[lug] [GLUE] Fwd: [cfgeeks] The new worm virus. (fwd)

Charles Morrison cmorrison at info2000.net
Thu May 4 10:43:10 MDT 2000


On Thu, 04 May 2000, you wrote:

> 
> How many people here have seen the new "ILOVEYOU" virus today?  We have seen
> a few of the messages come in here this morning but nobody here has been
> infected.  CRC and several other companies have been hit hard by it.  It only
> affects MS Outlook users so most of us geeks are OK. 
> 
> If you add these lines to your sendmail.cf file it will bounce the emails
> containing the virus:
> HSubject:       $>Check_Subject
> D{MPat}ILOVEYOU
> D{MMsg}This message may contain a virus.
> 
> SCheck_Subject
> R${MPat} $*	$#error $: 553 ${MMsg}
> RRe: ${MPat} $*	$#error $: 553 ${MMsg}
> 
> Note: the spaces between the $* and the $#error on the last two lines are
> supposed to be tabs.
> 
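
A filter in the spirit of the sendmail.cf rules quoted above, as an added example that is not part of the original thread: it reimplements the Subject check in Python and also looks for the two other message traits described in the forwarded analysis later in this post (the body phrase and the doubled-extension .vbs attachment). The sample message is constructed, with a harmless placeholder in place of the attachment.

```python
import email
from email import policy

SUBJECT_PATTERN = "ILOVEYOU"  # the ${MPat} of the sendmail rule above
BODY_PHRASE = "kindly check the attached loveletter coming from me"
# Extensions Windows Scripting Host runs on double-click (per the analysis).
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsh", ".hta")

def subject_matches(subject):
    """Mirror of the two sendmail rules: '${MPat} $*' and 'Re: ${MPat} $*'."""
    s = (subject or "").strip()
    if s.lower().startswith("re:"):
        s = s[3:].strip()
    return s.startswith(SUBJECT_PATTERN)

def script_attachments(msg):
    """Attachment names whose real (last) extension is a script type."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(SCRIPT_EXTS)]

def classify(raw_bytes):
    """Return the reasons a message would be rejected (empty list = clean)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if subject_matches(msg["Subject"]):
        reasons.append("subject matches " + SUBJECT_PATTERN)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if BODY_PHRASE in " ".join(text.lower().split()):
        reasons.append("body contains the LOVELETTER phrase")
    for name in script_attachments(msg):
        reasons.append("script attachment " + name)
    return reasons

# Constructed sample shaped like the message the thread describes;
# the attachment body is a harmless placeholder, not the worm.
SAMPLE = b"""From: someone@example.invalid
Subject: Re: ILOVEYOU
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

rem placeholder
--b1--
"""
```

Like the sendmail rule, the Subject test only matches messages whose Subject begins with the pattern; the attachment check is the one that catches renamed copies.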


I got it twice, from the same unlucky windows user. I even clicked on the
attachment to see what would happen. Apparently nothing on my Linux systems.

If you're curious about what it actually does, read on. This is from an email I
got via a list at work:
-----------------------------------------------------
Just FYI, from USENET:

>From: frisk at complex.is (Fridrik Skulason)
>Subject: Analysis of LoveLetter
>Date: 4 May 2000 12:20:10 -0000
>
>The following analysis is the work of the researchers at Frisk Software
>International, primarily Dr. Vesselin Bontchev and Peter Ferrie.
>
>The worm poses a risk to users that have Windows Scripting Host (including
>Win '98 users, users who have installed IE 5.x in default mode, users who
>have installed WSH specifically, and probably users of Windows 2000).
>
>The worm will only spread from infected machines that have Outlook '98
>or Outlook 2000 installed, but it will damage/overwrite files even if
>Outlook is not in use.
>
>The worm is received either as an e-mail attachment or via IRC.  If the
>user does not open (double-click on) the attached file, the worm will not
>run or do any damage.
>
>If it is received via e-mail, the Subject: of the message
>is "ILOVEYOU" and the body of the message says
>
>  kindly check the attached LOVELETTER coming from me.
>
>The name of the attachment is LOVE-LETTER-FOR-YOU.TXT.vbs
>(which, if the system is configured not to show the
>extensions of the files, will look like a TXT file to the
>user).
>
>If it is received via IRC, it resides in a file named
>LOVE-LETTER-FOR-YOU.HTM.
>
>When executed, the worm makes copies of itself under
>the names MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs
>in the Windows System directory and under the name
>Win32DLL.vbs in the Windows directory. Then it modifies
>the Registry, so that the files Win32DLL.vbs and
>MSKernel32.vbs will be executed every time Windows is
>started.
>
>Then the worm modifies the Registry, changing the
>startup page of the Internet Explorer, so that when IE
>is started, it will download a file named WIN-BUGSFIX.exe
>from one of 4 possible places on http://www.skyinet.net
>(randomly selected) and the Registry is modified, so
>that this file is executed the next time Windows is
>started.
>
>Then the worm creates an HTML version of itself, in a
>file named LOVE-LETTER-FOR-YOU.HTM in the Windows System
>directory.
>
>Next, the worm starts a copy of Outlook in the
>background (only Outlook 98 or 2000 will work - not
>Outlook 97 or Outlook Express). It examines all Outlook
>Address Books and, if an Outlook Address Book contains
>more addresses than the Windows Address Book, the worm
>mass-mails itself to all addresses in that Outlook
>Address Book. (The worm does NOT mass-mail itself to
>any addresses in the Windows Address Book.)
>
>Finally, the worm examines all directories on all hard
>and network drives. If a file has one of the following
>extensions: VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, MP2,
>MP3, JPG or JPEG the worm overwrites the file with a
>copy of itself. If the extension was not VBS or VBE, the
>worm adds the extension VBS to the name of the file -
>so that, for instance, PICTURE.JPG becomes
>PICTURE.JPG.vbs. In case a MP2 or MP3 file was
>overwritten, the worm also sets its file attribute to
>ReadOnly.
>
>If, during this directory traversal, any of the following
>files is found: mirc32.exe, mlink32.exe, mirc.ini,
>script.ini or mirc.hlp, the worm drops in that directory
>a file named SCRIPT.INI which begins with the comments
>
>;mIRC Script
>;  Please dont edit this script... mIRC will corrupt, if mIRC will
>     corrupt... WINDOWS will affect and will not run correctly. thanks
>;
>;Khaled Mardam-Bey
>;http://www.mirc.com
>
>This file tries to send the file LOVE-LETTER-FOR-YOU.HTM
>from the Windows System directory via IRC's command /DCC
>to all users joining the IRC channel which the infected
>user is on.
>
>The worm sets or modifies the following Registry keys:
>
>HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
>HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory
>HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
>
>The file WIN-BUGSFIX.exe is a Backdoor created in the
>Philippines which collects the network passwords cached
>by Windows and sends them to an attacker's site when the
>infected user connects to the Internet.
>--
------------------------------------------------------------------------


-- 
Chuck Morrison
VA Linux - Western Region
Sr Systems Engineer
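
An added host-triage script, not part of the original message or the Frisk analysis, that walks a directory tree for the file names the analysis says the worm drops or downloads and for overwritten files that were renamed with the appended .vbs extension (PICTURE.JPG.vbs). The demo tree it scans is constructed from empty placeholder files.

```python
import os
import tempfile

# File names the analysis says the worm drops or downloads (matched case-insensitively).
DROPPED_NAMES = {
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.htm",
    "love-letter-for-you.txt.vbs", "win-bugsfix.exe",
}
# Types the worm overwrites and renames by appending .vbs (PICTURE.JPG -> PICTURE.JPG.vbs).
RENAMED_EXTS = {".js", ".jse", ".css", ".wsh", ".sct", ".hta",
                ".mp2", ".mp3", ".jpg", ".jpeg"}

def classify_name(name):
    """Return why a file name is suspicious, or None if it is not."""
    lower = name.lower()
    if lower in DROPPED_NAMES:
        return "dropped worm file name"
    stem, ext = os.path.splitext(lower)
    if ext == ".vbs" and os.path.splitext(stem)[1] in RENAMED_EXTS:
        return "overwritten file renamed with .vbs"
    return None

def scan_tree(root):
    """Walk root and return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reason = classify_name(name)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, reason))
    return sorted(findings)

def demo():
    """Build a constructed tree of empty placeholder files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("WINDOWS/SYSTEM/MSKernel32.vbs", "WINDOWS/Win32DLL.vbs",
                    "photos/PICTURE.JPG.vbs", "photos/holiday.jpg",
                    "music/song.MP3.vbs", "scripts/backup.vbs"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()  # empty placeholder, no worm content
        return scan_tree(root)
```

A plain backup.vbs is not flagged: only the dropped names and the doubled extensions the analysis describes count as findings.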



