Bugtraq mailing list archives

Re: IL0VEY0U worm


From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Thu, 4 May 2000 12:15:50 -0700


Some further comments.

Jose Nazario <jose () biocserver BIOC CWRU Edu> has been kind enough to
put up a ruleset for sendmail 8.9.x and 8.10.x that stops messages with
"ILOVEYOU" in the subject field. You can find it at:
http://biocserver.cwru.edu/~jose/iloveyouhack.txt

Mike Iglesias <iglesias () draco acs uci edu> and
"Frasnelli, Dan" <dfrasnel () corewar com> pointed out I had a
typo. The executable file name is WIN-BUGSFIX.exe, not WIN-BUGFIX.exe.

Zoa_Chien <zoa_chien () iname com> points out that the WIN-BUGSFIX.exe
program connects to the SMTP server at 199.108.232.1 port 25 to
send out its email message. You should block the address at your
firewall. The message looks as follows:

To: mailme () super net ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder

Host: kakker
Username: Default
IP Address: 10.67.101.123

RAS Passwords:

Cache Passwords:

BLABLA\MPM: xxx
BJORN\MUSIC: xxx
TOM\SHARED: xxx
TOM2\MP3: xxx
www.server.com/: xxx:xxx
MAPI: MAPI

where all xxx's stand for plaintext usernames and passwords of SMB shares
in the subnet.

CERT is trying to determine the scope of the worm infection. They are
asking people that run into the worm to email cert () cert org with a
subject line of "CERT#35894" and report the incident.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
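As an added illustration of the indicators in the post above (this is not part of Elias Levy's message, nor the sendmail ruleset it links to): a small Python helper that flags the three things the post describes from a defender's side. It checks inbound mail for an "ILOVEYOU" subject (what the sendmail ruleset blocks) and for a WIN-BUGSFIX.exe attachment, recognises the trojan's own outbound "Barok..." report so the infected sender can be identified from the Host/IP lines, and scans firewall log lines for hosts that connected to 199.108.232.1 port 25. The sample messages and the "src:port -> dst:port" log format are constructed for the example; adapt the regex to whatever your firewall actually writes.

```python
import re
from email import message_from_string
from email.message import Message

# Indicators taken from the post (the only page-specific values used here).
WORM_SUBJECT_MARKER = "ILOVEYOU"
TROJAN_ATTACHMENT = "WIN-BUGSFIX.exe"
TROJAN_MAILER_MARKER = "Barok..."
EXFIL_SMTP_SERVER = ("199.108.232.1", 25)


def classify_message(raw: str) -> dict:
    """Return worm-related findings for one RFC 822 message string.

    - worm_subject: subject contains ILOVEYOU (what the sendmail ruleset stops)
    - trojan_attachment: a part named WIN-BUGSFIX.exe is attached
    - exfil_report: the message *is* the trojan's password report, which means
      the sending host is already infected; the victim fields are extracted.
    """
    msg = message_from_string(raw)
    findings = {"worm_subject": False, "trojan_attachment": False,
                "exfil_report": None}

    if WORM_SUBJECT_MARKER in msg.get("Subject", "").upper():
        findings["worm_subject"] = True

    for part in msg.walk():
        if (part.get_filename() or "").lower() == TROJAN_ATTACHMENT.lower():
            findings["trojan_attachment"] = True

    if TROJAN_MAILER_MARKER in msg.get("X-Mailer", ""):
        findings["exfil_report"] = parse_exfil_report(msg)
    return findings


def parse_exfil_report(msg: Message) -> dict:
    """Pull the victim identification out of a Barok report body.

    Body layout follows the sample quoted in the post: 'Host:', 'Username:'
    and 'IP Address:' lines, then '... Passwords:' sections. Credential lines
    are only counted, not stored, so an incident ticket never carries the
    plaintext passwords around.
    """
    if msg.is_multipart():
        text = ""
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                text = part.get_payload(decode=True).decode("utf-8", "replace")
                break
    else:
        text = msg.get_payload(decode=True).decode("utf-8", "replace")

    report = {"host": None, "username": None, "ip": None, "credential_lines": 0}
    in_credentials = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Host:"):
            report["host"] = line.split(":", 1)[1].strip()
        elif line.startswith("Username:"):
            report["username"] = line.split(":", 1)[1].strip()
        elif line.startswith("IP Address:"):
            report["ip"] = line.split(":", 1)[1].strip()
        elif line.endswith("Passwords:"):
            in_credentials = True
        elif in_credentials and ":" in line:
            report["credential_lines"] += 1
    return report


# Generic "src:port -> dst:port" shape; constructed for this example.
LOG_LINE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)")


def hosts_contacting_exfil_server(log_lines) -> set:
    """Source IPs that opened a connection to the trojan's SMTP server."""
    dst_ip, dst_port = EXFIL_SMTP_SERVER
    hits = set()
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m.group("dst") == dst_ip and int(m.group("dport")) == dst_port:
            hits.add(m.group("src"))
    return hits


# Constructed sample data modelled on the post's description (not real captures).
SAMPLE_WORM_MAIL = (
    "From: someone@example.invalid\r\nTo: victim@example.invalid\r\n"
    "Subject: ILOVEYOU\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="WIN-BUGSFIX.exe"\r\n'
    'Content-Disposition: attachment; filename="WIN-BUGSFIX.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n--b1--\r\n"
)
SAMPLE_EXFIL_MAIL = (
    "To: mailme () super net ph\r\n"
    "Subject: Barok... email.passwords.sender.trojan\r\n"
    "X-Mailer: Barok... email.passwords.sender.trojan---by: spyder\r\n\r\n"
    "Host: kakker\r\nUsername: Default\r\nIP Address: 10.67.101.123\r\n\r\n"
    "RAS Passwords:\r\n\r\nCache Passwords:\r\n\r\n"
    "BLABLA\\MPM: xxx\r\nBJORN\\MUSIC: xxx\r\nMAPI: MAPI\r\n"
)
SAMPLE_FIREWALL_LOG = [
    "May  4 12:01:07 fw ACCEPT TCP 10.67.101.123:1043 -> 199.108.232.1:25",
    "May  4 12:01:09 fw ACCEPT TCP 10.67.101.200:1044 -> 192.0.2.10:25",
    "May  4 12:01:11 fw ACCEPT TCP 10.67.101.123:1045 -> 199.108.232.1:80",
]

if __name__ == "__main__":
    print(classify_message(SAMPLE_WORM_MAIL))
    print(classify_message(SAMPLE_EXFIL_MAIL))
    print(hosts_contacting_exfil_server(SAMPLE_FIREWALL_LOG))
```

The report parser deliberately keeps only the Host, Username and IP Address lines and a count of credential entries: that is enough to find and clean the infected machine, and the shares listed in the report still need their passwords changed regardless of what the captured copy says.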
