
Latest Virus Warning Information


Table of Contents

Loveletter / I Love You
PrettyPark
ExploreZip
Melissa
Happy99


CERT Advisory CA-2000-04 Love Letter Worm

Original release date: May 4, 2000
Source: CERT/CC
A complete revision history is at the end of this file.

Systems Affected
* Systems running Microsoft Windows with Windows Scripting Host enabled

Overview

The "Love Letter" worm is a malicious VBScript program which spreads in a variety of ways. As of 2:00pm EDT (GMT-4) May 4, 2000, the CERT Coordination Center has received reports from more than 250 individual sites indicating more than 300,000 individual systems are affected. In addition, we have several reports of sites suffering considerable network degradation as a result of mail, file, and web traffic generated by the "Love Letter" worm.

I. Description

You can be infected with the "Love Letter" worm in a variety of ways, including electronic mail, Windows file sharing, IRC, USENET news and possibly via webpages. Once the worm has executed on your system, it will take the actions described in the Impact section.

Electronic Mail

When the worm executes, it attempts to send copies of itself using Microsoft Outlook to all the entries in all the address books. The mail it sends has the following characteristics:

* An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS"
* A subject of "ILOVEYOU"
* A body which reads "kindly check the attached LOVELETTER coming from me."

People who receive copies of the worm via electronic mail will most likely recognize the sender. We encourage people to avoid executing code, including VBScripts, received through electronic mail regardless of the sender without firsthand prior knowledge of the origin of the code.

Internet Relay Chat

When the worm executes, it will attempt to create a file named script.ini in any directory that contains certain files associated with the popular IRC client mIRC. The script file will attempt to send a copy of the worm via DCC to other people in any IRC channel joined by the victim. We encourage people to disable automatic reception of files via DCC in any IRC client.

Executing Files on Shared File Systems

When the worm executes, it will search for certain types of files and replace them with a copy of the worm (see the Impact section for more details). Executing (double clicking) files modified by other infected users will result in executing the worm. Files modified by the worm may also be started automatically, for example from a startup script.

Reading USENET News

There have been reports of the worm appearing in USENET newsgroups. The suggestions above should be applied to users reading messages in USENET newsgroups.

II. Impact

When the worm is executed, it takes the following steps:

Replaces Files with Copies of the Worm

When the worm executes, it will search for certain types of files and make changes to those files depending on the type of file. For files on fixed or network drives, it will take the following steps:

* For files whose extension is vbs or vbe it will replace those files with a copy of itself.
* For files whose extensions are js, jse, css, wsh, sct, or hta, it will replace those files with a copy of itself and change the extension to vbs. For example, a file named x.css will be replaced with a file named x.vbs containing a copy of the worm.
* For files whose extension is jpg or jpeg, it will replace those files with a copy of the worm and add a vbs extension. For example, a file named x.jpg will be replaced by a file called x.jpg.vbs containing a copy of the worm.
* For files whose extension is mp3 or mp2, it will create a copy of itself in a file named with a vbs extension in the same manner as for a jpg file. The original file is preserved, but its attributes are changed to hidden.

Since the modified files are overwritten by the worm code rather than being deleted, file recovery is difficult and may be impossible.
Users executing files that have been modified in this step will cause the worm to begin executing again. If these files are on a filesystem shared over a local area network, new users may be affected.
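
The renaming rules above also tell a responder which files are gone and which are only hidden. The following is an added example, not part of the CERT advisory: it compares a pre-incident file inventory with a current listing and classifies each file by the rule that applies. The inventories, paths and verdict strings are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Extension groups exactly as listed in the advisory's Impact section.
OVERWRITTEN_IN_PLACE = {".vbs", ".vbe"}
RENAMED_TO_VBS = {".js", ".jse", ".css", ".wsh", ".sct", ".hta"}
VBS_APPENDED = {".jpg", ".jpeg"}
HIDDEN_WITH_COPY = {".mp3", ".mp2"}

# Verdict strings are this example's own wording, not the advisory's.
LOST = "overwritten: restore from backup"
HIDDEN = "original preserved: clear hidden attribute, remove .vbs copy"
CHECK = "name unchanged: compare content against a known-good copy"


def norm(path):
    """Windows paths compare case-insensitively; normalise separators too."""
    return str(PureWindowsPath(path)).lower()


def triage(baseline, current):
    """Classify baseline files by what the current listing shows.

    baseline: paths recorded before the incident.
    current:  paths present now (the listing must include hidden files).
    Returns {baseline_path: verdict} for files matching a worm pattern.
    """
    now = {norm(p) for p in current}
    findings = {}
    for original in baseline:
        path = PureWindowsPath(norm(original))
        ext = path.suffix
        appended = str(path) + ".vbs"
        if ext in RENAMED_TO_VBS:
            # x.css disappears and x.vbs takes its place.
            if str(path) not in now and str(path.with_suffix(".vbs")) in now:
                findings[original] = LOST
        elif ext in VBS_APPENDED:
            # x.jpg disappears and x.jpg.vbs takes its place.
            if str(path) not in now and appended in now:
                findings[original] = LOST
        elif ext in HIDDEN_WITH_COPY:
            # x.mp3 stays (hidden) and x.mp3.vbs appears beside it.
            if appended in now:
                findings[original] = HIDDEN
        elif ext in OVERWRITTEN_IN_PLACE and str(path) in now:
            # Overwritten under the same name, so names alone cannot tell.
            findings[original] = CHECK
    return findings


# Constructed inventories (not taken from a real system).
BASELINE = [
    r"D:\web\site.css",
    r"D:\pics\cat.jpg",
    r"D:\music\song.mp3",
    r"D:\docs\report.doc",
    r"D:\scripts\login.vbs",
]
CURRENT = [
    r"D:\web\site.vbs",
    r"D:\pics\cat.jpg.vbs",
    r"D:\music\song.mp3",
    r"D:\music\song.mp3.vbs",
    r"D:\docs\report.doc",
    r"D:\scripts\login.vbs",
]

if __name__ == "__main__":
    for path, verdict in triage(BASELINE, CURRENT).items():
        print(f"{path}: {verdict}")
```
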

Creates an mIRC Script

While the worm is examining files as described in the previous section, it may take additional steps to create a mIRC script file. If the file name being examined is mirc32.exe, mlink32.exe, mirc.ini, script.ini or mirc.hlp, the worm will create a file named script.ini in the same folder. The script.ini file will contain:

[script]
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick DIRSYSTEM\LOVE-LETTER-FOR-YOU.HTM
n3=}

where DIRSYSTEM varies based on the platform where the worm is executed. If the file script.ini already exists, no changes occur.

This code appears to define a script such that whenever the user joins a channel in IRC, a copy of the worm will be sent to others on the channel via DCC. The script.ini file is created only once per folder processed by the worm.

Modifies the Internet Explorer Start Page

If the file \WinFAT32.exe exists, the worm sets the Internet Explorer Start page to one of four randomly selected URLs. These URLs all refer to a file named WIN-BUGSFIX.exe, which presumably contains malicious code. The worm checks for this file in the Internet Explorer downloads directory, and if found, it is added to the list of programs to run at reboot. The Internet Explorer Start page is then reset to "about:blank". Information about the impact of running WIN-BUGSFIX.exe will be added to this document as soon as it is available.

Send Copies of Itself via Email

The worm will attempt to use Microsoft Outlook to send copies of itself to all entries in all address books as described in the Description section.

Other Modified Registry Keys

In addition to other changes, the worm updates the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\WAB\*

III. Solution

Update Your Anti-Virus Product

It is important for users to update their anti-virus software. Some anti-virus software vendors have released updated information, tools, or virus databases to help prevent and combat this worm. A list of vendor-specific anti-virus information can be found in Appendix A.

Disable Windows Scripting Host

Because the worm is written in VBS, it requires the Windows Scripting Host (WSH) to run. Disabling WSH prevents the worm from executing. For information about disabling WSH, see:
http://www.sophos.com/support/faqs/wsh.html

This change may disable functionality the user desires. Exercise caution when implementing this solution.

Disable Active Scripting in Internet Explorer

Information about disabling active scripting in Internet Explorer can be found at:
http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps

This change may disable functionality the user desires. Exercise caution when implementing this solution.

Disable Auto-DCC Reception in IRC Clients

Users of Internet Relay Chat (IRC) programs should disable automatic reception of files offered to them via DCC.

Filter Virus in E-Mail

Sites can use email filtering techniques to delete messages containing subject lines known to contain the worm. For sites using unix, here are some possible methods:

Sendmail

The following sendmail rule will delete all messages with the Subject: line ILOVEYOU:

HSubject:[tab][tab][tab]$>Check_Subject
D{MPat}ILOVEYOU
D{MMsg}This message may contain the ILOVEYOU virus
SCheck_Subject
R${MPat} $*[tab]$#error $: 553 ${MMsg}
RRe: ${MPat} $*[tab]$#error $: 553 ${MMsg}
RFW: ${MPat} $*[tab]$#error $: 553 ${MMsg}

PostFix

Add the following line in /etc/postfix/header_checks:
/^Subject: ILOVEYOU/ REJECT

Procmail

This procmail rule also deletes any messages with the Subject: line containing "ILOVEYOU":

:0 D
* ^Subject:[[tab] ]+ILOVEYOU
/dev/null

Note that in all of these examples, [tab] represents a literal tab character, and must be replaced with one for this to work correctly.
It is important to note that these three methods, as described, do not prevent the worm from spreading if the Subject: line of the email has changed. Administrators can use more complicated procmail rules to block the worm based on the body of the email, but such methods require more processing time on mail servers, and may not be feasible at sites with high volumes of email traffic.
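
The limitation noted above can be seen by checking all three message characteristics from the Electronic Mail section rather than the Subject: line alone. The following is an added example, not part of the CERT advisory and not one of the rules it lists; the sample messages, addresses, the label strings and the stacked-extension pattern are assumptions of this example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The three characteristics listed in the advisory's Electronic Mail section.
# The subject pattern mirrors the sendmail rules (bare, "Re:" and "FW:").
SUBJECT_RE = re.compile(r"^\s*(?:(?:Re|FW):\s*)?ILOVEYOU", re.I)
ATTACHMENT_NAME = "love-letter-for-you.txt.vbs"
BODY_TEXT = "kindly check the attached loveletter coming from me"
# Generalisation added by this example: a VBScript extension stacked on
# another extension, e.g. "name.txt.vbs" or "name.jpg.vbs".
STACKED_VBS_RE = re.compile(r"\.[a-z0-9]{1,5}\.vb[se]$", re.I)


def subject_only(raw):
    """What a Subject:-only rule sees: True if the subject matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return bool(SUBJECT_RE.match(str(msg.get("Subject", ""))))


def indicators(raw):
    """Return the set of indicators found in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = set()
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if name.lower() == ATTACHMENT_NAME:
                hits.add("attachment-name")
            elif STACKED_VBS_RE.search(name):
                hits.add("stacked-vbs-extension")
        elif part.get_content_type() == "text/plain":
            # Body inspection is the costlier check the advisory mentions.
            if BODY_TEXT in part.get_content().lower():
                hits.add("body")
    return hits


def build_sample(subject, body, attachment_name=None):
    """Build a constructed test message; the attachment is inert filler."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder bytes, not worm code",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


# Constructed samples.
WORM_BODY = "kindly check the attached LOVELETTER coming from me."
ORIGINAL = build_sample("ILOVEYOU", WORM_BODY, "LOVE-LETTER-FOR-YOU.TXT.VBS")
RESUBJECTED = build_sample("Meeting notes", WORM_BODY,
                           "LOVE-LETTER-FOR-YOU.TXT.VBS")
REWORDED = build_sample("Meeting notes", "See attached.",
                        "holiday-photo.jpg.vbs")
BENIGN = build_sample("Lunch on Friday?", "Menu attached.", "menu.pdf")

if __name__ == "__main__":
    for label, raw in [("original", ORIGINAL), ("resubjected", RESUBJECTED),
                       ("reworded", REWORDED), ("benign", BENIGN)]:
        print(label, subject_only(raw), sorted(indicators(raw)))
```
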

Exercise Caution When Opening Attachments

Exercise caution with attachments in email. Users should disable auto-opening or previewing of email attachments in their mail programs. Users should never open attachments from an untrusted origin, or that appear suspicious in any way.

The CERT Coordination Center would like to thank David Slade of Lucent Technologies for their help in constructing this advisory. We thank Christopher Lindsey for providing the procmail rule.


The following people were involved in the creation of this document:
Jeff Carpenter, Cory Cohen, Chad Dougherty, Ian Finlay, Kathy Fithen, Rhonda Green, Robert Hanson, Jeff Havrilla, Shawn Hernan, Kevin Houle, Brian King, Jed Pickel, Joseph Pruzynski, Robin Ruefle, John Schaffer, and Mark Zajicek


The full version of this document with additional links is available from:
http://www.cert.org/advisories/CA-2000-04.html


PrettyPark

Aliases: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV

Infection Length: 37,376
Area of Infection: C:\Windows\System, Registry, Email Attachments
Likelihood: Common
Detected as of: June 1, 1999
Characteristics: Worm, PrettyPark.EXE, Files32.VXD

Description

This is a worm program that behaves similarly to the Happy99 worm. It was originally spread by email spamming from a French email address.

The attached program file is named "PrettyPark.EXE". The original report of this worm was submitted through our exclusive Scan&Deliver system on May 28, 1999 from France.

When the attached program called "PrettyPark.EXE" is executed, it may display the 3D pipe screen saver. It will also create a file called FILES32.VXD in the WINDOWS\SYSTEM directory and modify the following registry entry value from "%1" %* to FILES32.VXD "%1" %* without your knowledge:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

Once the worm program is executed, it will try to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book.

It will also try to connect to an IRC server and join a specific IRC channel. The worm will send information to IRC every 30 seconds to keep itself connected, and to retrieve any commands from the IRC channel.

Via IRC, the author or distributor of the worm can obtain system information including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version, version number, ICQ identification numbers, ICQ nicknames, the victim's email address, and Dial Up Networking usernames and passwords. In addition, being connected to IRC opens a security hole in which the client can potentially be used to receive and execute files.

Norton AntiVirus will detect PrettyPark.Worm as "Trojan Horse" with June 1, 1999 virus definitions. With the June 9, 1999 definitions or later, the worm will be detected as "PrettyPark.Worm."

Repair Information

Removing this worm manually:

  1. Using REGEDIT, modify the Registry entry

    HKEY_LOCAL_MACHINE\Software\Classes\exefile\
    shell\open\command

    from

    FILES32.VXD "%1" %* to "%1" %*

    (You may launch REGEDIT through Windows Start-menu-RUN. Then search for "FILES32.VXD" in REGEDIT.)

  2. Delete WINDOWS\SYSTEM\FILES32.VXD
  3. Delete the "Pretty Park.EXE" file.
  4. Reboot your computer.

You need to do step #1 above; otherwise, executable files may not run properly if you simply delete FILES32.VXD.

Safe Computing

This worm, and other trojan-horse type programs, demonstrate the need to practice safe computing. You should not launch any executable-file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an untrusted email or newsgroup source.

Write-up by: Raul K. Elnitiarta & Eric Chien at Symantec
June 1, 1999
Updated: June 9, 1999




W32/ExploreZip.worm (updated 6/14/99)

CERT Advisory CA-99-06-explorezip

   Original issue date: Thursday June 10, 1999
   Last Revised Date: June 14, 1999
   Added information about the program's self-propagation via networked
   shares; also updated anti-virus vendor URLs.

   Source: CERT/CC

Note: The CERT Coordination Center has discovered new information regarding the ExploreZip worm. This re-issue of CERT Advisory CA-99-06 contains new information regarding an additional means by which the Worm can spread, and a caution about disinfecting your systems. We will continue to update this advisory as new information is discovered. We encourage you to check our web site frequently for any new information.



Systems Affected

* Machines running Windows 95, Windows 98, or Windows NT.
* Machines with filesystems and/or shares that are writable by a user of an infected system.
* Any mail handling system could experience performance problems or a denial of service as a result of the propagation of this Trojan horse program.

Overview

The CERT Coordination Center continues to receive reports and inquiries regarding various forms of malicious executable files that are propagated as file attachments in electronic mail.

During the second week of June 1999, the CERT/CC began receiving reports of sites affected by ExploreZip, a Trojan horse/worm program that affects Windows systems and has propagated in email attachments. The number and variety of reports we have received indicate that this has the potential to be a widespread attack affecting a variety of sites.

I. Description

Our original analysis indicated that the ExploreZip program is a Trojan horse, since it initially requires a victim to open or run an email attachment in order for the program to install a copy of itself and enable further propagation. Further analysis has shown that, once installed, the program may also behave as a worm, and it may be able to propagate itself, without any human interaction, to other networked machines that have certain writable shares.

The ExploreZip Trojan horse has been propagated between users in the form of email messages containing an attached file named zipped_files.exe. Some email programs may display this attachment with a "WinZip" icon. The body of the email message usually appears to come from a known email correspondent, and typically contains the following text:

    I received your email and I shall send you a reply ASAP.
    Till then, take a look at the attached zipped docs.

The subject line of the message may not be predictable and may appear to be sent in reply to previous email.

Opening the zipped_files.exe file causes the program to execute. It is possible under some mailer configurations that a user might automatically open a malicious file received in the form of an email attachment. When the program is run, an error message is displayed:

Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help.

Destruction of files

* The program searches local and networked drives (drive letters C through Z) for specific file types and attempts to erase the contents of the files, leaving a zero byte file. The targets may include Microsoft Office files, such as .doc, .xls, and .ppt, and various source code files, such as .c, .cpp, .h, and .asm.
* The program may also be able to delete files that are writable to it via SMB/CIFS file sharing. The program appears to look through the network neighborhood and delete any files that are shared and writable, even if those shares are not mapped to networked drives on the infected computer.
* The program appears to continually delete the contents of targeted files on any mapped networked drives.

The program does not appear to delete files with the "hidden" or "system" attribute, regardless of their extension.

System modifications

* The zipped_files.exe program creates a copy of itself in a file called explore.exe in the following location(s):

      On Windows 98 - C:\WINDOWS\SYSTEM\Explore.exe
      On Windows NT - C:\WINNT\System32\Explore.exe

  This explore.exe file is an identical copy of the zipped_files.exe Trojan horse, and the file size is 210432 bytes.

      MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b

* On Windows 98 systems, the zipped_files.exe program creates an entry in the WIN.INI file:

      run=C:\WINDOWS\SYSTEM\Explore.exe

  On Windows NT systems, an entry is made in the system registry:

      [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
      run = "C:\WINNT\System32\Explore.exe"

Propagation via file sharing

Once explore.exe is running, it takes the following steps to propagate to other systems via file sharing:

* Each time the program is executed, the program will search the network for all shares that contain a WIN.INI file with a valid "[windows]" section in the file.
* For each such share that it finds, the program will attempt to
   + copy itself to a file named _setup.exe on that share
   + modify the WIN.INI file on that share by adding the entry "run=_setup.exe"

  The account running the program on the original infected machine needs to have permission to write to the second victim's shared directory. (That is, no vulnerabilities are being exploited in order for the program to spread in this manner.)

  The _setup.exe file is identical to the zipped_files.exe and explore.exe files on the original infected machine.

* The original infected system will continue to scan shares that have been mapped to a local drive letter containing a valid WIN.INI file. For each such share that is found, the program will "re-infect" the victim system as described above.

On Windows 98 systems that have a "run=_setup.exe" entry in the WIN.INI file (as described previously), the C:\WINDOWS\_setup.exe program is executed automatically whenever a user logs in. On Windows NT systems, a "run=_setup.exe" entry in the WIN.INI file does not appear to cause the program to be executed automatically.

When run as _setup.exe, the program will attempt to

   * make another copy of itself in C:\WINDOWS\SYSTEM\Explore.exe
   * modify the WIN.INI file again by replacing the "run=_setup.exe" entry with "run=C:\WINDOWS\SYSTEM\Explore.exe"

Note that when the program is run as _setup.exe, it configures the system to later run as explore.exe. But when run as explore.exe, it attempts to infect shares with valid WIN.INI files by configuring those files to run _setup.exe. Since this infection process includes local shares, affected systems may exhibit a "ping pong" behavior in which the infected host alternates between the two states.
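
Both states of this cycle leave a run= entry in the [windows] section of WIN.INI, so that entry is what to look for on a workstation or a shared directory before re-enabling the share. The following is an added example, not part of the CERT advisory: a small WIN.INI reader that reports run= entries naming the two files described above. The sample file contents are constructed, and splitting a run= value on spaces or commas is an assumption of this example.

```python
import re
from pathlib import PureWindowsPath

# File names given in the advisory. Note "explore.exe", which differs
# from the legitimate Windows shell "explorer.exe" by one letter.
SUSPECT_NAMES = {"_setup.exe", "explore.exe"}


def run_entries(win_ini_text):
    """Return the programs listed on run= lines in the [windows] section."""
    section = None
    entries = []
    for line in win_ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() == "run":
            # Assumption: several programs may be listed, separated by
            # spaces or commas; paths containing spaces are not handled.
            for item in re.split(r"[,\s]+", value.strip()):
                item = item.strip('"')
                if item:
                    entries.append(item)
    return entries


def suspicious_entries(win_ini_text):
    """Return run= entries whose file name matches the advisory's names."""
    return [e for e in run_entries(win_ini_text)
            if PureWindowsPath(e).name.lower() in SUSPECT_NAMES]


# Constructed WIN.INI samples (not copied from a real system).
INFECTED_HOST = "\n".join([
    "[windows]",
    "load=",
    r"run=C:\WINDOWS\SYSTEM\Explore.exe",
    "[Desktop]",
    "Wallpaper=(None)",
])
INFECTED_SHARE = "\n".join([
    "; shared Windows directory",
    "[Windows]",
    "run=_setup.exe",
])
CLEAN = "\n".join([
    "[windows]",
    r"run=C:\TOOLS\explorer.exe, C:\TOOLS\clock.exe",
    "[other]",
    "run=_setup.exe",                     # wrong section, so not a run entry
])

if __name__ == "__main__":
    for label, text in [("host", INFECTED_HOST), ("share", INFECTED_SHARE),
                        ("clean", CLEAN)]:
        print(label, suspicious_entries(text))
```
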

Propagation via email

The program propagates by replying to any new email that is received by the infected computer. The reply messages are similar to the original email described above, each containing another copy of the zipped_files.exe attachment.

We will continue to update this advisory with more specific information as we are able to confirm details. Please check the CERT/CC web site for the current version containing a complete revision history.

II. Impact

* Users who execute the zipped_files.exe Trojan horse will infect the host system, potentially causing targeted files to be destroyed.
* Users who execute the Trojan horse may also infect other networked systems that have writable shares.
* Because of the large amount of network traffic generated by infected machines, network performance may suffer.
* Indirectly, this Trojan horse could cause a denial of service on mail servers. Several large sites have reported performance problems with their mail servers as a result of the propagation of this Trojan horse.

III. Solution

Use virus scanners

While many anti-virus products are able to detect and remove the executables locally, because of the continuous re-infection process, simply removing all copies of the program from an infected system may leave your system open to re-infection at a later time, perhaps immediately. To prevent re-infection, you must not serve any shares containing a WIN.INI file to any potentially infected machines. If you share files with everyone in your domain, then you must disable shares with WIN.INI files until every machine on your network has been disinfected.

In order to detect and clean current viruses, you must keep your scanning tools up to date with the latest definition files. Please see the following anti-virus vendor resources for more information about the characteristics and removal techniques for the malicious file known as ExploreZip.


Aladdin Knowledge Systems, Inc.
http://www.esafe.com/vcenter/explore.html

Central Command
http://www.avp.com/zippedfiles/zippedfiles.html

Command Software Systems, Inc
http://www.commandcom.com/html/virus/explorezip.html

Computer Associates
http://www.cai.com/virusinfo/virusalert.htm

Data Fellows
http://www.datafellows.com/news/pr/eng/19990610.htm

McAfee, Inc. (a Network Associates company)
http://www.mcafee.com/viruses/explorezip/default.asp

Network Associates Incorporated
http://www.avertlabs.com/public/datafiles/valerts/vinfo/va10185.asp

Sophos, Incorporated
http://www.sophos.com/downloads/ide/index.html#explorez

Symantec
http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html

Trend Micro Incorporated
http://www.antivirus.com/vinfo/alerts.htm

Additional sources of virus information are listed at
http://www.cert.org/other_sources/viruses.html


Additional suggestions

* Blocking Netbios traffic at your network border may help prevent propagation via shares from outside your network perimeter.
* Disable file serving on workstations. You will not be able to share your files with other computers, but you will be able to browse and get files from servers. This will prevent your workstation from being infected via file sharing propagation.
* Maintain a regular, off-line, backup cycle.

General protection from email Trojan horses and viruses

Some previous examples of malicious files known to have propagated through electronic mail include

* False upgrade to Internet Explorer - discussed in CA-99-02
http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

* Melissa macro virus - discussed in CA-99-04
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html

* Happy99.exe Trojan Horse - discussed in IN-99-02
http://www.cert.org/incident_notes/IN-99-02.html

* CIH/Chernobyl virus - discussed in IN-99-03
http://www.cert.org/incident_notes/IN-99-03.html

In each of the above cases, the effects of the malicious file are activated only when the file in question is executed. Social engineering is typically employed to trick a recipient into executing the malicious file. Some of the social engineering techniques we have seen used include
* Making false claims that a file attachment contains a software patch or update
* Implying or using entertaining content to entice a user into executing a malicious file
* Using email delivery techniques which cause the message to appear to have come from a familiar or trusted source
* Packaging malicious files in deceptively familiar ways (e.g., use of familiar but deceptive program icons or file names)

The best advice with regard to malicious files is to avoid executing them in the first place. CERT advisory CA-99-02 discusses Trojan horses and offers suggestions to avoid them (please see Section V).

http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html


This document is available from:
http://www.cert.org/advisories/CA-9906-explorezip.html.


CERT/CC Contact Information


Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key. If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/.

To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office



NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Revision History

June 10, 1999: Initial release
June 11, 1999: Added information about the appearance of the attached file. Added information from Aladdin Knowledge Systems, Inc.
June 14, 1999: Added information about the program's self-propagation via networked shares; also updated anti-virus vendor URLs



MELISSA

(added 3/29/98)

MELISSA virus affects Outlook Express: Here is the official information concerning this virus from CERT. I have condensed it down to its essentials. For more information, look at http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html

The Melissa macro virus propagates in the form of an email message containing an infected Word document as an attachment. The transport message has most frequently been reported to contain the following Subject header

   Subject: Important Message From <name>

Where <name> is the full name of the user sending the message.

*NOTE* USER MAY BE A KNOWN FRIEND OF YOURS IF THEIR MACHINE IS INFECTED!

The body of the message is a multipart MIME message containing two sections. The first section of the message (Content-Type: text/plain) contains the following text.

   Here is that document you asked for ... don't show anyone else ;-)

The next section (Content-Type: application/msword) was initially reported to be a document called "list.doc". This document contains references to pornographic web sites. As this macro virus spreads we are likely to see documents with other names. In fact, under certain conditions the virus may generate attachments with documents created by the victim.

When a user opens an infected .doc file with Microsoft Word97 or Word2000, the macro virus is immediately executed if macros are enabled.

Upon execution, the virus first lowers the macro security settings to permit all macros to run when documents are opened in the future. Therefore, the user will not be notified when the virus is executed in the future.

* Users who open an infected document in Word97 or Word2000 with macros enabled will infect the Normal.dot template causing any documents referencing this template to be infected with this macro virus. If the infected document is opened by another user, the document, including the macro virus, will propagate. Note that this could cause the user's document to be propagated instead of the original document, and thereby leak sensitive information.
* Indirectly, this virus could cause a denial of service on mail servers. Many large sites have reported performance problems with their mail servers as a result of the propagation of this virus.

This virus will Email itself to other addresses in your Outlook Express address book, and it will randomly remail your personal Word DOC files to others.


SUMMARY:
* Do not open documents with "Important message from ..."
* DO NOT OPEN WORD ATTACHMENTS from these messages
* Read the advisory from CERT at the address given above
    http://www.microsoft.com/security/bulletins/ms99-002.asp
* Go to Microsoft's web site and read the
    http://www.microsoft.com/security/bulletins/ms99-002.asp




HAPPY99.EXE (added 3/98)

Happy99.exe was first identified around mid-January and is now traveling across the Internet via e-mail attachments and newsgroup postings. The worm modifies e-mails and newsgroup postings by adding unauthorized attachments without the computer user's knowledge. As a side-effect, it can also create network slowdowns and, in a worst-case scenario, even crash corporate e-mail servers.

While the computer worm does not destroy or alter files or otherwise cripple computers and networks, it creates a time- and energy-consuming nuisance to network administrators.

The computer worm works on Windows 95 and 98 platforms.

Happy99.exe is classified as a computer worm for its ability to self-replicate. It arrives on a computer via an e-mail or newsgroup attachment, infecting machines that run the attachment. If the computer user runs the unauthorized attachment, Happy99.exe puts up an attractive fireworks display, which the computer user might mistake for a good-looking accessory to the message.

For more information and steps to inoculate your machine from contracting this virus, please see Removing the Happy Virus.




Copyright © 2000, Netpath, Inc.
This site was designed and written by Mark Matherly.