[Esa-l] Email worm warning: ILOVEYOU.vbs
John D. Hardin
jhardin at wolfenet.com
Thu May 4 13:52:51 PDT 2000
I suppose most of you have heard about this by now.
Please add "*.vbs" to your poisoned executables list if you haven't
already. This will prevent propagation of the ILOVEYOU worm. The
poisoned executables list is not case sensitive.
The HTML file included within it is also effectively defanged by the
executable-HTML mangler.
If you are running an HTTP proxy you may also want to block the
following URLs:
www.skyinet.net/~young1s
www.skyinet.net/~angelcat
www.skyinet.net/~koichi
www.skyinet.net/~chu
They appear within the worm, and may be alternate methods of
propagation or extra attack payloads. IMPORTANT NOTE: the above URLs
are not complete, so you'll have to do a regex match. The full URLs
are rather long, but I think it's safe to assume the above accounts
are compromised so *no* content from them should be trusted.
The current version of the Procmail Email Sanitizer is 1.102
It is available via:
US: ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
EU: ftp://kanon.net/pub/jhardin/antispam/procmail-security.html
From the Rave Reviews department:
On Thu, 4 May 2000, Thomas Paquet wrote:
> The best security-based filter I have come across (for a very
> simple solution to e-mail based virii) is:
>
> http://www.wolfenet.com/~jhardin/procmail-security.html
>
> It allows you to block a list of executables and/or filenames
> which may arrive as an attachment. We successfully blocked the
> ILOVEYOU today without knowing about it. We block all .VBS files
> as possible malicious code in our "poisoned" file list.
>
> Thank god for Mr. Hardin's script....
All I can say is: Thanks! That's why I did this.
--
John Hardin KA7OHZ ICQ#15735746 http://www.wolfenet.com/~jhardin/
jhardin at wolfenet.com pgpk -a finger://gonzo.wolfenet.com/jhardin
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Your mouse has moved. Windows NT must be restarted for the change
to take effect. Reboot now? [ OK ]
-----------------------------------------------------------------------
178 days until Daylight Savings Time ends
Return-Path: <owner-esa-l at spconnect.com>
Delivered-To: esa-l at spconnect.com
Received: from lariat.lariat.org (unknown [206.100.185.2])
by merlin.spconnect.com (Postfix) with SMTP id ED3C18F026
for <esa-l at spconnect.com>; Thu, 4 May 2000 14:06:31 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org at lariat.org [12.23.109.2])
by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id PAA06946;
Thu, 4 May 2000 15:06:24 -0600 (MDT)
Message-Id: <4.3.1.2.20000504150342.04144100 at localhost>
X-Sender: brett at localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
Date: Thu, 04 May 2000 15:06:16 -0600
To: "John D. Hardin" <jhardin at wolfenet.com>,
Email Security Announce list <esa-l at spconnect.com>
From: Brett Glass <brett at lariat.org>
Subject: Re: [Esa-l] Email worm warning: ILOVEYOU.vbs
Cc: spamtools at abuse.net
In-Reply-To: <Pine.LNX.4.10.10005041341060.5320-100000 at gypsy.rubyriver.c
om>
References: <4.3.1.2.20000504114417.00b78960 at mail.ciholding.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: esa-l-admin at spconnect.com
Errors-To: esa-l-admin at spconnect.com
X-BeenThere: esa-l at spconnect.com
X-Mailman-Version: 2.0beta2
Precedence: bulk
List-Id: Email Security <esa-l.spconnect.com>
On Thu, 4 May 2000, Thomas Paquet wrote:
> The best security-based filter I have come across (for a very
> simple solution to e-mail based virii) is:
>
> http://www.wolfenet.com/~jhardin/procmail-security.html
>
> It allows you to block a list of executables and/or filenames
> which may arrive as an attachment. We successfully blocked the
> ILOVEYOU today without knowing about it. We block all .VBS files
> as possible malicious code in our "poisoned" file list.
>
> Thank god for Mr. Hardin's script....
I've gotta second that. We use a modified version of John's script
with a few of our own filters added. I woke up this morning to
find more than a dozen blocked messages -- all the "Barney Trojan" --
in the postmaster queue. John's code had stopped them from reaching
their targets.
--Brett Glass
"You're not just e-mailing her, you're e-mailing anyone she's ever
e-mailed."
-- Dayton Daily News Cartoonist Mike Peters on the "Melissa virus"
Return-Path: <owner-esa-l at spconnect.com>
Delivered-To: esa-l at spconnect.com
Received: from hirs.brooks.af.mil (msa1835.brooks.af.mil [140.140.180.35])
by merlin.spconnect.com (Postfix) with SMTP id 7C9B38F026
for <esa-l at spconnect.com>; Thu, 4 May 2000 14:40:06 -0700 (PDT)
Received: from hirs.brooks.af.mil by hirs.brooks.af.mil (SMI-8.6/SMI-SVR4)
id QAA04510; Thu, 4 May 2000 16:39:28 -0500
Message-ID: <3911ED1A.735C5EB4 at hirs.brooks.af.mil>
Date: Thu, 04 May 2000 16:35:22 -0500
From: David Patterson <dpatters at hirs.brooks.af.mil>
Reply-To: dpatters at hirs.brooks.af.mil
X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: esa-l at spconnect.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: [Esa-l] Problem with the procmail defang deal
Sender: esa-l-admin at spconnect.com
Errors-To: esa-l-admin at spconnect.com
X-BeenThere: esa-l at spconnect.com
X-Mailman-Version: 2.0beta2
Precedence: bulk
List-Id: Email Security <esa-l.spconnect.com>
'Aloo,
I have 2 sendmail boxen. One is linux with the latest version of
sendmail. The other is Solaris 5.6 and sendmail 8.6.x. I have the
Sanitizing kit on both boxen. On the linux box, everything is peachy.
