Bugtraq mailing list archives
Re: IL0VEY0U worm
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Thu, 4 May 2000 12:15:50 -0700
Some further comments.

Jose Nazario <jose () biocserver BIOC CWRU Edu> has been kind enough to put up a ruleset for sendmail 8.9.x and 8.10.x that stops messages with "ILOVEYOU" in the subject file. You can find it at:

http://biocserver.cwru.edu/~jose/iloveyouhack.txt

Mike Iglesias <iglesias () draco acs uci edu> and "Frasnelli, Dan" <dfrasnel () corewar com> pointed out I had a typo. The executable file name is WIN-BUGSFIX.exe, not WIN-BUGFIX.exe.

Zoa_Chien <zoa_chien () iname com> points out that the WIN-BUGSFIX.exe program connects to the SMTP server at 199.108.232.1 port 25 to send out its email message. You should block the address at your firewall. The message looks as follows:

    To: mailme () super net ph
    Subject: Barok... email.passwords.sender.trojan
    X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
    Host: kakker
    Username: Default
    IP Address: 10.67.101.123
    RAS Passwords:
    Cache Passwords:
    BLABLA\MPM: xxx
    BJORN\MUSIC: xxx
    TOM\SHARED: xxx
    TOM2\MP3: xxx
    www.server.com/: xxx:xxx
    MAPI: MAPI

where all xxx's stand for plaintext usernames and passwords of SMB shares in the subnet.

CERT is trying to determine the scope of the worm infection. They are asking people that run into the worm to email cert () cert org with a subject line of "CERT#35894" and report the incident.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
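An added example, not part of the original post or of the sendmail ruleset it links to: a Python check that a mail gateway could run on outbound messages, using only the indicators quoted above (the "ILOVEYOU" subject string, the Barok Subject/X-Mailer text, and the 199.108.232.1 SMTP server). The function name, the indicator labels, the dest_ip input and the sample messages are constructed for illustration.

```python
import email
import re
from email import policy

# Indicators quoted in the post above.
SUBJECT_RE = re.compile(r"ILOVEYOU", re.IGNORECASE)
BAROK_RE = re.compile(r"Barok.*email\.passwords\.sender\.trojan", re.IGNORECASE)
RELAY_IP = "199.108.232.1"  # SMTP server the post says WIN-BUGSFIX.exe connects to


def indicators(raw_message, dest_ip=None):
    """Return the names of the indicators matched by one outbound message.

    dest_ip is the SMTP peer address, assumed to come from a gateway or
    firewall log (hypothetical input, not defined by the post).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    # policy.default unfolds headers and decodes RFC 2047 encoded-words,
    # so an encoded or folded subject is matched on its decoded text.
    subject = str(msg.get("Subject", ""))
    mailer = str(msg.get("X-Mailer", ""))
    hits = []
    if SUBJECT_RE.search(subject):
        hits.append("subject-iloveyou")
    if BAROK_RE.search(subject) or BAROK_RE.search(mailer):
        hits.append("barok-header")
    if dest_ip == RELAY_IP:
        hits.append("relay-ip")
    return hits


# Constructed sample messages (not captured traffic).
BAROK_REPORT = (
    "To: mailme () super net ph\n"  # address kept as the archive prints it
    "Subject: Barok... email.passwords.sender.trojan\n"
    "X-Mailer: Barok... email.passwords.sender.trojan---by: spyder\n"
    "\n"
    "Host: kakker\nUsername: Default\n"
)
ENCODED_SUBJECT = "Subject: =?utf-8?b?SUxPVkVZT1U=?=\n\nbody\n"
LIST_REPLY = "Subject: Re: ILOVEYOU worm\n\nSome further comments.\n"
ORDINARY = "Subject: Meeting at 10\nX-Mailer: ExampleMailer 1.0\n\nSee you.\n"

if __name__ == "__main__":
    samples = [("barok", BAROK_REPORT, RELAY_IP), ("encoded", ENCODED_SUBJECT, None),
               ("reply", LIST_REPLY, None), ("ordinary", ORDINARY, "192.0.2.25")]
    for name, raw, ip in samples:
        print(name, indicators(raw, ip))
```

The subject match also fires on the constructed `Re: ILOVEYOU worm` reply, so a subject-only rule catches discussion of the worm as well as the worm's own mail.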