SecurityFocus 2000-05-05
Update: The very latest on what the LoveLetter worm does, and how to stop it.
To stop the spread, download updates for your antivirus product from your vendor. They all have some type of fix by now, but some antivirus vendor websites may be unavailable under the high load.
Aladdin:
CA:
Datafellows:
DrSolomon:
F-Secure:
Finjan:
McAfee:
NAI:
Proland:
Sophos:
Symantec:
TrendMicro:
Do not open Visual Basic Script attachments in email (.VBS), and do not accept DCCs on IRC from strangers (or friends, for that matter) unless you know what you are receiving.
If you have already been infected, there is a good description of how to disinfect a system manually
The worm spreads via email as an attachment, and via IRC as a DCC download.
The first thing the worm does when executed is save itself to three different locations: Under the system directory as MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs, and under the windows directory as Win32DLL.vbs.
It then creates a number of registry entries to execute these programs when the machine restarts. These entries are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
It will also modify Internet Explorer's start page to point to a web page that downloads a binary called WIN-BUGSFIX.exe. It randomly selects between four different URLs [redacted]:
http://www.skyinet.net/~young1s/[...]/WIN-BUGSFIX.exe
http://www.skyinet.net/~angelcat/[...]/WIN-BUGSFIX.exe
http://www.skyinet.net/~koichi/[...]/WIN-BUGSFIX.exe
http://www.skyinet.net/~chu/[...]/WIN-BUGSFIX.exe
This means the worm has a dynamic component that may change its behavior any time the binary is changed and a new one downloaded. It seems the WIN-BUGSFIX.exe file will email any cached passwords to MAILME@SUPER.NET.PH.
The worm then changes a number of registry keys to run the downloaded binary and to clean up after itself.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page = about:blank
The worm then creates an HTML file that helps it spread, LOVE-LETTER-FOR-YOU.HTM. This is the file DCC'ed to others on IRC. It then spreads to all addresses in the Windows Address Book by sending the file LOVE-LETTER-FOR-YOU.TXT.vbs as an attachment. The email begins:
kindly check the attached LOVELETTER coming from me.
After sending itself out, the virus searches all attached drives for files with certain extensions. It overwrites files ending with vbs and vbe. It overwrites files ending with js, jse, css, wsh, sct, and hta, and then renames them to end with vbs. It overwrites files ending with jpg and jpeg and appends .vbs to their name. For files ending with mp2 and mp3 it creates vbs files with the same name and sets the hidden attribute on the original mp* files.
The worm will infect these files in mapped network drives, so it can spread across the network via file shares. When someone opens those files the worm will execute and infect their system.
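The file-system damage described above leaves a recognizable pattern on a share: the dropped copies, images renamed to .vbs, media files with a same-name .vbs companion, and the worm's own "rem barok" comment. The following scanner is an added example written for this page, not code from the original article; it walks a directory tree (a mapped drive, for instance) and reports which of those artefacts each file matches. The sample tree it builds is constructed for the demo and does not contain the real worm.

```python
import os
import tempfile

# Artefacts from the write-up: dropped copies, .jpg/.jpeg renamed to .vbs, .mp2/.mp3
# files given a same-name .vbs companion, and the "rem barok" comment in the script.
DROPPED_NAMES = {"mskernel32.vbs", "win32dll.vbs",
                 "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
IMAGE_EXT, MEDIA_EXT = (".jpg", ".jpeg"), (".mp2", ".mp3")
MARKER = b"rem barok -loveletter"

def classify(path, siblings_lower):
    """Return the reasons a file looks like a LoveLetter artefact ([] if none)."""
    reasons = []
    ln = os.path.basename(path).lower()
    if ln in DROPPED_NAMES:
        reasons.append("dropped-file")
    if ln.endswith(".vbs"):
        stem = ln[:-4]
        if stem.endswith(IMAGE_EXT):
            reasons.append("image-renamed-to-vbs")
        if any(stem + ext in siblings_lower for ext in MEDIA_EXT):
            reasons.append("media-companion-vbs")
        with open(path, "rb") as fh:          # signature check on the script head
            if MARKER in fh.read(4096).lower():
                reasons.append("loveletter-comment")
    return reasons

def scan_tree(root):
    """Walk root (e.g. a mapped share) and map relative paths to their reasons."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        siblings = {n.lower() for n in names}
        for n in names:
            reasons = classify(os.path.join(dirpath, n), siblings)
            if reasons:
                hits[os.path.relpath(os.path.join(dirpath, n), root)] = reasons
    return hits

def demo():
    # Constructed sample tree in a temp dir; contents are stand-ins, not real samples.
    root = tempfile.mkdtemp(prefix="loveletter-demo-")
    samples = {"MSKernel32.vbs": b"rem barok -loveletter(vbe) i hate go to school\r\n",
               "holiday.jpg.vbs": b"REM barok -loveletter(vbe)\r\n",
               "song.mp3": b"\xff\xfb" + b"\x00" * 16,
               "song.vbs": b"rem barok -loveletter(vbe)\r\n",
               "clean.vbs": b'WScript.Echo "hello"\r\n'}
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return scan_tree(root)
```

Point scan_tree at a mounted share to list the files that need restoring from backup; the hidden originals of mp2/mp3 files survive and only the .vbs companions need removing.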
It then looks for the mIRC Windows IRC client and, if found, overwrites its script.ini file. The modified file makes the client DCC the LOVE-LETTER-FOR-YOU.HTM file to anyone who joins a channel the client is in.
The worm has a comment that may or may not indicate the author:
rem barok -loveletter(vbe) i hate go to school
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
You can download the source of the worm here.
It now seems a couple of variations of the worm are going around. At least one uses a subject line of "Joke" or "fw: Joke" and the attachment is called VeryFunny.vbs. Thanks to Patrick Cantwell and Mitchell Patenaude for pointing this out. Another spreads with a subject of "Mothers Day Order Confirmation".
At least in some instances it appears that tabs in the virus code have been changed to spaces. That means the code looks the same, but it's not. Some antivirus products may be fooled by this. Trend Micro Interscan for mail servers, Solaris version, seems to be affected. Thanks to Brett Dikeman for pointing this out.
If you're a network administrator and you control your mail server, you should try to configure it to stop messages with attachments ending in .vbs. There seem to be some patches to sendmail dating from when Melissa came out that do just that. You may also want to filter all email going out to MAILME@SUPER.NET.PH and block the downloading of WIN-BUGSFIX.exe in your HTTP proxy.
Jose Nazario has been kind enough to put up a
Zoa Chien pointed out that the WIN-BUGSFIX.exe program connects to the SMTP server at 199.108.232.1 port 25 to send out its email message. You should block the address at your firewall. The message looks as follows:
To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Host: kakker
Username: Default
IP Address: 10.67.101.123
RAS Passwords:
Cache Passwords:
BLABLA\MPM : xxx
BJORN\MUSIC : xxx
TOM\SHARED : xxx
TOM2\MP3 : xxx
www.server.com/: xxx:xxx
MAPI : MAPI
where all xxx's stand for plaintext usernames and passwords of SMB shares in the subnet.
Matt Davis points out that you can modify John D. Hardin's procmail filters to stop the worm. You can find them
Adele Shakal pointed out that Sendmail.com has a rule to filter the worm based on the subject header, available
For Exchange, Steve Willocks recommends Mail Essentials for Exchange/SMTP. It's a commercial product that you configure to block messages based on types of attachments or keyword matches, among other features. You can find it
CERT has a
VARIANTS
--------
Toni Tiainen from F-Secure reports a new variant they are calling LoveLetter.E which spreads with a subject of "Mothers Day Order Confirmation" with a message body of (indented two spaces):
Thanks for your purchase!
We have proceeded to charge your credit card for the amount of $326.92 for
the mothers day diamond special. We have attached a detailed invoice to this
email. Please print out the attachment and keep it in a safe place.
Thanks Again and Have a Happy Mothers Day!
The attachment is named "mothersday.vbs". This variant deletes all files with an extension of ".bat". F-Secure Anti-Virus for Firewalls with the latest signature file can detect and delete this variant. For more info check out
There is a variant called LoveLetter.B which has a subject of "Susitikim shi vakara kavos puodukui...".
Brian Moore reports seeing at least one variant where the VBS virus was not an attachment but it was instead uuencoded. This may fool antivirus products. Look out for the string "begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs" in the message. Could this be the result of some MTA rewriting the message?
Trend Micro has released pattern file number 695, which includes definitions to detect the tabs-to-spaces variant described above.
Sean Malloy is warning us that changing the virus to use a WSF extension instead of VBS is just as effective. WSF stands for Windows Scripting File. Antivirus vendors that want to be proactive might want to add this extension to their signatures.
It seems the "fwd: Joke" variant attachment is "Very Funny.vbs" (note the space) and not "VeryFunny.vbs". Or maybe it's a new variant.
FILTERING
---------
As many of you pointed out, filtering based on the subject line is less than perfect. Sadly that is the best you can do with many MTAs without some hacking. If others can come up with ways to filter based on attachments let us know. If you can filter by attachment look out for files with these extensions: VBS, VBE, WSF, WSH, HTA.
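Where the MTA can hand a message to a script, filtering by attachment name is straightforward, and the same pass can catch the uuencoded variant (the "begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs" line mentioned under VARIANTS) that has no attachment header at all. The checker below is an added example for this page, not code from the article or from any of the filters it links to; it uses Python's standard email parser, the extension list from this section, and the variant subjects reported above. The three messages are constructed samples.

```python
import email
import re
from email import policy

# Extensions the FILTERING section says to block, plus subjects the variants use.
BLOCKED_EXT = (".vbs", ".vbe", ".wsf", ".wsh", ".hta")
KNOWN_SUBJECTS = {"iloveyou", "joke", "fw: joke", "fwd: joke", "mothers day order confirmation"}
# An inline uuencoded copy has no attachment header, so the body text is checked
# for a "begin <mode> <name>" line whose name carries a blocked extension.
UUENCODE_RE = re.compile(r"^begin \d{3} (\S+)$", re.MULTILINE | re.IGNORECASE)

def check_message(raw):
    """Return the reasons a raw RFC 822 message should be rejected ([] if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append("subject:" + subject)
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXT):
            reasons.append("attachment:" + name)
        if part.get_content_maintype() == "text":
            for m in UUENCODE_RE.finditer(part.get_content()):
                if m.group(1).lower().endswith(BLOCKED_EXT):
                    reasons.append("uuencoded:" + m.group(1))
    return reasons

# Constructed sample messages (not real captures).
SAMPLE_MIME = """\
Subject: ILOVEYOU
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--XX
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

rem barok -loveletter(vbe)
--XX--
"""
SAMPLE_UU = """\
Subject: fw: Joke

begin 600 LOVE-LETTER-FOR-YOU.TXT.vbs
end
"""
SAMPLE_CLEAN = "Subject: lunch?\n\nsee you at noon\n"
```

Subject matching alone would miss a relabelled copy, which is why the attachment and uuencode checks run on every message regardless of subject.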
Jose Nazario has updated his sendmail rules. As suggested by Keith Petersen it now generates 501 errors (rather than 553's, which causes an Exchange server to keep retrying delivery) and it now handles the Joke variants. You can find it
RECOVERY SCRIPTS
----------------
Dave Salovesh points out correctly that my comment about the
David E Haasnoot has
OTHER SOLUTIONS
---------------
Chris Needham had the clever idea of asking skyinet.net, the ISP that hosts the web pages for the WIN-BUGSFIX.exe program, to replace those pages with a page informing users they are infected and giving instructions on how to fix their systems. Of course, this is not likely to happen, but local ISPs can redirect these URLs in their proxies to help their customers.
Steve Parker points out a way to stop the worm from propagating (at least via email). The worm uses the OLE automation object for Outlook to send the infected messages. It obtains a handle to this object via the following VBS line:
set out=WScript.CreateObject("Outlook.Application")
"Outlook.Application" references a registry key under HKEY_CLASSES_ROOT. That key references the CLSID of the OLE automation object for Outlook. If that key is deleted or renamed, or the CLSID value is changed, VB code will not be able to automate Outlook, and hence the worm will not be able to propagate itself via email.
Steve tested this technique and it does not appear to break Outlook. It did, however, break the Palm HotSync manager.
