Archive of CERT general posting, CERT Advisory CA-2000-04

05/05/00, CERT Advisory CA-2000-04
From: CERT Advisory <cert-advisory@cert.org>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


To: cert-advisory@cert.org
Subject: CERT Advisory CA-2000-04
From: CERT Advisory <cert-advisory@cert.org>
Date: Thu, 4 May 2000 21:29:52 -0400 (EDT)
Organization: CERT(R) Coordination Center - +1 412-268-7090
Reply-To: cert-advisory-request@cert.org

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2000-04 Love Letter Worm

   Original release date: May 4, 2000
   Last revised: --
   Source: CERT/CC
   
   A complete revision history is at the end of this file.
   
Systems Affected

     * Systems running Microsoft Windows with Windows Scripting Host
       enabled
       
Overview

   The "Love Letter" worm is a malicious VBScript program which spreads
   in a variety of ways. As of 2:00pm EDT(GMT-4) May 4, 2000 -- the CERT
   Coordination Center has received reports from more than 250 individual
   sites indicating more than 300,000 individual systems are affected. In
   addition, we have several reports of sites suffering considerable
   network degradation as a result of mail, file, and web traffic
   generated by the "Love Letter" worm.
   
I. Description

   You can be infected with the "Love Letter" worm in a variety of ways,
   including electronic mail, Windows file sharing, IRC, USENET news and
   possibly via webpages. Once the worm has executed on your system, it
   will take the actions described in the Impact section.
   
Electronic Mail

   When the worm executes, it attempts to send copies of itself using
   Microsoft Outlook to all the entries in all the address books. The
   mail it sends has the following characteristics:
     * An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS"
     * A subject of "ILOVEYOU"
     * A body which reads "kindly check the attached LOVELETTER coming
       from me."
       
   People who receive copies of the worm via electronic mail will most
   likely recognize the sender. We encourage people to avoid executing
   code, including VBScripts, received through electronic mail regardless
   of the sender without firsthand prior knowledge of the origin of the
   code.
   
Internet Relay Chat

   When the worm executes, it will attempt to create a file named
   script.ini in any directory that contains certain files associated
   with the popular IRC client mIRC. The script file will attempt to send
   a copy of the worm via DCC to other people in any IRC channel joined
   by the victim. We encourage people to disable automatic reception of
   files via DCC in any IRC client.
   
Executing Files on Shared File Systems

   When the worm executes, it will search for certain types of files and
   replace them with a copy of the worm (see the Impact section for more
   details). Executing (double clicking) files modified by other infected
   users will result in executing the worm. Files modified by the worm
   may also be started automatically, for example from a startup script.
   
Reading USENET News

   There have been reports of the worm appearing in USENET newsgroups.
   The suggestions above should be applied to users reading messages in
   USENET newsgroups.
   
II. Impact

   When the worm is executed, it takes the following steps:
   
Replaces Files with Copies of the Worm

   When the worm executes, it will search for certain types of files and
   make changes to those files depending on the type of file. For files
   on fixed or network drives, it will take the following steps:
     * For files whose extension is vbs or vbe it will replace those
       files with a copy of itself.
     * For files whose extensions are js, jse, css, wsh, sct, or hta, it
       will replace those files with a copy of itself and change the
       extension to vbs. For example, a file named x.css will be replaced
       with a file named x.vbs containing a copy of the worm.
     * For files whose extension is jpg or jpeg, it will replace those
       files with a copy of the worm and add a vbs extension. For
       example, a file named x.jpg will be replaced by a file called
       x.jpg.vbs containing a copy of the worm.
     * For files whose extension is mp3 or mp2, it will create a copy of
       itself in a file named with a vbs extension in the same manner as
       for a jpg file. The original file is preserved, but its attributes
       are changed to hidden.
       
   Since the modified files are overwritten by the worm code rather than
   being deleted, file recovery is difficult and may be impossible.
   
   Users executing files that have been modified in this step will cause
   the worm to begin executing again. If these files are on a filesystem
   shared over a local area network, new users may be affected.
   
Creates an mIRC Script

   While the worm is examining files as described in the previous
   section, it may take additional steps to create a mIRC script file. If
   the file name being examined is mirc32.exe, mlink32.exe, mirc.ini,
   script.ini or mirc.hlp, the worm will create a file named script.ini
   in the same folder. The script.ini file will contain:
   
   [script]

   n0=on 1:JOIN:#:{
   n1=  /if ( $nick == $me ) { halt }
   n2=  /.dcc send $nick DIRSYSTEM\LOVE-LETTER-FOR-YOU.HTM
   n3=}

   where DIRSYSTEM varies based on the platform where the worm is
   executed. If the file script.ini already exists, no changes occur.
   
