|
|
|
|
|
|
|
|
|
||
|
|
||
|
Be a Commerce Partner |
Stopping the ILOVEYOU Virus at the Server
Members of the ISP-Tech list discuss how they are protecting customers from the rampant ILOVEYOU virus.
| [May 5, 2000] |
 |
Recently on the ISP-Tech list, J asked:
"What is everyone doing to try to combat the new "ILOVEYOU" virus out there? From what I've read there isn't a fix yet. Is this true?"
[RS had a solution for MS Exchange servers] "Here is a scan (free) that will scan all mailboxes for infection: LOVESCAN ASaP! http://www.mycio.com/asp_subscribe/ExchangeScan.asp
'SERVER PROTECTION: The I Love You virus is currently infecting millions of messages stored in your Exchange E-mail servers. These two utilities are the first and only solutions to clean your Exchange servers. LoveScan Downloads is a downloadable utility that you can run on your exchange message stores e-mails to detect and remove VBS/LOVELETTER worm. To use this downloadable utility, Unzip this file ExchScan.zip into a local directory. Log in on your exchange server as an administrator and launch the command line utility, exchscan.exe. This will scan all mailboxes in the message information store and remove infected messages.' "
[TW, on a UNIX system, replied] "Actually, there are lots of fixes and at least 5 different variants of the LoveLetter virus. Ugh! Here is what we have done: We use sendmail on a UNIX system. I am using a combination of AMaViS and Sophos Sweep to scan all incoming email. Sophos had a virus definition for the VBS/LoveLet.A before 7AM my time yesterday. I was able to apply that to my server before we received any love letter viruses. Our system stopped over 60 messages yesterday and we only have 500 mail accounts! None of our systems were infected. Additionally, I am using procmail for local mail delivery. I have added some procmail filters to look for and quarantine suspicious email attachments, including *.vbs attachments. Here are some resources:
- http://www.sophos.com
- http://www.amavis.org
- http://www.sendmail.org
- http://www.procmail.org
- ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
Let me know if you have any questions!"
[JM said] "Education is the first step. Yes there is/are fixes. Go to www.cert.org and search for ILOVEYOU."
[or see the CERT advisory, "CERTŪ Advisory CA-2000-04 Love Letter Worm"]
[We add] On the advice of our in-house tech gods, we looked up Symantec. Their press release describes the virus in general, and here is their detailed description of the virus:
http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
Basically, Symantec says, "This worm sends itself to email addresses in the Microsoft Outlook address book. It spreads itself via mIRC and infects files on local and remote drives including files with the following extensions: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp3, and .mp2. It also tries to download a password-stealing Trojan horse program from a Web site."
As of morning, May 5, Symantec reported the following two variants:
VBS.LoveLetter.B (Lithuania) email subject: "Susitikim shi vakara kavos puodukui..."
VBS.LoveLetter.C (Very Funny) email subject: "fwd: Joke" attachment name: "Very Funny.vbs"
And warn your customers!
Related Articles
"House
Call: Free Online Virus Scanning" from Internet
Product Watch
"Costly Virus Highlights Security Flaws" from CNBC.
CERT advisory, "CERTŪ Advisory CA-2000-04 Love Letter Worm"
The New York Times' latest article, "New Disguise for Computer Bug"
"Copycats of 'I Love You' Worm Spread" from internetnews.com
—End
ISP-Planet's
RSS feed
