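' Written by damir simunic damir@ccb.hr on 04.05.2000
' v1.1
'
' 1) before using the script, be sure to kill any running wscript processes
'      win9x: press ctrl+alt+del, find 'wscript' in the list, select and press 'End Task'
'      winnt: press ctrl+shift+esc, tab processes, find 'wscript' in the list, select and press 'End Process'
' 2) do not reboot -- if you shut down your machine with virus, disconnect from network before you start.
' 3) start lover-killer
' 4) when finished, manually find all .vbs and .possiblyINFECTED files
' 5) all files of length around 11k are probably virus, so kill them
' 6) reboot machine
'
' What the script covers, and what it leaves for manual follow-up:
'   - .vbs / .vbe files are removed by extension alone; their contents are never
'     inspected, so legitimate scripts in the scanned folders are deleted too.
'     Read-only ones are first copied to <name>.possiblyINFECTED for review.
'   - Only fixed drives (DriveType = 2) are walked. Removable and network drives
'     are not scanned, and files sitting directly in a drive's root folder are
'     not examined (only subfolders are).
'   - The Run entry named WIN-BUGSFIX is removed, but the executable it points
'     to is left on disk and has to be removed by hand.
'   - Every routine runs under On Error Resume Next, so a step that fails does so
'     silently. "Done" means the script finished, not that the machine is clean:
'     re-check the Run / RunServices values and the file system afterwards.

On Error Resume Next
dim fso, dirsystem, dirwin, eq
Set fso = CreateObject("Scripting.FileSystemObject")
eq = ""     ' last folder in which the mIRC script.ini cleanup already ran

main()

' Entry point: removes the virus's dropped files from the Windows and System
' folders, then cleans the registry, then walks the fixed drives.
sub main()
    On Error Resume Next
    Set dirwin = fso.GetSpecialFolder(0)       ' 0 = Windows folder
    Set dirsystem = fso.GetSpecialFolder(1)    ' 1 = System folder
    msgbox "starting"
    ' force = True so that a read-only attribute on a dropped file does not
    ' silently block the delete.
    fso.DeleteFile dirsystem & "\MSKernel32.vbs", True
    fso.DeleteFile dirwin & "\Win32DLL.vbs", True
    fso.DeleteFile dirsystem & "\LOVE-LETTER-FOR-YOU.HTM", True
    fso.DeleteFile dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs", True
    regruns()
    listadriv()
    msgbox "Done"
end sub

' Removes the autorun values that launch the dropped scripts and resets an
' Internet Explorer start page that points at one of the known download URLs.
sub regruns()
    On Error Resume Next
    Dim downread, startpage, badurls, u

    regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32", dirsystem & "\MSKernel32.vbs"
    regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL", dirwin & "\Win32DLL.vbs"

    downread = regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
    if (downread = "") then
        downread = "c:\"
    end if

    ' The start page is reset only when it currently holds one of these URLs.
    ' Earlier versions gated this on WinFAT32.exe being absent from the System
    ' folder: with the file present a hijacked start page was left in place,
    ' and with it absent the user's own start page was deleted regardless of
    ' its value. Any other start page value is now left untouched.
    badurls = Array( _
        "http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe", _
        "http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe", _
        "http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe", _
        "http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe")
    startpage = regget("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
    for each u in badurls
        if StrComp(startpage, u, 1) = 0 then    ' 1 = case-insensitive compare
            regdelete "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", u
            exit for
        end if
    next

    ' Removed unconditionally: the autorun value is unwanted whether or not the
    ' executable it names is still present in the download directory.
    regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX", downread & "\WIN-BUGSFIX.exe"

    msgbox "registry done"
end sub

' Walks every fixed drive. Network and removable drives are skipped.
sub listadriv
    On Error Resume Next
    Dim d, dc
    Set dc = fso.Drives
    For Each d in dc
        If d.DriveType = 2 Then     ' 2 = fixed disk
            folderlist(d.path & "\")
        end if
    Next
    msgbox "drives done"
end sub

' Clears one attribute bit on a File object if it is currently set.
sub clearattribute(fileobj, bit)
    On Error Resume Next
    if (fileobj.attributes and bit) then
        fileobj.attributes = fileobj.attributes and (not bit)
    end if
end sub

' Cleans a single folder:
'   - .vbs / .vbe files are unhidden and deleted (read-only ones are copied to
'     <name>.possiblyINFECTED first); files whose base name starts with
'     "lover-killer" are kept so the cleaner does not delete itself.
'   - .mp3 / .mp2 files are unhidden.
'   - if the folder holds mIRC files, its script.ini is deleted.
' folderspec: path of the folder to clean.
sub killinfectedfiles(folderspec)
    On Error Resume Next
    dim f, f1, fc, ext, s, bname, att
    set f = fso.GetFolder(folderspec)
    set fc = f.Files
    for each f1 in fc
        bname = fso.GetBaseName(f1.path)
        ext = lcase(fso.GetExtensionName(f1.path))
        s = lcase(f1.name)

        if (ext = "vbs") or (ext = "vbe") then
            set att = fso.GetFile(f1.path)
            clearattribute att, 2                   ' 2 = hidden
            if lcase(left(bname, 12)) = "lover-killer" then
                ' The cleaner itself: keep it, whatever its attributes or the
                ' letter case of its file name.
            elseif (att.attributes and 1) = 1 then  ' 1 = read-only
                ' Read-only scripts are treated as suspicious rather than as
                ' certainly infected: keep a copy for manual review, then
                ' clear the attribute so the delete can succeed.
                att.Copy folderspec & "\" & bname & ".possiblyINFECTED"
                clearattribute att, 1
                fso.DeleteFile f1.path
            else
                fso.DeleteFile f1.path
            end if
            ' File objects have no Close method; releasing the reference is
            ' all that is needed.
            set att = Nothing
        end if

        ' unhide hidden mp3 files.
        if (ext = "mp3") or (ext = "mp2") then
            set att = fso.GetFile(f1.path)
            clearattribute att, 2
            set att = Nothing
        end if

        ' One script.ini delete per folder; eq remembers the folder handled.
        ' NOTE(review): a script.ini the user wrote themselves is removed as
        ' well, since the file is not inspected.
        if (eq <> folderspec) then
            if (s = "mirc32.exe") or (s = "mlink32.exe") or (s = "mirc.ini") or (s = "script.ini") or (s = "mirc.hlp") then
                fso.DeleteFile folderspec & "\script.ini"
                eq = folderspec
            end if
        end if
    next
end sub

' Recursively cleans every subfolder of folderspec. The files directly inside
' folderspec itself are not processed by this routine, so the top-level call
' from listadriv leaves each drive's root folder unexamined.
sub folderlist(folderspec)
    On Error Resume Next
    dim f, f1, sf
    set f = fso.GetFolder(folderspec)
    set sf = f.SubFolders
    for each f1 in sf
        killinfectedfiles(f1.path)
        folderlist(f1.path)
    next
end sub

' Writes regvalue to the registry entry regkey.
sub regcreate(regkey, regvalue)
    Set regedit = CreateObject("WScript.Shell")
    regedit.RegWrite regkey, regvalue
end sub

' Deletes the registry entry regkey. regvalue is not used for matching; call
' sites pass the value they expect to find there, which documents the intent
' but does not restrict the delete. A missing entry is ignored.
sub regdelete(regkey, regvalue)
    on error resume next
    Set regedit = CreateObject("WScript.Shell")
    regedit.RegDelete regkey
end sub

' Returns the data of the registry entry named by value, or "" when it cannot
' be read.
function regget(value)
    On Error Resume Next
    regget = ""
    Set regedit = CreateObject("WScript.Shell")
    regget = regedit.RegRead(value)
end function

' Returns 0 when filespec exists and 1 when it does not.
' Note the inverted convention: 0 means "found".
function fileexist(filespec)
    On Error Resume Next
    if (fso.FileExists(filespec)) then
        fileexist = 0
    else
        fileexist = 1
    end if
end function

' Returns 0 when folderspec exists and 1 when it does not (same inverted
' convention as fileexist). Earlier versions called a non-existent
' GetFolderExists method and assigned the result to fileexist, so this
' function never returned a value.
function folderexist(folderspec)
    On Error Resume Next
    if (fso.FolderExists(folderspec)) then
        folderexist = 0
    else
        folderexist = 1
    end if
end function

' Despite its name, this routine sends nothing. It walks the Outlook address
' lists and deletes, under HKEY_CURRENT_USER\Software\Microsoft\WAB\, the
' registry values named after each address entry and each address list.
' It is not called from main().
'
' Changes from earlier versions:
'   - RegDelete takes a single argument; the extra arguments made every call
'     fail silently, so nothing was ever deleted.
'   - The per-entry pass was gated on the entry count exceeding the value stored
'     for the list, which skipped all entries whenever the two were equal.
'     Every entry is now checked.
'   - Names are checked for emptiness first: RegDelete on a path that ends in
'     "\" removes the whole key, not a single value.
sub spreadtoemail()
    On Error Resume Next
    dim regedit, out, mapi, a, ctrlists, x, malead, regad, listname
    set regedit = CreateObject("WScript.Shell")
    set out = WScript.CreateObject("Outlook.Application")
    set mapi = out.GetNameSpace("MAPI")
    for ctrlists = 1 to mapi.AddressLists.Count
        set a = mapi.AddressLists(ctrlists)
        for x = 1 to a.AddressEntries.Count
            malead = ""
            malead = a.AddressEntries(x)
            if (malead <> "") then
                regad = ""
                regad = regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\" & malead)
                if (regad <> "") then
                    regedit.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\WAB\" & malead
                end if
            end if
        next
        listname = ""
        listname = a
        if (listname <> "") then
            regedit.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\WAB\" & listname
        end if
    next
    Set out = Nothing
    Set mapi = Nothing
end sub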