STOCKHOLM (05/05/2000) - Users should beware of e-mail messages with the subject line "Mothers Day Gift Confirmation." Attached in the message is one the latest variants of the "Love Letter" worm that since yesterday has hit millions of computers around the world -- carrying the same destructive load.
Unlike the original "love bug," which by all accounts originated in the Philippines, this version appears to have been born in the U.S., according to Mikko Hypponen, manager of antivirus research at security software supplier F-Secure Corp., in Espoo, Finland.
"We received the first sample of 'Mothers Day' at 2 p.m. today our time (GMT +2) from the U.S.," said Hypponen. "Since the text in the message also refers to U.S. dollars, it certainly appears to be from America, but we have not confirmed that yet."
Antivirus vendors so far have spotted at least five different variants of the worm, but Hypponen said that Mother's Day is the most cunning variant his company has come across so far.
"Not all virus writers are stupid," he said. "It has since been spotted in five or six countries, so it is definitely getting around, although it is not spreading as fast as the first one."
The message field of the Mother's Day e-mail reads: "We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! firstname.lastname@example.org."
The attached file is titled mothersday.vbs.
For consumers, vendors such as F-Secure are now recommending that they turn off a feature called Windows Scripting Host that is one of the default settings in Microsoft Corp.'s software. By turning this feature off, users will not be affected by any VBScript worms such as the original love letter and its variants.
"This is what we recommend now, since the feature is of no use to most users, and we have posted instructions for how to do it on our Web site," said Hypponen. "It is probably the next best way to protect your PC. The best fix is to de-install Windows and install Linux."
There are other variants of the "Love Letter" worm, and they are hitting as system administrators spend the day completing the fixes they began running yesterday, according to the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh.
CERT itself has confirmed that more than 600,000 PCs at 500 locations, including businesses, government agencies and home users, were affected by the "Love Letter" worm, said Jeffrey Carpenter, senior Internet security technologist at CERT. The cost of recovery is running into tens of thousands of dollars at some locations, Carpenter said, and in some cases, damage is difficult to measure. One organization reported losing 40G bytes of JPEG files, Carpenter said.
"A lot of sites have not yet completely recovered, and their e-mail gateways are still down," he said. "They had so much mail to go through. Some places have had to reinstall the operating system because the resources spent recovering would have been more than rebuilding the machine."
Reports of variants, which are the work of hackers who are using the original "Love Letter" code, started appearing last night, Carpenter said.
Among other variants that have been identified, one uses the subject line "fwd:
Joke" with an attachment titled "Very Funny.vbs." Another is in Lithuanian and reads "Susitikim shi vakara kavos puodukui ," which translates into English, according to F-Secure, as "Let's meet this evening for a cup of coffee..."
These variants may behave differently than the original worm and impact different files, according to an alert issued by the National Infrastructure Protection Center located in the FBI's headquarters in Washington.
Carpenter said CERT, whose primary role is to provide technical information to system and network administrators, expects to continue receiving reports of the spread of the worm, including the variants, over the next couple of days.
The FBI, meanwhile, says it has begun an investigation to determine the origin of the "Love Letter" worm, which has been compared with the Melissa macrovirus that affected corporate and consumer e-mail systems worldwide last year. The hacker who created that virus, David Smith, is in jail.
F-Secure, in Espoo, Finland, can be reached at +358-9-8599-0688, or at http://www.f-secure.com/.