Just FYI :)

---------------------- Forwarded by WARSONO/MIS/UNITED_TRACTORS on 05/05/2000 01:26 PM ---------------------------

One final update for the day.

It seems a couple of variations of the worm are going around. At least one uses a subject line of "Joke" or "fw: Joke" and the attachment is called VeryFunny.vbs. Thanks to Patrick Cantwell <[EMAIL PROTECTED]> and Mitchell Patenaude <[EMAIL PROTECTED]> for pointing this out.

At least in some instances it seems tabs in the virus code have been changed to spaces. That means the code looks the same but it's not. Some antivirus products may be fooled by this. Trend Micro Interscan for mail servers, Solaris version, seems to be affected. Thanks to Brett Dikeman <[EMAIL PROTECTED]> for pointing this out.

A VB script to disinfect your system is available at http://www.thepope.org/fix.vbs. It seems to do a good job but I think it misses a number of extensions like js, jse, css, sct, hta, jpg, jpeg and wsh.

Matt Davis <[EMAIL PROTECTED]> points out that you can modify John D. Hardin's procmail filters to stop the worm. You can find them at ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html

Adele Shakal <[EMAIL PROTECTED]> had a few tips. Sendmail.com has a rule to filter the worm based on the subject header at http://www2.sendmail.com/loveletter. It works with Sendmail 8.9 and newer. You should probably add "Joke" to the subject lines it scans for.

If you are a Postfix user you can stop the virus by doing the following:

* Make sure your version of postfix supports the header_checks directive.
* Add the line "header_checks = regexp:/etc/postfix/header_checks" to your main.cf file.
* Create a /etc/postfix/header_checks file with a line of:
      /^Subject:.*ILOVEYOU/ REJECT
  or better yet
      /Content.*\.vbs/ REJECT
* Execute "postfix reload".

For Exchange Steve Willocks <[EMAIL PROTECTED]> recommends Mail essentials for Exchange/SMTP.
It's a commercial product that you configure to block messages based on types of attachments or keyword matches among other features. You can find it at http://www.gfi.com/mesindex.htm

CERT has a small summary of the outbreak at http://www.cert.org/current/current_activity.html#loveletter

More antivirus updates:

Aladdin: http://www.aks.com/home/csrt/valerts.asp
CA: http://www.ca.com/virusinfo/virusalert.htm
DrSolomon: http://www.drsolomons.com/home/extra.zip
F-Secure: http://www.f-secure.com/download-purchase/updates.html
Finjan: http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34
McAfee: http://download.mcafee.com/extrafiles/love-4.zip
NAI: http://vil.nai.com/villib/dispVirus.asp?virus_k=98617
Proland: http://www.pspl.com/virus_info/worms/loveletter.htm
Sophos: http://www.sophos.com/virusinfo/analyses/vbsloveleta.html
Sophos: http://www.sophos.com/virusinfo/analyses/trojloveleta.html
Symantec: http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
TrendMicro: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_LOVELETTER-O

spiff <[EMAIL PROTECTED]> relates that pop3d on OpenBSD seems to reject the infected messages with an error message of "Attachment Corrupted", thus their users are not affected.

Michael Damm <[EMAIL PROTECTED]> seems to think that Norton Antivirus stops the worm without the latest update. It seems Norton confuses the virus with VBS.BubbleBoy and stops it. His virus definition file is 135 days old. Go figure.

Dan Stromberg <[EMAIL PROTECTED]> has developed a Python script that removes the virus from a set of mbox-formatted mail files. It's attached. It replaces the infected message with a warning that indicates who sent the mail. Use at your own risk. If you use Content-length, this program could mess up your mailbox. Content-length usage is indicated, I believe, by the "v" option on your local ("Mlocal" line) mail delivery agent in sendmail.cf. Please consider the program copylefted.
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

* Gunadarma Mailing List -----------------------------------------------
* Archives : http://milis-archives.gunadarma.ac.id
* Subscribe : Send a blank email to [EMAIL PROTECTED]
* Unsubscribe : Send a blank email to [EMAIL PROTECTED]
* Administrator: [EMAIL PROTECTED]
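
An added example, not Dan Stromberg's script and not part of the forwarded message: the mbox clean-up described above, replacing any message that carries a .vbs attachment with a warning naming the sender. The sample mailbox, the addresses and the function names are constructed for illustration.

```python
import mailbox

BLOCKED_EXT = (".vbs",)  # attachment type named in the message above
# Constructed sample mailbox: one clean message, one "Joke" variant whose
# attachment name is upper-cased to exercise case-insensitive matching.
SAMPLE_MBOX = (
    "From alice@example.com Fri May  5 12:00:00 2000\n"
    "From: alice@example.com\nSubject: lunch\n\nnoon?\n\n"
    "From bob@example.com Fri May  5 13:00:00 2000\n"
    "From: bob@example.com\nSubject: fw: Joke\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nsee attached\n"
    '--b1\nContent-Disposition: attachment; filename="VeryFunny.VBS"\n\n'
    "placeholder text, not script code\n--b1--\n\n"
)

def has_blocked_attachment(msg):
    """True if any MIME part has a filename ending in a blocked extension."""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower().endswith(BLOCKED_EXT):
            return True
    return False

def warning_for(msg):
    """Replacement message: envelope and main headers kept, body names the sender."""
    out = mailbox.mboxMessage()
    out.set_from(msg.get_from())
    for header in ("From", "To", "Date"):
        if msg[header]:
            out[header] = msg[header]
    out["Subject"] = "[REMOVED] " + (msg["Subject"] or "")
    out.set_payload("Removed a .vbs attachment sent by %s.\n" % msg["From"])
    return out

def scrub_mbox(path):
    """Replace flagged messages in place; return the senders that were flagged."""
    box = mailbox.mbox(path)
    flagged = []
    try:
        box.lock()  # keep the delivery agent from writing while we rewrite
        for key in box.keys():
            msg = box[key]
            if has_blocked_attachment(msg):
                flagged.append(msg["From"])
                box[key] = warning_for(msg)
        box.flush()
    finally:
        box.close()
    return flagged
```

The replacement is built from scratch, so no Content-Length header from the removed message is carried into the rewritten mailbox.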