Aladdin Security Alert - Love Letter's New Variants

Business Wire, May 5, 2000

Business Editors/Technology Writers

CHICAGO--(BUSINESS WIRE)--May 5, 2000

Aladdin's eSafe products offer comprehensive protection from vandals -

Free eSafe Desktop software available on Aladdin's website:

www.eAladdin.com

Aladdin Knowledge Systems (NASDAQ: ALDN)

THE SECURITY RISK

Different versions of the quick-spreading LOVELETTER vandal are making their way to PCs around the globe. Now, with three new subjects and attachments, the virus' malicious emails are becoming more difficult to notice. These add to the already announced "LOVE-LETTER-FOR-YOU.TXT.vbs" attachment and the "I love you," "ILOVEYOU" and "love letter for you" subjects. The vandal uses the upcoming Mother's Day celebrations as a lure in its newest subjects and attachments. Aladdin's Content Security Response Team discovered the following new variants in the wild (B, C and D):

--  VBS.LoveLet.B comes in an email with a subject: "fwd: Joke" and
    attachment named: "Very Funny.vbs"

--  VBS.LoveLet.C comes in an email with a subject: "Susitikim shi
    vakara kavos puodukui..."

--  VBS.LoveLet.D comes in an email with a subject: "Mothers Day Order
    Confirmation" and attachment named: "mothersday.vbs"

Like the first version of the vandal, these variants are auto-spamming worms that distribute themselves by sending an email message with one of the above subjects. When the file is opened, the vandal sends the attachment to all addresses in the user's Outlook address list. It also spreads through mIRC chat programs, sending itself to all users in the current channel.

Also known as VBS.ILoveYou.Worm, these variants can arrive with a TXT, JPG, MP3 or other extension in the attachment name. When this occurs, the file carries a "double extension," which makes the variants appear more innocent. The vandal attempts the following malicious actions:

1.  Attempt to send itself to all the e-mails in the address book.

2.  On Windows 98 machines it will attempt to download and execute a
    Trojan in a file named "WIN-BUGSFIX.exe" from several web sites.

3.  The downloaded file "WIN-BUGSFIX.exe" will install the Trojan
    under the name WinFAT32.exe and run it on every boot.

4.  This Trojan can collect information about the user, host, user IP
    number and passwords and sends the information to an e-mail
    address in the Philippines.

5.  It will set the homepage of Internet Explorer to a blank page.

6.  It will search all the connected drives and infect VBScript,
    JavaScript, JScript, and the following file types vbs, vbe, js,
    jse, css, wsh, sct, and hta.

7.  It will search for all mp3, mp2, jpg, and jpeg files and create a
    VBS file with the infected file name and a VBS extension. For
    example, if it finds a file named mysong.mp3 it will create an
    infected file with the name mysong.mp3.vbs. If this file is run it
    will infect the system.

8.  It will try to send an infected HTML file, named
    "LOVE-LETTER-FOR-YOU.htm" to mIRC clients.

PROTECTING AGAINST THE THREAT

Aladdin's eSafe products protect all users from the original vandal, as well as all variants. eSafe Gateway provides protection at the Internet gateway, filtering out the vandal and safeguarding email content. Aladdin also provides a free solution for home users: anyone can download a free copy of eSafe Desktop at www.eAladdin.com.

Aladdin's Content Security Response Team (CSRT) recommends you begin protecting against the vandal and its variants with the following steps:

1.  Do not open an e-mail with the subject lines listed above. The
    body of the message will sometimes say "kindly check the attached
    LOVELETTER coming from me."

2.  If you suspect you were infected, search and delete the following
    files:

--  MSKernel32.vbs
--  Win32DLL.vbs
--  LOVE-LETTER-FOR-YOU.vbs
--  LOVE-LETTER-FOR-YOU.TXT.vbs
--  LOVE-LETTER-FOR-YOU.htm
--  WinFAT32.exe in Windows download directory
--  WIN-BUGSFIX.exe in Windows download directory
--  script.ini in the mIRC

3.  eSafe Gateway users should filter the attachment with the names:

--  LOVE-LETTER-FOR-YOU.vbs
--  LOVE-LETTER-FOR-YOU.htm
--  Or filter out ALL "VBS" attachments.

4.  eSafe Gateway users should also block emails with the subject
    lines:

--  IloveYou
--  ILOVEYOU
--  love letter for you
--  fwd: Joke
--  Susitikim shi vakara kavos puodukui...
--  Mothers Day Order Confirmation

5.  A HOT Update to all eSafe users is available on Aladdin's website:
    www.eAladdin.com
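
The subject and attachment filtering in steps 3 and 4, together with the "double extension" trick described earlier, can be expressed as a small mail check. This is an added example, not Aladdin's code and not how eSafe Gateway works; the function names, the reason strings and the sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines named in the alert, lower-cased for comparison.
BLOCKED_SUBJECTS = {
    "i love you", "iloveyou", "love letter for you", "fwd: joke",
    "susitikim shi vakara kavos puodukui...",
    "mothers day order confirmation",
}
# Script types from the alert's list of infected files (assumption: css is
# left out, since blocking stylesheets is a separate policy decision).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}

def check_message(raw):
    """Return the reasons to quarantine a raw message (empty list = pass)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    # Collapse whitespace and case so "ILOVEYOU" and "IloveYou" both match.
    subject = " ".join(str(msg["Subject"] or "").split()).casefold()
    if subject in BLOCKED_SUBJECTS:
        reasons.append("subject:" + subject)
    for part in msg.walk():  # walk() also reaches nested multipart sections
        # Windows ignores trailing dots and spaces, so strip them first.
        name = (part.get_filename() or "").rstrip(". ").casefold()
        stem, sep, ext = name.rpartition(".")
        if not sep or ext not in SCRIPT_EXTS:
            continue
        # A second extension before the script one (mysong.mp3.vbs) is the
        # disguise the alert describes; a plain .vbs is still blocked.
        double = re.search(r"\.[a-z0-9]{2,4}$", stem)
        reasons.append(("double-extension:" if double else "script:") + name)
    return reasons

def sample_message(subject, filename):
    """Build a constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fn in [("fwd: Joke", "Very Funny.vbs"),
                     ("Quarterly report", "mysong.mp3.vbs."),
                     ("Quarterly report", "report.txt")]:
        print(subj, "|", fn, "->", check_message(sample_message(subj, fn)))
```

Matching on the final extension rather than on the listed file names also catches the renamed copies the worm creates from mp3 and jpg files.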

ABOUT eSAFE

Aladdin's eSafe product suite, which includes eSafe Desktop, eSafe Enterprise and eSafe Gateway, provides the most comprehensive protection available against hostile elements on the Internet and gives users confidence in their ability to navigate the Internet safely.

eSafe is the only comprehensive suite of content security solutions on the market to provide proactive protection from the gateway to the desktop. It also is the only one to provide Total Sandbox Quarantine(TM) protection against all forms of malicious content including viruses, vandals and worms. A unique feature found only in Aladdin's eSafe solutions, the sandbox erects a protective wall around vital system files and isolates all potentially dangerous viruses, vandals and worms in a sterile environment, preventing them from damaging, infecting or stealing from system resources.
