Monday, December 1, 2008

NEWSFLASH LOVE LETTER VIRUS -A SIMPLE PROGRAM THAT ROCKS THE WORLD

(An in-depth report by Rey Q. Carolino, PHNO Technology writer)

CyberSpace, May 8, 2000 - Computer programmers around the world who have seen the source code of the LoveLetter virus are united in saying that it is such a simple program that even a 12-year-old with Visual Basic Scripting (VBS) knowledge could assemble it in a few hours. The virus took just over 300 lines of VBS code, and yet it proved to be a nightmare for a lot of network administrators around the world within the first 24 hours of its attack. Ironically, its simplicity probably contributed to its widespread distribution over the Net. Because of its brevity, the source code of the virus was easily passed on to other people through various Internet mailing lists and newsgroups and was quickly dissected and analyzed by copycat virus programmers. The first variant of the virus appeared in less than 24 hours. As of May 7, leading anti-virus software maker Symantec had discovered 12 variations of the LoveLetter virus (see list at the bottom).

Who actually wrote the virus is still undetermined at this time. Some reports point to a Filipina hacker, others point to a 27-year-old man who uses the online handle "Spyder", one report said the suspect is a 23-year-old man from the Pandacan neighborhood in Manila, another lead points to a 22-year-old student, and a prominent virus researcher concluded that the culprit is a German exchange student living in Australia.

Microsoft is the villain

Whoever wrote the virus seems to be irrelevant to a lot of people, who feel that the real villain in this worldwide drama is Microsoft. Microsoft took a lot of the heat on the issue because only systems running the Microsoft Windows Scripting Host (WSH) are vulnerable to the virus. Some computer experts say that this is a wake-up call for Microsoft to enhance the security of its operating system software and of the very popular Microsoft Outlook e-mail program.
Computers running other operating systems such as Linux and the Macintosh were not affected by the LoveLetter virus, and interest in other non-Microsoft mail programs, such as Eudora and Pegasus Mail, has increased since the virus was discovered last May 4. [The first UNIX variant of the virus was reported today by Norman, a firm dealing with data security (see http://www.norman.com/virus_info/vbs_loveletter.shtml).] Leo Wong wrote in the alt.comp.virus newsgroup: "That Microsoft fails to provide anything but a useless general warning in even the easiest cases (as with the 'LoveBug' script) and fails to protect the user's system and resources shows its disdain for computer security and borders on negligence."
More than one culprit?

The possibility of more than one person being involved in the spread of the LoveLetter virus is very likely, as there are two main elements of the virus, and each could have a different mastermind. The first element is the LoveLetter virus program itself, which can be passed on to computer systems through the opening of an e-mail attachment, through a one-on-one Internet Relay Chat session, or through the sharing of infected computer files with another system. The damage done by this part of the virus is the deletion of some files in the system (notably JPEG graphics and MP2 and MP3 multimedia files).

There is a second element of the virus, however, that could have given the author of the virus (and subsequent copycat writers) access to confidential password information from the infected system. This is done by using a password-stealer program that could have been created by a person who is not necessarily the author of the LoveLetter virus program. The program (called Win-Bugsfix.exe) was set to be downloaded from four different websites hosted by Sky Internet, an Internet Service Provider based in the Philippines. Jimmy Kuo, director of anti-virus research for McAfee, reported that this program resembles a "Trojan Horse" program named "Barok", which steals computer passwords and was written by a man in the Philippines last year. Once this program is transferred to the infected system, it will look for password information that the user of that system has stored there. For example, if you choose to save your password when you log on to your Internet account, or if you are entering a website that requires a password and you instruct your browser to remember your passwords, those passwords will be saved somewhere in your system, and those are the files the password-stealer program will hunt for.

If it finds them, they will be e-mailed to an account (probably belonging to the virus creator) hosted by Super.Net, a service provider in Manila and Cebu City in the Philippines that sells prepaid Internet access cards. What the virus creators would have done with those passwords is now pure speculation, because this part of the virus did not get very far. Sky Internet was alerted a few hours after the LoveLetter virus was first spotted on the loose, and it was quick to shut down the sites from which the password-stealer program was being downloaded. The majority of people who were infected by the virus after Sky Internet had closed those sites down were greeted instead by a notice from Sky Internet that their system had been infected by the LoveLetter virus. However, that did not last very long either, as Sky Internet was forced to shut down its servers completely several hours after the attack because of the heavy load that the virus had put on them. With the source of the password-stealer program deactivated, the virus was unable to steal the passwords of infected users as planned. And because the files deleted by the virus are not really significant, the damage done by this virus is restricted mainly to lost man-hours in containing the virus and fixing its damage, as well as the inability of users to access their systems until proper safeguards have been implemented.
Sky Internet claimed that the accounts from which the password-stealer was being downloaded were hacked by someone belonging to another Internet Service Provider in the Philippines, ImpactNet. Rodney Banzon Consunji, Director of Business Development of ImpactNet, sent an e-mail to their subscribers explaining that the hacker responsible for planting the password-stealer program at Sky Internet used a valid ImpactNet account belonging to an innocent subscriber whose computer was hacked, probably through the use of this password-stealer program. "Hacking Internet accounts is very common here in the Philippines," Consunji wrote. "We need to educate all Philippine Internet users about the reality of viruses and hacking. As we have seen, these hackers and viruses can wreak havoc globally in a small span of time. We encourage clients of all ISPs to ensure the security of their PCs by installing any known anti-virus and anti-trojan software."

Not just Outlook

Because the virus is propagated via e-mail using Microsoft Outlook as the mailer program, some people have the misconception that if they are not using Microsoft Outlook they will not catch the virus. The truth of the matter is that you can still catch the virus even if you are not using Microsoft Outlook, if your system has the Windows Scripting Host (WSH) installed. You will not, however, be able to pass the virus around by e-mail if you do not use Outlook. By default, WSH is installed on Windows 98 and Windows 2000. It is not installed on Windows 95 and Windows NT 4 systems unless Internet Explorer version 5 has been installed. Some news sources reported that the LoveLetter virus can be activated by simply reading the e-mail, without opening the virus attachment. But while there are other VBS viruses that can be activated by simply opening the e-mail (such as BubbleBoy and KakWorm), most virus experts who have seen the LoveLetter source code say that the LoveLetter virus can only be activated if the e-mail attachment is opened.

To protect your system from the LoveLetter virus

The CERT Advisory offers the following solutions to prevent the LoveLetter virus from infecting your system (http://www.cert.org/advisories/CA-2000-04.html):

1. Update Your Anti-Virus Product
It is important for users to update their anti-virus software. Some anti-virus software vendors have released updated information, tools, or virus databases to help prevent and combat this worm. A list of vendor-specific anti-virus information can be found in Appendix A (listed below).

2. Disable Windows Scripting Host
Because the worm is written in VBS, it requires the Windows Scripting Host (WSH) to run. Disabling WSH prevents the worm from executing. For information about disabling WSH, see: http://www.sophos.com/support/faqs/wsh.html
This change may disable functionality the user desires. Exercise caution when implementing this solution.

3. Disable Active Scripting in Internet Explorer
Information about disabling active scripting in Internet Explorer can be found at: http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps
This change may disable functionality the user desires. Exercise caution when implementing this solution.

4. Disable Auto-DCC Reception in IRC Clients
Users of Internet Relay Chat (IRC) programs should disable automatic reception of files offered to them via DCC.

5. Filter the Worm in E-Mail
Sites can use e-mail filtering techniques to delete messages containing subject lines known to carry the worm. The CERT advisory at http://www.cert.org/advisories/CA-2000-04.html offers some examples of how this can be implemented for sites running UNIX.

6. Exercise Caution When Opening Attachments
Exercise caution with attachments in e-mail. Users should disable auto-opening or previewing of e-mail attachments in their mail programs. Users should never open attachments from an untrusted origin, or that appear suspicious in any way.

Appendix A. Anti-Virus Vendor Information
Aladdin Knowledge Systems http://www.aks.com/home/csrt/valerts.asp
Command Software Systems, Inc. http://www.command.co.uk/html/virus/love.html http://www.commandcom.com/virus/love.html
Computer Associates http://www.ca.com/virusinfo/virusalert.htm
F-Secure http://www.f-secure.com/download-purchase/updates.html
Finjan Software, Ltd. http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34
McAfee / Network Associates http://vil.nai.com/villib/dispVirus.asp?virus_k=98617 http://www.cert.org/advisories/CA-2000-04/nai.dat
Proland Software http://www.pspl.com/virus_info/worms/loveletter.htm
Sophos http://www.sophos.com/virusinfo/analyses/vbsloveleta.html http://www.sophos.com/virusinfo/analyses/trojloveleta.html
Symantec http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
Trend Micro http://www.antivirus.com/vinfo

E-Mail Attachment Security Updates

Microsoft is strongly suggesting that the E-Mail Attachment Security Updates for the following Microsoft products be installed:
1. Outlook 97 http://officeupdate.microsoft.com/downloadDetails/O97attch.htm
2. Outlook 98 http://officeupdate.microsoft.com/downloadDetails/O98attch.htm
3. Outlook 2000 http://officeupdate.microsoft.com/2000/downloadDetails/O2Kattch.htm

According to Microsoft, the above updates will make it more difficult to inadvertently launch attachments. The updates provide a more explicit warning dialogue and prevent attached executables from being launched directly from e-mails; instead, they must be saved to disk and launched as a separate step. The update is also included as part of Office 2000 SR1.

If you are already infected:
If your system is already infected by the LoveLetter virus, you will have plenty of help from the web in cleaning this virus. Be aware, however, that some of the LoveLetter cleaners being made available for free could have been developed for a system that is different from yours and might cause problems if run. A good place to find the right cleaner for your system is to ask at the alt.comp.virus newsgroup. This newsgroup can be accessed at DEJA.COM (http://www.deja.com/). The following links (not tested and verified by the author) provide free cleanup utility programs to remove the virus from your system:
http://www.PlanetNetworks.com
http://www.rassoft.com/needafix/faq.html
http://www.isds.dk/fixlovebug.htm
http://www.wapydo.com/loveletter.htm
http://www.js-inc.com/
http://johncpratt.homepage.com/iloveyoucleaner.htm
http://www.symantec.com/avcenter/venc/data/fix.vbs.loveletter.html
For users of the Microsoft Exchange Server, Microsoft Product Support Services is offering a new utility called ISSCAN to remove the Love Letter virus and repair both the private and public information store. Refer to: http://support.microsoft.com/support/exchange/love_letter.htm.
All the programs above will remove the virus from your system, but you will be unable to recover the files that the virus deleted. If you need to recover those files, Ontrack has developed Easy Recovery software (USD 50) that will help you recover the JPEG, JPG, MP3 and MP2 files on Win95, Win98 and WinNT systems that the LoveLetter virus deletes. This software can be downloaded at: http://www.ontrack.com/easyrecovery/worm.asp
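CERT's steps 5 and 6 above recommend filtering the worm at the mail gateway by subject line and by attachment. The following is an added example, not code from the article or from CERT, of such a filter written with Python's standard library; the blocked-subject list, the sample messages and the placeholder attachment contents are constructed for the demonstration ("ILOVEYOU" is the widely reported subject of the original worm, and the file extensions are those the Windows Scripting Host executes).

```python
import email
from email import policy
from email.message import EmailMessage

# File extensions the Windows Scripting Host runs when a user double-clicks them.
WSH_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}

# Subject lines a site decides to drop (CERT step 5). "ILOVEYOU" is the widely
# reported subject of the original worm; a site would extend this from its
# anti-virus vendor's variant list. Constructed sample, compared case-insensitively.
BLOCKED_SUBJECTS = {"iloveyou"}


def attachment_findings(msg: EmailMessage) -> list:
    """Return one finding per attachment that WSH would execute (CERT step 6)."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        if len(pieces) < 2 or pieces[-1] not in WSH_EXTENSIONS:
            continue
        # A double extension such as NAME.TXT.vbs hides the script suffix in mail
        # clients that show only the first extension, so it is flagged separately.
        kind = "double-extension script" if len(pieces) > 2 else "script"
        findings.append(f"{kind} attachment: {name}")
    return findings


def classify(raw: bytes) -> list:
    """Parse a raw RFC 822 message and list the reasons it should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in BLOCKED_SUBJECTS:
        reasons.append(f"blocked subject: {msg['Subject']}")
    reasons.extend(attachment_findings(msg))
    return reasons


def build_sample(subject: str, filename: str) -> bytes:
    """Construct a test message carrying a harmless placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")  # constructed body text
    msg.add_attachment(b"' constructed placeholder, not the worm\r\n",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                        ("quarterly report", "report.pdf")]:
        print(subj, fname, "->", classify(build_sample(subj, fname)) or "clean")
```

A real gateway would feed `classify` each incoming message and quarantine anything that returns a non-empty list; the attachment check catches variants that change the subject line but still ship a WSH script.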
List of known LoveLetter variants as of May 7, 2000 from the Symantec website (http://www.symantec
