Vulnerability Development mailing list archives
Re: IL0VEY0U worm
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Thu, 4 May 2000 16:35:41 -0700
One final update for the day.

It seems a couple of variations of the worm are going around. At least one uses a subject line of "Joke" or "fw: Joke" and the attachment is called VeryFunny.vbs. Thanks to Patrick Cantwell <seamus () insomnia org> and Mitchell Patenaude <mrp () sonic net> for pointing this out.

At least in some instances it seems tabs in the virus code have been changed to spaces. That means the code looks the same but it's not. Some antivirus products may be fooled by this. Trend Micro Interscan for mail servers, Solaris version, seems to be affected. Thanks to Brett Dikeman <brett () iclick com> for pointing this out.

A VB script to disinfect your system is available at http://www.thepope.org/fix.vbs. It seems to do a good job but I think it misses a number of extensions like js, jse, css, sct, hta, jpg, jpeg and wsh.

Matt Davis <bigdog () dogpound vnet net> points out that you can modify John D. Hardin's procmail filters to stop the worm. You can find them at ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html

Adele Shakal <adele () caltech edu> had a few tips. Sendmail.com has a rule to filter the worm based on the subject header at http://www2.sendmail.com/loveletter. It works with Sendmail 8.9 and newer. You should probably add "Joke" to the subject lines it scans for.

If you are a Postfix user you can stop the virus by doing the following:

* Make sure your version of postfix supports the header_checks directive.
* Add the line "header_checks = regexp:/etc/postfix/header_checks" to your main.cf file.
* Create a /etc/postfix/header_checks file with a line of:
  /^Subject:.*ILOVEYOU/ REJECT
  or better yet
  /Content.*\.vbs/ REJECT
* Execute "postfix reload".

For Exchange, Steve Willocks <willocks () bskb com> recommends Mail essentials for Exchange/SMTP. It's a commercial product that you configure to block messages based on types of attachments or keyword matches, among other features. You can find it at http://www.gfi.com/mesindex.htm

CERT has a small summary of the outbreak at http://www.cert.org/current/current_activity.html#loveletter

More antivirus updates:

Aladdin: http://www.aks.com/home/csrt/valerts.asp
CA: http://www.ca.com/virusinfo/virusalert.htm
DrSolomon: http://www.drsolomons.com/home/extra.zip
F-Secure: http://www.f-secure.com/download-purchase/updates.html
Finjan: http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34
McAfee: http://download.mcafee.com/extrafiles/love-4.zip
NAI: http://vil.nai.com/villib/dispVirus.asp?virus_k=98617
Proland: http://www.pspl.com/virus_info/worms/loveletter.htm
Sophos: http://www.sophos.com/virusinfo/analyses/vbsloveleta.html
Sophos: http://www.sophos.com/virusinfo/analyses/trojloveleta.html
Symantec: http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
TrendMicro: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER-O

spiff <spiff () bway net> relates that pop3d on OpenBSD seems to reject the infected messages with an error message of "Attachment Corrupted", thus their users are not affected.

Michael Damm <symetrix () symetrix org> seems to think that Norton Antivirus stops the worm without the latest update. It seems Norton confuses the virus with VBS.BubbleBoy and stops it. His virus definition file is 135 days old. Go figure.

Dan Stromberg <strombrg () nis acs uci edu> has developed a Python script that removes the virus from a set of mbox-formatted mail files. It's attached. It replaces the infected message with a warning that indicates who sent the mail. Use at your own risk. If you use Content-length, this program could mess up your mailbox. Content-length usage is indicated, I believe, by the "v" option on your local ("Mlocal" line) mail delivery agent in sendmail.cf. Please consider the program copylefted.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

text/plain attachment: otiloveyou_
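Added example, not part of Elias Levy's post or Dan Stromberg's attached script: a Python scanner that applies the indicators the post names (the "ILOVEYOU" / "Joke" subject lines and script-extension attachments) to mail messages, and fingerprints each script attachment with whitespace collapsed, so the tab-for-space variant the post says fooled signature matching hashes the same as the original. The sample messages and the placeholder script are constructed here; the Python `email` module does the parsing.

```python
import email
import hashlib
import re
from email.message import Message

# Subject lines named in the post, and the script extensions it lists
# (including the ones it says fix.vbs misses).
SUBJECT_RE = re.compile(r"^(fw:\s*)?(ILOVEYOU|Joke)\b", re.IGNORECASE)
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "css", "sct", "hta", "wsh"}


def normalized_fingerprint(text: str) -> str:
    """SHA-256 of a script with every run of whitespace collapsed to one space,
    so a copy that differs only by tabs-for-spaces gets the same fingerprint."""
    return hashlib.sha256(re.sub(r"\s+", " ", text).strip().encode()).hexdigest()


def script_attachments(msg: Message):
    """Yield (filename, fingerprint) for every attachment with a script extension."""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.rsplit(".", 1)[-1].lower() in SCRIPT_EXTS:
            payload = part.get_payload(decode=True) or b""
            yield name, normalized_fingerprint(payload.decode("latin-1"))


def classify(raw: str, known: set) -> list:
    """Return the reasons to quarantine a message; an empty list means clean."""
    msg = email.message_from_string(raw)
    reasons = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("subject")
    for name, fp in script_attachments(msg):
        reasons.append("attachment:" + name)
        if fp in known:
            reasons.append("known-script")
    return reasons


def build_message(subject: str, filename: str, script: str) -> str:
    """Constructed sample message with one script attachment (test data only)."""
    return (
        f"Subject: {subject}\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nkindly check the attached.\n"
        f'--b1\nContent-Type: application/octet-stream; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n\n{script}\n--b1--\n'
    )


# Constructed, harmless placeholder standing in for a script already on file.
KNOWN_SCRIPT = "Dim x\n\tx = 1\n\tMsgBox x\n"
KNOWN = {normalized_fingerprint(KNOWN_SCRIPT)}
```

Feeding the same script with its tabs replaced by four spaces through `classify` still yields "known-script", which is the property a byte-exact signature lacks.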