Got hit with a virus in the office this morning - I usually pass right by these types of messages, but this particular virii is very nasty. If you receive an email with the titile ILOVEYOU or a file attachment called I-LOVE-YOU.TXT.VBS, delete it immediately. This sucker is spreading like wildfire today, and is wreaking havoc on quite a few networks. Fortunately, we immediately recognized receiving the virus, isolated the virus to a single computer and pulled the network cable immediately. This puppy is nasty and you WILL lose data if you catch it. NAV and McAfee Shield *will not catch it* at this time, although both are now offering remedies.
-- Anonymous, May 04, 2000
Answers
Thanks,
A couple different friends also sent a warning... ABCNews...
Virus Attack
�ILOVEYOU� E-Mail Plague
Spreads Worldwide
http://abcnews.go.com/sections/tech/DailyNews/
virus_000504.html
[Fair Use: For Educational/Research Purposes Only]
The
"vbs.loveletter.a" virus spreads
through Microsoft Windows' Internet
extensions and replaces all JPG and
MP3
files it finds with copies of
itself. It then sends itself to
everyone in an infected user's
Microsoft Outlook address book. (Hand
Out)
May 4 � U.S. corporations and military bases have
been
infected by a massively destructive virus that
clogs networks
and erases graphics and music files.
�We�re dealing with a monster,� a Pentagon
spokesperson said.
Unclassified State Department and military
computers were infected by
the virus this morning, officials said. The
federal antivirus office first
noticed the attack at 5:18 a.m ET. The State
Department noticed they had
been hit at 6:30 a.m., and officials there said
they stopped the virus�s
spread within an hour.
�We are eradicating it, getting rid of it,
destroying it,� said State
Department spokesman Richard Boucher.
But military bases have disconnected from
their infected, unclassified
networks and are using only classified networks
to communicate, sources
said. The classified systems are protected
against the virus.
The virus spreads through e-mails with the
subject line �ILOVEYOU�
containing an attached file. Computer users who
receive the e-mail should
just delete it without opening the attachment,
and they won�t be infected.
The virus apparently originated in the
Philippines and hit Europe and
Asia early this morning, said Eric Chien, chief
researcher at the Symantec
Antivirus Research Center in the Netherlands.
Symantec and other virus companies have
already come up with
vaccination and cure programs, but their Web
sites were swamped by
users this morning.
Clogs Up Networks
The virus uses similar tricks to last year�s
feared Melissa virus, but it�s
even more widespread and destructive, Chien said.
First, �loveletter� resets a user�s Internet
Explorer Start Page to a
Web page containing an executable file. The page
has since been taken
down, Chien said. He said researchers are unsure
what the executable file
does when launched.
Then, the virus searches for all files with
the extensions JPG, JPEG,
MP2, and MP3 � the most popular graphics and
sound formats � as
well as other, more obscure extensions. It erases
the files and replaces
them with copies of itself under the same name,
with the extension VBS
tacked on.
Chat room aficionados are even more
vulnerable. The virus infects the
popular mIRC chat program, so the next time a
user starts chatting, the
virus goes out to everyone in the room.
Finally, the program multiplies by hijacking
Microsoft Outlook and
e-mailing itself to everyone in an Outlook
address book.
Anyone running Windows 98, Windows NT 4.0,
or both Windows 95
and Internet Explorer 5.0 is vulnerable, Chien
said. The virus needs
Microsoft Outlook to spread. Macintosh and
Linux users are not
vulnerable.
The virus spreads through corporate
firewalls because most are not
configured to reject attachments with a .txt.vbs
extension, a relatively
uncommon type of file, information systems
managers said.
Bored Student?
The virus �appears to have been written by a
student, probably 14 to 28
years old and probably male as well,� Chien said,
citing code within the
virus and past experience with virus writers.
�He seemed to just write it because he was
bored. He probably has no
idea he�d cause so much chaos,� Chien said.
Two lines within the virus identify the
author as �Spyder,� part of the
�@GRAMMERsoft Group� from Manila, Philippines and
say �I hate
go to school.� He also offers his opinion of his
work: �simple but I think
this is good ...�
�The group name is not familiar,� said
security consultant Brian
Martin. And �Spyder� is a common name in the
electronic underground.
But the virus contains an e-mail address that
should make it �easy to track
him,� Martin said.
