[14793] in bugtraq
Re: IL0VEY0U worm
daemon@ATHENA.MIT.EDU (Elias Levy)
Fri May 5 15:44:17 2000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="yudcn1FV7Hsu/q59"
Message-Id: <20000505123728.W7489@securityfocus.com>
Date: Fri, 5 May 2000 12:37:28 -0700
Reply-To: Elias Levy <aleph1@SECURITYFOCUS.COM>
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000504163541.D14933@securityfocus.com>; from
aleph1@SECURITYFOCUS.COM on Thu, May 04, 2000 at 04:35:41PM -0700
--yudcn1FV7Hsu/q59
Content-Type: text/plain; charset=us-ascii
Another update.
VARIANTS
--------
Toni Tiainen <toni.tiainen@f-secure.com> reports a new variant
they are calling LoveLetter.E, which spreads with a subject of
"Mothers Day Order Confirmation" and a message body of (indented
two spaces):

  Thanks for your purchase!
  We have proceeded to charge your credit card for the amount of $326.92 for
  the mothers day diamond special. We have attached a detailed invoice to this
  email. Please print out the attachment and keep it in a safe place.
  Thanks Again and Have a Happy Mothers Day!

The attachment is named "mothersday.vbs". This variant deletes all files
with an extension of ".bat". F-Secure Anti-Virus for Firewalls with
the latest signature file can detect and delete this variant. For
more info check out http://www.f-secure.com/v-descs/love.htm
The LoveLetter.B variant has a subject of
"Susitikim shi vakara kavos puodukui...".
Brian Moore <bem@cmc.net> reports seeing at least one variant where
the VBS virus was not an attachment but it was instead uuencoded.
This may fool antivirus products. Look out for the string
"begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs" in the message. Could this
be the result of some MTA rewriting the message?
Trend Micro has released pattern file number 695 which includes
definitions to detect the variants reported by Dan Simoes <dans@iclick.com>
(the tabs to spaces variant).
Sean Malloy <sean@emax.com.au> lets us know that changing the
virus to use a WSF extension instead of VBS is just as effective.
WSF stands for Windows Scripting File. Antivirus vendors that want to
be proactive might want to add this extension to their signatures.
The file contents would look something like this:

  <job id="iloveyou">
    <script language="VBScript">
      'insert code here
    </script>
  </job>

or, as Sean points out, you could encode it to obfuscate it by doing:

  <job id="iloveyouencrypted">
    <script language="VBScript.Encode">
      #@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@
    </script>
  </job>

where "#@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@" is the encoded
worm.
It seems the "fwd: Joke" variant attachment is "Very Funny.vbs" (note the
space) and not "VeryFunny.vbs". Or maybe it's a new variant.
FILTERING
---------
As many of you pointed out, filtering based on the subject line is less
than perfect. Sadly that is the best you can do with many MTAs without
some hacking. If others can come up with ways to filter based on
attachments, let us know. If you can filter by attachment, look out
for files with these extensions: VBS, VBE, WSF, WSH, HTA.
Also, the second regexp filter I recommended for Postfix was wrong.
Postfix can only match message headers, not attachment headers. So
the line "/Content.*\.vbs/ REJECT" will have no effect on the worm.
You are left with filtering by subject (e.g. "/^Subject:.*ILOVEYOU/ REJECT").
Jose Nazario <jose@biocserver.BIOC.CWRU.Edu> has updated his sendmail
rules. As suggested by Keith Petersen, it now generates 501 errors (rather
than 553's, which cause an Exchange server to keep retrying delivery) and
it now handles the Joke variants.
http://biocserver.bioc.cwru.edu/~jose/iloveyouhack.txt
Jimmy Corio <jimmy.corio@icube.com> has provided the following procmail
recipe:

  #
  # Look for ILOVEYOU worm. File copy in /var/mail/ILoveYouSave and
  # notify that an infected mail file may have come in.
  # - jc3 05/04/00
  #
  :0 B
  * ^Content-Type: application/octet-stream;.*($|).*name="LOVE-LETTER-FOR-YOU.TXT.vbs"
  {
    ILOVEYOULOG="/var/mail/ILoveYouSave"

    :0 c
    $ILOVEYOULOG

    :0 h
    | (formail -i"Subject: Potential ILOVEYOU worm email received" \
               -i"To:jimmy.corio@icube.com" \
               -i"Content-type: text/plain; charset=\"us-ascii\""; \
       echo "Potential I Love You virus received. Check Log."; \
       echo "Date: `/bin/date`"; \
      ) | \
      $SENDMAIL -oi jimmy.corio@icube.com
  }

Please note you need to change the email address it sends warning messages
to, and you should also modify it to catch the "Very Funny.vbs" attachment.
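As an added illustration (not part of this update, and not any contributor's filter), here is a Python check that applies the rules collected in this section to a raw message: it flags MIME parts whose declared filename ends in VBS, VBE, WSF, WSH or HTA (spaces in the name, as in "Very Funny.vbs", included), spots the uuencoded form Brian Moore saw by its "begin 600 ...vbs" line inside a text body, and keeps the subject rule as a fallback for the case where there is no attachment at all. The sample messages are constructed; the base64 and uuencode lines in them are placeholders, not worm code.

```python
import email
import re
from email import policy

# Attachment extensions this update tells filter authors to watch for.
SCRIPT_EXTENSIONS = ("vbs", "vbe", "wsf", "wsh", "hta")

# Subjects reported in this update, as a fallback rule for the subject header.
WORM_SUBJECT = re.compile(r"ILOVEYOU|fwd: ?Joke|Mothers Day Order Confirmation",
                          re.IGNORECASE)

# A uuencoded file inside a text body announces itself with a
# "begin <mode> <filename>" line; that is the form that has no MIME attachment.
UUENCODE_BEGIN = re.compile(
    r"^begin [0-7]{3} (?P<name>.+\.(?:%s))\s*$" % "|".join(SCRIPT_EXTENSIONS),
    re.IGNORECASE | re.MULTILINE,
)


def has_script_extension(name):
    """True for names such as "Very Funny.vbs" (spaces are fine) or "x.WSF"."""
    return bool(name) and name.lower().endswith(
        tuple("." + ext for ext in SCRIPT_EXTENSIONS)
    )


def find_script_payloads(raw_message):
    """Return [(how, filename), ...] for every script-like payload found.

    'attachment' = a MIME part whose declared filename has a script extension;
    'uuencode'   = a begin line for such a file inside a text/* body.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if has_script_extension(name):
            findings.append(("attachment", name))
        if part.get_content_maintype() == "text":
            for match in UUENCODE_BEGIN.finditer(part.get_content()):
                findings.append(("uuencode", match.group("name")))
    return findings


def reject_reasons(raw_message):
    """Combine the subject rule with the payload checks; empty list = accept."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", ""))
    if WORM_SUBJECT.search(subject):
        reasons.append("subject: " + subject)
    reasons += ["%s: %s" % pair for pair in find_script_payloads(raw_message)]
    return reasons


# Constructed samples (not real captures); payload lines are placeholders.
SAMPLE_JOKE_VARIANT = """\
From: someone@example.com
To: victim@example.com
Subject: fwd: Joke
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=us-ascii

kindly check the attached joke.

--XYZ
Content-Type: application/octet-stream; name="Very Funny.vbs"
Content-Disposition: attachment; filename="Very Funny.vbs"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ--
"""

SAMPLE_UUENCODED = """\
From: someone@example.com
To: victim@example.com
Subject: ILOVEYOU
Content-Type: text/plain; charset=us-ascii

kindly check the attached LOVELETTER coming from me.
begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs
M9'!L86-E:&]L9&5R
`
end
"""

SAMPLE_CLEAN = """\
From: someone@example.com
To: victim@example.com
Subject: lunch?

Noon? I attached nothing.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_JOKE_VARIANT, SAMPLE_UUENCODED, SAMPLE_CLEAN):
        print(reject_reasons(sample) or ["accept"])
```

The same checks belong wherever the MTA can hand a whole message to a script (a procmail recipe, a sendmail filter, or a content filter); the subject rule is kept alongside the payload checks precisely because the uuencoded variant carries no attachment for an attachment-name match to see.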
ANTIVIRUS
---------
Daniel Doekal <ddoc@mia.cz> reports that Norton does not seem to stop the virus
with the 24.4.2000 signature file and that LiveUpdate has not yet listed
a newer signature file. At the same time there are conflicting reports that
Norton does detect the virus, but as the older BubbleBoy virus or by using
its Bloodhound heuristics technology.
Adele Shakal <adele@caltech.edu> points us to DrSolomon's fix at
http://www.drsolomons.com/home/extra.zip
Bernhard Schneck <Bernhard_Schneck@genua.de> points us to this
German antivirus vendor fix http://www.antivir.de/presse/loveletter.htm
RECOVERY SCRIPTS
----------------
Dave Salovesh <salovesh@ramassociates.com> points out my comment about
the ThePope.org recovery script was wrong. Since the overwritten files
are renamed to have a .vbs extension the script does not need to look
for the other extensions. The script is at http://www.thepope.org/fix.vbs
David E Haasnoot <dave@write-design.com> has some scripts to recover
from the worm at http://www.liwdg.org/love.html
Damon Lathe <ascenderon@hotmail.com> points us to another recovery
script called the Love Condom at http://www.creativebits.com/love-condom/
OTHER SOLUTIONS
---------------
Chris Needham <chris@futile.net> had the clever idea of having
skyinet.net, the ISP that hosts the web pages for the WIN-BUGSFIX.exe program,
replace those pages with a page informing users that they are infected
and giving instructions on how to fix their systems. Of course this is
not likely to happen, but local ISPs can redirect these URLs in their
proxies to help their customers.
Dax Kelson <dax@gurulabs.com> found some errors in the script supplied
by Dan Stromberg <strombrg@nis.acs.uci.edu> yesterday. Dan has fixed it
up and made a new version available at
ftp://autoinst.acs.uci.edu/pub/virus/zotiloveyou
David Luyer <david_luyer@pacific.net.au> provides us with a similar
script in perl. It's attached. Run it from /var/spool with $files = `echo mail/*`
or $files = the result of building a list from grep. No forks, execs, etc.,
so it can be run over a few hundred thousand mailboxes without too much pain,
although the locking is very ugly and doesn't actually test the lock.
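For comparison with the attached script, here is an added Python version of the same mailbox cleaning (my example, not David Luyer's code) with the locking caveat above addressed: the dotlock is created with O_EXCL so it really is tested, an flock is taken on the mailbox as well, and the rewritten mailbox is written to a temporary file and swapped in with an atomic rename. Like the Perl, it drops only messages whose header block carries "Subject: ILOVEYOU", so a reply that merely quotes that subject in its body survives. The sample mailbox is constructed.

```python
import fcntl
import os
import re
import stat
import tempfile

# Same rule as the attached Perl script: the worm's own message carries
# exactly this Subject header.
WORM_SUBJECT = re.compile(r"^Subject: ILOVEYOU\s*$")


def split_mbox(text):
    """Split mbox text into messages; each starts at a 'From ' separator line."""
    starts = [m.start() for m in re.finditer(r"^From ", text, re.MULTILINE)]
    if not starts or starts[0] != 0:
        starts.insert(0, 0)  # tolerate a mailbox that lacks a leading separator
    starts.append(len(text))
    return [text[a:b] for a, b in zip(starts, starts[1:]) if text[a:b]]


def is_worm_message(message):
    """Match Subject only inside the header block (before the first blank
    line), so a mail that merely quotes the worm's subject is kept."""
    for line in message.split("\n"):
        if line.rstrip("\r") == "":
            return False
        if WORM_SUBJECT.match(line):
            return True
    return False


def remove_worm_messages(path):
    """Rewrite the mailbox at path without worm messages; return how many
    were dropped. Ownership and mode of the mailbox are preserved."""
    lock_path = path + ".lock"
    # Dotlock created with O_EXCL: creation is atomic, so if another cleaner
    # or a dotlock-honouring MDA holds it we fail loudly instead of racing.
    lock_fd = os.open(lock_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with open(path, "r", encoding="latin-1", newline="") as mbox:
            fcntl.flock(mbox.fileno(), fcntl.LOCK_EX)  # for flock-based MDAs
            messages = split_mbox(mbox.read())
            kept = [m for m in messages if not is_worm_message(m)]
            removed = len(messages) - len(kept)
            if removed:
                st = os.fstat(mbox.fileno())
                fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".",
                                           prefix=".rmvirus-")
                with os.fdopen(fd, "w", encoding="latin-1", newline="") as out:
                    out.write("".join(kept))
                    out.flush()
                    os.fsync(out.fileno())
                os.chmod(tmp, stat.S_IMODE(st.st_mode))
                if os.geteuid() == 0:  # only root may hand the file back
                    os.chown(tmp, st.st_uid, st.st_gid)
                os.replace(tmp, path)  # atomic swap: no half-written mailbox
            fcntl.flock(mbox.fileno(), fcntl.LOCK_UN)
    finally:
        os.close(lock_fd)
        os.unlink(lock_path)
    return removed


# Constructed three-message mailbox: one worm message, and one reply that
# repeats the subject line in its body (must be kept).
SAMPLE_MBOX = (
    "From alice@example.com Thu May  4 10:00:00 2000\n"
    "From: alice@example.com\n"
    "Subject: lunch?\n"
    "\n"
    "Noon?\n"
    "\n"
    "From mallory@example.com Thu May  4 11:00:00 2000\n"
    "From: mallory@example.com\n"
    "Subject: ILOVEYOU\n"
    "\n"
    "kindly check the attached LOVELETTER coming from me.\n"
    "\n"
    "From bob@example.com Thu May  4 12:00:00 2000\n"
    "From: bob@example.com\n"
    "Subject: re: the worm\n"
    "\n"
    "The message header looked like this:\n"
    "Subject: ILOVEYOU\n"
    "\n"
)


def demo():
    """Run the cleaner on the constructed mailbox in a temp dir;
    returns (messages removed, messages left)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "victim")
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.write(SAMPLE_MBOX)
        removed = remove_worm_messages(path)
        with open(path, encoding="latin-1", newline="") as fh:
            left = len(split_mbox(fh.read()))
    return removed, left


if __name__ == "__main__":
    print("removed %d, left %d" % demo())
```

Run it as remove_worm_messages("/var/spool/mail/victim") for each mailbox; it needs root to hand ownership back, which it takes from the original file's stat rather than from a passwd lookup. The rename trick shares one limitation with the Perl: a delivery agent that already has the old inode open keeps writing to it, so the dotlock is what actually keeps concurrent deliveries out.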
Steve Parker <steve@shp.to> points out a way to stop the worm from
propagating (at least via email). The worm uses the OLE automation object
for Outlook to send the infected messages. It obtains a handle to this
object via the following VBS line:

  set out=WScript.CreateObject("Outlook.Application")

"Outlook.Application" references a registry key under HKEY_CLASSES_ROOT.
That key references the CLSID of the OLE automation object for Outlook.
If that key is deleted, renamed, or the CLSID value is changed, VB code will
not be able to automate Outlook, and hence the worm will not propagate
itself via email.
Steve tested this technique and it does not appear to break Outlook. It did,
however, break the Palm HotSync manager.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
--yudcn1FV7Hsu/q59
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=rmvirus
#!/usr/bin/perl
# rmvirus: strip messages with "Subject: ILOVEYOU" from a set of mbox files.
# Run from /var/spool; $files is a space-separated list of mailboxes, e.g.
# the output of `echo mail/*`. Set it below (or uncomment the example line).
$virusremoved = 0;
#$files="mail/victim1 mail/victim2 ..."
$files = join(" ", glob("mail/*")) unless $files;
@files = split(/ /, $files);

# Map login names to uids so each mailbox can be handed back to its owner.
open(PW, "</etc/passwd") || die "cannot read /etc/passwd: $!";
while(<PW>) {
    @l = split(/:/);
    $uid{$l[0]} = $l[2];
}
close(PW);

for $file (@files) {
    print "doing $file...\n";
    $msg = "";
    $isvirus = 0;      # current message carried the worm subject
    $isnotvirus = 0;   # header block has ended; later Subject lines are body
    # Crude dotlock: created but never tested (see the covering mail).
    open (TMP, ">$file.lock");
    close (TMP);
    # Work on a renamed copy and rebuild the mailbox under its original name.
    rename ("$file", "$file.TMP-RM-VIRUS") || die "rename $file: $!";
    open (FILEOLD, "<$file.TMP-RM-VIRUS") || die "open $file.TMP-RM-VIRUS: $!";
    open (FILENEW, ">$file") || die "open $file: $!";
    while (<FILEOLD>) {
        # An mbox "From " separator starts a new message: flush the previous
        # one unless it was the worm.
        if (/^From /) {
            print FILENEW $msg if (!$isvirus);
            $virusremoved++ if ($isvirus);
            print "REMOVED: $virusremoved\n" if ($isvirus);
            $msg = "";
            $isvirus = 0;
            $isnotvirus = 0;
        }
        $msg .= $_;
        # The first blank line ends the headers; only a Subject seen before
        # it counts, so a mail quoting the worm's subject in its body is kept.
        if (/^$/ && !$isvirus) {
            $isnotvirus++;
        }
        if(/^Subject: ILOVEYOU$/) {
            $isvirus++ if (!$isnotvirus);
        }
    }
    # Flush the last message of the mailbox.
    print FILENEW $msg if (!$isvirus);
    $virusremoved++ if ($isvirus);
    $msg = "";
    $isvirus = 0;
    $isnotvirus = 0;
    close (FILEOLD);
    close (FILENEW);
    unlink("$file.TMP-RM-VIRUS");
    unlink("$file.lock");
    # Restore ownership: the mailbox name is the login name. The gid 12 is
    # assumed to be the mail group on the author's system; adjust for yours.
    $user = $file;
    $user =~ s/mail\///;
    print "user = $user\n";
    $uid = 0;
    $uid = $uid{$user} if exists $uid{$user};
    print "uid = $uid\n";
    chown $uid, 12, $file;
    chmod 0660, $file;
}
--yudcn1FV7Hsu/q59--