
[RT] RE: Love Letter Virus






RT Members,
 
There has recently been a virus inadvertently sent by Ashok Garg, an RT 
member called the Love Letter Virus. Message number 1354 has been deleted in 
which this virus appeared. Those of you who get digest mode will not be affected 
by this problem. Those who receive individual emails will only be affected if 
they opened the attachment.
 
Mr. Garg's ability to post has been temporarily 
suspended until he has cleaned his machine appropriately.
 
Also, while we are talking about viruses, there also appears 
to be a resurgence of the NAVIDAD virus around this time of year as well. 
DO NOT OPEN ANY MESSAGES WITH AN ATTACHMENT OF 
NAVIDAD.EXE.
 
It is suggested not to open any attachments other 
than JPG or GIF-type picture files unless you have virus protection in 
place.
 
For more information on the Love Letter Virus, please read the 
following text below.

Love Letter Virus
Not just Outlook
Because the virus is being propagated 
via E-mail using Microsoft Outlook as the mailer program, some people have the 
misconception that if they are not using Microsoft Outlook they will not catch 
the virus. The truth of the matter is that you can still catch the virus even if 
you are not using Microsoft Outlook if your system has the Windows Scripting 
Host (WSH) installed. You will not, however, be able to pass the virus around by 
e-mail if you do not use Outlook. By default, WSH is installed on Windows 98 and 
Windows 2000. It is not installed on Windows 95 and Windows NT 4 systems unless 
Internet Explorer version 5 has been installed.
Some news sources reported that the 
LoveLetter virus can be activated by simply reading the e-mail and without 
opening the virus attachment. But while there are other VBS viruses that can be 
activated by simply opening the e-mail, (such as the BubbleBoy and the KakWorm), 
most virus experts that have seen the LoveLetter source codes say that 
the LoveLetter virus can only be activated if the e-mail attachments are 
opened.




To protect your system from the LoveLetter Virus
The CERT Advisory offers the following 
solutions to prevent the LoveLetter virus from infecting your system 
(http://www.cert.org/advisories/CA-2000-04.html):
1. Update Your Anti-Virus Product
It is important for users to update 
their anti-virus software. Some anti-virus software vendors have released 
updated information, tools, or virus databases to help prevent and combat this 
worm. A list of vendor-specific anti-virus information can be found in Appendix 
A (listed below).
2. Disable Windows Scripting Host
Because the worm is written in VBS, it 
requires the Windows Scripting Host (WSH) to run. Disabling WSH prevents the 
worm from executing. For information about disabling WSH, see: 
http://www.sophos.com/support/faqs/wsh.html
This change may disable functionality 
the user desires. Exercise caution when implementing this 
solution.
3. Disable Active Scripting in Internet Explorer
Information about disabling active 
scripting in Internet Explorer can be found at: 
http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps
This change may disable functionality 
the user desires. Exercise caution when implementing this 
solution.
4. Disable Auto-DCC Reception in IRC Clients
Users of Internet Relay Chat (IRC) 
programs should disable automatic reception of files offered to them via 
DCC.
5. Filter the Worm in E-Mail
Sites can use email filtering 
techniques to delete messages containing subject lines known to contain the 
worm. The article listed at:
http://www.cert.org/advisories/CA-2000-04.html
offers some examples of how this can 
be implemented for sites running UNIX.
6. Exercise Caution When Opening Attachments
Exercise caution with attachments in 
email. Users should disable auto-opening or previewing of email attachments in 
their mail programs. Users should never open attachments from an untrusted 
origin, or that appear suspicious in any way.




Appendix A. Anti-Virus Vendor Information
Aladdin Knowledge Systems http://www.aks.com/home/csrt/valerts.asp
Command Software Systems, Inc. http://www.command.co.uk/html/virus/love.html
http://www.commandcom.com/virus/love.html
Computer Associates http://www.ca.com/virusinfo/virusalert.htm
F-Secure http://www.f-secure.com/download-purchase/updates.html
Finjan Software, Ltd. http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34
McAfee / Network Associates http://vil.nai.com/villib/dispVirus.asp?virus_k=98617
http://www.cert.org/advisories/CA-2000-04/nai.dat
Proland Software http://www.pspl.com/virus_info/worms/loveletter.htm
Sophos http://www.sophos.com/virusinfo/analyses/vbsloveleta.html
http://www.sophos.com/virusinfo/analyses/trojloveleta.html
Symantec http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
Trend Micro http://www.antivirus.com/vinfo




E-Mail Attachment Security Updates
Microsoft is strongly suggesting that 
the E-Mail Attachment Security Updates of the following Microsoft products be 
installed:
1. Outlook 97 http://officeupdate.microsoft.com/downloadDetails/O97attch.htm
2. Outlook 98 http://officeupdate.microsoft.com/downloadDetails/O98attch.htm
3. Outlook 2000 http://officeupdate.microsoft.com/2000/downloadDetails/O2Kattch.htm
According to Microsoft, the above 
updates will make it more difficult to inadvertently launch attachments. The 
updates provide a more explicit warning dialogue, and prevent attached 
executables from being launched directly from e-mails; instead, they must be 
saved to disk and launched as a separate step. The update also is included as 
part of Office 2000 SR1.




If you are already infected:
If your system is already infected by 
the LoveLetter virus, you will have plenty of help from the web in cleaning this 
virus. Be aware however that some of the LoveLetter cleaners being made 
available for free could have been developed for a system that is different than 
yours and might cause problems if implemented. A good place to find the right 
cleaner for your system is to ask at the alt.comp.virus newsgroup. This 
newsgroup can be accessed at DEJA.COM (http://www.deja.com/).
The following links (not tested and 
verified by the author) provide free cleanup utility programs to remove the 
virus from your system:
http://www.PlanetNetworks.com
http://www.rassoft.com/needafix/faq.html
http://www.isds.dk/fixlovebug.htm
http://www.wapydo.com/loveletter.htm
http://www.js-inc.com/
http://johncpratt.homepage.com/iloveyoucleaner.htm
http://www.symantec.com/avcenter/venc/data/fix.vbs.loveletter.html
For users of the Microsoft Exchange 
Server, Microsoft Product Support Services is offering a new utility called 
ISSCAN to remove the Love Letter virus and repair both the private and public 
information store. Refer to: http://support.microsoft.com/support/exchange/love_letter.htm.
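
The filtering in step 5 and the advice to open only JPG or GIF attachments can be enforced at the mail gateway rather than left to each reader. This is an added example, not part of the original notice or the CERT advisory: a Python attachment screen in which the function names, verdict strings and sample message are constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

ALLOWED_EXTS = {".jpg", ".jpeg", ".gif"}  # picture types the notice treats as safe to open
SCRIPT_EXTS = {".vbs"}                    # the worm is VBS and runs under WSH
BLOCKED_NAMES = {"navidad.exe"}           # attachment name called out in the notice

def classify_attachment(filename):
    """Return a verdict for one attachment name (verdict strings are illustrative)."""
    # Drop any path component, fold case, and strip the trailing dots/spaces
    # that Windows ignores when it resolves a file name.
    name = os.path.basename(filename.replace("\\", "/")).lower().rstrip(". ")
    ext = os.path.splitext(name)[1]  # last extension wins: "x.txt.vbs" -> ".vbs"
    if name in BLOCKED_NAMES:
        return "block: named in notice"
    if ext in SCRIPT_EXTS:
        return "block: WSH script"
    if ext in ALLOWED_EXTS:
        return "allow"
    return "quarantine: not an allowed picture type"

def screen_message(raw_bytes):
    """Parse a raw message and return [(filename, verdict)] for every attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [(part.get_filename(), classify_attachment(part.get_filename()))
            for part in msg.walk() if part.get_filename()]

def deliverable(raw_bytes):
    """Deliver only when every attachment is on the allow-list."""
    return all(verdict == "allow" for _, verdict in screen_message(raw_bytes))

def build_sample(filenames):
    """Constructed test message; addresses and attachment bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "member@example.org", "list@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    for fn in filenames:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fn)
    return m.as_bytes()

if __name__ == "__main__":
    sample = build_sample(["holiday.gif", "Greeting.TXT.vbs", "NAVIDAD.EXE", "notes.doc"])
    for name, verdict in screen_message(sample):
        print(f"{name:20} {verdict}")
```

Because the verdict is taken from the final extension, a name dressed up as a text file with a trailing .vbs is still blocked, and anything outside the picture allow-list is held rather than delivered.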





