So, what UserStory would someone have before developing this, and what UnitTest''''''s might s/he have had? Do you think that PairProgramming was exercised? ''Read the code for yourself and see X-P'' ''More practically, could a more negative approach ( a UserAntiStory for example ) have stopped people implementing such a feature'' ---- OK, here's a summary of what the script file does: 1. Disables the timeout in the scripting host so that the script may run indefinitely. (The default behavior kills a script after a time limit because it is assumed to have failed). * ''Isn't this a stupid security hole?'' It's a HumanVectoredScriptingWorm. Blame debate transported there. 2. Copies itself to c:\windows\system\mskernel32.vbs. a) Adds this to registry at HKLM\Software\Microsoft\Windows\Current''''''Version\Run\MSKernel32 3. Copies itself to c:\windows\win32dll.vbs a) Adds this to registry at HKLM\Software\Microsoft\Windows\Current''''''Version\Run''''''Services\Win32DLL ''The above two items ensure the script probably fires each time you reboot or restart the shell.'' 4. Copies itself to c:\windows\system\lover-letter-for-you.txt.vbs 5. Creates a file called c:\windows\system\love-letter-for-you.htm, which downloads itself and runs the script. (Tells the user it needs an ActiveX control so the user must click a button to run it). 6. Iterates through all the files in the system on fixed drives mounted network drives (not unmounted shares) a) It overwrites all files with the extensions .vba, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg with a copy of itself. i) Note: this merely destroys .css, .js, .jse, .hta, .jpg, .jpeg files. b) It writes a copy of itself for every .mp3 and .mp2 file on the system (A file called Bobs.mp3 will have a matching Bobs.mp3.vbs) c) If a folder containing MIRC is found, it writes a script into the script.ini (run at startup) that send the previously generated love-letter-for-you.htm to every person in any group you join. 7. If MicrosoftOutlook is installed, it generates a copy of itself in a file, goes through every name in every address book, creates a new e-mail, writes its HTML content into this, and attaches the copy of itself. 8. If c:\windows\system\winfat32.exe exists (which isn't part of a normal install and the script dosen't install it so I don't know where it comes from), it resets the start page to download an EXE. Again the user will be prompted to accept and run the file. a) If the user manages to download this program, and the script is run again, it kindly resets the home page to blank. So, to remove this virus, delete: All .vba, .vbe, .js, .css, .wsh, .sct, .hta, .jpg, .jpeg files. c:\windows\system\mskernel.vba c:\windows\system\lover-letter-for-you.htm c:\windows\system\lover-letter-for-you.txt.vbs c:\windows\system\win32dll.vbs your MIRC script.ini HKCU\Software\Microsoft\Internet Explorer\Main\Start Page HKLM\Software\Microsoft\Windows\Current''''''Version\Run\MSKernel32 HKLM\Software\Microsoft\Windows\Current''''''Version\Run''''''Services\Win32DLL HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout -- StevenNewton & fans ''(Better yet, format the drive and install Lynux! ;-)'' Is there any information on the WIN-BUGSFIX.exe this script wants to download to your drive? I tried to get it off the website for dissection when this script showed up in our office. --ShaeErisson ''It's reputedly a password-stealing program. See http://vil.nai.com/villib/dispVirus.asp?virus_k=98617 '' ---- It's fascinating how this sort of thing gets mis-reported in the mainstream media: the Love Bug isn't a "computer virus" or an "email virus", it's not a virus, it's a worm, and it's a ''MicroSoft mail tools'' worm. Some-one has pointed out somewhere that MS's monopoly produces a monoculture that like all small ecosystems is vulnerable to attack by parasites. ---- The previous comment makes the same mistake that many media folk make-- that this problem is limited to Microsoft's Outlook. That's completely false. This "virus" is simply an email attachment. Most email client software I use has the ability to launch attached files. For example, at work we use Lotus Notes, which has this ability. ''OK, so when was the last time you received a Notes virus? The "problem" of malicious scripting isn't limited to Microsoft products, but IloveYou is a parasite of Microsoft products. Most viruses, worms, whatever are parasites of the Microsoft platform.'' Microsoft ''should'' be faulted for not having better security. But folks who think this only has to do with Microsoft's Outlook are fooling themselves. This is more of an issue to do with Windows Scripting Host than email. In fact, some people have gotten ILoveYou without email at all. As mentioned in the script summary above, ILoveYou can use mIRC to spread itself. Visit the subroutine "infectfiles" around lines 106 to 120 in the virus code. ILoveYou is less of an example of virus design and implementation and instead one of "social engineering". Love starved folks from all over the planet saw a message saying someone loved them, and so they blindly launched the file to learn more. One guy I know received the ILoveYou from his (male) boss. Both profess to being heterosexual and not terribly close, yet when the receiver got the notice that boss loved him, he just had to launch that attachment to learn more. Ironically, the same guy has a banner over his computer that reads, "Think!" But you want to know the really scary thing about this? Let's say that instead of people receiving messages stating someone loved them, the message read as follows: ''This message has a destructive virus attached; please launch it like the robotic moron you are to destroy files and waste precious time.'' Would the results be any different? I'm too cynical to answer. -- JohnPassaniti ---- Question: if someone were to release a malicious script attached to an email with the subject line "Do not open this email's attachment, doing so will damage your system.", and then people did (as I'm sure many would), would you have any criminal liability for the damage caused? Not that I want to put ideas into anyone's head, or anything. -- KeithBraithwaite This went to court in the US during the 80s; the short answer is "yes". It seems that somebody had designed his program to infect computers with a virus if they decided not to buy it after the trial period (or something like that), and mentioned this fact in the license agreement. License agreements are on shaky legal ground in general, on the basis that they are not available to the consumer until he has already purchased the product, but that is not an issue here because no purchase was involved; the "license" was just as binding as the GPL, and for the same reason. This case would certainly be a strong precedent in any similar situation today. Perhaps a lawyer can provide more details... -- DanielKnapp Since I'm Dutch, I'm legally not supposed to be able to understand English. If I send you an e-mail with the subject line : "Niet openmaken! Het openen van het aanhangsel zal uw systeem beschadigen.", can I hide behind the fact that the subject line told you not to open the attachment? -- StephanHouben Good question. I personally do know enough Nederlands to see that the subject line you quote above is trying to tell me something important: that if I open the "aanhangsel" (the attachement, I take it, the "on-hanging" thing?) my system will get "beshadigen". To the dictionaries, to learn that "beshadigen" is "damage", or "spoil". Well, I don't want any of that happening to my systeem. So I've been diligent and if I go ahead and open the thing I'd expect you to be covered. Then again, I'm probably unusual amongst non-Nederlands or Afrikaans speaking 'net folk in having even that much clue about your subject line. This sounds like the kind of grey area that makes lawyers a lot of money. -- KeithBraithwaite On a related note, I often get spam that advertises stuff "as seen on national TV". Strangely enough, I never see those ads on (Dutch) national TV... -- StephanHouben ---- The CEO of our consulting company and a number of top officials sent me the "I Love You" virus. You'd think we'd know better. Since then, we've learned. (Mostly. ;-) ---- My understanding (possibly wrong) is that one factor in the vulnerability of Microsoft products is that Microsoft mailers (and other tools) launch these executables without asking the user and without the cability of being turned off. For example, VB scripting can be hidden by user control, but it cannot be turned off. This is allegedly because Microsoft tools are wired to depend on it. I have heard it claimed that this came up in the litigation against MS. While the decision to standardize on MS strikes me as amazingly stupid, I don't think individual users - even CEO's - can be blamed because they get these viruses as a result.