New computer virus targets Swiss bank


Source: AP | Published: Thursday August 17, 9:15 AM

WASHINGTON, Aug 16 - A new strain of the Love Letter computer virus was targeting customers of a Swiss bank, stealing their account information and sending it off to the virus writer, US computer security companies said today.

The virus, known as VBS/Loveletter.bd, was a variant of the original Love Letter virus that circulated in May, and many versions had been created using the original as a template.

This new strain replicated itself using Microsoft's Outlook e-mail program, and included a resume. A previous Love Letter version had a resume as well, of a Filipino student. The new resume was in German and represented a job applicant in Zurich, Switzerland.

The worst part of the virus payload is that it is new to Love Letter. The virus downloads a password-stealing program that copies online banking information - for the United Bank of Switzerland - off the infected computer.

Experts got the first infected reports this morning, and all said that the virus was not yet widespread. Because of its narrow focus, experts believe the virus won't spread very far, but that it was a proof of concept for future viruses targeting customers of any bank.

"I'm a bit concerned that it may be all too easy," said Roger Thompson, a security expert for ICSA.net. If not the banks, the investment account aggregators could be targeted.

Due to the time zones, representatives for the United Bank of Switzerland could not be contacted - though experts did say that authorities in Europe were investigating the matter.

The virus downloads the password-stealer, called Hooker, from one of several computers on the Internet. A Kaspersky Labs spokesman, Denis Zenkin, said that among the possible download sites were computers at Michigan State University and the US National Institutes of Health.

Kaspersky Labs believes that the hacker placed the password-stealer there, in an area exposed to the public, for future access.

Messages left at Michigan State and the health group had not been immediately returned.

http://www.theage.com.au/breaking/0008/17/A9683-2000Aug17.shtml

-- Martin Thompson (mthom1927@aol.com), August 16, 2000

Answers

08/16/00 - Updated 04:04 PM ET

'Love bug' virus variant reappears

New version of computer virus looks like job advertisement

From: Newsbytes News Network

By Steve Gold

The ILOVEYOU virus, which caused havoc earlier this year, has resurfaced with a vengeance, says Kaspersky Lab, the Moscow-based IT security company. The firm, which has taken to issuing updates to its antivirus software on a daily basis in recent times, says that a variant of the virus, known as "I-Worm.LoveLetter.bd," was spotted in the wild late on Aug. 15 by PC users in Switzerland and Russia.

The bad news is that the virus variant uses a well-known trick of making the recipient think the attachment is something other than what it actually is.

In the I-Worm variant of ILOVEYOU, the header of the attached file is RESUME.TXT, making the reader think the attachment is a resume enquiry from a Swiss Internet company, which is said to be looking for an Internet programmer.

Kaspersky Lab says that, after the infected attachment is executed, the virus automatically opens the Notepad word processor (bundled by default with all versions of Windows) and shows the following text:

"Knowledge Engineer, Zurich

Intelligente Agenten im Internet sammeln Informationen, erkluren Sachverhalte IM Customer Service, navigieren IM Web, beantworten Email Anfragen oder verkaufen Produkte.

[skipped]"

At the same time as this data is displayed, Kaspersky Lab says that the virus invisibly gains access to the host PC's Microsoft Outlook e-mail program (if present) and, just like the original ILOVEYOU worm, sends out copies of itself containing the attached infected resume file to all the entries in the hapless user's address book.

While an initial scan suggests that the I-Worm variant is a simple rework of the ILOVEYOU virus, Kaspersky Lab warns that the virus has been extensively recoded to perform various nasties on the host PC.

One of these appears to include the ability to download updated worms and Trojan horse applications across the Internet, allowing, for example, hackers to upload significant quantities of malicious code to the host PC, and so cause further havoc.

Early indications suggest that the upload feature of the I-Worm variant is flawed and will only work if an online banking package called USB PIN from the Union Bank of Switzerland is also installed on the host PC.

If this application is present, the I-Worm variant attempts to connect with at least three Web sites to download an application called HCHECK.EXE, an executable that contains a Trojan horse program called Hooker.

The Hooker program sucks up all variable data, including user keystrokes, user IDs and passwords, from the host PC and relays them to an anonymous mailbox.

Kaspersky Lab says that the Web sites with HCHECK.EXE include public file areas of servers operated by the Michigan State University and the US National Institute of Health. The IT security firm says it is working with site operators to remove copies of the offending program.

http://www.usatoday.com/life/cyber/nb/nb2.htm

-- Martin Thompson (mthom1927@aol.com), August 16, 2000.
