__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN VBS.LoveLetter.A Worm May 5, 2000 16:00 GMT Number K-039d [Revision A 5/5/2000 added .C variant Very Funny] [Revision B 5/8/2000 added more variants] [Revision C 5/8/2000 cleaning Microsoft Exchange] [Revision D 5/11/2000 clarifications on deleting WSH] _______________________________________________________________________ PROBLEM: A new worm program named VBS.LoveLetter.A is spreading rapidly around the Internet using a variety of propagation methods. Multiple variants are also spreading. PLATFORM: Windows systems. To spread using e-mail requires Microsoft Outlook. DAMAGE: Mail servers are clogged with thousands of messages. All files of the following types are destroyed: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG. Files of type .MP2 and .MP3 have been replaced but the original files are still there but hidden. Some of the variants destroy .DLL, .INI, .EXE, and .COM files which render systems unbootable. SOLUTION: If you receive an e-mail message with the subject: "ILOVEYOU" with an attachment named: "LOVE-LETTER-FOR-YOU.TXT.vbs"do not open the attachment. If you have already run the attachment, shut the system down until you have a method for cleaning your system. Be sure your system is disconnected from the network before starting it up for cleaning. See the list below for files to watch for in the variants. ______________________________________________________________________ VULNERABILITY The risk is HIGH. This worm is spreading rapidly ASSESSMENT: throughout the Internet. ______________________________________________________________________ The VBS.LoveLetter.A Worm CIAC has information that the VBS.Loveletter. A worm is spreading rapidly around the Internet. This worm uses multiple methods for spreading itself, making disinfection and removal a difficult process. If you have received this e-mail message and opened it but have not yet opened the attachment, you are not infected. Simply delete the e-mail message and the attachment. If you have opened the attachment, the safest thing to do is to shut down your system until you are prepared to clean up the worm. Be sure the system is disconnected from any network before starting it up for cleaning. Variants ======== VBS.LoveLetter.A The original worm, see description below. Subject: ILOVEYOU Message Body: kindly check the attached LOVELETTER coming from me. Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG Hidden Files: .MP2, .MP3 Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe VBS.LoveLetter.B, Lithuania, Susitikim Subject: Susitikim shi vakara kavos puodukui... (translated: Let's meet this evening for a cup of coffee) Message Body: kindly check the attached LOVELETTER coming from me. Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG Hidden Files: .MP2, .MP3 Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe VBS.LoveLetter.C, Very Funny, Joke The variant is identical to the .A variant but changes the name of the attached file and the contents and subject of the e-mail message. Subject: fwd: Joke Message Body: -nothing- Attachment: Very Funny.vbs Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG Hidden Files: .MP2, .MP3 Other Files: Very Funny.HTM, WIN-BUGSFIX.exe VBS.LoveLetter.D, BugFix This one has an error in the registry entry that loads the Trojan program. The entry points to WIN- BUGSFIX.exe instead of WIN-BUGSFIX.exe. Subject: ILOVEYOU Message Body: kindly check the attached LOVELETTER coming from me. Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG Hidden Files: .MP2, .MP3 Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe VBS.LoveLetter.E, Mothers Day This version destroys .INI and .BAT files making systems unbootable. You will have to reinstall your system to clean this variant. Subject: Mothers Day Order Confirmation Message Body: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com Attachment: mothersday.vbs Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .INI, .BAT Hidden Files: .MP2, .MP3 Other Files: mothersday.HTM VBS.LoveLetter.F, Virus Warning Subject: Dangerous Virus Warning Message Body: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it. Attachment: virus_warning.jpg.vbs Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG Hidden Files: .MP2, .MP3 Other Files: Urgent_virus_warning.htm, WIN-BUGSFIX.exe VBS.LoveLetter.G, Virus Alert This variant has a long body that purports to be a warning message from Symantec. The attachment installs the worm instead of cleaning it. This variant also does not try to download and install the Trojan program but instead changes the Internet Explorer start page to point to a porno site and changes the search pages to other sites. Note that this infection also destroys .COM and .BAT files, likely making the infected system unbootable. You will have to reinstall your system after being