[14780] in bugtraq


Re: IL0VEY0U worm

daemon@ATHENA.MIT.EDU (Ed Padin)
Thu May 4 17:20:33 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id:  <88B83692B566C74F82EBDA8D36983E64B922@exchange2000.WAGWEB.COM>
Date:         Thu, 4 May 2000 14:48:34 -0400
Reply-To: Ed Padin <epadin@WAGWEB.COM>
From: Ed Padin <epadin@WAGWEB.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Jim Forester from the snort mailing list (an IDS system) came up with these
rules for trapping the virus. They seem to work, as I've gotten one trigger so
far. I hope you can use this as a template for your own IDS rules:

alert tcp any 110 -> any any (msg:"Incoming Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)
alert tcp any 143 -> any any (msg:"Incoming Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)
alert tcp any any -> any 25 (msg:"Outgoing Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)


>-----Original Message-----
>From: Elias Levy [mailto:aleph1@SECURITYFOCUS.COM]
>Sent: Thursday, May 04, 2000 2:10 PM
>To: BUGTRAQ@SECURITYFOCUS.COM
>Subject: Re: IL0VEY0U worm
>
>
>A quick update with some more information and quick fixes. I am reproducing
>my original message in full below as some people are filtering messages
>with a subject line of ILOVEYOU.
>
>There is a good description of how to disinfect a system manually at
>http://www.thepope.org/index.pl?node_id=140
>
>skyinet.net seems to be off the net. It seems they are being blackholed
>by someone.
>
>The worm has a comment that may or may not indicate the author:
>
>  rem barok -loveletter(vbe) <i hate go to school>
>  rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
>
>I did not make it clear, but the worm does infect files in mapped
>network drives, so it can spread across the network via file shares
>by infecting the files I reported. When someone opens those files
>the worm will execute and infect their system.
>
>It seems the WIN-BUGFIX.exe file will email any cached passwords to
>MAILME@SUPER.NET.PH.
>
>To stop the spread download updates for your antivirus product
>from your vendor. They all have some type of fix by now, but most
>antivirus vendor websites seem to be unavailable under the
>high load. Some I could reach:
>
>NAI: http://download.mcafee.com/extrafiles/love-4.zip
>Datafellows: http://www.datafellows.com/download-purchase/updates.html
>TrendMicro: http://www.antivirus.com/download/pattern.asp
>Sophos: http://www.sophos.com/downloads/ide/index.html#loveleta
>
>You should also not open Visual Basic attachments in email (.VBS), and
>not accept DCCs on IRC from strangers (or friends for that matter)
>unless you know what you are receiving.
>
>If you control your mail server you should try to configure it to
>stop messages with attachments ending in .vbs. There seem to be
>some patches to sendmail from when Melissa came out that do this.
>You may also want to filter all email going out to MAILME@SUPER.NET.PH
>and stop the download of WIN-BUGFIX.exe in your HTTP proxy.
>
>
>* Elias Levy (aleph1@SECURITYFOCUS.COM) [000504 17:02]:
>> A new VB worm is on the loose. This would normally not be bugtraq
>> material as it exploits no new flaws but it has spread enough that it
>> warrants some coverage. This is a quick and dirty analysis of what it does.
>>
>> The worm spreads via email as an attachment and via IRC as a DCC download.
>>
>> The first thing the worm does when executed is save itself to three
>> different locations. Under the system directory as MSKernel32.vbs and
>> LOVE-LETTER-FOR-YOU.TXT.vbs and under the windows directory as
>> Win32DLL.vbs.
>>
>> It then creates a number of registry entries to execute these programs
>> when the machine restarts. These entries are:
>>
>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
>>
>> It will also modify Internet Explorer's start page to point to a web page
>> that downloads a binary called WIN-BUGSFIX.exe. It randomly selects between
>> four different URLs:
>>
>> http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
>> http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
>> http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
>> http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe
>>
>> I've not been able to obtain a copy of the binary to figure out what it does.
>> This does mean the worm has a dynamic component that may change its
>> behavior any time the binary is changed and a new one downloaded.
>>
>> The worm then changes a number of registry keys to run the downloaded binary
>> and to clean up after itself.
>>
>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
>> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
>>         about:blank
>>
>> The worm then creates an HTML file that helps it spread,
>> LOVE-LETTER-FOR-YOU.HTM. This is the file DCC'ed to others on IRC.
>>
>> The worm then spreads to all addresses in the Windows Address Book by
>> sending the file LOVE-LETTER-FOR-YOU.TXT.vbs as an attachment. The
>> email starts:
>>
>> 	kindly check the attached LOVELETTER coming from me.
>>
>> Then the virus searches for attached drives looking for files with
>> certain extensions. It overwrites files ending with vbs and vbe.
>> It overwrites files ending with js, jse, css, wsh, sct, and hta, and
>> then renames them to end with vbs. It overwrites files ending with jpg
>> and jpeg and appends .vbs to their name. It finds files ending with
>> mp2 and mp3, creates vbs files with the same name and sets the hidden
>> attribute on the original mp* files.
>>
>> Then it looks for the mIRC Windows IRC client and overwrites the script.ini
>> file if found. It modifies this file so that it will DCC the
>> LOVE-LETTER-FOR-YOU.HTM file to any people that join a channel the
>> client is in.
>>
>> You can find the source of the worm at:
>>
>> http://www.securityfocus.com/templates/archive.pike?list=82&msg=3911840F.D7597030@thievco.com&part=.1
>>
>> --
>> Elias Levy
>> SecurityFocus.com
>> http://www.securityfocus.com/
>> Si vis pacem, para bellum

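Added example, not part of the post above or of Jim Forester's rules: the two
content strings and the port logic of the three Snort rules, re-expressed as a
Python check over a captured TCP payload, together with the ".vbs attachment"
mail-server filter that the quoted message recommends. The sample mail is
constructed here from the worm comment lines quoted in the analysis (no worm
code), and the addresses in it are made up. It also shows the caveat a
practitioner should keep in mind with the posted rules: they are raw-stream
substring matches, so a base64 Content-Transfer-Encoding hides the marker bytes
from them, while decoding the MIME part first still finds them.

```python
"""Added example (not from the original post or the Snort rules it quotes):
the three Snort rules above as a Python check over a TCP payload, plus the
.vbs attachment filter the quoted message suggests for mail servers.
All sample mail below is constructed here for the demonstration."""
import email
from email import policy
from email.message import EmailMessage

# Both content strings the posted rules require (copied from the rules above).
WORM_MARKERS = (b"rem barok -loveletter", b"@GRAMMERSoft Group")

# Port logic of the three rules: POP3 (110) and IMAP (143) servers talking to a
# client are "Incoming"; any client talking to an SMTP server (25) is "Outgoing".
INCOMING_SRC_PORTS = (110, 143)
OUTGOING_DST_PORT = 25


def snort_style_match(payload, src_port, dst_port):
    """Return the msg string the posted rules would raise, or None.

    Like Snort's content: options, this is a plain byte-substring search over the
    stream as captured, so it only fires when the script travels unencoded.
    """
    if not all(marker in payload for marker in WORM_MARKERS):
        return None
    if src_port in INCOMING_SRC_PORTS:
        return "Incoming Love Letter Worm"
    if dst_port == OUTGOING_DST_PORT:
        return "Outgoing Love Letter Worm"
    return None


def flagged_attachments(raw_message):
    """Names of attachments ending in .vbs, the filter suggested for mail servers.

    The check is on the full filename, so the double extension used by the worm
    (LOVE-LETTER-FOR-YOU.TXT.vbs) is caught whatever precedes the final .vbs.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(".vbs")
    ]


def decoded_marker_match(raw_message):
    """True if any attachment, after MIME transfer decoding, carries both markers.

    This is the check the raw-stream rule cannot do: a base64-encoded attachment
    never contains the marker bytes on the wire.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        body = part.get_payload(decode=True) or b""
        if all(marker in body for marker in WORM_MARKERS):
            return True
    return False


def build_sample(cte):
    """Constructed sample mail carrying the worm's marker comment as a .vbs
    attachment, with the given Content-Transfer-Encoding ('7bit' or 'base64')."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"  # constructed addresses
    msg["To"] = "friend@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    # Only the comment lines quoted in the analysis above; no worm code.
    script = (b"rem barok -loveletter(vbe) <i hate go to school>\n"
              b"rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines\n")
    msg.add_attachment(script, maintype="text", subtype="plain",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs", cte=cte)
    return msg.as_bytes()


if __name__ == "__main__":
    for cte in ("7bit", "base64"):
        raw = build_sample(cte)
        print(cte, "outgoing rule:", snort_style_match(raw, 49152, 25),
              "| .vbs attachments:", flagged_attachments(raw),
              "| decoded markers:", decoded_marker_match(raw))
```

Run stand-alone, the 7bit sample trips the "Outgoing" rule while the base64
sample does not, yet both are caught by the filename filter and by the decoded
check; that is why a gateway-side filter on the attachment name (or on decoded
content) is the more reliable stop, with the IDS rules as a second signal.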
