---------- Forwarded message ----------
Date: Fri, 5 May 2000 12:37:28 -0700
From: Elias Levy <aleph1 en SECURITYFOCUS COM>
To: INCIDENTS en SECURITYFOCUS COM
Subject: Re: IL0VEY0U worm

Another update.

VARIANTS
--------

Toni Tiainen <toni tiainen en f-secure com> reports a new variant they are calling LoveLetter.E, which spreads with a subject of "Mothers Day Order Confirmation" and a message body of (indented two spaces):

  Thanks for your purchase! We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day!

The attachment is named "mothersday.vbs". This variant deletes all files with an extension of ".bat". F-Secure Anti-Virus for Firewalls with the latest signature file can detect and delete this variant. For more info check out http://www.f-secure.com/v-descs/love.htm

The LoveLetter.B variant has a subject of "Susitikim shi vakara kavos puodukui...".

Brian Moore <bem en cmc net> reports seeing at least one variant where the VBS virus was not an attachment but was instead uuencoded. This may fool antivirus products. Look out for the string "begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs" in the message. Could this be the result of some MTA rewriting the message?

Trend Micro has released pattern file number 695, which includes definitions to detect the variants reported by Dan Simoes <dans en iclick com> (the tabs-to-spaces variant).

Sean Malloy <sean en emax com au> lets us know that changing the virus to use a WSF extension instead of VBS is just as effective. WSF stands for Windows Scripting File. Antivirus vendors that want to be proactive might want to add this extension to their signatures.
The file contents would look something like this:

  <job id="iloveyou">
  <script language="VBScript">
  'insert code here
  </script>
  </job>

or, as Sean points out, you could encode it to obfuscate it by doing:

  <job id="iloveyouencrypted">
  <script language="VBScript.Encode">
  #@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@
  </script>
  </job>

where "#@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@" is the encoded worm.

It seems the "fwd: Joke" variant attachment is "Very Funny.vbs" (note the space) and not "VeryFunny.vbs". Or maybe it's a new variant.

FILTERING
---------

As many of you pointed out, filtering based on the subject line is less than perfect. Sadly that is the best you can do with many MTAs without some hacking. If others can come up with ways to filter based on attachments, let us know. If you can filter by attachment, look out for files with these extensions: VBS, VBE, WSF, WSH, HTA.

Also, the second regexp filter I recommended for Postfix was wrong. Postfix can only match message headers, not attachment headers. So the line "/Content.*\.vbs/ REJECT" will have no effect on the worm. You are left with filtering by subject (e.g. "/^Subject:.*ILOVEYOU/ REJECT").

Jose Nazario <jose en biocserver BIOC CWRU Edu> has updated his sendmail rules. As suggested by Keith Petersen, it now generates 501 errors (rather than 553's, which cause an Exchange server to keep retrying delivery) and it now handles the Joke variants.

http://biocserver.bioc.cwru.edu/~jose/iloveyouhack.txt

Jimmy Corio <jimmy corio en icube com> has provided the following procmail recipe:

  #
  # Look for ILOVEYOU worm. File copy in /var/mail/ILoveYouSave and
  # notify that an infected mail file may have come in.
  # - jc3 05/04/00
  #
  :0 B
  * ^Content-Type: application/octet-stream;.*($|).*name="LOVE-LETTER-FOR-YOU.TXT.vbs"
  {
    ILOVEYOULOG="/var/mail/ILoveYouSave"

    :0 c
    $ILOVEYOULOG

    :0 h
    | (formail -i"Subject: Potential ILOVEYOU worm email received" \
       -i"To:jimmy corio en icube com" \
       -i"Content-type: text/plain; charset=\"us-ascii\""; \
       echo "Potential I Love You virus received. Check Log."; \
       echo "Date: `/bin/date`"; \
      ) | \
      $SENDMAIL -oi jimmy corio en icube com
  }

Please note you need to change the email address it sends warning messages to, and you should also modify it to catch the "Very Funny.vbs" attachment.

ANTIVIRUS
---------

Daniel Doekal <ddoc en mia cz> reports that it does not seem to stop the virus with the 24.4.2000 signature file and that LiveUpdate has not yet listed a newer signature file. At the same time there are conflicting reports that Norton does detect the virus, but as the older BubbleBoy virus or by using its Bloodhound heuristics technology.

Adele Shakal <adele en caltech edu> points us to DrSolomon's fix at http://www.drsolomons.com/home/extra.zip

Bernhard Schneck <Bernhard_Schneck en genua de> points us to this German antivirus vendor fix http://www.antivir.de/presse/loveletter.htm

RECOVERY SCRIPTS
----------------

Dave Salovesh <salovesh en ramassociates com> points out my comment about the ThePope.org recovery script was wrong. Since the overwritten files are renamed to have a .vbs extension, the script does not need to look for the other extensions.
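Added example, not from this post or any of its contributors: an attachment-aware check in Python for the FILTERING section above. It walks the MIME parts for the extensions listed there (VBS, VBE, WSF, WSH, HTA), so it does not depend on the Subject line, and it also scans text bodies for the uuencoded form reported above, which has no MIME attachment for a header-only rule to see. The two sample messages are constructed, not real worm mail.

```python
import email
import re
from email import policy
# Attachment extensions the post lists as worth blocking.
BLOCKED_EXTENSIONS = ("vbs", "vbe", "wsf", "wsh", "hta")
# The uuencoded variant puts the script in the body as "begin 600 <name>", so a
# MIME-part walk alone misses it; text bodies are scanned for that line too.
UUENCODE_RE = re.compile(
    r"^begin \d{3} (\S.*\.(?:" + "|".join(BLOCKED_EXTENSIONS) + r"))[ \t]*$",
    re.IGNORECASE | re.MULTILINE)

def has_blocked_extension(filename):
    """True for names like 'Very Funny.vbs' or 'LOVE-LETTER-FOR-YOU.TXT.vbs'."""
    if not filename or "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].strip().lower() in BLOCKED_EXTENSIONS

def find_suspect_attachments(raw_message):
    """Names (MIME parts or uuencoded blocks) an attachment-aware filter would reject."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition, else Content-Type name=
        if has_blocked_extension(name):
            hits.append(name)
        if part.get_content_maintype() == "text":
            hits.extend(UUENCODE_RE.findall(part.get_content()))
    return hits

# Constructed samples (not real worm mail): the "Very Funny.vbs" name with a
# space, and the uuencoded form that carries no MIME attachment at all.
SAMPLE_MIME = """\
Subject: fwd: Joke
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Very Funny.vbs"
Content-Disposition: attachment; filename="Very Funny.vbs"

' placeholder body, not the worm
--b1--
"""
SAMPLE_UU = """\
Subject: ILOVEYOU
Content-Type: text/plain

begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs
M placeholder
end
"""
```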
The script is at http://www.thepope.org/fix.vbs

David E Haasnoot <dave en write-design com> has some scripts to recover from the worm at http://www.liwdg.org/love.html

Damon Lathe <ascenderon en hotmail com> points us to another recovery script called the Love Condom at http://www.creativebits.com/love-condom/

OTHER SOLUTIONS
---------------

Chris Needham <chris en futile net> had the clever idea of having the skyinet.net ISP that hosts the web pages for the WIN-BUGSFIX.exe program replace those pages with a page informing users that they are infected, with instructions on how to fix their systems. Of course this is not likely to happen, but local ISPs can redirect these URLs in their proxies to help their customers.

Dax Kelson <dax en gurulabs com> found some errors in the script supplied by Dan Stromberg <strombrg en nis acs uci edu> yesterday. Dan has fixed it up and made a new version available at ftp://autoinst.acs.uci.edu/pub/virus/zotiloveyou

David Luyer <david_luyer en pacific net au> provides us with a similar script in perl. It's attached. Run from /var/spool with $files = `echo mail/*` or $files = result of building list from grep. No forks, execs, etc, etc, so it can be run over a few hundred thousand mailboxes without too much pain, although the locking is very ugly and doesn't actually test the lock.

Steve Parker <steve en shp to> points out a way to stop the worm from propagating (at least via email). The worm uses the OLE automation object for Outlook to send the infected messages. It obtains a handle to this object via the following VBS line:

  set out=WScript.CreateObject("Outlook.Application")

"Outlook.Application" references a registry key under HKEY_CLASSES_ROOT. That key references the CLSID of the OLE automation object for Outlook. If that key is deleted, renamed, or the CLSID value is changed, VB code will not be able to automate Outlook, and hence the worm will not propagate itself via email.
Steve tested this technique and it does not appear to break Outlook. It did, however, break the Palm HotSync manager.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
#!/usr/bin/perl
# Strip ILOVEYOU messages (header "Subject: ILOVEYOU") out of mbox-format
# spool files in place. Run from /var/spool; $files is a space-separated
# list of mailboxes, built with echo as described in the post or from grep.
$virusremoved = 0;
#$files="mail/victim1 mail/victim2 ...";
$files = `echo mail/*`;
chomp($files);    # drop the trailing newline from echo, or the last name is mangled
@files = split(/ /, $files);

# Map login names to uids so each rewritten mailbox can be chowned back.
open(PW, "</etc/passwd") or die "cannot read /etc/passwd: $!";
while (<PW>) {
    @l = split(/:/);
    $uid{$l[0]} = $l[2];
}
close(PW);

for $file (@files) {
    print "doing $file...\n";
    $msg = "";
    $isvirus = 0;
    $isnotvirus = 0;
    # "lock": a lock file is created but, as the post admits, never tested for
    open(TMP, ">$file.lock") or die "cannot create $file.lock: $!";
    close(TMP);
    # fail loudly here: the original continued and truncated $file on a failed rename
    rename("$file", "$file.TMP-RM-VIRUS") or die "cannot rename $file: $!";
    open(FILEOLD, "<$file.TMP-RM-VIRUS") or die "cannot open $file.TMP-RM-VIRUS: $!";
    open(FILENEW, ">$file") or die "cannot create $file: $!";
    while (<FILEOLD>) {
        if (/^From /) {
            # start of the next message: write out the previous one unless it was the worm
            print FILENEW $msg if (!$isvirus);
            $virusremoved++ if ($isvirus);
            print "REMOVED: $virusremoved\n" if ($isvirus);
            $msg = "";
            $isvirus = 0;
            $isnotvirus = 0;
        }
        $msg .= $_;
        # the first blank line ends the headers; a Subject seen after it is body text
        if (/^$/ && !$isvirus) {
            $isnotvirus++;
        }
        if (/^Subject: ILOVEYOU$/) {
            $isvirus++ if (!$isnotvirus);
        }
    }
    # flush the last message in the mailbox
    print FILENEW $msg if (!$isvirus);
    $virusremoved++ if ($isvirus);
    $msg = "";
    $isvirus = 0;
    $isnotvirus = 0;
    close(FILEOLD);
    close(FILENEW);
    unlink("$file.TMP-RM-VIRUS");
    unlink("$file.lock");
    # restore ownership: the mailbox name is the login name; gid 12 is the mail
    # group on the author's system (adjust for yours)
    $user = $file;
    $user =~ s/mail\///;
    print "user = $user\n";
    $uid = 0;
    $uid = $uid{$user} if exists $uid{$user};
    print "uid = $uid\n";
    chown $uid, 12, $file;
    chmod 0660, $file;
}