
Dealing With the I Love You Virus

Novell Cool Solutions: Feature
By Tay Kratzer


Posted: 5 May 2000
 

Some of you have already been affected by the Love virus. Read the section of this article called ERADICATION.

Some of you may not have been affected by this virus, but you would like to know how to prevent it. See the section called PREVENTION.

Some of you just want more information on how this might affect GroupWise. See the section called EFFECTS ON GROUPWISE SYSTEMS.

What It Is

First off, the Love virus is a very serious threat! You might remember Melissa. Well, Love is even more dangerous than Melissa.

The Love virus does a variety of things. It propagates itself in a big way. It damages files on the local and potentially network hard drives with extensions of ".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg", ".jpeg", ".mp3" or ".mp2". It changes the home page on Windows Explorer so that more software can be downloaded to the infected computer. It also updates the local registry so that every time the machine is rebooted, the virus is active.

There are lots of sites with detailed information on the Love virus, but many of the more technical anti-virus sites are flooded and not responding. The next best place to look for information is at the media sites such as http://www.cnn.com. The best technical explanation of this virus that I found is at http://www.fsecure.com/v-descs/love.htm, although it took me several attempts to get to this explanation.

What To Tell Your End-Users

Just tell your users to delete the E-mail, unless you have an express purpose in having them forward the message. The reason you don't want your users to forward the message is that the forwarded copy goes to their Sent Items, and the original subject line is masked. Having the original subject line is key to the eradication process mentioned later in this document.

How It Spreads

The key thing is that your users do not run the Visual Basic script that contains the Love virus. Opening up an E-mail with the Virus attached will not cause infection.

Once a user has run the Visual Basic script, their machine has been infected. It's up to you how you take care of infection and damage. Those users who have Outlook installed on their machines are the only ones that have the capacity to spread this virus. Outlook can access the GroupWise address book through MAPI, and so the GroupWise Address Book can be used indirectly to propagate the virus. The Love virus sends an E-mail to everyone in the address book that it can get its hands on. This is likely to cause major E-mail storms.

Effects On GroupWise Systems

The effects on a GroupWise system are less than on a Microsoft Exchange system! That said, though, it can still take down a GroupWise system because so many people have Outlook installed on their computers. There have already been some GroupWise systems that have been brought to their knees by this virus.

One site I work with has a big GroupWise installation, and a small MS Exchange system. The GroupWise users are defined on the MS Exchange system, and so the GroupWise users were flooded with a bunch of E-mail from the Exchange users.

Those customers that have MS Exchange users that regularly communicate with a GroupWise system will most likely be the hardest hit. The next hardest hit will be those customers who have many users that use MS Outlook and GroupWise.

Prevention

Ultimately the Love virus comes from the Internet. Once it's in your GroupWise system, it could bounce around indefinitely until you eradicate it. We talk about eradication a little later. The best thing to do to prevent the Love virus is to use a content filtering solution in conjunction with your Internet mail host or in conjunction with the GWIA. With a third-party content filtering solution you can tell it to discard messages with the Love virus subject line, which is ILOVEYOU. If you don't have something in place right now, then there's nothing on the GWIA that you can configure to tell the GWIA not to allow the Love virus in. There are two good documents at Novell's Support Connection that talk about proactive solutions for viruses. Remember, these are proactive prevention solutions; if you're reacting to the Love virus, then these documents are for future reference.

GroupWise And Viruses at http://support.novell.com/cgi-bin/search/tidfinder.cgi?2954960

How to configure GWIA to allow a third-party virus scanner to scan Internet messages at http://support.novell.com/cgi-bin/search/tidfinder.cgi?10007320
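A sketch of the subject-line rule described above, added here as an illustration; it is not Novell's code and not part of GroupWise, the GWIA or any content filtering product. The function names, the discard/quarantine/deliver labels, the .vbs/.vbe attachment check and the "Fwd:" prefix used in the samples are assumptions, and the sample messages are constructed.

```python
import email
from email.header import decode_header, make_header
from email.message import EmailMessage

BLOCKED_SUBJECT = "ILOVEYOU"          # subject line given in the article
SCRIPT_EXTENSIONS = (".vbs", ".vbe")  # assumption: Visual Basic script extensions

def decoded_subject(msg):
    """Subject with RFC 2047 encoded-words decoded and whitespace collapsed."""
    raw = msg.get("Subject", "")
    return " ".join(str(make_header(decode_header(raw))).split())

def has_script_attachment(msg):
    """True if any MIME part has a filename ending in a script extension."""
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(SCRIPT_EXTENSIONS):
            return True
    return False

def classify(raw_bytes):
    """Return 'discard', 'quarantine' or 'deliver' for one raw message."""
    msg = email.message_from_bytes(raw_bytes)
    if decoded_subject(msg).upper() == BLOCKED_SUBJECT:
        return "discard"       # the exact-subject rule from the article
    if has_script_attachment(msg):
        return "quarantine"    # catches copies whose subject was changed
    return "deliver"

def build_sample(subject, attachment_name=None):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content("kindly check the attached file")
    if attachment_name:
        m.add_attachment(b"' harmless placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    for subject, attachment in [("ILOVEYOU", "note.txt.vbs"),
                                ("Fwd: ILOVEYOU", "note.txt.vbs"),
                                ("Fwd: ILOVEYOU", None)]:
        print(subject, attachment, classify(build_sample(subject, attachment)))
```

The forwarded samples show why the article asks users not to forward the message: once the subject has changed, the exact-subject rule no longer matches and only the attachment check still flags the copy.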

Eradication

The eradication process for Love is going to be complex. We'll focus on eradicating this message from your GroupWise Message Store. You'll need to implement virus protection software at the desktop, and possibly other solutions to fix infected machines.

The GroupWise stand-alone GWCHECK utility has a feature called ITEMPURG. Rather than rewriting something that's already been well written, please see this document on a similar virus. Go to the section called: "HOW TO REMOVE BAD MESSAGES FROM THE MESSAGE STORE."

You need to realize that this document was written for a different virus. The subject line to search for on the Love virus is ILOVEYOU.

Tay Kratzer
Novell Premium Service

