People Around the World Bitten by Love Bug

FRAMINGHAM (05/05/2000) - It's springtime and love is in the air, or in this case, e-mail.

But with e-mail it's better not to have loved at all as a computer virus called "LoveLetter" began making the rounds this week infecting e-mail users, deleting multimedia and script files, attempting to steal password information and clogging mail servers. Not since the Melissa virus of a year ago has an e-mail-borne virus wreaked so much havoc.

Like Melissa, LoveLetter's main source of propagation is through e-mail. Users will get a message, usually from someone they know, with a subject line of "ILOVEYOU," a message of "kindly check the attached LOVELETTER coming from me," and an attachment called "LOVE-LETTER-FOR-YOU.TXT.vbs." To be infected, the user must attempt to open the attachment, which is not a message of sweet nothings, but a destructive virus.

There are reports that someone may have changed the name of the virus to "Very Funny" with a subject of "Fwd: Joke" to evade filters set for "I Love You."

LoveLetters does a number of things once a machine is infected, including replicating itself to everyone listed in a user's Microsoft Corp. Outlook address book. Melissa only replicated to the first 50 users listed. According to CERT's Web page, 250 sites representing some 300,000 Internet hosts had been infected with the virus last Thursday evening.

More than just causing a nuisance by clogging e-mail servers with bogus mail, the virus also copies itself into JPEG and MP3 files, among others, essentially destroying the original file. After doing so, LoveLetter changes the name of the file by adding a ".vbs" extension on the end. The search and destroy function is not limited to the user's local hard drive because the virus also seeks out any network drive that is connect to the machine.

When a user tries to open what they think is a picture file, they can unwittingly re-launch the virus, says Patrick Martin, product manager for Symantec Corp.'s Anti-virus Research Center. LoveLetter also creates a few VBScript files in the Windows System directory that are designed to look like system files. By modifying the infected machine's registry, the virus ensures that it is launched each time the system restarts.

The virus also changes the user's Internet Explorer start page, replacing it with a link to an executable file on www.skyinet.net. When downloaded, the file tries to steal password and network information and send the data to an e-mail address in the Philippines. Luckily, shortly after the virus was discovered, the Web site was made unavailable to the public, so any users that are just now being infected will not have their passwords stolen.

The virus also seeks out international recorder carrier clients on the target machine and attempts to send copies of itself through an infected ".htm" file to everyone in active chat rooms.

At GTSI in Chantilly, Virginia, hundreds of employees were hit early Thursday morning by the virus when about 10 employees opened the e-mail attachment, which spread further by mailing itself out via the Exchange directory. To combat the problem, GTSI shutdown its internal mail servers and had users install an update to their McAfee antivirus software that can detect the intruder, says GTSI Chief Information Officer Mays Nakashima.

Network World also sustained a minor hit, with six users unknowingly launching the virus. Fortunately, Network World does not use Outlook, so the virus was contained to our own servers.Backups also had been made of most of the corrupted files.

The Commonwealth of Massachusetts shut down its Internet mail servers in an effort to avoid infection, affecting 20,000 workers. United Messaging, an e-mail application service provider based in West Chester, Pennsylvania, was trapping 500 infected messages per hour on Thursday afternoon, according to Jim Dorsey, director of product management. His company was using the Sophos antivirus system to weed out bad messages for their corporate clients.

There were also published reports of the virus causing e-mail slowdowns on Capitol Hill and shutting down external e-mail at Britain's House of Commons.

Senior Editor Ellen Messmer contributed to this story.

Join the newsletter!

Error: Please check your email address.

More about CERT AustraliaGTSIMcAfee AustraliaMicrosoftSophosSymantecUnited Messaging

Show Comments

Market Place