   This code appears to define a script such that whenever the user joins
   a channel in IRC, a copy of the worm will be sent to others on the
   channel via DCC. The script.ini file is created only once per folder
   processed by the worm.
   
Modifies the Internet Explorer Start Page

   If the file <DIRSYSTEM>\WinFAT32.exe exists, the worm sets the
   Internet Explorer Start page to one of four randomly selected URLs.
   These URLs all refer to a file named WIN-BUGSFIX.exe, which presumably
   contains malicious code. The worm checks for this file in the Internet
   Explorer downloads directory, and if found, it is added to the list of
   programs to run at reboot. The Internet Explorer Start page is then
   reset to "about:blank". Information about the impact of running
   WIN-BUGSFIX.exe will be added to this document as soon as it is
   available.
   
Send Copies of Itself via Email

   The worm will attempt to use Microsoft Outlook to send copies of
   itself to all entries in all address books as described in the
   Description section.
   
Other Modified Registry Keys

   In addition to other changes, the worm updates the following registry
   keys:
   
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
   HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
   HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
   HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
   HKCU\Software\Microsoft\WAB\*
          
III. Solution

Update Your Anti-Virus Product

   It is important for users to update their anti-virus software. Some
   anti-virus software vendors have released updated information, tools,
   or virus databases to help prevent and combat this worm. A list of
   vendor-specific anti-virus information can be found in Appendix A.
   
Disable Windows Scripting Host

   Because the worm is written in VBS, it requires the Windows Scripting
   Host (WSH) to run. Disabling WSH prevents the worm from executing. For
   information about disabling WSH, see:
   
   http://www.sophos.com/support/faqs/wsh.html
          
   This change may disable functionality the user desires. Exercise
   caution when implementing this solution.
   
Disable Active Scripting in Internet Explorer

   Information about disabling active scripting in Internet Explorer can
   be found at:
   
   http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps
          
   This change may disable functionality the user desires. Exercise
   caution when implementing this solution.
   
Disable Auto-DCC Reception in IRC Clients

   Users of Internet Relay Chat (IRC) programs should disable automatic
   reception of files offered to them via DCC.
   
Filter Virus in E-Mail

   Sites can use email filtering techniques to delete messages containing
   subject lines known to contain the worm. For sites using unix, here
   are some possible methods:
   
Sendmail

   The following sendmail rule will delete all messages with the Subject:
   line ILOVEYOU:

   HSubject:[tab][tab][tab]$>Check_Subject
   D{MPat}ILOVEYOU
   D{MMsg}This message may contain the ILOVEYOU virus
   SCheck_Subject
   R${MPat} $*[tab]$#error $: 553 ${MMsg}
   RRe: ${MPat} $*[tab]$#error $: 553 ${MMsg}
   RFW: ${MPat} $*[tab]$#error $: 553 ${MMsg}

PostFix

   Add the following line in /etc/postfix/header_checks:

   /^Subject: ILOVEYOU/ REJECT

Procmail

   This procmail rule also deletes any messages with the Subject: line
   containing "ILOVEYOU":

   :0 D
   * ^Subject:[[tab] ]+ILOVEYOU
   /dev/null

   Note that in all of these examples, [tab] represents a literal tab
   character, and must be replaced with one for this to work correctly.
   
   It is important to note that these three methods, as described, do not
   prevent the worm from spreading if the Subject: line of the email has
   changed. Administrators can use more complicated procmail rules to
   block the worm based on the body of the email, but such methods
   require more processing time on mail servers, and may not be feasible
   at sites with high volumes of email traffic.
   
Exercise Caution When Opening Attachments

   Exercise caution with attachments in email. Users should disable
   auto-opening or previewing of email attachments in their mail
   programs. Users should never open attachments from an untrusted
   origin, or that appear suspicious in any way.
   
Appendix A. Anti-Virus Vendor Information

Aladdin Knowledge Systems

   http://www.aks.com/home/csrt/valerts.asp
          
Command Software Systems, Inc.

   http://www.command.co.uk/html/virus/love.html
   http://www.commandcom.com/virus/love.html
          
Computer Associates

   http://www.ca.com/virusinfo/virusalert.htm
          
F-Secure

   http://www.f-secure.com/download-purchase/updates.html
          
Finjan Software, Ltd.

   http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34
          
McAfee / Network Associates

   http://vil.nai.com/villib/dispVirus.asp?virus_k=98617
   http://www.cert.org/advisories/CA-2000-04/nai.dat
   (This file is also included at the end of this message.)
          
