|
PureBytes Links
Trading Reference Links
|
RT Members,
There has recently been a virus inadvertently sent by Ashok Garg, an RT
member called the Love Letter Virus. Message number 1354 has been deleted in
which this virus appeared. Those of you who get digest mode will not be affected
by this problem. Those who receive individual emails will only be affected if
they opened the attachment.
Mr. Garg's ability to post has been temporarily
suspended until he has cleaned his machine appropriately.
Also, while we are talking about viruses, there also appears
to be a resurgence of the NAVIDAD virus around this time of year as well.
DO NOT OPEN ANY MESSAGES WITH AN ATTACHMENT OF
NAVIDAD.EXE.
It is suggested not to open any attachments other
than JPG or GIF-type picture files unless you have virus protection in
place.
For more information on the Love Letter Virus, please read the
following text below.
Love Letter
Virus
Not just
Outlook
Because the virus is being propagated
via E-mail using Microsoft Outlook as the mailer program, some people have the
misconception that if they are not using Microsoft Outlook they will not catch
the virus. The truth of the matter is that you can still catch the virus even if
you are not using Microsoft Outlook if your system has the Windows Scripting
Host (WSH) installed. You will not, however, be able to pass the virus around by
e-mail if you do not use Outlook. By default, WSH is installed on Windows 98 and
Windows 2000. It is not installed on Windows 95 and Windows NT 4 systems unless
Internet Explorer version 5 has been installed.
Some news sources reported that the
LoveLetter virus can be activated by simply reading the e-mail and without
opening the virus attachment. But while there are other VBS virus that can be
activated by simply opening the e-mail, (such as the BubbleBoy and the KakWorm),
most virus experts that have seen the LoveLetter source codes say that
the LoveLetter virus can only be activated if the e-mail attachments are
opened.
To protect your system from the
LoveLetter Virus
The CERT Advisory offers the following
solutions to prevent the LoveLetter virus from infecting your system
(http://www.cert.org/advisories/CA-2000-04.html):
1. Update Your Anti-Virus
Product
It is important for users to update
their anti-virus software. Some anti-virus software vendors have released
updated information, tools, or virus databases to help prevent and combat this
worm. A list of vendor-specific anti-virus information can be found in Appendix
A (listed below).
2. Disable Windows Scripting
Host
Because the worm is written in VBS, it
requires the Windows Scripting Host (WSH) to run. Disabling WSH prevents the
worm from executing. For information about disabling WSH, see: <A
href="http://www.sophos.com/support/faqs/wsh.html";>http://www.sophos.com/support/faqs/wsh.html
This change may disable functionality
the user desires. Exercise caution when implementing this
solution.
3. Disable Active Scripting in
Internet Explorer
Information about disabling active
scripting in Internet Explorer can be found at: <A
href="http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps";>http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps
This change may disable functionality
the user desires. Exercise caution when implementing this
solution.
4. Disable Auto-DCC Reception in
IRC Clients
Users of Internet Relay Chat (IRC)
programs should disable automatic reception of files offered to them via
DCC.
5. Filter the Worm in
E-Mail
Sites can use email filtering
techniques to delete messages containing subject lines known to contain the
worm. The article at listed at:
<A
href="http://www.cert.org/advisories/CA-2000-04.html";>http://www.cert.org/advisories/CA-2000-04.html
offers some examples of how this can
be implemented for sites running UNIX.
6. Exercise Caution When Opening
Attachments
Exercise caution with attachments in
email. Users should disable auto-opening or previewing of email attachments in
their mail programs. Users should never open attachments from an untrusted
origin, or that appear suspicious in any way.
