Copycats of ‘I Love You’ Worm Spread

Copycat versions of the “I Love You” virus, which wreaked havoc on computers around the world Thursday, began appearing soon after warnings went out about the initial virus.

In Europe, by midday Friday, five different versions of the “I Love You” worm had been identified with more expected to appear over the weekend, according to Mikko Hypponen, manager of Anti-Virus Research at F-Secure Corp. in Espoo, Finland. The Melissa outbreak last year, which followed a similar pattern, has lead to the creation of about 40 versions of that virus.

Forty-five million e-mail users reportedly received the original “I Love You” virus in its first day of circulation. The virus is an e-mail worm using VBScript which spreads by sending itself to e-mail addresses in victims’ address books and destroys some media files.

Michael Erbschloe, vice president of Research for Computer Economics Inc., said his firm estimates the virus has already caused $2.61 billion in damages.

The first copycat identified, a version called “Very Funny” circulating in an e-mail headed “FWD: Joke,” was just like the “I Love You” virus. It had simply been renamed. But Elias Levy, of Security Focus, wrote to the Bugtraq security mailing list, “At least in some instances it seems tabs in the virus code have been changed to spaces. That means the code looks the same but it’s not. Some antivirus products may be fooled by this.”

But more copycats are on the way, security experts warned Friday morning. The McAfee unit of Network Associates warned of a variant in an e-mail with the subject header “Susitikim shi vakara kavos puodukui…” Hypponen said this e-mail was modified in Lithuania. The subject header, in Lithuanian, means “Let’s meet this evening for a cup of coffee…”

Another insidious variant reads “Mothers Day Confirmation Order” in the e-mail subject line. It informs the recipient of a credit card charge in the amount of $326.92 made for a Mother’s Day diamond special, and instructs readers to print out the attachment, an order invoice.

“The Mother’s Day version of this worm is quite cunning,” Hypponen said. “When users get such e-mails they assume there is some mistake and will naturally open the attachment, infecting their computer. With only eight days to go until Mother’s Day, this attack is quite credible.”

And the Mother’s Day variant does not attack media files. It deletes all files with .ini or .bat extensions. Windows uses .ini extensions to configure information like printer and font defaults used when a program is launched.

The author of the Mother’s Day variant used a free e-mail service from subDIMENSION.com.

“Last night, I guess, someone registered an account and they sent off some e-mails with a variation of that virus,” said Patrick Nadeau, operator of the subDIMENSION.com site. Nadeau said that subDIMENSION does have the author’s IP address but will not turn it over to authorities until a court order has been issued. He said that upon reciept of a court order, subDIMENSION.com deletes the offender’s e-mail account and turns over the IP address.

The last variant is almost identical to the original worm but the coding has been altered slightly to make it undetectable to some virus programs.

Because the worm eludes some virus scanners, the easiest way to protect against future .vbs worms is to disable Windows Scripting. To do this, go to Control Panels, select Add/Remove Programs, choose Windows SetUp and click on Accessories. Once in the Accessories folder, unselect Windows Scripting Host.

But GFI, developer of fax server and e-mail security software for Windows NT, said it expects virus variants to appear that use not only VBScript but also Windows Scripting host, Java scripts and HTML scripts. The company said that the only

way to avoid infections of these types of viruses is to block scripts at the e-mail server level.

“Quarantining such e-mails in this way will ensure that e-mail users are not infected,” said Nick Galea, chief executive officer of GFI. “It is true that this will give rise to some false alarms, but it is also the only surefire way to prevent infection — especially as much more dangerous variants are likely to be released.”

It is believed the original virus was authored by a person using the handle spyder. The virus has a comment that may indicate the author:

rem barok -loveletter(vbe)

rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila, Phillippines.