Virus Still Showing Lots of "Love"

FRAMINGHAM (05/05/2000) - The "ILOVEYOU" virus is becoming like a persistent ex-paramour - it keeps coming back for another try.

The so-called LoveLetter Worm, which exploded onto desktops yesterday, is now showing up in several different forms, according to the U.S. Federal Bureau of Investigation, anti-virus watch groups and security software vendors.

"This makes Melissa look tame," said Eric Hemmindinger, an analyst at Boston-based Aberdeen Group Inc., referring to a widely publicized e-mail worm that appeared last year.

Melissa spread fast, clogged e-mail and was seen as a nuisance, Hemmindinger said. But the LoveLetter worm "has all of this plus it self-replicates, and the nasty thing is it infects files," he said.

According to Network Associates Inc., a security vendor in Santa Clara, California, there are now five variants being spread around via e-mail. By Monday, one or two more may appear from copycats, Hemmindinger said.

Central Command Inc.'s Emergency Virus Response Team (EVRT) today reported the variants are spreading just as fast as the original I-Worm.LoveLetter worm. The subject lines of the known versions of the worm include:

Subject: ILOVEYOU

Subject: Susitikim shi vakara kavos puodukui ...

Subject: fwd: Joke

Jeff Carpenter, a senior Internet security technologist at the Computer Emergency Response Team's (CERT) Coordination Center in Pittsburgh, this morning said the variants have different message content and attachment names than the original virus that burst into the world's computers yesterday.

According to Central Command, a Medina, Ohio-based anti-virus vendor, an estimated 2.5 million PC users in the U.S. alone have been hit by the Love worm or its counterparts.

Carpenter said CERT has received "several hundred reports" from industry, government, academic institutions and home users indicating that more than 600,000 computers have been infected by the worm. CERT bases its figures on direct reports that it receives from users, and Carpenter said the actual number of infected PCs is probably much higher.

The Love worm is rejecting users in the form of an e-mail message with an attachment called "LOVE-LETTER-FOR-YOU.TXT.VBS." The ".vbs" extension may not appear on a default Windows system, which could lead users to believe the attachment is a harmless text file.

But once the attachment is opened, the worm uses Microsoft Outlook - if it's installed - to send the message to everyone in the infected user's address book. The worm can also propagate through a Windows-based Internet Relay Chat client called MIRC if that program is installed, security experts said.

As a result, e-mail servers suffer overloads and more personal files and files stored in shared directories on a victim's PC are overwritten by the virus.

And now the FBI is getting involved, launching an investigation into the Love worm's origination.

The government agency's National Infrastructure Protection Center (NIPC) said the worm has been reported in at least 20 countries. It also warned that the LoveLetter can capture affected caches and transfer this information to a third party.

Aberdeen's Hemmindinger said the LoveLetter worm has "a much nastier payload" than Melissa did, but he added that users in the U.S. may not be impacted as badly this time around because of their experiences with Melissa last year.

However, companies may have to suffer the same kind of lost time and decreased worker productivity that they did a year ago because of the need to shut down e-mail systems to eradicate the worm, Hemmindinger said.

Join the newsletter!

Error: Please check your email address.

More about Aberdeen GroupCERT AustraliaComputer Emergency Response TeamFBIFederal Bureau of InvestigationMicrosoftNIPC

Show Comments

Market Place