Officials at Spyder�s e-mail provider,
mail.com, are �working on the
problem,� a mail.com spokeswoman said.
Despite the simplicity of the code, the
writer does have a good idea of
psychology. By adding the phrase �kindly check
the attached
LOVELETTER coming from me� to the e-mails, he
makes users think it
might be a personal message.
�If you send an attachment with, �I�m a
virus, run me,� people won�t
run it. But with this, people say, �oh, look,
it�s a love letter, I think I�ll
open it,�� Chien said.
The answer, security experts said, is
simple: Never, ever, ever, open an
attached file that comes as a surprise, no matter
who it seems to be from,
or how �loving� it seems to be.
Stunning Spread
Experts said they were stunned by the speed and
wide reach of the virus.
�Many, many tens of thousands of machines
have been infected by
it,� said Symantec spokesman Richard Saunders.
In the U.S., the virus has affected the
Pentagon, the federal Department
of Agriculture, the Florida Lottery, the
Wisconsin Legislature, and media
organizations including Time Warner Inc.,
according to employees of
affected companies and officials of anti-virus
companies.
�It is literally anybody who is running
Microsoft Outlook, and that is
the most common e-mail client in the world,� said
Richard Jacobs,
president of anti-virus firm Sophos.
The bug appeared in Hong Kong late in the
afternoon, spreading
throughout e-mail systems once a user opened one
of the contaminated
messages. It later moved into European
parliamentary houses and through
the high-tech systems of big companies and
financial traders.
�I have to tell you that, sadly, this
affectionate greeting contains a virus
which has immobilized the House�s internal
communication system,� said
Margaret Beckett, leader of Britain�s House of
Commons. �This means
that no member can receive e-mails from outside,
nor indeed can we
communicate with each other by e-mail.�
Companies in Denmark, Norway, the
Netherlands and Switzerland
were also hit.
ABCNEWS� Sascha Segan and The Associated Press
contributed to this
story.
Curing the Virus
May 4 � All the major anti-viral companies have
released free
trial versions of their software that can fix
the new virus. Try
going to
http://www.symantec.com, http://
www.mcafee.com, or http://
www.sophos.com.
You�ll be cured, but you won't be able to
get your JPEG and MP3
files back unless you've made backups.
To prevent further infections by copycat
viruses, Richard Jacobs
of Sophos recommends you turn off your Windows
Scripting Host. In
Windows 98, that means go to your Start Menu and
choosing
Settings, then Control Panel. Double-click on
the Windows
Components control panel, and then choose the
Accessories option.
Uncheck the box for Windows Scripting Host,
which should be the
last one on the list.
Melissa and ILOVEYOU both use Windows
Scripting Host to
propagate, but very few users need it in their
day-to-day lives,
Jacobs said.
The number-one lesson, antiviral experts
agree, is to scrutinize
e-mail closely.
�It�s so important for people to think
about what they�re opening
in their e-mail. Very few people get large
numbers of love letters
via email,� Jacobs said.
-- Anonymous, May 04, 2000
Here is a breakdown of the virus.
NAME:
LoveLetter
VBS/LoveLetter is a VBScript worm. It spreads thru email as a
chain
letter.
The worm uses the Outlook e-mail application to spread. LoveLetter
is
also a overwriting VBS virus, and it spreads itself using mIRC client
as well.
When it is executed, it first copies itself to Windows System
directory
as:
MSKernel32.vbs
- LOVE-LETTER-FOR-YOU.TXT.vbs
and to Windows directory:
- Win32DLL.vbs
Then it adds itself to registry, so it will be executed when the
system
is restarted. The registry keys that it adds are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKer
nel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServic
es\Win
32DLL
Next the worm replaces the Internet Explorer home page with a link
that
points to an
executable program, "WIN-BUGSFIX.exe". If the file is
downloaded, the
worm
adds this to registry as well; causing that the program will be
executed when
the system is
restarted.
The executable part that the LoveLetter worm downloads from the web
is a
password stealing trojan. On startup the trojan tries to find a
hidden window
named
'BAROK...'. If it is present, the trojan exits immediately, if not -
the main
routine
takes control. The trojan checks for the WinFAT32 subkey in the
following
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
If the WinFAT32 subkey key is not found, the trojan creates it,
copies
itself to \Windows\System\ directory as WINFAT32.EXE and then
runs the
file
from
that location. The above registry key modification makes the trojan
become
active every time Windows starts.