Appendix A. Anti-Virus Vendor
Information
Aladdin Knowledge Systems <A
href="http://www.aks.com/home/csrt/valerts.asp";>http://www.aks.com/home/csrt/valerts.asp
Command Software Systems, Inc.<A
href="http://www.command.co.uk/html/virus/love.html";>http://www.command.co.uk/html/virus/love.html
<A
href="http://www.commandcom.com/virus/love.html";>http://www.commandcom.com/virus/love.html
Computer Associates <A
href="http://www.ca.com/virusinfo/virusalert.htm";>http://www.ca.com/virusinfo/virusalert.htm
F-Secure <A
href="http://www.f-secure.com/download-purchase/updates.html";>http://www.f-secure.com/download-purchase/updates.html
Finjan Software, Ltd. <A
href="http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34";>http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34
McAfee / Network Associates <A
href="http://vil.nai.com/villib/dispVirus.asp?virus_k=98617";>http://vil.nai.com/villib/dispVirus.asp?virus_k=98617
<A
href="http://www.cert.org/advisories/CA-2000-04/nai.dat";>http://www.cert.org/advisories/CA-2000-04/nai.dat
Proland Software <A
href="http://www.pspl.com/virus_info/worms/loveletter.htm";>http://www.pspl.com/virus_info/worms/loveletter.htm
Sophos <A
href="http://www.sophos.com/virusinfo/analyses/vbsloveleta.html";>http://www.sophos.com/virusinfo/analyses/vbsloveleta.html<A
href="http://www.sophos.com/virusinfo/analyses/trojloveleta.html";>http://www.sophos.com/virusinfo/analyses/trojloveleta.html
Symantec <A
href="http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html";>http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
Trend Micro <A
href="http://www.antivirus.com/vinfo";>http://www.antivirus.com/vinfo
E-Mail Attachment Security
Updates
Microsoft is strongly suggesting that
the E-Mail Attachment Security Updates of the following Microsoft products be
installed:
1. Outlook 97 <A
href="http://officeupdate.microsoft.com/downloadDetails/O97attch.htm";>http://officeupdate.microsoft.com/downloadDetails/O97attch.htm
2. Outlook 98 <A
href="http://officeupdate.microsoft.com/downloadDetails/O98attch.htm";>http://officeupdate.microsoft.com/downloadDetails/O98attch.htm
3. Outlook 2000<A
href="http://officeupdate.microsoft.com/2000/downloadDetails/O2Kattch.htm";>http://officeupdate.microsoft.com/2000/downloadDetails/O2Kattch.htm
According to Microsoft, the above
updates will make it more difficult to inadvertently launch attachments. The
updates provide a more explicit warning dialogue, and prevent attached
executables from being launched directly from e-mails; instead, they must be
saved to disk and launched as a separate step. The update also is included as
part of Office 2000 SR1.
If you are already
infected:
If your system is already infected by
the LoveLetter virus, you will have plenty of help from the web in cleaning this
virus. Be aware however that some of the LoveLetter cleaners being made
available for free could have been developed for a system that is different than
yours and might cause problems if implemented. A good place to find the right
cleaner for your system is to ask at the alt.comp.virus newsgroup. This
newsgroup can be accessed at DEJA.COM (<A
href="http://www.deja.com/";>http://www.deja.com/).
The following links (not tested and
verified by the author) provide free cleanup utility programs to remove the
virus from your system:
<A
href="http://www.planetnetworks.com/";>http://www.PlanetNetworks.com
<A
href="http://www.rassoft.com/needafix/faq.html";>http://www.rassoft.com/needafix/faq.html
<A
href="http://www.isds.dk/fixlovebug.htm";>http://www.isds.dk/fixlovebug.htm
<A
href="http://www.wapydo.com/loveletter.htm";>http://www.wapydo.com/loveletter.htm
<A
href="http://www.js-inc.com/";>http://www.js-inc.com/
<A
href="http://johncpratt.homepage.com/iloveyoucleaner.htm";>http://johncpratt.homepage.com/iloveyoucleaner.htm
<A
href="http://www.symantec.com/avcenter/venc/data/fix.vbs.loveletter.html";>http://www.symantec.com/avcenter/venc/data/fix.vbs.loveletter.html
For users of the Microsoft Exchange
Server, Microsoft Product Support Services is offering a new utility called
ISSCAN to remove the Love Letter virus and repair both the private and public
information store. Refer to: <A
href="http://support.microsoft.com/support/exchange/love_letter.htm";>http://support.microsoft.com/support/exchange/love_letter.htm.
eGroups Sponsor
To unsubscribe from this group, send an email to:
realtraders-unsubscribe@xxxxxxxxxxx
|