Love Bug Virus Update:
The "I Love You" virus now also appears in the subject line as "Joke."
The attachment is titled: "Very Funny.vbs"
Two stories follow. One is from MSNBC, and the other from Internetnews.com.
FAC
=========
'Love' virus gets new name, new life
Bug spent the day spreading around the globe, deleting images, music files; and we're not out of the woods yet
msnbc.com, by Bob Sullivan, MSNBC
May 4 - Computer technicians around the globe are holding their breath tonight, hoping they've largely beaten back the ILOVEYOU virus. Perhaps tens of millions of computers have been infected by the bug, say experts, and it's already being called the worst virus outbreak ever. But there is evidence that ILOVEYOU may yet do more damage before the worst is over.
Just as reports of infections by the ILOVEYOU virus started to slow down, a new version of the program is winging its way around the Internet. This one has the subject line "FW: JOKE" and contains an attachment called "Very Funny.vbs." The alterations might allow the program to slip past antivirus programs that match on the original subject line or attachment name, adding to the pain the ILOVEYOU virus has already inflicted around the world today.
Even before the mutation, there was evidence the original ILOVEYOU virus was still flying around the Internet. Free e-mail provider mail.com said it was detecting a copy of the virus on its service every 20 seconds late Thursday afternoon, more frequently than it had been detected in the middle of the day.
"I don't think it's over," said Joe Wells, a long-time antivirus industry observer. "Melissa came and went because it had limitations. This thing doesn't turn itself off."
That might be bad news for the thousands of businesses that were forced to shut down entire networks on Thursday in order to quarantine computers from infection. If even one copy of the virus remains on a network, restarting mail services could restart Thursday's ordeal all over again. So many employees left work Thursday night with no guarantee things would be back to normal by Friday morning.
Where to get help
Several antivirus companies and computer pros are offering information and tools to help remove the ILOVEYOU virus from PCs. Many sites are working slowly because of high traffic.
- ZDNet ILOVEYOU Anti-Virus Center
- McAfee.com Anti-Virus
- F-Secure's info on how ILOVEYOU works
- Trend Micro's HouseCall online virus scanner
- Info from thePope.org on removing ILOVEYOU
"ILOVEYOU" went on a worldwide rampage Thursday, shutting down e-mail servers and deleting files. Researchers say the virus is spreading faster than the infamous Melissa virus, which brought companies to a standstill last year. But "love" already has had much more devastating effects. The statistics are staggering. Nearly 30 percent of businesses in Great Britain, and nearly 80 percent in Sweden, have been infected by the virus, according to anti-virus research firm Network Associates. In fact, the company says, ATM cash machines in Belgium were knocked offline thanks to the deluge of e-mail traffic created by the virus.
The federally funded CERT Coordination Center says so far it has received reports that 294,000 computers have been infected, and that only represents those systems where administrators have registered the infections with CERT.
Many companies, and even the Army, the Navy and NASA, have resorted to simply shutting down their e-mail systems while the virus worms its way around the Internet.
"This is the worst I've ever seen in my nine years in the business," said Mikko Hypponen, manager of anti-virus research at F-Secure Corp. "We actually don't know why it's so widespread, why it's spreading so fast."
For example, one European magazine has lost its photograph archive, and the U.K.'s House of Commons closed down its e-mail systems temporarily over concerns about the virus.
The virus targets users of Microsoft Outlook and only works under the Windows operating system. (Microsoft is a partner in MSNBC.)
Internet users are advised to update their virus scanning software as soon as possible. But throughout the day, anti-virus Web pages have been swamped with traffic and largely unreadable. So for now, the best bet is to avoid opening attachments entirely.
Researchers say the technology that spreads the virus is no smarter than that of previous viruses, leaving them a bit baffled over LoveLetter's worldwide rampage. One possible reason: victims can't resist opening an attachment that claims to be a love letter.
"Only human nature to want to open a letter that leads off with 'I love you,'" said David Perry, public education director at anti-virus research firm Trend Micro. He also suspects that because it's been several months since the last virus scare, computer users are a bit more gullible than they were perhaps a year ago, in the wake of the Melissa virus.
The file attachment is called "LOVE LETTER FOR YOU.TXT.vbs," which might also be adding to the confusion for consumers. It offers the appearance of being a harmless text file, and the "vbs" extension, which stands for Visual Basic Script, may also mislead users who are now trained to be skeptical of executable files with the extension .exe.
First reports of the virus came late Thursday afternoon Hong Kong time and early in the morning in Europe. Network Associates says its first sample of the virus arrived at 5 p.m. PT on Wednesday night, from an infected company in Manila, Philippines.
Ingram Micro, the world's largest computer parts distributor, was one of several companies forced to shut down all e-mail services.
"Our whole system is down," said facilities maintenance manager Chris Hernandez. "And we do almost all our business over e-mail." E-mail service has since been returned, and was lost for only about an hour, according to a company spokesperson.
Hypponen said a major European magazine lost its entire image database for the past two years to the virus. The magazine's publishing date was supposed to be Friday.
"Right now they are scrambling to figure out what to do," said Hypponen.
The virus first hit in Asia and is believed to have originated in the Philippines. Dow Jones Newswires and the Asian Wall Street Journal were among the early victims.
"It crashed all the computers," said Daphne Ghesquiere, a Dow Jones spokeswoman in Hong Kong. "You get the message and the topic says ILOVEYOU, and I was among the stupid ones to open it. I got about five at one time and I was suspicious, but one was from Dow Jones Newswires, so I opened it."
But corporations aren't the only victims. One doctor who e-mailed MSNBC said the virus had been arriving every five minutes to his pager, which receives incoming e-mails. Several readers also report having received the virus by FAX, since both pagers and fax numbers can be listed in an Outlook address book.
HOW IT WORKS
ILOVEYOU arrives as an e-mail attachment in a message automatically sent, apparently by a colleague.
A message sent to MSNBC.com by a venture capitalist included the text, "kindly check the attached love letter coming from me."
If a victim is tricked into opening the attached program, which is written in Microsoft's Visual Basic script, the virus renames every jpg image file and mp3 music file it can find. The images are deleted, but the mp3 files are backed up elsewhere on the victim's computer. The program also deletes a host of other files with the following extensions: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT and .HTA
But before deleting image and music files, the virus e-mails itself to every person or destination in the victim's various address books, including any corporate distribution lists. That's why it spreads so fast.
But the virus also has another trick up its sleeve. After infection, it changes the victim's Internet start page to one of four Web pages hosted by skyinet.net, a Philippines-based Internet service provider. There, the victim's computer is instructed to download a password-stealing program called WIN-BUGSFIX.EXE.
Ronald Elciario, a network administrator at skyinet.net, told MSNBC those Web pages have since been removed and the account holder's services have been terminated.
"This virus came from a hacker outside our service. They used our service as a gateway to spread it," Elciario told MSNBC.
WHO IS BEHIND THE VIRUS?
In the virus's source code, an individual named "spyder" takes credit for authoring the program. Hypponen said the name is unknown on the virus scene.
In a bit of programming understatement, the code contains a comment, likely by the author, suggesting the virus is "simple but i think this is good."
The code also references Manila, Philippines, but that doesn't necessarily indicate the author lives there.
There are no other hints as to who "spyder" might be other than this cryptic message within the code: "barok -loveletter(vbe) "i hate go to school"."
Sky Internet Inc., the Quezon City, Philippines, Internet service provider which inadvertently hosted some of the "ILOVEYOU" worm code, said late Thursday that the company has tracked the bug to another hosting service, but its efforts have apparently stopped there.
"Our service was used as a gateway," said Ronald Eociario, a system administrator for the ISP. "We already have pinpointed the (suspected source)." The system administrator said he used log files to track the account's users to another ISP in the Philippines. But, "We're not sure whether they're the (originating) host," he said.
The worm contacts one of four Web pages hosted on Sky Internet to download malicious code, in addition to its e-mail-spamming and infection components. The function of that code is still a source of speculation, and Sky Internet has since taken the file, called WIN-BUGSFIX.exe, offline.
The worm writer could have obfuscated his identity by passing through several accounts before creating the four accounts that contained the code. That's a common practice among traditional network attackers.
The four Web pages that acted as remote download sites for the worm have been shut down, said Eociario.
OTHER VICTIMS
Many European computer systems shut down e-mail servers Thursday. Britain's House of Commons was the latest U.K. organization to succumb to the virus. The lower House of Commons shut down its e-mail system for about two hours to safeguard against the virus.
Britain's Consumers Association and a major anti-virus firm said they also had been bombarded by calls from businesses whose e-mail servers had been hit by a blizzard of messages.
British Internet service provider Freeserve said it had set up a filter to screen out any e-mails with the words "I love you."
===============
InternetNews - Business News
internetnews.com, May 4, 2000
Another Virus Swamps E-mail Systems
By John Lewell
A computer virus spread by e-mail messages and IRC began tainting computer systems worldwide Thursday, striking first in Asia before quickly spreading to the United States and Europe.
The virus, an e-mail worm known as "I love you" or "love letter," is a VBScript virus that includes a damage component that overwrites certain media files on a hard drive or network. It originally included a component which sent network passwords cached by Windows to an attacker's site when an infected user connects to the Internet. That feature, which worked through a backdoor created in the Philippines, has been disabled.
If the attachment holding the virus is opened, the virus multiplies by finding other e-mail addresses and prompting the computer to generate new e-mail. Victims sometimes receive dozens of e-mail messages, all contaminated with the virus.
The virus, which appeared in Hong Kong late Thursday afternoon, seemed to particularly hit, among other businesses, public relations firms and investment banks. Dow Jones and the Asian Wall Street Journal offices in Asia were among its victims.
In Hong Kong, Japanese brokerage Nomura International Ltd. was one of the first to get hit. It also struck the company's London office, he said. "It just multiplies through the system and eradicates whole address books."
The e-mail system of the British House of Commons was shut down and around ten per cent of U.K. businesses were seriously affected by the virus.
Several companies that sell anti-virus software waded in with advice, although for many users they were too late. One of the quicker ones, GFI, warned that the latest outbreak was proof that e-mail was becoming the main means of mounting virus attacks.
Nick Galea, chief executive officer of GFI, said it was easy to block the virus using anti-viral software such as his company's Mail essentials.
"Just set Mail essentials to block VBS attachments in the Content Checking tab. This will block any incoming/outgoing infected mail. This way, the Mail essentials resolution will block all viruses of this kind as it will quarantine any attachments using a VB script," explained Galea.
Among the British companies affected by the virus were the BBC, BT, Cable & Wireless, and Compaq. Others were said to have their email systems overloaded by extra traffic as a result of the outbreak.
Other places affected by the virus included the Dow Jones Newswires and the Asian Wall Street Journal, the Florida Lottery Web site in the United States, and the Danish parliament and many companies in Denmark including telecom company Tele Danmark and channel TV2.
A spokesman at Network Associates claimed to have the name of the person who had originated the virus, but refused to disclose the culprit's identity.
Forewarned, systems administrators in the United States were able to take remedial action, lessening the impact of the virus on U.S. companies - although many thousands of computers were affected in early morning.
The virus arrives as either an e-mail attachment or via IRC. If received by e-mail, the subject of the message is "ILOVEYOU" and the body of the message says "kindly check the attached LOVELETTER coming from me."
The name of the attachment is LOVE-LETTER-FOR-YOU.TXT.vbs. However, if the system is not configured to show the extensions of files, it will look like a .txt file to the user.
If the virus is received via IRC, it appears as a file called LOVE-LETTER-FOR-YOU.HTM.
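The GFI advice above amounts to quarantining any message carrying a VBScript attachment, and the attachment name "LOVE-LETTER-FOR-YOU.TXT.vbs" shows why the check has to look at every suffix rather than the last one (Windows with extensions hidden shows only ".TXT"). The following mail-gateway filter is an added example written for this page, not GFI's product or any code from the articles; the message it parses is constructed, and the placeholder attachment body is not the worm:

```python
import email
from email import policy
from email.message import EmailMessage

# Script extensions the worm used to spread and to overwrite files
# (from the articles above); a gateway filter should reject them all.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}

# Subject lines reported for the original worm and the "JOKE" variant.
KNOWN_SUBJECTS = {"ILOVEYOU", "FW: JOKE"}


def script_extensions(filename: str) -> set[str]:
    """Return every script-type suffix found anywhere in the file name.

    'LOVE-LETTER-FOR-YOU.TXT.vbs' must match: compare every suffix after the
    first dot, case-insensitively, so a double extension cannot hide the .vbs.
    """
    parts = filename.lower().split(".")[1:]
    return {p for p in parts if p in SCRIPT_EXTENSIONS}


def classify(raw: bytes) -> dict:
    """Parse one RFC 822 message and decide whether to quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip()
    if subject.upper() in KNOWN_SUBJECTS:
        reasons.append(f"subject matches known worm subject: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hits = script_extensions(name)
        if hits:
            reasons.append(f"attachment {name!r} has script extension(s) {sorted(hits)}")
    return {"quarantine": bool(reasons), "reasons": reasons, "subject": subject}


def build_sample(subject: str, attachment_name: str) -> bytes:
    """Construct a sample message (made up for this example) shaped like the
    ones the articles describe; the attachment body is a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(b"' placeholder standing in for the attachment body\r\n",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, name in [("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                       ("FW: JOKE", "Very Funny.vbs"),
                       ("Q2 figures", "figures.txt")]:
        print(classify(build_sample(subj, name)))
```

The subject check only catches the two variants named in the articles; the extension check is the one that generalizes, since a renamed variant still has to arrive as a script for Windows to run it. Neither looks inside the attachment, so this is a gateway stop-gap alongside updated antivirus signatures, not a replacement for them.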
When executed, the virus makes copies of itself under the names MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows System directory and under the name Win32DLL.vbs in the Windows directory. It then modifies the Registry, causing the files Win32DLL.vbs and MSKernel32.vbs to execute every time Windows is launched.
The virus then modifies the Registry again, altering the startup page of Internet Explorer to download a file named WIN-BUGSFIX.exe from one of four possible places on skyinet.net (randomly selected) and the Registry is modified so that this file is executed the next time Windows is launched. This was the portion that collected network passwords. A system administrator at Sky Internet, the company that owns www.skyinet.net, said the four URLs that were collecting the passwords were shut down at about 5 a.m. EST.
Then the virus creates an HTML version of itself, in a file named LOVE-LETTER-FOR-YOU.HTM in the Windows System directory.
Next, the virus starts a copy of Outlook in the background (only Outlook 98 or 2000 will work - not Outlook 97 or Outlook Express). It examines all Outlook Address Books and, if an Outlook Address Book contains more addresses than the Windows Address Book, the virus mass-mails itself to all addresses in that Outlook Address Book. (The virus does NOT mass-mail itself to any addresses in the Windows Address Book.)
Finally, the virus examines all directories on all hard and network drives. If a file has one of the following extensions: VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, MP2, MP3, JPG or JPEG, the virus overwrites the file with a copy of itself. If the extension was not VBS or VBE, the virus adds the extension VBS to the name of the file. For instance, PICTURE.JPG becomes PICTURE.JPG.vbs. If a MP2 or MP3 file was overwritten, the virus also sets its file attribute to ReadOnly.
If, during this directory traversal, the virus finds the files mirc32.exe, mlink32.exe, mirc.ini, script.ini or mirc.hlp, it drops a file in that directory named SCRIPT.INI which begins with the comments:
;mIRC Script
; Please dont edit this script... mIRC will corrupt, if mIRC will corrupt... WINDOWS will affect and will not run correctly. thanks
;
;Khaled Mardam-Bey
;http://www.mirc.com
This file tries to send the file LOVE-LETTER-FOR-YOU.HTM from the Windows System directory via IRC's command /DCC to all users joining the IRC channel which the infected user is on.
The virus sets or modifies the following Registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
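The dropped copies, the ".vbs"-appended overwritten files, the mIRC SCRIPT.INI and the registry values listed above are the indicators an administrator would sweep for after restoring mail. The triage script below is an added example written for this page, not a tool from either article or from any vendor; it scans a directory tree for those file artifacts and a "reg export"-style text dump for the Run/RunServices entries and the Internet Explorer start page. The sample tree and the registry text it checks are constructed, and the placeholder file bodies are not the worm.

```python
import tempfile
from pathlib import Path

# Copies the worm writes to the Windows and Windows\System directories.
DROPPED_FILES = {"mskernel32.vbs", "win32dll.vbs",
                 "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
# Extensions the worm overwrites with itself; for all but VBS/VBE it appends ".vbs".
OVERWRITTEN_EXTENSIONS = {"js", "jse", "css", "wsh", "sct", "hta",
                          "mp2", "mp3", "jpg", "jpeg"}
# Distinctive phrase from the comment block the dropped SCRIPT.INI begins with.
MIRC_MARKER = "mIRC will corrupt, if mIRC will corrupt"
# (key path suffix, value name, substring the data must contain or None),
# all matched case-insensitively, for the registry values listed above.
REG_INDICATORS = [
    (r"windows\currentversion\run", "mskernel32", None),
    (r"windows\currentversion\runservices", "win32dll", None),
    (r"internet explorer\main", "start page", "win-bugsfix"),
]


def scan_tree(root):
    """Return one finding per suspicious file under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        parts = name.split(".")
        if name in DROPPED_FILES:
            findings.append({"kind": "dropped_copy", "path": str(path)})
        elif len(parts) >= 3 and parts[-1] == "vbs" and parts[-2] in OVERWRITTEN_EXTENSIONS:
            # The body of PICTURE.JPG.vbs is now the worm; the picture is gone.
            # original_name says what to restore from backup, not what to rename to.
            findings.append({"kind": "overwritten", "path": str(path),
                             "original_name": path.name[:-4]})
        elif name == "script.ini" and MIRC_MARKER in path.read_text(errors="replace"):
            findings.append({"kind": "mirc_script", "path": str(path)})
    return findings


def scan_reg_export(text):
    """Parse a 'reg export'-style dump ([key] headers, "name"="data" lines)
    and flag the values the worm sets."""
    findings, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name, data = name.strip('"').lower(), data.strip('"').lower()
            for suffix, vname, needle in REG_INDICATORS:
                if key.endswith(suffix) and name == vname and (needle is None or needle in data):
                    findings.append({"key": key, "value": name, "data": data})
    return findings


# Constructed registry export resembling an infected host (not captured data;
# the download URL is a placeholder, not one of the four real skyinet.net pages).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.com/WIN-BUGSFIX.exe"
'''


def build_sample_host(root):
    """Lay out a constructed directory tree carrying the artifacts described above."""
    root = Path(root)
    system = root / "WINDOWS" / "SYSTEM"
    system.mkdir(parents=True)
    body = "' placeholder standing in for the worm's VBScript body\n"
    (system / "MSKernel32.vbs").write_text(body)
    (root / "WINDOWS" / "Win32DLL.vbs").write_text(body)
    (root / "My Pictures").mkdir()
    (root / "My Pictures" / "PICTURE.JPG.vbs").write_text(body)   # was PICTURE.JPG
    (root / "My Pictures" / "intact.jpg").write_bytes(b"\xff\xd8\xff")  # untouched
    (root / "mirc").mkdir()
    (root / "mirc" / "script.ini").write_text(
        ";mIRC Script\n; Please dont edit this script... " + MIRC_MARKER + "\n")
    return root


def run_demo():
    """Build the sample host in a temporary directory, scan it, and return
    (file findings, registry findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_host(tmp)
        files = scan_tree(tmp)
    return files, scan_reg_export(SAMPLE_REG)


if __name__ == "__main__":
    for item in [*run_demo()[0], *run_demo()[1]]:
        print(item)
```

Two points the scan makes explicit: a file named PICTURE.JPG.vbs is not a renamed picture but a copy of the worm, so the fix is delete and restore from backup, and the Run/RunServices values are what re-launch the worm at boot, which is why a host that was "cleaned" by deleting the mailbox copy can reinfect a network the moment mail is switched back on.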
Jeff Carpenter, senior Internet security technologist with Carnegie Mellon's CERT Coordination Center, said preliminary analysis indicates that the virus is similar to Melissa in that it spreads through e-mail attachments. He said CERT is currently studying the virus and is working with virus experts to understand how the virus works and how to recover. He added that CERT received more than 150 reports of the virus as of 10 a.m. Thursday, higher than normal for an average virus.
Mikko Hypponen, manager of Anti-Virus Research at F-Secure Corp. in Espoo, Finland, said, "We've had two big media houses who've had their photo archives overwritten by this thing."
Hypponen said that organizations struck by the worm should take a number of steps. "If you're not sure what to do, the first thing you should do is to stop incoming mail and outgoing mail, then think what to do next," he said. "I know it sounds drastic, but it gives you time to react, and if you are spooling incoming and outgoing messages, you're not going to lose much if you keep it down for an hour or two until you have time to react.
"After you have done that, number two on your list, disable scripting in Outlook clients if you have Outlook clients in your organization. By disabling scripting or support for Windows Scripting Host, you are not vulnerable to this attack at all."
"Number three, update your anti-virus to handle this."