The Register guide to beating the Love Bug. Not
Dumb dumb, deeper than dumb...
Special report When we wrote about how not to defend yourself against ILOVEYOU yesterday, we thought there were quite a few dumb people out there. But we were wrong. We asked Register readers for their virus war stories and - sheesh - there's a virtually infinite number of dumb people out there.
And they're even dumber than we could have possibly conceived. We'd been kidding ourselves that the BOFH was a somewhat fictionalised account of our dear Simon Travaglia's career too, but no - that's got to be 100 per cent true as well.
Furthermore, it seems our BOFH sector readership sings in virtual unison of the folly and stupidity of their managers, users and the companies they work for. Wow. So we thought we'd better not name anybody. A fine effort people, for which much thanks. Any more good ones out there, go ahead and send them and we'll update.
Oh, and a special mention to those of you who sent us messages with added Microsoft smartquotes - these things are viruses, doncha know? But anyway here, in no particular order, is what Register readers did in the Love Bug War:
Disproportionate violence: Special BOFH Award #1
We didn't get hit, mainly due to the fact that after the last vbs mailer to go around, we (in BOFH-ish fashion) stalked around the office, waving tire irons and shouting "DEATH TO THE ATTACHMENT OPENERS!" and pummeling those who appeared in our inboxes with "Check this" as a subject header.
Well, that's what we imagined we were doing when really just politely reminding people "if you could not click wildly on anything that lands in your inbox like a monkey on crystal meth, that'd make my job much easier, see?".
Forget virus scanning. It's all about luser "re-education". Preferably in the parking lot, with said tire iron.
Get the cure wrong and wipe out your own Intranets
When I got to work that morning at 5:00 AM, the virus had not yet hit in a big way, so there was not much noise. Of course, it wasn't long before there were a couple hundred ILOVEYOU messages in the ol' inbox (because of the way our company likes to handle internal mailing lists, everyone got at least THREE virus messages from EACH person who opened the attachment. With a company of over a thousand employees, you can imagine how that went...
Being a very proficient VB programmer, I proceeded to go through the virus line by unformatted line, and came up with a list of everything the virus did. I gave the list to the IS manager when he came in around 8:00 AM, and after a few minutes the message came down the line: a new EXTRA.DAT (McAfee virus definition file) would be copied in the login script, so reboot and log back in. Of course, if the manager had actually read the list that I gave him, he would have realised that the virus runs on startup, BEFORE the login script runs...
So, after another round, someone develops a "serum.vbs" that they have the login script copy into the "StartUp" folder, and later on a "serumII.vbs" showed up there too. The effect of these two horribly-written scripts is to remove the registry entries that run the virus on startup, and to delete EVERY js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, or mp2 file that exists on any drive accessible from the system. Imagine as 200 users log in sumultaneously and each start a script that chuggs through the network share of 889 MBs (25,000+ files) that was already slow. It was an interesting time. Not to mention the fact that, again, if someone had read my list (or had any common sense at all) they would know that .jpg and .jpeg files aren't infected, they're DELETED and replaced with .vbs files, and that .mp3 and .mp2 files are HIDDEN and .vbs files are created in thier place. Nevertheless, our fearless and unthinking IS departement did the safe thing and wiped out many a intranet website...
Viruses only come out at night
My company decided it would let the mail servers run for the day and then take them offline at night to avoid the virus. Brilliant plan wouldn't you say!?
I eventually got a Board member to tell them to terminate the inbound internet email.
Close down via a self-administered DDOS attack
I was dismayed to receive multiple copies of this in response to some automated emails one of my systems sends out:
Date: Sat, 06 May 00 20:34:16 -0700
From: WSM Administrator <ITD-MISRENM112-WSVL@paccar.com>
Subject: <EMAIL REJECTED> Daily Digest of General.
1 Shown 10 lines Text
2 Shown 1.1 KB Message, "Daily Digest of General."
2.1 Shown 0 lines Text
Because of PACCAR's Computer Virus Prevention Policy, your email has been rejected. We are doing this to ensure PACCAR is not at risk for newly discovered viruses. When the virus risk is acceptable, we will discontinue this email rejection policy.
If this email has business critical requirements, please contact the recipient directly for alternative communication options. We apologize for any inconvenience this may cause.