Then the trojan sets Internet Explorer startup page
to 'about:blank'.
After that the trojan tries to find and delete the following keys:
Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePw
ds
Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdC
aching
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\Hi
deShar
ePwds
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\Di
sableP
wdCaching
Then trojan registers a new window class and creates a hidden
window
titled 'BAROK...' and remains resident in Windows memory as a
hidden
application.
Immediately after startup and when timer counters reaches the
certain
values, the trojan loads MPR.DLL library, calls
WNetEnumCashedPasswords
function and sends stolen RAS passwords and all cached Windows
passwords to
'mailme@super.net.ph' e-
mail address
that most likely belongs to trojan's
author. The trojan uses the 'smpt.super.net.ph' mail server to send e-
mails.
The e-mail's subject
is 'Barok... email.passwords.sender.trojan'.
There's the author's copyright message inside the trojan's body:
barok ...i hate go to school suck ->by:spyder @Copyright (c)
2000
GRAMMERSoft Group >Manila,Phils.
There are also some encrypted text messages in the trojan's body used
for
its internal purposes. After that, the worm creates a HTML
file,
"LOVE-LETTER-FOR-YOU.HTM", to the Windows System directory.
This file
contains the worm, and it will be sent using mIRC whenever the
user joins
an
IRC channel.
Then the worm will use Outlook to mass mail itself to everyone in
each
address book.The message that it sends will be as follows:
Subject: ILOVEYOU
Body: kindly check the attached
LOVELETTER
coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
LoveLetter sends the mail once to each recipient. After a mail has
been sent,
it adds a marker to the registry and does not mass mail itself any
more. The
virus then searches for certain filetypes on all folders on all local
and
remote drives
And overwrites them with its own code. The files that are overwritten
have
either "vbs" or "vbe" extension.
For the files with the following extensions: ".js",
".jse",
".css",
".wsh", ".sct" and ".hta",the virus
will create a
new file with the same
name, but using the extension ".vbs". The original file
will be
deleted.
Next the the virus locates files with ".jpg",
".jpeg",
".mp3" or ".mp2", adds
a new file
next to it and deletes the original file. For example, a picture
named
"pic.jpg" will cause a new file called
"pic.jpg.vbs" to be
created.
LoveLetter was found globally in-the-wild on May 4th, 2000. It looks
like the
virus is
Philippine origin. At the beginning of the code, the virus contains
the
following text:
rem barok -loveletter(vbe)
rem &
nbsp;
;
by:
spyder / ispyder@mail.com
/ @GRAMMERSoft Group /
Manila,Philippines
[Analysis: Katrin Tocheva, Mikko Hypponen, Alexey Podrezov and
Sami
Rautiainen,
F-Secure]
-- Anonymous, May 04, 2000
Nom:
I heard about in the early hours [4 am]. I got a bunch of copies,
which makes me believe that I have a lot of unhappy friends. Do you
know how this accesses mailing lists. Does it use the personal address
list or the global one. Since I got so many, my guess is the former. I
am at a big organization. I couldn't have gotten that many from the
global list [when folks next door got none]. Just wondered.
Best wishes,,,
-- Anonymous, May 04, 2000
At an organization I consult with, they got two of them this morning.
Fortunately the Admin. Assit. thought it looked suspicious and deleted
without opening.
Diane
-- Anonymous, May 04, 2000
This comes from someone I know in Silicon Valley, from some he knows in
Silicon Valley.
Diane
'''
At 10:24 AM -0700 5/4/00, [] wrote:
The F-Secure Europe site is accessible; Symantec US and McAfee are
swamped right now. Incidentally, F-Secure has a fix out already.
http://
www.europe.f-secure.com/v-descs/love.htm
My apologies in advance. Because so many sites are swamped with users
attempting to verify and or recovery from the LoveLetter virus. Also
because it was mention here on the list, I decided to post the Alert
notice with repair, and protection information that we send our list
members, and
associates.
.......................................................................
Nonprofit Tech Virus Alert Thursday, 4 May 2000
.......................................................................
LoveLetter Virus Cause Record Amounts of Damage
Spring is in the air, and with it the bitter retributions of love.
