RE: Re: IL0VEY0U worm [CERT Advisory CA-2000-04]
The worm ~HAS~ morphed. Best solution - turn off windoze scripting and
throw outlook in the dustbin. Use a decent client like Pegasus Mail on
'doze (or check yr mailbox using mutt / pine / emacs ...).
FWIW, about procmail recipes - yours is a bit restrictive.
See this
Update (refined filtering) and recipe now sends an autoack to the sender
Also, the worm downloads a payload from www.skyinet.net [206.101.197.226].
Block port 80 for this IP at your border or firewall.
# Catch ILOVEYOU email worm and notify sender his computer is infected.
# procmail regexps have no \s class; [ 	] below holds a space and a tab.
:0 D
* ^Subject:[ 	]+ILOVEYOU$
* ^Content-Type:[ 	]+multipart/mixed
{
  # Email notice to infected sender (c = keep a copy for the next recipe)
  :0 B c
  * name=\"LOVE-LETTER-FOR-YOU\.TXT\.vbs\"
  | (formail -r -A"X-Mailer: procmail"; \
     cat /home/sysadmin/mail/ILOVEYOU.txt) \
    | $SENDMAIL -oi -t -f postmaster@xxxxxxxxxxxxxx

  # Safely stash email worm away (trailing colon = lock the mbox while writing)
  :0 B:
  * name=\"LOVE-LETTER-FOR-YOU\.TXT\.vbs\"
  /home/sysadmin/mail/I-LOVE-YOU.worm
}
content of I-LOVE-YOU.worm file -
To Whom It May Concern,
An e-mail you sent to a customer of YOUR-COMPANY-NAME-HERE triggered this
virus protection filter on our mail server. There is currently a virus on
the Internet that propagates itself via e-mail. Unfortunately, it appears
that your computer has become infected and is currently e-mailing the
virus to other users in an attempt to infect other computer systems.
Please visit http://www.mcafee.com and download the latest McAfee Virus
Scan software along with the latest DAT files to fix this problem. A free
demo version of the software is available from McAfee.
Additional information on this virus can be found at:
http://news.bbc.co.uk/hi/english/uk/newsid_736000/736080.stm
Sincerely,
YOUR NAME OR COMPANY HERE
hth
-s
--
Suresh Ramasubramanian + President, CAUCE India
http://india.cauce.org + suresh@xxxxxxxxxxxxxxx
--
Even bytes get lonely for a little bit.
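
Added example, not part of the original post: the recipe above only fires on the exact Subject and attachment name, so a morphed copy slips past it. This Python sketch matches on the attachment's .vbs extension instead. The sample messages, the function names and the list of decoy extensions are constructed assumptions.

```python
import email
from email import policy

SCRIPT_EXT = ".vbs"                       # the only extension named in the post
DECOY_EXTS = {"txt", "jpg", "gif", "doc"}  # assumed "harmless-looking" inner extensions

def suspicious_attachments(raw: bytes) -> list:
    """Return filenames of .vbs attachments found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() checks Content-Disposition filename=, then Content-Type name=
        name = part.get_filename()
        if name and name.strip().lower().endswith(SCRIPT_EXT):
            hits.append(name)
    return hits

def is_double_extension(name: str) -> bool:
    """True for names such as X.TXT.vbs that pose as a harmless file type."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXTS

def sample(subject: str, filename: str) -> bytes:
    """Build a constructed multipart/mixed test message (not real traffic)."""
    return (
        "From: alice@example.com\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "see attachment\n"
        "--b1\n"
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        "\n"
        "placeholder body, no script content\n"
        "--b1--\n"
    ).encode()

if __name__ == "__main__":
    for subj, fname in [("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                        ("Hello", "note.TXT.VBS"),       # changed subject and name
                        ("ILOVEYOU", "report.txt")]:     # same subject, benign file
        found = suspicious_attachments(sample(subj, fname))
        print(subj, found, [is_double_extension(n) for n in found])
```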