Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2000.085 -- CERT Advisory CA-2000-04
Love Letter Worm
05 May 2000
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Love Letter Worm
Vendor: N/A
Operating System: MS Windows
Platform: N/A
Impact: Denial of Service
Execute Arbitrary Code
Modify Data
Access Required: Remote
Ref: AL-2000.05
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2000-04 Love Letter Worm
Original release date: May 4, 2000
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
* Systems running Microsoft Windows with Windows Scripting Host
enabled
Overview
The "Love Letter" worm is a malicious VBScript program which spreads
in a variety of ways. As of 2:00pm EDT(GMT-4) May 4, 2000 -- the CERT
Coordination Center has received reports from more than 250 individual
sites indicating more than 300,000 individual systems are affected. In
addition, we have several reports of sites suffering considerable
network degradation as a result of mail, file, and web traffic
generated by the "Love Letter" worm.
I. Description
You can be infected with the "Love Letter" worm in a variety of ways,
including electronic mail, Windows file sharing, IRC, USENET news and
possibly via webpages. Once the worm has executed on your system, it
will take the actions described in the Impact section.
Electronic Mail
When the worm executes, it attempts to send copies of itself using
Microsoft Outlook to all the entries in all the address books. The
mail it sends has the following characteristics:
* An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS"
* A subject of "ILOVEYOU"
* A body which reads "kindly check the attached LOVELETTER coming
from me."
People who receive copies of the worm via electronic mail will most
likely recognize the sender. We encourage people to avoid executing
code, including VBScripts, received through electronic mail regardless
of the sender without firsthand prior knowledge of the origin of the
code.
Internet Relay Chat
When the worm executes, it will attempt to create a file named
script.ini in any directory that contains certain files associated
with the popular IRC client mIRC. The script file will attempt to send
a copy of the worm via DCC to other people in any IRC channel joined
by the victim. We encourage people to disable automatic reception of
files via DCC in any IRC client.
Executing Files on Shared File Systems
When the worm executes, it will search for certain types of files and
replace them with a copy of the worm (see the Impact section for more
details). Executing (double clicking) files modified by other infected
users will result in executing the worm. Files modified by the worm
may also be started automatically, for example from a startup script.
Reading USENET News
There have been reports of the worm appearing in USENET newsgroups.
The suggestions above should be applied to users reading messages in
USENET newsgroups.
II. Impact
When the worm is executed, it takes the following steps:
Replaces Files with Copies of the Worm
When the worm executes, it will search for certain types of files and
make changes to those files depending on the type of file. For files
on fixed or network drives, it will take the following steps:
* For files whose extension is vbs or vbe it will replace those
files with a copy of itself.
* For files whose extensions are js, jse, css, wsh, sct, or hta, it
will replace those files with a copy of itself and change the
extension to vbs. For example, a file named x.css will be replaced
with a file named x.vbs containing a copy of the worm.
* For files whose extension is jpg or jpeg, it will replace those
files with a copy of the worm and add a vbs extension. For
example, a file named x.jpg will be replaced by a file called
x.jpg.vbs containing a copy of the worm.
* For files whose extension is mp3 or mp2, it will create a copy of
itself in a file named with a vbs extension in the same manner as
for a jpg file. The original file is preserved, but its attributes
are changed to hidden.
Since the modified files are overwritten by the worm code rather than
being deleted, file recovery is difficult and may be impossible.
Users executing files that have been modified in this step will cause
the worm to begin executing again. If these files are on a filesystem
shared over a local area network, new users may be affected.
Creates an mIRC Script
While the worm is examining files as described in the previous
section, it may take additional steps to create a mIRC script file. If
the file name being examined is mirc32.exe, mlink32.exe, mirc.ini,
script.ini or mirc.hlp, the worm will create a file named script.ini
in the same folder. The script.ini file will contain:
[script]
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick DIRSYSTEMLOVE-LETTER-FOR-YOU.HTM
n3=}
where DIRSYSTEM varies based on the platform where the worm is
executed. If the file script.ini already exists, no changes occur.
This code appears to define a script such that whenever the user joins
a channel in IRC, a copy of the worm will be sent to others on the
channel via DCC. The script.ini file is created only once per folder
processed by the worm.
