Vulnerability Development mailing list archives

I Love you virus cure for exchange server NT


From: sven () VIP BR (sven)
Date: Thu, 4 May 2000 13:24:31 -0300


This was sent to me earlier today and presented as a cure for the I Love
you virus:

--- BEGIN PASTE ---
"I Love You" eMail virus.
Summary

This document is to provide you with steps to purge the ILOVEYOU virus
on Exchange servers for one time. This virus is spread in various ways.
It seems the most prevalent method is via an eMail message, which has
the following details.

Subject line    "ILOVEYOU"
Mail text:      "kindly check the attached LOVELETTER coming from me."
Attachment:     "LOVE-LETTER-FOR-YOU.TXT.vbs"
Size:   Approx. 13kb.

Steps to cure Exchange 5.5 SP3 and lower
If you have Exchange 5.5 with SP3 or a lower version, please
        1.      Download SCAN.ZIP from
                ftp://ftp.microsoft.com/transfer/outgoing/webresponse/
                a.      ftp://ftp.microsoft.com/transfer/outgoing/webresponse/scan.zip.00504.04-07-25
        2.      Unzip file
        3.      Copy all files to <Exchange server directory>\bin
        4.      Run the following command: NET STOP MSEXCHANGEIS
                a.      If you do not want to stop the store, you can use
                        the latest version of EXMERGE.EXE. For more
                        information on how to use this, please refer to
                        Q-article Q246916 (added as appendix)
        5.      ISSCAN -pri -fix -test badattach,badmessage -c virus.txt
        6.      If you have public folders then run the following command too
                a.      ISSCAN -pub -fix -test badattach,badmessage -c virus.txt

Steps to cure Exchange 5.5 SP3 and Store Fixes
If you have Exchange 5.5 with SP3 with additional fixes on the store,
        1.      Download SCAN.ZIP and POST-SP3-ISSCAN.EXE from
                ftp://ftp.microsoft.com/transfer/outgoing/webresponse/
                a.      ftp://ftp.microsoft.com/transfer/outgoing/webresponse/scan.zip.00504.04-07-25
                b.      ftp://ftp.microsoft.com/transfer/outgoing/webresponse/post-sp3-isscan.exe.00504.06-31-12
        2.      Unpack SCAN.ZIP
        3.      Unpack POST-SP3-ISSCAN.EXE, choose to overwrite isscan.exe
                (build 2648) with the new isscan.exe (build 2652.26)
        4.      Copy all files to: <Exchange server directory>\bin
        5.      Run the following command: NET STOP MSEXCHANGEIS
                a.      If you do not want to stop the store, you can use
                        the latest version of EXMERGE.EXE. For more
                        information on how to use this, please refer to
                        Q-article Q246916 (added as appendix)
        6.      ISSCAN -pri -fix -test badattach,badmessage -c virus.txt
        7.      If you have public folders then run the following command too
                a.      ISSCAN -pub -fix -test badattach,badmessage -c virus.txt

Please be aware: POST-SP3 ISSCAN is not downwards compatible

Background information

This is handled in a very similar way to the Melissa virus.

From an Exchange perspective, the first thing to do is to shut down all
IMS services, and all MTAs, to stop propagation. It has been suggested
that, owing to the other infection vectors, HTTP and IRC protocols be
stopped as well (or as a critical measure, unplug corporate intranets
from the internet until the crisis is under control).  A company can
block these URLs at their proxy servers, too.

ISSCAN can then be used to scan all Information Stores for copies of the
message, and delete them.  This may not get all messages, and especially
as more may trickle in from the outside, from missed servers, or from
PST files, this process will need to be repeated over time.  Refer to KB
article Q224493 (Q224436 talks about handling the Melissa virus and may
be of assistance, also). Note that the current ISSCAN on the FTP site is
only up to 5.5.SP3 as per Q260022.  An updated version of this utility
has to be shipped to requesting customers, as per a hot fix.

Any other preventative / cure measures need to be handled by NT logon
scripts and/or 3rd party anti-virus programs.

These need to delete the core .vbs files (as described in the analysis
below), delete the WIN-BUGSFIX.exe files, also the
LOVE-LETTER-FOR-YOU.HTM file, and remove the registry entries causing
these to be run at logon. The WSCRIPT.EXE process should also be killed
to stop any current "infection" at this time.

More information on the virus on the web:
www.norman.com
http://www.f-secure.com/v-descs/love.htm
--- END PASTE --- Source: wishes to remain unknown

--
-------------------------------------------------------------------------------------------
Sven E. van 't Veer                                                Afiliado
Universo Online
Gerente Desenvolvimento
Brasil Informática e Telecomunicações Ltda.
http://www.brvip.com.br
http://www.uol.com.br
-------------------------------------------------------------------------------------------
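The pasted procedure relies on ISSCAN to find copies of the message inside the Exchange stores, but the same three indicators it lists (subject line, body text, attachment name) are enough to triage mail outside the store, for example in PST exports or in a mail gateway's quarantine, which the text notes is where stragglers keep trickling in from. The script below is an added example and is not part of the original post, not ISSCAN, and not a Microsoft tool; it never touches an Exchange store. It parses RFC 822 messages with Python's standard-library email package and reports which posted indicators each message matches. The "double extension" rule (flagging any attachment such as something.txt.vbs as suspicious even when subject and body have been changed) is this example's own generalisation, not something the post states, and the four sample messages are constructed for the demonstration.

```python
"""Mailbox triage for the ILOVEYOU message described in the post above.

Added example, not part of the original post and not Microsoft's ISSCAN:
it never touches an Exchange store. It parses RFC 822 messages with the
standard-library `email` package and reports which of the posted
indicators (subject, body text, attachment name) each message matches.
"""
from __future__ import annotations

from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the posted description of the message.
SUBJECT_INDICATOR = "ILOVEYOU"
BODY_INDICATOR = "kindly check the attached LOVELETTER coming from me."
ATTACHMENT_INDICATOR = "LOVE-LETTER-FOR-YOU.TXT.vbs"

# Generalisation (an assumption of this example, not stated in the post):
# an attachment whose name hides a script extension behind a second,
# innocuous-looking one ("something.txt.vbs") is worth a human look even
# when the subject and body have been changed.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


def looks_like_double_extension_script(name: str) -> bool:
    """True for names such as 'report.txt.vbs' (two extensions, last one a script)."""
    stem, dot, ext = name.lower().rpartition(".")
    return dot == "." and "." + ext in SCRIPT_EXTENSIONS and "." in stem


def attachment_names(msg: EmailMessage) -> list[str]:
    """Filenames of every attachment part in a (possibly multipart) message."""
    return [part.get_filename() for part in msg.iter_attachments() if part.get_filename()]


def classify_message(raw: bytes) -> dict:
    """Parse one raw message and return the matched indicators plus a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    names = attachment_names(msg)
    hits = {
        "subject": subject.upper() == SUBJECT_INDICATOR,
        "body": BODY_INDICATOR.lower() in body.lower(),
        "attachment": any(n.lower() == ATTACHMENT_INDICATOR.lower() for n in names),
        "double_extension_script": any(looks_like_double_extension_script(n) for n in names),
    }
    # The known attachment name, or subject and body text together, is a
    # definite match. A double-extension script alone only earns a
    # 'suspicious' verdict, to be reviewed rather than deleted automatically.
    if hits["attachment"] or (hits["subject"] and hits["body"]):
        verdict = "match"
    elif hits["double_extension_script"]:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"subject": subject, "attachments": names, "hits": hits, "verdict": verdict}


def scan_mailbox(messages: list[bytes]) -> list[dict]:
    """Classify every message; returns one result dict per message, in order."""
    return [classify_message(raw) for raw in messages]


def summarize(results: list[dict]) -> dict:
    """Count verdicts so an operator can see at a glance how much is left to purge."""
    counts = {"match": 0, "suspicious": 0, "clean": 0}
    for r in results:
        counts[r["verdict"]] += 1
    return counts


def build_sample(subject: str, body: str, attachment: str | None = None) -> bytes:
    """Construct a test message (sample data made up for this example)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        # Placeholder bytes only; this is not the script the post describes.
        msg.add_attachment(b"' constructed placeholder attachment\r\n",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_bytes()


# Constructed sample mailbox: one copy of the described message, one with
# the attachment renamed, one unrelated double-extension script, one clean mail.
SAMPLE_MESSAGES = [
    build_sample("ILOVEYOU", BODY_INDICATOR, ATTACHMENT_INDICATOR),
    build_sample("ILOVEYOU", BODY_INDICATOR, "loveletter.doc"),
    build_sample("Quarterly report", "Figures attached.", "report.txt.vbs"),
    build_sample("Lunch?", "Noon at the usual place.", "notes.txt"),
]

if __name__ == "__main__":
    for result in scan_mailbox(SAMPLE_MESSAGES):
        print(f"{result['verdict']:10} {result['subject']!r} {result['attachments']}")
    print(summarize(scan_mailbox(SAMPLE_MESSAGES)))
```

Only the "match" verdict corresponds to what the post's ISSCAN invocation (-test badattach,badmessage) would purge; the "suspicious" bucket exists because the post itself warns that copies keep arriving from missed servers and PST files, and a renamed variant would slip past a check that keys on the exact subject alone.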
