IL0VEY0U worm (fwd)
Lic. Rodolfo Gonzalez Gonzalez
rgg en solarium.cs.buap.mx
Fri May 5 15:26:59 CDT 2000
---------- Forwarded message ----------
Date: Fri, 5 May 2000 12:37:28 -0700
From: Elias Levy <aleph1 en SECURITYFOCUS.COM>
To: INCIDENTS en SECURITYFOCUS.COM
Subject: Re: IL0VEY0U worm
Another update.
VARIANTS
--------
Toni Tiainen <toni.tiainen en f-secure.com> reports a new variant
they are calling LoveLetter.E, which spreads with a subject of
"Mothers Day Order Confirmation" and a message body of (indented
two spaces):
  Thanks for your purchase!
  We have proceeded to charge your credit card for the amount of $326.92 for
  the mothers day diamond special. We have attached a detailed invoice to this
  email. Please print out the attachment and keep it in a safe place.
  Thanks Again and Have a Happy Mothers Day!
The attachment is named "mothersday.vbs". This variant deletes all files
with an extension of ".bat". F-Secure Anti-Virus for Firewalls with
the latest signature file can detect and delete this variant. For
more info check out http://www.f-secure.com/v-descs/love.htm
The LoveLetter.B variant has a subject of
"Susitikim shi vakara kavos puodukui...".
Brian Moore <bem en cmc.net> reports seeing at least one variant where
the VBS virus was not an attachment but it was instead uuencoded.
This may fool antivirus products. Look out for the string
"begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs" in the message. Could this
be the result of some MTA rewriting the message?
Trend Micro has released pattern file number 695 which includes
definitions to detect the variants reported by Dan Simoes <dans en iclick.com>
(the tabs to spaces variant).
Sean Malloy <sean en emax.com.au> lets us know that changing the
virus to use a WSF extension instead of VBS is just as effective.
WSF stands for Windows Scripting File. Antivirus vendors that want to
be proactive might want to add this extension to their signatures.
The file contents would look something like this:
<job id="iloveyou">
<script language="VBScript">
'insert code here
</script>
</job>
or as Sean points out you could encode it to obfuscate it by doing:
<job id="iloveyouencrypted">
<script language="VBScript.Encode">
#@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@
</script>
</job>
where "#@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@" is the encoded
worm.
It seems the "fwd: Joke" variant attachment is "Very Funny.vbs" (note the
space) and not "VeryFunny.vbs". Or maybe it's a new variant.
FILTERING
---------
As many of you pointed out filtering based on the subject line is less
than perfect. Sadly that is the best you can do with many MTAs without
some hacking. If others can come up with ways to filter based on
attachments let us know. If you can filter by attachment look out
for files with these extensions: VBS, VBE, WSF, WSH, HTA.
Also the second regexp filter I recommended for Postfix was wrong.
Postfix can only match message headers, not attachment headers. So
the line "/Content.*\.vbs/ REJECT" will have no effect on the worm.
You are left with filtering by subject (e.g. "/^Subject:.*ILOVEYOU/ REJECT").
Jose Nazario <jose en biocserver.BIOC.CWRU.Edu> has updated his sendmail
rules. As suggested by Keith Petersen it now generates 501 errors (rather than 553's, which causes an Exchange server to keep retrying delivery) and it now handles the Joke variants.
http://biocserver.bioc.cwru.edu/~jose/iloveyouhack.txt
Jimmy Corio <jimmy.corio en icube.com> has provided the following procmail
recipe:
#
# Look for ILOVEYOU worm. File copy in /var/mail/ILoveYouSave and
# notify that an infected mail file may have come in.
# - jc3 05/04/00
#
# (The condition below is one line; the list archive wrapped it.
#  "($|)" lets the match continue across a folded header line.)
:0 B
* ^Content-Type: application/octet-stream;.*($|).*name="LOVE-LETTER-FOR-YOU.TXT.vbs"
{
  ILOVEYOULOG="/var/mail/ILoveYouSave"

  # Keep a copy of the suspect message for later analysis.
  :0 c
  $ILOVEYOULOG

  # Send the headers only, with a rewritten Subject/To, as an alert.
  :0 h
  | (formail -i"Subject: Potential ILOVEYOU worm email received" \
             -i"To: jimmy.corio@icube.com" \
             -i"Content-type: text/plain; charset=\"us-ascii\""; \
      echo "Potential I Love You virus received. Check Log."; \
      echo "Date: `/bin/date`"; \
    ) | \
    $SENDMAIL -oi jimmy.corio@icube.com
}
Please note you need to change the email address it sends warning messages
to, and you should also modify it to catch the "Very Funny.vbs" attachment.
ANTIVIRUS
---------
Daniel Doekal <ddoc en mia.cz> reports that Norton does not seem to stop
the virus with the 24.4.2000 signature file and that LiveUpdate has not
yet listed a newer signature file. At the same time there are conflicting
reports that Norton does detect the virus, but as the older BubbleBoy virus
or by using its Bloodhound heuristics technology.
Adele Shakal <adele en caltech.edu> points us to DrSolomon's fix at
http://www.drsolomons.com/home/extra.zip
Bernhard Schneck <Bernhard_Schneck en genua.de> points us to this
German antivirus vendor fix http://www.antivir.de/presse/loveletter.htm
RECOVERY SCRIPTS
----------------
Dave Salovesh <salovesh en ramassociates.com> points out my comment about
the ThePope.org recovery script was wrong. Since the overwritten files
are renamed to have a .vbs extension the script does not need to look
for the other extensions. The script is at http://www.thepope.org/fix.vbs
David E Haasnoot <dave en write-design.com> has some scripts to recover
from the worm at http://www.liwdg.org/love.html
Damon Lathe <ascenderon en hotmail.com> points us to another recovery
script called the Love Condom at http://www.creativebits.com/love-condom/
OTHER SOLUTIONS
---------------
Chris Needham <chris en futile.net> had the clever idea of having the
skyinet.net ISP that hosts the web pages for the WIN-BUGSFIX.exe program
replace those pages with a page informing users that they are infected
and giving instructions on how to fix their systems. Of course this is
not likely to happen, but local ISPs can redirect these URLs in their
proxies to help their customers.
Dax Kelson <dax en gurulabs.com> found some errors in the script supplied
by Dan Stromberg <strombrg en nis.acs.uci.edu> yesterday. Dan has fixed it
up and made a new version available at
ftp://autoinst.acs.uci.edu/pub/virus/zotiloveyou
David Luyer <david_luyer en pacific.net.au> provides us with a similar
script in perl. It's attached. Run from /var/spool with $files = `echo mail/*`
or $files = result of building list from grep. No forks, execs, etc., etc.,
so it can be run over a few hundred thousand mailboxes without too much pain,
although the locking is very ugly and doesn't actually test the lock.
Steve Parker <steve en shp.to> points out a way to stop the worm from
propagating (at least via email). The worm uses the OLE automation object
for Outlook to send the infected messages. It obtains a handle to this
object via the following VBS line:
set out=WScript.CreateObject("Outlook.Application")
"Outlook.Application" references a registry key under HKEY_CLASSES_ROOT.
That key references the CLSID of the OLE automation object for Outlook.
If that key is deleted, renamed, or the CLSID value is changed, VB code will
not be able to automate Outlook, and hence the worm will not propagate
itself via email.
Steve tested this technique and it does not appear to break Outlook. It did,
however, break the Palm HotSync manager.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
------------ next part ------------
#!/usr/bin/perl
# Remove ILOVEYOU messages (exact "Subject: ILOVEYOU" header) from mbox
# spool files in place.  Run from /var/spool; see the note in the message.
use strict;
use warnings;

my $virusremoved = 0;
# Mailboxes to scrub: the command-line arguments, or every file under mail/.
#$files="mail/victim1 mail/victim2 ..."
my $files = @ARGV ? join(" ", @ARGV) : `echo mail/*`;
chomp $files;
my @files = split(/ /, $files);

# Login name -> uid, so ownership can be restored on the rewritten mailbox.
my %uid;
open(PW, "</etc/passwd") or die "cannot read /etc/passwd: $!";
while (<PW>) {
    my @l = split(/:/);
    $uid{$l[0]} = $l[2];
}
close(PW);

for my $file (@files) {
    print "doing $file...\n";
    my $msg = "";         # text of the message currently being read
    my $isvirus = 0;      # set when the header has "Subject: ILOVEYOU"
    my $isnotvirus = 0;   # nonzero once the header block has ended
    # Crude lock: the lock file is created but never tested (as the message says).
    open(TMP, ">$file.lock") or die "cannot create $file.lock: $!";
    close(TMP);
    rename("$file", "$file.TMP-RM-VIRUS") or die "cannot rename $file: $!";
    open(FILEOLD, "<$file.TMP-RM-VIRUS") or die "cannot read $file.TMP-RM-VIRUS: $!";
    open(FILENEW, ">$file") or die "cannot write $file: $!";
    while (<FILEOLD>) {
        # "From " at the start of a line begins a new mbox message:
        # write out (or drop) the previous one.
        if (/^From /) {
            print FILENEW $msg if (!$isvirus);
            $virusremoved++ if ($isvirus);
            print "REMOVED: $virusremoved\n" if ($isvirus);
            $msg = "";
            $isvirus = 0;
            $isnotvirus = 0;
        }
        $msg .= $_;
        # The first blank line ends the header; a Subject: line after it
        # is body text (e.g. a quoted message) and must not count.
        if (/^$/ && !$isvirus) {
            $isnotvirus++;
        }
        if (/^Subject: ILOVEYOU$/) {
            $isvirus++ if (!$isnotvirus);
        }
    }
    # Flush the last message in the file.
    print FILENEW $msg if (!$isvirus);
    $virusremoved++ if ($isvirus);
    close(FILEOLD);
    close(FILENEW);
    unlink("$file.TMP-RM-VIRUS");
    unlink("$file.lock");
    # Restore ownership: user taken from the file name, group 12 (mail here).
    my $user = $file;
    $user =~ s/mail\///;
    print "user = $user\n";
    my $uid = exists $uid{$user} ? $uid{$user} : 0;
    print "uid = $uid\n";
    chown $uid, 12, $file;
    chmod 0660, $file;
}
------------ next part ------------
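The FILTERING section asks for a way to filter on attachments rather than
on the Subject line, and the VARIANTS section lists the cases a subject
filter misses: the WSF wrapper with a VBScript.Encode body, the "Very
Funny.vbs" name with a space, and the uuencoded copy that has no attachment
header at all. The following is an added example, not code from the
original post or from any of the people quoted in it. It parses the MIME
structure of a message with Python's email library and reports every reason
the message looks like the worm. The extension list and subject lines are
taken from the post; the "#@~^" prefix is the marker the Script Encoder
puts in front of VBScript.Encode output (visible in the post's own sample).
The four sample messages are constructed for this example.

```python
"""Attachment-based filter for LoveLetter-style mail (added example)."""
import binascii
import email
import re
from email import policy

# Script-host extensions named in the post.
SCRIPT_EXTS = {"vbs", "vbe", "wsf", "wsh", "hta"}

# Subjects of the variants listed in the post, anchored at the start and
# case-insensitive so re-cased copies still match.
SUBJECT_PATTERNS = [
    re.compile(r"^ILOVEYOU\b", re.I),
    re.compile(r"^fwd:\s*Joke\b", re.I),
    re.compile(r"^Mothers Day Order Confirmation", re.I),
    re.compile(r"^Susitikim shi vakara kavos puodukui", re.I),
]

# "begin <mode> <name>" line that starts a uuencoded file inside a body.
UUENCODE_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S[^\r\n]*)", re.M)

# A WSF wrapper (plain or encoded) and the "#@~^" prefix of Script Encoder output.
WSF_MARKER = re.compile(r'<script\s+language\s*=\s*"VBScript(\.Encode)?"', re.I)
SCRENC_MARKER = re.compile(r"#@~\^")


def last_extension(name: str) -> str:
    """Final extension of a file name, lower-cased; '' if there is none.
    Only the last extension counts, so LOVE-LETTER-FOR-YOU.TXT.vbs is 'vbs'."""
    name = name.strip().strip('"')
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def scan_message(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message looks like the worm ([] = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", ""))
    for pat in SUBJECT_PATTERNS:
        if pat.search(subject):
            reasons.append(f"subject matches {pat.pattern!r}")
            break
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Name from Content-Disposition filename= or Content-Type name=;
        # the value is taken whole, so "Very Funny.vbs" keeps its space.
        fname = part.get_filename() or part.get_param("name") or ""
        ext = last_extension(fname)
        if ext in SCRIPT_EXTS:
            reasons.append(f"attachment {fname!r} has script extension .{ext}")
        # Decode the part and look inside it: a uuencoded script in a plain
        # text body has no attachment header, and a WSF body is recognisable
        # whatever the file is called.  latin-1 never fails on arbitrary bytes.
        payload = part.get_payload(decode=True) or b""
        text = payload.decode("latin-1")
        for m in UUENCODE_BEGIN.finditer(text):
            uname = m.group(1).strip()
            if last_extension(uname) in SCRIPT_EXTS:
                reasons.append(f"uuencoded file {uname!r} in body")
        if WSF_MARKER.search(text) or SCRENC_MARKER.search(text):
            reasons.append("WSF / VBScript.Encode script body")
    return reasons


def build_raw(headers: dict, body: str) -> bytes:
    """Assemble a raw message (constructed sample) from headers and body text."""
    head = "".join(f"{k}: {v}\n" for k, v in headers.items())
    return (head + "\n" + body).encode("latin-1")


# Constructed samples; the script bodies are placeholders, not worm code.
SAMPLES = {
    "classic": build_raw(
        {"Subject": "ILOVEYOU", "MIME-Version": "1.0",
         "Content-Type": 'multipart/mixed; boundary="b1"'},
        "--b1\nContent-Type: text/plain\n\nkindly check the attachment.\n"
        "--b1\nContent-Type: application/octet-stream; name=\"LOVE-LETTER-FOR-YOU.TXT.vbs\"\n"
        "Content-Disposition: attachment; filename=\"LOVE-LETTER-FOR-YOU.TXT.vbs\"\n\n"
        "rem (script body elided)\n--b1--\n"),
    "uuencoded": build_raw(
        {"Subject": "(no subject)", "Content-Type": "text/plain"},
        "begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs\n"
        + binascii.b2a_uu(b"rem (script body elided)\n").decode("ascii")
        + "`\nend\n"),
    "wsf": build_raw(
        {"Subject": "fwd: Joke", "MIME-Version": "1.0",
         "Content-Type": 'multipart/mixed; boundary="b3"'},
        "--b3\nContent-Type: text/plain\n\nCheck this out.\n"
        "--b3\nContent-Type: application/octet-stream\n"
        "Content-Disposition: attachment; filename=\"Very Funny.wsf\"\n\n"
        '<job id="iloveyouencrypted">\n<script language="VBScript.Encode">\n'
        "#@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@\n</script>\n</job>\n--b3--\n"),
    "clean": build_raw(
        {"Subject": "Re: meeting notes", "MIME-Version": "1.0",
         "Content-Type": 'multipart/mixed; boundary="b4"'},
        "--b4\nContent-Type: text/plain\n\nNotes attached.\n"
        "--b4\nContent-Type: text/plain\nContent-Disposition: attachment; filename=\"notes.txt\"\n\n"
        "1. Patch the mail gateways.\n--b4--\n"),
}


def scan_samples() -> dict:
    """Scan every constructed sample; maps sample name to its list of reasons."""
    return {name: scan_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(f"{name:10s} {'REJECT' if reasons else 'accept'}  {reasons}")
```

Only the final extension is examined, which is the point of the double
extension trick (LOVE-LETTER-FOR-YOU.TXT.vbs looks like a .TXT to a casual
reader but runs as .vbs). A name-only check is still bypassable by renaming,
which is why the body is also searched for a WSF wrapper, an encoded script
prefix and a uuencode header; a production filter would add a real
uudecode of the body and a scan of the decoded bytes.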
--
To unsubscribe, send mail to: ayuda-unsubscribe en linux.org.mx
For additional commands, send mail to: ayuda-help en linux.org.mx
More information about the Ayuda mailing list