Modifies the Internet Explorer Start Page
If the file <DIRSYSTEM>WinFAT32.exe exists, the worm sets the
Internet Explorer Start page to one of four randomly selected URLs.
These URLs all refer to a file named WIN-BUGSFIX.exe, which presumably
contains malicious code. The worm checks for this file in the Internet
Explorer downloads directory, and if found, it is added to the list of
programs to run at reboot. The Internet Explorer Start page is then
reset to "about:blank". Information about the impact of running
WIN-BUGSFIX.exe will be added to this document as soon as it is
available.
Send Copies of Itself via Email
The worm will attempt to use Microsoft Outlook to send copies of
itself to all entries in all address books as described in the
Description section.
Other Modified Registry Keys
In addition to other changes, the worm updates the following registry
keys:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunMSKernel32
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesWin32DLL
HKLMSoftwareMicrosoftWindowsCurrentVersionRunWIN-BUGSFIX
HKCUSoftwareMicrosoftWindows Scripting HostSettingsTimeout
HKCUSoftwareMicrosoftInternet ExplorerMainStart Page
HKCUSoftwareMicrosoftWAB*
III. Solution
Update Your Anti-Virus Product
It is important for users to update their anti-virus software. Some
anti-virus software vendors have released updated information, tools,
or virus databases to help prevent and combat this worm. A list of
vendor-specific anti-virus information can be found in Appendix A.
Disable Windows Scripting Host
Because the worm is written in VBS, it requires the Windows Scripting
Host (WSH) to run. Disabling WSH prevents the worm from executing. For
information about disabling WSH, see:
http://www.sophos.com/support/faqs/wsh.html
This change may disable functionality the user desires. Exercise
caution when implementing this solution.
Disable Active Scripting in Internet Explorer
Information about disabling active scripting in Internet Explorer can
be found at:
http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps
This change may disable functionality the user desires. Exercise
caution when implementing this solution.
Disable Auto-DCC Reception in IRC Clients
Users of Internet Relay Chat (IRC) programs should disable automatic
reception of files offered to them via DCC.
Filter Virus in E-Mail
Sites can use email filtering techniques to delete messages containing
subject lines known to contain the worm. For sites using unix, here
are some possible methods:
Sendmail
The following sendmail rule will delete all messages with the Subject:
line ILOVEYOU:
HSubject:[tab][tab][tab]$>Check_Subject
D{MPat}ILOVEYOU
D{MMsg}This message may contain the ILOVEYOU virus
SCheck_Subject
R${MPat} $*[tab]$#error $: 553 ${MMsg}
RRe: ${MPat} $*[tab]$#error $: 553 ${MMsg}
RFW: ${MPat} $*[tab]$#error $: 553 ${MMsg}
PostFix
Add the following line in /etc/postfix/header_checks:
/^Subject: ILOVEYOU/ REJECT
Procmail
This procmail rule also deletes any messages with the Subject: line
containing "ILOVEYOU":
:0 D
* ^Subject:[[tab] ]+ILOVEYOU
/dev/null
Note that in all of these examples, [tab] represents a literal tab
character, and must be replaced with one for this to work correctly.
It is important to note that these three methods, as described, do not
prevent the worm from spreading if the Subject: line of the email has
changed. Administrators can use more complicated procmail rules to
block the worm based on the body of the email, but such methods
require more processing time on mail servers, and may not be feasible
at sites with high volumes of email traffic.
Exercise Caution When Opening Attachments
Exercise caution with attachments in email. Users should disable
auto-opening or previewing of email attachments in their mail
programs. Users should never open attachments from an untrusted
origin, or that appear suspicious in any way.
Appendix A. Anti-Virus Vendor Information
Aladdin Knowledge Systems
http://www.aks.com/home/csrt/valerts.asp
Command Software Systems, Inc.
http://www.command.co.uk/html/virus/love.html
http://www.commandcom.com/virus/love.html
Computer Associates
http://www.ca.com/virusinfo/virusalert.htm
F-Secure
http://www.f-secure.com/download-purchase/updates.html
Finjan Software, Ltd.
http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34
McAfee / Network Associates
http://vil.nai.com/villib/dispVirus.asp?virus_k=98617
http://www.cert.org/advisories/CA-2000-04/nai.dat
(This file is also included at the end of this message.)
