Subj : New Virus
To   : All
From : Geo.
Date : Sun Feb 18 2001 10:21 pm

From: "Geo."

Early last week a second virus/worm was released, apparently hoping to spread on Valentine's Day. Some names being used:

  Trend Micro:    VBS_VALENTIN.A
  NAI Avert Labs: VBS/Valentin@MM
  F-Secure:       Valentine
  Sophos:         VBS/Valentin-A
  Symantec:       VBS.Valentin@mm

The basic operation of this worm is to attempt to exploit the old Scriptlet.TypeLib vulnerability first discovered in August 1999. That ActiveX control, marked safe for scripting when it shouldn't have been, allowed attackers to create files on the local machine through a VBScript (web page/email).

This one, if executed, creates LOVEDAY14.HTA and places it in the Startup folder. The HTA will cause a mass mailing to occur upon the next reboot of the machine. Further, on the 8th, 14th, 23rd or 29th of any month it will replace all files on the disk with .TXT files of the same name (but not the same content), effectively eliminating the contents of the drive(s).

TruSecure has noted a significant attempt by the author to spread this worm over the weekend (2/18-19), presumably attempting to reclaim lost deluded glory. We fear that many corporate users may find this message already in their Inbox on Monday morning and cause it to spread significantly.

TruSecure sends such warning notices to its customers when circumstances warrant it. I, as Surgeon General of TruSecure Corporation, attempt to advise you in the hopes that we may be able to minimize the spread of any such worms. Even though all popular Anti-Virus products currently purport to be able to catch this one (with latest definitions), the nature of its operation could still cause quick spreading.

As many of you may already be aware, some versions of Outlook/Outlook Express automatically execute scripting via the Preview Pane unless:

  a) You're using Outlook 2000
  b) You've specifically modified the Trust Zone Outlook uses to prevent Active Scripting.
It's our belief that the vast majority of Outlook users do have the Preview Pane enabled (it's enabled by default on every folder and must be explicitly disabled), and probably have their Trust Zone settings set to Medium (the default for the Internet Zone). This combination means that most users who do receive a copy of this worm (either by email or by Usenet News through Outlook Express) will automatically execute the script.

Assuming the above, what happens next depends on the system.

If the system has had the Scriptlet.TypeLib patch applied;
  http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
(or has upgraded to any version of IE 5 beyond its original version, e.g. IE 5.01 or above), then the user will be prompted with a system dialog indicating that something has attempted to execute an ActiveX control not marked Safe for Scripting. They will be given the option to execute it or not, albeit with a warning. We believe there will be enough users out there who will tell it to proceed, thereby allowing the control to create the .HTA, causing infection and eventually distribution.

If the system has not had the Scriptlet.TypeLib patch applied, then the script will execute without any prompt or warning.

Users of Outlook 2000, Outlook 98 or Outlook Express with Trust Zones set to High Security, or users employing the Outlook Email Security Update, will all be protected and should see some sort of warning message indicating a message tried to do something insecure but wasn't allowed to (wording varies depending on the software in use).

Effective Defenses:

1. Outlook Email Security Update.
2. Patched Scriptlet.TypeLib / up-to-date version of IE 5.01+.
3. Outlook 2000 (see http://ntbugtraq.ntadvice.com/outlookviews.asp for explanations as to why Outlook 2000 affords more protection against such worms).
4. Gateway or Email client rule which scans the message header (in this case looking within a MIME part of Content-Type: Text/HTML) for the string ("Scriptlet.TypeLib

Such an Outlook 2000 rule would look like this;

  i.   Create a new rule
  ii.  Choose "Check messages when they arrive", click Next
  iii. Choose "with in the message header" and place "("Scriptlet.Typelib"" (include the quotes) in the
  iv.  Choose "delete it".
  v.   Choose "Stop processing more rules", click Finish

This rule will be a server-side rule, preventing your users from seeing the message at all, and allowing messages to be processed whether the client is connected and running or not. This type of rule filtering is only available with Outlook 2000 (since it's the first version that can scan the header during rules processing).

To think that a vulnerability first discovered almost 2 years ago is still being attempted today might seem silly, but another worm (KAK) is still rated within the Top 10 active worms and it relies on the same vulnerabilities. Clearly there are still a lot of systems out there that have not yet been protected/updated. (This problem is also obvious in IIS installations and the number of prominent companies that have some publicly available server defaced daily, either due to RDS or ../.)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
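The gateway/client rule from defense 4 above, written out as a small mail filter that looks for the string only inside text/html MIME parts. This is an added example, not code from the advisory, TruSecure or NTBugtraq; the two sample messages are constructed, and the function and constant names are the example's own.

```python
import email
from email import policy

# The rule's search string, matched case-insensitively (the advisory writes both "TypeLib" and "Typelib").
MARKER = '("scriptlet.typelib"'

def html_bodies(msg):
    """Decoded text of every text/html part; walk() handles nested multipart
    and get_content() undoes quoted-printable/base64 transfer encoding."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()

def has_scriptlet_marker(raw: bytes) -> bool:
    """True if any text/html part of a raw RFC 822 message carries MARKER."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return any(MARKER in body.lower() for body in html_bodies(msg))

def filter_messages(raws):
    """Split messages into (kept, dropped): the rule's 'delete it' step."""
    kept, dropped = [], []
    for raw in raws:
        (dropped if has_scriptlet_marker(raw) else kept).append(raw)
    return kept, dropped

# Constructed samples, not captured worm mail. The first carries the marker
# in a quoted-printable HTML part; the second only quotes it in plain text
# (as an advisory like this one does) and must pass.
SUSPECT = b"""From: sender@example.invalid
Subject: constructed sample
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

no marker in this part
--b1
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<p>CreateObject(=22Scriptlet.TypeLib=22)</p>
--b1--
"""
BENIGN = b"""From: sender@example.invalid
Subject: constructed sample
Content-Type: text/plain

Filter for the string ("Scriptlet.TypeLib" inside HTML parts.
"""
```

Because the match runs on the decoded part body, a transfer-encoded HTML part is caught while a plain-text message that merely quotes the string (such as this advisory) is left alone.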