ILOVEYOU

I posted something similar over in the Pit, but thought I’d post a quick defense here. Please, everyone who opened one of those attachments isn’t ‘stupid’. A friend of mine received an e-mail from her daughter’s e-mail addy. The ‘ILOVEYOU’ was attached. With Mother’s Day coming up, my friend assumed this was something sweet and loving from her daughter, and opened it.

According to McAfee, there is also a variant that claims to be a virus update from Symantec! I believe that when I checked this morning, there were 8 variants listed.

Considering Outlook runs the .vbs file in the preview pane and the mail will come from someone you know (it uses address books), it's not the user's fault, for the most part. Their only fault is using Outlook; it is not secure, and MS targets new computer users with their advertising.

Really? Never having used Outlook, I wouldn't know, but I imagined the preview pane to be a preview of the attachment.
Even if an executable comes from a friend I still ask them what it was and where they got it before running it. Some of my friends would forward pretty much anything.

Another contributing factor is MS's belief that everything has to have a scripting language buried in it somewhere. Hence, you get viruses transmitted by things like Word docs and Excel spreadsheets which, to the casual user, seem like read-only things which ought to be "safe".

I fully understand how such features get proposed - it provides sort of an “ultimate escape hatch” to allow people to do all kinds of stuff you couldn’t explicitly provide functionality for, and probably wouldn’t have thought of in the first place. I’ve made arguments like that myself.

Trouble is, it can be very difficult to keep such a mechanism in desired boundaries, or even define what those boundaries are. For instance, it might be useful for me to be able to provide a word doc for you that is tailored using information obtained by looking at configuration files on your system, rather than having to say “go look at foo.config, and if it says ‘farblesnarb’ do this …” … but giving the word doc access to the file system, even read-only access, may be a bad idea.

If we're really going to operate in an interconnected environment like this, both OS security and users are going to have to grow up. Something which talks to the outside world, like a mailer or a browser, really needs to provide a "playpen" for its attachments to run in; there needs to be a negotiated contract with the attachment concerning the sorts of communication / system access services it needs, and the user should be prepared to have some picture of what this implies ("do you want to let this attachment read files on your machine …?"). Off the top of my head, in the current Windows environment, I would provide "permission aware" DLLs and a special linkage operation for running things like viewers and helper apps out of mailers which would keep them from using the normal Windows SDK. They'd run slower, but more securely ("naughty attachment! I didn't tell you you could write files …").

I've heard a lot of people sniff and say the virus code is amateurish and simple, but in looking at it I think it has several clever points. It showed me some things I could do with VBS that I didn't know about. In fact, I lifted some of the code to make a couple of cool utilities for myself.

And if someone with my limited skills can do that, how many copycats will there be?

I agree with all of the following points, however:

  1. Don’t open strange attachments, etc.
  2. Windows and Outlook have huge security holes, etc.
  3. The disruption caused by it was awful, and the creator was lame. At least they could have pretended to have a Cause or something, not “i hate go to school”. Yup, no way are you a loser.

Which is why linux/unix/etc rocks. grin

Excellent advice in any case, but rarely followed through on except by paranoid nutcases like us. innocent look

I got this straight off the bugtraq archives, I’m posting it in its entirety despite it being a bit long - those who understand it can talk about it, those who don’t can ask about it, but information is always good to have.

And 'cause I’m too lazy to type the whole explanation out.

-Elthia


“ILOVEYOU” virus analysis

Forum: Denial of service attack against tcpdump
Date: May 04, 17:22
From: Steve Wolfe <telomere@INCONNECT.COM>

A brief analysis of the “iloveyou” virus that’s now hitting quite a few
people…

Disclaimer: This is information provided in good-faith, with the intent to
assist those afflicted by the virus. I am not responsible for any
consequence of reading or using this information.

“iloveyou” is a virus/trojan that is spreading very prolifically, and
creating a headache for many IT employees. It is written in VBScript, and
proliferates itself via email.
Introduction. The virus proliferates itself via email, sending letters
with the subject “ILOVEYOU”, and in the body, “kindly check the attached
LOVELETTER coming from me.”

  Attached is a VBScript file called "I-LOVE-YOU.TXT.vbs". The
capitalization is apparently an attempt to fool users if they are not
looking carefully, upon seeing the “.TXT”, they think the file is a (safe)
text file, and run it.

Once executed, the script does the following:

  1. If the key “HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting
    Host\Settings\Timeout” is set to a positive number in the registry, it is
    set to zero. If it is not present, it is not affected.

  2. The VBScript then saves a copy of itself to:

    (a). %%WINDIR%%\Win32DLL.vbs
    (b). %%SYSDIR%%\MSKernel32.vbs
    (c). %%SYSDIR%%\LOVE-LETTER-FOR-YOU.TXT.vbs

  3. Sets the appropriate registry entries to start it on boot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 => (b)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL => (a)

  4. Changes the MSIE home page to a presumably malicious URL. If the file
    “WinFAT32.exe” exists, then it sets the startup page (contained in the
    registry setting HKCU\Software\Microsoft\Internet Explorer\Main\Start
    Page) to one of the following URLs:

http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

I haven’t looked at those executables, but presumably, they are also of
malicious intent. The sites above were not reachable, I assume that the
onslaught has brought their web servers to their knees, or the
administrators have simply shut them down/blocked traffic.

  5. If the “WIN-BUGSFIX.exe” file exists, it then sets it to run at boot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX => (download directory)\win-bugsfix.exe

and also sets the MSIE startup page to about:blank (a blank page).

  6. It then prints out HTML, containing these messages:

This HTML file need ActiveX Control
To Enable to read this HTML file

  • Please press YES button to Enable ActiveX

  7. The ActiveX then sets the registry entries to make it run at boot, as
    in step #3, and writes the files as in step 2.

  8. The virus spreads itself. It opens up a MAPI connection to your
    Outlook address list, and sends a copy of itself to each of the entries.

  9. Enumerates disk drives and infects files.

    In infecting the files, it searches each of the drives found, and does
    the following:

    (A) Any file with the extensions .vbs, .vbe, .js, .jse, .css, .wsh,
    .sct, .hta, .jpg, or .jpeg are replaced with a copy of the virus. Then, it
    appears that a copy of the virus is also written to the name of the file
    with “.vbs” attached - for example, “logo.jpg” would be replaced with the
    virus, and a file called “logo.jpg.vbs” would be created as well.

    (B) If any file with the extensions .mp2 or .mp3 is encountered, it
    will mark that file as hidden, then it will create a copy of itself with
    that name with the .vbs extensions - for example, “macarena.mp3” would be
    hidden, and a copy of the virus written to “macarena.mp3.vbs”.

    (C) If mirc32.exe, mirc.ini, script.ini, mirc.hlp or mlink32.exe is
    encountered, it will write to the script.ini in that directory, and modify
    it so that anyone joining a channel will be automatically sent a copy of
    LOVE-LETTER-FOR-YOU.htm, containing the virus.
    NOTE Although the code tries to replace .jpg files and .jpeg files as
    well, on the infected system I looked at, they did not appear to have been
    replaced by analyzing content, modification date, and size. I can’t see
    anything in the code that would make it break, so I have no clue why they
    were not affected.


Removal

Removing the virus is easy enough, but as another author said ("The
Pope"), it is painful, and if you have useful VBScript, WSH or other files
of similar nature (listed below), you may have already lost very valuable
data. The steps are:

  1. Remove the registry entries

HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
remove all instance of the following files:

LOVE-LETTER-FOR-YOU.HTM
*.vbs
*.vbe
*.js
*.jse
*.css
*.wsh
*.sct
*.hta

Find hidden files of .mp2 and .mp3 extensions, and remove the “hidden”
bit.

It is also a good idea to clear the “documents” folder.

Now, for .jpg and .jpeg files… technically, they should be removed.
However, since jpg’s are not executable, I do not see how they could affect
anything, but then again, I’m not all-knowing. Also, they did not appear
to have been infected on the machine I looked at, but that doesn’t mean
that they won’t be infected on your machine. The safest bet is to remove
them as well.


Prevention:

Delete the email if you receive it and are using one of the MS Outlook
programs; do not open it if you receive it via IRC.


Overall comments

This virus doesn’t really represent any new technology or technique, just
a mix of some commonly-known methods. The single semi-unique aspect is
using VBScript. By using unique capitalization of files
(LOVE-LETTER-FOR-YOU.TXT.vbs), it is possible to make many people think
that it’s just a regular text file.

As to the origin of the virus, a comment section in the code claims
creation by “spyder”, giving an email address, what appears to be a
company, and “Manila,Philippines”. Whether the author would actually put a
real email address and location is questionable.
steve
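The analysis above is a list of indicators: dropped file names, registry values used for persistence, the double-extension trick, and the hidden .mp2/.mp3 files sitting next to a same-named .vbs. Here is an added example (my own code, not Steve's and not from the Bugtraq post) that turns those indicators into an offline scan plus a removal plan following the "Removal" steps. The file system and registry are modelled as plain Python data so it runs anywhere; the sample tree, the stand-in worm text and the `example.invalid` start page are constructed for the example, the `HKLM`/`HKCU` abbreviations and the content markers (the comment phrases the thread quotes) are my assumptions, and the `hidden` boolean stands in for the Windows hidden attribute bit. On a real Windows host the same functions would be fed from `os.walk()`, the file attribute bits and the `winreg` module.

```python
"""Offline IOC scan for the ILOVEYOU artifacts described in the analysis above."""
import ntpath
from dataclasses import dataclass

# Extensions the analysis says are overwritten with the script (A),
# and the media extensions that are hidden and shadowed by a .vbs (B).
INFECTED_EXTS = {".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg", ".jpeg"}
MEDIA_EXTS = {".mp2", ".mp3"}
# File names the script drops (steps 2 and 6), compared case-insensitively.
DROPPED_NAMES = {"win32dll.vbs", "mskernel32.vbs", "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
# Registry values used for persistence (steps 1, 3, 4 and 5). HKLM/HKCU are assumed abbreviations.
AUTORUN_VALUES = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32": "mskernel32.vbs",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL": "win32dll.vbs",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX": "win-bugsfix.exe",
}
TIMEOUT_KEY = r"HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout"
START_PAGE_KEY = r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"
# Assumed content markers: the phrases the thread quotes from the worm's comment header.
CONTENT_MARKERS = ("i hate go to school", "spyder", "manila,philippines")


@dataclass
class FileEntry:
    path: str
    content: str = ""
    hidden: bool = False  # stands in for the Windows "hidden" attribute bit


def classify(entry, by_path):
    """Return the indicator a single file matches, or None if it looks clean."""
    name = ntpath.basename(entry.path).lower()
    stem, ext = ntpath.splitext(name)
    if name in DROPPED_NAMES:
        return "dropped_copy"
    # "logo.jpg.vbs", "macarena.mp3.vbs", "something.txt.vbs": the double-extension trick.
    if ext == ".vbs" and ntpath.splitext(stem)[1] in INFECTED_EXTS | MEDIA_EXTS | {".txt"}:
        return "double_extension"
    # A script or image file whose body now carries the worm's comment header.
    if ext in INFECTED_EXTS and any(m in entry.content.lower() for m in CONTENT_MARKERS):
        return "overwritten_script"
    # A hidden .mp2/.mp3 sitting next to a same-named .vbs (B).
    if ext in MEDIA_EXTS and entry.hidden and entry.path.lower() + ".vbs" in by_path:
        return "hidden_media"
    return None


def scan_files(entries):
    """Return (indicator, path) pairs for every file that matches an indicator."""
    by_path = {e.path.lower() for e in entries}
    return [(classify(e, by_path), e.path) for e in entries if classify(e, by_path)]


def scan_registry(reg):
    """reg maps full value paths to data, like a winreg dump; return (indicator, key) pairs."""
    findings = []
    for key, dropped in AUTORUN_VALUES.items():
        data = reg.get(key)
        if isinstance(data, str) and ntpath.basename(data).lower() == dropped:
            findings.append(("autorun", key))
    if reg.get(TIMEOUT_KEY) == 0:  # step 1: WSH timeout forced to zero
        findings.append(("wsh_timeout_zeroed", TIMEOUT_KEY))
    if "win-bugsfix.exe" in str(reg.get(START_PAGE_KEY, "")).lower():
        findings.append(("start_page_dropper", START_PAGE_KEY))
    return findings


def cleanup_plan(entries, reg):
    """Translate findings into the removal steps the analysis lists, without touching anything."""
    plan = [("unhide" if k == "hidden_media" else "delete", p) for k, p in scan_files(entries)]
    for kind, key in scan_registry(reg):
        plan.append(("reset_to_about_blank" if kind == "start_page_dropper" else "delete_value", key))
    return plan


# Constructed sample data (not taken from any real infected machine).
WORM_TEXT = "rem constructed stand-in <i hate go to school>\nrem by: spyder / Manila,Philippines\n"
SAMPLE_FILES = [
    FileEntry(r"C:\WINDOWS\Win32DLL.vbs", WORM_TEXT),
    FileEntry(r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", WORM_TEXT),
    FileEntry(r"C:\WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.vbs", WORM_TEXT),
    FileEntry(r"C:\My Documents\logo.jpg", WORM_TEXT),               # (A): image replaced by the script
    FileEntry(r"C:\My Documents\logo.jpg.vbs", WORM_TEXT),           # (A): plus the .vbs twin
    FileEntry(r"C:\Music\macarena.mp3", "<mp3 bytes>", hidden=True),  # (B): hidden original
    FileEntry(r"C:\Music\macarena.mp3.vbs", WORM_TEXT),              # (B): script with the media name
    FileEntry(r"C:\Music\clean.mp3", "<mp3 bytes>"),
    FileEntry(r"C:\Work\build.js", "function build() {}"),           # untouched script
    FileEntry(r"C:\Work\notes.txt", "quarterly numbers"),
]
SAMPLE_REGISTRY = {
    TIMEOUT_KEY: 0,
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32": r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL": r"C:\WINDOWS\Win32DLL.vbs",
    START_PAGE_KEY: "http://example.invalid/WIN-BUGSFIX.exe",  # placeholder for the skyinet URLs
}

if __name__ == "__main__":
    for action, target in cleanup_plan(SAMPLE_FILES, SAMPLE_REGISTRY):
        print(f"{action:22} {target}")
```

Two caveats a practitioner would want: the name-based checks will also flag a legitimately named `report.txt.vbs`, which is fine for triage but is why the plan only proposes actions rather than deleting; and matching on comment phrases is a weak signature that a copycat drops in seconds, so the registry and file-name indicators are the ones worth keeping in a monitoring rule.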

Kyberneticist wrote:

According to the Macintosh Virus FAQ:
http://www.icsa.net/html/communities/antivirus/faqs/macfaq.shtml

SPOOFE Bo Diddly writes:

Who’s missing what??? It doesn’t matter WHY the Mac is less susceptible. It only matters, to me anyway, that it IS!!!

However, your assessment is not entirely correct. Desire and targetability are not the only reasons Mac viruses are not popular. Viruses for the Mac are much more difficult to propagate because the OS was designed to guard against them.

More like Switzerland, I’d say.
Back on topic…

I remember, many years ago, when I first started hearing about email viruses. The conventional wisdom, at the time, was that all email viruses were hoaxes because no one would be stupid enough to build a mail program with an embedded programming language… Microsoft, once again, proved that they were up to the challenge and did what the experts said shouldn’t be done…

For me, this clearly falls into the realm of “what were they thinking?!”. The time is really ripe for this kind of attack, because so many computer users now have MS Outlook pre-installed and most average users don’t know how dangerous that software really is… after all, if you can’t trust Microsoft to look out for your best interest, who can you trust?

I predict, now that so many people have seen how easy it is to wreak this kind of havoc, there will be a continuing outbreak of cut & paste terrorism.

The I Love You Virus has the following effects:

  1. Will mail itself to everyone in your address list if you use Outlook.

  2. Changes the homepage of your browser to an ISP in the Philippines where it would download password capture software to your pc (the pages in the Philippines have been shutdown by that ISP so this no longer works).

  3. The program deletes all files with the following extensions and creates a file with the same name but with a VBS extension in its place: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg Also, all MP3 and MP2 files will be hidden and a new file with the same name but a VBS (instead of MP3) extension will be created.

Of the above JPG are probably the most common (JPG files are pictures).

Some of the new variants have slightly different payloads but I'm not sure of the differences between each one. I do know that the relatively rare Mother's Day variant will delete INI files from your PC, which can very possibly force the user to rebuild their PC from scratch (depending on how good the user has been with backing up system files).

JoeyBlades wrote:

That’s a little bizarre, since when I counted the ones listed in that FAQ, I came up with 54. Furthermore, as the FAQ notes, that is only major strains, not variants (and most viruses have many variants which accounts for the high Windows number, particularly with virus toolkits)

How was MacOS designed to guard against viruses? I am a little curious. From the fiddling I’ve done with it, it is, like Windows, very much a single-user type platform. Since WinNT actually has some concept of file rights and security, one could claim it was designed to guard against viruses too, but that was hardly its primary function.
In any case, I wrote a simple virus for the Power architecture in our Assembly class. I didn’t see much that made it harder. (except for the pain of having to do in 5 instructions what x86 CISC would allow us to do in 2)

BTW, I said two or three hundred after reading here:
http://emt.doit.wisc.edu/macvir/macvir.(06).html

I tried checking Apple’s site for more info, but their search engine, as usual, was crap. No real FAQs on viruses that I could find.
Reminded me of the time I had to get info on what the different bomb numbers meant by visiting a Mac fan website since there was nothing on Apple’s.
Well, OSX is BSD from what I hear, so we can hope for a change.
At the moment, I love the PowerPCs… when running Yellow Dog Linux.

JoeyBlades:

What is it that you think Microsoft shouldn’t have done? Design an email program that will run attachments if you double-click them? That is the only way this particular virus will spread.

hardcore, your statement is incorrect. Please verify your statements before posting, because with computer viruses, giving false information can have unintended consequences.
From an article in Computerworld, “Love” virus includes password-stealing Trojan Horse, By Ann Harrison, 05/04/2000:

I must confess that since I haven’t used windows in a while I am not that qualified to speak on this, but I have been reading up on .vbs files and Windows Scripting Host.
http://msdn.microsoft.com/library/periodic/period98/cutting0698.htm

It appears the WSH module is necessary to run the .vbs file; it is not at all clear that running it will happen accidentally.
This article still claims it will take a double-click to run a .vbs file. Previewing an attachment normally launches some application that tries to do something with it. That is a more active role on the user’s part than simply clicking on an e-mail.
Again, the question is why people would even touch a .vbs, or any other attachment aside from a text or image file without adequate explanation of what it does.

I am somewhat confused… I use Outlook Express 5. In Tools/options/security I can set it to “internet” or “restricted” (this seems to work in conjunction with IE5 settings). If I set it to “restricted” will it prevent it from running VBS attachments in preview mode?

I have never received a VBS attachment so I do not know what it does. I know I can see JPG and GIF graphics in preview mode but in my experience all other attachments need to be opened, including TIF graphics.

Can anyone clarify this for me? Word and Excel have a setting that will prevent running macros. I should think OE would have a similar security feature.

Arnold, I posted a reply to you in the other thread that you posted this same response in. Basically, you need some evidence to back up your theory. All of my experiments refute your assertion that vbs files will run automatically.

sailor, OE 5.0 won’t run vbs attachments in the preview panel regardless of your security settings.

Kyberneticist wrote:

Some of those listed are trojan horses. I don’t put trojan horses in the same class as viruses.

[quote]

Furthermore, as the FAQ notes, that is only major strains, not variants (and most viruses have many variants which accounts for the high Windows number, particularly with virus toolkits)

[/quote]

In the Mac world, almost all of the ‘variants’ are identical except for the name of the resource. Few of them are true variants, in the sense that the virus code has been modified.

This is not the ideal place to explain this and I am not the ideal person to explain it. However, suffice it to say that the Macintosh has a very restricted and controlled mechanism for executing code and file I/O. Because of this, antivirus software for the Mac doesn’t need to know about every strain of every virus, it only needs to close all of the back doors, which Disinfectant did more than three years ago.

The Mac OS can’t do anything special to guard against Microsoft macro viruses because Microsoft built in the flexibility and power to let users do practically anything they want.

You developed this virus on the Mac? If so, I’m impressed. I have a hard enough time getting the Mac INIT and VBL mechanisms to do what they were designed for, much less tricky stuff like virus propagation. As for the PowerPC architecture, I don’t think it has any mechanisms to guard against virus attacks itself.

You probably just didn’t know where to look. Error code listings have been available on the Apple developer sites since the introduction of the Lisa (precursor to the Mac).
hardcore wrote:

This is a very reckless way to live your life, my son. A number of reputable virus experts have said that the vbs files can run automatically if you have “Windows Scripting Host” running with MS Outlook and possibly “Active Scripting” in Internet Explorer. This has been verified already by the CERT at Carnegie Mellon Software Engineering Institute. Sorry, but I find them to be infinitely more credible…

I have all that installed on several computers. Go to the CERT site and see if you can find anything there that backs up your assertion. I can’t.

If any of THAT is true…

OK, fair enough. They never use the words “automatic launch” however it is implied by

(1) Their instructions to disable “Windows Scripting Host” and “Active Scripting”.

(2) They reference the “Sophos” site which does indicate the execution is automatic.
I’ve seen a couple of other trusted sites that claim that the virus can launch automatically. Plus, a number of sys admins at my company claim that they were infected, even though they never opened the message…
However, Microsoft’s official position is:

So now I don’t know who to believe.

As the cnet article pointed out, the Love virus doesn’t use scripts buried in html, although I’m surprised it didn’t. I briefly mentioned in the other thread on this topic at http://boards.straightdope.com/sdmb/showthread.php?threadid=23703
how this could be done, but I didn’t want to give anybody any ideas.