Early May
2000, a new virus walked into town, swearing vengeance and wrecking
havoc on
hundreds of thousand of email users. The new VBS.LoveLetter introduces
itself
as an email with the subject "ILOVEYOU!" Don't be fooled between the
hours of
3am EST and 9am EST, the virus caused damage in excess of $100 million
dollars.
Don't let your nonprofit suffer the consequences.
An Overview
The LoveLetter virus is yet another worm virus, much like BubbleBoy and
Melissa, that we've alerted you to prior. The virus is created using
Microsoft's Visual Basic Script (VBS). This is the same language used
extensively throughout all Microsoft products.
Nonprofits using Microsoft Outlook and Microsoft Exchange Servers may
be
infected regardless if your users actually open the enclosed email
attachment.
Any user, whether using Microsoft Outlook, Outlook Express, Netscape,
and/or
Eudora that opens the attached "Love-Letter-for-You.txt.vbs" file will
be
infected. Macintosh users with Microsoft Office 98 and Visual Basic
installed
may also experience some symptoms of the virus is they attempt to open
the
attachment.
The Basics
In a nutshell, the virus spreads by using visual basic script to
reproduce
itself. It then sends the virus to all names in the address book of
Microsoft
OutLook. It next attempt to download the file "Win-Bugsfix.exe" (a
password
stealer application). It will then search your computer and computer
network
for any Windows-based Internet Relay Chat (IRC) application. If it
locates an
IRC application on your computer or own your computer network, it will
then
attempt to infect the chat client as well. Finally it will seek to
overwrite
and cause unrecoverable damage to files in a variety of popular
web-based
format, including MP3 files.
The Technical
The virus will install itself or be installed by a user opening the
"Love-Letter-for-You.txt.vbs" attachment. The virus is very dangerous.
It will
overwrite files on your computer and especially hazardous to email
servers, web
servers, individuals who perform web publishing, print publishing,
media
publishing, and music publishing as part of the job.
The virus seeks and destroys files of the following types: Visual Basic
Script
(.vbs), JavaScript (.js), and Cascading Style Sheets (.css). It will
also
target the most common and popular web formats for music, and
images--.jpg,
..jpeg, .mp3, and .mp2. Files with the extensions .vbe, .jse, .wsh,
.sct, and
..hta will also be overwritten. See the enclosed 0504howiloveworks.gif
to view
the CNEt GIF of how the file works, or click on the below link for more
information.
http://news.cnet.com/Images/News/Emed/2000/05/
0504howiloveworks.gif
Prevention Notes
If you are a user of Microsoft Office 95 or higher, and haven't
received the
email yet, you have a variety of options for prevention purposes.
1.) Update Virus Definitions: All major anti-virus software providers
have
released virus definition updates that counter-effect this virus and
its new
strands.
2.) If you use Netscape, and or Eudora for your email client, don't
open the
email with the title "LoveLetter" or Fwd: Joke: Love Letter for You.
Immediately trash it and it's related attachment.
3.) If your a Windows user running any version of Microsoft Office 95,
check to
see if you have Windows Scripting Host (WSH) installed. If so, disable
it. This
will render the virus harmless.
Disabling Windows Scripting Host
Enter Start:Settings:Control Panel. Open Add/Remove Programs. Choose
the
Windows Setup tab. Double-click on "Accessories" and make sure Windows
Scripting Host check mark is removed.
4.) Back-up your important computer files in case of infection, and
subsequent
loss of data
5.) Users of OutLook, Outlook Express, and Exchange Servers the best
prevention
method for you can be provided by your network administrators or system
administration staff. Email servers, and web servers should be
configured to
automatically repel messages with the attachment LoveLetter, or
subsequent
variations.
6.) Users of OutLook, Outlook Express, and Exchange Servers should also
DISABLE
Windows Scripting Host (WSH) this is essential to prevent infection.
Since
users of Outlook, Outlook Express, and Exchange Servers are vulnerable
to the
virus regardless of if they open the attachment.
Repair Notes
To the best of our knowledge, the only current repair options are those
that
maybe provided to you by your Virus Scanner. So far, we have heard of
no one
who was infected that has been able to recover their files without
going to a
back-up. This means that, your anti-virus software can remove the
virus, but
may not be able to repair any damage that it caused in your files.
