Original release date: May 4, 2000<br>
Last revised: May 9, 2000<br>
Source: CERT/CC<br>

<p>A complete revision history is at the end of this file.

<a name="affected">
<h3>Systems Affected</h3>

<ul>

<li>Systems running Microsoft Windows with Windows Scripting Host
enabled</li>

</ul>

<a name="overview">
<h2>Overview</h2>

<p>The "Love Letter" worm is a malicious VBScript program which
spreads in a variety of ways.  As of 5:00 pm EDT(GMT-4) May 8, 2000,
the CERT Coordination Center has received reports from more than 650
individual sites indicating more than 500,000 individual systems are
affected.  In addition, we have several reports of sites suffering
considerable network degradation as a result of mail, file, and web
traffic generated by the "Love Letter" worm. </p>

<a name="description">
<h2>I. Description</h2>

<p>You can be infected with the "Love Letter" worm in a variety of
ways, including electronic mail, Windows file sharing, IRC, USENET
news, and possibly via webpages. Once the worm has executed on your
system, it will take the actions described in the <a href="#impact">Impact</a> section. </p>

<h3>Electronic Mail</h3>

<p>When the worm executes, it attempts to send copies of itself using
Microsoft Outlook to all the entries in all the address books. The
mail it sends has the following characteristics: </p>

<ul>

<li>An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS"

<li>A subject of "ILOVEYOU"

<li>The body of the message reads "kindly check the attached
LOVELETTER coming from me."

</ul>

<p>People who receive copies of the worm via electronic mail will
most likely recognize the sender.  We encourage people to avoid
executing code, including VBScripts, received through electronic mail
regardless of the sender without firsthand prior knowledge of the
origin of the code.</p>

<h3>Internet Relay Chat</h3>

<p>When the worm executes, it will attempt to create a file named
<i>script.ini</i> in any directory that contains certain files
associated with the popular IRC client mIRC. The script file will
attempt to send a copy of the worm via DCC to other people in any IRC
channel joined by the victim. We encourage people to disable automatic
reception of files via DCC in any IRC client.

<h3>Executing Files on Shared File Systems</h3>

<p>When the worm executes, it will search for certain types of files
and replace them with a copy of the worm (see the <a href="#impact">
Impact</a> section for more details).  Executing (double clicking)
files modified by other infected users will result in executing the
worm.  Files modified by the worm may also be started automatically,
for example from a startup script.

<h3>Reading USENET News</h3>

<p>There have been reports of the worm appearing in USENET newsgroups.
The suggestions above should be applied to users reading messages in
USENET newsgroups.

<a name="impact">
<h2>II. Impact</h2>

<p>When the worm is executed, it takes the following steps:

<h3>Replaces Files with Copies of the Worm</h3>

<p>When the worm executes, it will search for certain types of files
and make changes to those files depending on the type of file. For
files on fixed or network drives, it will take the following steps:

<ul>

<li>For files whose extension is <i>vbs</i> or <i>vbe</i> it will
replace those files with a copy of itself.

<li>For files whose extensions are <i>js</i>, <i>jse</i>, <i>css</i>,
<i>wsh</i>, <i>sct</i>, or <i>hta</i>, it will replace those files
with a copy of itself and change the extension to <i>vbs</i>. For
example, a file named <i>x.css</i> will be replaced with a file named
<i>x.vbs</i> containing a copy of the worm.

<li>For files whose extension is <i>jpg</i> or <i>jpeg</i>, it will
replace those files with a copy of the worm and add a <i>vbs</i>
extension. For example, a file named <i>x.jpg</i> will be replaced by
a file called <i>x.jpg.vbs</i> containing a copy of the worm.

<li>For files whose extension is <i>mp3</i> or <i>mp2</i>, it will
create a copy of itself in a file named with a <i>vbs</i> extension in
the same manner as for a <i>jpg</i> file.  The original file is
preserved, but its attributes are changed to hidden.

</ul>

<p>Since the modified files are overwritten by the worm code rather
than being deleted, file recovery is difficult and may be impossible.

<p>Users executing files that have been modified in this step will
cause the worm to begin executing again.  If these files are on a
filesystem shared over a local area network, new users may be
affected.

<h3>Creates an mIRC Script</h3>

<p>While the worm is examining files as described in the previous
section, it may take additional steps to create an mIRC script file.
If the file name being examined is <i>mirc32.exe</i>,
<i>mlink32.exe</i>, <i>mirc.ini</i>, <i>script.ini</i>, or
<i>mirc.hlp</i>, the worm will create a file named <i>script.ini</i>
in the same folder.  The <i>script.ini</i> file will contain:

<font face="monospace">
<dl><dd><pre>
[script]

n0=on 1:JOIN:#:{
n1=  /if ( $nick == $me ) { halt }
n2=  /.dcc send $nick DIRSYSTEM\LOVE-LETTER-FOR-YOU.HTM
n3=}
</pre></dl>
</font>

<p>where DIRSYSTEM varies based on the platform where the worm is
executed.  If the file <i>script.ini</i> already exists, no changes
occur.

<p>This code defines an mIRC script so that when a new user joins an
IRC channel the infected user has previously joined, a copy of the
worm will be sent to the new user via DCC.  The <i>script.ini</i> file
is created only once per folder processed by the worm.
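<p>The artefacts described in the two sections above (a <i>.vbs</i> copy of the worm written beside a <i>jpg</i>, <i>jpeg</i>, <i>mp3</i> or <i>mp2</i> file, a preserved <i>mp3</i>/<i>mp2</i> original next to that copy, and a <i>script.ini</i> carrying the DCC send line) are what an incident responder wants to enumerate across a file server after an infection. The following Python script is an added example written for this page; it is not part of the original advisory and contains no worm code. It builds a constructed sample tree in a temporary directory (placeholder text stands in for the worm body, and <i>C:\WINDOWS\SYSTEM</i> is an assumed value for DIRSYSTEM) and reports the indicators it finds. Overwritten <i>vbs</i>/<i>vbe</i> files and <i>x.css</i>-to-<i>x.vbs</i> replacements cannot be recognised by name alone, so they are deliberately not in scope here.</p>

```python
"""Enumerate Love Letter artefacts on disk: double-extension .vbs copies and the mIRC script.ini."""
import os
import re
import tempfile

# Extensions for which the worm writes x.<ext>.vbs beside the original; jpg/jpeg
# originals are overwritten, mp3/mp2 originals are kept but marked hidden.
APPENDED_VBS = {".jpg", ".jpeg", ".mp3", ".mp2"}
PRESERVED_ORIGINAL = {".mp3", ".mp2"}

# The DCC line the worm writes into mIRC's script.ini (path after $nick varies).
MIRC_DCC_LINE = re.compile(r"dcc send \$nick .*LOVE-LETTER-FOR-YOU\.HTM", re.IGNORECASE)


def scan_tree(root: str) -> list:
    """Walk root and return (indicator, absolute path) tuples for the worm's artefacts.

    On Windows the hidden attribute on a preserved mp3 original could additionally be
    confirmed via os.stat(path).st_file_attributes; this portable version reports presence only.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower(): f for f in files}  # lower-cased name -> actual name
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            stem, ext = os.path.splitext(lower)
            if ext == ".vbs":
                inner_ext = os.path.splitext(stem)[1]
                if inner_ext in APPENDED_VBS:
                    # e.g. holiday.jpg.vbs or song.mp3.vbs
                    findings.append(("double_extension_vbs", full))
                    if inner_ext in PRESERVED_ORIGINAL and stem in present:
                        # original mp3/mp2 left beside the copy (hidden on Windows)
                        findings.append(("preserved_original", os.path.join(dirpath, present[stem])))
            elif lower == "script.ini":
                try:
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        if MIRC_DCC_LINE.search(fh.read()):
                            findings.append(("mirc_dcc_script", full))
                except OSError:
                    pass
            if lower.startswith("love-letter-for-you."):
                # the attachment / DCC payload name used by the worm
                findings.append(("worm_payload_name", full))
    return findings


def build_demo_tree() -> str:
    """Create a constructed sample tree (placeholder contents, not worm output) and return its path."""
    root = tempfile.mkdtemp(prefix="loveletter_demo_")
    layout = {
        "photos/holiday.jpg.vbs": "placeholder for worm body",
        "music/song.mp3": "placeholder, not audio",
        "music/song.mp3.vbs": "placeholder for worm body",
        "mirc/mirc.ini": "[mirc]\nnick=demo\n",
        # DIRSYSTEM assumed to be C:\WINDOWS\SYSTEM for this sample
        "mirc/script.ini": "[script]\nn0=on 1:JOIN:#:{\nn1=  /if ( $nick == $me ) { halt }\n"
                           "n2=  /.dcc send $nick C:\\WINDOWS\\SYSTEM\\LOVE-LETTER-FOR-YOU.HTM\nn3=}\n",
        "docs/notes.txt": "benign text file",
        "web/site.css": "body { color: black }",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo() -> list:
    """Build the sample tree, scan it and return sorted (indicator, relative path) pairs."""
    root = build_demo_tree()
    return sorted((ind, os.path.relpath(p, root).replace(os.sep, "/")) for ind, p in scan_tree(root))


if __name__ == "__main__":
    for indicator, path in demo():
        print(f"{indicator:22} {path}")
```

<p>Run against a real share, <i>scan_tree</i> takes the share's mount point; the double-extension hits are the files to quarantine, and each <i>preserved_original</i> is an <i>mp3</i>/<i>mp2</i> that can be restored simply by clearing its hidden attribute.</p>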

<h3>Modifies the Internet Explorer Start Page</h3>

<p>If the file <i>&lt;DIRSYSTEM&gt;\WinFAT32.exe</i> does not exist, the worm
sets the Internet Explorer Start page to one of four randomly selected
URLs.  These URLs all refer to a file named <i>WIN-BUGSFIX.exe</i>,
which presumably contains malicious code.  The worm checks for this
file in the Internet Explorer <i>downloads</i> directory, and if
found, the file is added to the list of programs to run at reboot.
The Internet Explorer Start page is then reset to "about:blank".
Information about the impact of running <i>WIN-BUGSFIX.exe</i> will be
added to this document as soon as it is available.

<h3>Sends Copies of Itself via Email</h3>

<p>The worm attempts to use Microsoft Outlook to send copies of itself
to all entries in all address books as described in the <a href="#description">Description</a> section.

<h3>Modifies Other Registry Keys</h3>

<p>In addition to other changes, the worm updates the following
registry keys:

<dl><dd>
<pre>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\WAB\*
</pre>
</dl>

<p>Note that when the worm is sending email, it updates the last key
listed (under <i>HKCU\Software\Microsoft\WAB</i>) each time it sends a
message.  If a large number of messages are sent, the size of the
registry may grow significantly, possibly introducing additional
problems.
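<p>The <i>Run</i> and <i>RunServices</i> values listed above are the worm's persistence mechanism, and the easiest way to check many machines is to collect a registry export from each and inspect it offline. The following Python script is an added example, not part of the original advisory: it parses the subset of <i>.reg</i> syntax produced by <i>reg export</i> (key headers and <i>"name"=data</i> lines; version 5 exports are UTF-16 and must be decoded to text first) and reports the value names named in this advisory, any other <i>Run</i> entry that launches a script, and a <i>Windows Scripting Host</i> <i>Timeout</i> value. The sample export is constructed; the script paths in it are assumed for illustration and are not taken from the worm.</p>

```python
"""Find Love Letter persistence entries in a decoded .reg export (added example, not advisory code)."""
import re

# Registry locations named in the advisory (normalized to lower case, short hive names)
# and the value names the worm writes there.
WORM_RUN_VALUES = {
    r"hklm\software\microsoft\windows\currentversion\run": {"mskernel32", "win-bugsfix"},
    r"hklm\software\microsoft\windows\currentversion\runservices": {"win32dll"},
}
WSH_TIMEOUT_KEY = r"hkcu\software\microsoft\windows scripting host\settings"
IE_MAIN_KEY = r"hkcu\software\microsoft\internet explorer\main"

HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def normalize_key(key: str) -> str:
    """Map 'HKEY_LOCAL_MACHINE\\Software\\...' to 'hklm\\software\\...' for comparison."""
    hive, _, rest = key.partition("\\")
    return f"{HIVE_ALIASES.get(hive.lower(), hive.lower())}\\{rest.lower()}"


def parse_reg_export(text: str) -> dict:
    """Parse [key] headers and "name"=data lines into {normalized_key: {name: raw_data}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            entries.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name").replace('\\"', '"')
            entries[current][name] = m.group("data")
    return entries


def decode_string(data: str) -> str:
    """Turn a quoted REG_SZ literal ("C:\\\\x") into its plain value; other types pass through."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data


def find_worm_indicators(entries: dict) -> list:
    """Return (indicator, key\\value, data) tuples for entries matching the advisory."""
    findings = []
    for key, worm_names in WORM_RUN_VALUES.items():
        for name, data in entries.get(key, {}).items():
            target = decode_string(data)
            if name.lower() in worm_names:
                findings.append(("known_worm_autorun", f"{key}\\{name}", target))
            elif target.lower().endswith((".vbs", ".vbe")):
                # not one of the advisory's names, but an autorun of a script is still suspect
                findings.append(("script_autorun", f"{key}\\{name}", target))
    timeout = entries.get(WSH_TIMEOUT_KEY, {}).get("Timeout")
    if timeout is not None:
        # the advisory says the worm updates this value; its presence warrants review
        findings.append(("wsh_timeout_set", f"{WSH_TIMEOUT_KEY}\\Timeout", timeout))
    start = entries.get(IE_MAIN_KEY, {}).get("Start Page")
    if start is not None and "win-bugsfix" in decode_string(start).lower():
        findings.append(("ie_start_page_bugsfix", f"{IE_MAIN_KEY}\\Start Page", decode_string(start)))
    return findings


# Constructed sample export; the .vbs paths are assumed, not the worm's actual values.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"Updater"="C:\\WINDOWS\\update.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings]
"Timeout"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
'''


def demo() -> list:
    """Parse the constructed export and return its findings."""
    return find_worm_indicators(parse_reg_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for indicator, location, data in demo():
        print(f"{indicator:22} {location}  ->  {data}")
```

<p>A <i>Start Page</i> of <i>about:blank</i> produces no finding on its own, because the worm resets it once <i>WIN-BUGSFIX.exe</i> has been picked up; the <i>Run\WIN-BUGSFIX</i> value is the durable indicator of that stage.</p>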

<a name="solution">
<h2>III. Solution</h2>

<h3>Update Your Anti-Virus Product</h3>

<p>It is important for users to update their anti-virus software.
Some anti-virus software vendors have released updated information,
tools, or virus databases to help prevent and combat this worm.  A
list of vendor-specific anti-virus information can be found in <a href="#antivirus">Appendix A</a>.

<h3>Disable Windows Scripting Host</h3>

<p>Because the worm is written in VBS, it requires the Windows
Scripting Host (WSH) to run.  Disabling WSH prevents the worm from
executing.  For information about disabling WSH, see:

<dl><dd>
<a href="https://web.archive.org/web/20020802184411/http://www.sophos.com/support/faqs/wsh.html">
http://www.sophos.com/support/faqs/wsh.html</a>
</dl>
<p>

<p>This change may disable functionality the user desires.  Exercise
caution when implementing this solution.

<h3>Disable Active Scripting in Internet Explorer</h3>

<p>Information about disabling active scripting in Internet Explorer
can be found at:

<dl><dd>
<a href="https://web.archive.org/web/20020802184411/http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps">
http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps</a>
</dl>
<p>

<p>This change may disable functionality the user desires.  Exercise
caution when implementing this solution.

<h3>Disable Auto-DCC Reception in IRC Clients</h3>

<p>Users of Internet Relay Chat (IRC) programs should disable
automatic reception of files offered to them via DCC.

<h3>Filter the Worm in E-Mail</h3>

<p>Sites can use email filtering techniques to delete messages
containing subject lines known to contain the worm.  For sites running
Unix mail servers, here are some possible methods:

<h4>Sendmail</h4>

<p>Sendmail, Inc. has published information about blocking the worm
in incoming email at:
<dl><dd>
<a href="https://web.archive.org/web/20020802184411/http://www2.sendmail.com/loveletter">
http://www2.sendmail.com/loveletter</a>
</dl>

<h4>PostFix</h4>

<p>Add the following line in /etc/postfix/header_checks:

<font face="monospace">
<pre>
/^Subject: ILOVEYOU/ REJECT
</pre>
</font>

<p>The main Postfix configuration file must contain the
following line to enable the check :

<font face="monospace">
<dl>
<dd>header_checks = regexp:/etc/postfix/header_checks
</dl>
</font>

<p>Postfix must also be reloaded after this information is added.

<h4>Exim</h4>

<p>A generic Windows-executable content-blocking filter has been
produced for Exim.  This will block messages with attachments whose
extensions are <i>vbs</i>, as well as several other types that Windows
may consider executable by default.  The filter, which includes some
supporting installation documentation within the filter file itself, can
be found at:

<dl>
<dd><a href="https://web.archive.org/web/20020802184411/ftp://ftp.exim.org/pub/filter">
ftp://ftp.exim.org/pub/filter</a>
</dl>

<h4>Procmail</h4>

<p>This procmail rule also deletes any messages with the Subject: line
containing "ILOVEYOU":

<font face="monospace">
<pre>
   :0 D
   * ^Subject:[[tab] ]+ILOVEYOU
   /dev/null
</pre>
</font>

<p>Note that in the procmail example, [tab] represents a literal tab
character, and must be replaced with a tab for the rule to work correctly.

<p>It is important to note that the Sendmail, Postfix, and procmail
methods, as described, match only on the Subject: line and therefore do
not prevent the worm from spreading if the Subject: line of the email
has changed, as it has in the variants listed in <a href="#variants">Appendix B</a>.
Administrators can use more complicated procmail rules to block the
worm based on the body or attachments of the email, but such methods
require more processing time on mail servers, and may not be feasible
at sites with high volumes of email traffic.
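<p>The difference between matching the Subject: line and matching the attachment (the approach the Exim filter takes) is easy to see on messages shaped like the ones this advisory describes. The following Python script is an added example, not part of the original advisory: it constructs three sample messages with the standard <i>email</i> library (the original worm mail and the two variants from Appendix B, with a placeholder payload rather than worm code), applies a Subject: rule equivalent to the procmail recipe above, and applies an attachment-extension rule. The attachment name for the Mothers Day variant is not given in this advisory and is assumed here.</p>

```python
"""Subject-line versus attachment-extension filtering of Love Letter mail (added example)."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Equivalent of the procmail rule above: a Subject: header beginning with ILOVEYOU.
SUBJECT_RULE = re.compile(rb"^Subject:[ \t]+ILOVEYOU", re.MULTILINE)

# Script extensions named in the Impact section; compared case-insensitively on the
# final suffix, so LOVE-LETTER-FOR-YOU.TXT.VBS is caught despite the double extension.
BLOCKED_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta")


def build_message(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a sample message with a placeholder attachment and return it as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"  # the worm mails from a known correspondent's Outlook
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder bytes, not worm code", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def subject_filter(raw: bytes) -> bool:
    """True if the Subject: line alone would trigger the advisory's procmail/Postfix rule."""
    return SUBJECT_RULE.search(raw) is not None


def attachment_filter(raw: bytes) -> bool:
    """True if any attachment's final extension is a script type Windows would execute."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXTENSIONS):
            return True
    return False


# Constructed samples: the original mail and the two Appendix B variants.
SAMPLES = [
    ("original", "ILOVEYOU",
     "kindly check the attached LOVELETTER coming from me.", "LOVE-LETTER-FOR-YOU.TXT.VBS"),
    ("joke variant", "fwd: Joke", "", "Very Funny.vbs"),
    ("mothers day variant", "Thanks for your purchase!",
     "We have proceeded to charge your credit card for the amount of $326.92 ...",
     "invoice.txt.vbs"),  # attachment name assumed; the advisory does not state it
]


def evaluate_samples() -> list:
    """Return (label, subject_rule_hit, attachment_rule_hit) for each constructed sample."""
    results = []
    for label, subject, body, attachment in SAMPLES:
        raw = build_message(subject, body, attachment)
        results.append((label, subject_filter(raw), attachment_filter(raw)))
    return results


if __name__ == "__main__":
    for label, by_subject, by_attachment in evaluate_samples():
        print(f"{label:22} subject-rule={by_subject!s:5} attachment-rule={by_attachment}")
```

<p>The Subject: rule stops only the original message; both variants pass it, while the extension rule stops all three at the cost of parsing the MIME structure of every message, which is the processing overhead the paragraph above refers to.</p>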

<h3>Exercise Caution When Opening Attachments</h3>

<p>Exercise caution with attachments in email.  Users should disable
auto-opening or previewing of email attachments in their mail
programs.  Users should never open attachments from an untrusted
origin, or that appear suspicious in any way.

<a name="antivirus">
<h2>Appendix A. Anti-Virus Vendor Information</h2>

<h3>Aladdin Knowledge Systems</h3>

<dl><dd>
<a href="https://web.archive.org/web/20020802184411/http://www.aks.com/home/csrt/valerts.asp">
http://www.aks.com/home/csrt/valerts.asp</a>
</dl>
<p>

<h3>Command Software Systems, Inc.</h3>

<dl>
<dd><a href="https://web.archive.org/web/20020802184411/http://www.command.co.uk/html/virus/love.html">
http://www.command.co.uk/html/virus/love.html</a>
<dd><a href="https://web.archive.org/web/20020802184411/http://www.commandcom.com/virus/love.html">
http://www.commandcom.com/virus/love.html</a>
</dl>
<p>

<h3>Computer Associates</h3>

<dl><dd>
<a href="https://web.archive.org/web/20020802184411/http://www.ca.com/virusinfo/virusalert.htm">
http://www.ca.com/virusinfo/virusalert.htm</a>
</dl>
<p>

<h3>F-Secure</h3>

<dl><dd>
<a href="https://web.archive.org/web/20020802184411/http://www.f-secure.com/download-purchase/updates.html">
http://www.f-secure.com/download-purchase/updates.html</a>
</dl>
<p>

<h3>Finjan Software, Ltd.</h3>

<dl><dd>
<a href="https://web.archive.org/web/20020802184411/http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34">
http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34</a>
</dl>
<p>

<h3>McAfee / Network Associates</h3>

<dl>
<dd><a href="https://web.archive.org/web/20020802184411/http://vil.nai.com/villib/dispVirus.asp?virus_k=98617">
http://vil.nai.com/villib/dispVirus.asp?virus_k=98617</a>
<dd><a href="/web/20020802184411/http://www.cert.org/advisories/CA-2000-04/nai.dat">
http://www.cert.org/advisories/CA-2000-04/nai.dat</a>
</dl>

<p>

<h3>Proland Software</h3>

<dl><dd>
<a href="https://web.archive.org/web/20020802184411/http://www.pspl.com/virus_info/worms/loveletter.htm">
http://www.pspl.com/virus_info/worms/loveletter.htm</a>
</dl>
<p>

<h3>Sophos</h3>

<dl>

<dd><a href="https://web.archive.org/web/20020802184411/http://www.sophos.com/virusinfo/analyses/vbsloveleta.html">
http://www.sophos.com/virusinfo/analyses/vbsloveleta.html</a>

<dd><a href="https://web.archive.org/web/20020802184411/http://www.sophos.com/virusinfo/analyses/trojloveleta.html">
http://www.sophos.com/virusinfo/analyses/trojloveleta.html</a>
</dl>
<p>

<h3>Symantec</h3>

<dl><dd>
<a href="https://web.archive.org/web/20020802184411/http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html">
http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html</a>
</dl>
<p>

<h3>Trend Micro</h3>

<dl><dd>
<a href="https://web.archive.org/web/20020802184411/http://www.antivirus.com/vinfo">
http://www.antivirus.com/vinfo</a>
</dl>
<p>

<a name="variants">
<h2>Appendix B. Variants</h2>

The CERT Coordination Center has received reports of worms that are
nearly identical or are very similar to the Love Letter worm.  The
information provided above applies to these variants except as noted
below.  This section is not intended to be comprehensive, and we are
aware of reports involving additional variants not described here.

<h3>Joke / Very Funny</h3>

<p>This variant changes several references to
<i>LOVE-LETTER-FOR-YOU</i> in the source code to <i>Very Funny</i>.
This primarily results in an email attachment name <i>Very
Funny.vbs</i>.  The email messages sent by this variant have a subject
of "fwd: Joke", and an empty message body.

<h3>Mothers Day</h3>

<p>The subject of this variant is "Thanks for your purchase!"  and the
body of the message contains:
        
<dl><dd> 
We have proceeded to charge your credit card for the amount
of $326.92 for the mothers day diamond special. We have attached a
detailed invoice to this email. Please print out the attachment and
keep it in a safe place.  Thanks Again and Have a Happy Mothers Day!
</dl>

<p>This variant infects files as previously described, with the
exception of <i>jpg</i> and <i>jpeg</i> files.  Instead, this variant
infects <i>ini</i> and <i>bat</i> in a similar way.  Specifically, for
files whose extension is <i>ini</i> or <i>bat</i>, it will replace
those files with a copy of the worm and add a <i>vbs</i> extension.
For example, a file named <i>x.ini</i> will be replaced by a file
called <i>x.ini.vbs</i> containing a copy of the worm.

<p>This variant also includes different URLs for the Internet Explorer
Start Page.

<hr noshade>

<p>The CERT Coordination Center thanks David Slade of Lucent
Technologies for help in constructing this advisory; Christopher
Lindsey for providing the procmail rule; and Jeff Rife for
catching an error in an earlier version of this advisory. </p>

<p></p>

<hr noshade>

<p>The following people were involved in the creation of this
document: Jeff Carpenter, Cory Cohen, Chad Dougherty, Ian Finlay,
Kathy Fithen, Rhonda Green, Robert Hanson, Jeff Havrilla, Shawn
Hernan, Kevin Houle, Brian King, Jed Pickel, Joseph Pruszynski, Robin
Ruefle, John Shaffer, and Mark Zajicek

<p></p>

<hr noshade width="100%">

This document is available from: 
<a href="https://web.archive.org/web/20020802184411/http://www.cert.org/advisories/CA-2000-04.html">
http://www.cert.org/advisories/CA-2000-04.html</a>

<hr noshade width="100%">

<h2>CERT/CC Contact Information</h2>

<dl>
<b>Email:</b> <a href="https://web.archive.org/web/20020802184411/mailto:cert@cert.org">cert@cert.org</a><br>
<b>Phone:</b> +1 412-268-7090 (24-hour hotline)<br>
<b>Fax:</b> +1 412-268-6989<br>
<b>Postal address:</b><br>
<dd>
CERT Coordination Center<br>
Software Engineering Institute<br>
Carnegie Mellon University<br>
Pittsburgh PA 15213-3890<br>
U.S.A.<br>
</dd>
</dl>

<p>
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
</p>

<h4>Using encryption</h4>

<p>
We strongly urge you to encrypt sensitive information sent by
email.  Our public PGP key is available from
</p>

<ul>
<a href="https://web.archive.org/web/20020802184411/http://www.cert.org/CERT_PGP.key">http://www.cert.org/CERT_PGP.key</a>
</ul>
<p>
If you prefer to use DES, please call the CERT hotline for more
information.
</p>

<h4>Getting security information</h4>
<p>
CERT publications and other security information are available from
our web site
</p>

<ul>
<a href="https://web.archive.org/web/20020802184411/http://www.cert.org/">http://www.cert.org/</a>
</ul>
<p>
To subscribe to the CERT mailing list for advisories and bulletins, send email to
<a href="https://web.archive.org/web/20020802184411/mailto:majordomo@cert.org">majordomo@cert.org</a>. Please include in the body of your
message<br></p>
<p>
<tt>subscribe cert-advisory</tt>
</p>

<p>
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
</p>

<hr noshade width="100%">

<p>
<b><u>NO WARRANTY</u></b><br>
<b>Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.</b>
</p>
<hr>
<a href="https://web.archive.org/web/20020802184411/http://www.cert.org/legal_stuff.html">Conditions for use, disclaimers, and sponsorship information</a>
<p>
</p>


<p>Copyright 2000 Carnegie Mellon University.</p>

<p>Revision History
<pre>
May 4, 2000:  Initial release
May 5, 2000:  Updates to Postfix information
May 5, 2000:  Fixed an error in the statement regarding the actions 
of the worm when it checks for the existence of the
<i>&lt;DIRSYSTEM&gt;\WinFAT32.exe</i> file.  We incorrectly
reported that if this file exists, then the value of the IE start page
will be changed.  In fact, the value of the start page is changed if
the file does <em>not</em> exist. Our thanks to Jeff Rife for catching
this error. 
May 5, 2000:  Added information on variants
May 9, 2000:  Updated affected site count
May 9, 2000:  Added EXIM information
May 9, 2000:  Clarified mIRC script description
</pre>