[Fwd: 'ILOVEYOU' script worm] FIX/INFORMATION David Battey 04 May 2000 13:41 EST
FYI ... -- [:)] Dave

_______________________________________________________
David S. Battey
Information & Technology Coordinator
Office of Research and Grants Administration
College of Charleston, Charleston, SC, 29424
Voice: (843)953-5673   Fax: (843)953-6577
Internet: http://www.orga.cofc.edu/
E-mail: xxxxxx@cofc.edu
_______________________________________________________
'ILOVEYOU' script worm Mazeland, Siebrand 04 May 2000 10:49 EST
Recently a script worm has hit many systems. Here is some information on how to check for and clean infections on Exchange Server systems. If off topic, please refer to a better suited list.

Cheers!

Siebrand Mazeland

--- BEGIN PASTE ---

"I Love You" eMail virus.

Summary

This document is to provide you with steps to purge the ILOVEYOU virus on Exchange servers for one time. This virus is spread in various ways. It seems the most prevalent method is via an eMail message, which has the following details.

  Subject line: "ILOVEYOU"
  Mail text:    "kindly check the attached LOVELETTER coming from me."
  Attachment:   "LOVE-LETTER-FOR-YOU.TXT.vbs"
  Size:         Approx. 13kb.

Steps to cure Exchange 5.5 SP3 and lower

If you have Exchange 5.5 with SP3 or a lower version, please:

1. Download SCAN.ZIP from ftp://ftp.microsoft.com/transfer/outgoing/webresponse/
   a. ftp://ftp.microsoft.com/transfer/outgoing/webresponse/scan.zip.00504.04-07-25
2. Unzip the file.
3. Copy all files to <Exchange server directory>\bin
4. Run the following command: NET STOP MSEXCHANGEIS
   a. If you do not want to stop the store, you can use the latest version of EXMERGE.EXE. For more information on how to use this, please refer to Q-article Q246916 (added as appendix).
5. ISSCAN -pri -fix -test badattach,badmessage -c virus.txt
6. If you have public folders, then run the following command too:
   a. ISSCAN -pub -fix -test badattach,badmessage -c virus.txt

Steps to cure Exchange 5.5 SP3 and Store Fixes

If you have Exchange 5.5 with SP3 with additional fixes on the store:

1. Download SCAN.ZIP and POST-SP3-ISSCAN.EXE from ftp://ftp.microsoft.com/transfer/outgoing/webresponse/
   a. ftp://ftp.microsoft.com/transfer/outgoing/webresponse/scan.zip.00504.04-07-25
   b. ftp://ftp.microsoft.com/transfer/outgoing/webresponse/post-sp3-isscan.exe.00504.06-31-12
2. Unpack SCAN.ZIP
3. Unpack POST-SP3-ISSCAN.EXE, choose to overwrite isscan.exe (build 2648) with the new isscan.exe (build 2652.26)
4. Copy all files to: <Exchange server directory>\bin
5. Run the following command: NET STOP MSEXCHANGEIS
   a. If you do not want to stop the store, you can use the latest version of EXMERGE.EXE. For more information on how to use this, please refer to Q-article Q246916 (added as appendix).
6. ISSCAN -pri -fix -test badattach,badmessage -c virus.txt
7. If you have public folders, then run the following command too:
   a. ISSCAN -pub -fix -test badattach,badmessage -c virus.txt

Please be aware: POST-SP3 ISSCAN is not downwards compatible.

Background information

This is handled in a very similar way to the Melissa virus. From an Exchange perspective, the first thing to do is to shut down all IMS services, and all MTAs, to stop propagation. It has been suggested that, owing to the other infection vectors, HTTP and IRC protocols be stopped as well (or as a critical measure, unplug corporate intranets from the internet until the crisis is under control). A company can block these URLs at their proxy servers, too.

ISSCAN can then be used to scan all Information Stores for copies of the message, and delete them. This may not get all messages, and especially as more may trickle in from the outside, from missed servers, or from PST files, this process will need to be repeated over time. Refer to KB article Q224493 (Q224436 talks about handling the Melissa virus and may be of assistance, also).

Note that the current ISSCAN on the FTP site is only up to 5.5.SP3 as per Q260022. An updated version of this utility has to be shipped to requesting customers, as per a hot fix.

Any other preventative / cure measures need to be handled by NT logon scripts and/or 3rd party anti-virus programs. These need to delete the core .vbs files (as described in the analysis below), delete the WIN-BUGSFIX.exe files, also the LOVE-LETTER-FOR-YOU.HTM file, and remove the registry entries causing these to be run at logon. The WSCRIPT.EXE process should also be killed to stop any current "infection" at this time.

More information on the virus on the web:
  www.norman.com
  http://www.f-secure.com/v-descs/love.htm

--- END PASTE ---

Source: wishes to remain unknown
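The pasted procedure relies on ISSCAN's "-test badattach,badmessage" to pick out store items matching the worm's indicators (subject "ILOVEYOU", the "kindly check the attached LOVELETTER" body text, the LOVE-LETTER-FOR-YOU.TXT.vbs attachment). The Python below is an added example written for this page, not code from the post and not Microsoft's ISSCAN: it applies the same classification to RFC 822 messages so a defender can triage exported mail (PST dumps, EXMERGE output) before or between store scans. The function names, the SCRIPT_EXTENSIONS list (a generalisation to any double-extension script attachment, beyond the single .TXT.vbs name the post gives) and the four sample messages are assumptions constructed here; the attachment payloads are placeholder bytes.

```python
"""Flag mail items that carry the ILOVEYOU indicators quoted in the post.

Added example for this page; it is not part of the post and not Microsoft's
ISSCAN. The message samples are constructed here for the demonstration and
the attachment payloads are harmless placeholder bytes.
"""
import email
import email.policy
from email.message import EmailMessage

# Indicators taken from the post: subject, body text and attachment name.
BAD_SUBJECT = "ILOVEYOU"
BAD_BODY_TEXT = "kindly check the attached loveletter coming from me"
BAD_ATTACHMENT_NAMES = {
    "love-letter-for-you.txt.vbs",   # the mailed dropper
    "love-letter-for-you.htm",       # file the post says logon scripts must delete
    "win-bugsfix.exe",               # likewise
}
# Generalisation beyond the post (assumption): any attachment whose name hides
# a script extension behind a harmless-looking one is treated like the
# .TXT.vbs case, because Windows Scripting Host runs it on open.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


def classify_message(raw):
    """Return ISSCAN-style findings for one RFC 822 message given as bytes.

    'badmessage:*' mirrors the -test badmessage check (subject/body),
    'badattach:*' mirrors -test badattach (attachment name); 'purge' is True
    when any finding is present, i.e. the item would be removed by -fix.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).strip()
    if subject.upper() == BAD_SUBJECT:
        reasons.append("badmessage:subject")
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            name = filename.lower()
            if name in BAD_ATTACHMENT_NAMES:
                reasons.append("badattach:known-name:" + filename)
            elif name.endswith(SCRIPT_EXTENSIONS) and name.count(".") >= 2:
                reasons.append("badattach:double-extension-script:" + filename)
            continue
        if part.get_content_type() == "text/plain":
            # Normalise whitespace and case so line wrapping does not hide the text.
            body = " ".join(part.get_content().lower().split())
            if BAD_BODY_TEXT in body:
                reasons.append("badmessage:body")
    return {"subject": subject, "reasons": reasons, "purge": bool(reasons)}


def _build(subject, body, attachment_name=None):
    """Construct a sample message; addresses and payload are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"' placeholder bytes, not the worm\r\n",
                         maintype="application", subtype="octet-stream",
                         filename=attachment_name)
    return m.as_bytes()


# Constructed corpus: one item matching every indicator in the post, one
# benign item, one where only a disguised script attachment gives it away,
# and one that only repeats the body text.
SAMPLE_MESSAGES = {
    "worm": _build("ILOVEYOU",
                   "kindly check the attached LOVELETTER coming from me.",
                   "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    "benign": _build("Budget Q2", "Attached is the spreadsheet we discussed.",
                     "budget.xls"),
    "renamed": _build("Re: your file", "See attached.", "invoice.doc.vbs"),
    "text_only": _build("hi", "Kindly check the attached LOVELETTER coming from me."),
}


def purge_list(messages):
    """Names of the items a store scan with -fix would delete, sorted."""
    return sorted(k for k, raw in messages.items() if classify_message(raw)["purge"])


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(name, classify_message(raw))
    print("purge:", purge_list(SAMPLE_MESSAGES))
```

Each finding is kept separately rather than collapsed into a yes/no so the output can be reconciled against the virus.txt report ISSCAN writes with "-c": an item flagged only on body text is worth a second look before deletion, while a known attachment name is a clear purge. As the post notes, the scan must be repeated as more copies arrive from unscanned servers and PST files.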