VBScript worm help for you

February 12, 2001

This is a VBScript worm with virus qualities. The best thing to do is to go to McAfee On-line and sign up for a trial period or just pay for it but buying a virus scanner from the store will not have all the newest virus killers in it. It is really the best money to just pay $29.95 per year and you will never have a problem again. Mine updates with new virus files about 2 times a week.

Here is a link to go to get a 10 free trial and it should clean your system of this virus:

http://www.mcafee.com/pr_register.asp?hidService=CLINIC & hidAction=TRIAL

The VBScriptworm comes in several different forms but they all do the same thing.

If the user runs the attachment it drops copies of itself and writes an .HTM file in the following places :

WINDOWS\SYSTEM\MSKERNEL32.VBSWINDOWS\WIN32DLL.VBSWINDOWS\SYSTEM\??????.VBSWINDOWS\SYSTEM\??????.HTM (the ??????? stands for the type of worm it is. It could be loveletter e, loveletter k, mothersday, fool. You have to search for it using your find that is located in your start menu. This particular worm always attaches itself to pictures)

It attaches to:

*.JPG*.JPEG

with copies of itself and it adds the extension .VBS to the original filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm.

The worm also overwrites the following files:

*.VBS*.VBE*.JS*.JSE*.CSS*.WSH*.SCT*.HTA

with copies of itself and adds '.VBS' as the extension.

This virus locates instances of the following file types:

*.MP3*.MP2

and if found, makes them hidden and copies itself as these filenames except with .VBS extension. For instance, if file exists as '2PAC.MP3', this now becomes a hidden file and the virus is copied as '2PAC.MP3.VBS'.

After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address book. The mails will be of the same format as the original mail.

February 12, 2001

At 18:36 -0500 2/12/01, 73153 had this to say:

>The VBScriptworm comes in several different forms but they all do

>the same thing.

>

>If the user runs the attachment it drops copies of itself and writes

>an .HTM file in the following places :

thank goodness it doesn't affect Macs!

--stella

February 12, 2001

, thank goodness you wrote this. What if I never use OL and only

use Netscape? I took my virus scan off a while ago to save room and it

was not working right. I have looked for all the extensions you note

and have deleted the attachments I downloaded with Kremlin Secure

Delete. Now what, do you know?

Thanks again

Robin

February 12, 2001

Robin, I think you might be ok. But best to check it out on line at

McAfee. The worm is perpetuated by Outlook Express 5.0 but I still

think it gets in there and changes your files and hides some no

matter what web system you use. I would be careful sending any

pictures or media files in the email right now. I would definetly

take advantage of the 10 day free trial offer. This worm is sent out

valentines and mothers day the most often. Cause we are just suckers

for a pretty line. Someone sent it to Heidi and then it sent itself

out and she probably did not even know it tilw it got sent to the

group. Big reason why I come on line to read messages. And because

of the security problems with Outlook my virus scanner scans all

messages I receive. If you do not have a up to date virus scanner,

for sure go do a windows update because they have updated the files

that allow such security leaks in Outlook (which I still think is the

finest email program ever ~

> , thank goodness you wrote this. What if I never use OL and

only

> use Netscape? I took my virus scan off a while ago to save room

and it

> was not working right. I have looked for all the extensions you

note

> and have deleted the attachments I downloaded with Kremlin Secure

> Delete. Now what, do you know?

>

> Thanks again

>

> Robin

February 12, 2001