Re: [Fwd: 'ILOVEYOU' script worm] FIX/INFORMATION Domenica G. Pappas 05 May 2000 23:16 EST

At 02:41 PM 05/04/2000 -0400, you wrote:
>FYI ...
>
>--
>[:)] Dave
>_______________________________________________________
>
>David S. Battey
>Information & Technology Coordinator
>Office of Research and Grants Administration
>College of Charleston, Charleston, SC, 29424
>Voice: (843)953-5673      Fax: (843)953-6577
>Internet:  http://www.orga.cofc.edu/
>E-mail:  xxxxxx@cofc.edu
>_______________________________________________________
>
>Return-path: <xxxxxx@LISTSERV.NTBUGTRAQ.COM>
>Received: from VMS.DC.LSOFT.COM (vms.dc.lsoft.com [209.119.1.27])
>  by cofc.edu (PMDF V5.2-32 #39232) with ESMTP id
> <xxxxxx@cofc.edu>;
>  Thu, 4 May 2000 14:05:20 EDT
>Received: from peach (209.119.0.4)
>  by VMS.DC.LSOFT.COM (LSMTP for OpenVMS v1.1a) with SMTP id
>  <xxxxxx@VMS.DC.LSOFT.COM>; Thu, 04 May 2000 13:40:58 -0400
>Received: from LISTSERV.NTBUGTRAQ.COM by LISTSERV.NTBUGTRAQ.COM
>  (LISTSERV-TCP/IP release 1.8d)
>  with spool id 141114 for xxxxxx@LISTSERV.NTBUGTRAQ.COM; Thu,
>  04 May 2000 13:39:36 -0400
>Received: from 195.193.219.202 by PEACH.EASE.LSOFT.COM (SMTPL release 1.0d)
>  with TCP; Thu, 04 May 2000 11:48:49 -0400
>Received: by aserver1.wall.de with Internet Mail Service (5.5.2650.21)
>  id <K271NP2D>; Thu, 04 May 2000 17:49:03 +0200
>Date: Thu, 04 May 2000 17:49:02 +0200
>From: "Mazeland, Siebrand" <xxxxxx@WALL.NL>
>Subject: 'ILOVEYOU' script worm
>Sender: Windows NTBugtraq Mailing List <xxxxxx@LISTSERV.NTBUGTRAQ.COM>
>Approved-by: xxxxxx@RC.ON.CA
>To: xxxxxx@LISTSERV.NTBUGTRAQ.COM
>Reply-to: "Mazeland, Siebrand" <xxxxxx@WALL.NL>
>Message-id: <xxxxxx@aserver1.wall.de>
>MIME-version: 1.0
>X-Mailer: Internet Mail Service (5.5.2650.21)
>Content-type: text/plain; charset="iso-8859-1"
>X-Mozilla-Status2: 00000000
>
>Recently a script worm has hit many systems. Here is some information on how
>to check for and clean infections on Exchange Server systems. If off
>topic, please refer to a better suited list.
>
>Cheers!
>
>Siebrand Mazeland
>
>--- BEGIN PASTE ---
>"I Love You" eMail virus.
>Summary
>
>This document is to provide you with steps to purge the ILOVEYOU virus on
>Exchange servers for one time. This virus is spread in various ways.  It
>seems the most prevalent method is via an eMail message, which has the
>following details.
>
>Subject line    "ILOVEYOU"
>Mail text:      "kindly check the attached LOVELETTER coming from me."
>Attachment:     "LOVE-LETTER-FOR-YOU.TXT.vbs"
>Size:   Approx. 13kb.
>
>Steps to cure Exchange 5.5 SP3 and lower
>If you have Exchange 5.5 with SP3 or a lower version, please
>    1.  Download SCAN.ZIP from ftp://ftp.microsoft.com/transfer/outgoing/webresponse/
>        a.  ftp://ftp.microsoft.com/transfer/outgoing/webresponse/scan.zip.00504.04-07-25
>    2.  Unzip file
>    3.  Copy all files to <Exchange server directory>\bin
>    4.  Run the following command: NET STOP MSEXCHANGEIS
>        a.  If you do not want to stop the store, you can use the latest
>            version of EXMERGE.EXE. For more information on how to use this,
>            please refer to Q-article Q246916 (added as appendix)
>    5.  ISSCAN -pri -fix -test badattach,badmessage -c virus.txt
>    6.  If you have public folders then run the following command too
>        a.  ISSCAN -pub -fix -test badattach,badmessage -c virus.txt
>
>Steps to cure Exchange 5.5 SP3 and Store Fixes
>If you have Exchange 5.5 with SP3 with additional fixes on the store,
>    1.  Download SCAN.ZIP and POST-SP3-ISSCAN.EXE from ftp://ftp.microsoft.com/transfer/outgoing/webresponse/
>        a.  ftp://ftp.microsoft.com/transfer/outgoing/webresponse/scan.zip.00504.04-07-25
>        b.  ftp://ftp.microsoft.com/transfer/outgoing/webresponse/post-sp3-isscan.exe.00504.06-31-12
>    2.  Unpack SCAN.ZIP
>    3.  Unpack POST-SP3-ISSCAN.EXE, choose to overwrite isscan.exe
>        (build 2648) with the new isscan.exe (build 2652.26)
>    4.  Copy all files to: <Exchange server directory>\bin
>    5.  Run the following command: NET STOP MSEXCHANGEIS
>        a.  If you do not want to stop the store, you can use the latest
>            version of EXMERGE.EXE. For more information on how to use this,
>            please refer to Q-article Q246916 (added as appendix)
>    6.  ISSCAN -pri -fix -test badattach,badmessage -c virus.txt
>    7.  If you have public folders then run the following command too
>        a.  ISSCAN -pub -fix -test badattach,badmessage -c virus.txt
>
>Please be aware: POST-SP3 ISSCAN is not downwards compatible
>
>Background information
>
>This is handled in a very similar way to the Melissa virus.
>
>From an Exchange perspective, the first thing to do is to shut down all IMS
>services, and all MTAs, to stop propagation. It has been suggested that,
>owing to the other infection vectors, HTTP and IRC protocols be stopped as
>well (or as a critical measure, unplug corporate intranets from the internet
>until the crisis is under control).  A company can block these URLs at their
>proxy servers, too.
>
>ISSCAN can then be used to scan all Information Stores for copies of the
>message, and delete them.  This may not get all messages, and especially as
>more may trickle in from the outside, from missed servers, or from PST
>files, this process will need to be repeated over time.  Refer to KB article
>Q224493 (Q224436 talks about handling the Melissa virus and may be of
>assistance, also). Note that the current ISSCAN on the FTP site is only up
>to 5.5.SP3 as per Q260022.  An updated version of this utility has to be
>shipped to requesting customers, as per a hot fix.
>
>Any other preventative / cure measures need to be handled by NT logon
>scripts and/or 3rd party anti-virus programs.
>
>These need to delete the core .vbs files (as described in the analysis
>below), delete the WIN-BUGSFIX.exe files, also the LOVE-LETTER-FOR-YOU.HTM
>file, and remove the registry entries causing these to be run at logon.  The
>WSCRIPT.EXE process should also be killed to stop any current "infection" at
>this time.
>More information on the virus on the web
>www.norman.com
>http://www.f-secure.com/v-descs/love.htm
>--- END PASTE --- Source: wishes to remain unknown

I will be out of the office on Monday, May 8th and Tuesday, May 9th.

If you need assistance, please contact Ms. Janice Haney at (312)  567-3035.

Thank you.

******************************************************
Domenica G. Pappas                              Phone 312-567-3035
Assistant Director                              Fax 312-567-6980
Office of Sponsored Research            xxxxxx@iit.edu
Illinois Institute of Technology
3300 S. Federal Street,  MB Rm 301
Chicago, IL 60616-3793

www.iit.edu/colleges/grad/sresearc.htm
******************************************************
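The forwarded note lists the message indicators (subject line, body text, attachment name) that ISSCAN's badattach/badmessage tests were used to find in the store. The following is an added example, not code from the original post or from Microsoft, showing how a mail administrator could apply those same indicators to raw RFC 822 messages (for example mail held in a gateway queue or exported from PST files) before they reach the store. It also goes one step beyond the note, as an assumption of the author of this example rather than something the note states, by flagging any attachment that hides a Windows Script Host extension behind a decoy extension, since the worm's "TXT.vbs" name is one instance of that pattern. The two sample messages are constructed for this example and contain no worm code.

```python
"""Flag e-mail messages that match the 'ILOVEYOU' worm indicators quoted in
the forwarded note, plus the general double-extension script pattern.

Example code added to this archive page; not from the original post.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the forwarded note.
KNOWN_SUBJECT = "ILOVEYOU"
KNOWN_BODY = "kindly check the attached LOVELETTER coming from me."
KNOWN_ATTACHMENT = "LOVE-LETTER-FOR-YOU.TXT.vbs"

# Generalisation (assumption of this example, not stated in the note): any
# attachment whose last extension is a Windows Script Host type and which
# carries at least one decoy extension before it (e.g. ".TXT.vbs").
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}


def attachment_names(msg: EmailMessage) -> list[str]:
    """Return the filenames of every MIME part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def is_double_extension_script(filename: str) -> bool:
    """True for names like 'report.doc.js': a decoy extension hiding a script."""
    parts = filename.lower().split(".")
    # Need base name + decoy extension + script extension, so three pieces.
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTENSIONS


def classify(raw: bytes) -> list[str]:
    """Parse one raw RFC 822 message and return the list of indicators hit.

    An empty list means nothing in the message matched.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: list[str] = []

    subject = (msg["subject"] or "").strip()
    if subject.upper() == KNOWN_SUBJECT:
        reasons.append("subject matches")

    # get_body() skips parts marked as attachments, so this is the note text.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if KNOWN_BODY.lower() in body.lower():
        reasons.append("body text matches")

    for name in attachment_names(msg):
        if name.lower() == KNOWN_ATTACHMENT.lower():
            reasons.append(f"attachment {name} matches known name")
        elif is_double_extension_script(name):
            reasons.append(f"attachment {name} has a double extension ending in a script type")
    return reasons


# Constructed sample: the shape of the worm message as described in the note.
# The attachment body is the base64 of the harmless text "REM placeholder".
SAMPLE_WORM = b"""From: someone@example.invalid
To: victim@example.invalid
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: base64

UkVNIHBsYWNlaG9sZGVy
--b1--
"""

# Constructed sample: an ordinary message with a plain text attachment.
SAMPLE_BENIGN = b"""From: colleague@example.invalid
To: victim@example.invalid
Subject: Grant budget spreadsheet
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Attached is the budget for the May submission.
--b2
Content-Type: text/plain; name="budget.txt"
Content-Disposition: attachment; filename="budget.txt"

line items go here
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm-shaped", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, "->", classify(raw) or "no indicators")
```

Running the module prints the indicators hit by each constructed sample. The subject and body checks are exact-string matches taken from the note, so they will miss any variant that changes the text; the double-extension check is the part that generalises, and on a gateway it is the one worth keeping after the specific indicators go stale.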

======================================================================
 Instructions on how to use the RESADM-L Mailing List, including
 subscription information and a web-searchable archive, are available
 via our web site at http://www.hrinet.org (click on "Listserv Lists")
======================================================================