

Re: IL0VEY0U worm (fwd)



---------- Forwarded message ----------
Date: Fri, 5 May 2000 12:37:28 -0700
From: Elias Levy <aleph1 en SECURITYFOCUS COM>
To: INCIDENTS en SECURITYFOCUS COM
Subject: Re: IL0VEY0U worm

Another update.


VARIANTS
--------

Toni Tiainen <toni tiainen en f-secure com> reports a new variant
they are calling LoveLetter.E which spreads with a subject of
"Mothers Day Order Confirmation" and a message body of (indented
two spaces):

  Thanks for your purchase!

  We have proceeded to charge your credit card for the amount of $326.92 for
  the mothers day diamond special. We have attached a detailed invoice to this
  email. Please print out the attachment and keep it in a safe place.

  Thanks Again and Have a Happy Mothers Day!

The attachment is named "mothersday.vbs". This variant deleted all files
with an extension of ".bat". F-Secure Anti-Virus for Firewalls with
the latest signature file can detect and delete this variant. For
more info check out http://www.f-secure.com/v-descs/love.htm

The LoveLetter.B variant has a subject of
"Susitikim shi vakara kavos puodukui...".

Brian Moore <bem en cmc net> reports seeing at least one variant where
the VBS virus was not an attachment but it was instead uuencoded.
This may fool antivirus products. Look out for the string
"begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs" in the message. Could this
be the result of some MTA rewriting the message?

Trend Micro has released pattern file number 695 which includes
definitions to detect the variants reported by Dan Simoes <dans en iclick com>
(the tabs to spaces variant).

Sean Malloy <sean en emax com au> is letting us know that changing the
virus to use a WSF extension instead of VBS is just as effective.
WSF stands for Windows Scripting File. Antivirus vendors that want to
be proactive might want to add this extension to their signatures.
The file contents would look something like this:

<job id="iloveyou">
<script language="VBScript">
	'insert code here
</script>
</job>

or as Sean points out you could encode it to obfuscate it by doing:

<job id="iloveyouencrypted">
<script language="VBScript.Encode">
#@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@
</script>
</job>

where "#@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@" is the encoded
worm.

It seems the "fwd: Joke" variant attachment is "Very Funny.vbs" (note the
space) and not "VeryFunny.vbs". Or maybe it's a new variant.


FILTERING
---------

As many of you pointed out, filtering based on the subject line is less
than perfect. Sadly that is the best you can do with many MTAs without
some hacking. If others can come up with ways to filter based on
attachments let us know. If you can filter by attachment look out
for files with these extensions: VBS, VBE, WSF, WSH, HTA.

Also the second regexp filter I recommended for Postfix was wrong.
Postfix can only match message headers, not attachment headers. So
the line "/Content.*\.vbs/ REJECT" will have no effect on the worm.
You are left with filtering by subject (e.g. "/^Subject:.*ILOVEYOU/ REJECT").

Jose Nazario <jose en biocserver BIOC CWRU Edu> has updated his sendmail
rules. As suggested by Keith Petersen it now generates 501 errors (rather
than 553's, which causes an Exchange server to keep retrying delivery) and
it now handles the Joke variants.
http://biocserver.bioc.cwru.edu/~jose/iloveyouhack.txt

Jimmy Corio <jimmy corio en icube com> has provided the following procmail
recipe:

#
# Look for ILOVEYOU worm.  File copy in /var/mail/ILoveYouSave and
# notify that an infected mail file may have come in.
# - jc3 05/04/00
#
:0 B
* ^Content-Type: application/octet-stream;.*($|).*name="LOVE-LETTER-FOR-YOU.TXT.vbs"
{
  ILOVEYOULOG="/var/mail/ILoveYouSave"

  :0 c
  $ILOVEYOULOG

  :0 h
    | (formail -i"Subject: Potential ILOVEYOU worm email received" \
      -i"To:jimmy corio en icube com" \
      -i"Content-type: text/plain; charset=\"us-ascii\""; \
      echo "Potential I Love You virus received.  Check Log."; \
      echo "Date: `/bin/date`"; \
      ) | \
      $SENDMAIL -oi jimmy corio en icube com
}

Please note you need to change the email address it sends warning messages
to, and you should also modify it to catch the "Very Funny.vbs" attachment.


ANTIVIRUS
---------

Daniel Doekal <ddoc en mia cz> reports that Norton does not seem to stop the virus
with the 24.4.2000 signature file and that LiveUpdate has not yet listed
a newer signature file. At the same time there are conflicting reports that
Norton does detect the virus, but as the older BubbleBoy virus or by using
its Bloodhound heuristics technology.

Adele Shakal <adele en caltech edu> points us to DrSolomon's fix at
http://www.drsolomons.com/home/extra.zip

Bernhard Schneck <Bernhard_Schneck en genua de> points us to this
German antivirus vendor fix http://www.antivir.de/presse/loveletter.htm


RECOVERY SCRIPTS
----------------

Dave Salovesh <salovesh en ramassociates com> points out my comment about
the ThePope.org recovery script was wrong. Since the overwritten files
are renamed to have a .vbs extension the script does not need to look
for the other extensions. The script is at http://www.thepope.org/fix.vbs

David E Haasnoot <dave en write-design com> has some scripts to recover
from the worm at http://www.liwdg.org/love.html

Damon Lathe <ascenderon en hotmail com> points us to another recovery
script called the Love Condom at http://www.creativebits.com/love-condom/


OTHER SOLUTIONS
---------------

Chris Needham <chris en futile net> had the clever idea of having the
skyinet.net ISP that hosts the web pages for the WIN-BUGSFIX.exe program
replace those pages with a page informing users they are infected
and with instructions on how to fix their systems. Of course this is
not likely to happen, but local ISPs can redirect these URLs in their
proxies to help their customers.

Dax Kelson <dax en gurulabs com> found some errors in the script supplied
by Dan Stromberg <strombrg en nis acs uci edu> yesterday. Dan has fixed it
up and made a new version available at
ftp://autoinst.acs.uci.edu/pub/virus/zotiloveyou

David Luyer <david_luyer en pacific net au> provides us with a similar
script in perl. It's attached. Run from /var/spool with $files = `echo mail/*`
or $files = result of building list from grep.  No forks, execs, etc, etc,
so it can be run over a few hundred thousand mailboxes without too much pain,
although the locking is very ugly and doesn't actually test the lock.

Steve Parker <steve en shp to> points out a way to stop the worm from
propagating (at least via email). The worm uses the OLE automation object
for Outlook to send the infected messages. It obtains a handle to this
object via the following VBS line:

	set out=WScript.CreateObject("Outlook.Application")

"Outlook.Application" references a registry key under HKEY_CLASSES_ROOT.
That key references the CLSID of the OLE automation object for Outlook.
If that key is deleted, renamed, or the CLSID value is changed, VB code will
not be able to automate Outlook, and hence the worm will not propagate
itself via email.

Steve tested this technique and it does not appear to break Outlook.  It did,
however, break the Palm HotSync manager.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

#!/usr/bin/perl
# David Luyer's mbox cleaner: drops every message whose headers carry
# "Subject: ILOVEYOU" from the listed spool files.  Run from /var/spool
# with $files set to the mailbox list (e.g. `echo mail/*`, or a list built
# from grep); if $files is left empty the mailboxes are taken from @ARGV.
use strict;
use warnings;

my $files = "";   # e.g. "mail/victim1 mail/victim2 ..."
my @files = $files =~ /\S/ ? split(' ', $files) : @ARGV;
my $virusremoved = 0;

# Map login names to uids so each rewritten mailbox can be chowned back.
my %uid;
open(my $pw, '<', '/etc/passwd') or die "cannot read /etc/passwd: $!";
while (<$pw>) {
  my @l = split(/:/);
  $uid{$l[0]} = $l[2];
}
close($pw);

for my $file (@files) {
   print "doing $file...\n";
   my $msg = "";
   my $isvirus = 0;      # current message has Subject: ILOVEYOU in its headers
   my $isnotvirus = 0;   # non-zero once the header block has ended
   # The lock file is created but never checked (the "very ugly" locking).
   open(my $tmp, '>', "$file.lock") or die "cannot create $file.lock: $!";
   close($tmp);
   rename($file, "$file.TMP-RM-VIRUS") or die "cannot rename $file: $!";
   open(my $fileold, '<', "$file.TMP-RM-VIRUS") or die "cannot read $file.TMP-RM-VIRUS: $!";
   open(my $filenew, '>', $file) or die "cannot write $file: $!";
   while (<$fileold>) {
     # mbox separator: flush the previous message unless it was the worm
     if (/^From /) {
       print {$filenew} $msg if (!$isvirus);
       $virusremoved++ if ($isvirus);
       print "REMOVED: $virusremoved\n" if ($isvirus);
       $msg = "";
       $isvirus = 0;
       $isnotvirus = 0;
     }
     $msg .= $_;
     # the first blank line ends the headers; a Subject: after it is body text
     if (/^$/ && !$isvirus) {
       $isnotvirus++;
     }
     if (/^Subject: ILOVEYOU$/) {
       $isvirus++ if (!$isnotvirus);
     }
   }
   # flush the last message in the file
   print {$filenew} $msg if (!$isvirus);
   $virusremoved++ if ($isvirus);
   close($fileold);
   close($filenew);
   unlink("$file.TMP-RM-VIRUS");
   unlink("$file.lock");
   # hand the mailbox back to its owner: the mailbox name is the login name,
   # and gid 12 is hard-coded (presumably the mail group on the author's system)
   my $user = $file;
   $user =~ s/mail\///;
   print "user = $user\n";
   my $uid = exists $uid{$user} ? $uid{$user} : 0;
   print "uid = $uid\n";
   chown $uid, 12, $file;
   chmod 0660, $file;
}
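As an added illustration of the FILTERING discussion above (this is not code from the list or from any of the contributors), the following Python scanner applies this update's indicators to an mbox spool: the subject lines named here, attachment names ending in VBS/VBE/WSF/WSH/HTA, and the uuencoded body form that attachment-name filters miss. It goes slightly beyond the post by also splitting the spool on "From " separators the way the attached perl script does; the sample spool is constructed.

```python
import re
import email.policy
# Indicators from the list discussion: known subject lines and the script
# extensions (VBS, VBE, WSF, WSH, HTA) that attachment filters should catch.
WORM_SUBJECTS = {"ILOVEYOU", "Susitikim shi vakara kavos puodukui...",
                 "Mothers Day Order Confirmation", "fwd: Joke"}
SCRIPT_EXTS = ("vbs", "vbe", "wsf", "wsh", "hta")
# uuencode header line ("begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs"): the body variant.
UUENCODE_RE = re.compile(r"^begin \d{3} (\S+\.(?:%s))\s*$" % "|".join(SCRIPT_EXTS),
                         re.IGNORECASE | re.MULTILINE)

def scan_message(raw):
    """Return why a message looks like the worm (an empty list means clean)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    reasons = []
    if (msg["Subject"] or "").strip() in WORM_SUBJECTS:
        reasons.append("subject: " + msg["Subject"].strip())
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename= or Content-Type name=
        if name and name.lower().rsplit(".", 1)[-1] in SCRIPT_EXTS:
            reasons.append("attachment: " + name)
        if part.get_content_maintype() == "text":
            for m in UUENCODE_RE.finditer(part.get_content()):
                reasons.append("uuencoded: " + m.group(1))
    return reasons

def scan_mbox(text):
    """Split an mbox spool on its 'From ' separators; return {index: reasons} for hits."""
    parts = re.split(r"^From .*\n", text, flags=re.MULTILINE)[1:]
    return {i: r for i, r in enumerate(map(scan_message, parts)) if r}

# Constructed sample spool (not a real capture): the MIME-attachment form and
# the uuencoded "fwd: Joke" form reported on the list.
SAMPLE_MBOX = """\
From a@example.test Thu May  4 10:00:00 2000
Subject: ILOVEYOU
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"

(attachment data omitted)
--b1--
From b@example.test Thu May  4 10:01:00 2000
Subject: fwd: Joke

begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs
(uuencoded data lines omitted)
end
"""
```

Subject matching alone is the weak check the post warns about; the attachment and uuencode checks are what catch the "Very Funny.vbs" and body-encoded variants.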

-- 
To unsubscribe, send mail to: ayuda-unsubscribe en linux org mx
For additional commands, send mail to: ayuda-help en linux org mx

