Virus Includes Password-Stealing Trojan Horse

FRAMINGHAM (05/05/2000) - The "I Love You" e-mail virus, which forced the shutdown of e-mail servers around the world yesterday, contains a Trojan Horse program that sent the cached Windows passwords of unsuspecting recipients who opened the virus-laden attachment to an e-mail account in the Philippines.

Security experts said the Trojan Horse program also has the ability to steal passwords to dial-up Internet services from end-user PCs. Infected users should take care to change passwords that may have been compromised, the experts warned.

Elias Levy, a security analyst at SecurityFocus.com in San Mateo, Calif., said the Love virus modified Internet Explorer start pages to point to one of four Web sites hosted by a Philippine-based Internet service provider called skyinet.

The virus -- which is contained in a Visual Basic scripting attachment called "LOVE-LETTER-FOR-YOU.TXT.vbs" -- configured compromised PCs to recognize the Philippine Web sites as their default IE homepage and then to download an executable called WIN-BUGSFIXE.exe. The executable in turn siphoned off Windows and dial-up passwords and sent them to mailme@super.net.ph, a Philippine e-mail address.

A Microsoft Corp. spokesperson confirmed that the Philippine Web sites were stealing passwords, but said that these sites had been taken down. The company insisted that any passwords downloaded would have been encrypted and therefore present no risk to users.

But Levy argued that companies infected by the malicious program before the Web sites were disabled could have inadvertently shipped sensitive and accessible passwords to an unknown attacker. "Anybody that finds the executable on their PC should change passwords on any accounts that you use your computer from," he said.

"It is actually one of the more complex viruses that we have seen because it fits the category of a virus, a worm and Trojan Horse code that masquerades as one thing and then does something else in the background," said Tanya Candia, vice president of worldwide marketing at F-Secure Corp. F-Secure, a security software vendor in Espoo, Finland, claims to have discovered the virus.

The Pittsburgh-based Computer Emergency Response Team (CERT) said it had received reports that more than 300,000 computers at 250 sites had been affected as of 2 p.m. eastern time on Thursday. Organizations that were hit by the Love virus included large companies such as Merrill Lynch & Co. and Dow Jones & Co., plus e-mail users at Department of Defense agencies and the U.S. Senate and House of Representatives.

The scope of the infection is being compared to the damage wrought by the widely publicized Melissa worm last year. For example, Network Associates Inc., a Santa Clara, Calif., vendor that develops the McAfee VirusScan tools, said up to 80% of its Fortune 100 clients were affected by the Love virus.

A variation of the virus, called VeryFunny.vbs and featuring the subject line "fwd: Joke," emerged later yesterday and hit companies such as International Data Corp. in Framingham, Mass., and Zona Research Inc. in Redwood City, Calif.

Anti-virus companies, most of which offered no defense against the virus until its signature was discovered, found themselves swamped by anxious users. Web servers at anti-virus companies such as Computer Associates International Inc. and Symantec Corp. were bogged down, preventing users from downloading fixes from the sites.

Many companies have had to shut down their mail servers and disconnect from the Internet to clean out the virus and infected files. "We have seen a tremendous disruption in business," Candia said. "You have to believe that anything that can cause that kind of load on a corporate network is going to affect all kinds of services."

Christa Carone, a spokesperson at Xerox Corp. in Rochester, N.Y., said Xerox workers in the U.S. were alerted about the virus by European colleagues at 5 a.m. eastern time on Thursday morning. The early warning gave IT managers the opportunity to isolate the virus at the server level before it reached company desktops, she said.

But thousands of infected messages were found on the company's Microsoft Exchange server, which had to be brought down for two hours so the virus could be purged before the start of the business day. The company also shut down its external e-mail traffic until noon.

By the time normal business hours started, Carone said, Xerox had also deployed updates to its McAfee anti-virus software and broadcast voicemail messages, e-mail flyers and notices on the company's public-address system warning employees about the virus.

"These efforts helped us, and there were no confirmed reports of damage to the system (that were) related to the virus," Carone said. "The response team has had a horrific day and worked around the clock. However, it has been seamless to (other) Xerox employees."

Schebler Co., a Bettendorf, Iowa, maker of sheet metal, also was affected.

"I've gotten nailed by this one. This one is bad," said Marty Cox, Schebler's information systems manager.

Cox said his Internet services provider brought down its e-mail server to clean out the virus. Meanwhile, he couldn't access the Web site of Schebler's applications software vendor, Made2Manage Systems in Indianapolis, and Cox said Made2Manage's e-mail system also appeared to be down.

"It could really hurt us if it ends up to be long term," Cox said. "We rely on e-mail to send (computer-aided design) drawings back and forth between companies, and to do it via snail mail would really slow us down."

The virus, which was reported in more than 20 countries, spread via e-mail, Internet Relay Chat and shared file systems. The presence of files named MSKernal132.vbs and Win32DLL.vbs indicates that a system has been infected.

In infected e-mail messages, the subject line reads "ILOVEYOU" and the body of the message typically asks recipients to "kindly check the attached LOVELETTER coming from me." The attachment file, which is written in Visual Basic Script (VBScript), is likely to be called "LOVE-LETTER-FOR-YOU.TXT.vbs."

The virus targets Microsoft's Outlook e-mail program, automatically sending messages with the virus to everyone in the address book of the infected user.

Microsoft said Outlook users can protect themselves simply by not opening the messages.

But for users who have both Outlook and a companion product called Windows Scripting Host, simply previewing the message is enough to activate the virus, CERT reported. "Advice to avoid clicking on unsolicited mail doesn't help in this case, though it does help users of e-mail programs other than Outlook," CERT said in a statement.
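The server-level isolation Xerox describes comes down to inspecting mail before it reaches an Outlook client. The following is an added example, not code from the article or from any vendor named in it, of the check a mail gateway could apply: it flags the known subject lines and attachment names, but more usefully it flags any attachment whose final extension is a Windows Scripting Host script type, including the "document.txt.vbs" double-extension trick, so that a renamed variant such as the "fwd: Joke" mailing is caught without a new signature. The sample messages, addresses and attachment contents are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows Scripting Host or the shell will execute when the
# attachment is opened. .vbs is what the Love Letter attachment used; the
# others are script types the article says the worm overwrites, so a variant
# could just as easily arrive in one of them.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}

# Lure subject lines and attachment names reported for the original mailing
# and the "fwd: Joke" variant. Useful as a fast match, but never sufficient.
KNOWN_SUBJECTS = {"iloveyou", "fwd: joke"}
KNOWN_ATTACHMENTS = {"love-letter-for-you.txt.vbs", "veryfunny.vbs"}


def classify_attachment(filename):
    """Return a verdict string for a suspicious attachment name, else None."""
    name = filename.strip().lower()
    if name in KNOWN_ATTACHMENTS:
        return "known-worm-attachment"
    parts = name.split(".")
    if len(parts) >= 2 and parts[-1] in SCRIPT_EXTENSIONS:
        # "photo.jpg.vbs" or "notes.txt.vbs": a benign-looking name with a
        # script extension tacked on, which Explorer hides by default.
        if len(parts) >= 3:
            return "double-extension-script"
        return "script-attachment"
    return None


def scan_message(raw_bytes):
    """Parse one RFC 822 message and return a list of findings (empty = clean)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        findings.append("subject matches known lure: %r" % subject)
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        verdict = classify_attachment(filename)
        if verdict:
            findings.append("%s: %s" % (verdict, filename))
    return findings


def build_sample(subject, body, attachment_name=None):
    """Constructed test message; the attachment is a placeholder, not worm code."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"   # constructed address
    msg["To"] = "you@example.invalid"           # constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"' constructed placeholder, not the worm\r\n",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: the original mailing, the variant, a hypothetical
# renamed variant no signature would know about, and a clean message.
SAMPLES = {
    "loveletter": build_sample(
        "ILOVEYOU",
        "kindly check the attached LOVELETTER coming from me.",
        "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    "joke_variant": build_sample("fwd: Joke", "have a laugh", "VeryFunny.vbs"),
    "unknown_variant": build_sample("Meeting notes", "See attached.", "notes.doc.vbs"),
    "clean": build_sample("Meeting notes", "See attached.", "notes.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", scan_message(raw) or "clean")
```

Blocking on subject or file name alone is what left anti-virus vendors "swamped" waiting for a signature; the extension check is what actually stops the next renamed copy.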

Huge volumes of outgoing mail triggered by the virus's self-replicating worm feature clogged corporate networks around the world. According to Levy, the virus also overwrites files ending in js, jse, css, wsh, sct and hts and then renames them to end with vbs.

It does the same thing with image files ending with jpg and jpeg, Levy said. He added that the virus also finds MP3 files and creates vbs files in the same name, but in that case the original files are simply hidden and can be recovered.
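For someone cleaning up an infected PC, the practical question is which files were merely hidden and which were overwritten. The following added example, not code from the article or from any vendor it names, walks a directory tree and sorts what it finds into the three classes the article describes: the dropped indicator files, ".vbs" copies whose original is still present beside them (the MP3 case, recoverable), and ".vbs" copies whose original is gone (overwritten). The indicator file names and extensions are taken as the article reports them; the directory tree is constructed for the example and contains placeholder text, not worm code.

```python
import os
import tempfile

# Indicator files the article reports on an infected host (names as printed).
DROPPED_FILES = {"mskernal132.vbs", "win32dll.vbs"}

# Extensions the article says the worm replaces with a .vbs copy. For most the
# original is overwritten; for MP3s the original is only hidden, so it remains
# on disk alongside "song.mp3.vbs" and can be recovered.
TARGET_EXTENSIONS = {"js", "jse", "css", "wsh", "sct", "hts",
                     "jpg", "jpeg", "mp3"}


def triage(root):
    """Classify files under root; paths are returned relative to root."""
    report = {"dropped": [], "overwritten": [], "recoverable": []}
    for dirpath, _, files in os.walk(root):
        present = {f.lower() for f in files}  # hidden files still appear here
        for name in files:
            lower = name.lower()
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            rel = rel.replace(os.sep, "/")
            if lower in DROPPED_FILES:
                report["dropped"].append(rel)
                continue
            if not lower.endswith(".vbs"):
                continue
            stem = lower[:-4]                       # "photo.jpg.vbs" -> "photo.jpg"
            if "." not in stem:
                continue                            # a plain user script, not a worm copy
            if stem.rsplit(".", 1)[-1] not in TARGET_EXTENSIONS:
                continue
            if stem in present:
                report["recoverable"].append(rel)   # original sits next to the copy
            else:
                report["overwritten"].append(rel)   # original was replaced
    return report


def make_sample_tree():
    """Build a constructed directory that mimics an infected profile."""
    root = tempfile.mkdtemp(prefix="loveletter-triage-")

    def touch(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    placeholder = b"' constructed placeholder, not the worm\r\n"
    touch("windows/system/MSKernal132.vbs", placeholder)   # dropped indicator
    touch("windows/Win32DLL.vbs", placeholder)             # dropped indicator
    touch("docs/photo.jpg.vbs", placeholder)               # photo.jpg overwritten
    touch("docs/site.css.vbs", placeholder)                # site.css overwritten
    touch("music/song.mp3", b"constructed audio bytes")    # hidden original
    touch("music/song.mp3.vbs", placeholder)               # copy beside it
    touch("docs/notes.txt", b"untouched")                  # ignored
    touch("docs/cleanup.vbs", b"' a user's own script")    # ignored, no double extension
    return root


if __name__ == "__main__":
    result = triage(make_sample_tree())
    for kind, paths in result.items():
        print(kind + ":", sorted(paths))
```

Files listed as "recoverable" can be restored by deleting the .vbs copy and clearing the hidden attribute on the original; the "overwritten" list is what has to come back from backup, and the "dropped" list is the signal to follow Levy's advice and change any passwords used from that machine.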

Candia said F-Secure discovered the virus Wednesday evening, when the security vendor got a call from an infected user in Norway. F-Secure suspects that the virus originated in the Philippines because the author of the Trojan Horse program included a message in the software reading "Copyright 2000, GRAMMERSoft Group, Manila, Phil."

But while all indications point to a Philippines-based attacker, it could be an effort by the virus author to mask his or her identity, Candia noted.

"It could be someone sitting in New York who could have an account on a Philippine ISP," Levy agreed. "He could be sitting in the Bronx in his shorts and laughing."
