Security Incidents mailing list archives
Re: IL0VEY0U worm
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Thu, 4 May 2000 12:15:50 -0700
Some further comments.

Jose Nazario <jose () biocserver BIOC CWRU Edu> has been kind enough to put up a ruleset for sendmail 8.9.x and 8.10.x that stops messages with "ILOVEYOU" in the subject field. You can find it at:

http://biocserver.cwru.edu/~jose/iloveyouhack.txt

Mike Iglesias <iglesias () draco acs uci edu> and "Frasnelli, Dan" <dfrasnel () corewar com> pointed out I had a typo. The executable file name is WIN-BUGSFIX.exe, not WIN-BUGFIX.exe.

Zoa_Chien <zoa_chien () iname com> points out that the WIN-BUGSFIX.exe program connects to the SMTP server at 199.108.232.1 port 25 to send out its email message. You should block the address at your firewall. The message looks as follows:

To: mailme () super net ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder

Host: kakker
Username: Default
IP Address: 10.67.101.123
RAS Passwords:
Cache Passwords:
BLABLA\MPM: xxx
BJORN\MUSIC: xxx
TOM\SHARED: xxx
TOM2\MP3: xxx
www.server.com/: xxx:xxx
MAPI: MAPI

where all xxx's stand for plaintext usernames and passwords of SMB shares in the subnet.

CERT is trying to determine the scope of the worm infection. They are asking people that run into the worm to email cert () cert org with a subject line of "CERT#35894" and report the incident.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
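The post describes two mail artefacts a responder can key on: the carrier message with "ILOVEYOU" in the Subject (the same test Jose Nazario's sendmail ruleset applies) and the Barok password-sender report that WIN-BUGSFIX.exe mails out, whose layout is quoted above. The following triage helper is an added example written for this archive page; it is not code from Elias Levy, SecurityFocus, CERT or the sendmail ruleset. It assumes the Barok report body is plain text in exactly the layout quoted in the post. The sample messages are constructed: the addresses are placeholders and the xxx values stand in for the leaked credentials, as in the post.

```python
"""Triage helper for the two mail artefacts described in the thread:
the worm's "ILOVEYOU" subject line and the Barok password-sender
report.  Added example, not part of the original post."""
import email
from typing import Dict, List

WORM_SUBJECT_MARKER = "ILOVEYOU"
BAROK_MARKER = "Barok... email.passwords.sender.trojan"
EXFIL_SMTP_HOST = "199.108.232.1"  # SMTP host named in the post (block at the firewall)

# Fields that are always present in the Barok report and are not share credentials.
BAROK_FIXED_FIELDS = {"Host", "Username", "IP Address",
                      "RAS Passwords", "Cache Passwords", "MAPI"}

# Constructed sample of a carrier message; addresses and body are invented.
SAMPLE_WORM_MAIL = """From: sender@example.test
To: victim@example.test
Subject: ILOVEYOU

(constructed body)
"""

# Constructed sample of the Barok report, following the layout quoted in
# the post; the destination address is a placeholder and xxx stands in
# for the leaked usernames and passwords.
SAMPLE_BAROK_MAIL = """To: mailme@example.test
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder

Host: kakker
Username: Default
IP Address: 10.67.101.123
RAS Passwords:
Cache Passwords:
BLABLA\\MPM: xxx
BJORN\\MUSIC: xxx
TOM\\SHARED: xxx
TOM2\\MP3: xxx
www.server.com/: xxx:xxx
MAPI: MAPI
"""


def is_worm_carrier(raw: str) -> bool:
    """True when the Subject contains the worm marker (case-insensitive),
    the same condition the sendmail ruleset from the post blocks on."""
    msg = email.message_from_string(raw)
    return WORM_SUBJECT_MARKER in msg.get("Subject", "").upper()


def is_barok_report(raw: str) -> bool:
    """True when the Subject or X-Mailer header carries the Barok signature."""
    msg = email.message_from_string(raw)
    return any(BAROK_MARKER in msg.get(h, "") for h in ("Subject", "X-Mailer"))


def parse_barok_report(raw: str) -> Dict[str, object]:
    """Extract the victim host/IP and the names of the shares whose
    credentials were leaked.  The secrets themselves are deliberately
    not returned; the share names are what an IR team needs in order
    to rotate the affected passwords."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()
    if not isinstance(body, str):
        body = ""
    fields: Dict[str, str] = {}
    leaked: List[str] = []
    for line in body.splitlines():
        if ":" not in line:
            continue
        # Split on the first colon only: share names contain backslashes
        # and the web entry carries "user:pass" after its own colon.
        name, value = (part.strip() for part in line.split(":", 1))
        if name in BAROK_FIXED_FIELDS:
            fields[name] = value
        elif value:
            leaked.append(name)
    return {
        "host": fields.get("Host", ""),
        "ip": fields.get("IP Address", ""),
        "leaked_shares": leaked,
        "ras_passwords_present": bool(fields.get("RAS Passwords")),
        "cache_passwords_present": bool(fields.get("Cache Passwords")),
    }


if __name__ == "__main__":
    print("carrier:", is_worm_carrier(SAMPLE_WORM_MAIL))
    print("barok report:", is_barok_report(SAMPLE_BAROK_MAIL))
    print(parse_barok_report(SAMPLE_BAROK_MAIL))
```

Run against a mail spool or gateway quarantine, `is_worm_carrier` reproduces the subject-line block, and `parse_barok_report` turns an intercepted outbound Barok message into a list of share names whose credentials must be treated as compromised, together with the reporting host; combined with a firewall block on 199.108.232.1:25 it lets a responder see which machines tried to report out.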