Re: [Fwd: 'ILOVEYOU' script worm] FIX/INFORMATION Domenica G. Pappas 05 May 2000 23:16 EST
At 02:41 PM 05/04/2000 -0400, you wrote: >FYI ... > >-- >[:)] Dave >_______________________________________________________ > >David S. Battey >Information & Technology Coordinator >Office of Research and Grants Administration >College of Charleston, Charleston, SC, 29424 >Voice: (843)953-5673 Fax: (843)953-6577 >Internet: http://www.orga.cofc.edu/ >E-mail: xxxxxx@cofc.edu >_______________________________________________________ > >Return-path: <xxxxxx@LISTSERV.NTBUGTRAQ.COM> >Received: from VMS.DC.LSOFT.COM (vms.dc.lsoft.com [209.119.1.27]) > by cofc.edu (PMDF V5.2-32 #39232) with ESMTP id > <xxxxxx@cofc.edu>; > Thu, 4 May 2000 14:05:20 EDT >Received: from peach (209.119.0.4) > by VMS.DC.LSOFT.COM (LSMTP for OpenVMS v1.1a) with SMTP id > <xxxxxx@VMS.DC.LSOFT.COM>; Thu, 04 May 2000 13:40:58 -0400 >Received: from LISTSERV.NTBUGTRAQ.COM by LISTSERV.NTBUGTRAQ.COM > (LISTSERV-TCP/IP release 1.8d) > with spool id 141114 for xxxxxx@LISTSERV.NTBUGTRAQ.COM; Thu, > 04 May 2000 13:39:36 -0400 >Received: from 195.193.219.202 by PEACH.EASE.LSOFT.COM (SMTPL release 1.0d) > with TCP; Thu, 04 May 2000 11:48:49 -0400 >Received: by aserver1.wall.de with Internet Mail Service (5.5.2650.21) > id <K271NP2D>; Thu, 04 May 2000 17:49:03 +0200 >Date: Thu, 04 May 2000 17:49:02 +0200 >From: "Mazeland, Siebrand" <xxxxxx@WALL.NL> >Subject: 'ILOVEYOU' script worm >Sender: Windows NTBugtraq Mailing List <xxxxxx@LISTSERV.NTBUGTRAQ.COM> >Approved-by: xxxxxx@RC.ON.CA >To: xxxxxx@LISTSERV.NTBUGTRAQ.COM >Reply-to: "Mazeland, Siebrand" <xxxxxx@WALL.NL> >Message-id: <xxxxxx@aserver1.wall.de> >MIME-version: 1.0 >X-Mailer: Internet Mail Service (5.5.2650.21) >Content-type: text/plain; charset="iso-8859-1" >X-Mozilla-Status2: 00000000 > >Recently a script worm has hit many systems. Here is some information on how >to check for and clean infections on Exchange Server server systems. If off >topic, please refer to a better suited list. > >Cheers! > >Siebrand Mazeland > >--- BEGIN PASTE --- >"I Love You" eMail virus. >Summary > >This document is to provide you with steps to purge the ILOVEYOU virus on >Exchange servers for one time. This virus is spread in various ways. It >seems the most prevalent method is via an eMail message, which as the >following details. > >Subject line "ILOVEYOU" >Mail text: "kindly check the attached LOVELETTER coming from me." >Attachment: "LOVE-LETTER-FOR-YOU.TXT.vbs" >Size: Approx. 13kb. > >Steps to cure Exchange 5.5 SP3 and lower >If you have Exchange 5.5 with SP3 or a lower version, please > 1. Download SCAN.ZIP from >ftp://ftp.microsoft.com/transfer/outgoing/webresponse/ > a. >ftp://ftp.microsoft.com/transfer/outgoing/webresponse/scan.zip.00504.04-07-2 >5 > 2. Unzip file > 3. Copy all files to <Exchange server directory>\bin > 4. Run the following command: NET STOP MSEXCHANGEIS > a. IF you do not want to stop the store, you >can use the latest version of EXMERGE.EXE. For more information on how to >use this, please refer to Q-article Q246916 (added as appendix) > 5. ISSCAN -pri -fix -test badattach,badmessage -c virus.txt > 6. If you have public folders the run the following command too > a. ISSCAN -pub -fix -test badattach,badmessage >-c virus.txt > >Steps to cure Exchange 5.5 SP3 and Store Fixes >If you have Exchange 5.5 with SP3 with additional fixes on the store, > 1. download SCAN.ZIP and POST-SP3-ISSCAN.EXE