Aladdin Security Alert — How to Protect Against the New Love Letter Vandal; Aladdin's eSafe Products Offer Free Protection Against this Latest Vandal

Edge: Work-Group Computing Report, May 8, 2000

VBS.LoveLet, a newly discovered vandal, is continuing to infect tens of thousands of PCs around the world. This fast-spreading VBScript is an auto-spamming worm that distributes itself by sending an email message with the subject "LOVE-LETTER-FOR-YOU.TXT.vbs," "I love you," "ILOVEYOU," "love letter for you" or a variant of that text. The vandal then sends this attachment to all addresses inside a user's Outlook address list. VBS.LoveLet also spreads by using mIRC chat programs, sending itself to all users in the current channel.

Also known as VBS.ILoveYou.Worm, this vandal can sometimes arrive with a TXT, JPG, MP3 or other extension. When this occurs, the file carries a "double extension," which makes the vandal appear more innocent. However, it remains just as dangerous. The vandal immediately attempts several malicious actions:

1.  It will attempt to send itself to all the e-mail addresses in the address book.

2.  On Windows 98 machines it will attempt to download and execute a
    Trojan in a file named "WIN-BUGSFIX.exe" from several web sites.

3.  The downloaded file "WIN-BUGSFIX.exe" will install the Trojan
    under the name WinFAT32.exe and run it on every boot.

4.  This Trojan can collect information about the user, host, user IP
    number and passwords and send the information to an e-mail
    address in the Philippines.

5.  It will set the homepage of Internet Explorer to a blank page.

6.  It will search all the connected drives and infect VBScript,
    JavaScript, JScript, and the following file types: vbs, vbe, js,
    jse, css, wsh, sct, and hta.

7.  It will search for all mp3, mp2, jpg, and jpeg files and create a
    VBS file with the infected file's name and a VBS extension. For
    example, if it finds a file named mysong.mp3 it will create an
    infected file with the name mysong.mp3.vbs. If this file is run it
    will infect the system.

8.  It will try to send an infected HTML file, named
    "LOVE-LETTER-FOR-YOU.htm" to mIRC clients.

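A defender's check for the file-system traces described in items 6 to 8, as an added example that is not Aladdin's code: it flags the file names given in the cleanup steps later in this alert, plus any .vbs file whose inner extension is one of the media types from item 7. The function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

# Extensions the alert says receive a ".vbs" companion file (item 7).
MEDIA_EXTS = {".mp3", ".mp2", ".jpg", ".jpeg"}
# File names the alert lists for cleanup, compared case-insensitively.
# script.ini is left out: the alert ties it to the mIRC location, and the
# name alone is too generic to match across a whole drive.
KNOWN_NAMES = {
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.vbs",
    "love-letter-for-you.txt.vbs", "love-letter-for-you.htm",
    "winfat32.exe", "win-bugsfix.exe",
}

def classify(filename):
    """Return 'known-name', 'double-extension' or None for one file name."""
    lower = filename.lower()
    if lower in KNOWN_NAMES:
        return "known-name"
    stem, outer = os.path.splitext(lower)
    inner = os.path.splitext(stem)[1]
    if outer == ".vbs" and inner in MEDIA_EXTS:
        return "double-extension"
    return None

def scan(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reason = classify(name)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), reason))
    return sorted(findings)

def demo():
    """Build a constructed directory tree of empty files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "music"))
        for rel in ("music/mysong.mp3", "music/mysong.mp3.vbs",
                    "notes.txt", "Win32DLL.vbs", "report.vbs"):
            open(os.path.join(root, rel), "w").close()
        return scan(root)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:17} {path}")
```
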
Protecting Against the Threat

Aladdin's eSafe products can protect users from this vandal. Protection at the gateway is the best defense. Users can download a free copy of eSafe Desktop at www.eAladdin.com. Aladdin's Content Security Response Team recommends you begin protecting against the virus with the following steps:

1.  Do not open an e-mail with the subject line: "IloveYou,"
    "ILOVEYOU" or "love letter for You." The body of the message will
    say "kindly check the attached LOVELETTER coming from me."

2.  If you suspect you were infected, search and delete the following
    files:

       --  MSKernel32.vbs
       --  Win32DLL.vbs
       --  LOVE-LETTER-FOR-YOU.vbs
       --  LOVE-LETTER-FOR-YOU.TXT.vbs
       --  LOVE-LETTER-FOR-YOU.htm
       --  WinFAT32.exe in Windows download directory
       --  WIN-BUGSFIX.exe in Windows download directory
       --  script.ini in the mIRC

3.  eSafe Gateway users should filter attachments with the names
    "LOVE-LETTER-FOR-YOU.vbs" and "LOVE-LETTER-FOR-YOU.htm." Or filter
    out ALL vbs attachments. Also, block emails with the subject lines
    "IloveYou", "ILOVEYOU" or "love letter for you."

4.  A HOT Update to all eSafe users will be issued Wednesday and will be
    posted on Aladdin's website.
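The gateway rules from the steps above, expressed as a mail-filter check. This is an added example, not eSafe Gateway configuration or Aladdin's code; the verdict and sample functions, the addresses and the sample messages are constructed. It shows that the two named attachments alone miss "LOVE-LETTER-FOR-YOU.TXT.vbs," while the rule for ALL vbs attachments catches it.

```python
from email import message_from_string

# Values taken from the alert; comparison is case-insensitive.
BLOCKED_SUBJECTS = {"iloveyou", "love letter for you"}
BLOCKED_ATTACHMENTS = {"love-letter-for-you.vbs", "love-letter-for-you.htm"}

def verdict(raw_message, block_all_vbs=True):
    """Return (action, reason) for one RFC 822 message given as text."""
    msg = message_from_string(raw_message)
    # Lower-case the subject and collapse runs of whitespace before matching.
    subject = " ".join((msg.get("Subject") or "").lower().split())
    if subject in BLOCKED_SUBJECTS:
        return ("block", "subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in BLOCKED_ATTACHMENTS:
            return ("block", "attachment-name")
        if block_all_vbs and name.endswith(".vbs"):
            return ("block", "vbs-attachment")
    return ("deliver", "")

def sample(subject, filename):
    """Constructed two-part message with one attachment (placeholder body)."""
    return (
        "From: sender@example.com\n"
        "To: user@example.com\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "see attachment\n"
        "--b1\n"
        "Content-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\n"
        "placeholder\n"
        "--b1--\n"
    )

if __name__ == "__main__":
    for subj, fname in (("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                        ("Fwd: notes", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                        ("Fwd: notes", "minutes.txt")):
        print(subj, fname, verdict(sample(subj, fname)))
```
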

Aladdin's eSafe product suite, which includes eSafe Desktop, eSafe Enterprise and eSafe Gateway, provides the most comprehensive protection available against hostile elements on the Internet and gives users confidence in their ability to navigate the Internet safely.

eSafe is the only comprehensive suite of content security solutions on the market to provide proactive protection from the gateway to the desktop. It also is the only one to provide Total Sandbox Quarantine protection against all forms of malicious content including viruses, vandals and worms. A unique feature found only in Aladdin's eSafe solutions, the sandbox erects a protective wall around vital system files and isolates all potentially dangerous viruses, vandals and worms in a sterile environment, preventing them from damaging, infecting or stealing from system resources.

Much more than anti-virus protection, the eSafe suite of products enables businesses to:

--  block users' ability to alter vital system files, thereby reducing
    IT maintenance and repair costs.

--  stop access to web sites with inappropriate or malicious content,
    such as hate literature or pornography, or those sites known to
    propagate viruses.

--  restrict outgoing emails from sending classified or prohibited
    content.

Aladdin (Nasdaq:ALDN) is a global leader in securing digital content, from applications software to Internet use and access. Aladdin's products include HASP and Hardlock, software security systems that protect the revenues of developers and publishers; Privilege, a software licensing platform for the Internet; the eSafe line of anti-vandal, anti-virus and content filtering software for PCs and networks connected to the Internet; and eToken for Internet security and authentication. Aladdin serves its customers through eight offices located in the world's major software markets as well as a network of 50 distributors serving more than 100 countries. FMI: www.eAladdin.com.

COPYRIGHT 2000 EDGE Publishing
COPYRIGHT 2000 Gale Group

 

Content provided in partnership with Thompson Gale