this virus, but you would like to know how to prevent it. See the section called PREVENTION.
Some of you just want more information on how this might affect GroupWise. See the section called EFFECTS ON GROUPWISE SYSTEMS.
What It Is
First off, the Love virus is a very serious threat! You might remember Melissa; well, Love is even more dangerous than Melissa.
The Love virus does a variety of things. It propagates itself in a big way. It damages files on the local and potentially network hard drives with extensions of ".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg", ".jpeg", ".mp3" or ".mp2". It changes the home page on Windows Explorer so that more software can be downloaded to the infected computer. It also updates the local registry so that every time the machine is rebooted, the virus is active.
There are lots of sites with detailed information on the Love virus, but many of the more technical anti-virus sites are flooded and not responding. The next best place to look for information is at the media sites such as http://www.cnn.com. The best technical explanation of this virus I found at the following URL: http://www.fsecure.com/v-descs/love.htm. The only problem, though, is that it took me several attempts to get to this explanation.
What To Tell Your End-Users
Just tell your users to delete the E-mail, unless you have an express purpose in having them forward the message. The reason you don't want your users to forward the message is that the forwarded copy goes to their Sent Items, and the original subject line is masked. Having the original subject line is key to the eradication process mentioned later in this document.
How It Spreads
The key thing is that your users do not run the Visual Basic script that contains the Love virus. Opening an E-mail with the virus attached will not cause infection.
Once a user has run the Visual Basic script, their machine has been infected. It's up to you as to how you take care of infection and damage. Those users who have Outlook installed on their machines are the only ones that have the capacity to spread this virus. Outlook can access the GroupWise address book through MAPI, and so the GroupWise Address Book can be used indirectly to propagate the virus. The Love virus sends an E-mail to everyone in every address book that it can get its hands on. This is likely to cause major E-mail storms.
One site I work with has a big GroupWise installation, and a small MS Exchange system. The GroupWise users are defined on the MS Exchange system, and so the GroupWise users were flooded with a bunch of E-mail from the Exchange users.
Those customers that have MS Exchange users that regularly communicate with a GroupWise system will most likely be the hardest hit. The next hardest hit will be those customers who have many users that use MS Outlook and GroupWise.
GroupWise And Viruses at http://support.novell.com/cgi-bin/search/tidfinder.cgi?2954960
How to configure GWIA to allow a third-party virus scanner to scan Internet messages at http://support.novell.com/cgi-bin/search/tidfinder.cgi?10007320
The GroupWise stand-alone GWCHECK utility has a feature called ITEMPURG. Rather than rewriting something that's already been well written, please see this document on a similar virus. Go to the section called: "HOW TO REMOVE BAD MESSAGES FROM THE MESSAGE STORE."
You need to realize that this document was written for a different virus. The subject line to search for on the Love virus is ILOVEYOU.
Tay Kratzer
Novell Premium Service
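The following Python code is an added example, not part of the original article or of any Novell tool. It shows why the advice to delete rather than forward matters for a purge keyed on the ILOVEYOU subject: the forwarded copy no longer matches the subject, although the script attachment is still inside it. The ".vbs"/".vbe" extensions, the addresses, the attachment name and the way the forward wraps the original are assumptions constructed for the illustration.

```python
from email import message_from_string
from email.message import EmailMessage

PURGE_SUBJECT = "ILOVEYOU"        # subject line named in the article
SCRIPT_EXTS = (".vbs", ".vbe")    # assumption: Visual Basic script file extensions


def script_attachments(msg):
    """Filenames of script attachments at any depth, including inside forwarded messages."""
    found = []
    for part in msg.walk():       # walk() also descends into message/rfc822 parts
        name = part.get_filename()
        if name and name.lower().endswith(SCRIPT_EXTS):
            found.append(name)
    return found


def triage(raw):
    """Classify one raw RFC 822 message by subject and by attached scripts."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    return {
        "subject_match": subject.upper() == PURGE_SUBJECT,
        "scripts": script_attachments(msg),
    }


def constructed_samples():
    """Build two constructed messages: an original and a user-forwarded copy."""
    original = EmailMessage()
    original["From"] = "sender@example.com"
    original["To"] = "user@example.com"
    original["Subject"] = "ILOVEYOU"
    original.set_content("constructed body text")
    original.add_attachment(b"' inert constructed placeholder\r\n",
                            maintype="application", subtype="octet-stream",
                            filename="sample.txt.vbs")
    forwarded = EmailMessage()
    forwarded["From"] = "user@example.com"
    forwarded["To"] = "helpdesk@example.com"
    forwarded["Subject"] = "Fwd: is this safe?"
    forwarded.set_content("forwarding this to you")
    forwarded.add_attachment(original)   # original travels as message/rfc822
    return original.as_string(), forwarded.as_string()


if __name__ == "__main__":
    for raw in constructed_samples():
        print(triage(raw))
```

A subject-only search finds the first message and misses the second, while the attachment check flags both.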
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com