This article may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. To maintain the flow of the article, we've left these URLs in the text, but disabled the links.

MSDN Magazine

Kindly Check the Attached LOVELETTER Coming from Me

Code for this article:Ednote0700.exe (31KB)

We�re writing to you this month from the midst of a virus lockdown. Yes, it was only a few days ago that the now-infamous ILOVEYOU virus and its variants started to infect our systems. We know that you�ve already heard a lot of advice about how to protect yourself and your company from such an attack. Secure your servers! Don�t click on anything! Trust no one! We�re not going to lecture you like that. However, a week later and several hundred pieces of viral mail richer, we would like to scold everyone while sharing some of the lessons we�ve learned.

Are Developers Evil?

      I mean, come on. Writing a program specifically to ruin other people�s machines. What is that, nuts? This has been going on for years now.
      We don�t mean to paint everyone with the same broad brush here, but developers are evil. All of you. You know you�ve had fleeting thoughts about doing something like this at least once, even if it was just meant for that guy three cubicles down. Well, don�t. They can�t find D. B. Cooper, but they sure as heck find the people who start a virus quickly.
      Of course, there�s another dimension to this. As developers, we always think we�re immune to this sort of attack. We have complete mastery over our machinesâ€"no one had better try and screw around with them. Since we�re invincible, we can click anything that comes in! We have several hundred pieces of virus mail from developers who just got careless like this.

Use Your Brains

      Even our moms knew enough not to open this file, but here are some clues to look for; if you see these, there�s a slight chance that the file is a virus:
  • The message is titled ILOVEYOU and it�s from someone you don�t know.
  • The message was sent to you by 20 people at the same time, or to a mailing list you�re on.
  • The message has an attachment called a love letter, which is a VBScript file.
  • When you try to open the attachment, it asks you whether you want to run it.
  • All your files are erased when you run the attachment.
      If you see three or more of these symptoms, do not turn your machine back on. Not only will it rerun the attachment, but more importantly you can�t be trusted to use today�s modern computers.

Don�t Blame the Messenger

      Immediately after the virus attack abated, people started to line up at the microphone to announce that it was all Microsoft�s fault because Outlook lets you do something like this. Well, guess what? Worms were being written long before Microsoft Outlook was created. We saw a similar "read the address book and replicate" virus way back in 1987â€"on IBM mainframes running VM/CMS. And, of course, there have long been Trojan horse programs sent around in e-mail. Just because this one just happened to use Windows Script Host and the Outlook address book to do its damage and replicate doesn�t mean that these two products are "at fault."
      We looked at the code after a few hundred people helpfully sent it to us; the virus designer could�ve added two or three lines to their MAPI code to attack Lotus Notes installations the same way. If it makes you feel safer, go aheadâ€"install Eudora and then run destructive attachments.

Change Your Name

      If your name is Aaron, you�re more likely to get slammed by a worm than if your name is Ziggy. You�re on the top of everyone�s address book, so you�ll always get buried with replicating messages before the victims can exit the program. Don�t believe us? Look around. See how many computer columnists named Ziggy are complaining about the virus.
      There are only two ways to handle outbreaks like this. First, don�t run any attachment before you read it over. Second, if you do choose to run an attachment without vetting it, please take us out of your address book first.

Learn from Adversity

      Being evil developers, we opened the virus code to see what it did. It actually had a few useful bits in it. So we used a little of the dead virus to create our own inoculationâ€"for pesky ISPs. The VBScript file that you can download as part of this Editor�s Note will remove the annoying custom "rainbow butterfly" logo from Internet Explorer and delete a certain ISP�s "unremovable" icon from your desktop. Read over the code before you run it, and don�t try to send us any new versions. Because of the virus alert, we can no longer receive any .vbs files via e-mail.       â€"J.T.

From the July 2000 issue of MSDN Magazine.