Vulnerability Development mailing list archives
I Love you virus cure for exchange server NT
From: sven () VIP BR (sven)
Date: Thu, 4 May 2000 13:24:31 -0300
This was sent to me earlier today and presented as a cure for the I Love you virus:

--- BEGIN PASTE ---

"I Love You" eMail virus.

Summary

This document is to provide you with steps to purge the ILOVEYOU virus on Exchange servers for one time. This virus is spread in various ways. It seems the most prevalent method is via an eMail message, which has the following details.

  Subject line: "ILOVEYOU"
  Mail text: "kindly check the attached LOVELETTER coming from me."
  Attachment: "LOVE-LETTER-FOR-YOU.TXT.vbs"
  Size: Approx. 13kb.

Steps to cure Exchange 5.5 SP3 and lower

If you have Exchange 5.5 with SP3 or a lower version, please

1. Download SCAN.ZIP from ftp://ftp.microsoft.com/transfer/outgoing/webresponse/
   a. ftp://ftp.microsoft.com/transfer/outgoing/webresponse/scan.zip.00504.04-07-25
2. Unzip file
3. Copy all files to <Exchange server directory>\bin
4. Run the following command: NET STOP MSEXCHANGEIS
   a. If you do not want to stop the store, you can use the latest version of EXMERGE.EXE. For more information on how to use this, please refer to Q-article Q246916 (added as appendix)
5. ISSCAN -pri -fix -test badattach,badmessage -c virus.txt
6. If you have public folders then run the following command too
   a. ISSCAN -pub -fix -test badattach,badmessage -c virus.txt

Steps to cure Exchange 5.5 SP3 and Store Fixes

If you have Exchange 5.5 with SP3 with additional fixes on the store,

1. Download SCAN.ZIP and POST-SP3-ISSCAN.EXE from ftp://ftp.microsoft.com/transfer/outgoing/webresponse/
   a. ftp://ftp.microsoft.com/transfer/outgoing/webresponse/scan.zip.00504.04-07-25
   b. ftp://ftp.microsoft.com/transfer/outgoing/webresponse/post-sp3-isscan.exe.00504.06-31-12
2. Unpack SCAN.ZIP
3. Unpack POST-SP3-ISSCAN.EXE, choose to overwrite isscan.exe (build 2648) with the new isscan.exe (build 2652.26)
4. Copy all files to: <Exchange server directory>\bin
5. Run the following command: NET STOP MSEXCHANGEIS
   a. If you do not want to stop the store, you can use the latest version of EXMERGE.EXE. For more information on how to use this, please refer to Q-article Q246916 (added as appendix)
6. ISSCAN -pri -fix -test badattach,badmessage -c virus.txt
7. If you have public folders then run the following command too
   a. ISSCAN -pub -fix -test badattach,badmessage -c virus.txt

Please be aware: POST-SP3 ISSCAN is not downwards compatible.

Background information

This is handled in a very similar way to the Melissa virus.

From an Exchange perspective, the first thing to do is to shut down all IMS services, and all MTAs, to stop propagation. It has been suggested that, owing to the other infection vectors, HTTP and IRC protocols be stopped as well (or as a critical measure, unplug corporate intranets from the internet until the crisis is under control). A company can block these URLs at their proxy servers, too.

ISSCAN can then be used to scan all Information Stores for copies of the message, and delete them. This may not get all messages, and especially as more may trickle in from the outside, from missed servers, or from PST files, this process will need to be repeated over time. Refer to KB article Q224493 (Q224436 talks about handling the Melissa virus and may be of assistance, also). Note that the current ISSCAN on the FTP site is only up to 5.5.SP3 as per Q260022. An updated version of this utility has to be shipped to requesting customers, as per a hot fix.

Any other preventative / cure measures need to be handled by NT logon scripts and/or 3rd party anti-virus programs. These need to delete the core .vbs files (as described in the analysis below), delete the WIN-BUGSFIX.exe files, also the LOVE-LETTER-FOR-YOU.HTM file, and remove the registry entries causing these to be run at logon. The WSCRIPT.EXE process should also be killed to stop any current "infection" at this time.

More information on the virus on the web:
  www.norman.com
  http://www.f-secure.com/v-descs/love.htm

--- END PASTE ---

Source: wishes to remain unknown

--
-------------------------------------------------------------------------------------------
Sven E. van 't Veer
Universo Online affiliate
Development Manager
Brasil Informática e Telecomunicações Ltda.
http://www.brvip.com.br
http://www.uol.com.br
-------------------------------------------------------------------------------------------
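As an added example (not part of the post above, nor a Microsoft tool), a small Python mail filter that checks a raw RFC 822 message for the three indicators the paste lists (subject line, mail text, attachment name) and, generalising beyond the post's single .TXT.vbs case, also flags any attachment whose name hides a Windows Script Host extension behind another extension. Both sample messages are constructed for the example; the attachment body is left empty.

```python
from email import message_from_string, policy
# Indicators quoted in the post: subject line, mail text and attachment name.
SUBJECT = "ILOVEYOU"
BODY_TEXT = "kindly check the attached loveletter coming from me."
ATTACHMENT = "love-letter-for-you.txt.vbs"
# Windows Script Host extensions; generalises the post's .TXT.vbs case.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf"}

def hides_script_extension(name):
    # True for names like X.TXT.vbs: a harmless-looking extension in front of a script one.
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTS

def classify(raw):
    """Return the ILOVEYOU indicators matched by a raw RFC 822 message, in order."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if (msg["subject"] or "").strip().upper() == SUBJECT:
        hits.append("subject")
    text = msg.get_body(preferencelist=("plain",))
    if text is not None and BODY_TEXT in text.get_content().lower():
        hits.append("body")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name.lower() == ATTACHMENT:
            hits.append("attachment-name")
        elif hides_script_extension(name):
            hits.append("double-extension-script")
    return hits

# Constructed sample in the shape the post describes; the attachment body is left empty.
INFECTED = """\
Subject: ILOVEYOU
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

--b1--
"""
# Constructed benign message: different subject and text, plain .txt attachment.
BENIGN = (INFECTED.replace("ILOVEYOU", "Meeting notes").replace("LOVELETTER", "notes")
          .replace("LOVE-LETTER-FOR-YOU.TXT.vbs", "notes.txt"))
```

Feeding `INFECTED` to `classify` returns all three indicator names; the double-extension check is what would still fire on a re-named copy that keeps the .TXT.vbs trick but changes subject and text.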