
Thread: I Think I'm Infected!!!!!

  1. #11
    Ryan, loveletter tries to download a trojan called Barok (password stealer) from a website that has shut down long ago, unless the code was updated to reflect a new site.

    From what you say, you do not have any strange variant of the virus, but that does not mean anything... for now, to clean it manually, use this technique:

    taken from: http://securityresponse.symantec.com...eletter.a.html

    Manual removal instructions
    The VBS.LoveLetter.Worm places several files on your hard drive or drives, and also makes changes to the Windows registry. In addition, it also changes the attribute of some files to hidden. All of this varies with the particular variant of the worm with which the computer was infected.

    Enable show all files
    Follow these steps to make sure that Windows is set to show all files:
    1. Start Windows Explorer.
    2. Click the View menu (Windows 95/98/NT) or the Tools menu (Windows Me/2000), and then click Options or Folder options.
    3. Click the View tab.
    4. Uncheck "Hide file extensions for known file types."
    5. Do one of the following:
    Windows 95/NT. Click "Show all files."
    Windows 98. In the Advanced settings box, under the "Hidden files" folder, click Show all files.
    Windows Me/2000. Uncheck "Hide protected operating system files" and under the "Hidden files" folder, click "Show hidden files and folders."
    6. Click Apply, and then click OK.


    Restart the computer in Safe mode
    You must restart the computer in Safe Mode (Windows 95/98/Me/2000 only). Follow the instructions in the document for your operating system.

    How to restart Windows 9x or Windows Me in Safe Mode.
    How to start Windows 2000 in Safe mode.
    Find and delete files
    1. Click Start, point to Find or Search, and click Files or Folders.
    2. Make sure that "Look in" is set to (C:) and that Include subfolders is checked.
    3. In the "Named" or "Search for..." box, type--or copy and paste--the following file names:

    *letter-for-you* MSKernel32.vbs Win32DLL.vbs WinFAT32.EXE WIN-BUGSFIX.EXE script.ini mothersday.vbs funny love.vbs funny love.htm virus_warning.jpg.vbs urgent_virus_warning.htm protect.vbs important.txt.vbs eskernel32.vbs es32dll.vbs kiler.htm killer2.htm killer1.htm KillEmAll.TXT.VBS ArabAir.TXT.vbs no-hate-FOR-YOU.HTM vir-killer.vbs look.vbs bewerbung.txt.vbs reload.vbs

    4. Click Find Now or Search Now.

    CAUTION: The next step is to delete these files from your system. Make sure that you delete only the files listed, and if you typed the file names, that they were typed exactly as shown. Deleting the wrong file could cause your system to fail to start.

    5. Delete the files that are displayed.

    NOTES:
    There is a space between each file name.
    If you copy and paste all of the file names into the Named box, most will not be found. (If you have run a full system scan and NAV has successfully removed these infected files, none may be found. If that is the case, go on to the next section.) This list contains all known files for all known variants. As an alternative, see the previous section (which provides details on the variants) and enter only the files that apply to the variant that the computer was infected with.


    Remove entries from the registry

    CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.

    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    4. Look for the following String values in the right pane:

    WIN32DLL "C:\Windows\WIN32DLL.vbs"
    MSKernel32 "C:\Windows\System\MSKernel32.vbs"
    Win-bugsfix "<Path varies>"
    Winfat32.exe
    ESKernel32
    ES32dll
    Reload "C:\Windows\System\Reload.vbs"
    Any entries that refer to .vbs


    5. For those that appear, select each one, press Delete, and then click Yes to confirm.
    6. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    7. Look for the following String values in the right pane:

    WIN32DLL "C:\Windows\WIN32DLL.vbs"
    MSKernel32 "C:\Windows\System\MSKernel32.vbs"
    Win-bugsfix "<Path varies>"
    Winfat32.exe
    ESKernel32
    ES32dll
    Reload "C:\Windows\System\Reload.vbs"
    Any entries that refer to .vbs

    8. For those that appear, select each one, press Delete, and then click Yes to confirm.
    9. Navigate to the following key:

    HKEY_USERS\<username> or <.default>\Software\Microsoft\Windows\CurrentVersion\RunServices

    10. Look for the following String values in the right pane:

    WIN32DLL "C:\Windows\WIN32DLL.vbs"
    MSKernel32 "C:\Windows\System\MSKernel32.vbs"
    Win-bugsfix "<Path varies>"
    Winfat32.exe
    ESKernel32
    ES32dll
    Reload "C:\Windows\System\Reload.vbs"
    Any entries that refer to .vbs

    11. For those that appear, select each one, press Delete, and then click Yes to confirm.
    12. Exit the Registry editor.

    NOTES:
    If you are a network administrator, be aware that the following registry keys may have been deleted by the worm:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching

    For all users, be aware that potentially hundreds of DWORD registry values are created in
    HKEY_USERS\username\SOFTWARE\Microsoft\WAB
    This is based on how many email messages were sent out. These keys will be different on each computer.

    The Worm is now removed from your system. Restart the computer.

    NOTE: If you are running Windows 98 and you enabled the Startup menu using MSCONFIG, you should turn it off. If you do not turn it off, the startup menu will appear each time you start the computer.

    Delete email attachments
    In your email program, delete any file attachments that state I LOVE YOU or LOVE-LETTER-FOR-YOU.TXT.vbs. Make sure to remove them from all of the program's folders.

    Verification
    This is a difficult worm to remove. If you performed the manual removal procedure, we suggest that you repeat the procedure in the section Find and delete files to make sure that all the files have been found and removed.

    Cleanup
    If any files were infected by the worm--and have had the .vbs extension appended, as described in the Technical information section--you must delete them and restore them from a backup.

    CAUTION: Do not attempt to run files that have been overwritten or renamed by this worm. If you do, the worm is executed again.

    NOTE: Files with .mp2 and .mp3 extensions are not infected; only the file name has been changed by adding the .vbs extension (see the Technical Information section for details). You can recover these files by renaming them back to the original file name in Windows or in DOS. Files with the .jpg extension are destroyed, and must be restored from a backup.

    Restore start page
    To restore the Internet Explorer start page that was modified by the worm, please follow these steps:
    1. Start Internet Explorer.
    2. Click the Tools menu, and click Internet Options.
    3. On the General tab, replace your home page address as desired.

    Additional information:

    Besides running LiveUpdate frequently, one other thing that you can do to protect your system from this type of worm is to block scripts of this type (NAV 2001) or disable or remove the Windows Scripting Host. VBS.LoveLetter, and others such as the Wscript.KakWorm, use the VBScript computer language to run.


    If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available. Please run LiveUpdate to obtain this.
    For other versions of Norton AntiVirus, Symantec Security Response offers a tool to disable the Windows Scripting Host.
    These are the manual removal instructions. MAKE SURE you know which variant it is and see what it does before you go about fixing it. Also, make sure your AV definitions are up to date and, as they say, curiosity kills the cat.

    Good luck
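A read-only audit of the autorun keys and file names listed in the instructions above, added here as an example (it is not part of the thread or of the Symantec document). It assumes an elevated PowerShell session on the suspect machine, checks the RunServices key under every loaded user hive rather than a single username, and only reports, so its output can be compared against the lists before anything is deleted.

```powershell
# Added example (not from the thread or from Symantec): read-only audit of the
# autorun keys and file names that the removal instructions above tell you to check.
# Assumption: run from an elevated PowerShell session on the suspect machine.

# HKLM Run/RunServices plus the RunServices key under every loaded user hive
# (covers the HKEY_USERS\<username> or <.default> step in the instructions).
$null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($hive in (Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue)) {
    $runKeys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\RunServices"
}

# Value names the worm is documented to create, plus anything that launches a .vbs file.
$knownNames = 'WIN32DLL','MSKernel32','Win-bugsfix','Winfat32.exe','ESKernel32','ES32dll','Reload'
$metaProps  = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

"== Autorun entries to review =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }      # skip provider metadata, not registry values
        $val = [string]$p.Value
        if (($p.Name -in $knownNames) -or ($val -match '\.vbs')) {
            [PSCustomObject]@{ Key = $key; Name = $p.Name; Value = $val }
        }
    }
}

# File names from the list above; -Force includes hidden files, which is what the
# "show all files" step achieves in Explorer. Nothing is deleted here.
$knownFiles = '*letter-for-you*','MSKernel32.vbs','Win32DLL.vbs','WinFAT32.EXE','WIN-BUGSFIX.EXE',
    'script.ini','mothersday.vbs','funny love.vbs','funny love.htm','virus_warning.jpg.vbs',
    'urgent_virus_warning.htm','protect.vbs','important.txt.vbs','eskernel32.vbs','es32dll.vbs',
    'kiler.htm','killer2.htm','killer1.htm','KillEmAll.TXT.VBS','ArabAir.TXT.vbs',
    'no-hate-FOR-YOU.HTM','vir-killer.vbs','look.vbs','bewerbung.txt.vbs','reload.vbs'

"== Files matching the removal list =="
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -File -Include $knownFiles -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Note that script.ini is also a legitimate mIRC file name, so a hit on it means "inspect", not "delete".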

  2. #12
    Thanks. The "trojan file" that it referred to was not Barok. I have heard of Barok many times before and I would have recognized it. The file that was detected could have been a file that downloaded on KaZaA because KaZaA was running at the time and stuff was downloading. LoveLetter was not detected on a McAfee scan; in fact, nothing was found. I checked the Exclusions on my Norton and changed them to include .vbs files (.vbs was excluded for some reason).

    NO WAIT! I just got another warning. The trojan name is JS\NoClose. I am not downloading anything either. Nothing was downloading at the time of the warning. I will check into the trojan later. I have to go out right now.

  3. #13
    McAfee's Virus Encyclopedia says that this virus is most likely to be found on ads and banners, especially pornographic ones. I was using KaZaA (listening to songs) and an ad came up about dating or something. Right around when that ad came up, I got the warning.

    Oh yeah, and about KZOP. I thought KZOP was the trojan name, but it turns out KZPOP was the file name. The entire file name was KZPOP(1).HTM (I'm guessing this is the translation: KazaaPopup1, then HTM as in html). KZOP was actually KZPOP when I read it better.
