Date: Fri, 5 May 2000 07:21:13 +1200 (NZST)
From: Joe Abley <jabley@automagic.org>
To: hackers@freebsd.org
Subject: Re: IL0VEY0U worm (fwd)
Message-ID: <Pine.BSO.4.21.0005050719530.10477-100000@flame.quicksilver.co.nz>
In the interests of putting the ILOVEYOU thread to death, here's a concise
description of the worm from bugtraq.

---------- Forwarded message ----------
Date: Thu, 4 May 2000 11:09:32 -0700
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: IL0VEY0U worm

A quick update with some more information and quick fixes. I am reproducing
my original message in full below as some people are filtering messages
with a subject line of ILOVEYOU.

There is a good description of how to disinfect a system manually at
http://www.thepope.org/index.pl?node_id=140

skyinet.net seems to be off the net. It seems they are being blackholed by
someone.

The worm has a comment that may or may not indicate the author:

rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines

I did not make it clear, but the worm does infect files in mapped network
drives, so it can spread across the network via file shares by infecting the
files I reported. When someone opens those files the worm will execute and
infect their system.

It seems the WIN-BUGFIX.exe file will email any cached passwords to
MAILME@SUPER.NET.PH.

To stop the spread, download updates for your antivirus product from your
vendor. They all have some type of fix by now, but most antivirus vendor
websites seem to be unavailable under the high load. Some I could reach:

NAI: http://download.mcafee.com/extrafiles/love-4.zip
Datafellows: http://www.datafellows.com/download-purchase/updates.html
TrendMicro: http://www.antivirus.com/download/pattern.asp
Sophos: http://www.sophos.com/downloads/ide/index.html#loveleta

You should also not open visual basic attachments in email (.VBS), and not
accept DCC's on IRC from strangers (or friends for that matter) unless you
know what you are receiving.

If you control your mail server you should try to configure it to stop
messages with attachments ending in .vbs. There seem to be some patches to
sendmail from when Melissa came out that do this. You may also want to
filter all email going out to MAILME@SUPER.NET.PH and stop the download of
WIN-BUGFIX.exe in your HTTP proxy.

* Elias Levy (aleph1@SECURITYFOCUS.COM) [000504 17:02]:
> A new VB worm is on the loose. This would normally not be bugtraq
> material as it exploits no new flaws but it has spread enough that it
> warrants some coverage. This is a quick and dirty analysis of what it does.
>
> The worm spreads via email as an attachment and via IRC as a DCC download.
>
> The first thing the worm does when executed is save itself to three
> different locations. Under the system directory as MSKernel32.vbs and
> LOVE-LETTER-FOR-YOU.TXT.vbs and under the windows directory as
> Win32DLL.vbs.
>
> It then creates a number of registry entries to execute these programs
> when the machine restarts. These entries are:
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
>
> It will also modify Internet Explorer's start page to point to a web page
> that downloads a binary called WIN-BUGSFIX.exe. It randomly selects between
> four different URLs:
>
> http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
> http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
> http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
> http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe
>
> I've not been able to obtain a copy of the binary to figure out what it does.
> This does mean the worm has a dynamic component that may change its
> behavior any time the binary is changed and a new one downloaded.
>
> The worm then changes a number of registry keys to run the downloaded binary
> and to clean up after itself.
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
> about:blank
>
> The worm then creates an HTML file that helps it spread,
> LOVE-LETTER-FOR-YOU.HTM. This is the file DCC'ed to others on IRC.
>
> The worm then spreads to all addresses in the Windows Address Book by
> sending the file LOVE-LETTER-FOR-YOU.TXT.vbs as an attachment. The
> email starts:
>
> kindly check the attached LOVELETTER coming from me.
>
> Then the virus searches for attached drives looking for files with
> certain extensions. It overwrites files ending with vbs, and vbe.
> It overwrites files ending with js, jse, css, wsh, sct, and hta, and
> then renames them to end with vbs. It overwrites files ending with jpg
> and jpeg and appends .vbs to their name. It finds files with the name
> mp3 and mp3, creates vbs files with the same name and sets the hidden
> attribute in the original mp* files.
>
> Then it looks for the mIRC windows IRC client and overwrites the script.ini
> file if found. It modifies this file so that it will DCC the
> LOVE-LETTER-FOR-YOU.HTM file to any people that join a channel the
> client is in.
>
> You can find the source of the worm at:
>
> http://www.securityfocus.com/templates/archive.pike?list=82&msg=3911840F.D7597030@thievco.com&part=.1
>
> --
> Elias Levy
> SecurityFocus.com
> http://www.securityfocus.com/
> Si vis pacem, para bellum

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
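The mail-server filtering the post recommends (stop .vbs attachments, watch for mail to MAILME@SUPER.NET.PH), written out as an added example that is not part of the thread: a Python check using only the standard library that parses one message and returns the indicators the post names. The sample message is constructed and its attachment body is a placeholder, not worm code.

```python
from email import message_from_string

# Indicators named in the post; the two subject spellings are the thread's own variants.
BLOCKED_EXTENSIONS = (".vbs", ".vbe")
SUBJECT_MARKERS = ("ILOVEYOU", "IL0VEY0U")
BODY_MARKER = "kindly check the attached loveletter coming from me"
EXFIL_RECIPIENT = "mailme@super.net.ph"

# Constructed sample in the shape the post describes; the attachment is a placeholder.
SAMPLE = """\
From: victim@example.org
To: friend@example.org
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--XX
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

' placeholder
--XX--
"""


def classify(raw: str) -> list[str]:
    """Return the reasons a message should be quarantined; an empty list means clean."""
    msg = message_from_string(raw)
    reasons = []
    body = ""
    for part in msg.walk():
        name = part.get_filename()
        # Test the whole filename so a double extension like .TXT.vbs is caught.
        if name and name.lower().endswith(BLOCKED_EXTENSIONS):
            reasons.append(f"script attachment: {name}")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode(errors="replace")
    subject = msg.get("Subject", "")
    if any(m in subject.upper() for m in SUBJECT_MARKERS):
        reasons.append(f"worm subject: {subject}")
    if BODY_MARKER in body.lower():
        reasons.append("worm body text")
    # Outbound filter from the post: anything addressed to the password drop box.
    recipients = " ".join(msg.get_all("To", []) + msg.get_all("Cc", []))
    if EXFIL_RECIPIENT in recipients.lower():
        reasons.append(f"recipient is password drop box: {EXFIL_RECIPIENT}")
    return reasons
```

A real deployment would run `classify` from a milter or procmail hook on each message and quarantine anything with a non-empty result.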