Computer systems around the globe continue to be struck today by the so-called "I Love You" virus. Passing unnoticed through corporate firewalls as an email attachment, the virus deletes critical systems files and infects others.
One victim had hundreds of file names appended with a ".vbs" extension. Another victim's system was infected when accessing a server that had been previously infected.
According to Symantec Corp.'s Antivirus Research Center, the "VBS.LoveLetter.A" is an extremely fast-spreading computer virus, of a type known as a worm, that uses mIRC and Microsoft Outlook to email itself as an attachment.
Symantec's engineers report that VBS.LoveLetter.A appears as an attachment with the subject line ILOVEYOU along with an attachment called LOVE-LETTER-FOR-YOU.TXT.vbs.
Tips on eradicating the virus
- From Symantec: The quick fix for now is for network or email administrators to set a filter for the attachment name (LOVE-LETTER-FOR-YOU.TXT.vbs) and subject line (ILOVEYOU) immediately.
- From a user suggestion: Reboot the infected PC and roll back to a previous version of the Windows registry.
Antivirus vendors Symantec, McAfee, and Panda Software all expect to post remedies to their Websites sometime today.
The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University in Pittsburgh said that it had received more than 150 reports of the virus as of 10 a.m. ET today. Experienced managers at CERT said this is an unusually high number of reports for an email virus.
The following information was obtained from the US military:
ILOVEYOU is a VBScript worm. It spreads through email as a chain letter. The worm uses the Outlook email application to spread. LoveLetter is also a overwriting VBS virus, and it spreads itself using mIRC client as well. When it is executed, it first copies itself to Windows System directory as:
and to the Windows directory:
Then it adds itself to registry, so it will be executed when the system is restarted. The registry keys that it adds are:
Next the worm replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe". If the file is downloaded, the worm adds this to registry as well; causing that the program will be executed when the system is restarted.
After that, the worm creates a HTML file, "LOVE-LETTER-FOR-YOU.HTM", to the Windows System directory. This file contains the worm, and it will be sent using mIRC whenever the user joins an IRC channel. Then the worm will use Outlook to mass mail itself to everyone in each address book. The message that it sends will be as follows:
Body: kindly check the attached LOVELETTER coming from me.
LoveLetter sends the mail once to each recipient. After a mail has been sent, it adds a marker to the registry and does not mass mail itself any more.
The virus then searches for certain file types on all folders on all local and remote drives and overwrites them with its own code. The files that are overwritten have one of these extensions: ".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta".
The virus also tries to use companion techniques, adding a secondary file next to existing file -- hoping that the user will click on the wrong file. This is done so that the virus locates files with jpg, jpeg, mp3 and mp2 and adds a new file next to it. For example, a picture named "pic.jpg" will cause a new file called "pic.jpg.vbs" to be created.
LoveLetter was found globally in the wild on May 4th, 2000. It looks like the virus is of Philippine origin.