Unfortunately, the sun box is being...testy. It will rename a file (for
example, .vbs to -vbs), however, the message gets through. No email is
sent to the administrator like on the linux box. No warning email is
sent to the user like on the linux box. The name just get 'DEFANGED'
and renamed a bit. How do I fix this? I have check and double checked
just about everything. Any pointers would be great.
--
David Patterson
Unix/Linux Administrator
Health Information Resources Service (HIRS)
HQ AFMSA/SGSJH (HIRS)
2510 Kennedy Circle Ste. 208
Brooks AFB TX 78235-5121
210-536-2694
Return-Path: <owner-esa-l at spconnect.com>
Delivered-To: esa-l at spconnect.com
Received: from lariat.lariat.org (lariat.org [12.23.109.2])
by merlin.spconnect.com (Postfix) with SMTP id B91C78F026
for <esa-l at spconnect.com>; Fri, 5 May 2000 22:59:52 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org at lariat.org [12.23.109.2])
by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id XAA24204;
Fri, 5 May 2000 23:59:30 -0600 (MDT)
Message-Id: <4.3.1.2.20000505235009.043b8b30 at localhost>
X-Sender: brett at localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
Date: Fri, 05 May 2000 23:57:05 -0600
To: "John D. Hardin" <jhardin at wolfenet.com>,
Email Security Announce list <esa-l at spconnect.com>
From: Brett Glass <brett at lariat.org>
In-Reply-To: <Pine.LNX.4.10.10005041341060.5320-100000 at gypsy.rubyriver.c
om>
References: <4.3.1.2.20000504114417.00b78960 at mail.ciholding.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: [Esa-l] Additional extensions for "poisoned" executables file
Sender: esa-l-admin at spconnect.com
Errors-To: esa-l-admin at spconnect.com
X-BeenThere: esa-l at spconnect.com
X-Mailman-Version: 2.0beta2
Precedence: bulk
List-Id: Email Security <esa-l.spconnect.com>
In a recent message, John mentioned adding "*.vbs" to one's "poisoned
executables" file to get rid of the ILOVEYOU worm (which we've been calling
the "Barney bug"). You may also want to add the following additional
extensions:
*.chm
*.hlp
*.hta
*.shs
*.vbs
*.vbe
*.wsf
*.wsh
The last three of these were not in the sample file last time I checked,
and could be use to slip by the filter. So far, all of the instances of the
bug we've seen had script files whose extension
was .vbs.
--Brett Glass
"You're not just e-mailing her, you're e-mailing anyone she's ever
e-mailed."
-- Dayton Daily News Cartoonist Mike Peters on the "Melissa virus"
Return-Path: <owner-esa-l at spconnect.com>
Delivered-To: esa-l at spconnect.com
Received: from klingon.netkonect.net (klingon.netkonect.co.uk [194.62.44.61])
by merlin.spconnect.com (Postfix) with SMTP id DE3718F027
for <esa-l at spconnect.com>; Fri, 5 May 2000 01:40:20 -0700 (PDT)
Received: from fredo1.fredo.co.uk (homepageuk.netkonect.co.uk [194.164.43.140])
by klingon.netkonect.net (8.9.3+Sun/8.9.3) with ESMTP id JAA06065;
Fri, 5 May 2000 09:41:55 +0100 (BST)
Received: (from mail at localhost)
by fredo1.fredo.co.uk (8.9.3/8.9.3) id JAA00304;
Fri, 5 May 2000 09:32:54 +0100
Message-Id: <200005050832.JAA00304 at fredo1.fredo.co.uk>
X-Authentication-Warning: fredo1.fredo.co.uk: mail set sender to <markjt at fredo.co.uk> using -f
Received: from fredom.fredo.co.uk(10.0.0.3) by fredo1.fredo.co.uk via smap (V2.1)
id xma000302; Fri, 5 May 00 09:32:43 +0100
From: "Mark Tiramani" <markjt at fredo.co.uk>
Organization: FREDO
To: "John D. Hardin" <jhardin at wolfenet.com>,
Email Security Announce list <esa-l at spconnect.com>
Date: Fri, 5 May 2000 09:40:05 +0100
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: [Esa-l] Email worm warning: ILOVEYOU.vbs
Reply-To: markjt at fredo.co.uk
Priority: normal
In-reply-to: <4.3.1.2.20000504150342.04144100 at localhost>
References: <Pine.LNX.4.10.10005041341060.5320-100000 at gypsy.rubyriver.c om>
X-mailer: Pegasus Mail for Win32 (v3.12b)
Sender: esa-l-admin at spconnect.com
Errors-To: esa-l-admin at spconnect.com
X-BeenThere: esa-l at spconnect.com
X-Mailman-Version: 2.0beta2
Precedence: bulk
List-Id: Email Security <esa-l.spconnect.com>
I must chip in and thank John as well on behalf of two local government
authorities over here (UK) that were protected by John's filters yesterday.
A third authority that relies on NT + commercial virus scanning was hit.....
> On Thu, 4 May 2000, Thomas Paquet wrote:
>
> > The best security-based filter I have come across (for a very
> > simple solution to e-mail based virii) is:
> >
> > http://www.wolfenet.com/~jhardin/procmail-security.html
>
> I've gotta second that. We use a modified version of John's script
> with a few of our own filters added. I woke up this morning to
Mark
Mark Tiramani
FREDO Internet Services
markjt at fredo.co.uk
More information about the esd-l
mailing list