ILOVEYOU Doesn't

BOSTON (05/15/2000) - Last week we deferred further discussion about audio technology to bring you a burst of spleen and fury. If you were waiting for the continuation of this topic, Gearhead apologizes. Due to a number of inquiries received about the recent Internet worm outbreak, we will defer this topic once more.

In case you've just come back from a yacht trip or an expedition to Mount Everest, allow us to set the scene: On May 4, a whole new wave of nasty code spread across the country. This code wasn't, as some have reported, a virus. It was a worm. The worm is called ILOVEYOU.

The difference between a worm and a virus has been the subject of heated academic dispute over the past few years ("The thing that makes academic infighting so nasty is that the stakes are so low" - Anon.).

Simply and practically put, a worm is a Trojan horse (a program that stands alone and has a hidden agenda) that spreads itself via networks.

The ILOVEYOU worm is a Visual Basic program that is attached to e-mail messages. When a "dumb user" opens the attachment, the program executes, opens the local user's address book and mails itself to all the addresses it can find.

And just to ice the cake, the little beast erases all of the MP3 and JPG files it can find, although not in a sophisticated manner - you can undelete the files without much hassle.

Now, Gearhead does not use the term "dumb user" lightly. It takes a particular kind of denseness to a) open an attachment without knowing exactly what it is, b) open an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs, c) open the attachment if it comes from someone who hasn't previously declared their interest in you, and d) open the attachment if it comes from your boss.

Since May 4, at least five variants of ILOVEYOU have been found, including MOTHER'S DAY, which informs you that you have just been charged $326.92 for jewelry and deletes all your INI and BAT files. The actual Trojan is in the attached "invoice" that the message encourages you to examine.

Rather than going on in detail about what this code does, Gearhead suggests you check out F-Secure Corp.'s Web pages at www.f-secure.com/v-descs/love.htm. The company was one of the first to produce a detector and eradicator for the Trojan, and it lists the variants it has discovered, labeled .A through .K.

What is so interesting about this worm is how quickly it spread: some experts estimate it to be the fastest-spreading malicious code ever. The previous bad boy of the worm world was Melissa, which stopped sending copies of itself after the first 50 address book entries. Because ILOVEYOU attempts to send to all entries, it spread far more rapidly than Melissa.

So what can you do to protect your network? Gearhead suggests that you first instruct your users that if they don't know who sent a message or what is being sent, they shouldn't open it. Second, take a look at server or gateway filtering solutions that can remove and quarantine attachments. Third, don't allow dangerous attachments to be sent. We know your people need to send documents around, but ensure they choose a safe format like text or rich text format.
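
As an added illustration of the second suggestion (this is not code from the column or from any gateway product), the Python example below removes and quarantines attachments whose final extension is a script or executable type, and flags the double-extension disguise used by LOVE-LETTER-FOR-YOU.TXT.vbs. The extension lists, function names and sample message are assumptions constructed for the example, and only top-level attachments are examined.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist of script and executable extensions; adjust to local policy.
BLOCKED = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "scr", "pif", "bat", "com"}
# Harmless-looking extensions commonly used as the decoy in a double extension.
DECOYS = {"txt", "rtf", "doc", "jpg", "gif", "mp3", "pdf"}

def classify_attachment(filename):
    """Return the reason to quarantine this filename, or None to let it pass."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    parts = (filename or "").strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in BLOCKED:
        return None
    if len(parts) >= 3 and parts[-2] in DECOYS:
        return f"double extension: .{parts[-2]} disguises .{parts[-1]}"
    return f"blocked extension .{parts[-1]}"

def filter_message(raw_bytes):
    """Remove blocked attachments; return (cleaned message, quarantine list)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    quarantine = []
    for part in list(msg.iter_attachments()):
        reason = classify_attachment(part.get_filename())
        if reason:
            quarantine.append((part.get_filename(), reason, part.get_payload(decode=True)))
            msg.get_payload().remove(part)  # detach from the multipart container
    return msg, quarantine

def build_sample():
    """Constructed test message: one disguised script, one RTF document."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "ILOVEYOU"
    msg.set_content("Constructed body text.")
    msg.add_attachment(b"' inert placeholder, not worm code", maintype="application",
                       subtype="octet-stream", filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment(b"{\\rtf1 meeting notes}", maintype="application",
                       subtype="rtf", filename="notes.rtf")
    return msg.as_bytes()

if __name__ == "__main__":
    cleaned, held = filter_message(build_sample())
    for name, reason, payload in held:
        print(f"quarantined {name}: {reason} ({len(payload)} bytes)")
    print("delivered with:", [p.get_filename() for p in cleaned.iter_attachments()])
```

The check keys on the last extension only, because that is the one Windows uses to decide how to open the file; the ".TXT" in the middle is there for the reader, not the operating system.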

Best of luck in keeping this new problem at bay. Tales of battle to gh@gibbs.com.
