Re: IL0VEY0U worm
daemon@ATHENA.MIT.EDU (Elias Levy)
Thu May 4 17:59:13 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000504121550.B20905@securityfocus.com>
Date: Thu, 4 May 2000 12:15:50 -0700
Reply-To: Elias Levy <aleph1@SECURITYFOCUS.COM>
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000504110932.N15104@securityfocus.com>
Some further comments.
Jose Nazario <jose@biocserver.BIOC.CWRU.Edu> has been kind enough to
put up a ruleset for sendmail 8.9.x and 8.10.x that stops messages with
"ILOVEYOU" in the subject line. You can find it at:
http://biocserver.cwru.edu/~jose/iloveyouhack.txt
Mike Iglesias <iglesias@draco.acs.uci.edu> and
"Frasnelli, Dan" <dfrasnel@corewar.com> pointed out I had a
typo. The executable file name is WIN-BUGSFIX.exe, not WIN-BUGFIX.exe.
Zoa_Chien <zoa_chien@iname.com> points out that the WIN-BUGSFIX.exe
program connects to the SMTP server at 199.108.232.1 port 25 to
send out its email message. You should block the address at your
firewall. The message looks as follows:
To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Host: kakker
Username: Default
IP Address: 10.67.101.123
RAS Passwords:
Cache Passwords:
BLABLA\MPM : xxx
BJORN\MUSIC : xxx
TOM\SHARED : xxx
TOM2\MP3 : xxx
www.server.com/ : xxx:xxx
MAPI : MAPI
where all xxx's stand for plaintext usernames and passwords of SMB shares
in the subnet.
CERT is trying to determine the scope of the worm infection. They are
asking people that run into the worm to email cert@cert.org with a
subject line of "CERT#35894" and report the incident.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
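Added example, not part of the post: mail-side detection for the two signatures described above, the "ILOVEYOU" Subject that the sendmail ruleset blocks and the Barok password-report message that WIN-BUGSFIX.exe sends out. The sample messages are constructed here, shaped after the report quoted in the post, with a blank header/body separator as a real mail would carry; the function names are mine.

```python
# Added example (not the poster's code): classify captured mail by the
# signatures described above and pull the non-secret fields out of a
# Barok report. Python standard library only.
import re
from email import message_from_string

BAROK_MARKER = "Barok... email.passwords.sender.trojan"  # quoted in the post
BAROK_RELAY = "199.108.232.1"                             # SMTP relay named in the post

def is_iloveyou_subject(raw):
    """Same test as the sendmail ruleset: Subject contains ILOVEYOU."""
    msg = message_from_string(raw)
    return "ILOVEYOU" in (msg.get("Subject") or "").upper()

def is_barok_report(raw):
    """The outbound password report carries the marker in Subject and X-Mailer."""
    msg = message_from_string(raw)
    return any(BAROK_MARKER in (msg.get(h) or "") for h in ("Subject", "X-Mailer"))

def classify(raw):
    if is_barok_report(raw):
        return "barok-report"
    if is_iloveyou_subject(raw):
        return "worm-mail"
    return "clean"

def parse_barok_report(raw):
    """Host/user/IP plus the SMB share names from a report; the secrets are dropped."""
    info = {}
    for key in ("Host", "Username", "IP Address"):
        m = re.search(rf"^{key}:\s*(.*)$", raw, re.M)
        info[key] = m.group(1).strip() if m else None
    # Credential lines look like "MACHINE\SHARE : secret"; keep only the share name.
    info["shares"] = re.findall(r"^([^\s:]+\\[^\s:]+)\s*:", raw, re.M)
    return info

# Constructed samples (not captured traffic).
SAMPLE_REPORT = (
    "To: mailme@super.net.ph\n"
    "Subject: Barok... email.passwords.sender.trojan\n"
    "X-Mailer: Barok... email.passwords.sender.trojan---by: spyder\n\n"
    "Host: kakker\nUsername: Default\nIP Address: 10.67.101.123\n"
    "RAS Passwords:\nCache Passwords:\n"
    "BLABLA\\MPM : xxx\nBJORN\\MUSIC : xxx\nTOM\\SHARED : xxx\nTOM2\\MP3 : xxx\n"
    "www.server.com/ : xxx:xxx\nMAPI : MAPI\n"
)
SAMPLE_WORM = "From: a@example.org\nTo: b@example.org\nSubject: ILOVEYOU\n\nsee attachment\n"
SAMPLE_CLEAN = "From: a@example.org\nTo: b@example.org\nSubject: lunch?\n\nnoon?\n"
```
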