'Love' Worm Spreading Fast
by Michelle Finley
8:00 a.m. May. 4, 2000 PDT

A new, virulent worm known as the "Love Bug" infested computer networks throughout the world beginning Wednesday night, shutting down major email servers, including the Pentagon's, the British Parliament's, and NASA's. Experts say it might exceed the infamous Melissa worm in both speed and destructiveness.

Early reports indicating that the "Love Bug" worm is not destructive to computer data may have been wrong.

The virus, spread through an email Visual Basic script attachment with the subject header "ILOVEYOU," began invading U.S. networks overnight Thursday after being first detected in Europe.

Dear All...

See below for a description of a very...virulent...new email virus. We got hit with it, which is why I am taking the time to notify such a large list of people. DO NOT open any emails with "I LOVE YOU" in the subject line (as tempting as it may be). The extent of the destructiveness of the virus has not yet been nailed down, apparently, and fixes require the use of Symantec's anti-virus program (or other major name brand anti-virus products). More info at www.symantec.com.

Eric Siegel
Director, Planning & Program Development
New York Hall of Science

==========================================================

Techies: Victims of 'Love'

Companies with branch offices in Europe and Asia have been reporting the arrival of the worm on their networks. There are also reports that Johnson Space Center in Houston has been hit, along with Jet Propulsion Lab, Philips Customer Call Centers, and Ticketmaster Citysearch.

"This worm spreads at an amazing speed," said Mikko Hypponen, manager of anti-virus research at F-Secure Corporation. "We got the first report around 9 a.m.
on Thursday from Norway, and by 1 p.m. we had reports from over 20 countries." Hypponen estimates that the total number of infected machines is already in the tens of thousands.

"We've got it and it killed our Intranet for two hours," said Joe Gleason from ArtStart, a Manhattan printing production company. "We've got associates in London, and the 'ILOVEYOU' email literally flooded all morning. This thing spreads like wildfire. It appears to be way worse than Melissa was."

Gleason's IT director, Jonathan Antipass, was not as concerned. "We were getting heavily bombed with this virus, but we've told users not to open the emails. It doesn't do anything unless you take a peek at it, which some people oddly seem compelled to do," he said.

Antipass says that the worm is passing through corporate firewalls because most are not set up to reject attachments with a .txt.vbs extension. He also notes that the worm seems to be deleting JPEG graphic files and replacing them with copies of the .VBS virus file.

Antipass says he's isolated the virus on a non-connected machine and is now watching to see what sites it's trying to connect with so he can block those sites from ArtStart's network. He believes that is an essential next step for any company that has been infected.

Chicago attorney Melvin Golden also says his network was infected, to the point where partners who have extensive dealings with European clients have had their computers removed from the network. "We are now watching the emails come in at a rate of about 10 an hour. We thought it was strange that so many of our European clients suddenly decided they loved us," he said.

The virus is believed to have originated in the Philippines, where it was called "the Manila Killer." It arrives in an email with a subject line that reads 'ILOVEYOU.' The email contains a one-line message reading, "kindly check the attached LOVELETTER coming from me" and an attachment titled LOVE-LETTER-FOR-YOU.TXT.VBS.

Once the attachment is opened, the virus spawns copies of itself to everyone in the victim's Microsoft Outlook email address book. It also infects VBS files on the recipient's drives, overwrites JPEG and local HTML files with its own code, and searches for mIRC chat files. If found, the virus inserts a custom script in it to infect other mIRC users, and then sends itself to every contact in the infected computer's address book.

LOVE-LETTER-FOR-YOU will also try to download a BUGFIX.EXE file from four Internet sites, although what the downloaded file will then do was not immediately known.

The virus, officially called "vbs.loveletter.a" by virus company Symantec, doesn't seem to destroy any data, but it clogs up networks with thousands of copies of the replicated message.

European computer systems were hit hard by the virus, which shut down networks at Britain's Parliament and the London House of Commons for several hours. Dow Jones reported that the worm has also affected networks in Hong Kong and Singapore, hitting investment banks and public relations firms particularly hard.

Symantec has already released an update to its antiviral software application, but warns computer users that the best action is simply not to open any "ILOVEYOU" messages.

The confusion over whether the worm does or doesn't destroy data seems to be due to the fact that the worm modifies Internet Explorer's start page to point to a web page that then downloads a binary called WIN-BUGSFIX.exe. The worm randomly selects between four different URLs, which may cause it to react in different ways, depending on what version of the BUGSFIX it downloads.

"I've not been able to obtain a copy of the binary to figure out what it does," said Elias Levy at SecurityFocus.com (http://www.securityfocus.com), but he noted that the worm's ability to download means that it has dynamic components that may change its behavior any time the binary is changed and a new one downloaded.

Eric Siegel
Director, Planning & Program Development
New York Hall of Science
[log in to unmask]
www.nyhallsci.org

=========================================================

Important Subscriber Information:

The Museum-L FAQ file is located at http://www.finalchapter.com/museum-l-faq/ . You may obtain detailed information about the listserv commands by sending a one line e-mail message to [log in to unmask] . The body of the message should read "help" (without the quotes).

If you decide to leave Museum-L, please send a one line e-mail message to [log in to unmask] . The body of the message should read "Signoff Museum-L" (without the quotes).
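
The forwarded article says the worm got past corporate gateways because most were not set up to reject attachments with a .txt.vbs extension. The sketch below is an added example, not part of the original message or the article, showing a gateway-side check that flags script attachments hiding behind a document-looking inner extension. The extension lists, function names and sample addresses are assumptions made for illustration, and the sample message is constructed with an inert placeholder payload.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs on double-click. This list is an assumption of the
# example; the article names only .vbs.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
               ".scr", ".pif", ".bat", ".cmd", ".com", ".exe"}
# Extensions a reader takes for a harmless document or picture.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".jpeg", ".gif", ".htm", ".html", ".pdf"}

def classify_attachment(filename):
    """Return 'disguised-script', 'script', or None for an attachment name."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    name = filename.strip().rstrip(". ").lower()
    stem, last = os.path.splitext(name)
    if last not in SCRIPT_EXTS:
        return None
    inner = os.path.splitext(stem)[1]
    return "disguised-script" if inner in DECOY_EXTS else "script"

def scan_message(raw_bytes):
    """List (filename, verdict) for every flagged attachment in a raw message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        verdict = classify_attachment(fname) if fname else None
        if verdict:
            findings.append((fname, verdict))
    return findings

def build_sample():
    """Constructed message with the subject, body and attachment name quoted
    in the article; the attachment payload is an inert placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "ILOVEYOU"
    m.set_content("kindly check the attached LOVELETTER coming from me")
    for fname in ("LOVE-LETTER-FOR-YOU.TXT.VBS", "minutes.txt"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for fname, verdict in scan_message(build_sample()):
        print(f"quarantine: {fname} ({verdict})")
```

Matching on the final extension rather than the subject line keeps the check useful when the subject or file name changes.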