OpenBSD Journal

[Tip] ILOVEYOU worm sendmail rules

Contributed by Dengue on from the lowest-common-denominator dept.

I wouldn't say I have a lot of sympathy for people who've been bitten by the ILOVEYOU worm.
[Updated mc file available]
[Updated yet again to handle the .F, .G, & .I variants]

Let's face it, if you click on anything attached to an email reading:

"kindly check the attached LOVELETTER coming from me."


    [ Part 2, Application/OCTET-STREAM (Name: ]
    [ "LOVE-LETTER-FOR-YOU.TXT.vbs")  10KB. ]
    [ Cannot display this part. Press "V" then "S" to save in a file. ]
You are naive and stupid.
Hey, brother, I have a BRIDGE I'd like to sell you.
I won't even go there about the Outlook mail client.

But I recognize that some of us are responsible for some of them, so courtesy of BUGTRAQ and SENDMAIL I present for you a modified openbsd-proto.mc that you can use to regenerate your /etc/sendmail.cf or /etc/mail/sendmail.cf. To do that:

    m4 openbsd-proto-iloveyou.mc > sendmail-new.cf
    cp /etc/sendmail.cf /etc/sendmail.bak
    cp sendmail-new.cf /etc/sendmail.cf
    kill -HUP `head -1 /var/run/sendmail.pid`

I recommend checking the maillog to make sure sendmail restarted correctly, and then testing the ruleset. You should see something like this:

    May  5 04:52:25 eris sendmail[32355]: restarting /usr/sbin/sendmail on signal
    May  5 04:52:25 eris sendmail[13476]: starting daemon (8.9.3): SMTP+queueing@00:30:00
    May  5 04:52:39 eris sendmail[24874]: EAA24874: ruleset=Check_Subject, arg1=ILOVEYOU, relay=dengue@localhost, reject=553 This message may contain the LoveLetter virus.
    May  5 04:52:39 eris sendmail[24874]: EAA24874: from=, size=365, class=0, pri=30365, nrcpts=1, msgid=, proto=ESMTP, relay=dengue@localhost


Now keep in mind, this is a BRAINDEAD® solution to this, since all you have to do to defeat it is change the subject line. A better fix would be attachment content scanning. I encourage everyone to submit better rulesets, and I will post them here.
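To make the weakness concrete, here is an added example (Python, written for this page; it is not the .mc file or any sendmail code) that models the tip's Check_Subject rule next to a hypothetical attachment-name check of the kind the author says would be better. The sample message is constructed from the MIME part quoted above; the only assumption is that the subject rule matches the exact worm subject, as the maillog entry shows.

```python
import email
from email.message import Message
from typing import Optional, Tuple
WORM_SUBJECT = "ILOVEYOU"
REJECT = "553 This message may contain the LoveLetter virus."

def check_subject(msg: Message) -> Optional[str]:
    """Model of the tip's Check_Subject rule: reject only the exact worm subject."""
    subject = (msg.get("Subject") or "").strip()
    if subject in (WORM_SUBJECT, "Re: " + WORM_SUBJECT):
        return REJECT
    return None

def check_attachments(msg: Message) -> Optional[str]:
    """Hypothetical check in the direction the author suggests: any .vbs attachment."""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".vbs"):
            return "553 Executable attachment %r rejected" % name
    return None

def screen(raw: str) -> Tuple[str, Optional[str]]:
    """Run both checks; returns (rule that fired, reject text) or ('accept', None)."""
    msg = email.message_from_string(raw)
    for rule in (check_subject, check_attachments):
        verdict = rule(msg)
        if verdict:
            return rule.__name__, verdict
    return "accept", None

# Constructed sample message modelled on the MIME part quoted in the post.
WORM_MAIL = """\
From: dengue@localhost
Subject: ILOVEYOU
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

placeholder text standing in for the attachment body
--b1--
"""

# Same message with only the Subject changed: slips past the subject rule.
VARIANT_MAIL = WORM_MAIL.replace("Subject: ILOVEYOU", "Subject: fwd: joke")
```

Running screen() on WORM_MAIL stops at the subject rule; on VARIANT_MAIL only the attachment rule catches it, which is exactly the gap the tip describes.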

This solution was built and tested on Sendmail 8.9.3 on OpenBSD 2.6. YMMV

-jim



Comments
  1. By Anonymous Coward () on

    Does anyone have a snort rule for this yet?

  2. By Tyrann () Tyrann@Astux.com on http://www.Astux.com

    It seems that other ones are coming... They look like derivatives from the "ILOVEYOU" virus. Just prepare for another round of mail viruses.

    Source: http://www.nai.com/asp_set/about_nai/press/releases/pr_template.asp?PR=/PressMedia/05042000-E.asp&Sel=750

  3. By KG Higgins () tatlin@bootmail.com on mailto:tatlin@bootmail.com

    I won't even go there about the Outlook mail client.

    I will. If you went to an IS manager and told them "I'm going to install client software on all of your desktops that introduces subtle and frustrating inconsistencies into the way it handles the protocols it is supposed to be implementing. As an added bonus, this client will allow perfect strangers to send arbitrary code to it from anywhere, which it will then execute without reference to any sort of security model."

    Strangely, they said yes. The fact that Outlook (or Active X within a browser) does this is just too farfetched I guess.

    Back in - 1995? I think? - I remember getting a couple of panicked messages from people who had received the "Good Times" virus hoax message. I reassured them that although it was good to be cautious, there was no chance that a virus like this could exist. I'm thinking somehow Good Times got included in the requirements doc for MS Outlook by mistake, and they went ahead and built something that would make it possible.
