Computerworld

Love Stinks: Virus-Worm Hybrid Wreaks Havoc

SAN FRANCISCO (05/05/2000) - A widely circulated e-mail "Love Letter" is in fact turning out to be every network administrator's nightmare. The new virus-worm hybrid is quickly spreading throughout corporations, deleting files and sending itself to all recipients in Microsoft Corp. Outlook e-mail address books.

Several Fortune 500 companies and a major news publishing company have reported problems as a result of the VBScript worm, according to Dan Takata, a spokesman at San Jose, Calif.-based F-Secure, a vendor of antivirus, encryption and other security software. "Love Letter" targets Microsoft Outlook. The virus-worm hybrid is believed to have originated in the Philippines because it caches network log-in passwords and sends them in a text file to an e-mail address in that country, Takata says.

"Most network administrators are shutting down their e-mail servers and updating their virus definitions to include this new one," says Takata. "It's tricking people and causing havoc."

Network Associates has discovered that about 60 percent of its customers in the Netherlands and in Sweden were affected by the virus, at least 30 percent in Germany, 40 percent in the U.K. and 30 percent so far in the U.S.

"The most startling piece of information is that people still haven't learned that they shouldn't just double click on attachments and open them up," says Vincent Gullotto, director of NAI's McAfee Anti-Virus Emergency Response Team in Beaverton, Ore. "People need to become more wise and savvy when reading e-mail."

Discovered May 4 in Hong Kong, the worm first hit Asia and Europe, attacking the Dow Jones and Wall Street Journal offices in Asia before bringing down at least three U.K. corporate e-mail servers. Others also were bogged down, including the House of Commons' e-mail system, according to an alert from Jerry Irvine, a spokesman for iDefense, a security consultant in Alexandria, Va.

The virus aspect of the hybrid overwrites audio files, such as MP3 and Visual Basic files, and deletes image files, such as JPEG and Web-related scripts like JavaScript. It then creates new files using old names and adds .vbs extensions.

The worm also spreads via Internet Relay Chat, so IRC users are being urged not to accept files from others. Infected e-mails carry the subject line "ILOVEYOU" and ask the recipient to "kindly check the attached LOVELETTER coming from me." The attached file is named "LOVE-LETTER-FOR-YOU.TXT.vbs." Computer users should delete infected e-mail messages and avoid opening e-mail attachments in general.

Network administrators are being urged to update their antivirus software to identify the new virus and configure e-mail servers to filter out e-mail messages with the "ILOVEYOU" subject line. Most antivirus vendors already have software updates to protect against this virus. The "Love Letter" worm has been spreading more rapidly than the Melissa e-mail virus, which hit in March 1999 and resulted in an estimated $80 million in damages to compensate network administrators for time spent cleaning up the fallout from the virus.
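The gateway filter described above can be sketched as follows. This is an added example, not code from Computerworld or any vendor quoted here; it goes beyond the subject-line match by also holding any attachment ending in .vbs, which is an assumption of the example, and the sample messages are constructed.

```python
from email.message import EmailMessage

# Indicators quoted in the article.
BLOCKED_SUBJECT = "ILOVEYOU"
BLOCKED_ATTACHMENT = "LOVE-LETTER-FOR-YOU.TXT.vbs"
# Assumption, not from the article: hold every VBScript attachment,
# since a copy can be renamed while the extension must stay runnable.
SCRIPT_EXTENSIONS = (".vbs",)


def quarantine_reasons(msg):
    """Return why a gateway should hold msg; an empty list means deliver."""
    reasons = []
    subject = msg.get("Subject") or ""
    if BLOCKED_SUBJECT in subject.upper():
        reasons.append("subject contains ILOVEYOU")
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        if not name:
            continue
        if name.lower() == BLOCKED_ATTACHMENT.lower():
            reasons.append("known attachment name: " + name)
        elif name.lower().endswith(SCRIPT_EXTENSIONS):
            # Decoy names such as "budget.xls.vbs" land here.
            reasons.append("script attachment: " + name)
    return reasons


def sample(subject, filename):
    """Build a constructed test message; the attachment body is inert filler."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    msg.add_attachment(b"inert placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    for subj, fname in [("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                        ("Quarterly numbers", "budget.xls.vbs"),
                        ("Lunch?", "notes.txt")]:
        print(subj, "->", quarantine_reasons(sample(subj, fname)) or "deliver")
```

The subject check alone misses a copy sent under a different subject line, which is why the example also inspects the attachment name.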

Melissa hit on a Friday afternoon, when many people had already begun their weekends, and it never deleted any data, but it instead resent itself to 50 people in the recipient's address book. A virus is designed to copy itself from one file to another on a single computer; a worm spreads from one computer to multiple computers.

"[The Love Letter] is not the end of the world as far as data loss," says Carey Nachenberg, chief researcher at Symantec's antivirus research center in Santa Monica, Calif. "But it's going to be a problem to clean up. You will have to slog through these hard drives and network drives looking for every last infection."