MUSEUM-L Archives

Museum discussion list

MUSEUM-L@HOME.EASE.LSOFT.COM

Subject:
From: Harold Needham <[log in to unmask]>
Reply To: Museum discussion list <[log in to unmask]>
Date: Thu, 4 May 2000 19:11:38 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (225 lines)

The "love bug" virus knocked out systems at Mitel last night and at least
one Canadian federal agency. Be advised that Norton Antivirus does NOT, at
this time, detect it and McAfee probably doesn't either. The worm
propagates by sending messages to everyone on your personal address list. I
have received two copies so far from unsuspecting sources.

The only protection is not to open the .exe file with "loveletter" in the
title.

Harry

"Solemnity is the shield of idiots"

               -  Montesquieu, "Pensées et jugements" (1899)

Harry Needham, M.A., CFE, etc.
President
Harry Needham Consulting Services Inc.
Training & consulting services for heritage institutions - and others!
74 Abbeyhill Drive
Kanata, Ontario K2L 1H1
Canada
email: [log in to unmask]
(Voice) +1.613.831-1068
(Fax) +1.613.831-9412
----- Original Message -----
From: Eric Siegel <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, May 04, 2000 2:46 PM
Subject: Virus Alert


> 'Love' Worm Spreading Fast
> by Michelle Finley
>
> 8:00 a.m. May. 4, 2000 PDT
>
>
>
>  A new, virulent worm known as the "Love Bug" infested computer networks
> throughout the world beginning Wednesday night, shutting down major email
> servers, including the Pentagon's, the British Parliament's, and NASA's.
>
> Experts say it might exceed the infamous Melissa worm in both speed and
> destructiveness.
>
> Early reports indicating that the "Love Bug" worm is not destructive to
> computer data may have been wrong.
>
> The virus, spread through an email visual basic script attachment with the
> subject header "ILOVEYOU," began invading U.S. networks overnight Thursday
> after being first detected in Europe.
>
>  Dear All...
>
> See below for a description of a very...virulent...new email virus.  We got
> hit with it, which is why I am taking the time to notify such a large list
> of people.  DO NOT open any emails with "I LOVE YOU" in the subject line (as
> tempting as it may be.)  The extent of the destructiveness of the virus has
> not yet been nailed down, apparently, and fixes require the use of
> Symantec's anti-virus program (or other major name brand anti-virus
> products.) More info at www.symantec.com.
>
> Eric Siegel
> Director, Planning &
> Program Development
> New York Hall of Science
>
> ==========================================================
>
> Techies: Victims of 'Love'
>
> Companies with branch offices in Europe and Asia have been reporting the
> arrival of the worm on their networks. There are also reports that Johnson
> Space Center in Houston has been hit, along with Jet Propulsion Lab, Philips
> Customer Call Centers, and Ticketmaster Citysearch.
>
> "This worm spreads at an amazing speed", said Mikko Hypponen, manager of
> anti-virus research at F-Secure Corporation. "We got the first report around
> 9 a.m. on Thursday from Norway, and by 1 p.m. we had reports from over 20
> countries."
>
> Hypponen estimates that the total number of infected machines is already in
> the tens of thousands.
>
> "We've got it and it killed our Intranet for two hours" said Joe Gleason
> from ArtStart, a Manhattan printing production company. "We've got
> associates in London, and the 'ILOVEYOU' email literally flooded all
> morning. This thing spreads like wildfire. It appears to be way worse than
> Melissa was."
>
> Gleason's IT director, Jonathan Antipass, was not as concerned. "We were
> getting heavily bombed with this virus, but we've told users not to open the
> emails. It doesn't do anything unless you take a peek at it, which some
> people oddly seem compelled to do," he said.
>
> Antipass says that the worm is passing through corporate firewalls because
> most are not set up to reject attachments with a .txt.vbs extension.
>
> He also notes that the worm seems to be deleting JPEG graphic files and
> replacing them with copies of the .VBS virus file.
>
> Antipass says he's isolated the virus on a non-connected machine and is now
> watching to see what sites it's trying to connect with so he can block those
> sites from ArtStart's network. He believes that is an essential next step
> for any company that has been infected.
>
> Chicago attorney Melvin Golden also says his network was infected, to the
> point where partners who have extensive dealings with European clients have
> had their computers removed from the network.
>
> "We are now watching the emails come in at a rate of about 10 an hour. We
> thought it was strange that so many of our European clients suddenly decided
> they loved us," he said.
>
> The virus is believed to have originated in the Philippines, where it was
> called "the Manila Killer." It arrives in an email with a subject line that
> reads 'ILOVEYOU.' The email contains a one-line message reading, "kindly
> check the attached LOVELETTER coming from me" and an attachment titled
> LOVE-LETTER-FOR-YOU.TXT.VBS.
>
> Once the attachment is opened the virus spawns copies of itself to everyone
> in the victim's Microsoft Outlook email address book. It also infects VBS
> files on the recipient's drives as well as overwriting JPEG and local HTML
> files with its own code and searches for mIRC chat files. If found, the
> virus inserts a custom script in it to infect other mIRC users, and then
> sends itself to every contact in the infected computer's address book.
>
> LOVE-LETTER-FOR-YOU will also try to download a BUGFIX.EXE file from four
> Internet sites, although what the downloaded file will then do was not
> immediately known.
>
> The virus, officially called "vbs.loveletter.a" by virus company Symantec,
> doesn't seem to destroy any data, but it clogs up networks with thousands of
> copies of the replicated message.
>
> European computer systems were hit hard by the virus, which shut down
> networks at Britain's Parliament and the London House of Commons for several
> hours. Dow Jones reported that the worm has also affected networks in Hong
> Kong and Singapore, hitting investment banks and public relations firms
> particularly hard.
>
> Symantec has already released an update to its antiviral software
> application, but warns computer users that the best action is simply not to
> open any "ILOVEYOU" messages.
>
> The confusion over whether the worm does or doesn't destroy data seems to be
> due to the fact that the worm modifies Internet Explorer's start page to
> point to a web page that then downloads a binary called WIN-BUGSFIX.exe. The
> worm randomly selects between four different URLs which may cause it to
> react in different ways, depending on what version of the BUGSFIX it
> downloads.
>
> "I've not been able to obtain a copy of the binary to figure out what it
> does," said Elias Levy at SecurityFocus.com (http://www.securityfocus.com)
> but he noted that the worm's ability to download means that it has dynamic
> components that may change its behavior any time the binary is changed and a
> new one downloaded.
>
>
>
>
> Eric Siegel
> Director, Planning & Program Development
> New York Hall of Science
> [log in to unmask]
> www.nyhallsci.org
>
> =========================================================
> Important Subscriber Information:
>
> The Museum-L FAQ file is located at
> http://www.finalchapter.com/museum-l-faq/ . You may obtain detailed
> information about the listserv commands by sending a one line e-mail message
> to [log in to unmask] . The body of the message should read "help"
> (without the quotes).
>
> If you decide to leave Museum-L, please send a one line e-mail message to
> [log in to unmask] . The body of the message should read "Signoff
> Museum-L" (without the quotes).
>