Proland Software

   http://www.pspl.com/virus_info/worms/loveletter.htm
          
Sophos

   http://www.sophos.com/virusinfo/analyses/vbsloveleta.html
   http://www.sophos.com/virusinfo/analyses/trojloveleta.html
          
Symantec

   http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
          
Trend Micro

   http://www.antivirus.com/vinfo
     _________________________________________________________________
   
   The CERT Coordination Center would like to thank David Slade of Lucent
   Technologies for their help in constructing this advisory. We thank
   Christopher Lindsey for the providing the procmail rule.
     _________________________________________________________________
   
   The following people were involved in the creation of this document:
   Jeff Carpenter, Cory Cohen, Chad Dougherty, Ian Finlay, Kathy Fithen,
   Rhonda Green, Robert Hanson, Jeff Havrilla, Shawn Hernan, Kevin Houle,
   Brian King, Jed Pickel, Joseph Pruzynski, Robin Ruefle, John Schaffer,
   and Mark Zajicek
   ______________________________________________________________________
   
   This document is available from:
   http://www.cert.org/advisories/CA-2000-04.html
   ______________________________________________________________________
   
CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.
          
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.
   
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   
   http://www.cert.org/CERT_PGP.key
       
   If you prefer to use DES, please call the CERT hotline for more
   information.
   
Getting security information

   CERT publications and other security information are available from
   our web site
   
   http://www.cert.org/
       
   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.
   
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________
   
   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________
   
   Conditions for use, disclaimers, and sponsorship information
   
   Copyright 2000 Carnegie Mellon University.
   
   Revision History

May 4, 2000:  Initial release

This is the DAT file provided by Network Associates:

- ----8<--------8<--------8<--------8<--------8<--------8<--------8<----

 134 178 156 177   9  51 219 241  94  28 193 220 123  86 193 214
 121  71 232 193 178  50 157  76   9 177 143 178  13 152 153 147
  13  55 142 176  95 118 192 176  73 122 192 177  66 125 137 143
  69 103 192 199 235  49 141 163 196  63   6  85 231 198 113  62
 236 223 122  69 241 197 249   6  35 204 141 183  13  56 193 252
  91 118 160 255  72 103 217 246  95  59 223 246  74  97 216 253
  94  27 136 251  89 126 193 155   3  96 221 225  72 114 201 231
  66 118 192 242  68 127 165 190 143  57 136 157 122  92 255 222
  13  51 140 179  25 125 138
10643 256   10425  VBS/LoveLetter

 105 178 157 176  77  51 221 228  94 127 226 197 104 127 232 199
 121  86 255  76   9 162 143 179  14 146 136  56 204 247  92 119
 242  55  28 177  12  48  44 187 141 245  40  22 141 245  40  22
 214  50 140  48  15  47 137  18   3 244  73 100 199 253   8  56
 134 184  65  54 192 247  92 105  12  50  95 186  13   2 222 128
   8 115 136  76   5  62  15 182  13  51 141 178  13  39  64 177
   2  51  30 182 162 115 141 179 181  52
9899 256   10425  PWSLoveLetter

 107 178 156 176   9  51 196 225  78  28 193 220 123  86 193 214
 121  71 232 193 242  55  15 177  12  51  44 187 243 197 107  68
 225 198 124  75 235  49 221 178 196  57 123  83 230 210   8  50
 230 223 107  93 121 134 145 139  13  49 141 184  65 124 219 246
  32 127 200 231  89 118 223 184  75 124 223 158  84 124 216 157
  69 103 192 190 143  54 141 179  13  50 141 167  67 160 136 179
   9  51 214 192 158  54 141 183  13 104 222 180
9593 256   10425  IRC/LoveLetter

- ----8<--------8<--------8<--------8<--------8<--------8<--------8<----

This DAT file is also located at:
  http://www.cert.org/advisories/CA-2000-04/nai.dat

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQCVAwUBORIXEFFO4fmE3w/VAQEWZwQApwMZx3etImFUH3GZ2v2kweeQtKWmH7re
jhzwt/uNyZzfRLHLTU68AcpKASFEooleO9KRYcolgoO0kAuL4ERKtLc/eid3A+Q/
apP6v8RT9wcDLg3wlbWqqvkdijdCX0L1nSkM6oR4vrGTRFe0OTxQtndYlbupw1gJ
5CpHT6/fDaE=
=CoQt
-----END PGP SIGNATURE-----



Previous message sorted by date: CERT Advisory CA-2000-03
Next message sorted by date: CERT Advisory CA-2000-05
Previous message sorted by thread: CERT Advisory CA-2000-03
Next message by thread: CERT Advisory CA-2000-05
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: May 2000