from >ftp://ftp.microsoft.com/transfer/outgoing/webresponse/ > a. >ftp://ftp.microsoft.com/transfer/outgoing/webresponse/scan.zip.00504.04-07-2 >5 > b. >ftp://ftp.microsoft.com/transfer/outgoing/webresponse/post-sp3-isscan.exe.00 >504.06-31-12 > 2. Unpack SCAN.ZIP > 3. Unpack POST-SP3-ISSCAN.EXE, choose to overwrite isscan.exe >(build 2648) with the new isscan.exe (build 2652.26) > 4. Copy all file to: <Exchange server directory>\bin > 5. Run the following command: NET STOP MSEXCHANGEIS > a. If you do not want to stop the store, you >can use the latest version of EXMERGE.EXE. For more information on how to >use this, please refer to Q-article Q246916 (added as appendix) > 6. ISSCAN -pri -fix -test badattach,badmessage -c virus.txt > 7. If you have public folders the run the following command too > a. ISSCAN -pub -fix -test badattach,badmessage >-c virus.txt > >Please be aware: POST-SP3 ISSCAN is not downwards compatible >Background information > >This is handled in a very similar way to the Melissa virus. > > >From an Exchange perspective, the first thing to do is to shut down all IMS >services, and all MTAs, to stop propagation. It has been suggested that, >owing to the other infection vectors, HTTP and IRC protocols be stopped as >well (or as a critical measure, unplug corporate intranets from the internet >until the crisis is under control). A company can block these URLs at their >proxy servers, too. > >ISSCAN can then be used to scan all Information Stores for copies of the >message, and delete them. This may not get all messages, and especially as >more may trickle in from the outside, from missed servers, or from PST >files, this process will need to be repeated over time. Refer to KB article >Q224493 (Q224436 talks about handling the Melissa virus and may be of >assistance, also). Note that the current ISSCAN on the FTP site is only up >to 5.5.SP3 as per Q260022. An updated version of this utility has to be >shipped to requesting customers, as per a hot fix. > >Any other preventative / cure measures need to be handled by NT logon >scripts and/or 3rd party anti-virus programs. > >These need to delete the core .vbs files (as described in the analysis >below), delete the WIN-BUGSFIX.exe files, also the LOVE-LETTER-FOR-YOU.HTM >file, and remove the registry entries causing these to be run at logon. The >WSCRIPT.EXE process should also be killed to stop any current "infection" at >this time. >More information on the virus on the web >www.norman.com >http://www.f-secure.com/v-descs/love.htm >--- END PASTE --- Source: wishes to remain unknown I will be out of the office on Monday, May 8th and Tuesday, May 9th. If you need assistance, please contact Ms. Janice Haney at (312) 567-3035. Thank you. ****************************************************** Domenica G. Pappas Phone 312-567-3035 Assistant Director Fax 312-567-6980 Office of Sponsored Research xxxxxx@iit.edu Illinois Institute of Technology 3300 S. Federal Street, MB Rm 301 Chicago, IL 60616-3793 www.iit.edu/colleges/grad/sresearc.htm ****************************************************** ====================================================================== Instructions on how to use the RESADM-L Mailing List, including subscription information and a web-searchable archive, are available via our web site at http://www.hrinet.org (click on "Listserv Lists") ======================================================================