Another Virus Swamps E-mail Systems

A computer virus spread by e-mail messages and IRC began tainting computer systems worldwide Thursday, striking Asia before quickly spreading to the United States and Europe.

The virus, an e-mail worm known as “I love you” or “love letter,” is a VBScript virus that includes a damage component that overwrites certain media files on a hard drive or network. It originally included a component which sent network passwords cached by Windows to an attacker’s site when an infected user connects to the Internet. That feature, which worked through a backdoor created in the Philippines, has been disabled.

If the attachment holding the virus is opened, the virus multiplies by finding other e-mail addresses and prompting the computer to generate new e-mail. Victims sometimes receive dozens of e-mail messages, all contaminated with the virus.

The virus, which appeared in Hong Kong late Thursday afternoon, seemed to particularly hit, among other businesses, public relations firms and investment banks. Dow Jones and the Asian Wall Street Journal offices in Asia were among its victims.

In Hong Kong, Japanese brokerage Nomura International Ltd. was one of the first to get hit. It also struck the company’s London office, he said. “It just multiplies through the system and eradicates whole address books.”

The e-mail system of the British House of Commons was shut down, and around ten per cent of U.K. businesses were seriously affected by the virus.

Several companies that sell anti-virus software waded in with advice, although for many users they were too late. One of the quicker ones, GFI, warned that the latest outbreak was proof that e-mail was becoming the main means of mounting virus attacks.

Nick Galea, chief executive officer of GFI, said it was easy to block the virus using anti-viral software such as his company’s Mail essentials.

“Just set Mail essentials to block VBS attachments in the Content Checking tab. This will block any incoming/outgoing infected mail. This way, the Mail essentials resolution will block all viruses of this kind as it will quarantine any attachments using a VB script,” explained Galea.

Among the British companies affected by the virus were the BBC, BT, Cable & Wireless, and Compaq. Others were said to have their email systems overloaded by extra traffic as a result of the outbreak.

Other places affected by the virus included the Dow Jones Newswires and the Asian Wall Street Journal, the Florida Lottery Web site in the United States, and the Danish parliament and many companies in Denmark including telecom company Tele Danmark and channel TV2.

A spokesman at Network Associates claimed to have the name of the person who had originated the virus, but refused to disclose the culprit’s identity.

Forewarned, systems administrators in the United States were able to take remedial action, lessening the impact of the virus on U.S. companies – although many thousands of computers were affected in early morning.

The virus arrives as either an e-mail attachment or via IRC. If received by e-mail, the subject of the message is “ILOVEYOU” and the body of the message says “kindly check the attached LOVELETTER coming from me.”

The name of the attachment is LOVE-LETTER-FOR-YOU.TXT.vbs. However, if the system is not configured to show the extensions of files, it will look like a .txt file to the user.

If the virus is received via IRC, it appears as a file called LOVE-LETTER-FOR-YOU.HTM.
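The gateway rule Galea describes (quarantine any attachment the Windows Scripting Host would run) applied to the lure described above, as an added example that is not GFI's code and not part of the original article; the message it scans is constructed here, and the attachment bytes are a placeholder, not the worm:

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the Windows Scripting Host will execute (drawn from the worm's own
# target list in the article); a gateway that quarantines these stops this class of worm.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}


def attachment_verdict(filename):
    """Return why an attachment should be quarantined, or None if it is allowed."""
    parts = filename.lower().split(".")
    if len(parts) < 2:          # no extension at all
        return None
    ext = parts[-1]             # Windows runs the file by its LAST extension
    if ext not in SCRIPT_EXTENSIONS:
        return None
    if len(parts) > 2:          # e.g. .TXT.vbs: a decoy extension hides the real one
        return f"script extension .{ext} hidden behind .{parts[-2]}"
    return f"script extension .{ext}"


def scan_message(raw):
    """Parse one RFC 822 message and return every reason to quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = attachment_verdict(name)
        if verdict:
            reasons.append(f"attachment {name!r}: {verdict}")
    return reasons


def build_sample(attachment_name):
    """Constructed test message mimicking the lure described in the article."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    # Placeholder bytes only; this is NOT the worm's script.
    msg.add_attachment(b"' constructed placeholder\r\n",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "quarterly-report.txt"):
        print(name, "->", scan_message(build_sample(name)) or ["allowed"])
```

Because the check keys on the last extension, it catches the hidden-extension trick even when the client hides extensions from the user.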

When executed, the virus makes copies of itself under the names MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows System directory and under the name Win32DLL.vbs in the Windows directory. It then modifies the Registry, causing the files Win32DLL.vbs and MSKernel32.vbs to execute every time Windows is launched.

The virus then modifies the Registry again, altering the startup page of Internet Explorer to download a file named WIN-BUGSFIX.exe from one of four possible places on http://www.skyinet.net (randomly selected), and the Registry is modified so that this file is executed the next time Windows is launched. This was the portion that collected network passwords. A system administrator at Sky Internet, the company that owns www.skyinet.net, said the four URLs that were collecting the passwords were shut down at about 5 a.m. EST.

Then the virus creates an HTML version of itself, in a file named LOVE-LETTER-FOR-YOU.HTM in the Windows System directory.

Next, the virus starts a copy of Outlook in the background (only Outlook 98 or 2000 will work – not Outlook 97 or Outlook Express). It examines all Outlook Address Books and, if an Outlook Address Book contains more addresses than the Windows Address Book, the virus mass-mails itself to all addresses in that Outlook Address Book. (The virus does NOT mass-mail itself to any addresses in the Windows Address Book.)

Finally, the virus examines all directories on all hard and network drives. If a file has one of the following extensions: VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, MP2, MP3, JPG or JPEG, the virus overwrites the file with a copy of itself. If the extension was not VBS or VBE, the virus adds the extension VBS to the name of the file. For instance, PICTURE.JPG becomes PICTURE.JPG.vbs. If a MP2 or MP3 file was overwritten, the virus also sets its file attribute to ReadOnly.
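A post-incident sweep for the renaming pattern just described (PICTURE.JPG becomes PICTURE.JPG.vbs, and overwritten MP2/MP3 files are set ReadOnly), added here as an example rather than taken from the article; the directory tree it scans is constructed with placeholder content, and the original file name it reports is the one that must be restored from backup:

```python
import os
import stat
import tempfile

# Extensions the worm overwrites and then renames by appending .vbs
# (VBS/VBE files are overwritten in place, so they cannot be found by name).
RENAMED_EXTENSIONS = {"js", "jse", "css", "wsh", "sct", "hta", "mp2", "mp3", "jpg", "jpeg"}


def is_overwrite_artifact(name):
    """True for names like PICTURE.JPG.vbs; case-insensitive like Windows."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "vbs" and parts[1] in RENAMED_EXTENSIONS


def find_artifacts(root):
    """Walk root; return (relative path, original name, read-only?) per hit, sorted by path."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not is_overwrite_artifact(name):
                continue
            path = os.path.join(dirpath, name)
            # The worm sets ReadOnly on overwritten MP2/MP3 files; check the owner
            # write bit via stat so the result does not depend on running as root.
            read_only = not (os.stat(path).st_mode & stat.S_IWUSR)
            hits.append((os.path.relpath(path, root), name[:-4], read_only))
    return sorted(hits)


def build_sample_tree():
    """Constructed directory tree standing in for a hit drive (placeholder content)."""
    root = tempfile.mkdtemp(prefix="loveletter-sweep-")
    os.makedirs(os.path.join(root, "photos"))
    for rel in ("photos/PICTURE.JPG.vbs", "photos/holiday.jpeg", "notes.txt", "song.MP3.vbs"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed placeholder, not worm content\n")
    os.chmod(os.path.join(root, "song.MP3.vbs"), stat.S_IRUSR | stat.S_IRGRP)
    return root


if __name__ == "__main__":
    for rel, original, ro in find_artifacts(build_sample_tree()):
        print(f"{rel}: restore {original} from backup" + (" (read-only)" if ro else ""))
```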

If, during this directory traversal, the virus finds the files mirc32.exe, mlink32.exe, mirc.ini, script.ini or mirc.hlp, it drops a file in that directory named SCRIPT.INI which begins with the comments ;mIRC Script ; Please dont edit this script… mIRC will corrupt, if mIRC will corrupt… WINDOWS will affect and will not run correctly. thanks ; ;Khaled Mardam-Bey ;http://www.mirc.com

This file tries to send the file LOVE-LETTER-FOR-YOU.HTM from the Windows System directory via IRC’s command /DCC to all users joining the IRC channel which the infected user is on.

The virus sets or modifies the following Registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

Jeff Carpenter, senior Internet security technologist with Carnegie Mellon’s CERT Coordination Center, said preliminary analysis indicates that the virus is similar to Melissa in that it spreads through e-mail attachments. He said CERT is currently studying the virus and is working with virus experts to understand how the virus works and how to recover. He added that CERT received more than 150 reports of the virus as of 10 a.m. Thursday, higher than normal for an average virus.

Mikko Hypponen, manager of Anti-Virus Research at F-Secure Corp. in Espoo, Finland, said, “We’ve had two big media houses who’ve had their photo archives overwritten by this thing.”

Hypponen said that organizations struck by the worm should take a number of steps. “If you’re not sure what to do, the first thing you should do is to stop incoming mail and outgoing mail, then think what to do next,” he said. “I know it sounds drastic, but it gives you time to react. And if you are spooling incoming and outgoing messages, you’re not going to lose much if you keep it down for an hour or two until you have time to react.

“After you have done that, number two on your list is to disable scripting in Outlook clients if you have Outlook clients in your organization. By disabling scripting or support for Windows Scripting Host, you are not vulnerable to this attack at all.”

“Number three, update your anti-virus to handle this.”
