www.FinchHaven.com

the Love Letter Visual Basic Script worm


First, why is it a "worm"?

From: THE [online] JARGON FILE, VERSION 4.2.0, 31 JAN 2000

thanks to Eric Steven Raymond...
worm n.

 [from 'tapeworm' in John Brunner's novel "The Shockwave Rider",
 via XEROX PARC]

 A program that propagates itself over a network, reproducing itself
 as it goes. Compare virus. Nowadays the term has negative connotations,
 as it is assumed that only crackers write worms.  Perhaps the
 best-known example was Robert T. Morris's Great Worm of 1988,
 a 'benign' one that got out of control and hogged hundreds of Suns
 and VAXen across the U.S.
 
 See also cracker, RTM,
 Trojan horse, ice.

Executive summary:

For most people the deal comes down to a problem on Microsoft Windows systems where the Windows Scripting Host is enabled, and especially where the mail client is Microsoft Outlook, which the worm uses to mail itself onward.

So, you're talkin' Windows 98, Windows 2000, Windows NT 4.0, maybe Windows 95 if the Windows Scripting Host or Microsoft Internet Explorer 5.0 has been installed...

The basic deal is that on a stock Windows setup, opening a Microsoft Visual Basic Script attachment in Microsoft Outlook hands it straight to the Windows Scripting Host, and from there nothing stands between the script and your system: it runs with all of your privileges, no sandbox, no limit on what it may do. If that script is a worm, you're dead meat...

as CERT says:

"Exercise caution with attachments in email.

Users should disable auto-opening or previewing of email attachments in their mail programs.

Users should never open attachments from an untrusted origin, or that appear suspicious in any way."

Why does Microsoft Outlook default to executing Microsoft Visual Basic Script attachments, unquestioned? Ask Uncle Bill...


A scathing analysis of the ILOVEYOU worm:

From:            CRYPTO-GRAM

                 May 15, 2000

               by Bruce Schneier
                Founder and CTO
       Counterpane Internet Security, Inc.


               "ILOVEYOU Virus"

What strikes me the most about this virus is how well it social engineers 
the user.  It comes from someone the user knows.  It has an enticing 
subject line.  In Microsoft Outlook the ".vbs" extension is suppressed by 
default, so it looks like an innocuous ".txt" file.  Even with all the 
admonitions not to open attachments you're not expecting, the average user 
doesn't stand a chance against a virus like this.

Expect even worse in the future.  Systems running either Microsoft Office 
2000 or Internet Explorer 5.0 can be infected with these sorts of viruses 
even if the recipient doesn't open the attachment.  That's right; if the 
system is running Internet Explorer with the default settings, it is 
vulnerable.  The problem is caused by a programming bug in an
Internet Explorer ActiveX control.  Thank you, Microsoft.

Back to the ILOVEYOU virus.  Read James Gleick's excellent essay:
slate.msn.com/Features/lovebug/

And Phil Agre's commentary is so perfect, I'm just going to reprint it 
here.  You can subscribe to his newsletter, "Red Rock Eater News Service,"
at:
dlis.gseis.ucla.edu/people/pagre/

Phil says:

"I received about 60 copies of the latest Microsoft e-mail virus and its 
variants.  How many did you get?  Fortunately I manage my e-mail with 
Berkeley mailx and Emacs keyboard macros, so I wasn't at risk.  But if 
we're talking about billions of dollars in damage, which equates roughly to 
millions of lost work days, then I think that we and Microsoft need to have 
a little talk.

"Reading the press reports, Microsoft's stance toward this situation has 
been disgraceful.  Most of their sound bites have been sophistry designed 
to disassociate the company from any responsibility for the problem.  One 
version goes like this quote from Scott Culp of Microsoft Public Relations, 
excuse me, I mean Microsoft Security Response Center:

      "This is a general issue, not a Microsoft issue.  You can write a
      virus for any platform." (New York Times 5/5/00)

"Notice the public relations technology at work here: defocusing the issue 
so as to move attention away from the specific vulnerabilities of 
Microsoft's applications architecture and toward the fuzzy concept of "a 
virus".  Technologists will understand the problem here, but most normal 
people will not.  Mr. Culp also says this (CNET 5/5/00):

      "This is by-design behavior, not a security vulnerability."

"More odd language.  It's like saying, "This is a rock, not something that 
can fall to the ground".  It's confusing to even think about it.  Even 
though Microsoft had been specifically informed of the security 
vulnerability in its software, it had refused to fix it.  Microsoft even 
tried to blame its problem on Netscape, which *had* fixed it:

      news.cnet.com/news/

"The next step is to blame the users.  The same Mr. Culp read on the radio 
the text of a warning that the users who spread the virus had supposedly 
ignored.  That warning concludes with a statement to the effect that you 
shouldn't execute attachments from sources that you do not trust.  He read 
that part kind of fast, as you might expect, given that the whole point of 
this virus is that people receive an attachment from a person who has 
included them in their address book.  This particular blame-shifting tactic 
is particularly disingenuous given that the virus spread rapidly through 
Microsoft itself, to the point that the company had to block all incoming 
e-mail (Wall Street Journal 5/5/00).

"Similarly, CNET (5/4/00) quoted an unnamed "Microsoft representative" as 
saying that companies must educate employees "not to run a program from an 
origin you don't trust".  Notice the nicely ambiguous word "origin".  The 
virus arrives in your mailbox clearly labeled as having been sent by a 
particular individual with whom you probably have an established 
relationship.  It bears no other signs of its "origin" that an ordinary 
user will be able to parse, short of executing the attachment.

"So what on earth is Microsoft doing allowing attachments to run code in a 
full-blown scripting language that can, among many other things, invisibly 
send e-mail?  Says the "Microsoft representative",

      "We include scripting technologies because our customers ask us to
      put them there, and they allow the development of business-critical
      productivity applications that millions of our customers use."

"There needs to be a moratorium on expressions such as "customers ask us 
to".  Does that mean all of the customers?  Or just some of them?  Notice 
the some/all ambiguity that is another core technology of public 
relations.  Do these "customers" really specifically ask for fully general 
scripts that attachments can execute, or do they only ask for certain 
features that can be implemented in many ways, some of which involve 
attachments that execute scripts?  Do the customers who supposedly ask for 
these crazy things understand the consequences of them?  Do they ask for 
them to be turned on by default, so that every customer in the world gets 
the downside of them so that a few customers can more conveniently get the 
upside?  And notice how the "Microsoft representative" defocuses the issue 
again, shifting from the specific issue of scripts that can be executed by 
attachments to the fuzzy concept of "scripting technologies", as if anybody 
were suggesting that scripting technologies, as such, in general, were to 
blame.

"Microsoft shouldn't be broken up. It should be shut down."
Phil Agre, in CRYPTO-GRAM May 15, 2000
"Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety."

Whew!

Strong words, from Phil Agre, and Schneier, someone who knows a lot, chose to reprint them in full and put his own name beside them...
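Schneier's point about the suppressed ".vbs" extension is the one a mail gateway can act on. The following Python script is an added example for this page, not code from Schneier, Agre, CERT or this site's author: it judges a message by the final extension of each attachment's filename instead of by its Subject: line, so LOVE-LETTER-FOR-YOU.TXT.VBS is caught even when a variant changes the subject, and a harmless text file gets through even when the subject happens to read "ILOVEYOU". The extension list and the three sample messages are constructed for the demo and are assumptions, not taken from the page.

```python
"""Attachment-name filter for Love Letter style mail (added example).

The filter inspects every MIME part of a message and rejects the message
when an attachment's *final* filename extension is one Windows hands to a
script engine or program loader.  The Subject: line is ignored, so renamed
variants are still caught.  The sample messages below are constructed for
the demo and carry a harmless placeholder instead of the worm.
"""
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions Windows will run on double-click.  This list is an assumption
# chosen for the example, not something the advisory states.
EXEC_EXTENSIONS = {
    "vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta",
    "exe", "com", "bat", "cmd", "pif", "scr",
}


def dangerous_extension(filename):
    """Return the offending final extension (lower-case), or None.

    Only the last extension counts: 'x.txt.vbs' -> 'vbs', which is exactly
    the case Outlook's extension hiding turns into a fake '.txt'.  Trailing
    dots and spaces, another way to hide the real extension, are stripped.
    """
    if not filename:
        return None
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].strip().rstrip(". ")
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()
    return ext if ext in EXEC_EXTENSIONS else None


def attachment_findings(raw):
    """List (filename, extension) for every executable attachment in one RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        fname = part.get_filename()
        ext = dangerous_extension(fname)
        if ext:
            hits.append((fname, ext))
    return hits


def attachment_filter(raw):
    """Verdict based on attachment names only."""
    return "REJECT" if attachment_findings(raw) else "ACCEPT"


def subject_filter(raw):
    """The CERT-style rule (Subject: starting with ILOVEYOU), for comparison."""
    msg = message_from_string(raw, policy=policy.default)
    return "REJECT" if str(msg.get("Subject", "")).startswith("ILOVEYOU") else "ACCEPT"


def build_sample(subject, attachment_name):
    """Construct a test message with a harmless one-line attachment body."""
    m = EmailMessage()
    m["From"] = "friend@example.com"   # a sender the victim knows: the social engineering
    m["To"] = "you@example.com"
    m["Subject"] = subject
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    m.add_attachment(b"MsgBox \"placeholder, not the worm\"\r\n",
                     maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_string()


# Constructed samples: the original naming, a renamed variant, and a benign
# message whose subject happens to match the CERT subject rule.
SAMPLE_ORIGINAL = build_sample("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.VBS")
SAMPLE_VARIANT = build_sample("fwd: holiday photos", "photos.jpg.vbs")
SAMPLE_CLEAN = build_sample("ILOVEYOU", "loveletter.txt")

if __name__ == "__main__":
    for label, raw in (("original", SAMPLE_ORIGINAL), ("variant", SAMPLE_VARIANT), ("clean", SAMPLE_CLEAN)):
        print(f"{label:9s} subject-rule={subject_filter(raw)} "
              f"attachment-rule={attachment_filter(raw)} {attachment_findings(raw)}")
```

Run it and the three rows show the point: the subject rule rejects the original and the benign message and waves the renamed variant through, while the attachment rule gets all three right. In a real gateway you would wire `attachment_filter` into the content filter hook of your MTA and keep the subject rule only as a cheap first pass.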


Forget everything you heard on CNN or anywhere else, here's the deal, from CERT:

"CERT® Advisory CA-2000-04 Love Letter Worm

Original release date: May 4, 2000
Last revised: May 9, 2000
Source: CERT/CC

Systems Affected

  • Systems running Microsoft Windows with Windows Scripting Host enabled

Overview

The "Love Letter" worm is a malicious VBScript program which spreads in a variety of ways. As of 5:00 pm EDT(GMT-4) May 8, 2000, the CERT Coordination Center has received reports from more than 650 individual sites indicating more than 500,000 individual systems are affected. In addition, we have several reports of sites suffering considerable network degradation as a result of mail, file, and web traffic generated by the "Love Letter" worm.

I. Description

You can be infected with the "Love Letter" worm in a variety of ways, including electronic mail, Windows file sharing, IRC, USENET news, and possibly via webpages. Once the worm has executed on your system, it will take the actions described in the Impact section.

Electronic Mail

When the worm executes, it attempts to send copies of itself using Microsoft Outlook to all the entries in all the address books. The mail it sends has the following characteristics:

  • An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS"
  • A subject of "ILOVEYOU"
  • The body of the message reads "kindly check the attached LOVELETTER coming from me."

People who receive copies of the worm via electronic mail will most likely recognize the sender. We encourage people to avoid executing code, including VBScripts, received through electronic mail regardless of the sender without firsthand prior knowledge of the origin of the code.

Internet Relay Chat

When the worm executes, it will attempt to create a file named script.ini in any directory that contains certain files associated with the popular IRC client mIRC. The script file will attempt to send a copy of the worm via DCC to other people in any IRC channel joined by the victim. We encourage people to disable automatic reception of files via DCC in any IRC client.

Executing Files on Shared File Systems

When the worm executes, it will search for certain types of files and replace them with a copy of the worm (see the Impact section for more details). Executing (double clicking) files modified by other infected users will result in executing the worm. Files modified by the worm may also be started automatically, for example from a startup script.

Reading USENET News

There have been reports of the worm appearing in USENET newsgroups. The suggestions above should be applied to users reading messages in USENET newsgroups.

II. Impact

When the worm is executed, it takes the following steps:

Replaces Files with Copies of the Worm

When the worm executes, it will search for certain types of files and make changes to those files depending on the type of file. For files on fixed or network drives, it will take the following steps:

  • For files whose extension is vbs or vbe it will replace those files with a copy of itself.
  • For files whose extensions are js, jse, css, wsh, sct, or hta, it will replace those files with a copy of itself and change the extension to vbs. For example, a file named x.css will be replaced with a file named x.vbs containing a copy of the worm.
  • For files whose extension is jpg or jpeg, it will replace those files with a copy of the worm and add a vbs extension. For example, a file named x.jpg will be replaced by a file called x.jpg.vbs containing a copy of the worm.
  • For files whose extension is mp3 or mp2, it will create a copy of itself in a file named with a vbs extension in the same manner as for a jpg file. The original file is preserved, but its attributes are changed to hidden.

Since the modified files are overwritten by the worm code rather than being deleted, file recovery is difficult and may be impossible.

Users executing files that have been modified in this step will cause the worm to begin executing again. If these files are on a filesystem shared over a local area network, new users may be affected.

Creates an mIRC Script

While the worm is examining files as described in the previous section, it may take additional steps to create a mIRC script file. If the file name being examined is mirc32.exe, mlink32.exe, mirc.ini, script.ini, or mirc.hlp, the worm will create a file named script.ini in the same folder. The script.ini file will contain:

[script]

n0=on 1:JOIN:#:{
n1=  /if ( $nick == $me ) { halt }
n2=  /.dcc send $nick DIRSYSTEM\LOVE-LETTER-FOR-YOU.HTM
n3=}

where DIRSYSTEM varies based on the platform where the worm is executed. If the file script.ini already exists, no changes occur.

This code defines an mIRC script so that when a new user joins an IRC channel the infected user has previously joined, a copy of the worm will be sent to the new user via DCC. The script.ini file is created only once per folder processed by the worm.

Modifies the Internet Explorer Start Page

If the file <DIRSYSTEM>\WinFAT32.exe does not exist, the worm sets the Internet Explorer Start page to one of four randomly selected URLs. These URLs all refer to a file named WIN-BUGSFIX.exe, which presumably contains malicious code. The worm checks for this file in the Internet Explorer downloads directory, and if found, the file is added to the list of programs to run at reboot. The Internet Explorer Start page is then reset to "about:blank". Information about the impact of running WIN-BUGSFIX.exe will be added to this document as soon as it is available.

Sends Copies of Itself via Email

The worm attempts to use Microsoft Outlook to send copies of itself to all entries in all address books as described in the Description section.

Modifies Other Registry Keys

In addition to other changes, the worm updates the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\WAB\*

Note that when the worm is sending email, it updates the last entry each time it sends a message. If a large number of messages are sent, the size of the registry may grow significantly, possibly introducing additional problems.

III. Solution

Update Your Anti-Virus Product

It is important for users to update their anti-virus software. Some anti-virus software vendors have released updated information, tools, or virus databases to help prevent and combat this worm. A list of vendor-specific anti-virus information can be found in Appendix A.

Disable Windows Scripting Host

Because the worm is written in VBS, it requires the Windows Scripting Host (WSH) to run. Disabling WSH prevents the worm from executing. For information about disabling WSH, see:

http://www.sophos.com/support/faqs/wsh.html

This change may disable functionality the user desires. Exercise caution when implementing this solution.

Disable Active Scripting in Internet Explorer

Information about disabling active scripting in Internet Explorer can be found at:

http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps

This change may disable functionality the user desires. Exercise caution when implementing this solution.

Disable Auto-DCC Reception in IRC Clients

Users of Internet Relay Chat (IRC) programs should disable automatic reception of files offered to them via DCC.

Filter the Worm in E-Mail

Sites can use email filtering techniques to delete messages containing subject lines known to contain the worm. For sites using unix, here are some possible methods:

Sendmail

Sendmail, Inc. has published information about blocking the worm in incoming email at:

http://www2.sendmail.com/loveletter

PostFix

Add the following line in /etc/postfix/header_checks:

/^Subject: ILOVEYOU/ REJECT

The main Postfix configuration file must contain the following line to enable the check:

header_checks = regexp:/etc/postfix/header_checks

Postfix must also be reloaded after this information is added.

Exim

A generic Windows-executable content-blocking filter has been produced for Exim. This will block messages with attachments whose extensions are vbs, as well as several other types that Windows may consider executable by default. The filter, which includes some supporting installation documentation within the filter file itself, can be found at:

ftp://ftp.exim.org/pub/filter

Procmail

This procmail rule also deletes any messages with the Subject: line containing "ILOVEYOU":

   :0 D
   * ^Subject:[[tab] ]+ILOVEYOU
   /dev/null

Note that in all of these examples, [tab] represents a literal tab character, and must be replaced with a tab for them to work correctly.

It is important to note that these three methods, as described, do not prevent the worm from spreading if the Subject: line of the email has changed. Administrators can use more complicated procmail rules to block the worm based on the body of the email, but such methods require more processing time on mail servers, and may not be feasible at sites with high volumes of email traffic.

Exercise Caution When Opening Attachments

Exercise caution with attachments in email. Users should disable auto-opening or previewing of email attachments in their mail programs. Users should never open attachments from an untrusted origin, or that appear suspicious in any way."

<snip>

Legal Stuff

The CERT® Coordination Center is part of the Software Engineering Institute. The Software Engineering Institute is operated by Carnegie Mellon University for the Department of Defense.

  1. CERT® security alerts (such as advisories and the CERT® Summary)

    All readers
    Permission is granted to reproduce and distribute CERT® security alerts in their entirety, provided the CERT® PGP signature is included and provided the alert is used for noncommercial purposes and with the intent of increasing the awareness of the Internet community.
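CERT's Impact section above lists the traces the worm leaves on disk: media files renamed to x.jpg.vbs or x.mp3.vbs with the worm body inside, every other .vbs/.vbe overwritten with that same body, and a script.ini planted next to mIRC. The following Python script is an added example for this page, neither a CERT tool nor code from this site's author, that turns that list into a triage pass over a directory tree: the name-proven artifacts (*.jpg.vbs and friends) serve as reference samples, every other script file with identical content is flagged as overwritten, and for each renamed media file it reports whether the original survived (mp3/mp2, which the worm only hid) or was destroyed (jpg/jpeg). The sample tree, the placeholder "worm body" and the system path inside the script.ini are constructed for the demo and are not real worm data; the registry keys CERT lists are not covered, since checking them needs a Windows host.

```python
"""Triage pass for Love Letter file artifacts (added example).

Walks a directory tree and reports, from the behaviour CERT describes:
  worm-renamed-media       x.jpg.vbs / x.jpeg.vbs / x.mp3.vbs / x.mp2.vbs
  worm-overwritten-script  any other .vbs/.vbe whose content is identical to
                           a renamed-media file (the worm writes the same
                           body everywhere)
  mirc-dcc-script          a script.ini that auto-DCCs LOVE-LETTER-FOR-YOU.HTM
The demo tree below is constructed; the "worm body" is a harmless stand-in.
"""
import hashlib
import tempfile
from pathlib import Path

DOUBLE_EXT = (".jpg.vbs", ".jpeg.vbs", ".mp3.vbs", ".mp2.vbs")
SCRIPT_EXT = {".vbs", ".vbe"}


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def triage(root, known_hashes=()):
    """Return sorted (category, relative path, note) findings under root.

    known_hashes may seed the reference set with hashes of confirmed worm
    bodies from another machine; otherwise only the renamed-media files
    found in this tree serve as reference samples.
    """
    root = Path(root)
    reference = set(known_hashes)
    findings = []
    files = [p for p in root.rglob("*") if p.is_file()]

    # 1. Name-proven artifacts: only the worm produces x.jpg.vbs / x.mp3.vbs.
    renamed = [p for p in files if p.name.lower().endswith(DOUBLE_EXT)]
    for p in renamed:
        reference.add(sha256(p))
        original = p.with_name(p.name[:-4])          # drop the trailing ".vbs"
        note = "original preserved" if original.exists() else "original lost"
        findings.append(("worm-renamed-media", p.relative_to(root).as_posix(), note))

    # 2. Scripts overwritten with the worm body: same bytes as a reference sample.
    for p in files:
        if p.suffix.lower() in SCRIPT_EXT and p not in renamed and sha256(p) in reference:
            findings.append(("worm-overwritten-script", p.relative_to(root).as_posix(),
                             "content identical to a reference worm sample"))

    # 3. The planted mIRC script: a DCC send of LOVE-LETTER-FOR-YOU.HTM on join.
    for p in files:
        if p.name.lower() == "script.ini":
            text = p.read_text(errors="replace").lower()
            if "dcc send" in text and "love-letter-for-you" in text:
                findings.append(("mirc-dcc-script", p.relative_to(root).as_posix(),
                                 "sends the worm to anyone joining a channel"))
    return sorted(findings)


# Constructed stand-in; NOT the worm.
WORM_BODY = b"' placeholder standing in for the worm body\r\nMsgBox \"placeholder\"\r\n"

# Constructed script.ini in the shape CERT shows; the system path is an assumption.
MIRC_SCRIPT = (
    "[script]\r\n"
    "n0=on 1:JOIN:#:{\r\n"
    "n1=  /if ( $nick == $me ) { halt }\r\n"
    "n2=  /.dcc send $nick C:\\WINDOWS\\SYSTEM\\LOVE-LETTER-FOR-YOU.HTM\r\n"
    "n3=}\r\n"
)


def build_sample_tree(base):
    """Lay out a constructed post-infection tree under base."""
    base = Path(base)
    layout = {
        "photos/holiday.jpg.vbs": WORM_BODY,          # original jpg destroyed
        "music/song.mp3": b"ID3 not really audio",    # worm keeps the mp3, hides it
        "music/song.mp3.vbs": WORM_BODY,
        "scripts/backup.vbs": WORM_BODY,              # legitimate script overwritten
        "scripts/legit.vbs": b"WScript.Echo \"still mine\"\r\n",
        "mirc/mirc.ini": b"[mirc]\r\n",
        "mirc/script.ini": MIRC_SCRIPT.encode(),
        "docs/readme.txt": b"nothing to see\r\n",
    }
    for rel, data in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return base


def demo():
    """Build the sample tree in a temp dir, triage it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    for category, rel, note in demo():
        print(f"{category:24s} {rel:28s} {note}")
```

On a real machine point `triage()` at each fixed and network drive; pass `known_hashes` from a confirmed sample when a tree happens to contain no renamed media file, otherwise the overwritten-script check has nothing to compare against. Note what the "original lost" notes mean in practice: CERT's point that the jpg files are overwritten rather than deleted is why no undelete tool brings them back.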


All my digital photography
copyright John D Sage/FinchHaven
1999, 2000, 2001, 2002


Any and all e-mail addresses associated with this domain in any way
are located in the State of Washington,
and as such may not, by law, be harvested for spam.

This page preened using GNU Emacs 20.5.1
at www.FinchHaven.com by Webmaster
Last modified: Sun Nov 12 09:06:54 2006
