BOSTON (05/08/2000) - Of all the variations of the "I Love You" e-mail virus that emerged late last week, computer security experts said one that entices users with a come-on about a Mother's Day gift order is the most clever -- and the most dangerous.
The Mother's Day variant can do more permanent damage to systems than the original virus by deleting all the .ini and .bat files used for storing system configurations on disk drives and in directories. It may also do serious damage to network files while leaving computers unbootable, analysts said.
The variant also cunningly preys on consumer concerns about e-commerce fraud in an attempt to get unsuspecting users to open the virus-laden attachment contained in the message.
According to F-Secure Corp., a Finland-based vendor of antivirus software, the virus appears as a confirmation of an apparent order for a "Mothers Day diamond special." The message arrives with a subject line reading "Mothers Day Order Confirmation," and once opened it offers an attached file, called mothersday.vbs, that appears to be an invoice.
The Visual Basic script (.vbs) extension should tip off users who already got burned by the "I Love You" virus, which was written in the same scripting language. But on a default Windows system, the .vbs extension isn't visible, F-Secure officials said.
In addition, the body of the message was cleverly designed to maximize the chances that users will override warnings from information technology managers and open the unknown attachment. The message reads:
"We have proceeded to charge your credit card for the amount of $326.92 for the Mothers Day diamond special. We have attached a detailed invoice to this email.
Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! Mothersday@subdimension.com."
"This is a work of social engineering to find new ways to (get users to) activate the virus code," said Pirkka Palomaki, director of product marketing at F-Secure.
When users do open the Mother's Day attachment, the message is sent to everyone listed in their Microsoft Outlook address books. That's similar to the way the original "I Love You" virus acts, but the original overwrites only image and music files -- not the system-configuration files that the Mother's Day variant attacks.
By midday Friday, five variants of the "I Love You" virus had been identified, including the original form that was spread around the world in wildfire fashion Thursday.
According to F-Secure, one of the other variants apparently was modified in Lithuania. The subject field of the e-mail message reads, "Susitikim shi vakara kavos puoduki . . ." -- Lithuanian for "Let's meet this evening for a cup of coffee."
Another variant has a subject field of "fwd: Joke," and its accompanying attachment is called "Very Funny.vbs." The final variant is identical to the original "I Love You" worm but has been slightly modified in an effort to make it undetectable to some antivirus programs.
Palomaki said it isn't easy to catch copycat virus writers, partly because not all countries have laws against writing computer viruses. He noted that virus writers can also cover their tracks with spoofed e-mail accounts or break into legitimate Web sites and e-mail and then operate from them. "It makes it very hard to track the virus writers," Palomaki said.