Computerworld

Love Letter Worm Rated Most Damaging Ever

SINGAPORE (05/05/2000) - The Love Letter computer worm launched yesterday at approximately 3 a.m. Eastern U.S. time by a teenager in the Philippines is by far the worst, most expensive, most pervasive and most damaging virus in history, according to Internet security company ICSA.net.

Love Letter is technically a worm with virus qualities, according to Singapore's Infocomm Development Authority (IDA), which is coordinating the country's response to the rapidly spreading virus.

ICSA.net estimates that by 9 a.m. Eastern U.S. time, the virus had already infected more than a million computers, causing in excess of US$100 million in damage. The final bill will exceed $1 billion from lost data, interrupted work, and the cost of fixing the damage, ICSA.net Chief Scientist Peter Tippett said in a statement.

ICSA.net said it expected to see multiple variants of the worm distributed soon.

Although most users are alert to the Love Letter message, the danger is not over yet, an Australia-based official of Computer Associates International Inc. (CA) said today.

Variants of the virus are easy to create and are likely to hit computer systems this weekend and beyond, said Frances Ludgate, business manager for CA's Etrust security software.

"As each variant comes along, there will be another little peak. I think we can expect to have this around for another couple of weeks," Ludgate said.

Few countries in Asia, where the virus first struck, have been spared as the virus propagates through the popular Microsoft Corp. Outlook and Outlook Express e-mail clients.

The New Zealand government reported that two of its departments had been affected, and businesses in Australia, Singapore, Taiwan and Vietnam all reported being hit.

Singapore's Computer Emergency Response Team (SingCERT) reported many instances of the virus, as the country has large numbers of small businesses with few in-house computer skills.

"All our e-mails today have some virus attached to them," said Gabriel Wong, an associate with East-West Public Relations Ltd. in Singapore. "We've had the network people in, but we can't seem to get rid of the virus. We're now worried about sending e-mails out in case we affect other people."

The virus has also hit several private sector companies in Vietnam and will probably hit government departments as well, according to Ho Chi Minh City-based Internet consultant Andrew Marshall.

The purported author calls himself "Spyder" and is apparently a teenager in the Philippines, according to investigators who tracked the worm's origin to two e-mail addresses in the Philippines. But there is no proof the hacker was based in the Philippines, since the service was prepaid and there is no way to trace who owned the accounts, the investigators said.

The virus uses Visual Basic Script (VBS), which is used extensively to automate all common Microsoft Office products, as its mechanism for infection, spread and damage. It also invokes a particular Windows Internet Relay Chat (IRC) client called mIRC and may attempt to replicate to all recipients of the chat channel or those who join afterwards, ICSA.net said.

All LAN machines are also infected. The virus file appears under numerous base names, but always with a file extension of VBS (*.VBS) and always with a size of 10,309 bytes. Preliminary analysis suggests that the virus may also steal passwords from a user's machine and attempt to send these to another site on the Internet, ICSA said.
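The two file indicators reported above (a .VBS extension and a size of 10,309 bytes) can be checked at a mail gateway before a message reaches the client. The following is an added example, not code from the article or from ICSA.net; the function names, verdict labels and sample message are constructed for illustration. Because variants are expected, the extension alone is treated as grounds to block, and the exact size only raises confidence.

```python
import email
from email import policy
from email.message import EmailMessage

# Size the article reports for the worm file; variants may differ.
REPORTED_SIZE = 10_309


def classify_attachments(raw_message: bytes):
    """Return (filename, decoded_size, verdict) for each attachment
    in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # decode=True undoes base64/quoted-printable so the size is the
        # size of the file as it would land on disk, not the encoded size.
        payload = part.get_payload(decode=True) or b""
        size = len(payload)
        if name.strip().lower().endswith(".vbs"):
            # Any script attachment is blocked; the exact size match is
            # a stronger indicator of the original worm file.
            verdict = ("match-reported-size" if size == REPORTED_SIZE
                       else "block-script")
        else:
            verdict = "pass"
        findings.append((name, size, verdict))
    return findings


def build_sample(filename: str, body: bytes) -> bytes:
    """Constructed test message; the attachment is inert filler bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "constructed test message"
    m.set_content("see attachment")
    m.add_attachment(body, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname, length in [("note.VBS", 10_309), ("other.vbs", 9_000),
                          ("photo.jpg", 10_309)]:
        print(classify_attachments(build_sample(fname, b"A" * length)))
```
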

The impact of the virus in Australia has been less widespread than in Europe or North America probably because many businesses were closed for the day before the virus messages arrived on Thursday, said Computer Associates' Ludgate.

"Not having it happen during our working hours means we have been able to deal with it," Ludgate said.

Helping to dull the impact, both China and Japan have been out on holidays this week, she added.

"China and Japan should be well aware of this when they come back, but they probably will still be hit" to a lesser degree when businesses reopen on Monday and users find variants of the virus message in their inboxes, Ludgate said.

An extended May Day holiday in China seems likely to reduce the impact of the virus there, said Christine So, a representative of Symantec Corp. in Hong Kong. Symantec received no inquiries or infection reports from China, she said, though it received about 60 inquiries and several reports of infection in Hong Kong.

However, the virus caught some Asian businesses before the end of the day yesterday.

A business manager at one public relations agency in Hong Kong got the Love Letter e-mail late Thursday afternoon and opened the attachment.

"What fooled me with this virus was that it actually replicated to our internal e-mail system," said David Croasdale, business manager at Newell Public Relations, in Hong Kong. Croasdale said he uses Microsoft Exchange for internal e-mail and another application for external mail.

The virus infected 800 files on his PC and reset his Internet home page from Yahoo to the site of an Internet service provider in the Philippines, Croasdale said. The infected files included mostly JPEG graphics files, as well as Internet Explorer temporary files of Web sites, Croasdale said.

"I assume they're all lost, but that's not a big deal, because other people in the office have copies of those files," Croasdale said.

An executive at the Hong Kong office of one multinational software company said his office is without e-mail because of the virus.

"We haven't been affected in Hong Kong, but our mail server is connected to the States," said James Cottrell, marketing manager at SAS Institute Hong Kong. "A few people there have had this, so as a safety precaution, they've taken down the mail server."

Cottrell said he expected the mail system to be restored later today. In the meantime, the loss of e-mail capability is an inconvenience, he said.

"We're doing things by fax and other means of communication," Cottrell said.

Ted Cheng, Greater China manager for Onyx Software Corp., in Hong Kong, was doubly infected Thursday night. Sick at home with a viral fever, he received the Love Letter message and opened the attachment. Microsoft Outlook immediately began propagating it through e-mail messages.

"I tried to unplug the telephone line from the computer, then I tried to delete all those mails that were in the out box. By then, it was about 140 messages," Cheng said. He estimates 20 actually went out from his computer.

Today, still sick at home, he was forced to use the company's backup Web-based e-mail system, an inconvenience because all his past messages are still in Outlook.

"I have a virus and a virus," Cheng said. He had one piece of advice to pass on: "Don't fall in love at first sight."

ICSA.net can be found online at http://www.icsa.net/.