Prevention
is the best effort
Protect Notes
To protect yourself from this virus download new virus definitions
for your antivirus program:
AntiVirus Application Download Site
Norton AntiVirus:
http://
www.symantec.com/avcenter/download.html
Dr. Solomon
http://
www.nai.com/asp_set/download/dats/find.asp
McAffeeVirusScan
http://download.mcafee.com/
Virex 5.9.x
http://
www.nai.com/asp_set/download/dats/find.asp
DataFellows
http://www.datafellows.com/download-purchase/updates.html
http://www.sophos.com/downloads/ide/index.html#loveleta
http://
www.thepope.org/index.pl?node_id=140
Read More
To find out more about this virus go to the following sites:
ICSA.net
http://
www.icsa.net/html/hypeorhot/index.shtml
IBM
http://
www.av.ibm.com/Virus_Alerts/Love/love.html
Sophos
http://www.sophos.com/downloads/ide/index.html#loveleta
CNET
http://2.digital.cnet.com/cgi-bin2/flo?x=dAEuhuBgKBwKhYguo
Disclaimer
Nonprofit Tech provides the above enclosed virus notice as part of
its E-Update, or Membership Benefits services. All updates have
been verified for accuracy, but this by no means guarantees that
provided repair notes will work equally well on all computers.
If the repair notes require that your remove, upgrade, or modify
application components, please test all modifications first to make
sure that they are compatible with your computer system. Whenever
making modifications to your computer, you should back-up all
important documents.
Nonprofit Tech assumes no responsibility for errors or omissions
contained within the data provided, or software linked to. All
software linked to or referenced is covered by its manufacture's
warranty.
Virus Image
The virus image is contained as an attachment to this email. The
file is a graphics .gif file only. Recipients with email clients
such as Eudora 3.x or higher, OutLook Express, and Netscape 4.x or
higher should receive the display directly within the email message.
Recipients with other email client may need to click on the
attachment link to display the image file. If you feel uncomfortable
receiving attachments from us, please delete the attach file.
--
.........................................
Alnisa Allgood
Executive Director
Nonprofit Tech
(ph) 415.337.7412 (fx) 415.337.7927
(url) http://www.nonprofit-
tech.org
(url) http://www.tech-
library.org
.........................................
Nonprofit Tech E-Update
mailto:nonprofit-tech-subscribe@egroups.com
.........................................
applying technology to transform
.........................................
[snip]
-- Anonymous, May 05, 2000
From: NHNE < nhne@nhne.com >
Date: Fri, 05 May 2000 00:03:24 -0700
Reply-to: nhne-owner@egroups.com
Subject: [nhne] Virus Alert: "Love" Virus Mutates In "Joke"
Hello Again Everyone,
As if the love worm weren't enough to send shivers up and down the
spine of
all PC users (Mac folks are apparently immune), another version of the
bug
has emerged. Thanks to Dianne Brannen for the heads up.
I am sending this message to both NHNE's main list, and news list
again, so
some of you will be receiving it twice. I don't plan to make a habit of
this, but want to be sure all of us stay a step ahead of this nasty
bug.
The article below is followed by a list of antivirus companies and
computer
pros who are offering information and tools to help remove the ILOVEYOU
virus from PCs.
David Sunfellow
------------
'LOVE' VIRUS GETS NEW NAME, NEW LIFE
By Bob Sullivan
Thursday, May 4, 2000
MSNBC
Complete article:
http://www.msnbc.com/
news/403350.asp
Excerpt:
Computer technicians around the globe are holding their breath tonight,
hoping they have largely beat back the ILOVEYOU virus. Perhaps tens of
millions of computers have been infected by the bug, experts said, and
it is
already being called the worst virus outbreak ever. But there is
evidence
that ILOVEYOU may yet do more damage before the worst is over.
JUST AS REPORTS of infections by the ILoveYou virus started to slow
down, a
new version of the program began winging its way around the Internet.
This
one has the subject line "FW: JOKE" and contains an attachment called
"Very
Funny.vbs." The alterations may allow the program to sneak around some
antivirus programs, adding to the pain the ILOVEYOU virus has already
inflicted around the world.
Even before the mutation, there was evidence the original ILOVEYOU
virus was
still flying around the Internet. Free e-mail provider mail.com said it
was
detecting a version of of the virus on its service every 20 seconds
late
Thursday afternoon P more frequently than it had been detected in the
middle
of the day.
"I don't think it's over," said Joe Wells, a long-time antivirus
industry
observer. "Melissa came and went because it had limitations. This thing
doesn't turn itself off."
