WARNING - Love Letter Virus alert!

Peter Samuelson peter at cadcamlab.org
Fri May 5 01:13:23 GMT 2000

[Seth Vidal <skvidal at phy.duke.edu>]
> could that script be reposted
> I missed it.

Sure.  This iteration, while still a kludge, is much more sophisticated 
than the kludge I posted a few hours ago.  Requires:

  - Samba-TNG `rpcclient' in your path (not necessarily *installed*, per se)
  - GNU findutils ("find -print0 | xargs -0")
  - Linux with smbfs and a somewhat recent smbmount
  - NT clients, with the default administrative shares ADMIN$, C$, etc.


# ILOVEYOU-REMOVE by Peter Samuelson <peter at cadcamlab.org>, 3 May 2000
#   with contributions by other NIAR admin staff
# HOW TO RUN: run this with computer names on the command line.
# Change the next couple lines to reflect your domain and domain admin account
# (usually "Administrator").
# Theory of operation:
#   - removes winnt\win32dll.vbs,
#             winnt\system32\mskernel32.vbs,
#             winnt\system32\love-letter-for-you.txt.vbs
#   - removes registry values:
#             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSKernel32
#             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
#             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\win32dll
#   - attempts to reset the MSIE start page for the current user:
#             HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
#     NOTE that this only affects the current-logged-in user.
#     If any other users have logged on and been hit on this machine,
#     they will still have the bogus page in their profile.
#     You might think about just removing everyone's profile....
#   - attempts to remove every 10-kilobyte *.vbs on drives C, D, E and F
#     You may wish to edit this part.
#     BE CAREFUL if you have a lot of legitimate VBScript.

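if [ -z "$1" ]; then
  echo >&2 "usage: $0 machine1 machine2 ..."
  exit 1
fi

# Placeholders: set these to your own domain and domain admin account.
domain=YOURDOMAIN
user=Administrator

# Prompt for the password without echoing it.
# Note: $pass is passed below on the rpcclient/smbclient command lines and as
# a mount option, so it is visible in the process list while those run.
stty -echo;
echo -n "$domain\\$user password: ";
read -r pass;
echo ""
stty echo;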

exec 4> /tmp/$(basename $0).log

for machine in "$@"; do
  echo "====================== $machine ======================="

  # We can't use HKEY_CURRENT_USER directly, because, well, we just can't.
  # We *can* go through HKEY_USERS.  Here we enumerate it...
  echo -n "Current user(s) ... "
  sids=$(rpcclient -S $machine -W $domain -U ${user}%${pass} \
    -c 'regenum hkey_users; quit;' |
    awk '/S-1-5-21/ { print $1 }')
  echo $sids

  echo -n "Blowing away major culprits ... "
  # the ADMIN$ share is normally NT's \WINNT directory.
  smbclient //$machine/admin\$ -W $domain -U ${user}%${pass} -c '
    del win32dll.vbs;
    cd system32;
    del mskernel32.vbs;
    del love-letter-for-you.txt.vbs;
  ' >&4 2>&4
  echo "done."

  # Registry diddling.
  echo -n "Frobbing registry ... "
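  for sid in $sids; do
    # Reset the MSIE start page in each loaded user hive.
    rpcclient -S $machine -W $domain -U ${user}%${pass} -c "
      regcreateval \"hkey_users\\$sid\\Software\\Microsoft\\Internet Explorer\\main\\Start Page\" 1 \"http://www.niar.twsu.edu/\";" >&4 2>&4
  done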

  rpcclient -S $machine -W $domain -U ${user}%${pass} -c '
    regdeleteval "hkey_local_machine\software\microsoft\windows\currentversion\run\mskernel32";
    regdeleteval "hkey_local_machine\software\microsoft\windows\currentversion\runservices\win32dll";
    regdeleteval "hkey_local_machine\software\microsoft\windows\currentversion\run\win-bugsfix";
  ' >&4 2>&4
  echo "done."

  # Try to mount the C$, D$, E$ and F$ shares in search of VBScript to destroy.
  # This part of the script is fragile.  It frequently fails, with poor
  # diagnostics.  Blame smbfs, and maybe the design of smbmount.
  mkdir -p /tmp/winmnt
  for dr in C D E F; do
    echo -n "Mounting //$machine/$dr\$ ... "
    if mount -t smbfs -o "workgroup=$domain,username=$user,password=$pass" \
             //$machine/$dr\$ /tmp/winmnt >&4 2>&4; then
      echo "done."
      echo -n "Deleting suspect VBS files ... "
      # Outer parentheses make -print0 apply to both alternatives.
      find /tmp/winmnt \( \( -name '*.[Vv][Bb][Ss]' -size 10k \) \
             -o -name WIN-BUGSFIX.EXE \) -print0 2>&- | xargs -0 rm -fv
      echo "done."
      umount /tmp/winmnt 2>&4
    else
      echo "FAILED."
    fi
  done
done
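
Added example, not part of the original post: a read-only preview of the script's "suspect VBS files" pass, listing what the find expression would select on a mounted share and separating the filenames the post names from files matched only by the 10k size rule. The helper name `list_suspects` and the KNOWN/HEURISTIC labels are assumptions made for this example; it needs GNU find.

```sh
#!/bin/sh
# Added example, not from the original post. Read-only: nothing is deleted.
# Requires GNU find for -printf (the post already requires GNU findutils).

# list_suspects DIR   (hypothetical helper name)
# Prints "CLASS<TAB>BYTES<TAB>PATH" for each file the cleanup pass selects:
#   KNOWN      basename is one of the filenames named in the post
#   HEURISTIC  matched only by the "*.vbs in the 10k size bucket" rule
# GNU find rounds sizes up to whole units, so -size 10k means 9217..10240 bytes.
list_suspects() {
  tab=$(printf '\t')
  # Inner parentheses tie -size to the *.vbs test; the outer pair makes the
  # print action cover both alternatives, since -a binds tighter than -o.
  find "$1" -type f \
    \( \( -name '*.[Vv][Bb][Ss]' -size 10k \) -o -name WIN-BUGSFIX.EXE \) \
    -printf '%s\t%p\n' 2>/dev/null |
  while IFS="$tab" read -r bytes path; do
    base=$(basename "$path" | tr 'A-Z' 'a-z')
    case $base in
      win32dll.vbs|mskernel32.vbs|love-letter-for-you.txt.vbs|win-bugsfix.exe)
        class=KNOWN ;;
      *)
        class=HEURISTIC ;;
    esac
    printf '%s\t%s\t%s\n' "$class" "$bytes" "$path"
  done | sort
}

# Preview a mounted share, e.g. /tmp/winmnt, when a directory is given.
if [ -n "${1:-}" ]; then
  list_suspects "$1"
fi
```

Review the HEURISTIC lines before running the deleting version; those are the files selected by size alone.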

