Remove ILOVEYOU virus
Recover from the ILOVEYOU (VBS/Loveletter) Virus
The VBS/Loveletter (aka ILOVEYOU or LoveBug) virus is quite destructive because it adds files, changes Windows registry entries, deletes some files and makes others hidden.
Stop the Virus
Press Ctrl+Alt+Del to invoke the Close Program dialog or Task Manager, depending on your operating system. Select any instance of Wscript.exe that is running, and choose End Task to kill it. Do the same with WINS-BUGFIX.exe and WinFat32.exe.
Delete Messages and Files
In Outlook, use Tools > Advanced Find to locate any items with one of these subjects and a file attachment. Delete them:
* ILOVEYOU
* Susitikim shi vakara kavos puodukui
* fwd: Joke
* Mothers Day Order Confirmation
* Dangerous Virus Warning
* Virus ALERT!!!
* Important ! Read carefully !!
* How to protect yourself from the IL0VEY0U bug!
Delete the following files, adjusting the paths as needed to match your system. Start > Find is probably the best way to locate all of these:
* C:\Temp\LOVE-LETTER-FOR-YOU.TXT.vbs
* C:\Temp\LOVE-LETTER-FOR-YOU.TXT1.vbs
* \WIN32DLL.vbs
* \\LOVE-LETTER-FOR-YOU.TXT.vbs
* \\MSKERNEL32.vbs
* Any instances of WINS-BUGFIX.exe anywhere on the system
* Any instances of Very Funny.vbs
* Any instances of Mothersday.vbs
* Any instances of virus_warning.jpg.vbs
* Any instances of protect.vbs
* Any instances of IMPORTANT.TXT.vbs
* Virus-Protection-Instructions.vbs
Delete or examine all VBS and VBE files on your system. The virus will have overwritten these types of files with copies of itself.
The virus also deletes JS, JSE, CSS, WSH, SCT, HTA, JPG, and JPEG files. It then saves another copy of the payload virus script using the original file's name, with the VBS extension added, e.g. image.jpg.vbs. The files will all have the same size and the date and time that the virus ran. You should delete these files as well.
If you use Internet Relay Chat, look for a file named Script.ini. If it contains a reference to LOVE-LETTER-FOR-YOU.HTM, you'll need to delete it or replace it with your original Script.ini, if you have a backup.
Fix Windows Registry
Remember to back up the Registry before making any changes!
Remove the following Windows Registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKERNEL32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\WIN32DLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32
In the HKEY_CURRENT_USER\Software\Microsoft\WAB\ key, remove all the individual STRING and DWORD entries, but not the (default) entry or any subkeys.
Rename the value of the following registry entry to your desired Internet Explorer home page:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
You may need to restore these registry entries to HKEY_CURRENT_USER, HKEY_USERS and HKEY_LOCAL_MACHINE. A system policy file that loads at network logon should take care of that automatically:
Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
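An added example, not part of the original post: a read-only Python triage script for the file-cleanup steps above. It flags the file names the post lists, `name.ext.vbs` copies of the replaced file types, and a Script.ini that references LOVE-LETTER-FOR-YOU.HTM, and it groups VBS/VBE files by identical size; the function name `triage` and the reason labels are assumptions of this example.

```python
import os, sys
from collections import defaultdict

# File names listed in the post above, compared case-insensitively.
KNOWN_NAMES = {n.lower() for n in (
    "LOVE-LETTER-FOR-YOU.TXT.vbs", "LOVE-LETTER-FOR-YOU.TXT1.vbs",
    "WIN32DLL.vbs", "MSKERNEL32.vbs", "WINS-BUGFIX.exe", "Very Funny.vbs",
    "Mothersday.vbs", "virus_warning.jpg.vbs", "protect.vbs",
    "IMPORTANT.TXT.vbs", "Virus-Protection-Instructions.vbs")}
# Types the post says are deleted and replaced by <original name>.vbs copies.
REPLACED_EXTS = {".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg", ".jpeg"}
SCRIPT_EXTS = {".vbs", ".vbe"}           # types the post says are overwritten
IRC_MARKER = b"love-letter-for-you.htm"  # reference to look for in Script.ini

def triage(root):
    """Return (findings, clusters) for the tree under root.

    findings maps path -> reason; clusters maps size -> script files sharing
    that exact size, the sign of scripts overwritten with one payload.
    """
    findings, by_size = {}, defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            stem, ext = os.path.splitext(lower)
            if lower in KNOWN_NAMES:
                findings[path] = "known-name"
            elif ext == ".vbs" and os.path.splitext(stem)[1] in REPLACED_EXTS:
                findings[path] = "replaced-file"   # e.g. image.jpg.vbs
            elif lower == "script.ini":
                with open(path, "rb") as fh:
                    if IRC_MARKER in fh.read().lower():
                        findings[path] = "irc-script"
            if ext in SCRIPT_EXTS:
                by_size[os.path.getsize(path)].append(path)
    clusters = {s: sorted(p) for s, p in by_size.items() if len(p) > 1}
    return findings, clusters

if __name__ == "__main__":
    found, same_size = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, reason in sorted(found.items()):
        print(f"{reason:14} {path}")
    for size, paths in sorted(same_size.items()):
        print(f"{len(paths)} script files of {size} bytes: {paths}")
```

Pass the directory to scan as the first argument; the script only reads files, so review its output before deleting anything.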
Re: Remove ILOVEYOU virus
wow. great, vinay bro. it's very helpful for our computers. thanks bro. excellent tricks
Re: Remove ILOVEYOU virus
thx for informing, vinay ... will def check for it ...
luv.inspecta- Legendary Member
Re: Remove ILOVEYOU virus
i love you virus
i thought it could be a joke...that's why clicked on the topic
Guest- Guest
Re: Remove ILOVEYOU virus
really good to have computer wizards in the community...
very beneficial
r0mz- Senior member
Re: Remove ILOVEYOU virus
hahaha nice trick to kick i love you ( virus )
getmywishes- Valued Member