'ILOVEYOU' e-mail worm invades PCs

Melissa-like e-mail worm -- identified by the phrase 'ILOVEYOU' in the subject line of e-mail -- is sweeping through Asia and is now in the U.S. and the UK.


By Margaret Kane, ZDNet News
UPDATED May 4, 2000 2:35 PM PT


A destructive computer worm swept several continents Thursday, touching tens of thousands of individual users as well as the Central Intelligence Agency, Ford Motor Co. and Britain's Parliament.
Over a five-hour period the worm spread across Asia, Europe and the United States via e-mail messages titled "ILOVEYOU." The menace clogged Web servers, overwrote personal files and caused corporate IT managers to shut down e-mail systems.

The FBI said Thursday it was investigating the so-called "Love Bug" virus. FBI spokeswoman Debbie Weierman said the investigation, coordinated by the agency's National Infrastructure Protection Center, would try to determine whether there have been any violations of the federal Computer Abuse Act.

A scan of the Visual Basic code included in the attachment reveals that the virus may be corrupting MP3 and JPEG files on users' hard drives, as well as mIRC, a version of Internet Relay Chat. It also appears to reset the default start page for Internet Explorer.

The attack may have originated in the Philippines. Sky Internet Inc., the Quezon City, Philippines, Internet service provider that inadvertently hosted some of the "ILOVEYOU" worm code, said Thursday that the company is hunting the writer.

Numerous corporations have reported problems with the bug, and several have shut down e-mail servers to prevent it spreading and to implement fixes.

Sources at San Francisco-based Pacific Bell said the company shut down its e-mail servers to stop the bug's spread. A company spokeswoman said "there's been no significant impact for any Pacific Bell company," but she didn't know the extent of the infection.

A Pentagon office that compiles news clippings sent the "ILOVEYOU" message to all recipients on its mailing list, including contacts at the Central Intelligence Agency, Civil Air Patrol, General Accounting Office, military commands and the National Infrastructure Protection Center.

The British Parliament was also said to be affected, with the House of Commons shutting down its e-mail system for about two hours on Thursday to safeguard against the virus.

Ford Motor Co. said it shut down its e-mail system, serving more than 100,000 employees worldwide, this morning after the virus infiltrated its system in Europe.

In New York, a spokeswoman for brokerage house Merrill Lynch confirmed the company had been infected with the virus, saying it was "currently being eradicated and has had no impact on the business."

Spreading quickly

Virus hunters say the bug has spread quickly, particularly when compared with previous infections.

When a user running the e-mail program Microsoft Outlook clicks on the attachment, the virus sends a copy of itself to every person in his or her address book.

A Microsoft security spokeswoman told ZDNet News the company currently has no plans to issue a patch or security warning to its customers. Instead, Microsoft is simply reminding its users to "continue to follow best security practices, such as to be leery of dubious e-mail."

"This is a virus. The anti-virus companies are the experts here," the spokeswoman said. "We are working closely with the anti-virus community to provide them with any information we can." She added that, right now, Microsoft has no plans to temporarily shut down its own internal mail servers -- something the company did to halt the proliferation of the Melissa virus last year.

Melissa was limited; 'Love' bug isn't

"Melissa was limited to 50 (addresses). That's the big reason why we think it's been spreading so fast," said Narender Mangalam, director of security strategy at Computer Associates.

The good news is that the huge publicity generated by Melissa seems to have made computer users and corporations far more alert to the problems of viruses.

"The reaction times (are much faster) compared to a year ago with Melissa. Last year we were talking days for some to react. Now we're talking almost minutes to react," said Vincent Weafer director of the Symantec AntiVirus Research Center.

And that helped limit the damage somewhat caused so far.

"There's less of an impact in terms of actually bringing down (e-mail servers), but the footprint is much larger," said Computer Associates' Mangalam. "Our UK division says that almost 15 percent of business are affected. We haven't seen one that goes out that far since Melissa."

Not restricted to Outlook

But users should be aware that the damage is not limited to simple propagation, nor is it restricted to Outlook users.

Once activated, the virus will attempt to rename files with the following extensions: MP3, JPEG, VPOS, JS, JSE, CSS, WSH, SCT and HTA.

It also attempts to spread itself via Internet Relay Chat and tries to access files located on the Web.

"It tries to go up to four separate Web sites and bring down code that can obviously allow the guys who own the Web site access to the (users) computer. But the Web sites seem to be down. There's no immediate danger," Mangalam said.

Symantec said it has reports of more than 1,000 infections. The bug, which the company called VBS.LoveLetter.A, uses Microsoft Outlook to replicate itself, sending messages with the message "kindly check the attached LOVELETTER coming from me."

The name of the attachment is "LOVE-LETTER-FOR-YOU.TXT.vbs."

Once the attachment is opened, the worm replicates itself and adds several files to the user's computer.

Origin in the Philippines

The file may have originated from a user dubbed "spyder" in the Philippines. The text of the virus script also contains the phrase "i hate to go to school."

Sky Internet Inc., the ISP that inadvertently hosted some of the "ILOVEYOU" worm code, said on Thursday that the company is hunting the writer.

According to Ronald Eociario, a system administrator for the ISP, the four Web pages that acted as remote download sites for the worm have been shut down, and the company has traced back the source of those accounts to another hosting provider in the Philippines.

"Our service was used as a gateway," said Eociario. "We already have pinpointed the suspect. They are within the Philippines, but we are not sure whether they are host."

Melissa brought worldwide attention to the problems of computer viruses when it struck e-mail systems in March 1999. The program knocked out e-mail servers at dozens of corporations and is estimated to have caused millions of dollars' worth of damage.

David L. Smith, the alleged author of the Melissa virus, was recently arraigned in a New Jersey court on charges of interruption to public communications, conspiracy to commit the offense and attempt to commit the offense.

ZDNet UK, ZDNet Germany, Robert Lemos and Reuters contributed to this repor