FRAMINGHAM (05/08/2000) - Companies around the world scrambled to purge the "I Love You" e-mail worm and follow-on variations from their systems last week in a hoax that surpassed the Melissa virus in scope, infecting 1 million computers, according to one security firm.
The havoc caused by the virus - clogged e-mail systems, communications stalled by servers taken off-line for inspection or the possible theft of passwords from infected systems - couldn't be quantified. But it showed once again the vulnerability of systems connected by the Internet and the reliance of business globally on e-mail.
"As long as we are intent on connecting to the Internet and using e-mail to communicate, there are going to be opportunities for crackers to go in and insert malicious code," said Tanya Candia, vice president of worldwide marketing at F-Secure Corp., a security software vendor in Espoo, Finland.
F-Secure claimed to have discovered the virus.
"We have built a worldwide network that lets us find out about incidents and come up with a fix, but there is always going to be some kind of lag," she said.
Internet security firm ICSA.net estimated that the worm had infected more than 1 million computers. Organizations hit included thousands of large companies, the U.S. Department of Defense agencies and Congress. It caused e -mail servers to be shut down at AT&T Corp., the Jet Propulsion Laboratory in Pasadena, California, Ford Motor Co., Philips Customer Call Center and The Walt Disney Co.
Antivirus companies, most of which offered no defense against the virus until its signature was discovered, found themselves swamped by anxious users. Web servers at antivirus companies such as Computer Associates International Inc. in Islandia, New York, and Symantec Corp. in Cupertino, California, were bogged down, preventing users from downloading fixes from the sites.
The virus, a Visual Basic software script, targets Microsoft Corp.'s Outlook e-mail program, automatically sending messages with the virus to everyone in the address book of the infected user. Microsoft said Outlook users can protect themselves by simply not opening the messages.
The virus also contained a Trojan Horse program that sent the cached Windows passwords of unsuspecting recipients to an e-mail account in the Philippines.
It had the ability to steal passwords to dial-up Internet services.
Microsoft insisted that any passwords downloaded would have been encrypted and therefore that any theft presented no risk to users.
Where controlling the virus was concerned, forewarned was forearmed.
At Xerox Corp. in Rochester, New York, workers were able to contain thousands of infected messages to the server because European colleagues alerted them to the virus at 5 a.m.
By the time normal business hours started, spokeswoman Christa Carone said, Xerox had purged the server and installed updates to its McAfee antivirus software. The company also alerted staff via voice mail, e-mail and notices on the company's public-address system.
"These efforts helped us, and there were no confirmed reports of damage to the system [that were] related to the virus," Carone said. The virus, which was reported in more than 20 countries, spread via e-mail, Internet Relay Chat and shared file systems. In infected e-mail messages, the subject line read "ILOVEYOU."
To avoid further infections, Candia said, IT managers should tell all company employees to delete virus-laden e-mails not only from their in-boxes but also from their deleted-file folders to ensure they aren't mistakenly opened later.
Software vendors stepped forward after the virus appeared to suggest that tools already exist to protect against "I Love You" and related threats.
W. Quinn Associates Inc. in Reston, Virginia, sells FileScreen 2000 for $195 per server to allow an administrator to prevent Visual Basic Scripts and other executables from being stored to a print, mail or file server.
"Unless your company has software developers, you have no real reason to store Visual Basic script, so you could just bar that with our product," said Steven Toole, marketing director at W. Quinn.
A variation of the "I Love You" virus, called VeryFunny.vbs, emerged later last week and hit companies including International Data Corp. in Framingham, Massachusetts, and Zona Research Inc. in Redwood City, California. The variation may defeat new antivirus provisions if it includes a significantly different signature from that of the original virus.
What to Do
Security experts advise taking the following measures to protect against the Love worm:
- Avoid clicking on e-mail attachments and shared files.
- Update antivirus software and halt the virus by disabling active scripting in Internet Explorer and e-mail programs.
- Internet Relay Chat users should disable the automatic receiving of files via the Direct Cable Connection file-sharing mechanism.
- The virus variation, which includes the subject line "fwd:Joke," can potentially be kept at bay by other technologies such as the MIMEsweeper product from Content Technologies Inc. in Bellevue, Washington. These technologies let users scan for certain words in the subject line of an e-mail and block those messages until an antivirus update can be installed.
- Systems administrators could protect against similar attacks by setting their Exchange servers to block all attachments written in Visual Basic script.
- Infected users should take care to change passwords that may have been compromised. The presence of files named MSKernal132.vbs and Win32DLL.vbs indicate that a system has been infected.