Security Incidents mailing list archives

Re: IL0VEY0U worm


From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Thu, 4 May 2000 16:35:41 -0700


One final update for the day. It seems a couple of variations of the worm
are going around. At least one uses a subject line of "Joke" or "fw: Joke"
and the attachment is called VeryFunny.vbs. Thanks to Patrick Cantwell
<seamus () insomnia org> and Mitchell Patenaude <mrp () sonic net> for pointing
this out.

At least in some instances it seems tabs in the virus code have been
changed to spaces. That means the code looks the same but it's not.
Some antivirus products may be fooled by this. Trend Micro Interscan for
mail servers, Solaris version, seems to be affected. Thanks to
Brett Dikeman <brett () iclick com> for pointing this out.
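The tab-to-space variant matters because a signature taken over the exact bytes of a script misses any whitespace-only edit. The following is an added example, not code from this post or from any of the vendors listed: it hashes a constructed, benign stand-in script both raw and after whitespace normalisation, and shows that only the normalised digest survives the kinds of edit described above. The stand-in script, the digests and the list of edits are all my own construction.

```python
"""Added example: byte-exact versus whitespace-normalised script signatures."""
import hashlib
import re


def normalize(script_text):
    """Canonicalise whitespace a trivial edit can change: unify line endings,
    collapse runs of spaces/tabs, drop trailing blanks and empty lines."""
    lines = []
    for line in script_text.replace("\r\n", "\n").split("\n"):
        line = re.sub(r"[ \t]+", " ", line).strip()
        if line:
            lines.append(line)
    return "\n".join(lines)


def raw_digest(script_text):
    """Signature over the exact bytes, the way a naive scanner would take it."""
    return hashlib.sha256(script_text.encode("utf-8")).hexdigest()


def normalized_digest(script_text):
    """Signature over the canonical form, so whitespace edits do not change it."""
    return hashlib.sha256(normalize(script_text).encode("utf-8")).hexdigest()


# Constructed, harmless stand-in for a "known" script (assumption: not worm code).
KNOWN = 'Sub Main\n\tMsgBox "hello"\nEnd Sub\n'
KNOWN_RAW = raw_digest(KNOWN)
KNOWN_NORMALIZED = normalized_digest(KNOWN)


def variants(script_text):
    """Edits that leave the script's behaviour untouched but change its bytes."""
    return {
        "tabs_to_spaces": script_text.replace("\t", "    "),
        "crlf_line_endings": script_text.replace("\n", "\r\n"),
        "trailing_blanks": script_text.replace("\n", "  \n"),
    }


def matches_raw(script_text):
    return raw_digest(script_text) == KNOWN_RAW


def matches_normalized(script_text):
    return normalized_digest(script_text) == KNOWN_NORMALIZED


if __name__ == "__main__":
    for name, text in variants(KNOWN).items():
        print(name, "raw:", matches_raw(text), "normalised:", matches_normalized(text))
```

Normalisation is a trade-off: it also collapses whitespace inside string literals, so it is a way to keep a known signature matching across cosmetic variants, not a substitute for blocking the attachment type outright as the mail-server filters below do.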

A VB script to disinfect your system is available at
http://www.thepope.org/fix.vbs. It seems to do a good job
but I think it misses a number of extensions like js, jse, css, sct, hta,
jpg, jpeg and wsh.

Matt Davis <bigdog () dogpound vnet net> points out that you can modify
John D. Hardin's procmail filters to stop the worm. You can find them
at ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html

Adele Shakal <adele () caltech edu> had a few tips.

Sendmail.com has a rule to filter the worm based on the subject header
at http://www2.sendmail.com/loveletter. It works with Sendmail 8.9
and newer. You should probably add "Joke" to the subject lines it
scans for.

If you are a Postfix user you can stop the virus by doing the
following:

* Make sure your version of postfix supports the header_checks directive.
* Add the line "header_checks = regexp:/etc/postfix/header_checks"
  to your main.cf file.
* Create a /etc/postfix/header_checks file with a line of:
        /^Subject:.*ILOVEYOU/ REJECT
  or better yet
        /Content.*\.vbs/ REJECT
* Execute "postfix reload".

For Exchange Steve Willocks <willocks () bskb com> recommends
Mail essentials for Exchange/SMTP. It's a commercial product that
you configure to block messages based on types of attachments or
keyword matches among other features. You can find it at
http://www.gfi.com/mesindex.htm

CERT has a small summary of the outbreak at
http://www.cert.org/current/current_activity.html#loveletter

More antivirus updates:

Aladdin:        http://www.aks.com/home/csrt/valerts.asp
CA:             http://www.ca.com/virusinfo/virusalert.htm
DrSolomon:      http://www.drsolomons.com/home/extra.zip
F-Secure:       http://www.f-secure.com/download-purchase/updates.html
Finjan:         http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34
McAfee:         http://download.mcafee.com/extrafiles/love-4.zip
NAI:            http://vil.nai.com/villib/dispVirus.asp?virus_k=98617
Proland:        http://www.pspl.com/virus_info/worms/loveletter.htm
Sophos:         http://www.sophos.com/virusinfo/analyses/vbsloveleta.html
Sophos:         http://www.sophos.com/virusinfo/analyses/trojloveleta.html
Symantec:       http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
TrendMicro:     http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER-O

spiff <spiff () bway net> relates that pop3d on OpenBSD seems to reject the
infected messages with an error message of "Attachment Corrupted", thus
their users are not affected.

Michael Damm <symetrix () symetrix org> seems to think that Norton
Antivirus stops the worm without the latest update. It seems Norton
confuses the virus with VBS.BubbleBoy and stops it. His virus
definition file is 135 days old. Go figure.

Dan Stromberg <strombrg () nis acs uci edu> has developed a Python script
that removes the virus from a set of mbox-formatted mail files. It's
attached. It replaces the infected message with a warning that indicates
who sent the mail. Use at your own risk.

If you use Content-length, this program could mess up your mailbox.
Content-length usage is indicated, I believe, by the "v" option on
your local ("Mlocal" line) mail delivery agent in sendmail.cf.
Please consider the program copylefted.
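The Postfix header_checks rules above and the attached mbox cleaner are two uses of the same idea: match on the Subject line or on the attachment name, then reject or replace. The following is an added example that is neither Dan Stromberg's script nor the Postfix configuration; it applies both kinds of rule to an mbox file in Python, replaces each hit with a warning that names the sender, and re-emits a Content-Length header sized for the new body when the original message carried one, which is the caveat the paragraph above raises. The extension list (the .vbs rule widened to the js, jse, wsh, sct and hta extensions the fix.vbs note says are missed), the sample mailbox and the "[removed]" subject prefix are my own assumptions.

```python
"""Added example: header-rule filtering of an mbox file, with sender warning."""
import email
import mailbox
import os
import re
import tempfile

# Subject rules modelled on the Sendmail/Postfix checks above ("Joke" included).
SUBJECT_RULES = [
    re.compile(r"ILOVEYOU", re.IGNORECASE),
    re.compile(r"^\s*(fw:\s*)?joke\s*$", re.IGNORECASE),
]
# Assumption: extensions beyond .vbs are the ones the post says fix.vbs misses.
ATTACHMENT_RULE = re.compile(r"\.(vbs|js|jse|wsh|sct|hta)$", re.IGNORECASE)

# Constructed sample mailbox: one clean message, one with a script attachment
# (placeholder body, no script), one with the worm's subject line.
SAMPLE_MBOX = """From alice@example.com Thu May  4 09:00:00 2000
From: alice@example.com
To: me@example.com
Subject: lunch?
Content-Length: 12

see you at 1

From mallory@example.com Thu May  4 09:05:00 2000
From: mallory@example.com
To: me@example.com
Subject: check this out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

kindly check the attached file
--sep
Content-Type: application/octet-stream; name="VeryFunny.vbs"
Content-Disposition: attachment; filename="VeryFunny.vbs"

(constructed stand-in, no script body here)
--sep--

From carol@example.com Thu May  4 09:10:00 2000
From: carol@example.com
To: me@example.com
Subject: ILOVEYOU
Content-Length: 30

kindly check the attached file
"""


def matching_rule(msg):
    """Return a description of the first rule the message trips, else None."""
    subject = msg.get("Subject", "")
    for rule in SUBJECT_RULES:
        if rule.search(subject):
            return "subject %r" % subject
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACHMENT_RULE.search(name):
            return "attachment %r" % name
    return None


def check_headers(raw_message):
    """Apply the rules to one raw RFC 822 message, as a header check would."""
    return matching_rule(email.message_from_string(raw_message))


def make_warning(msg, reason):
    """Replacement message: same mbox 'From ' line and envelope, stub body."""
    sender = msg.get("From", "unknown sender")
    warning = mailbox.mboxMessage()
    warning.set_from(msg.get_from())
    for header in ("From", "To", "Date"):
        if header in msg:
            warning[header] = msg[header]
    warning["Subject"] = "[removed] suspected worm message from %s" % sender
    body = ("A message from %s was removed because it matched %s.\n"
            "Tell the sender their machine is probably infected.\n") % (sender, reason)
    warning.set_payload(body)
    # Caveat from the post: an MDA that trusts Content-Length would read past
    # the shorter body, so size the header for the replacement if it was present.
    if "Content-Length" in msg:
        warning["Content-Length"] = str(len(body.encode("utf-8")))
    return warning


def clean_mbox(path):
    """Rewrite the mbox at path in place; return senders of removed messages."""
    removed = []
    box = mailbox.mbox(path)  # on a live spool call box.lock() first
    for key in list(box.keys()):
        msg = box[key]
        reason = matching_rule(msg)
        if reason is None:
            continue
        removed.append(msg.get("From", ""))
        box[key] = make_warning(msg, reason)
    box.flush()
    box.close()
    return removed


def subjects(path):
    """Subject lines of the mailbox, in order, for inspection after cleaning."""
    box = mailbox.mbox(path)
    try:
        return [m.get("Subject", "") for m in box]
    finally:
        box.close()


def make_sample_mbox():
    """Write the constructed sample to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_MBOX.encode("ascii"))
    return path


if __name__ == "__main__":
    sample = make_sample_mbox()
    print("removed:", clean_mbox(sample))
    print("subjects:", subjects(sample))
```

Subject rules run before attachment rules, so the warning is labelled with whichever matched first; running the cleaner a second time removes nothing, because the replacement subjects and bodies trip no rule.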

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum


Attachment (text/plain): otiloveyou_

