Re: IL0VEY0U worm [CERT Advisory CA-2000-04]
III. Solution

Update Your Anti-Virus Product

It is important for users to update their anti-virus software. Some
anti-virus software vendors have released updated information, tools,
or virus databases to help prevent and combat this worm. A list of
vendor-specific anti-virus information can be found in Appendix A.
Disable Windows Scripting Host

Because the worm is written in VBS, it requires the Windows Scripting
Host (WSH) to run. Disabling WSH prevents the worm from executing. For
information about disabling WSH, see:

http://www.sophos.com/support/faqs/wsh.html

This change may disable functionality the user desires. Exercise
caution when implementing this solution.
Disable Active Scripting in Internet Explorer

Information about disabling active scripting in Internet Explorer can
be found at:

http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps

This change may disable functionality the user desires. Exercise
caution when implementing this solution.
Disable Auto-DCC Reception in IRC Clients

Users of Internet Relay Chat (IRC) programs should disable automatic
reception of files offered to them via DCC.
Filter Virus in E-Mail

Sites can use email filtering techniques to delete messages containing
subject lines known to contain the worm. For sites using Unix, here
are some possible methods:

Sendmail

The following sendmail rule will delete all messages with the Subject:
line ILOVEYOU:
HSubject:[tab][tab][tab]$>Check_Subject
D{MPat}ILOVEYOU
D{MMsg}This message may contain the ILOVEYOU virus
SCheck_Subject
R${MPat} $*[tab]$#error $: 553 ${MMsg}
RRe: ${MPat} $*[tab]$#error $: 553 ${MMsg}
RFW: ${MPat} $*[tab]$#error $: 553 ${MMsg}
Postfix

Add the following line in /etc/postfix/header_checks:
/^Subject: ILOVEYOU/ REJECT
Procmail

This procmail rule also deletes any messages with the Subject: line
containing "ILOVEYOU":
:0 D
* ^Subject:[[tab] ]+ILOVEYOU
/dev/null
Note that in all of these examples, [tab] represents a literal tab
character, and must be replaced with one for this to work correctly.

It is important to note that these three methods, as described, do not
prevent the worm from spreading if the Subject: line of the email has
changed. Administrators can use more complicated procmail rules to
block the worm based on the body of the email, but such methods
require more processing time on mail servers, and may not be feasible
at sites with high volumes of email traffic.
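As an added example (not part of the advisory or this post), the following Python filter applies the same Subject: rules as the sendmail, Postfix and procmail snippets above, then goes one step further as the paragraph suggests: it also checks the message body for a VBScript (.vbs) attachment, which is what catches a copy whose Subject: line has been changed. The attachment check, the filename "script.vbs" and all sample messages are constructed for illustration.

```python
import email
import re
from email.message import Message

# Subject: patterns from the advisory: "ILOVEYOU", "Re: ILOVEYOU" and
# "FW: ILOVEYOU", anchored at the start of the header value and followed by
# anything (sendmail's "$*"). Case-sensitive, like the procmail rule's D flag.
SUBJECT_RE = re.compile(r"^(?:(?:Re|FW):\s*)?ILOVEYOU")


def subject_matches(msg: Message) -> bool:
    """Header-only check equivalent to the three mail-server rules above."""
    return bool(SUBJECT_RE.search(msg.get("Subject", "")))


def has_vbs_attachment(msg: Message) -> bool:
    """Body-based check (an assumption, not from the advisory): the worm is a
    VBS program, so flag any MIME part whose filename ends in .vbs."""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".vbs"):
            return True
    return False


def verdict(raw: bytes) -> str:
    """Return 'reject:subject', 'reject:attachment' or 'accept' for one message."""
    msg = email.message_from_bytes(raw)
    if subject_matches(msg):
        return "reject:subject"
    if has_vbs_attachment(msg):
        return "reject:attachment"
    return "accept"


# Constructed sample messages (not real captures).
SAMPLES = {
    "plain": b"Subject: ILOVEYOU\r\nFrom: a@example.invalid\r\n\r\nkindly check\r\n",
    "reply": b"Subject: Re: ILOVEYOU\r\n\r\nbody\r\n",
    # Changed Subject: line; only the attachment check catches this one.
    "renamed": (b"Subject: Important document\r\nMIME-Version: 1.0\r\n"
                b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
                b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
                b'--b1\r\nContent-Type: application/octet-stream; name="script.vbs"\r\n'
                b'Content-Disposition: attachment; filename="script.vbs"\r\n\r\n...\r\n'
                b"--b1--\r\n"),
    "benign": b"Subject: Lunch on Friday?\r\n\r\nsee you there\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:8s} -> {verdict(raw)}")
```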
Exercise Caution When Opening Attachments

Exercise caution with attachments in email. Users should disable
auto-opening or previewing of email attachments in their mail
programs. Users should never open attachments from an untrusted
origin, or that appear suspicious in any way.
========================================
Sthitaprajna
@mailandnews.com
========================================