Renamed Love Letter Worm Still Spreads

PC users should watch for two variants of the worm spreading rapidly through e-mail, as the Love Letter virus that has wreaked havoc Thursday is apparently renamed and still spreading.

Loveletter.B is a variant of the VBS/LoveLetter.A worm, according to antivirus experts at Computer Associates. The only differences are that instead of the subject line "ILOVE YOU," the variant's subject line is "fwd: Joke" and the trouble-causing attachment is named "Very Funny.vbs" instead of "LOVE-LETTER-FOR-YOU.TXT.vbs." Computer Associates has posted the updated information at its InoculateIT Virus Information Center.

Like the Love Letter virus, the variant spreads when the 10307-byte attachment is opened. In the original version, the message text reads, "kindly check the attached LOVELETTER coming from me." In both versions, the .vbs extension indicates a Visual Basic Script. If you open the attachment, the script inserts a number of files into Windows system directories. The virus then sends a copy of itself to all the addresses in a Microsoft Outlook or Outlook Express directory.

In addition, both versions invoke the Internet Relay Chat client called MIRC, and each attempts to replicate itself to all recipients of chat channels and everyone who joins afterwards. In IRC, the variation is called "Very Funny.HTM" instead of "LOVE-LETTER-FOR-YOU.HTM."

Industry sources report the worm was launched by a Filipino virus writer at 3 a.m. Eastern Time Thursday, and first appeared in Hong Kong, affecting banks and public relations firms. It quickly spread into Europe. As the day has progressed, it's become widespread in the United States as well.

Peter Tippett, president of the ICSA, a security organization that certifies antivirus software, says this worm is "the most virulent, expensive, and fast-spreading infection in virus history."

Who can resist opening an e-mail message with a subject line that reads, "ILOVE YOU"? Apparently, not too many people. ICSA expects the worm will cost companies up to $1 billion, and it is expected to infect as many as half of all U.S. corporations before it runs its course. By 9 a.m. Eastern Time Thursday morning, estimates were that it had already infected over a million PCs.

Besides affecting companies, the worm struck the British houses of parliament. Both the House of Commons and House of Lords were hit, leading to a shutdown of e-mail that lasted a couple of hours.

"The message was noticed before lunch. It was a message sending love to you, which is the sort of message a lot of us here don't expect to be receiving," says Muir Morton, the deputy sergeant at arms for the House of Commons.

You should immediately delete the message and the attached file, "even if it's from your spouse," says Narender Mangalam, Computer Associates' director of security.

Worm Trashes Music, Graphics

Despite initial reports that Loveletter didn't cause any additional damage, virus researchers soon found that the worm contains an even more destructive payload. It looks for 12 types of files, including popular .jpg graphics and .mp3 music files, and overwrites them with itself. It does not affect standard data files such as .doc files.

Worse, the worm doesn't just affect files on a local computer. If your PC is connected to a local-area network, the worm finds all of the 12 types of files on all accessible machines on the network and overwrites them, also infecting the other machines.

Most major antivirus software makers have already released updates of their virus signature files to detect and remove Loveletter. But if files have been overwritten, there remains the expensive and time-consuming job of restoring those files from backups, if backups exist.

If your antivirus software has an automatic update feature, you should use it as soon as possible to download the solution.

Meanwhile, if you haven't been infected, the best advice is to immediately delete any message that contains the "ILOVE YOU" subject line. (Note the lack of a space between the I and the L.) In any case, do not open the attachment, which is the only way the virus can spread.

ICSA also suggests that network administrators set filters on e-mail servers to reject all messages with "LOVE" in the subject, as well as block all messages with .vbs attachments and block Internet Relay Chat.

(IDG News Service contributed to this report.)

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Stan Miastkowski

PC World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?