How to deal with the ILOVEYOU virus in a GroupWise environment.

(Last modified: 29Jan2003)

This document (10052696) is provided subject to the disclaimer at the end of this document.

goal

How to deal with the ILOVEYOU virus in a GroupWise environment.

fact

Novell GroupWise 5.5

Novell GroupWise 5.2

GroupWise Enhancement Pack

Microsoft Outlook

Outlook Express

symptom

Users receive mail messages with the Subject of "ILOVEYOU"

MP3 and JPEG files are corrupted by this virus

cause

The virus known as "ILOVEYOU" was discovered on May 3, 2000.

The ILOVEYOU virus is similar to the Melissa virus. However, unlike the "Melissa" virus, "ILOVEYOU" is more destructive. First, it copies itself to two critical system directories and adds triggers in the Windows registry. This ensures that it's running every time the computer reboots.

The mail user receives a message in the following format.

Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs


INFECTION

The ILOVEYOU virus is a VBScript worm. It spreads via e-mail like a chain letter. ILOVEYOU is activated when a user who has the Windows Scripting Host enabled opens the infected VBS file; the open can happen from GroupWise, Outlook, Windows Explorer, etc.

With WSH enabled, the worm executes its destructive payload and spreads, targeting Windows 98 and Windows 2000 by default, and Windows NT 4.0 and Windows 95 if the Windows Scripting Host (WSH) engine is installed. The worm copies itself to multiple subdirectories using different names. It then spreads itself by generating an e-mail, attaching itself, and sending that e-mail to all recipients in all Outlook address books.

While GroupWise 4.x and 5.x clients can be hit by the virus's destructive payload if WSH is enabled, opening the virus from the GroupWise client will not automatically spread it unless a Windows Address Book (the address book used by Outlook and Outlook Express) is available. That is, the virus propagates through a MAPI call (e.g. a GroupWise MAPI send) to all of the users in the Windows Address Book. So if the user does not have a Windows Address Book, or the book has no entries, the virus cannot spread.

IMPACT

The virus corrupts MP3 and JPEG files on users' hard drives, also affects mIRC (an Internet Relay Chat client) and Internet Explorer, and can propagate through the whole e-mail system.

PROPAGATION

The virus uses the workstation's default MAPI application (e.g. GroupWise or Outlook) and the Microsoft Outlook address book (Windows Address Book) to replicate itself, sending messages with the body "kindly check the attached LOVELETTER coming from me." The name of the attachment is "LOVE-LETTER-FOR-YOU.TXT.vbs".

When the attachment is opened, the worm replicates itself and adds several files to the user's computer. Below are the MAPI calls that the virus makes to replicate through the default MAPI application using the Windows Address Book.

set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
set MAPI=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a)
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead)
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)

CAN GROUPWISE CLIENTS BECOME INFECTED OR SPREAD THE VIRUS?

1. Does GroupWise 4.x or any other 16 bit client use the MAPI 32 address book which the ILOVEYOU Virus can access and send out messages to everyone in the address book?

The virus cannot automatically spread through the GroupWise 4.1a client, because the 16-bit client does not use the MS Windows Messaging system, which includes MAPI 32. However, GroupWise 4.1a users can receive an e-mail with the virus-infected attachment, open the attachment, and infect their workstation.

2. Can GroupWise 5.x users be infected by this virus?

GroupWise 5.x clients can be infected but cannot spread the virus unless Outlook was installed and entries exist in the Windows Address Book that can be used to distribute the virus.

fix

PREVENTION
1. The best prevention is not to open up strange attachments, use client virus scanning software and keep the virus definitions up to date.

2. Also, Windows Script Hosting should likely be turned off. ZDNET has a good article about how to do so and the pros and cons of turning off script hosting: http://www.zdnet.com/zdhelp/stories/main/0%2C5594%2C2568111%2C00.html

3. Make sure that all Outlook users are patched. Outlook users have been even more susceptible to VBS worms because the client would automatically start processing VBS even before the user opened the attachment. Microsoft states that subsequent security updates to Outlook have fixed the VBS virus problems in Outlook; see http://support.microsoft.com/support/kb/articles/Q235/3/09.ASP.

HOW TO GET RID OF THE VIRUS ON THE CLIENT WORKSTATION:

1. Notify all email users to not open any email message with the subject line: "ILOVEYOU". Instruct the users to delete such email messages. The virus cannot be spread unless you open or view the message.

2. Several virus checking applications have already created new pattern files to help identify and remove the virus from your system. Check with your virus checking vendor to see if they have the new pattern for the ILOVEYOU virus. Below are a couple of sites that have the new pattern files.
The list below is not exhaustive.
         - McAfee (www.mcafee.com)
         - Inoculan (www.cheyenne.com)

NOTE: Although the above applications can't scan email attachments stored in GW databases, they can still be used to help stop the spread of the virus.

HOW TO REMOVE BAD MESSAGES FROM THE MESSAGE STORE:

There is a feature built into the standalone version of GWCHECK for both GroupWise 5.2 and GroupWise 5.5: a switch that allows the administrator to purge items from users' mailboxes based upon the contents of the subject line. This utility can be found on the GW 5.5 CD under admin\utility\gwcheck. For GroupWise 5.2 users, the utility can be downloaded from:
http://support.novell.com/cgi-bin/search/download?/pub/updates/grpware/grpwise/gwck524.exe&sr (go to support.novell.com and click on file finder. Type in gwck524.exe). Make sure you have downloaded this latest gwcheck for GW 5.2 post offices. Older versions may not support the above options.

WARNING: This feature is dangerous and should be used with caution. If an administrator makes a mistake when creating this file, valuable data could be lost. This feature removes messages from users' mailboxes.

1. Backup the entire post office directory structure.

2. Create a text file called "itempurg" (without the quotes and without a file extension).

3. Place this file in the directory where GWCHECK will be run.

4. Edit the itempurg file to include EXACTLY the subject line of the e-mail message to be purged. Include only the first 27 characters of the line. If more than 27 characters are included in the itempurg file, the item purge will not find any matches and will fail. If the subject line of an e-mail message is longer than the string specified in itempurg but the string in itempurg exactly matches the first part of that subject line, the item is declared a match and is deleted in the GWCHECK run. Note: the matching algorithm works from left to right and does not match portions in the middle or at the end of the string; it looks only for matches starting at the left-most character and running through the first 27 characters of the string.

(You may have to run the item purge again to cover instances where a user forwarded the message. Replies should not be an issue, because a reply does not contain the attachment. So make sure the subject line is exactly right when running the item purge to remove forwarded messages.)

For example: If the subject line to be found is "ILOVEYOU", the line in the text file might read "ILOVEYOU ".

If the subject line reads "Fw: ILOVEYOU", make sure the "Re:", "Fw:" or whatever other prefix is present is also included in the text file.

5. Launch the gwchk32.exe file.

6. Configure GWCHECK with the following options:
         - Database Type = Post Office
         - Database Path = [Path where the wphost.db resides]
         - Post Office Name = [name of the NDS object for the post office]
         - Object Type = Post Office
         - Action = Analyze/Fix Databases with Contents check and Fix problems selected
         - Databases = User

7. Run GWCHECK

8. If the check was successful, the log file (located in the directory GWCHECK is run from) will have lines for each infected user that say something like the following:

259 ITEM_RECORD check
- Item matches subject "ILOVEYOU"
- Item 259 purged successfully
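The itempurg matching rules from step 4 above (left-anchored, exact, at most 27 characters), worked through as a dry-run preview that shows which mailbox items a given itempurg file would purge before the real GWCHECK run is started. This is an added example, not part of the Novell TID and not GWCHECK's own code; it assumes the comparison is case-sensitive, and the mailbox items are constructed sample data.

```python
# Added example (not from the Novell TID): dry-run preview of which mailbox
# subjects an itempurg pattern would match under the rules the TID describes:
# the match is anchored at the left of the subject, compared exactly, and a
# pattern longer than 27 characters matches nothing. Case sensitivity is an
# assumption; the mailbox items below are constructed, not GWCHECK output.

ITEMPURG_MAX_LEN = 27  # per the TID: a longer pattern never matches


def itempurg_matches(pattern: str, subject: str) -> bool:
    """Return True if the item purge would treat `subject` as a match.

    Exact prefix check: the pattern must equal the leftmost part of the
    subject. Text in the middle or at the end of the subject does not count,
    and a pattern over 27 characters disables matching entirely.
    """
    if len(pattern) == 0 or len(pattern) > ITEMPURG_MAX_LEN:
        return False
    return subject.startswith(pattern)


def preview_purge(patterns, items):
    """Dry run: return the (user, subject) pairs that would be purged.

    `patterns` are the lines that would go into the itempurg file; `items`
    is an iterable of (user, subject) tuples, e.g. exported from the post
    office. Review this list before running GWCHECK with the purge switch.
    """
    would_purge = []
    for user, subject in items:
        if any(itempurg_matches(p, subject) for p in patterns):
            would_purge.append((user, subject))
    return would_purge


# Constructed sample mailbox contents for the dry run.
SAMPLE_ITEMS = [
    ("jdoe", "ILOVEYOU"),
    ("jdoe", "ILOVEYOU - please read"),  # longer subject, same prefix: match
    ("asmith", "Fw: ILOVEYOU"),          # forwarded: prefix differs, no match
    ("asmith", "Re: ILOVEYOU"),          # reply: no attachment, and no match
    ("bjones", "Budget for Q3"),
]

if __name__ == "__main__":
    hits = preview_purge(["ILOVEYOU", "Fw: ILOVEYOU"], SAMPLE_ITEMS)
    for user, subject in hits:
        print(f"would purge: {user}: {subject!r}")
```

Note that "Fw: ILOVEYOU" is only caught when it is listed as its own pattern, which is the reason the TID tells you to include the forwarding prefix in the itempurg file.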

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID: 10052696
  • Solution ID: NOVL9702
  • Creation Date: 04May2000
  • Modified Date: 29Jan2003
  • Categories: NovellGroupware, NetWare