Proland Software
http://www.pspl.com/virus_info/worms/loveletter.htm
Sophos
http://www.sophos.com/virusinfo/analyses/vbsloveleta.html
http://www.sophos.com/virusinfo/analyses/trojloveleta.html
Symantec
http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
Trend Micro
http://www.antivirus.com/vinfo
_________________________________________________________________
The CERT Coordination Center would like to thank David Slade of Lucent
Technologies for their help in constructing this advisory. We thank
Christopher Lindsey for the providing the procmail rule.
_________________________________________________________________
The following people were involved in the creation of this document:
Jeff Carpenter, Cory Cohen, Chad Dougherty, Ian Finlay, Kathy Fithen,
Rhonda Green, Robert Hanson, Jeff Havrilla, Shawn Hernan, Kevin Houle,
Brian King, Jed Pickel, Joseph Pruzynski, Robin Ruefle, John Schaffer,
and Mark Zajicek
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2000-04.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2000 Carnegie Mellon University.
Revision History
May 4, 2000: Initial release
This is the DAT file provided by Network Associates:
- - ----8<--------8<--------8<--------8<--------8<--------8<--------8<----
134 178 156 177 9 51 219 241 94 28 193 220 123 86 193 214
121 71 232 193 178 50 157 76 9 177 143 178 13 152 153 147
13 55 142 176 95 118 192 176 73 122 192 177 66 125 137 143
69 103 192 199 235 49 141 163 196 63 6 85 231 198 113 62
236 223 122 69 241 197 249 6 35 204 141 183 13 56 193 252
91 118 160 255 72 103 217 246 95 59 223 246 74 97 216 253
94 27 136 251 89 126 193 155 3 96 221 225 72 114 201 231
66 118 192 242 68 127 165 190 143 57 136 157 122 92 255 222
13 51 140 179 25 125 138
10643 256 10425 VBS/LoveLetter
105 178 157 176 77 51 221 228 94 127 226 197 104 127 232 199
121 86 255 76 9 162 143 179 14 146 136 56 204 247 92 119
242 55 28 177 12 48 44 187 141 245 40 22 141 245 40 22
214 50 140 48 15 47 137 18 3 244 73 100 199 253 8 56
134 184 65 54 192 247 92 105 12 50 95 186 13 2 222 128
8 115 136 76 5 62 15 182 13 51 141 178 13 39 64 177
2 51 30 182 162 115 141 179 181 52
9899 256 10425 PWSLoveLetter
107 178 156 176 9 51 196 225 78 28 193 220 123 86 193 214
121 71 232 193 242 55 15 177 12 51 44 187 243 197 107 68
225 198 124 75 235 49 221 178 196 57 123 83 230 210 8 50
230 223 107 93 121 134 145 139 13 49 141 184 65 124 219 246
32 127 200 231 89 118 223 184 75 124 223 158 84 124 216 157
69 103 192 190 143 54 141 179 13 50 141 167 67 160 136 179
9 51 214 192 158 54 141 183 13 104 222 180
9593 256 10425 IRC/LoveLetter
- - ----8<--------8<--------8<--------8<--------8<--------8<--------8<----
This DAT file is also located at:
http://www.cert.org/advisories/CA-2000-04/nai.dat
- -----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQCVAwUBORIXEFFO4fmE3w/VAQEWZwQApwMZx3etImFUH3GZ2v2kweeQtKWmH7re
jhzwt/uNyZzfRLHLTU68AcpKASFEooleO9KRYcolgoO0kAuL4ERKtLc/eid3A+Q/
apP6v8RT9wcDLg3wlbWqqvkdijdCX0L1nSkM6oR4vrGTRFe0OTxQtndYlbupw1gJ
5CpHT6/fDaE=
=CoQt
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOXXSMSh9+71yA2DNAQGzdAQAm1SeebAKztNgYTFCuXP1vSUJYhXBbGzj
zNuqnWXgUpICjLeAAu+lIaHp7zNy8SycRpk1/e5+jaIKSiMOojoLDLcA5LT+VQwB
ooY0phqrRLbrREfs8oe04MTIov3nIia7kmMcNImEShryjUqpo/eje8gDlmj2WXaD
6pHnwGz5hkQ=
=Z4Vg
-----END PGP SIGNATURE-----