
Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013



Chapter 6: Mail Worms

Lovebug -- the Mellissa ++

(a slightly skeptical view on the Lovebug worm and its strains (NewLove, Joke, etc.))

By Nikolai Bezroukov

Preliminary note. v. 0.5

Disclaimer. The author no longer works in virus protection, and this is written due to numerous letters to the author asking for help with this particular virus. Use this information at your own risk. Some information might be incorrect, as I am not an expert in WSH. The standard disclaimer applies.


Introduction

Lovebug is a VBScript worm (a worm is a type of self-replicating program that does not attach itself to other programs, so technically speaking it is not a virus, but who cares) that affected mainly users of Windows 98 on May 4, 2000 and for at least one full subsequent week. Smaller groups of users, including users of Windows 2000 and beta testers of the Microsoft IE5 browser, were also hit, but it still looks like this worm was mainly Win98-oriented, because this was the most widespread version of Windows that had the so-called Windows Scripting Host used by the worm (see below).

Like Melissa it spreads via mass-mailed e-mail, but Melissa limited mailing to the first 50 entries of the address book while Lovebug is greedy and mails itself to everybody. This worm is one of the new Melissa-style worms that make AV programs less effective, since it mass-mails itself on the very first invocation. Therefore, if it was not detected at that moment, it makes little sense to upgrade the AV program in order to detect it afterwards. But updating the AV program when it was most needed proved to be a tricky business. The web sites of AV vendors were down due to this denial of service attack. For example, the McAfee web site was the first victim of the worm: it had the most clueless architecture (running on NT, with a lot of scripts, pictures and other bells and whistles) and died instantly under the load. The Symantec site was slightly better and refused to die, but was extremely slow and for practical purposes can be considered down from about 10:00am on May 4th. Smaller vendors' web sites died like flies in the frost. I do not envy people who tried to download, say, an update for F-Secure on May 4th.

Actually the most useful sources of information were portals that are used to huge traffic and served information all the time. For example, Excite had the F-Secure description stored locally and was probably the most accessible site with more or less valid information about the worm.

This epidemic also revealed a really bad state of e-mail filtering in most large corporations and large ISPs, and stressed the importance of filtering capabilities on the mail gateway. Several fixes for Sendmail were published the same day in the Sendmail Usenet group and were also available from Freshmeat the same day. But they were limited to primitive subject line filtering. It was better than nothing, as the main version of the worm was by far the dominant one and none of the clones that change the subject line dynamically managed to achieve significant distribution. But this was just a lucky chance.

The most widely used mail transfer agent (MTA), Sendmail, proved to be in bad shape too. Sendmail is well known for its obscure configuration files, and most organizations that use it have no expertise in modifying rule sets. In this situation the Sendmail developers proved to be slow and provided an official patch only on May 5. This patch was extremely primitive and of lower quality than some of the patches submitted to the Sendmail newsgroup.

For the general case the only realistic solution was to install procmail as the delivery agent for Sendmail. And that proved to be quite tricky if Sendmail just passes mail on to another MTA. Not only Sendmail, but most other MTAs proved to be badly prepared for attachment filtering. I just hope that most of them have now upgraded their products to make this type of filtering easier.

As in "make.money.fast" pyramid schemes, the speed of infection is proportional to the number of ignorant users in the community.

From the point of view of flexibility, Sendmail proved to be not flexible enough in this particular situation; that is why no patch blocking *.vbs attachments was available during the week after the discovery of the worm. Exchange and Lotus Notes proved to be insufficiently flexible too. The mail delivery agent (MDA) procmail was the most efficient tool, and it was the only MDA that came out of this situation with flying colors.

Here is the famous procmail fix:

# Discard mail carrying a *.vbs attachment and send a short auto-reply.
# Conditions match the header unless prefixed with "B ??", so the two loop
# guards (FROM_DAEMON, X-Loop) stay header checks and only the attachment
# test scans the MIME body. The reply goes to the From: address, which for
# this worm is the infected user's own account, so it doubles as a warning.
:0
* !^FROM_DAEMON
* !^X-Loop: viruscheck
* B ?? ^Content-(Disposition|Type):.*\.vbs
| (formail -rI"Precedence: Virus" \
    -A"X-Loop: viruscheck" ; \
   echo "Our system received your mail,"; \
   echo "but it found something that indicated a virus"; \
   echo "and did not deliver this mail."; \
   echo "Please do not respond to this mail, it is an auto reply"; \
  ) | $SENDMAIL -oi -t

The worm actively spread itself until at least May 11. Actually Monday May 9th was worse than Friday May 5 for some US regions.

Later, on Friday, May 19, a new strain called NewLove caused a hype attack that was really nasty. In the Wired article The Virus 'Ambulance Chasers', author Katie Dean wrote:

..."Anti-virus companies have always been seen as ambulance chasers, and sometimes, it's true," said Dan Schrader, the chief security analyst at Trend Micro. "Because this is an industry that has been built on hype and alerts and pretensions of being good citizens, the industry doesn't have a lot of credibility."

..."I have to admit this whole thing became a media feeding frenzy," said Schrader, who estimated he had been interviewed a dozen times since 5 a.m. (PDT) Friday morning.

"This whole industry runs on hysteria," said Rob Rosenberger, webmaster of Computer Virus Myths. "It's just one more press release about a virus that's probably going nowhere."

News of the virus spread rapidly as soon as it was discovered. Trend Micro learned that one of its customers was infected with the newer, nasty virus late Thursday, Schrader said. A reporter called him, having heard from anti-virus company Symantec that one of its customers was also affected, and Trend Micro then decided to call the Associated Press.

"This thing is all of a sudden snowballing," Schrader said.

Ironically, the "NewLove" virus, while nasty, has had nowhere near the effect that its pesky cousin "Love Bug" did two weeks ago.

"We really haven't seen it out there that much," admitted McAfee director Sal Viveros.

But Schrader said that despite the hype, there are legitimate reasons to inform the media to get the word out quickly.

 

Short description

Similar to Melissa this 12K VBScript-based worm uses the Outlook e-mail application to spread.

But unlike Melissa it is written in VBScript and requires the so-called Windows Scripting Host (WSH) to operate. That means that Windows 98 users and beta testers of IE5 were mainly affected.

I hope that most of them have backups or Norton Utilities or a similar package up and running, because this is a destructive virus and it does overwrite several types of files on the PC. Unlike all previous worms it also attempts to spread itself using the mIRC client. The worm creates an HTML file, "LOVE-LETTER-FOR-YOU.HTM", in the Windows System directory. This file contains the worm as an inline script, and it will be sent using mIRC whenever the user joins an IRC channel.

The mass mail part of the worm is primitive and programmed to mail the same letter to each address in the Outlook address book, with the same subject line and the same attachment name. That simplified detection and eradication of the worm. The first and most widespread version used the following:

    Subject:    ILOVEYOU
    Body:       kindly check the attached LOVELETTER coming from me.
    Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

Mail is sent only once (the worm adds and then checks a special marker in the registry).

The virus then searches for certain file types in all folders on all local and remote drives and overwrites them with its own code. The files that are overwritten have either the "vbs" or the "vbe" extension.

For files with the following extensions: ".js", ".jse", ".css", ".wsh", ".sct" and ".hta", the virus creates a new file with the same name but with the extension ".vbs". The original file is deleted.

Next the virus locates files with the ".jpg" and ".jpeg" extensions, adds a new file next to each one and deletes the original file. Then the virus locates ".mp3" and ".mp2" files, creates a new file and hides the original file. In both cases the new file has the original name with the extension ".vbs" appended. For example, a picture named "pic.jpg" will cause a new file called "pic.jpg.vbs" to be created.

1. Windows Scripting Host (WSH) is installed. The worm is written in Visual Basic Script, which is a different language from Visual Basic, and needs the VBScript interpreter DLLs to function. Here much depends on the version of the OS used:

Again I would like to stress that these DLLs, collectively called "Windows Scripting Host", are not normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed. Generally any Windows installation that does not have WSH installed is immune to the virus. And IE4 is still the most common version of Internet Explorer on Windows machines. To temporarily disable Visual Basic scripting in Win98, you should turn this option off:

2. The user got the e-mail and clicked on the attachment. It might be possible to activate such a virus in Outlook 2000 if the message contains this script inline and both preview mode is activated and a low security level is specified (in this case clicking on the message header might be enough; I never checked this possibility).

If WSH is present, the user may lose the files that the virus overwrites, as this part of the virus will be executed. Users who do not have Norton Utilities installed, and who are unable to use them after the deletion, may really lose their files. But it is important to note that anybody with decent knowledge of the FAT file system and Norton Utilities can recover all or most of the files if the user did not write anything to the disk after the attack.

In a Windows NT environment the actions of the virus also depend on whether the user has admin rights on the workstation. The virus attempts to modify the registry in order to survive a reboot, and without admin rights these registry modifications will be crippled, but the destruction of files will still happen; if the user does not have permissions for files in other directories, those files will not be overwritten. This is exactly why Unix systems usually fare better against such attacks, unless somebody works as root.

If both conditions stated above are met, then the effect depends upon whether Outlook is installed and configured and whether its address book contains addresses. If Outlook is used as the main mail client this is the case; if Eudora, Netscape Messenger or Lotus Notes are used as e-mail clients, the Outlook address book is usually empty even if the program itself is installed. In the latter case the chances that the virus will propagate by mail are zero, but destruction of files on this particular computer will still take place.

If Outlook is installed, configured and has valid addresses, the virus will mail itself to all of them, and if the ISP does not filter, it might propagate further.

The virus also tries to destroy several categories of files on the PC (MP3 music, graphics, cascading style sheets, VBScript and JavaScript programs and several other types). It replaces them with its own text, probably in order to increase the chances of accidental execution or of copying the script to other machines, although in this case the virus already ran on this particular PC and these chances are pretty slim.

 

Defense

AV programs are almost completely useless against such viruses because the speed of propagation exceeds the ability of both AV vendors and site IS staff to react. Updates were available only after the first wave of infections. Moreover, AV vendors' web sites were down during this most critical period due to poor design and overload.

Blocking the virus on the gateway

One of the most important and effective measures that should be taken is blocking the virus message on the gateway.

The main thing that was needed was blocking .vbs attachments on the gateway. Most Sendmail installations fail to do this. Actually Sendmail is working with ActiveState to implement a Perl scripting plugin that will give quite good control over filtering of mail attachments.

But on May 4, 2000 most Sendmail-based mail gateways were not able to install a decent patch quickly. By a decent patch I mean one that permits blocking a particular type of attachment, although even a primitive subject line filtering hack would be better than nothing. Many mailers on major ISPs lacked such a patch on May 4, 2000 too. That is why the virus spread so widely and so fast. As for mail delivery agents, only procmail came out of this test with flying colors, and it should be used instead of the standard mailer on any Unix workstation.
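As an added example (not code from the article, from Sendmail or from any AV vendor), here is the gateway check in Python that the procmail recipe above approximates: it parses the MIME structure and decides on the final extension of every attachment, which also covers the NewLove-style variants whose subject and file name change from message to message. The constructed sample messages, the blocked-extension list and the function names are this example's own assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Script types executed by the Windows Scripting Host; the list is this
# example's own choice and should follow the site's attachment policy.
BLOCKED_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}

# Static subject lines quoted in the article (main strain and Joke strain).
KNOWN_SUBJECTS = {"iloveyou", "fwd: joke"}


def blocked_extension(filename):
    """Return the final extension of filename if it is a blocked script type.

    Only the last suffix matters: Windows runs "pic.jpg.vbs" as a script, and
    Outlook's default settings hid that last part from the user.
    """
    if not filename or "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return ext if ext in BLOCKED_EXTENSIONS else None


def check_message(raw):
    """Parse an RFC 822 message and return the reasons to reject it.

    An empty list means the message passed both checks.  The subject check
    is the equivalent of a header-only rule; the attachment check is what
    such a rule misses once the subject line varies.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    subject = str(msg["Subject"] or "")
    if subject.strip().lower() in KNOWN_SUBJECTS:
        reasons.append(f"subject line matches a known worm strain: {subject!r}")

    for part in msg.walk():
        # get_filename() reads Content-Disposition and the Content-Type name=
        # parameter, so both ways of naming an attachment are covered.
        name = part.get_filename()
        ext = blocked_extension(name)
        if ext:
            reasons.append(f"attachment {name!r} has blocked extension .{ext}")
    return reasons


def build_sample(subject, filename):
    """Construct a message shaped like the ones described in the article.

    The attachment body is a harmless placeholder, not worm code.
    """
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = subject
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    m.add_attachment(b"' placeholder attachment body\r\n",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_string()


if __name__ == "__main__":
    samples = [
        ("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),              # original strain
        ("FW: Pricing Guidelines", "Pricing Guidelines.rtf.vbs"),  # NewLove-style
        ("Quarterly figures", "figures.xls"),                      # ordinary mail
    ]
    for subject, filename in samples:
        verdict = check_message(build_sample(subject, filename))
        print(subject, "->", verdict or "accepted")
```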

See the Softpanorama (slightly skeptical) Antimalware Page for additional links.

Protection from similar attacks in case Outlook is used as a mail client

Old "Melissa" updates to Outlook 97, Outlook 98 and Outlook 2000 were available and might make it more difficult to inadvertently launch attachments. The updates provide a more explicit warning dialogue, and prevent attached executables from being launched directly from e-mails; instead, they must be saved to disk and launched as a separate step. The update also is included as part of Office 2000 SR1.

The newer update (see Protect Against Viruses with the Outlook E-mail Security Update) in addition also blocks address book access, which is a nice thing to do. Here is a relevant quote from the ZDNet News article No 'Love' lost: MS secures Outlook:

Microsoft (Nasdaq: MSFT) will attach two main updates to its e-mail software. First, the company has added code that protects users against malicious attachments by disallowing automatic double-clicking of certain file types. While a user will still be able to double-click on .doc and .xls files, for example, .vbs script files, like the one that propagated the ILOVEYOU worm, will not allow double-click launching.

The second update, the object-model guard, puts a gatekeeper between the Outlook address book and any program attempting to access it. The prompt will require a user to allow or disallow the offending program to access users in an address book for sending mail. This would go a long way to scotching the massive spread of viruses like ILOVEYOU, which infiltrated users' Outlook address books and forwarded mail to everyone in it.

According to a statement released by Microsoft, "For one, corporations will have to implement alternate filtering of  high-risk email attachments including sharing them via file shares, Intranets or community Web sites," the company said in a statement. "Users will have to provide approval for legitimate uses of Outlook automation such as Palm or Pocket PC synchronization -- this will no longer be a 'hands-off' process (users will have to click yes on a dialog box before synchronization takes place)."

Recovering files

The most unpleasant consequence of such attacks is the destruction of files. If Norton Utilities or a similar tool is installed then deleted files might be recovered. They can also be recovered from any FAT partition using Norton Utilities if:

Aside from the recovery of files, in case the virus was unable to modify the registry the disinfection consists of deleting the three VBS scripts installed by the virus:

· C:\WINDOWS\SYSTEM\MSKERNEL32.VBS

· C:\WINDOWS\WIN32DLL.VBS

· C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS

After the recovery of files, if any, it is recommended to search for *.vbs names using Windows Explorer, as some virus clones may have changed the name of the attachment as well as the path (directories) where the virus files are installed or overwritten. If the date of last modification is recent and the size of the file is approximately 12K, this file is suspect. Opening it in Notepad should show something like this:

rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / [email protected] / @GRAMMERSoft Group / Manila,Philippines
On Error Resume Next
dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
eq=""
ctr=0
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next

Any such file should be deleted. The user does not need to reboot the PC.
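As an added example (not a tool from the article, from Symantec or from Norton), the following Python script automates the hunt described above: it walks a directory tree, applies the article's own heuristics to every *.vbs file (one of the three dropped file names, a double extension such as pic.jpg.vbs, recent modification, size around 12K, or the worm's first comment line) and reports why each file is suspect. The constructed sample tree, the one-week definition of "recent" and the function names are this example's assumptions.

```python
import os
import tempfile
import time

# First comment line of the worm as shown in the article; used as a signature.
WORM_SIGNATURE = b"rem barok -loveletter"
# Names of the three copies the article says the worm installs.
DROPPED_NAMES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs"}
# Extensions the worm replaces (or hides) by writing <name>.<ext>.vbs next to them.
REPLACED_EXT = {"jpg", "jpeg", "mp3", "mp2", "js", "jse", "css", "wsh", "sct", "hta"}
APPROX_SIZE = (10 * 1024, 14 * 1024)   # "approximately 12K" in the article
RECENT = 7 * 24 * 3600                 # assumption: "recent" means within a week


def inspect_vbs(path, now):
    """Return the reasons a *.vbs file is suspect; an empty list means it looks ordinary."""
    reasons = []
    name = os.path.basename(path).lower()
    if name in DROPPED_NAMES:
        reasons.append("name matches a file dropped by the worm")
    stem = name[:-len(".vbs")]
    if "." in stem and stem.rsplit(".", 1)[1] in REPLACED_EXT:
        reasons.append("double extension (an original file was replaced)")
    st = os.stat(path)
    if now - st.st_mtime < RECENT:
        reasons.append("modified recently")
    if APPROX_SIZE[0] <= st.st_size <= APPROX_SIZE[1]:
        reasons.append("size is about 12K")
    with open(path, "rb") as fh:
        head = fh.read(64)
    if head.lower().startswith(WORM_SIGNATURE):
        reasons.append("starts with the worm's first comment line")
    return reasons


def scan_tree(root, now=None):
    """Walk root and return {relative path: reasons} for every suspect *.vbs file."""
    now = time.time() if now is None else now
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".vbs"):
                continue
            path = os.path.join(dirpath, fn)
            reasons = inspect_vbs(path, now)
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                found[rel] = reasons
    return found


def build_sample_tree():
    """Construct a tiny fake Windows tree for this example and return its root."""
    root = tempfile.mkdtemp(prefix="lovebug-demo-")
    system = os.path.join(root, "WINDOWS", "SYSTEM")
    pics = os.path.join(root, "My Pictures")
    os.makedirs(system)
    os.makedirs(pics)
    # A dropped copy: signature line plus padding, so it lands near 12K.
    with open(os.path.join(system, "MSKERNEL32.VBS"), "wb") as fh:
        fh.write(WORM_SIGNATURE + b"\r\n" + b"' padding\r\n" * 1200)
    # A picture the worm replaced; the original pic.jpg is gone.
    with open(os.path.join(pics, "pic.jpg.vbs"), "wb") as fh:
        fh.write(b"' placeholder, not worm code\r\n")
    # An ordinary, year-old admin script that must not be flagged.
    legit = os.path.join(root, "login.vbs")
    with open(legit, "wb") as fh:
        fh.write(b"' harmless logon script\r\n")
    old = time.time() - 400 * 24 * 3600
    os.utime(legit, (old, old))
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, "->", "; ".join(why))
```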

On Windows 9x (and on NT if the user has admin rights or is otherwise able to write to the registry), the virus changes the registry and it needs to be corrected. It is best to do this using a backup if one is available (and on a properly managed PC it should be available). In case it is not, the situation is slightly more complex. The following keys need to be deleted:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

Several other keys are modified by the virus too, so there is no simple manual way to completely restore the registry, but this will suffice for a start. A Symantec tool to repair the VBS.LoveLetter infection, including all known versions, is available here. Additionally, users of Norton Utilities (or Norton SystemWorks) will be able to recover the deleted files if NProtect was running at the time of infection and it has a big enough undelete cache (the size of the Recycle Bin) to accommodate all deleted files (usually this is not the case if you have a lot of MP3 files on your computer).

Actually disinfection is a trivial thing to do. The main challenge is to restore files.

The first thing to understand is that the files are not actually destroyed; they are recoverable, especially on home systems with Win9x that use FAT or FAT32. If Norton Utilities is installed the recovery is simpler; otherwise it is more involved, but still possible if the user did not write anything substantial to the drive(s) that contain the deleted files. To restore one logical drive one can try to use the image of the system blocks (produced by the Image utility that runs on each startup). This is the simpler way to achieve full recovery, although in case some files were written it is a slightly more risky solution in comparison with finding the chains of clusters in the FAT and then fixing them one by one using Disk Editor or Undelete or both. In any case one should check the integrity of the recovered files.

I already saw one specialized program, LBugMP3 1.0, that fixes some of the MP3 files. I do not know what algorithm it uses.

There is also a useful collection of disinfections programs at CNET.com - Downloads - PC - Search Results

Protection by replacing WSH executables  with proxy

It is possible to replace the regular executables called by the scripting host with a proxy, i.e. a replacement executable that performs additional checking. It can, for example, block execution of VBScripts that were created today and reside in temp directories (that is where they are written by Outlook and other mailers before execution). There is already one program that implements a weaker version of the proposed approach. It just warns the user.

VBProtect 1.2 (05/08/2000): receive a prompt before any Visual Basic Script is executed on your PC. OS: Windows (all). License: Free.

That looks pretty useful for home PCs and can be recommended. It is probably the simplest and most reliable defense available at the workstation level, but measures should be taken at the mail gateway level first.

Known strains (NewLove, Joke, etc.)

None of the strains reached even 10% of the popularity of the original version. The most widely reported was the strain called NewLove, reported on May 19, 2000. But this strain never achieved wide distribution. The most widely distributed strain was probably the Joke strain, VBS.LoveLetter.C, which probably got around 1% of the original virus distribution.

NewLove -- hype attack by "ambulance chasing" AV companies

This was mainly a hype attack by "ambulance chasers". But technologically the NewLove strain tried to address two weaknesses of the ILOVEYOU virus: the static subject line and attachment name, and the static code. In this strain the attachment name varies, but it will still always have a .vbs extension that is easily detectable on the gateway, so gateway filtering is still very easy.

The subject header begins with "FW: " and includes the name of a randomly chosen file from the recently used list. Upon each infection, the worm introduces up to 10 new lines of randomly generated comments in order to make detection more difficult.

So the new feature of this strain is the way both the file name of the attachment and the subject line are generated from the name of a recently used local file. The attachment name can become, for example, "Pricing Guidelines.rtf.vbs" if the user has that file in the recently used list. The virus then copies itself into a file "Pricing Guidelines.rtf.vbs" and e-mails that file as an attachment to people found in the address book. The subject of the e-mail would be "FW: Pricing Guidelines". The result is a more realistic e-mail from a person that you know, which has a higher probability of being opened. But previous "awareness training" with ILOVEYOU works against this strain even with these improvements, especially in environments that do not hide the last part of the extension.

Please note that with default settings some mailers like MS Outlook (MS Outlook users should install the patch available from the Microsoft site ASAP to block the virus) would hide the ".vbs" extension of the attachment. Lotus Notes will show the full set of extensions, so users will see that the attachment has the last extension .vbs.

This strain is more destructive than the previous one. If the user opens the file, the worm first e-mails itself further and then starts to overwrite all accessible files on the local hard drive and mounted network drives. At some point, the computer might crash. In most cases it won't boot.

The virus is programmed so that it keeps changing its code by adding random comments, but it never deletes them. So the body of the virus becomes larger and larger on each invocation, much like the old Jerusalem virus.

Joke

A much less impressive strain that actually managed to achieve a wide distribution is the so-called Joke strain (probably around 0.1% of the total number of cases as of May 20). It just has a different subject line and attachment name. Both are static.

VBS.LoveLetter.C (Very Funny)

email subject: "fwd: Joke"

attachment name: "Very Funny.vbs"

But still it represents less than one percent of all occurrences of the worm.

What is interesting about this strain is the fact that when the subject line was blocked on corporate mail servers, the analysis of rejected mail showed the extent to which corporate mail is misused: a lot of the rejected mails were not the virus but jokes sent to a large number of people ;-).

MotherDay (might be a hoax)

Another one, although I did not see it in the wild, is a more interesting variant as it demonstrates an excellent knowledge of psychology. It is sometimes called VBS/LoveLetter.E or the Mother's Day virus. It spreads itself in the following message:

Subject: Mothers Day Order Confirmation

Body: We have proceeded to charge your credit card for the
amount of $326.92 for the mothers day diamond special.
We have attached a detailed invoice to this email.
Please print out the attachment and keep it in a safe
place. Thanks Again and Have a Happy Mothers Day!

[email protected]

Attachment: mothersday.vbs

Another dangerous mutation comes in an email with the subject header "VIRUS ALERT!!!" The email begins, "Dear Symantec customer," and proceeds to describe the virus in detail. Its attachment is called "protect.vbs." This variant overwrites *.bat and *com files, in addition to the image and audio files already overwritten or hidden by the original "Love" bug.

Yet another clone is VBS.LoveLetter.B (Lithuania) with subject line: "Susitikim shi vakara kavos puodukui..." that does not give the virus much chances for survival outside Lithuania.

Here is the table of strains from CNET.com - News - Enterprise Computing - Virus posing as Symantec email could be worst:

Variant   Subject line                                 Attachment                    Yes/No
c         FWD: JOKE                                    VERYFUNNY.vbs                 yes
d**       I Love You                                   LOVE-LETTER-FOR-YOU.TXT.vbs   yes
e         Mother's Day Order Confirmation              mothersday.vbs                no
f***      Dangerous Virus Warning                      virus_warning.jpg.vbs         yes
g****     VIRUS ALERT!!!                               protect.vbs                   yes
h*****    A killer for VBS/LoveMail and VBS/Kak worm   viruskiller.vbs               yes

Attempt to install password sniffer and mail passwords

For a pretty small 12K program it does a lot of stuff. It even attempts to download and install a password sniffer, although this part of the worm was probably never executed after its discovery on May 4th, as the site was shut down. To do that the worm replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe". If the file is downloaded, the worm adds it to the Run key of the registry. That means that the program will be executed on reboot. On startup this executable tries to find a hidden window named 'BAROK...'. If it is present, it exits immediately; if not, it checks for the WinFAT32 subkey in the following registry key:

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

If the WinFAT32 subkey is not found, the trojan creates it, copies itself to the \Windows\System\ directory as WINFAT32.EXE and then runs the file from that location. The above registry key modification makes the trojan active every time Windows starts.

The executable sniffer also resets the Internet Explorer startup page to 'about:blank'. After that the trojan tries to find and delete the following keys:

  Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
  Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
  .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
  .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching

Then the trojan registers a new window class and creates a hidden window titled 'BAROK...', and remains resident in Windows memory as a hidden application.

Immediately after startup, and when timer counters reach certain values, the trojan loads the MPR.DLL library, calls the WNetEnumCachedPasswords function and sends stolen RAS passwords and all cached Windows passwords to the '[email protected]' e-mail address. The trojan uses the 'smpt.super.net.ph' mail server to send e-mails. The e-mail's subject is 'Barok... email.passwords.sender.trojan'.

Webliography

[May 19, 2000] NewLove virus not nearly as widespread as LoveLetter

[May 16, 2000] Protect Against Viruses with the Outlook E-mail Security Update

To help protect you against most viruses that can be spread via attachments in e-mail, Microsoft has introduced a significant security enhancement for Outlook 98 and Outlook 2000. The Outlook 2000 E-mail Security Update and the Outlook 98 E-mail Security Update provide protection from most viruses that spread through email attachments, such as the ILOVEYOU and Melissa viruses or worm viruses that can replicate through Outlook. This update limits certain functionality in Outlook to provide a higher level of security; it was not created to address a security vulnerability within Outlook. This update provides unprecedented security protection for Outlook and Microsoft encourages that all users of Outlook 2000 and Outlook 98 install this update.

Some e-mail viruses — including the Melissa and ILOVEYOU viruses — are contained in e-mail attachments and spread by simply opening the attachment. The message usually asks you to open and read the contents of the attached file, and then the virus sends copies of itself to people listed in your e-mail program's address book. To counteract this process, this update restricts access to certain attachments and restricts programmatic access to the Outlook Address Book and Contacts List.

Three ways to protect you from e-mail viruses

The security update protects you from e-mail viruses in three ways:

CERT Advisory 2000-04 Love Letter Worm -- recommendations are primitive and not well thought out.

Disable Windows Scripting Host

Because the worm is written in VBS, it requires the Windows Scripting Host (WSH) to run. Disabling WSH prevents the worm from executing. For information about disabling WSH, see:

http://www.sophos.com/support/faqs/wsh.html

This change may disable functionality the user desires. Exercise caution when implementing this solution.

Disable Active Scripting in Internet Explorer

Information about disabling active scripting in Internet Explorer can be found at:

http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps

This change may disable functionality the user desires. Exercise caution when implementing this solution.

Disable Auto-DCC Reception in IRC Clients

Users of Internet Relay Chat (IRC) programs should disable automatic reception of files offered to them via DCC.

Filter the Worm in E-Mail

Sites can use email filtering techniques to delete messages containing subject lines known to contain the worm. For sites using unix, here are some possible methods:

Sendmail

Sendmail, Inc. has published information about blocking the worm in incoming email at:

http://www2.sendmail.com/loveletter

PostFix

Add the following line in /etc/postfix/header_checks:

/^Subject: ILOVEYOU/ REJECT

The main Postfix configuration file must contain the following line to enable the check :

header_checks = regexp:/etc/postfix/header_checks

Postfix must also be reloaded after this information is added.

Exim

A generic Windows-executable content-blocking filter has been produced for Exim. This will block messages with attachments whose extensions are vbs, as well as several other types that Windows may consider executable by default. The filter, which includes some supporting installation documentation within the filter file itself, can be found at:

ftp://ftp.exim.org/pub/filter

Procmail

This procmail rule also deletes any messages with the Subject: line containing "ILOVEYOU":

   :0 D
   * ^Subject:[[tab] ]+ILOVEYOU
   /dev/null

Note that in all of these examples, [tab] represents a literal tab character, and must be replaced with a tab for them to work correctly.

It is important to note that these three methods, as described, do not prevent the worm from spreading if the Subject: line of the email has changed. Administrators can use more complicated procmail rules to block the worm based on the body of the email, but such methods require more processing time on mail servers, and may not be feasible at sites with high volumes of email traffic.

Exercise Caution When Opening Attachments

Exercise caution with attachments in email. Users should disable auto-opening or previewing of email attachments in their mail programs. Users should never open attachments from an untrusted origin, or that appear suspicious in any way.

Q188135 - Description of Windows Script Host (WSH)

WinNTMag: NTFS Access Control Security Enhancements

- In Windows 2000 (Win2K), Microsoft redesigned how NTFS handles access control to files and other objects. Also Security Configuration Manager (SCM), which Microsoft released in Windows NT 4.0 Service Pack 4 (SP4), handles access control like Win2K does. The new NTFS access control model changes access control in three areas. First, permissions are much more granular, which means you can fine-tune user access. Second, if you come from the Novell NetWare world and like NetWare's dynamic inheritance, the dynamic way Win2K and SCM handle the inheritance of permissions will especially impress you. Third, Microsoft completely revamped the access control dialog boxes.

PC World News Microsoft Don't Blame Us for Virus --Simple, But Not Secure?

In contrast, security analysts say the friendly style that has helped to make Microsoft products so popular often comes at the expense of security.

Steve Fallin, director of the rapid-response team for WatchGuard Technologies, an Internet security firm, says Microsoft's mission to simplify PC use often means a trade-off in protecting users from hackers and viruses.

"Is this a security flaw in a Microsoft product? No, I don't think so. Microsoft could have done things to make its products more secure, but Microsoft is in the business of making everybody's life easy," Fallin says.

The "Love Letter" worm exploits a Microsoft-developed programming language called Visual Basic, which helps programmers write applications for Microsoft's Windows operating system.

F-Secure - description -- early and not very well written description that never mentions WSH

SecurityWatch - description -- does mention WSH

Who is affected by this virus?
All Microsoft Windows users who have the Windows Scripting Host (WSH) enabled are potential victims. Most Windows PCs hosting MS Office applications have WSH, which enables the Visual Basic (VB) scripting language to automate common tasks.

I Love You Outbreak

Antivirus Software Messages

How many hours of productivity have you lost due to the I Love You worm? (219 votes)
   None: 74 votes (34%)
   1-2 hours: 29 votes (13%)
   3-5 hours: 34 votes (16%)
   6-10 hours: 30 votes (14%)
   More than 10 hours: 52 votes (24%)

ABCNEWS.com 'Love Bug' Apartment Raided -- super inflated estimates

Estimates of the virus’s damage vary widely. Antivirus company Symantec said it infected up to 3 million computers at a cost of up to $2 billion. The U.S. Department of Justice estimated it will have cost companies and governments $10 billion by Tuesday, and insurer Lloyd’s of London estimated $15.3 billion in damages.

'Love Bug' Probe Slows in Philippines (washingtonpost.com)

Among the informal network of virus hunters who have been pursuing the case, some of the most recent revelations have come from Jonathan James, 19, a Swedish information security researcher. James, who last year worked with security experts Fredrik Bjorck of Sweden and Richard M. Smith of the United States to track down the author of the damaging Melissa virus, said he searched the source code of viruses from the Philippines and found common elements that he traced back to a student, "Michael," at Amable Mendoza Aguiluz Computer College in the Philippines.

The suspected student allegedly is affiliated with virus writers who use the name GRAMMERsoft, James said. A copyright notice in the text of the virus code mentions GRAMMERSOFT. "This person either coded the virus or he knows who coded the virus," James said.

In cross-checking other electronic traces in the virus, James found a half-dozen accounts on a popular ICQ online chat system. One such account included the online nickname "Spyder," which was found in the text of the virus code. On a chat-room form about personal information, Spyder wrote: "i love computer . . . programming . . . sex." Spyder then adds in Tagalog: "Any kind of alcohol as long as it's alcohol."

...

Motivations are slippery. Many of the new breed of viruses focus on Microsoft Corp.'s popular Outlook mail-management software program. That could be because so many techies dislike Microsoft. But it's just as likely that Microsoft products, by their near-ubiquity, present a compelling test field for virus creators who might want to see their work spread far and wide.

Virus writers also are drawn to Outlook's ability to run mini-programs written in Visual Basic, a programming environment developed by Microsoft so that any user could write simple programs that could work within word processors, spreadsheets and other applications.

...

One quality that many of the virus writers do share is a talent for rationalizing their actions. Like many of the people who break into computer systems, virus writers often argue that they are pointing out holes in system security--or that the real bad guys are the vendors and customers who make and buy such weak products. Spafford says that attitude is "I'm doing a favor"--and adds, "Lord help us from too many favors."

The biggest security problem, one that is unlikely to be resolved as long as high-tech companies and their customers don't value security as highly as economy and speed, is the fundamental asymmetry of risk between the good guys and the bad guys, said Tom Telleur, managing director of consultants KPMG and a former computer crime sleuth for the National Aeronautics and Space Administration. "It involves little costs for them to attack us, but it takes a big cost for us to protect ourselves," he said.

Businesses worldwide are buying technologies before they fully understand them, but the bad guys have the time and inclination to learn about, poke and prod every new gadget and program that comes along, Telleur said. When companies adopt something new, he said, the new technologies "are going to be used against [the firms] before they even know how to use the technologies."



Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Last modified: March, 12, 2019