From: Russ (Russ.CooperRC.ON.CA)
Date: Mon Feb 19 2001 - 02:44:48 CST


    -----BEGIN PGP SIGNED MESSAGE-----

    Early last week a second virus/worm was released apparently hoping to
    spread on Valentine's Day.

    Some names being used:

    Trend Micro: VBS_VALENTIN.A
    NAI Avert Labs: VBS/ValentinMM
    F-Secure: Valentine
    Sophos: VBS/Valentin-A
    Symantec: VBS.Valentinmm

    The basic operation of this worm is to attempt to exploit the old
    Scriptlet.TypeLib vulnerability first discovered in August 1999. That
    ActiveX control, marked safe for scripting when it shouldn't have
    been, allowed attackers to create files on the local machine through
    a VBScript (web page/email).

    This one, if executed, creates LOVEDAY14.HTA and places it in the
    Startup folder. The HTA will cause a mass mailing to occur upon the
    next reboot of the machine. Further, on the 8th, 14th, 23rd and 29th
    of any month it will replace all files on the disk with .TXT files of
    the same name (but not the same content), effectively eliminating the
    contents of the drive(s).

    TruSecure has noted a significant attempt by the author to spread
    this worm over the weekend (2/18-19), presumably attempting to
    reclaim lost deluded glory. We fear that many corporate users may
    find this message already in their Inbox on Monday morning and cause
    it to spread significantly.

    TruSecure <http://www.trusecure.com> sends such warning notices to
    its customers when circumstances warrant it. I, as Surgeon General of
    TruSecure Corporation, attempt to advise you in the hopes that we may
    be able to minimize the spread of any such worms. Even though all
    popular Anti-Virus products currently purport to be able to catch
    this one (with latest definitions), the nature of its operation could
    still cause quick spreading.

    As many of you may already be aware, some versions of Outlook/Outlook
    Express automatically execute scripting via the Preview Pane unless:

    a) You're using Outlook 2000
    b) You've specifically modified the Trust Zone Outlook uses to
    prevent Active Scripting.

    It's our belief that the vast majority of Outlook users do have
    Preview Pane enabled (it's enabled by default on every folder and must
    be explicitly disabled), and probably have their Trust Zone settings
    set to Medium (the default for the Internet Zone).

    This combination means that most users who do receive a copy of this
    worm (either by email or by Usenet News through Outlook Express) will
    automatically execute the script.

    Assuming the above, what happens next depends on the system. If the
    system has had the Scriptlet.TypeLib patch applied:

    http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

    (or has upgraded to any version of IE 5 beyond its original version,
    e.g. IE 5.01 or above), then the user will be prompted with a system
    dialog indicating that something has attempted to execute an ActiveX
    control not marked Safe for Scripting. They will be given the option
    to execute it or not, albeit with a warning.

    We believe there will be enough users out there who will tell it to
    proceed, thereby allowing the control to create the .HTA, causing
    infection and eventually distribution.

    If the system has not had the Scriptlet.TypeLib patch applied then
    the script will execute without any prompt or warning.

    Users of Outlook 2000, Outlook 98 or Outlook Express with Trust Zones
    set to High Security, or users employing the Outlook Email Security
    Update will all be protected and should see some sort of warning
    message indicating a message tried to do something insecure but
    wasn't allowed to (wording varies depending on software in use).

    Effective Defenses:

    1. Outlook Email Security Update.

    2. Patched Scriptlet.TypeLib/Up-to-date version of IE 5.01+

    3. Outlook 2000 (see http://ntbugtraq.ntadvice.com/outlookviews.asp
    for explanations as to why Outlook 2000 affords more protection
    against such worms)

    4. Gateway or Email client rule which scans the message header (in
    this case looking within a MIME part of Content-Type: Text/HTML) for
    the string

    ("Scriptlet.TypeLib

    Such an Outlook 2000 rule would look like this:

    i. Create a new rule
    ii. Choose "Check messages when they arrive", click Next
    iii. Choose "with <specific words> in the message header" and place
         "("Scriptlet.Typelib"" (include the quotes)
         in the <specific words>
    iv. Choose "delete it".
    v. Choose "Stop processing more rules", click Finish

    This rule will be a server-side rule, preventing your users from
    seeing the message at all, and allowing messages to be processed
    whether the client is connected and running or not. This type of rule
    filtering is only available with Outlook 2000 (since it's the first
    version that can scan the header during rules processing).
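    The gateway-side variant of rule 4, as an added example that is not part of
    the original message: it parses an RFC 822 message, looks only inside
    Content-Type: text/html MIME parts, and flags the message if the marker
    string from the rule is present. The sample messages are constructed here
    for the test; the marker in the HTML part is just the detection string, not
    the worm's script.

```python
import email
from email import policy
from email.message import EmailMessage

# Marker string from the advisory's rule 4: the literal text that precedes
# the control's ProgID in the worm's script. Matched case-insensitively,
# because the Outlook rule text in the advisory mixes "TypeLib"/"Typelib".
MARKER = '("Scriptlet.TypeLib'


def html_parts(msg):
    """Yield the decoded text of every text/html MIME part (recursively)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def matches_scriptlet_rule(raw_bytes):
    """Return True if any text/html part of the raw message contains MARKER.

    Plain-text parts are deliberately ignored, mirroring the advisory's
    rule, which looks inside the Text/HTML part only.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    needle = MARKER.lower()
    return any(needle in body.lower() for body in html_parts(msg))


def build_sample(html_body, text_body="plain text alternative"):
    """Constructed sample: a multipart/alternative message (text + HTML)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Constructed sample"
    msg.set_content(text_body)
    msg.add_alternative(html_body, subtype="html")
    return msg.as_bytes()


# Constructed inputs: one carrying the marker in its HTML part, one benign,
# and one that only mentions the marker in its text/plain part (no match).
SUSPICIOUS = build_sample(
    '<html><body><script language="VBScript">'
    'Set o = CreateObject("Scriptlet.TypeLib")'
    "</script></body></html>"
)
BENIGN = build_sample("<html><body><p>Happy Valentine's Day</p></body></html>")
PLAIN_ONLY = build_sample(
    "<html><body><p>See note</p></body></html>",
    text_body='Rule keyword: ("Scriptlet.TypeLib',
)
```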

    To think that a vulnerability first discovered almost 2 years ago is
    still being attempted today might seem silly, but another worm (KAK)
    is still rated within the Top 10 active worms and it relies on the
    same vulnerabilities. Clearly there are still a lot of systems out
    there that have not yet been protected/updated. (This problem is also
    obvious in IIS installations and the number of prominent companies
    that have some publicly available server defaced daily either due to
    RDS or ../.)

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

