
Dealing with the ILoveYou virus on a GroupWise system

The ILoveYou e-mail virus and its relatives have been the most damaging e-mail viruses in history. John Sheesley explains how the ILoveYou virus reacts in a GroupWise environment.


Unless you’ve been off the planet for the last week, you’ve probably heard of the ILoveYou e-mail virus and all of its mutations. You may have even received a few of the infected e-mails or had the virus affect your network. If you use or are considering using GroupWise as your messaging system, you may be curious to know how the ILoveYou virus and its ilk affect GroupWise systems. In this article, I’ll show you how the ILoveYou virus affects GroupWise and what you can do to deal with it.

How safe are you?
You may think that just because you aren't running Microsoft Exchange, you’re safe. Unfortunately, this isn’t the case. Like the Melissa virus outbreak of last year, the ILoveYou virus exploits features in Microsoft Outlook (the e-mail client portion of Exchange) that are supposed to simplify the process of integrating e-mail messages with other data.

I won’t go into great detail about how the ILoveYou virus does its dirty work. You can find out more information about the ILoveYou virus in "SECURITY ALERT: No love in ILoveYou worm." The Reader’s Digest condensed version is that when you open the .VBS attachment in the e-mail message, the virus attaches itself to your workstation’s registry, deletes files from your workstation, reads your Outlook Address Book, and finally e-mails itself to everyone in your Address Book.

Therefore, if you’re using Outlook as the e-mail client for your GroupWise server using the GroupWise Enhancement Pack, then you'll have just as many problems with the ILoveYou virus as your Exchange-running counterparts. However, if you only use the GroupWise clients for your workstations, you’ll be in better shape.

If one of your users opens an ILoveYou virus-infected attachment when using a GroupWise client, his or her machine will still become infected. The Visual Basic Script will still run, infecting the user’s workstation and deleting files. However, the virus will go no further, because the script can’t make the necessary calls to read the GroupWise address book from the client, nor can it use the GroupWise client to e-mail itself to anyone else. In effect, the user catches the virus and the virus does its damage, but it goes no further on your network.

Making sure all of your users only use the GroupWise client is an effective way of minimizing the potential damage that the virus can cause. Unfortunately, it may not be a politically popular choice. Users and/or management may rebel at the thought of dropping Microsoft Outlook for the native GroupWise client. Therefore, you need to have other means of dealing with the virus and possible infections.

Dodging the bullet
You’ve probably already done the first and most important thing to prevent the virus from affecting your network: warning your users not to open .VBS attachments to e-mail messages. If your users simply delete the messages before opening the attachment, then the virus won’t go anywhere.

However, why should your users do all the work? Although GroupWise won’t natively filter messages for content, you can install third-party scanners to filter the messages for you. One of the most popular GroupWise scanners is called Guinevere.

With Guinevere and a virus scanner, you can intercept and kill virus-infected messages before they hit your server. Your users won’t have to worry about deleting the messages or becoming infected because they won’t see the messages in the first place.

Mopping up after an attack
If you’ve already been attacked by the virus, you can use Novell’s GWCheck utility to clean the GroupWise message store of virus-infected messages. GWCheck comes with GroupWise 5.5. You’ll find it on your GroupWise 5.5 CD in the Admin\Utility\GWCheck directory. If you’re running GroupWise 5.2, then you must download GWCK524.EXE from Novell’s Web site.

GWCheck allows you to purge items from users' mailboxes based on the contents of the subject line. You must be very careful when using this utility because when you use GWCheck to delete messages, you can't get the messages back. You may want to make sure you have a complete backup of your Post Office directory structure, even though it still contains virus-infected files.

To use GWCheck, you must first create a text file called ITEMPURG. The easiest way to do this is to go to an MS-DOS prompt on your administration workstation, type COPY CON ITEMPURG, and press [Enter]. You’ll notice the cursor drop below the MS-DOS prompt.

Next, type the subject line of the e-mail message you want to purge. You can only type the first 27 characters of the line. If you type more than 27 characters, the purge won’t find any matches. GWCheck works from left to right and doesn’t match substrings in the middle or end of the string. Don’t press [Enter] when you’re done. Instead, press [F6] and then press [Enter] to save the ITEMPURG file. Copy this file to your GroupWise server’s Post Office directory.

Next, launch the GWCHK32.EXE file. When the GroupWise Mailbox/Library Maintenance window appears, you must make a few adjustments. First, make sure that the Post Office radio button is selected in the Database Type box. Next, enter into the Database Path field the path where the WPHOST.DB resides. You then must enter the NDS name for the Post Office in the Post Office Name field. Next, make sure that the Post Office radio button is selected in the Object Type box.

On the right side of the window, make sure that Analyze/Fix Databases is selected in the Action drop-down list box. You should also make sure that only the Contents and Fix Problems check boxes are selected under the Action drop-down list box. Finally, at the bottom of the screen, make sure that only the User Database check box is selected.

After you’ve configured GWCheck, click Run to run it. If the check runs successfully, you’ll find a log file named GWCHK32.LOG in the directory where you ran GWCheck. This log file will contain lines for each user who was e-mailed an infected message, or more precisely, was e-mailed a message that matches the scan you indicated in ITEMPURG.

Don’t forget that several mutations of the ILoveYou virus exist, each having a different subject line. You must edit the ITEMPURG file, reenter the particular subject line to search for, save the file, and rerun GWCheck for each mutation.
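The ITEMPURG matching rules above (left-to-right prefix only, at most 27 characters, one pattern per mutation) are easy to get wrong, so here is a small model of them as an added example; it is not Novell's code, and the sample subject lines and the case-sensitive comparison are assumptions used to illustrate the article's description:

```python
"""Model of the GWCheck ITEMPURG prefix-match rule described in the article."""
import os
import tempfile

ITEMPURG_MAX = 27  # GWCheck only honours the first 27 characters of the pattern

# Constructed sample subject lines, standing in for what a post office scan would see.
SAMPLE_SUBJECTS = [
    "ILOVEYOU",
    "fwd: ILOVEYOU",                    # prefix differs, so "ILOVEYOU" alone will not catch it
    "Mothers Day Order Confirmation",   # 30 characters: longer than the 27-character limit
    "Dangerous Virus Warning",
    "Quarterly sales figures",
]


def itempurg_matches(pattern, subjects):
    """Return the subjects a single ITEMPURG pattern would purge.

    Modelling assumptions taken from the article: the comparison runs left to
    right from the start of the subject, a pattern longer than 27 characters
    matches nothing, and substrings in the middle or end never match.
    """
    if len(pattern) > ITEMPURG_MAX:
        return []
    return [s for s in subjects if s.startswith(pattern)]


def purge_report(patterns, subjects):
    """One pass per mutation, as the article advises (edit ITEMPURG, rerun GWCheck)."""
    return {p: itempurg_matches(p, subjects) for p in patterns}


def write_itempurg(directory, subject):
    """Write ITEMPURG the way COPY CON + [F6] does: the text with no trailing newline."""
    path = os.path.join(directory, "ITEMPURG")
    with open(path, "w", encoding="ascii", newline="") as fh:
        fh.write(subject)
    return path


def roundtrip_itempurg(subject):
    """Write a pattern to a temporary ITEMPURG and read back exactly what was stored."""
    directory = tempfile.mkdtemp()
    with open(write_itempurg(directory, subject), "r", encoding="ascii", newline="") as fh:
        return fh.read()


if __name__ == "__main__":
    for pattern, hits in purge_report(["ILOVEYOU", "fwd: ILOVEYOU"], SAMPLE_SUBJECTS).items():
        print(f"{pattern!r}: would purge {hits}")
```

Note that a subject longer than 27 characters must be trimmed to its first 27 characters in ITEMPURG, otherwise the pass finds nothing.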

Conclusion
The ILoveYou e-mail virus and its relatives have been the most damaging e-mail viruses in history. In this article, I’ve shown you how the ILoveYou virus reacts in a GroupWise environment.

John Sheesley has been supporting networks since 1986, when he got his hands on NetWare 2.2. Since then, he’s worked with the Jefferson County Police Department in Louisville, KY and the Genlyte-Thomas Group. John’s been a technical writer for several leading publishers, including TechRepublic, The Cobb Group, and ZDJournals. If you’d like to contact John, send him an e-mail.

The authors and editors have taken care in preparation of the content contained herein, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.
