[14784] in bugtraq
Re: IL0VEY0U worm
daemon@ATHENA.MIT.EDU (Elias Levy)
Thu May 4 21:33:00 2000
Message-Id: <20000504163541.D14933@securityfocus.com>
Date: Thu, 4 May 2000 16:35:41 -0700
Reply-To: Elias Levy <aleph1@SECURITYFOCUS.COM>
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000504121550.B20905@securityfocus.com>
One final update for the day. It seems a couple of variations of the worm
are going around. At least one uses a subject line of "Joke" or "fw: Joke"
and the attachment is called VeryFunny.vbs. Thanks to Patrick Cantwell
<seamus@insomnia.org> and Mitchell Patenaude <mrp@sonic.net> for pointing
this out.
At least in some instances it seems tabs in the virus code have been
changed to spaces. That means the code looks the same but it's not.
Some antivirus products may be fooled by this. Trend Micro Interscan for
mail servers, Solaris version, seems to be affected. Thanks to
Brett Dikeman <brett@iclick.com> for pointing this out.
A VB script to disinfect your system is available at
http://www.thepope.org/fix.vbs. It seems to do a good job
but I think it misses a number of extensions like js, jse, css, sct, hta,
jpg, jpeg and wsh.
Matt Davis <bigdog@dogpound.vnet.net> points out that you can modify
John D. Hardin's procmail filters to stop the worm. You can find them
at ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
Adele Shakal <adele@caltech.edu> had a few tips.
Sendmail.com has a rule to filter the worm based on the subject header
at http://www2.sendmail.com/loveletter. It works with Sendmail 8.9
and newer. You should probably add "Joke" to the subject lines it
scans for.
If you are a Postfix user you can stop the virus by doing the
following:
* Make sure your version of postfix supports the header_checks directive.
* Add the line "header_checks = regexp:/etc/postfix/header_checks"
  to your main.cf file.
* Create a /etc/postfix/header_checks file with a line of:
      /^Subject:.*ILOVEYOU/ REJECT
  or better yet
      /Content.*\.vbs/ REJECT
* Execute "postfix reload".
For Exchange Steve Willocks <willocks@bskb.com> recommends
Mail essentials for Exchange/SMTP. It's a commercial product that
you configure to block messages based on types of attachments or
keyword matches among other features. You can find it at
http://www.gfi.com/mesindex.htm
CERT has a small summary of the outbreak at
http://www.cert.org/current/current_activity.html#loveletter
More antivirus updates:
Aladdin: http://www.aks.com/home/csrt/valerts.asp
CA: http://www.ca.com/virusinfo/virusalert.htm
DrSolomon: http://www.drsolomons.com/home/extra.zip
F-Secure: http://www.f-secure.com/download-purchase/updates.html
Finjan: http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34
McAfee: http://download.mcafee.com/extrafiles/love-4.zip
NAI: http://vil.nai.com/villib/dispVirus.asp?virus_k=98617
Proland: http://www.pspl.com/virus_info/worms/loveletter.htm
Sophos: http://www.sophos.com/virusinfo/analyses/vbsloveleta.html
Sophos: http://www.sophos.com/virusinfo/analyses/trojloveleta.html
Symantec: http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
TrendMicro: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER-O
spiff <spiff@bway.net> relates that pop3d on OpenBSD seems to reject the
infected messages with an error message of "Attachment Corrupted", thus
their users are not affected.
Michael Damm <symetrix@symetrix.org> seems to think that Norton
Antivirus stops the worm without the latest update. It seems Norton
confuses the virus with VBS.BubbleBoy and stops it. His virus
definition file is 135 days old. Go figure.
Dan Stromberg <strombrg@nis.acs.uci.edu> has developed a Python script
that removes the virus from a set of mbox-formatted mail files. It's
attached. It replaces the infected message with a warning that indicates
who sent the mail. Use at your own risk.
If you use Content-length, this program could mess up your mailbox.
Content-length usage is indicated, I believe, by the "v" option on
your local ("Mlocal" line) mail delivery agent in sendmail.cf.
Please consider the program copylefted.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
Content-Disposition: attachment; filename=zotiloveyou
#!/usr/bin/env python3
# zotiloveyou: replace ILOVEYOU-infected messages in mbox-format mail files
# with a safe warning. Indentation restored and syntax updated to Python 3
# (string module calls, print statements); the detection logic is unchanged.
import os
import sys


def w(file, l):
    file.write(l)


def possibly_output(f, msg):
    # msg is the list of lines of one message, including its "From " line
    bad = 0
    subject = ''
    from_hdr = '(unknown sender)'
    for line in msg:
        lline = line.lower()
        if lline[0:8] == 'subject:':
            # strip() also removes the space after the colon
            subject = line[8:].strip()
            if subject == 'ILOVEYOU':
                bad = bad + 1
        if lline[0:5] == 'from:':
            from_hdr = line[5:].strip()
        # first line of the worm script, matched exactly
        if line == 'rem barok -loveletter(vbe) <i hate go to school>\n':
            bad = bad + 1
    # change this to >= 1 to be less careful about not removing false positives
    if bad >= 2:
        print('detected virus, replacing with safe warning message')
        w(f, 'From root\n')
        w(f, 'From: root\n')
        w(f, 'Subject: ILOVEYOU virus\n')
        w(f, '\n')
        w(f, 'You received a copy of the ILOVEYOU virus from\n')
        w(f, from_hdr + '.\n')
        w(f, '\n')
        w(f, 'It was replaced with this safe message.\n')
        w(f, '\n')
        w(f, 'You may wish to let the sender of the virus know that they may\n')
        w(f, 'be infected with the virus.\n')
        w(f, '\n')
    else:
        f.writelines(msg)


def main():
    tempfilename = 'zotiloveyou.temp'
    for filename in sys.argv[1:]:
        print('processing', filename)
        # latin-1 round-trips arbitrary mailbox bytes unchanged under Python 3
        infile = open(filename, 'r', encoding='latin-1')
        outfile = open(tempfilename, 'w', encoding='latin-1')
        msg = []
        while 1:
            line = infile.readline()
            if not line:
                break
            # mbox messages are separated by lines beginning "From "
            if line[0:5] == 'From ':
                possibly_output(outfile, msg)
                msg = [line]
            else:
                msg.append(line)
        possibly_output(outfile, msg)
        infile.close()
        outfile.close()
        os.rename(tempfilename, filename)


main()
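The post makes two detection points that the attached script does not cover: a whitespace-rewritten copy of the worm no longer matches an exact string, and the "Joke" / VeryFunny.vbs variant carries neither the ILOVEYOU subject nor the original attachment name. The scanner below is an added example, not part of Elias Levy's post or Dan Stromberg's script. It parses each mbox message with the standard library and scores it on normalised indicators: subject lines named in the post, attachment names ending in the script extensions Levy lists (plus vbs/vbe), and the worm's first comment line compared after collapsing runs of whitespace. The sample mailbox is constructed for the demonstration; the threshold of two indicators mirrors the script's `bad >= 2` choice.

```python
"""Score mbox messages on normalised ILOVEYOU indicators (added example)."""
import email
import email.policy
import re

# Subject lines reported in the post, compared after whitespace/case folding.
SUBJECTS = {"iloveyou", "joke", "fw: joke"}
# First line of the worm script as quoted in the post; compared after
# collapsing runs of whitespace so a tab-to-space rewrite does not evade it.
SIGNATURE = "rem barok -loveletter(vbe) <i hate go to school>"
# Script-type attachment extensions: vbs/vbe plus the ones Levy lists.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsh|hta|sct)$", re.I)


def _norm(s):
    """Collapse runs of whitespace and fold case."""
    return " ".join(s.split()).lower()


def indicators(raw_message):
    """Return the list of indicators found in one RFC 822 message text."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    found = []
    subject = _norm(msg.get("Subject", ""))
    if subject in SUBJECTS:
        found.append("subject:" + subject)
    for part in msg.walk():
        name = part.get_filename()
        if name and SCRIPT_EXT.search(name):
            found.append("attachment:" + name)
        if part.get_content_maintype() != "text":
            continue
        for line in part.get_content().splitlines():
            if _norm(line) == SIGNATURE:
                found.append("signature-line")
                break
    return found


def split_mbox(text):
    """Split mbox text into messages on 'From ' separator lines."""
    messages, current = [], []
    for line in text.splitlines(keepends=True):
        if line.startswith("From ") and current:
            messages.append("".join(current))
            current = []
        current.append(line)
    if current:
        messages.append("".join(current))
    return messages


def scan_mbox(text, min_indicators=2):
    """Return [(message index, indicators)] for messages over the threshold."""
    hits = []
    for i, raw in enumerate(split_mbox(text)):
        # drop the mbox 'From ' envelope line before header parsing
        body = raw.split("\n", 1)[1] if raw.startswith("From ") else raw
        ind = indicators(body)
        if len(ind) >= min_indicators:
            hits.append((i, ind))
    return hits


# Constructed sample mailbox: one benign message, one "fw: Joke" variant with
# a VeryFunny.vbs attachment whose comment line has had its spacing rewritten.
SAMPLE_MBOX = (
    "From alice@example.org Thu May  4 10:00:00 2000\n"
    "From: alice@example.org\n"
    "Subject: lunch?\n"
    "\n"
    "Noon at the usual place.\n"
    "\n"
    "From bob@example.org Thu May  4 11:00:00 2000\n"
    "From: bob@example.org\n"
    "Subject: fw: Joke\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed; boundary=\"xyz\"\n"
    "\n"
    "--xyz\n"
    "Content-Type: text/plain\n"
    "\n"
    "see attached\n"
    "--xyz\n"
    "Content-Type: text/plain; name=\"VeryFunny.vbs\"\n"
    "Content-Disposition: attachment; filename=\"VeryFunny.vbs\"\n"
    "\n"
    "rem   barok  -loveletter(vbe)   <i hate go to school>\n"
    "--xyz--\n"
)

if __name__ == "__main__":
    for index, found in scan_mbox(SAMPLE_MBOX):
        print("message", index, "flagged:", ", ".join(found))
```

Only the second message is flagged, on all three indicators; the benign one scores zero. Scoring rather than a single exact match is the same trade the script's comment describes: raising `min_indicators` reduces false positives, lowering it to 1 catches a message that only carries a script attachment, which is what the Postfix `/Content.*\.vbs/` rule in the post does at the mail server.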