Love Bug Special Edition


"I Love You" - The "LoveBug" Virus - Special Edition

Rather ironically, for the last few weeks we have been working extensively on firewall products when along comes "LoveBug". Just in case you have missed the news, "LoveBug" is a very destructive and prolific email virus. The virus has hit many organisations badly.

Unlike previous well-known viruses such as Melissa, LoveBug is very destructive, corrupting data on a large scale.

I hope to cover in this newsletter the details of what it is, what it does and crucially, how you avoid this happening to you.

Apologies we don't have our normal newsletter coverage, normal service will be resumed for the next edition.

CONTENTS:
  • What is it?
  • What does it do?
  • What computers does it affect?
  • How can I tell if I am infected?
  • How can I get rid of it?
  • How do I protect myself?

WHAT IS IT?

You receive an email starting "I Love You". It has an attachment, you open it (well you would, wouldn't you). That's it, you're stuffed!

This is predominantly an issue for Microsoft Outlook users. You will see a message that contains:

Subject:    ILOVEYOU
Body:       kindly check the attached LOVELETTER coming from me.     
Attachment: LOVE-LETTER-FOR-YOU.TXT.VBS

Note, though, that because Windows normally hides the ".VBS" part, what you see on screen shows only ".TXT", making you think you have only got a text file.

Importantly, the message will seem to be from someone you know.

You can also receive the same mail through Internet Relay Chat (IRC). Look for a file called LOVE-LETTER-FOR-YOU.HTM.

WHAT DOES IT DO?

The attachment is a VB Script (a small program) that runs as soon as you open it. Firstly it mails itself to everyone in your address book - not just once, but every time you start Windows.

In detail, here is what happens:

1) It copies itself to your hard drive

2) Modifies the registry so it runs every time you reboot

3) Copies itself to \windows\win32dll.vbs

4) Copies itself to \windows\system\mskernel32.vbs

5) If mIRC (Internet Relay Chat) is running, it will also try to spread itself over IRC

6) It will try to download, then run, a file called WIN-BUGSFIX.EXE from the Internet. This program scans for passwords on your machine and sends them to the virus writer (though his domain is now off-line).

7) Sets WIN-BUGSFIX.EXE to run every time you reboot

8) It will then proceed to find local and network drives connected to your computer and overwrite files with further copies of the virus:
- Files with .js, .jse, .css, .wsh and other extensions are replaced with the virus file
- .jpg and .jpeg files are renamed to filename.jpg.vbs and replaced with the virus, again leaving an innocent-looking file which is actually the virus waiting to run
- MP3 files are replaced with the virus, a .vbs extension is added and the file is then marked hidden

9) It then scans your Outlook address book and sends an infected mail to all your contacts.

As you can see from this, LoveBug is a very serious and destructive virus. Melissa did no actual harm; LoveBug wipes files, attempts to hide itself in many locations and scans across your network for files to overwrite. Basically, once LoveBug has got inside your network it will proliferate very rapidly.

WHAT COMPUTERS ARE AFFECTED?

First of all we have those machines which actively run the virus: that is any system running Windows 98 or 2000, plus any machine running Windows Scripting Host (WSH).

However, the virus could affect ANY MACHINE. Unix and other non-Windows variants may have files damaged by the virus and become unwitting "Typhoid Mary" carriers of the virus.

A Unix or NT machine, though seemingly uninfected, could carry the file; the next time a Windows user accesses the file, it starts all over again.

So basically, assume any kind of machine is a potential carrier and potentially infected.

N.B. It is not just Outlook that carries the virus. ANY EMAIL program can carry the virus. Opening the attachment in any email program will launch the virus. Outlook is only special in that the virus uses its address book as one way of proliferating.

HOW CAN I TELL IF I AM INFECTED?

If you are on a Windows system, check for a file called "LOVE-LETTER-FOR-YOU.TXT.VBS". You will have at least one copy in your Windows system folder (usually c:\windows\system or c:\windows\system32).

However, that will NOT tell you if you have picked up an infected file that has not been run yet. In other words, you could have the virus waiting in a jpeg or MP3 file - you just don't know it yet.

The only real answer is to ensure your Anti-Virus software (you do have Anti-Virus software don't you?) is up to date and running.

VERY IMPORTANT: Many anti-virus packages are set by default to check "Program Files Only" or something similar. They must check ALL files, since the infected files look like ordinary data files, not program files.

As of this morning all the major anti-virus companies had released updates, which will find the LoveBug virus. But we'll return to this later.
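As an added example (not from the newsletter), here is a small Python scanner that applies the two checks described above to every file under a directory, not just "program files": it looks for the dropped file names listed in this edition and for the double-extension disguise (a data extension such as .jpg or .mp3 followed by .vbs). The sample tree it builds is constructed in a temporary directory and contains only empty placeholder files.

```python
import os
import tempfile
from typing import List, Optional, Tuple

# File names this newsletter lists as dropped by LoveBug (Windows names are
# case-insensitive, so everything is compared in lower case).
KNOWN_DROPPED_FILES = {
    "love-letter-for-you.txt.vbs", "love-letter-for-you.htm",
    "mskernel32.vbs", "win32dll.vbs", "win-bugsfix.exe",
}
# Data extensions the virus hides behind by appending a second ".vbs".
DISGUISED_DATA_EXTS = {"txt", "jpg", "jpeg", "mp3"}

def classify(name: str) -> Optional[str]:
    """Label a file name as an indicator, or return None if it looks clean."""
    lower = name.lower()
    if lower in KNOWN_DROPPED_FILES:
        return "known-lovebug-file"
    parts = lower.rsplit(".", 2)   # "photo.jpg.vbs" -> ["photo", "jpg", "vbs"]
    if len(parts) == 3 and parts[2] == "vbs" and parts[1] in DISGUISED_DATA_EXTS:
        return "double-extension-vbs"
    return None

def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk EVERY file under root (not just program files) and report hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            label = classify(fname)
            if label:
                findings.append((os.path.join(dirpath, fname), label))
    return findings

def demo_scan() -> List[str]:
    """Build a constructed sample tree in a temp dir and return the labels found."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("windows/system/MSKernel32.vbs", "photos/holiday.JPG.vbs",
                    "music/song.mp3.vbs", "docs/notes.txt", "tools/setup.vbs"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()   # empty placeholder, no script content
        return sorted(label for _path, label in scan_tree(root))

if __name__ == "__main__":
    print(demo_scan())
```

Note that a plain "setup.vbs" is not flagged: the scanner only reports the specific names and disguise pattern the newsletter describes, which is a complement to, not a replacement for, an up-to-date anti-virus scan.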

HOW CAN I GET RID OF THE VIRUS ONCE INFECTED?

Firstly, run your anti-virus program and delete any file that is infected.

Secondly, double check: you may have files in your mail program which have not been picked up by the virus check - delete them too. Check your Inbox, Deleted messages and certainly Sent Items. Because it emails itself, Sent Items will have many messages in it. (Tip: Shift-Delete really deletes a message, rather than just moving it to the Deleted folder where you have to delete it again.)

Thirdly, don't forget - this virus attacks your local network - so any connected machines are potentially infected and remain a source of possible re-infection - let users/administrators of those other machines know you have been hit.

It is a bit like a sexually transmitted disease but without the embarrassment, at least if you have been infected you know you are popular enough to appear in someone else's address book. If you don't get it, maybe you're not popular enough... Anyway, there is no shame in owning up to being struck by it.

The virus has also inserted itself in the Windows registry - you will need to fix this too. Until you do, you may get error messages about "missing files" as you restart Windows, and you remain open to re-infection at a later date.

Using Regedit you need to remove the following entries from HKEY_LOCAL_MACHINE:

\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE
\Software\Microsoft\Windows Scripting Host\Settings\Timeout

The virus also may have changed an Internet Explorer setting:

Your Start Page (the first page you see when you start IE) is changed to a blank page. To fix that open up the start page you want in the browser then go to Tools | Internet Options | General and click on the 'Use Current' button.

If you are a mIRC user, then your script.ini file will have been overwritten too. Do not start up mIRC until you have restored your original script.ini file, otherwise you will re-infect yourself and others.

HOW DO I PROTECT MYSELF?

LoveBug has upped the stakes in the virus world - where idiots compete against each other for more and more destructive and virulent packages. You can be assured that there will be another such attack. After all, LoveBug is only an extra spin on Melissa, which was only an extra spin on... and so on ad infinitum.

The trouble with LoveBug is that the *type* of virus it represents is particularly tricky to stop. While the specific version (and there are already variants) can be tracked by anti-virus software, the more generalised case is hard to eliminate.

Nevertheless, there are certainly some firewall and mail sweeper users out there who are counting their blessings this morning (as well as counting the logged captures of the virus).

FIREWALL, CONTENT CHECK, ANTI-VIRUS, SECURE INTERNET CONNECTIONS

Firstly, the only real protection against these types of attacks is the firewall approach. You need to examine all inbound email messages and quarantine any file which appears dodgy. Note "appears": you need to err on the side of caution here.

FIREWALL:

What is a firewall? A firewall is a hardware/software package that sits between you and the Internet. It protects against many types of attack from the Internet, including spoofing, relaying and denial of service attacks. The firewall is the more general protection against Internet attack. Important: many firewalls do not sweep mail and so do not protect against LoveBug.

CONTENT CHECK:

What is a mail sweeper? Mail sweepers or content checkers are the next step from firewalls. A mail checker will investigate inbound (and indeed outbound too) email messages for dubious content. This could be viruses, pornography, company secrets etc. Typically messages with suspect content are "quarantined" so that an administrator can check the file before passing legitimate files onwards.
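As an added example (not from the newsletter or from any product it mentions), here is a minimal mail-sweeper rule in Python: it parses one inbound message, holds it for an administrator if any attachment carries an extension Windows Scripting Host would execute, and also treats the lure subject described in this edition as a reason to quarantine. The sample message is constructed; its "attachment" is a harmless placeholder string, not the virus.

```python
from email import message_from_string
from email.policy import default as DEFAULT_POLICY
from typing import List, Tuple

# Attachment extensions Windows Scripting Host will run when double-clicked.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsh", ".wsf")
# Subject line of the lure described in this newsletter.
KNOWN_LURE_SUBJECTS = {"ILOVEYOU"}

def sweep(raw_message: str) -> Tuple[str, List[str]]:
    """Return ("quarantine" | "deliver", reasons) for one inbound RFC 822 message."""
    msg = message_from_string(raw_message, policy=DEFAULT_POLICY)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(SCRIPT_EXTS):   # e.g. LOVE-LETTER-FOR-YOU.TXT.VBS
            reasons.append("script attachment: " + name)
    subject = (msg["Subject"] or "").strip().upper()
    if subject in KNOWN_LURE_SUBJECTS:
        reasons.append("known lure subject: " + subject)
    # Err on the side of caution: any single reason is enough to hold the mail
    # for an administrator to inspect rather than pass it on to the user.
    return ("quarantine" if reasons else "deliver", reasons)

# Constructed sample modelled on the message described in this newsletter;
# the attachment body is a placeholder string, not script content.
SAMPLE_LOVEBUG = """\
From: someone-you-know@example.com
To: you@example.com
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary42"

--boundary42
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--boundary42
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

placeholder-not-a-script
--boundary42--
"""

if __name__ == "__main__":
    print(sweep(SAMPLE_LOVEBUG))
```

The extension check is deliberately on the full attachment name, so the hidden ".VBS" that Explorer conceals from the user is still seen by the sweeper.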

ANTI-VIRUS:

Isn't my virus checker enough? No. Your anti-virus software will always be slightly behind the latest viruses. That's not to say your AV is useless - quite the reverse, it is a very important part of the protection - but it is only a part.

SECURE INTERNET CONNECTIONS:

Some ISPs are now offering services where all security checking is handled by the ISP before it ever reaches your network. This is a new and powerful service. It is also very cost-effective, since you do not have to purchase and administer local protection hardware and software.

I THINK I MIGHT WANT SOME PROTECTION?

Please contact us: Centreline 2000 can provide firewalls, mail sweepers and anti-virus software. Here are some corporate solutions:

AXENT RAPTOR FIREWALL: extensive firewall protection

CENTRELINE 2000 PALLADIO: email sweeping for Unix systems

GFI MAIL ESSENTIALS: email sweeping for Windows systems

NETWORK ASSOCIATES: virus protection

STAR INTERNET: secure Internet connectivity

Centreline 2000 - Uniplex, Unix, Windows and Internet
Arle Court, Hatherley Lane, Cheltenham, GL51 6PN
Tel: (UK) 01242 255 000
URL: www.c2000.com/papers/nw_000506.htm
© 1995-2001 Centreline 2000
Last Updated: 6th May 2000