As a sys admin, I've always felt it's best not to respond to an emergency by shutting systems down -- many crackers would love to shut you down anyway, so why do it for them? It's a denial of service attack in its own right, a bit like VAG (US) shutting down their web servers over the new year in case... ummm... some Y2K bug shut down their web servers over the new year :-)
I love the bit about "when the virus risk is acceptable". Translates as "when we've got bored of this game and everyone's forgotten about it, we'll stop pissing you off". Another gotcha is the bit about "please contact the recipient directly for alternative options". By the time you've phoned him, you may as well just tell him, 'cos you certainly can't email him about the problem.
Don't let anybody tell you about it
When the news of the mutation appeared I tried to send my IT security department an email with the "Warning - ILOVEYOU mutations are loose".
I received a nice little automatic message saying that the virus name was detected in the title of the message so my message had been deleted.
Clever clogs rapid reaction - Special BOFH Award #2
As it happens, we had installed an e-mail virus scanner a day or two previously (since all our users have finally been switched to Exchange mail and Outlook, I thought it was high time we did *something* to protect the corporate network, and as half the IT team, I have a pretty free hand as long as I don't need to spend any actual money). We had nine copies of the virus arrive, get disinfected, and get passed on to the addressees as a "castrated" virus. No problems at all; I do have one user who wanted to know if he could copy the virus to a floppy disk (without activating it) so he could take it home and send it to someone else. As I was a bit tired and muzzy by that time, I simply told him it was harmless by the time he received it. In future, should the question arise, I'll give him a live one (suitably modified to contain his real-world name and address) on a floppy, and call the FBI about an hour after he leaves work. Bloody users...
Retro computing - utterly invulnerable
Absolutely nothing. I am stuck administering a network of win3.1 clients and VMS servers. We just got a whole lot of attachments to delete. For some reason I don't feel overly happy about my savior from the virus, strange.
Use a dud service provider
I'm happy to report that at the Brunts School, Mansfield, we had absolutely no problem with the ILOVEYOU virus. In fact, we couldn't possibly have any problem with any Internet virus.
BT Internet had employed the most effective firewall possible and crashed. And not only that, but soon the entire network was taken down by a repair technician. Result: one thousand annoyed pupils unable to access coursework and all-important "Record of Achievement statements".
Intercept it, but reproduce the effect anyway
You wanted submissions for the stupid things companies were doing? Well, you will get a kick out of what my company did. They configured NAV to scan every message for ILOVEYOU virus, but instead of it just discarding the message...it sends a notice to all recipients that a virus was detected in their e-mail! While it was keeping the actual virus from spreading, it was still having almost the same effect because of the loads of virus notifications being sent out to everyone!
Death by filtration
My company (a major software house) sent an e-mail around giving step-by-step instructions on how to set up a filter in Outlook to remove any and all e-mails with those words in the title. It worked brilliantly, even going so far as to delete the e-mail with the instructions (and a few other innocent virus-related messages).
Of course, the filter only moved the messages to the 'Deleted Items' folder, somewhat akin to sweeping them under the carpet.
Gratuitous piece of Unix smuggery
YOU also may be interested in another variant of the virus currently running around linux user groups here (quoted below):
Subject: Unix variant of "love bug"
This virus works on the honor system:
If you're running a variant of unix or linux, please forward this message to everyone you know and delete a bunch of your files at random."
Alerts are an unexpected side-effect of our product (advertisement)
We make a product called MailSecure which is a plug-in for Outlook which does full-strength S/MIME crypto. It will optionally prompt you on whether you want to sign and/or encrypt a message. I received this email this morning from one of our sales guys:
"I heard a good story from a customer. Whilst going through his mail his mailsecure dialogue box suddenly appeared prompting him to sign his message, what message? He hadn't written one. The penny dropped and he shut down his machine killing the Luv Bug."
Hide for three days, then all hold hands and crash the network
To stop the spread of the virus into and out of the internal net they disabled all external links for 3 days, then proceeded to tell everyone to use Norton liveUpdate, an internet service, to update Norton antivirus !!?! I believe many an hour was lost with people waiting for liveupdate to finish before carrying on with their work ;o)
Clever clogs #2, Special BOFH Award #3
You wanted to know what Admins did the day the bug came?
Easy: Nothing. Sit back, relax, and laugh about all the myriads of idiots out in the net. Complain that the damage routine of the virus was way too weak to force the idiots to learn this lesson.
We have patched the email frontend more than a year ago to look for all sorts of potentially harmful code, and when there is an attachment like .exe, .vbs, .com, .vbe, .js, (and many more), they have to click through so many requesters (in bold red large letters!) to get at their mail that it comes down even on the dumbest of our users that this email is in a certain way special.
And, we don't use Outlook. But I think this is obvious from my rant, isn't it? ®
Sponsored: Transform Your IT Infrastructure