Just FYI :)

---------------------- Forwarded by WARSONO/MIS/UNITED_TRACTORS on 05/05/2000
01:26 PM ---------------------------
                                                                 
                                                                 
                                                                 





One final update for the day. It seems a couple of variations of the worm
are going around. At least one uses a subject line of "Joke" or "fw: Joke"
and the attachment is called VeryFunny.vbs. Thanks to Patrick Cantwell
<[EMAIL PROTECTED]> and Mitchell Patenaude <[EMAIL PROTECTED]> for pointing
this out.

At least in some instances it seems tabs in the virus code have been
changed to spaces. That means the code looks the same but it's not.
Some antivirus products may be fooled by this. Trend Micro Interscan for
mail servers, Solaris version, seems to be affected. Thanks to
Brett Dikeman <[EMAIL PROTECTED]> for pointing this out.

A VB script to disinfect your system is available at
http://www.thepope.org/fix.vbs. It seems to do a good job
but I think it misses a number of extensions like js, jse, css, sct, hta,
jpg, jpeg and wsh.

Matt Davis <[EMAIL PROTECTED]> points out that you can modify
John D. Hardin's procmail filters to stop the worm. You can find them
at ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html

Adele Shakal <[EMAIL PROTECTED]> had a few tips.

Sendmail.com has a rule to filter the worm based on the subject header
at http://www2.sendmail.com/loveletter. It works with Sendmail 8.9
and newer. You should probably add "Joke" to the subject lines it
scans for.

If you are a Postfix user you can stop the virus by doing the
following:

* Make sure your version of postfix supports the header_checks directive.
* Add the line "header_checks = regexp:/etc/postfix/header_checks"
  to your main.cf file.
* Create a /etc/postfix/header_checks file with a line of:
     /^Subject:.*ILOVEYOU/ REJECT
  or better yet
     /Content.*\.vbs/ REJECT
* Execute "postfix reload".

For Exchange, Steve Willocks <[EMAIL PROTECTED]> recommends
Mail essentials for Exchange/SMTP. It's a commercial product that
you configure to block messages based on types of attachments or
keyword matches among other features. You can find it at
http://www.gfi.com/mesindex.htm

CERT has a small summary of the outbreak at
http://www.cert.org/current/current_activity.html#loveletter

More antivirus updates:

Aladdin:    http://www.aks.com/home/csrt/valerts.asp
CA:         http://www.ca.com/virusinfo/virusalert.htm
DrSolomon:  http://www.drsolomons.com/home/extra.zip
F-Secure:   http://www.f-secure.com/download-purchase/updates.html
Finjan:     http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34
McAfee:     http://download.mcafee.com/extrafiles/love-4.zip
NAI:        http://vil.nai.com/villib/dispVirus.asp?virus_k=98617
Proland:    http://www.pspl.com/virus_info/worms/loveletter.htm
Sophos:     http://www.sophos.com/virusinfo/analyses/vbsloveleta.html
Sophos:     http://www.sophos.com/virusinfo/analyses/trojloveleta.html
Symantec:   http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
TrendMicro: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER-O

spiff <[EMAIL PROTECTED]> relates that pop3d on OpenBSD seems to reject the
infected messages with an error message of "Attachment Corrupted", thus
their users are not affected.

Michael Damm <[EMAIL PROTECTED]> seems to think that Norton
Antivirus stops the worm without the latest update. It seems Norton
confuses the virus with VBS.BubbleBoy and stops it. His virus
definition file is 135 days old. Go figure.

Dan Stromberg <[EMAIL PROTECTED]> has developed a Python script
that removes the virus from a set of mbox-formatted mail files. It's
attached. It replaces the infected message with a warning that indicates
who sent the mail. Use at your own risk.

If you use Content-length, this program could mess up your mailbox.
Content-length usage is indicated, I believe, by the "v" option on
your local ("Mlocal" line) mail delivery agent in sendmail.cf.
Please consider the program copylefted.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
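
Added example, not part of the original message and not Postfix code: a Python check of the two header_checks patterns listed above against constructed sample messages, showing that the subject rule misses the "Joke" / VeryFunny.vbs variant while the attachment-name rule still rejects it. It assumes the patterns are matched case-insensitively against each unfolded header line, MIME part headers included (current Postfix defaults mime_header_checks to header_checks); the helper names and sample addresses are hypothetical.

```python
import re
from email import message_from_string

# The two patterns from the header_checks file above. Postfix regexp tables
# match case-insensitively by default, hence re.IGNORECASE.
SUBJECT_RULE = re.compile(r"^Subject:.*ILOVEYOU", re.IGNORECASE)
CONTENT_RULE = re.compile(r"Content.*\.vbs", re.IGNORECASE)


def logical_headers(raw):
    """Yield every header of the message and of its MIME parts as a single
    unfolded 'Name: value' line, the unit a header check is matched against."""
    for part in message_from_string(raw).walk():
        for name, value in part.items():
            yield f"{name}: {' '.join(value.split())}"


def verdict(raw, rules):
    """Return the first header line that a rule rejects, or None to accept."""
    for line in logical_headers(raw):
        if any(rule.search(line) for rule in rules):
            return line
    return None


def build(subject, filename):
    """Constructed sample: a two-part MIME message with one attachment."""
    return (
        f"From: sender@example.com\nTo: rcpt@example.com\nSubject: {subject}\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nsee attachment\n"
        "--b1\nContent-Type: application/octet-stream;\n"
        f'\tname="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        "(attachment body omitted)\n--b1--\n"
    )


if __name__ == "__main__":
    for subject, filename in [("ILOVEYOU", "sample.vbs"),
                              ("fw: Joke", "VeryFunny.vbs"),
                              ("minutes", "notes.txt")]:
        msg = build(subject, filename)
        print(subject, "| subject rule:", verdict(msg, [SUBJECT_RULE]),
              "| content rule:", verdict(msg, [CONTENT_RULE]))
```

The content rule matches any header line containing "Content" followed later by ".vbs", so it also rejects legitimate mail that carries a .vbs attachment.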




