dcsimg
RealTime IT News

Another Virus Swamps E-mail Systems

A computer virus spread by e-mail messages and IRC began tainting computer systems worldwide Thursday, striking Asia before quickly spreading to the United States and Europe.

The virus, an e-mail worm known as "I love you" or "love letter," is a VBScript virus that includes a damage component that overwrites certain media files on a hard drive or network. It originally included a component which sent network passwords cached by Windows to an attacker's site when an infected user connects to the Internet. That feature, which worked through a backdoor created in the Philippines, has been disabled.

If the attachment holding the virus is opened, the virus multiplies by finding other e-mail addresses and prompting the computer to generate new e-mail. Victims sometimes receive dozens of e-mail messages, all contaminated with the virus.

The virus, which appeared in Hong Kong late Thursday afternoon, seemed to particularly hit, among other businesses, public relations firms and investment banks. Dow Jones and the Asian Wall Street Journal offices in Asia were among its victims.

In Hong Kong, Japanese brokerage Nomura International Ltd. was one of the first to get hit. It also struck the company's London office, he said. "It just multiplies through the system and eradicates whole address books."

The e-mail system of the British House of Commons was shut down and around ten per cent of U.K. businesses were seriously affected by the .

Several companies that sell anti-virus software waded in with advice, although for many users they were too late. One of the quicker ones, GFI, warned that the latest outbreak was proof that e-mail was becoming the main means of mounting virus attacks.

Nick Galea, chief executive officer of GFI, said it was easy to block the virus using anti-viral software such as his company's Mail essentials.

"Just set Mail essentials to block VBS attachments in the Content Checking tab. This will block any incoming/outgoing infected mail. This way, the Mail essentials resolution will block all viruses of this kind as it will quarantine any attachments using a VB script," explained Galea.

Among the British companies affected by the virus were the BBC, BT, Cable & Wireless, and Compaq. Others were said to have their email systems overloaded by extra traffic as a result of the outbreak.

Other places affected by the virus included the Dow Jones Newswires and the Asian Wall Street Journal, the Florida Lottery Web site in the United States, and the Danish parliament and many companies in Denmark including telecom company Tele Danmark and channel TV2.

A spokesman at Network Associates claimed to have the name of the person who had originated the virus, but refused to disclose the culprit's identity.

Forewarned, systems administrators in the United States were able to take remedial action, lessening the impact of the virus on U.S. companies - although many thousands of computers were affected in early morning.

The virus arrives as either an e-mail attachment or via IRC. If received by e-mail, the subject of the message is "ILOVEYOU" and the body of the message says "kindly check the attached LOVELETTER coming from me."

The name of the attachment is LOVE-LETTER-FOR-YOU.TXT.vbs. However, if the system is not configured to show the extensions of files, it will look like a .txt file to the user.

If the virus is received via IRC, it appears as a file called LOVE-LETTER-FOR-YOU.HTM.

When executed, the virus makes copies of itself under the names MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows System directory and under the name Win32DLL.vbs in the Windows directory. It then modifies the Registry, causing the files Win32DLL.vbs and MSKernel32.vbs to execute every time Windows is launched.

The virus then modifies the Registry again, altering the startup page ofI