[Glug]Re: [lug] [GLUE] Fwd: [cfgeeks] The new worm virus. (fwd)

F.L. Whiteley greeley at greeleynet.com
Thu May 4 13:11:36 MDT 2000


One of my clients reported 20 copies this AM.  I intercepted one on a
misdirected e-mail.  I sent out warnings to all of my clients at 7AM this
morning, so hopefully they are okay.  Got a message from a friend at Maxtor.
Their e-mail was down earlier and is up now after a fashion but all
attachments are filtered out.

Frank Whiteley
GreeleyNet
----- Original Message -----
From: "Charles Morrison" <cmorrison at info2000.net>
To: <lug at lug.boulder.co.us>
Cc: <glug at lists.tummy.com>
Sent: Thursday, May 04, 2000 10:43 AM
Subject: [Glug]Re: [lug] [GLUE] Fwd: [cfgeeks] The new worm virus. (fwd)


> On Thu, 04 May 2000, you wrote:
>
> >
> > How many people here have seen the new "ILOVEYOU" virus today?  We have seen
> > a few of the messages come in here this morning but nobody here has been
> > infected.  CRC and several other companies have been hit hard by it.  It only
> > affects MS Outlook users so most of us geeks are OK.
> >
> > If you add these lines to your sendmail.cf file it will bounce the emails
> > containing the virus:
> > HSubject:       $>Check_Subject
> > D{MPat}ILOVEYOU
> > D{MMsg}This message may contain a virus.
> >
> > SCheck_Subject
> > R${MPat} $* $#error $: 553 ${MMsg}
> > RRe: ${MPat} $* $#error $: 553 ${MMsg}
> >
> > Note: the spaces between the $* and the $#error on the last two lines are
> > supposed to be tabs.
> >
>
>
> I got it twice, from the same unlucky windows user. I even clicked on the
> attachment to see what would happen. Apparently nothing on my Linux systems.
>
> If you're curious about what it actually does, read on. This from an email I
> got via a list at work
> -----------------------------------------------------
> Just FYI, from USENET:
>
> >From: frisk at complex.is (Fridrik Skulason)
> >Subject: Analysis of LoveLetter
> >Date: 4 May 2000 12:20:10 -0000
> >
> >The following analysis is the work of the researchers at Frisk Software
> >International, primarily Dr. Vesselin Bontchev and Peter Ferrie.
> >
> >The worm poses a risk to users that have Windows Scripting Host (including
> >Win '98 users, users who have installed IE 5.x in default mode, users who
> >have installed WSH specifically, and probably users of Windows 2000).
> >
> >The worm will only spread from infected machines that have Outlook '98
> >or Outlook 2000 installed, but it will damage/overwrite files even if
> >Outlook is not in use.
> >
> >The worm is received either as an e-mail attachment or via IRC.  If the
> >user does not open (double-click on) the attached file, the worm will not
> >run or do any damage.
> >
> >If it is received via e-mail, the Subject: of the message
> >is "ILOVEYOU" and the body of the message says
> >
> >  kindly check the attached LOVELETTER coming from me.
> >
> >The name of the attachment is LOVE-LETTER-FOR-YOU.TXT.vbs
> >(which, if the system is configured not to show the
> >extensions of the files, will look like a TXT file to the
> >user).
> >
> >If it is received via IRC, it resides in a file named
> >LOVE-LETTER-FOR-YOU.HTM.
> >
> >When executed, the worm makes copies of itself under
> >the names MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs
> >in the Windows System directory and under the name
> >Win32DLL.vbs in the Windows directory. Then it modifies
> >the Registry, so that the files Win32DLL.vbs and
> >MSKernel32.vbs will be executed every time Windows is
> >started.
> >
> >Then the worm modifies the Registry, changing the
> >startup page of the Internet Explorer, so that when IE
> >is started, it will download a file named WIN-BUGSFIX.exe
> >from one of 4 possible places on http://www.skyinet.net
> >(randomly selected) and the Registry is modified, so
> >that this file is executed the next time Windows is
> >started.
> >
> >Then the worm creates an HTML version of itself, in a
> >file named LOVE-LETTER-FOR-YOU.HTM in the Windows System
> >directory.
> >
> >Next, the worm starts a copy of Outlook in the
> >background (only Outlook 98 or 2000 will work - not
> >Outlook 97 or Outlook Express). It examines all Outlook
> >Address Books and, if an Outlook Address Book contains
> >more addresses than the Windows Address Book, the worm
> >mass-mails itself to all addresses in that Outlook
> >Address Book. (The worm does NOT mass-mail itself to
> >any addresses in the Windows Address Book.)
> >
> >Finally, the worm examines all directories on all hard
> >and network drives. If a file has one of the following
> >extensions: VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, MP2,
> >MP3, JPG or JPEG the worm overwrites the file with a
> >copy of itself. If the extension was not VBS or VBE, the
> >worm adds the extension VBS to the name of the file -
> >so that, for instance, PICTURE.JPG becomes
> >PICTURE.JPG.vbs. In case a MP2 or MP3 file was
> >overwritten, the worm also sets its file attribute to
> >ReadOnly.
> >
> >If, during this directory traversal, any of the following
> >files is found: mirc32.exe, mlink32.exe, mirc.ini,
> >script.ini or mirc.hlp, the worm drops in that directory
> >a file named SCRIPT.INI which begins with the comments
> >
> >;mIRC Script
> >;  Please dont edit this script... mIRC will corrupt, if mIRC will corrupt... WINDOWS will affect and will not run correctly. thanks
> >;
> >;Khaled Mardam-Bey
> >;http://www.mirc.com
> >
> >This file tries to send the file LOVE-LETTER-FOR-YOU.HTM
> >from the Windows System directory via IRC's command /DCC
> >to all users joining the IRC channel which the infected
> >user is on.
> >
> >The worm sets or modifies the following Registry keys:
> >
> >HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
> >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
> >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
> >HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory
> >HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
> >
> >The file WIN-BUGSFIX.exe is a Backdoor created in the
> >Philippines which collects the network passwords cached
> >by Windows and sends them to an attacker's site when the
> >infected user connects to the Internet.
> >--
> ------------------------------------------------------------------------
>
>
> --
> Chuck Morrison
> VA Linux - Western Region
> Sr Systems Engineer
>
> _______________________________________________
> Glug mailing list
> Glug at lists.tummy.com
> http://lists.tummy.com/mailman/listinfo/glug
>
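As an added example (not part of this thread or of any poster's code), a Python mail-gateway check that reproduces the subject rule from the sendmail.cf snippet quoted above and extends it to the attachment trick the analysis describes: a script extension hidden behind a .TXT or .JPG one. The sample message, its boundary and its attachment body are constructed; the extension lists are taken from the analysis.

```python
"""Gateway check for the LoveLetter indicators in the thread above (added example)."""
import email
import re
from email import policy

# Subject prefixes the sendmail.cf rules above reject: "ILOVEYOU" and "Re: ILOVEYOU".
SUBJECT_RE = re.compile(r"^(re:\s*)?ILOVEYOU", re.IGNORECASE)
# Script extensions named in the analysis (what the worm runs as and overwrites with).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}
# Innocuous extensions a disguised attachment shows when Windows hides the real one.
DECOY_EXTS = {"txt", "jpg", "jpeg", "htm", "html", "mp2", "mp3", "doc"}


def disguised_script(filename):
    """True for names like LOVE-LETTER-FOR-YOU.TXT.vbs or PICTURE.JPG.vbs:
    a script extension appended after an innocuous one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTS and parts[-2] in DECOY_EXTS


def check_message(raw):
    """Return None to accept, or a 553 rejection string (the reply the sendmail
    rules above produce) naming the first indicator found."""
    msg = email.message_from_string(raw, policy=policy.default)
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        return "553 This message may contain a virus. (subject)"
    for part in msg.walk():
        name = part.get_filename()
        if name and disguised_script(name):
            return f"553 This message may contain a virus. (attachment {name})"
    return None


# Constructed sample: a forward whose subject slips past the sendmail rules
# ("Fw:" is not "Re:") but which still carries the double-extension attachment.
SAMPLE = """\
Subject: Fw: ILOVEYOU
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--B
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

' placeholder body (constructed, not the worm's script)
--B--
"""
```

Calling `check_message(SAMPLE)` returns the attachment rejection, which is the case the subject-only sendmail rules miss.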