That might be bad news for the thousands of businesses that forced to
shut
down entire networks on Thursday in order to quarantine computers from
infection. If even one copy of the virus remains on a network,
restarting
mail services could restart Thursday's ordeal all over again. So many
employees left work Thursday night with no guarantee things would be
back to
normal by Friday morning.
WHERE TO GET HELP
Several antivirus companies and computer pros are offering information
and
tools to help remove the ILOVEYOU virus from PCs. Many sites are
working
slowly because of high traffic.
ZDNet ILOVEYOU Anti-Virus Center:
http://chkpt.zdnet.com/chkpt/hud0001100/
www.zdnet.com/downloads/toolkits/ant
ivirus/iloveyou.html
F-Secure's info on how ILOVEYOU works:
http://www.data-
fellows.com/v-descs/love.htm
Trend Micro's HouseCall online virus scanner:
http://
housecall.antivirus.com/
Info from thePope.org on removing ILOVEYOU:
http://
www.thepope.org/index.pl?node_id=140
McAfee.com Anti-Virus:
http://
www.mcafee.com/centers/anti-virus/
Symantec Page:
http://www.symantec.com/
[snip]
-- Anonymous, May 05, 2000
E-Mail Infected by `Love Bug'
Siren-song virus worms through Internet -- damage could hit $1
billion
Carolyn Said, Chronicle staff writer
Friday, May 5, 2000
)2000 San Francisco Chronicle
http://www.sfgate.com/cgi-bin/
article.cgi?file=/chronicle/archive/2000/05/05/MN12308.DTL
[Fair Use: For Educational/Research Purposes Only]
From the Pentagon to British Parliament to the Ford Motor Co., millions
of computers around the world yesterday were swamped by a new virus
attached to an e-mail titled
``I LOVE YOU.''
``It's the most virulent, the most damaging, the most costly and
the most rapidly spreading virus in the history of computing,'' said
Peter Tippett, chief scientist at
computer-security consultants ICSA.net.
Tippett estimated that at least half of all U.S. corporations
had been hit by the virus and that the price tag for the damage could
top $1 billion in lost productivity and the cost
of debugging systems and updating virus software.
The ``worm'' -- a self-replicating destructive program -- works
by infiltrating a recipient's Microsoft Outlook e-mail address book and
sending infected messages to all
contacts listed in the book. The virus is activated when a
recipient opens a file called ``LOVE-LETTER-FOR-YOU.TXT.vbs'' attached
to the e- mail, which looks like it comes
from a friend or acquaintance. A second variant, which was
unleashed yesterday afternoon, has the subject line ``fwd: Joke'' and
an attachment called ``VeryFunny.vbs.''
Both approaches resemble the methodology used by the Melissa
virus, which wreaked havoc on e-mail systems worldwide in March 1999,
causing an estimated $80 million in
damages. But the ``love bug'' appears to be even faster and more
destructive.
In addition to replicating itself via e-mail -- which clogged
hundreds of thousands of e-mail servers -- the new virus was spread via
Internet Relay Chat (IRC), a popular
instant- messaging system. And while Melissa sent itself to the
first 50 addresses stored on infected computers, the love-letter virus
sends itself to all stored addresses.
Once a computer is infected, the toxic valentine can wipe out
MP3 music files and JPEG picture files stored on the user's hard drive.
There were also reports that the virus had
a ``Trojan horse'' component that could search out passwords
stored in a computer's memory, and then attempt to e-mail them to a
mailbox in the Philippines, where experts
think the virus originated.
The original message carrying the virus, sent by someone called
``Spyder,'' contained the statement ``I hate to go to school.''
The FBI said it has opened a criminal investigation of the virus
assault. Wherever the love-bug originator is from, ``Every country is
going to want a piece of this person,'' said
Andrew Black, special agent with the FBI in San Francisco. ``But
if the person is ever identified, he or she will in all likelihood be
prosecuted in their own country.''
In the Melissa case, the perpetrator, David L. Smith of New
Jersey, was caught within weeks and is now serving a five-year jail
sentence.
Employees around the United States arrived at their offices
yesterday to find either an e-mail box overflowing with poison-pen love
notes or a message that there would be no
e-mail until administrators had safeguarded the system.
Throughout the day, numerous workers were lamenting the return to fax
and phone.
