-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2000-04 Love Letter Worm

   Original release date: May 4, 2000
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Systems running Microsoft Windows with Windows Scripting Host enabled

Overview

   The "Love Letter" worm is a malicious VBScript program which spreads in a
   variety of ways. As of 2:00pm EDT (GMT-4) May 4, 2000, the CERT
   Coordination Center has received reports from more than 250 individual
   sites indicating more than 300,000 individual systems are affected. In
   addition, we have several reports of sites suffering considerable
   network degradation as a result of mail, file, and web traffic generated
   by the "Love Letter" worm.

I. Description

   You can be infected with the "Love Letter" worm in a variety of ways,
   including electronic mail, Windows file sharing, IRC, USENET news and
   possibly via web pages. Once the worm has executed on your system, it
   will take the actions described in the Impact section.

   Electronic Mail

   When the worm executes, it attempts to send copies of itself using
   Microsoft Outlook to all the entries in all the address books. The mail
   it sends has the following characteristics:

     * An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS"
     * A subject of "ILOVEYOU"
     * A body which reads "kindly check the attached LOVELETTER coming
       from me."

   Because the worm mails itself to the infected user's own address book
   entries, people who receive it will most likely recognize the sender; a
   familiar sender is therefore no indication that the attachment is safe.
   Note also that, once saved to disk, the default Windows Explorer setting
   of hiding extensions for known file types displays the attachment as
   "LOVE-LETTER-FOR-YOU.TXT", so it looks like a plain text file. We
   encourage people to avoid executing code, including VBScripts, received
   through electronic mail, regardless of the sender, without firsthand
   prior knowledge of the origin of the code.

   Internet Relay Chat

   When the worm executes, it will attempt to create a file named
   script.ini in any directory that contains certain files associated with
   the popular IRC client mIRC. The script file will attempt to send a copy
   of the worm via DCC to other people in any IRC channel joined by the
   victim.
   We encourage people to disable automatic reception of files via DCC in
   any IRC client.

   Executing Files on Shared File Systems

   When the worm executes, it will search for certain types of files and
   replace them with a copy of the worm (see the Impact section for more
   details). Executing (double clicking) files modified by other infected
   users will result in executing the worm. Files modified by the worm may
   also be started automatically, for example from a startup script.

   Reading USENET News

   There have been reports of the worm appearing in USENET newsgroups. The
   suggestions above should be applied to users reading messages in USENET
   newsgroups.

II. Impact

   When the worm is executed, it takes the following steps:

   Replaces Files with Copies of the Worm

   When the worm executes, it will search for certain types of files and
   make changes to those files depending on the type of file. For files on
   fixed or network drives, it will take the following steps:

     * For files whose extension is vbs or vbe, it will replace those files
       with a copy of itself.
     * For files whose extension is js, jse, css, wsh, sct, or hta, it will
       replace those files with a copy of itself and change the extension
       to vbs. For example, a file named x.css will be replaced with a file
       named x.vbs containing a copy of the worm.
     * For files whose extension is jpg or jpeg, it will replace those
       files with a copy of the worm and add a vbs extension. For example,
       a file named x.jpg will be replaced by a file called x.jpg.vbs
       containing a copy of the worm.
     * For files whose extension is mp3 or mp2, it will create a copy of
       itself in a file named with a vbs extension in the same manner as
       for a jpg file (x.mp3 gains a companion x.mp3.vbs). The original
       file is preserved, but its attributes are changed to hidden.

   Since the modified files are overwritten by the worm code rather than
   being deleted, file recovery is difficult and may be impossible; the
   only reliable way to get the original content back is to restore it
   from backup. Users executing files that have been modified in this step
   will cause the worm to begin executing again.
   If these files are on a filesystem shared over a local area network, new
   users may be affected.

   Creates an mIRC Script

   While the worm is examining files as described in the previous section,
   it may take additional steps to create a mIRC script file. If the file
   name being examined is mirc32.exe, mlink32.exe, mirc.ini, script.ini or
   mirc.hlp, the worm will create a file named script.ini in the same
   folder. The script.ini file will contain:

       [script]
       n0=on 1:JOIN:#:{
       n1= /if ( $nick == $me ) { halt }
       n2= /.dcc send $nick DIRSYSTEM\LOVE-LETTER-FOR-YOU.HTM
       n3=}

   where DIRSYSTEM varies based on the platform where the worm is executed.
   If the file script.ini already exists, no changes occur. This code
   defines a JOIN event handler: whenever another user joins a channel the
   victim is on, the script offers that user a copy of the worm (in its
   LOVE-LETTER-FOR-YOU.HTM form) via DCC; the $nick == $me check only
   skips the victim's own joins. The script.ini file is created only once
   per folder processed by the worm.

   Modifies the Internet Explorer Start Page

   If the file \WinFAT32.exe exists, the worm sets the Internet Explorer
   Start page to one of four randomly selected URLs. These URLs all refer
   to a file named WIN-BUGSFIX.exe, which presumably contains malicious
   code. The worm checks for this file in the Internet Explorer downloads
   directory, and if found, it is added to the list of programs to run at
   reboot. The Internet Explorer Start page is then reset to
   "about:blank". Information about the impact of running WIN-BUGSFIX.exe
   will be added to this document as soon as it is available.

   Sends Copies of Itself via Email

   The worm will attempt to use Microsoft Outlook to send copies of itself
   to all entries in all address books as described in the Description
   section.
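   The file-replacement and mIRC artifacts described above are what an
   administrator has to hunt for on every fixed and shared drive after an
   infection. The following sweep script is an added example for this
   advisory, not CERT/CC code or any vendor's tool. It contains no worm
   code and executes nothing it finds: it flags "<name>.<jpg|jpeg|mp3|mp2>.vbs"
   companion files by name, .vbs/.vbe files by a content marker (the string
   LOVE-LETTER-FOR-YOU, used here as a stand-in signature), and script.ini
   files carrying the DCC-send handler. The directory tree it scans is
   constructed inside the script for demonstration.

```python
"""Sweep a directory tree for the file-system artifacts of the Love Letter worm.

Added example for CERT Advisory CA-2000-04, not CERT/CC code. It contains no
worm code; it only looks for the side effects described in the Impact section.
The sample tree built by build_sample_tree() is constructed for demonstration,
and LOVE-LETTER-FOR-YOU is used as a stand-in content signature.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

WORM_MARKER = "love-letter-for-you"         # appears in the attachment and mIRC file names
# Media files the worm keeps (hidden) but shadows with "<name>.<ext>.vbs".
COMPANION_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}
# Script extensions the worm overwrites in place; a replaced .css/.js/... also
# ends up as a .vbs, so the only reliable tell for those is the content.
SCRIPT_EXTS = {".vbs", ".vbe"}


def is_companion_name(path: Path) -> bool:
    """True for names like holiday.jpg.vbs: a .vbs dropped beside a media file."""
    suffixes = [s.lower() for s in path.suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".vbs" and suffixes[-2] in COMPANION_EXTS


def contains_marker(path: Path) -> bool:
    """Cheap content signature: the worm's own source names LOVE-LETTER-FOR-YOU."""
    try:
        return WORM_MARKER in path.read_text(errors="replace").lower()
    except OSError:
        return False


def script_ini_is_dropper(path: Path) -> bool:
    """The worm's script.ini DCC-sends LOVE-LETTER-FOR-YOU.HTM on channel join."""
    try:
        text = path.read_text(errors="replace").lower()
    except OSError:
        return False
    return "dcc send" in text and WORM_MARKER in text


def sweep(root: Path) -> Dict[str, List[str]]:
    """Return root-relative paths of suspicious files, grouped by artifact type."""
    findings: Dict[str, List[str]] = {"companion_vbs": [], "script_vbs": [], "mirc_dropper": []}
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        for name in files:
            p = d / name
            rel = p.relative_to(root).as_posix()
            if is_companion_name(p):
                findings["companion_vbs"].append(rel)
            elif p.suffix.lower() in SCRIPT_EXTS and contains_marker(p):
                findings["script_vbs"].append(rel)
            elif name.lower() == "script.ini" and script_ini_is_dropper(p):
                findings["mirc_dropper"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}


PLACEHOLDER_VBS = "' placeholder standing in for worm code; carries only the marker LOVE-LETTER-FOR-YOU\n"
DROPPER_INI = (  # the script.ini shown in the Impact section, DIRSYSTEM left as written there
    "[script]\n"
    "n0=on 1:JOIN:#:{\n"
    "n1= /if ( $nick == $me ) { halt }\n"
    "n2= /.dcc send $nick DIRSYSTEM\\LOVE-LETTER-FOR-YOU.HTM\n"
    "n3=}\n"
)


def build_sample_tree() -> Path:
    """Constructed sample: one infected layout with a few clean files mixed in."""
    root = Path(tempfile.mkdtemp(prefix="loveletter-sweep-"))
    sample = {
        "photos/holiday.jpg": "fake jpeg, left in place (hidden attribute on Windows)",
        "photos/holiday.jpg.vbs": PLACEHOLDER_VBS,      # companion dropped by the worm
        "music/song.mp3.vbs": PLACEHOLDER_VBS,          # companion beside a hidden mp3
        "site/style.vbs": PLACEHOLDER_VBS,              # was style.css: overwritten and renamed
        "site/app.js": "console.log('untouched');\n",
        "scripts/logon.vbs": 'MsgBox "legitimate logon script"\n',
        "mirc/mirc32.exe": "not a real binary",
        "mirc/script.ini": DROPPER_INI,
        "other/script.ini": "[script]\nn0=on 1:JOIN:#:{ /echo -a joined }\n",
    }
    for rel, content in sample.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


def demo() -> Dict[str, List[str]]:
    """Build the sample tree, sweep it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return sweep(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

   Run it against a real share by calling sweep(Path("/mnt/share")) instead
   of demo(). On Windows you would additionally list media files that now
   carry the hidden attribute next to a .vbs companion, and treat any .vbs
   hit as a file to restore from backup rather than to open.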
   Other Modified Registry Keys

   In addition to other changes, the worm updates the following registry
   keys. The Run and RunServices values give the worm persistence across
   reboots, so they must be checked and removed during cleanup:

       HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
       HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
       HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
       HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
       HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
       HKCU\Software\Microsoft\WAB\*

III. Solution

   Update Your Anti-Virus Product

   It is important for users to update their anti-virus software. Some
   anti-virus software vendors have released updated information, tools,
   or virus databases to help prevent and combat this worm. A list of
   vendor-specific anti-virus information can be found in Appendix A.

   Disable Windows Scripting Host

   Because the worm is written in VBS, it requires the Windows Scripting
   Host (WSH) to run. Disabling WSH prevents the worm from executing. For
   information about disabling WSH, see:

       http://www.sophos.com/support/faqs/wsh.html

   This change may disable functionality the user desires. Exercise caution
   when implementing this solution.

   Disable Active Scripting in Internet Explorer

   Information about disabling active scripting in Internet Explorer can be
   found at:

       http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps

   This change may disable functionality the user desires. Exercise caution
   when implementing this solution.

   Disable Auto-DCC Reception in IRC Clients

   Users of Internet Relay Chat (IRC) programs should disable automatic
   reception of files offered to them via DCC.

   Filter Virus in E-Mail

   Sites can use email filtering techniques to reject or delete messages
   whose Subject: line matches the one the worm uses.
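   As an added example (not part of the CERT advisory and not a vendor
   tool), the same filtering idea expressed as a Python classifier that a
   milter or content-filter hook could call on each message. It checks the
   three traits listed in the Description section independently: the
   Subject (also behind Re:/FW: prefixes), the attachment name, and the
   body text, so a message whose Subject has been edited is still caught by
   its attachment. The script-extension check on other attachment names is
   a generalisation beyond the advisory's rules, and the sample messages
   are constructed inside the script with a harmless placeholder in place
   of the worm.

```python
"""Classify an RFC 822 message by the Love Letter traits listed in CERT
Advisory CA-2000-04: Subject ILOVEYOU (also behind Re:/FW:, as the advisory's
sendmail rule does), an attachment named LOVE-LETTER-FOR-YOU.TXT.VBS, and the
body text.

Added example, not CERT/CC code. The sample messages are constructed here;
their "attachment" is a one-line placeholder, not the worm. SCRIPT_EXT_RE is
a generalisation beyond the advisory's rules.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional, Tuple

SUBJECT_RE = re.compile(r"^(?:(?:Re|FW):\s*)*ILOVEYOU", re.IGNORECASE)
WORM_ATTACHMENT_RE = re.compile(r"LOVE-LETTER-FOR-YOU", re.IGNORECASE)
BODY_MARKER = "kindly check the attached loveletter coming from me"
# Script types Windows Scripting Host will run; a decoy extension in front
# (x.TXT.VBS) changes nothing, because only the last extension counts.
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsh|sct|hta)$", re.IGNORECASE)


def classify(raw: bytes) -> Tuple[str, List[str]]:
    """Return ("REJECT" or "ACCEPT", reasons).

    Subject, attachment names and body are checked independently, so a
    changed Subject alone does not evade the filter.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons: List[str] = []
    subject = str(msg.get("Subject", ""))
    if SUBJECT_RE.search(subject):
        reasons.append(f"subject matches: {subject!r}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if WORM_ATTACHMENT_RE.search(name):
            reasons.append(f"worm attachment name: {name}")
        elif SCRIPT_EXT_RE.search(name):
            reasons.append(f"script attachment: {name}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content().lower():
        reasons.append("body text matches")
    return ("REJECT" if reasons else "ACCEPT"), reasons


WORM_BODY = "kindly check the attached LOVELETTER coming from me."


def sample_message(subject: str, attachment: Optional[str], body: str) -> bytes:
    """Constructed sample message; the attachment payload is a harmless placeholder."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"' placeholder, not worm code\r\n",
                         maintype="application", subtype="octet-stream",
                         filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    cases = [
        ("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.VBS", WORM_BODY),                # as sent by the worm
        ("Re: ILOVEYOU", None, "see subject"),                                  # reply, Subject only
        ("fwd: check this out", "LOVE-LETTER-FOR-YOU.TXT.VBS", "have a look"),  # Subject changed
        ("Lunch?", None, "See you at noon."),                                   # clean
    ]
    for subject, attachment, body in cases:
        print(subject, "->", classify(sample_message(subject, attachment, body)))
```

   Prefer returning REJECT at SMTP time over silently discarding: the
   sending site then sees the 5xx response and learns it has an infected
   host, which a /dev/null delivery never tells anyone.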
   For sites using Unix, here are some possible methods. Note that the
   sendmail and Postfix rules below reject the message at SMTP time (the
   sending server receives a 553 / REJECT response), while the procmail
   rule silently discards it at delivery.

   Sendmail

   The following sendmail rule will reject all messages whose Subject: line
   is ILOVEYOU, including "Re:" replies and "FW:" forwards of such a
   message:

       HSubject:[tab][tab][tab]$>Check_Subject
       D{MPat}ILOVEYOU
       D{MMsg}This message may contain the ILOVEYOU virus
       SCheck_Subject
       R${MPat} $*[tab]$#error $: 553 ${MMsg}
       RRe: ${MPat} $*[tab]$#error $: 553 ${MMsg}
       RFW: ${MPat} $*[tab]$#error $: 553 ${MMsg}

   Postfix

   Add the following line in /etc/postfix/header_checks:

       /^Subject: ILOVEYOU/ REJECT

   Header checks are only applied when main.cf enables them, for example
   with "header_checks = regexp:/etc/postfix/header_checks". As written,
   this pattern only matches a Subject: line that begins with ILOVEYOU; it
   does not catch "Re: ILOVEYOU" the way the sendmail rule does.

   Procmail

   This procmail rule discards to /dev/null any message whose Subject:
   line begins with "ILOVEYOU":

       :0 D
       * ^Subject:[[tab] ]+ILOVEYOU
       /dev/null

   Note that in all of these examples, [tab] represents a literal tab
   character, and must be replaced with one for this to work correctly.

   It is important to note that these three methods, as described, do not
   prevent the worm from spreading if the Subject: line of the email has
   changed. Administrators can use more complicated procmail rules to block
   the worm based on the body of the email or the attachment name, but
   such methods require more processing time on mail servers, and may not
   be feasible at sites with high volumes of email traffic.

   Exercise Caution When Opening Attachments

   Exercise caution with attachments in email. Users should disable
   auto-opening or previewing of email attachments in their mail programs.
   Users should never open attachments from an untrusted origin, or that
   appear suspicious in any way.

Appendix A. Anti-Virus Vendor Information

   Aladdin Knowledge Systems
       http://www.aks.com/home/csrt/valerts.asp

   Command Software Systems, Inc.
       http://www.command.co.uk/html/virus/love.html
       http://www.commandcom.com/virus/love.html

   Computer Associates
       http://www.ca.com/virusinfo/virusalert.htm

   F-Secure
       http://www.f-secure.com/download-purchase/updates.html

   Finjan Software, Ltd.
       http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34

   McAfee / Network Associates
       http://vil.nai.com/villib/dispVirus.asp?virus_k=98617
       http://www.cert.org/advisories/CA-2000-04/nai.dat
       (This file is also included at the end of this message.)

   Proland Software
       http://www.pspl.com/virus_info/worms/loveletter.htm

   Sophos
       http://www.sophos.com/virusinfo/analyses/vbsloveleta.html
       http://www.sophos.com/virusinfo/analyses/trojloveleta.html

   Symantec
       http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html

   Trend Micro
       http://www.antivirus.com/vinfo
   _________________________________________________________________

   The CERT Coordination Center would like to thank David Slade of Lucent
   Technologies for help in constructing this advisory. We thank
   Christopher Lindsey for providing the procmail rule.
   _________________________________________________________________

   The following people were involved in the creation of this document:
   Jeff Carpenter, Cory Cohen, Chad Dougherty, Ian Finlay, Kathy Fithen,
   Rhonda Green, Robert Hanson, Jeff Havrilla, Shawn Hernan, Kevin Houle,
   Brian King, Jed Pickel, Joseph Pruzynski, Robin Ruefle, John Schaffer,
   and Mark Zajicek
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2000-04.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

   Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

   Getting security information

   CERT publications and other security information are available from
   our web site
   http://www.cert.org/

   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
   University makes no warranties of any kind, either expressed or implied
   as to any matter including, but not limited to, warranty of fitness for
   a particular purpose or merchantability, exclusivity or results obtained
   from use of the material. Carnegie Mellon University does not make any
   warranty of any kind with respect to freedom from patent, trademark, or
   copyright infringement.
   _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2000 Carnegie Mellon University.
Revision History

   May 4, 2000: Initial release

This is the DAT file provided by Network Associates:

- ----8<--------8<--------8<--------8<--------8<--------8<--------8<----
134 178 156 177 9 51 219 241 94 28 193 220 123 86 193 214 121 71 232 193 178 50 157 76 9 177 143 178 13 152 153 147 13 55 142 176 95 118 192 176 73 122 192 177 66 125 137 143 69 103 192 199 235 49 141 163 196 63 6 85 231 198 113 62 236 223 122 69 241 197 249 6 35 204 141 183 13 56 193 252 91 118 160 255 72 103 217 246 95 59 223 246 74 97 216 253 94 27 136 251 89 126 193 155 3 96 221 225 72 114 201 231 66 118 192 242 68 127 165 190 143 57 136 157 122 92 255 222 13 51 140 179 25 125 138 10643 256 10425 VBS/LoveLetter
105 178 157 176 77 51 221 228 94 127 226 197 104 127 232 199 121 86 255 76 9 162 143 179 14 146 136 56 204 247 92 119 242 55 28 177 12 48 44 187 141 245 40 22 141 245 40 22 214 50 140 48 15 47 137 18 3 244 73 100 199 253 8 56 134 184 65 54 192 247 92 105 12 50 95 186 13 2 222 128 8 115 136 76 5 62 15 182 13 51 141 178 13 39 64 177 2 51 30 182 162 115 141 179 181 52 9899 256 10425 PWSLoveLetter
107 178 156 176 9 51 196 225 78 28 193 220 123 86 193 214 121 71 232 193 242 55 15 177 12 51 44 187 243 197 107 68 225 198 124 75 235 49 221 178 196 57 123 83 230 210 8 50 230 223 107 93 121 134 145 139 13 49 141 184 65 124 219 246 32 127 200 231 89 118 223 184 75 124 223 158 84 124 216 157 69 103 192 190 143 54 141 179 13 50 141 167 67 160 136 179 9 51 214 192 158 54 141 183 13 104 222 180 9593 256 10425 IRC/LoveLetter
- ----8<--------8<--------8<--------8<--------8<--------8<--------8<----

This DAT file is also located at:
http://www.cert.org/advisories/CA-2000-04/nai.dat

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQCVAwUBORIXEFFO4fmE3w/VAQEWZwQApwMZx3etImFUH3GZ2v2kweeQtKWmH7re
jhzwt/uNyZzfRLHLTU68AcpKASFEooleO9KRYcolgoO0kAuL4ERKtLc/eid3A+Q/
apP6v8RT9wcDLg3wlbWqqvkdijdCX0L1nSkM6oR4vrGTRFe0OTxQtndYlbupw1gJ
5CpHT6/fDaE=
=CoQt
-----END PGP SIGNATURE-----