infected with this variant. Subject: Virus ALERT!!! Message Body: (long) ************************************ Dear Symantec customer, Symantec's AntiVirus Research Center began receiving reports regarding VBS.LoveLetter.A virus early morning on May 4, 2000 GMT. This worm appears to originate from the Asia Pacific region. Distribution of the virus is widespread and hundreds of thousands of machines are re ported infected. The VBS.LoveLetter.A is an Internet worm that uses Microsoft Outlook to e-mail itself as an attachment. The subject line of the e-mail reads ILOVEYOU, with the attachment titled LOVE-LETTER-FOR-YOU.TXT.VBS. Once the attachment is opened, the virus replicates and sends an e-mail to all e-mail addresses listed in the address book. The virus also spreads itself via Internet relay chat and infects files on local and remote drives including files with extensions vbs, vbe, js, sje, css, wsh, sct, hta, jpg, jpeg, mp3, mp2. Users should exercise caution when opening e-mails with this subject line, even if the e-mail is from someone they know, as that is how the virus is spread. Symantec Corp. today announced availability of the virus definition to detect, repair and protect users against the VBS.LoveLetter.A virus. This definition is available now via Symantec's LiveUpdate and can also be downloaded from the following web sites: http://www.symantecstore.com/AF74211/promo/loveletter http://www.digitalriver.com/symantec Also as a quick solution Symantec Corp. offers Visual Basic Script to protect your PC against this worm. (See attached.) Note! When executed, this script will protect Your PC from being INFECTED by VBS.LoveLetter.A virus. To cure already infected PC's download Norton Antivirus Updates mentioned above. Symantec Corporation - a world leader in internet security technology. ************************************ Attachment: protect.vbs Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG, .BAT, .COM Hidden Files: .MP2, .MP3 Other Files: protect.HTM VBS.LoveLetter.H, No Comments This one is the same as variant A but has the comment lines at the beginning of the worm code removed. Subject: ILOVEYOU Message Body: kindly check the attached LOVELETTER coming from me. Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG Hidden Files: .MP2, .MP3 Other Files: LOVE-LETTER-FOR-YOU.TXT.HTM, WIN-BUGSFIX.exe VBS.LoveLetter.I, Important! Read carefully!!, Brainstorm Subject: Important! Read carefully!! Message Body: Check the attached IMPORTANT coming from me. Attachment: IMPORTANT.TXT.vbs Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG Hidden Files: .MP2, .MP3 Other Files: IMPORTANT.HTM, WIN-BUGSFIX.exe VBS.LoveLetter.J This variant is largely the same as the G variant. Note that this infection also destroys .COM and .BAT files, likely making the infected system unbootable. Subject: Virus ALERT!!! Message Body: (long see G variant) Attachment: protect.vbs Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG, .BAT, .COM Hidden Files: .MP2, .MP3 Other Files: protect.HTM VBS.LoveLetter.K, Unnamed Subject: How to protect yourself from the ILOVEYOU bug! Message Body: Here's the easy way to fix the love virus. Attachment: Virus-Protection-Instructions.vbs Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG Hidden Files: .MP2, .MP3 Other Files: Virus-Protection-Instructions.HTM VBS.LoveLetter.L, I Cant Believe This!!! Subject: I Cant believe this!!! Message Body: I Cant Believe I have Just Recieved This Hate Email .. Take A Look! Attachment: KillEmAll.TXT.VBS Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .GIF, .BMP Hidden Files: .WAV, .MID Other Files: KILER.HTM, KILLER2.VBS, KILLER1.VBS VBS.LoveLetter.M, Arab Air This variant destroys .EXE and .DLL files so the system will likely not be bootable after the infection. Subject: Thank You For Flying With Arab Airlines Message Body: Please check if the bill is correct, by opening the attached file Attachment: ArabAir.TXT.vbs Destroyed files: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .DLL, .EXE Hidden Files: .SYS, .DLL Other Files: no-hate-FOR-YOU.HTM Original Worm Operation ======================= The worm typically arrives on your system in an e-mail message from someone you know or as an IRC DCC download. The e-mail message has the following characteristics: Subject: ILOVEYOU Body: kindly check the attached LOVELETTER coming from me. Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs As long as you do not run the attachment, your system has not been infected. You need only delete the e-mail message and the attachment. However, if you open the attachment such as by double clicking it, the worm code in the attachment is run. Note that while the attachment appears to be a text file, it is actually a Visual Basic Script (.vbs) file. VBS files are run by the Windows Scripting Host and the Windows Scripting Host is installed by several packages from Microsoft, including current versions of Internet Explorer. If the Windows Seripting Host is not installed, the worm cannot run. When the Worm program runs, it first adds the following registry key and sets it to 0. HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout = 0 It then makes copies of itself in the windows and system directories as follows: \Windows\Win32DLL.vbs \Windows\System\MSKernel32.vbs \Windows\System\LOVE-LETTER-FOR-YOU.TXT.vbs On a Windows NT machine, these would be the winnt and system32 folders. The worm modifies the following registry keys to insure that the worm is restarted whenever the system is restarted. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = \windows\system\MSKernel32.vbs HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = \windows\Win32DLL.vbs The worm checks to see if the file WinFAT32.exe exists. If it does, the worm randomly picks one of four web pages on www.skyinet.net and changes your Internet Explorer start page to point to a file on that page. The file is named WIN-BUGSFIX.exe. This file is stored in the Internet Explorer download directory or in C:\ if you do not have a download directory defined. The worm then modifies the following registry key to run that file the next time you start windows. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX = \directory\WIN-BUGSFIX.exe where directory is where the program was downloaded to. The worm then resets Internet Explorer’s start page to a blank with the following key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page = about:blank The worm next creates a html version of itself in the file: \windows\system\LOVE-LETTER-FOR-YOU.HTM The worm then looks for Microsoft Outlook and starts creating e-mail messages containing the Love Letter message and the infected file. It sends itself from you to everyone in all of your e-mail lists. To prevent sending itself twice to the same person, it puts a copy of each person’s e-mail address in the registry whenever it sends a message and checks that key before sending a message. You can get a list of everyone who your system sent a copy of this worm to by examining the registry key: HKEY_CURRENT_USER\Software\Microsoft\WAB The worm then starts corrupting your files with copies of itself. It scans all the drives on your system for the following file types: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .JPG, .JPEG. All of these files are overwritten with the worm and all but the .vbs and .vbe files have the .vbs extension added on the right side of the existing file name extension to make the file executable. For example, the image file my.jpg would be overwritten with the worm code and the file name changed to my.jpg.vbs to make it appear to still be an image file but to actually be a .vbs file. Files of type .MP2 and .MP3 are not overwritten, but are hidden and a file containing the worm is created with the same file name plus the .vbs extension. Lastly, the worm looks for IRC chat clients and servers and adds a script.ini file that sends a copy of the html version of the worm to anyone who connects to the IRC chat server. The Trojan Program ================== We have not yet analyzed the Trojan program WIN-BUGSFIX.exe that is downloaded to your system. The following analysis is from Elias Levy (http://www.securityfocus.com/templates/article.html?id=28) at Security Focus. According to that article, the Trojan captures passwords and then sends them to mailme@super.net.ph using a SMTP server at 199.108.232.1 (port 25). The e-mail messages look like the following: To: mailme@super.net.ph Subject: Barok... email.passwords.sender.trojan X-Mailer: Barok... email.passwords.sender.trojan---by: spyder Host: kakker Username: Default IP Address: 10.67.101.123 RAS Passwords: Cache Passwords: BLABLA\MPM : xxx BJORN\MUSIC : xxx TOM\SHARED : xxx TOM2\MP3 : xxx www.server.com/: xxx:xxx MAPI : MAPI where all xxx's stand for plaintext usernames and passwords of SMB shares in the subnet. Quick Test for the Windows Scripting Host ========================================= A quick test to see if you have the Windows Scripting Host installed is to create a text file named test.vbs containing the single line: msgbox "Got You" Save this file and then double click it. If the Windows Scripting Host is installed, the following dialog box will appear. If instead the system opens a dialog asking what program it should use to open the file, the Windows Scripting Host is not installed. [ Image of a dialog box containing "Got You" and an OK button ] If the Windows Scripting Host is not installed, this worm cannot run. What You Should Do ================== If you have not been infected, do not execute attachments to e-mail messages that you were not expecting to receive. Look closely to see what kind of an attachment you are being sent. A .TXT file is safe to open but