Nextel, a wireless firm in Virginia, turned off e-mail for all
of its 13,000 employees nationwide. ``It's an odd feeling when you're
used to checking your e-mail so frequently,''
said Susan Rosenberg, PR manager in the company's Walnut Creek
office. ``We also can't get to contacts or calendar information since
that's stored in Outlook too.''
At San Francisco online gaming company pogo.com, Garth Chouteau
received 60 to 80 declarations of love, mostly spread by people within
the 90-employee company. There
was an early flurry of the e-mails and then just as suddenly,
they stopped.
``They came really fast,'' Chouteau said. ``You could almost
visualize it bouncing around the company. Then either through just
abstinence or through some antiviral program
we ran, it seems to have been totally contained.''
In Detroit, Ford said its e-mail system won't be running until
today, affecting 125,000 workers worldwide. In the United States, the
bug affected everyone from Merrill Lynch,
AT&T and Congress to Delta Air Lines, National Public Radio,
Lucent, the Department of Transportation, Knight-Ridder Inc.'s
Philadelphia Inquirer, the Florida Lottery, Cox
Communications and Northwest Airlines.
Across the Atlantic, the damage was even more severe. ``It's in
epidemic proportions throughout Europe,'' said Sal Viveros, director of
McAfee, the antivirus division of Santa
Clara's Network Associates. ATMs in Belgium were shut down by
the virus; and about three-quarters of the enterprises in Germany, the
Netherlands and Sweden and about
one-third of those in England were forced to shut down their e-
mail systems, he said.
In Britain, the virus ``immobilized the House's internal
communication system,'' said Margaret Beckett, leader of the House of
Commons. ``This means that no member can
receive e-mails from outside, nor indeed can we communicate with
each other by e-mail.''
The virus rapid spread ``followed the sun, hitting Asia first,
then moving into Europe and then the United States,'' said Peter
Watkins, chief executive of Network Associates.
He said that 80 percent of Fortune 1,000 companies had been
affected.
The love bug bit hard in the nation's capital, where the State
Department, the Army, the Navy, the IRS and the Federal Emergency
Management Agency turned off their mail
servers during the course of the day.
People who used Unix systems, Macintosh computers or Lotus Notes
e-mail were immune to the virus, experts said.
LOVE HURTS
A new software virus, disguised in an e-mail with an amorous
message, spread around the globe yesterday, damaging corporate and
government computer networks. Here is
how one computer security company explained the virus' rapid and
efficient infection process.
Like a chain letter bearing a bomb, the LoveLetter virus spreads
primarily through the Windows-based e-mail application Outlook.
The virus invades when the attachment to an e-mail entitled
``ILOVEYOU'' is opened. It installs itself in the comp-uter's system to
launch when the machine is restarted.
The virus spreads by mailing itself to everyone in the user's e-
mail address book. Internet chat software, such as ICQ, also delivers
the virus.
LoveLetter does its damage by over-writing certain types of
files, like pictures (JPEG files) and music (MP3 files). It deletes
them and leaves infected copies in their place.
It also uses Internet Explorer's home page to try and download a
program that will steal passwords and mail them to an e-mail address in
the Philippines.
SELF-DEFENSE
Tips on containing the virus:
--If you see ``ILOVEYOU'' or ``fwd: Joke'' in the subject line
of your e- mail, delete the message immediately. Do not open the
attachments,
``LOVE-LETTER-FOR-YOU.TXT.vbs'' or ``VeryFunny.vbs.''
--Install antivirus software, if you haven't already done so --
for links to several antivirus Web sites, go to http://www.cert.org . Check with manufacturers' Web
sites for any updates
they may post to kill the virus.
--Network administrators should filter and delete incoming mail
with ``ILOVEYOU'' or ``fwd: Joke'' in the subject line and ``LOVE-
LETTER-FOR- YOU.TXT.vbs'' or
``VeryFunny.vbs'' as an attachment name.
E-mail Carolyn Said at csaid@sfgate.com. Chronicle staff writer
Benny Evangelista and Chronicle news services contributed to this
report.
)2000 San Francisco Chronicle
-- Anonymous, May 05, 2000
Well at least it doesn't play the Barney "I love you, you love me"
song!
Sounds like a lot of hassle. Fortunately, I have not gotten it.
Hooray for Netscape!
-- Anonymous, May 07, 2000
Moderation questions? read the FAQ
