 
Ok, this thing is pretty nasty... Here is a quick summary of what it does.
Should you run it, you will lose any files of the following extensions. They will be renamed to filename.extension.vbs with a fresh copy of the replication part.
File extensions affected: vbs,vbe,js,jse,css,wsh,sct,hta,jpg,jpeg,mp2,mp3.
Every file with that extension is overwritten with the virus. It looks to be localized to mounted hard drives. It does not appear to affect mapped network drives.
It also makes a dozen or so registry entries including one to reset your start page to the following URL.
http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwer...
I have not gone to this URL yet to see what it is, but it downloads a copy of a file called WIN-BUGSFIX.exe.
In addition, it creates a MIRC script called script.ini to DCC SEND this to whatever channel you are on.
Of course it sends it to everyone in your address book with the subject ILOVEYOU.
It looks to only affect people who actually run the vbs script. I would assume that if you are not on a Windows platform that you are not affected.
I'll let you know more when we find more.
Cheers,
Branden R. Williams <brw@netvitality.net> Vice President, Systems - NetVitality, Inc. http://www.netvitality.net/ Internet Commerce Specialists
 
On Thu, 4 May 2000, Branden R. Williams wrote:
> Should you run it, you will lose any files of the following extensions. They will be renamed to filename.extension.vbs with a fresh copy of the replication part.
Actually it is a fresh copy of the entire virus. Sorry for the confusion.
Cheers,
Branden R. Williams <brw@netvitality.net> Vice President, Systems - NetVitality, Inc. http://www.netvitality.net/ Internet Commerce Specialists
 
Symantec is unreachable (of course).
Does anyone have any info on patches/fixes etc?
Also, if you use sendmail, there is a patch available for Sendmail 8.9.x ... doesn't work with 8.10.x - available in the normal places - which will stop the virus at your gateway..
"Branden R. Williams" wrote:
> On Thu, 4 May 2000, Branden R. Williams wrote:
> > Should you run it, you will lose any files of the following extensions. They will be renamed to filename.extension.vbs with a fresh copy of the replication part.
> Actually it is a fresh copy of the entire virus. Sorry for the confusion.
> Cheers,
> Branden R. Williams <brw@netvitality.net> Vice President, Systems - NetVitality, Inc. http://www.netvitality.net/ Internet Commerce Specialists
-- Rodney Joffe CenterGate Research Group, LLC. http://www.centergate.com "Technology so advanced, even we don't understand it!"(SM)
 
Just block .vsd files from coming in. Filter them all at the border (thanks msft).
I guess most of us are running unix based mailers so we don't get to see the effects/affects of these great news worthy viruses.
can anyone tell me one time they could not do their job cause they couldn't read a .vsd file?
If you look at the .vsd file, you see it is very easy to re-do, send some other string and on its way it goes to destroy mail servers around the world. Without blocking all .vsd files at the border, these DOS attacks will flood our emails over the next few weeks.
just my two cents....
On Thu, 4 May 2000, Rodney Joffe wrote:
> Symantec is unreachable (of course).
> Does anyone have any info on patches/fixes etc?
> Also, if you use sendmail, there is a patch available for Sendmail 8.9.x ... doesn't work with 8.10.x - available in the normal places - which will stop the virus at your gateway..
> "Branden R. Williams" wrote:
> > On Thu, 4 May 2000, Branden R. Williams wrote:
> > > Should you run it, you will lose any files of the following extensions. They will be renamed to filename.extension.vbs with a fresh copy of the replication part.
> > Actually it is a fresh copy of the entire virus. Sorry for the confusion.
> > Cheers,
> > Branden R. Williams <brw@netvitality.net> Vice President, Systems - NetVitality, Inc. http://www.netvitality.net/ Internet Commerce Specialists
> -- Rodney Joffe CenterGate Research Group, LLC. http://www.centergate.com "Technology so advanced, even we don't understand it!"(SM)
 
.vsd is a visio drawing. Did you mean .vbs?
We've quarantined a _bunch_ so far.
-ls-
Christian Nielsen <cnielsen@nielsen.net> wrote:
> Just block .vsd files from coming in. Filter them all at the border (thanks msft).
> I guess most of us are running unix based mailers so we don't get to see the effects/affects of these great news worthy viruses.
> can anyone tell me one time they could not do their job cause they couldn't read a .vsd file?
> If you look at the .vsd file, you see it is very easy to re-do, send some other string and on its way it goes to destroy mail servers around the world. Without blocking all .vsd files at the border, these DOS attacks will flood our emails over the next few weeks.
> just my two cents....
> On Thu, 4 May 2000, Rodney Joffe wrote:
> > Symantec is unreachable (of course).
> > Does anyone have any info on patches/fixes etc?
> > Also, if you use sendmail, there is a patch available for Sendmail 8.9.x ... doesn't work with 8.10.x - available in the normal places - which will stop the virus at your gateway..
> > "Branden R. Williams" wrote:
> > > On Thu, 4 May 2000, Branden R. Williams wrote:
> > > > Should you run it, you will lose any files of the following extensions. They will be renamed to filename.extension.vbs with a fresh copy of the replication part.
> > > Actually it is a fresh copy of the entire virus. Sorry for the confusion.
> > > Cheers,
> > > Branden R. Williams <brw@netvitality.net> Vice President, Systems - NetVitality, Inc. http://www.netvitality.net/ Internet Commerce Specialists
> > -- Rodney Joffe CenterGate Research Group, LLC. http://www.centergate.com "Technology so advanced, even we don't understand it!"(SM)
 
Hate to followup on my own email.. .vbs files need to be blocked. not .vsd. working with visio the past few days :)
and for those who were hit, you need to remove this file c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs") from your system.
I also see that there are some very nice providers announcing the /24 for skyinet.net. thanks to them for helping the internet at large.
Christian
On Thu, 4 May 2000, Christian Nielsen wrote:
> Just block .vsd files from coming in. Filter them all at the border (thanks msft).
> I guess most of us are running unix based mailers so we don't get to see the effects/affects of these great news worthy viruses.
> can anyone tell me one time they could not do their job cause they couldn't read a .vsd file?
> If you look at the .vsd file, you see it is very easy to re-do, send some other string and on its way it goes to destroy mail servers around the world. Without blocking all .vsd files at the border, these DOS attacks will flood our emails over the next few weeks.
> just my two cents....
> On Thu, 4 May 2000, Rodney Joffe wrote:
> > Symantec is unreachable (of course).
> > Does anyone have any info on patches/fixes etc?
> > Also, if you use sendmail, there is a patch available for Sendmail 8.9.x ... doesn't work with 8.10.x - available in the normal places - which will stop the virus at your gateway..
> > "Branden R. Williams" wrote:
> > > On Thu, 4 May 2000, Branden R. Williams wrote:
> > > > Should you run it, you will lose any files of the following extensions. They will be renamed to filename.extension.vbs with a fresh copy of the replication part.
> > > Actually it is a fresh copy of the entire virus. Sorry for the confusion.
> > > Cheers,
> > > Branden R. Williams <brw@netvitality.net> Vice President, Systems - NetVitality, Inc. http://www.netvitality.net/ Internet Commerce Specialists
> > -- Rodney Joffe CenterGate Research Group, LLC. http://www.centergate.com "Technology so advanced, even we don't understand it!"(SM)
 
On 4 May 00, at 9:10, Rodney Joffe wrote:
> Does anyone have any info on patches/fixes etc?
Tim Cartwright here at Splitrock has written a cleaner (attached).
-- Mark Borchers Splitrock Services Network Engineering 9012 New Trails Dr. (281) 465-1200 The Woodlands, TX 77381 mborchers@splitrock.net http://www.splitrock.net/
 
> Also, if you use sendmail, there is a patch available for Sendmail 8.9.x ... doesn't work with 8.10.x - available in the normal places - which will stop the virus at your gateway..
http://www2.sendmail.com/loveletter/
and it says it works in all versions of sendmail 8.9.x and above...perhaps you were looking at something else?
-- |-----< "CODE WARRIOR" >-----| codewarrior@daemon.org * "ah! i see you have the internet twofsonet@graffiti.com (Andrew Brown) that goes *ping*!" andrew@crossbar.com * "information is power -- share the wealth."
 
Andrew Brown wrote:
> > Also, if you use sendmail, there is a patch available for Sendmail 8.9.x ... doesn't work with 8.10.x - available in the normal places - which will stop the virus at your gateway..
> http://www2.sendmail.com/loveletter/
> and it says it works in all versions of sendmail 8.9.x and above...perhaps you were looking at something else?
At the time, only the 8.9.x was available.
Because I am not a conspiracy theorist, I probably don't think that this was a grand way for Metallica to solve the napster problem in one broad swoop. The virus nails all .mp2 and .mp3 files, as well as .jpg and .jpg. :-)
> -- |-----< "CODE WARRIOR" >-----| codewarrior@daemon.org * "ah! i see you have the internet twofsonet@graffiti.com (Andrew Brown) that goes *ping*!" andrew@crossbar.com * "information is power -- share the wealth."
-- Rodney Joffe CenterGate Research Group, LLC. http://www.centergate.com "Technology so advanced, even we don't understand it!"(SM)
 
> I would assume that if you are not on a Windows platform that you are not affected.
You are safe from most of these as long as you don't use a mailer that wantonly executes VB script. Outlook for Windows is the specific culprit, not Windows.
-- Eric A. Hall ehall@ehsco.com +1-650-685-0557 http://www.ehsco.com
 
AFAICT, Frontpage server extensions, under many flavors of *nix, can also execute VBS files, as can the ChiliSoft ASP stuff.
BTW, VSD files are Visio drawings. You want to block VBS files.
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Eric A. Hall
Sent: Thursday, May 04, 2000 11:08 AM
To: Branden R. Williams
Cc: nanog@merit.edu; bugtraq@securityfocus.com
Subject: Re: Virus Update
> I would assume that if you are not on a Windows platform that you are not affected.
You are safe from most of these as long as you don't use a mailer that wantonly executes VB script. Outlook for Windows is the specific culprit, not Windows.
-- Eric A. Hall ehall@ehsco.com +1-650-685-0557 http://www.ehsco.com
 
Mutations have also been spreading.
Look out for messages with a subject line of "fwd: Joke" and an attachment named "Very Funny.vbs". Aside from the name change it's identical to "I LOVE YOU".
Rachel
==============================================
Rachel Luxemburg rslux@link-net.com
Visit SoundAmerica http://soundamerica.com
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Roeland Meyer (E-mail)
Sent: Thursday, May 04, 2000 1:40 PM
To: 'Eric A. Hall'; 'Branden R. Williams'
Cc: nanog@merit.edu; bugtraq@securityfocus.com
Subject: RE: Virus Update
AFAICT, Frontpage server extensions, under many flavors of *nix, can also execute VBS files, as can the ChiliSoft ASP stuff.
BTW, VSD files are Visio drawings. You want to block VBS files.
 
On Thu, 4 May 2000, Rachel Luxemburg wrote:
> Mutations have also been spreading.
> Look out for messages with a subject line of "fwd: Joke" and an attachment named "Very Funny.vbs". Aside from the name change it's identical to "I LOVE YOU".
Yes, see my earlier email about this. That is why it was suggested for everyone to filter all .vbs files from their mail systems. Who really needs .vbs files anyways? Who runs .exe when they come in via email? Who runs any program. If you send me a .exe or anything that can run, it goes in the trash (ok /dev/null/).
Didn't some people get hit with high phone charges last year or so when they downloaded some porn .exe file and it changed their dialup information?
education is the key here...
Christian
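
Added example, not part of any message in the thread: a sketch of the gateway check the posters converge on, rejecting mail whose attachment name ends in .vbs, including renamed variants such as "Very Funny.vbs" and double-extension names like LOVE-LETTER-FOR-YOU.TXT.vbs. The function names, the sample message and every blocked extension other than .vbs are assumptions made for illustration.

```python
import email
from email import policy

# .vbs is the thread's target; the other script types are an assumption.
BLOCKED_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}

def classify_filename(name):
    """Return (blocked, reason) for one attachment filename."""
    # Windows ignores trailing dots and spaces, so "x.vbs. " is still .vbs.
    cleaned = name.strip().rstrip(". ").lower()
    parts = cleaned.rsplit(".", 2)
    if len(parts) < 2 or "." + parts[-1] not in BLOCKED_EXTS:
        return (False, "")
    ext = "." + parts[-1]
    if len(parts) == 3 and parts[1].isalnum():
        return (True, f"script {ext} disguised behind .{parts[1]}")
    return (True, f"script attachment {ext}")

def scan_message(raw_bytes):
    """Return [(filename, reason)] for every blocked MIME part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        # Content-Disposition filename, else the Content-Type name parameter
        name = part.get_filename() or ""
        blocked, reason = classify_filename(name)
        if blocked:
            hits.append((name, reason))
    return hits

# Constructed sample message; the attachment bodies are placeholders.
SAMPLE = b"""\
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

placeholder
--b1
Content-Disposition: attachment; filename="drawing.vsd"

placeholder
--b1--
"""

if __name__ == "__main__":
    for name, reason in scan_message(SAMPLE):
        print(f"REJECT {name}: {reason}")
```

Matching on the extension rather than the subject line or the attachment's base name is what keeps the check effective against the renamed copies reported in the thread.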
participants (9)
- Andrew Brown
- Branden R. Williams
- Christian Nielsen
- Eric A. Hall
- Larry Snyder
- Mark Borchers
- Rachel Luxemburg
- Rodney Joffe
- Roeland Meyer (E-mail)