a .TXT.vbs is not. If you ran the attachment but the Windows Scripting Host is not installed your system has not been compromised. Test your system to see if the Windows Scripting Host is installed using the simple test above. If you do not need the Windows Scripting Host, you should consider disabling it using the instructions below. If you have been infected, the safest thing to do is to reinitialize your system and reinstall all software. This is because while you can delete all instances of the worm, it is not possible to recover any of the damaged files. They must all be deleted. Most antivirus vendors should have detection and cleaning programs available for download to clean your system and we have included a cleaning program below. Keep in mind that some applications may not work because of the destroyed files. While you are waiting to decide what to do about your infected system, you should disconnect that system from any network so the worm cannot spread from you and your passwords cannot be sent to the intruder. What Administrators Should Do ============================= System administrators should block connections to 199.108.232.1 port 25 and www.skyinet.net port 80. Log files of all attempted connections to 199.108.232.1 port 25 will give you a list of infected machines at your site. All incoming mail with the subject ILOVEYOU should be blocked. You should also consider blocking IRC to prevent infection through that path. Disabling The Windows Scripting Host ==================================== Information on disabling the Windows Scripting Host was originally presented in CIAC Bulletin J-18 HTML Viruses. The Windows Scripting Host and Visual InterDev use the Scripting Runtime Library to access the file system on a host. Removing this library will prevent both of these systems from accessing a computer's file system. The windows scripting host will still run, it just will not be able to access or create files on the hard drive (the test above will still run). The library is in a file named, scrrun.dll and will normally be found in the \windows\system or \windows\system32 directories. Use the find command to find all occurances of this file. Copy the file onto a floppy so you can reinstall it later if you need it. Delete all occurances of the file on your system. To reinstall it in the future, put the file back into the directory where you found it and register it with the following command. windows\system32\regsvr32.exe windows\system32\scrrun.dll Be sure to replace windows\system32 with the correct paths to scrrun.dll and regsvr32.exe. To completely disable the windows scripting host, you can uninstall it using the Windows 98 installer. For Windows 95 and Windows NT, delete the files cscript.exe and wscript.exe which should be found in the \windows\system32 or \windows\system directories. The program cscript.exe is the VBScript command processer for use in a command window and wscript.exe is the command processor for use in a "Windows" window. The program wscript.exe is the processor that runs when you double click on any .VBS program such as the test program above. Cleaning Your System ==================== In the event that you are unable to get a code from an antivirus vendor to clean this worm, the following Visual Basic Script program should clean your system. The program was created from one written by Phil Taylor of Improveline by reversing the commands in the worm code. It should remove all infected files created by the current version of this worm and correct the registry entries. Note that this code deletes all files with the .vbs extension. If you have any .vbs files that you want to keep, be sure to change the extension or move them to another system before running this program. You should also check them to make sure that they are still the .vbs files that you expect and not a copy of the worm code. Before using this code, test the system using the test above to see if the Windows Scripting Host is installed. If if is not installed, the virus did not run and you need only delete the e-mail message and the attached file. To use the following cleanup code, copy and paste it into a plane text file named fixer.vbs . Save the file, open a command window and type: cscript fixer.vbs. After running this code, search for files with the .vbs extension. You should find only fixer.vbs. Search also for WIN-BUGSFIX.exe and LOVE-LETTER-FOR-YOU.HTM and make sure you do not find them. For the Very Funny variant, search for Very Funny.HTM rem Loveletter fix (adapted from original virus code) rem Also Fixes Very Funny variant. rem Run this on infected PC's to clear loveletter rem by Phil Taylor Improveline.com ptaylor@improveline.com rem revised by W. J. Orvis, CIAC 5/5/2000 On Error Resume Next dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow eq="" ctr=0 Set fso = CreateObject("Scripting.FileSystemObject") set