[Fwd: 'ILOVEYOU' script worm] FIX/INFORMATION David Battey 04 May 2000 13:41 EST

FYI ...

--
[:)] Dave
_______________________________________________________

David S. Battey
Information & Technology Coordinator
Office of Research and Grants Administration
College of Charleston, Charleston, SC, 29424
Voice: (843)953-5673      Fax: (843)953-6577
Internet:  http://www.orga.cofc.edu/
E-mail:  xxxxxx@cofc.edu
_______________________________________________________

'ILOVEYOU' script worm Mazeland, Siebrand 04 May 2000 10:49 EST

Recently a script worm has hit many systems. Here is some information on how
to check for and clean infections on Exchange Server server systems. If off
topic, please refer to a better suited list.

Cheers!

Siebrand Mazeland

--- BEGIN PASTE ---
"I Love You" eMail virus.
Summary

This document is to provide you with steps to purge the ILOVEYOU virus on
Exchange servers for one time. This virus is spread in various ways.  It
seems the most prevalent method is via an eMail message, which has the
following details.

Subject line    "ILOVEYOU"
Mail text:      "kindly check the attached LOVELETTER coming from me."
Attachment:     "LOVE-LETTER-FOR-YOU.TXT.vbs"
Size:   Approx. 13kb.

Steps to cure Exchange 5.5 SP3 and lower
If you have Exchange 5.5 with SP3 or a lower version, please:
 1.      Download SCAN.ZIP from
ftp://ftp.microsoft.com/transfer/outgoing/webresponse/
 a.      ftp://ftp.microsoft.com/transfer/outgoing/webresponse/scan.zip.00504.04-07-25
 2.      Unzip file
 3.      Copy all files to <Exchange server directory>\bin
 4.      Run the following command: NET STOP MSEXCHANGEIS
 a.      IF you do not want to stop the store, you
can use the latest version of EXMERGE.EXE. For more information on how to
use this, please refer to Q-article Q246916 (added as appendix)
 5.      ISSCAN -pri -fix -test badattach,badmessage -c virus.txt
 6.      If you have public folders, then run the following command too
 a.      ISSCAN -pub -fix -test badattach,badmessage -c virus.txt

Steps to cure Exchange 5.5 SP3 and Store Fixes
If you have Exchange 5.5 with SP3 with additional fixes on the store,
 1.      Download SCAN.ZIP and POST-SP3-ISSCAN.EXE from
ftp://ftp.microsoft.com/transfer/outgoing/webresponse/
 a.      ftp://ftp.microsoft.com/transfer/outgoing/webresponse/scan.zip.00504.04-07-25
 b.      ftp://ftp.microsoft.com/transfer/outgoing/webresponse/post-sp3-isscan.exe.00504.06-31-12
 2.      Unpack SCAN.ZIP
 3.      Unpack POST-SP3-ISSCAN.EXE, choose to overwrite isscan.exe
(build 2648) with the new isscan.exe (build 2652.26)
 4.      Copy all files to: <Exchange server directory>\bin
 5.      Run the following command: NET STOP MSEXCHANGEIS
 a.      If you do not want to stop the store, you
can use the latest version of EXMERGE.EXE. For more information on how to
use this, please refer to Q-article Q246916 (added as appendix)
 6.      ISSCAN -pri -fix -test badattach,badmessage -c virus.txt
 7.      If you have public folders, then run the following command too
 a.      ISSCAN -pub -fix -test badattach,badmessage -c virus.txt

Please be aware: POST-SP3 ISSCAN is not downwards compatible.

Background information

This is handled in a very similar way to the Melissa virus.

From an Exchange perspective, the first thing to do is to shut down all IMS
services, and all MTAs, to stop propagation. It has been suggested that,
owing to the other infection vectors, HTTP and IRC protocols be stopped as
well (or as a critical measure, unplug corporate intranets from the internet
until the crisis is under control).  A company can block these URLs at their
proxy servers, too.

ISSCAN can then be used to scan all Information Stores for copies of the
message, and delete them.  This may not get all messages, and especially as
more may trickle in from the outside, from missed servers, or from PST
files, this process will need to be repeated over time.  Refer to KB article
Q224493 (Q224436 talks about handling the Melissa virus and may be of
assistance, also). Note that the current ISSCAN on the FTP site is only up
to 5.5.SP3 as per Q260022.  An updated version of this utility has to be
shipped to requesting customers, as per a hot fix.

Any other preventative / cure measures need to be handled by NT logon
scripts and/or 3rd party anti-virus programs.

These need to delete the core .vbs files (as described in the analysis
below), delete the WIN-BUGSFIX.exe files, also the LOVE-LETTER-FOR-YOU.HTM
file, and remove the registry entries causing these to be run at logon.  The
WSCRIPT.EXE process should also be killed to stop any current "infection" at
this time.

More information on the virus on the web:
www.norman.com
http://www.f-secure.com/v-descs/love.htm
--- END PASTE --- Source: wishes to remain unknown
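As an added example, not part of the forwarded message or of the ISSCAN tool it describes: a small Python triage check that parses raw RFC 822 messages and reports which of the indicators quoted in the paste (subject line, body text, attachment name) each one matches. The sample messages are constructed here, the sender and recipient addresses are placeholders, and the "double-extension" rule is a generalisation beyond the paste: it flags any `.vbs` attachment whose name hides the script behind another extension, not only LOVE-LETTER-FOR-YOU.TXT.vbs.

```python
"""Triage mail for the ILOVEYOU indicators quoted in the advisory above."""
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators taken from the pasted advisory; matching is case-insensitive.
SUBJECT = "ILOVEYOU"
BODY_TEXT = "kindly check the attached loveletter coming from me."
ATTACHMENT = "love-letter-for-you.txt.vbs"


def attachment_names(msg):
    """Filenames of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def loveletter_indicators(raw):
    """Return the names of the indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().upper() == SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_TEXT in body.get_content().lower():
        hits.append("body")
    for name in attachment_names(msg):
        lname = name.lower()
        if lname == ATTACHMENT:
            hits.append("attachment")
        elif lname.endswith(".vbs") and lname.count(".") >= 2:
            # Generalisation (assumption): a script behind a second extension
            hits.append("double-extension")
    return hits


def build_sample(subject, text, filename):
    """Constructed sample message (not real captured mail) as raw text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # placeholder address
    msg["To"] = "user@example.invalid"      # placeholder address
    msg["Subject"] = subject
    msg.set_content(text)
    msg.add_attachment(b"' constructed dummy attachment, not a payload\r\n",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    samples = [
        build_sample("ILOVEYOU", "kindly check the attached LOVELETTER coming from me.",
                     "LOVE-LETTER-FOR-YOU.TXT.vbs"),
        build_sample("Budget", "Attached is the Q2 spreadsheet.", "budget.xls"),
        build_sample("fwd: funny", "check this out", "Very Funny.txt.vbs"),
    ]
    for raw in samples:
        print(loveletter_indicators(raw) or "clean")
```

The same check can be pointed at an mbox or PST export to find copies that trickle in after the store scan, which the paste notes has to be repeated over time.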