Renamed Love Letter Worm Still Spreads
- — 05 May, 2000 12:01
PC users should watch for two variants of the worm spreading rapidly through e-mail, as the Love Letter virus that has wreaked havoc Thursday is apparently renamed and still spreading.
Loveletter.B is a variant of the VBS/LoveLetter.A worm, according to antivirus experts at Computer Associates. The only differences are that instead of the subject line "ILOVE YOU," the variant's subject line is "fwd: Joke" and the trouble-causing attachment is named "Very Funny.vbs" instead of "LOVE-LETTER-FOR-YOU.TXT.vbs." Computer Associates has posted the updated information at its InoculateIT Virus Information Center.
Like the Love Letter virus, the variant spreads when the 10307-byte attachment is opened. In the original version, the message text reads, "kindly check the attached LOVELETTER coming from me." In both versions, the .vbs extension indicates a Visual Basic Script. If you open the attachment, the script inserts a number of files into Windows system directories. The virus then sends a copy of itself to all the addresses in a Microsoft Outlook or Outlook Express directory.
In addition, both versions invoke the Internet Relay Chat client called MIRC, and each attempts to replicate itself to all recipients of chat channels and everyone who joins afterwards. In IRC, the variation is called "Very Funny.HTM" instead of "LOVE-LETTER-FOR-YOU.HTM."
Industry sources report the worm was launched by a Filipino virus writer at 3 a.m. Eastern Time Thursday, and first appeared in Hong Kong, affecting banks and public relations firms. It quickly spread into Europe. As the day has progressed, it's become widespread in the United States as well.
Peter Tippett, president of the ICSA, a security organization that certifies antivirus software, says this worm is "the most virulent, expensive, and fast-spreading infection in virus history."
Who can resist opening an e-mail message with a subject line that reads, "ILOVE YOU"? Apparently, not too many people. ICSA expects the worm will cost companies up to $1 billion, and it is expected to infect as many as half of all U.S. corporations before it runs its course. By 9 a.m. Eastern Time Thursday morning, estimates were that it had already infected over a million PCs.
Besides affecting companies, the worm struck the British houses of parliament. Both the House of Commons and House of Lords were hit, leading to a shutdown of e-mail that lasted a couple of hours.
"The message was noticed before lunch. It was a message sending love to you, which is the sort of message a lot of us here don't expect to be receiving," says Muir Morton, the deputy sergeant at arms for the House of Commons.
You should immediately delete the message and the attached file, "even if it's from your spouse," says Narender Mangalam, Computer Associates' director of security.
Worm Trashes Music, Graphics
Despite initial reports that Loveletter didn't cause any additional damage, virus researchers soon found that the worm contains an even more destructive payload. It looks for 12 types of files, including popular .jpg graphics and .mp3 music files, and overwrites them with itself. It does not affect standard data files such as .doc files.
Worse, the worm doesn't just affect files on a local computer. If your PC is connected to a local-area network, the worm finds all of the 12 types of files on all accessible machines on the network and overwrites them, also infecting the other machines.
Most major antivirus software makers have already released updates of their virus signature files to detect and remove Loveletter. But if files have been overwritten, there remains the expensive and time-consuming job of restoring those files from backups, if backups exist.
If your antivirus software has an automatic update feature, you should use it as soon as possible to download the solution.
Meanwhile, if you haven't been infected, the best advice is to immediately delete any message that contains the "ILOVE YOU" subject line. (Note the lack of a space between the I and the L.) In any case, do not open the attachment, which is the only way the virus can spread.
ICSA also suggests that network administrators set filters on e-mail servers to reject all messages with "LOVE" in the subject, as well as block all messages with .vbs attachments and block Internet Relay Chat.
(IDG News Service contributed to this report.)