file = fso.OpenTextFile(WScript.ScriptFullname,1) main() sub main() On Error Resume Next dim wscr,rr, downread Wscript.echo "Starting fix.vbs" set wscr=CreateObject("WScript.Shell") Set dirwin = fso.GetSpecialFolder(0) Set dirsystem = fso.GetSpecialFolder(1) Set dirtemp = fso.GetSpecialFolder(2) Set c = fso.GetFile(WScript.ScriptFullName) Wscript.echo "Deleting " & dirsystem & "\MSKernel32.vbs" fso.DeleteFile(dirsystem&"\MSKernel32.vbs") Wscript.echo "Deleting " & dirwin & "\Win32DLL.vbs" fso.DeleteFile(dirwin&"\Win32DLL.vbs") Wscript.echo "Deleting " & dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs" fso.DeleteFile(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs") Wscript.echo "Deleting " & dirsystem & "\Very Funny.vbs" fso.DeleteFile(dirsystem&"\Very Funny.vbs") Wscript.echo "Deleting " & dirsystem + "\LOVE-LETTER-FOR-YOU.HTM" fso.DeleteFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM") Wscript.echo "Deleting " & dirsystem + "\Very Funny.HTM" fso.DeleteFile(dirsystem+"\Very Funny.HTM") regruns() Wscript.Echo "Looking for files to delete." listadriv() downread="" downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory") if (downread="") then downread="c:\" end if Wscript.echo "Deleting " & downread & "\WIN-BUGSFIX.exe" fso.DeleteFile(downread & "\WIN-BUGSFIX.exe") end sub sub regruns() On Error Resume Next Dim num,downread Wscript.echo "Fixing Regkeys" Wscript.echo "Deleting: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32" regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32" Wscript.echo "Deleting: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL" regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL" downread="" downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory") if (downread="") then downread="c:\" end if if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then Wscript.echo "Deleting: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX" regdelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX" end if Wscript.echo "Setting the Internet Explorer start page to a blank." regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank" end sub sub listadriv On Error Resume Next Dim d,dc,s Set dc = fso.Drives For Each d in dc If d.DriveType = 2 or d.DriveType=3 Then folderlist(d.path&"\") end if Next listadriv = s end sub sub killfiles(folderspec) On Error Resume Next dim f,f1,fc,ext,ap,mircfname,s,bname,mp3,size set f = fso.GetFolder(folderspec) set fc = f.Files for each f1 in fc ext=fso.GetExtensionName(f1.path) size=f1.size ext=lcase(ext) s=lcase(f1.name) if ((ext="vbs") or (ext="vbe")) then if s<>"fixer.vbs" then Wscript.echo "Deleting " & s fso.DeleteFile(f1.path) end if elseif(ext="mp3") or (ext="mp2") then Wscript.echo "Recovering mpeg file: " & f1.path set att=fso.GetFile(f1.path) att.attributes=att.attributes-2 end if if (eq<>folderspec) then if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then Wscript.echo "Deleting IRC script.ini" fso.DeleteFile(folderspec&"\script.ini") eq=folderspec end if end if next end sub sub folderlist(folderspec) On Error Resume Next dim f,f1,sf set f = fso.GetFolder(folderspec) set sf = f.SubFolders for each f1 in sf killfiles(f1.path) folderlist(f1.path) next end sub sub regdelete(regkey) Set regedit = CreateObject("WScript.Shell") regedit.RegDelete regkey end sub sub regcreate(regkey,regvalue) Set regedit = CreateObject("WScript.Shell") regedit.RegWrite regkey,regvalue end sub function regget(value) Set regedit = CreateObject("WScript.Shell") regget=regedit.RegRead(value) end function function fileexist(filespec) On Error Resume Next dim msg if (fso.FileExists(filespec)) Then msg = 0 else msg = 1 end if fileexist = msg end function function folderexist(folderspec) On Error Resume Next dim msg if (fso.GetFolderExists(folderspec)) then msg = 0 else msg = 1 end if fileexist = msg end function -------------------------------------------------------------------------------- Thanks to Elias Levy of Security Focus for his analysis and Phil Taylor of Improveline for his repair script. -------------------------------------------------------------------------------- For additional information or assistance, please contact CIAC: Voice: +1 925-422-8193 (5:00 - 18:00 PST, 13:00 - 2:00 GMT) Emergency (DOE, DOE Contractors, and NIH ONLY): 1-888-449-8369 (primary), 1-800-201-9288 (secondary) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov World Wide Web: http://www.ciac.org/ http://ciac.llnl.gov (same machine -- either one will work) Anonymous FTP: ftp.ciac.org ciac.llnl.gov (same machine -- either one will work) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) -------------------------------------------------------------------------------- This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. --------------------------------------------------------------------------------