Just when it seemed safe to get back in the water, a new virus is making life difficult for users of Microsoft Corp.’s Outlook e-mail program. Experts say this one, known as VBS/Spammer.A Worm or VBS.NewLove.A, carries a potentially more destructive payload than the “I Love You” worm, which struck two weeks ago.
The new virus is a polymorphic worm, meaning it changes its code with each new infection. New lines of random code are added each time the virus spreads itself, which means the virus keeps increasing in size. The worm also changes the attachment’s file name and the subject header with each iteration, making it very difficult to detect. According to Symantec Corp.’s AntiVirus Research Center (SARC), while the attachment name is randomly chosen, it will always have a VBS extension.
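Because the subject and attachment name change with every copy but the extension does not, a mail gateway check has to key on the extension alone. The following is an added example, not code from the article or from any vendor it quotes; the function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# The only stable trait SARC reports: the attachment always ends in .vbs.
BLOCKED_EXTENSIONS = (".vbs",)

def has_blocked_extension(filename):
    """True if the name ends in a blocked extension, whatever precedes it."""
    # Windows ignores trailing dots and spaces, so strip them before matching;
    # lower-casing handles names such as "XKQZ.VBS".
    cleaned = filename.strip().rstrip(". ").lower()
    return cleaned.endswith(BLOCKED_EXTENSIONS)

def blocked_attachments(raw_bytes):
    """Return the attachment names in a raw message that should be quarantined."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # None for parts that carry no file name
        if name and has_blocked_extension(name):
            hits.append(name)
    return hits

def build_sample(subject, filename):
    """Construct a test message (constructed data, not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("see attachment")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

# Constructed subjects and names: nothing is shared between them except,
# for the first two, the extension.
SAMPLES = [
    ("Quarterly numbers", "report.doc.vbs"),
    ("FW: holiday photos", "XKQZ.VBS"),
    ("Meeting notes", "vbs_notes.txt"),
]

if __name__ == "__main__":
    for subject, filename in SAMPLES:
        hits = blocked_attachments(build_sample(subject, filename))
        print(f"{subject!r}: {'QUARANTINE ' + str(hits) if hits else 'pass'}")
```
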
“It’s designed to elude detection and the standard virus blocking methods — for instance filtering,” said Kristin Zoega of antivirus software developer Trend Micro Inc. “You’re not going to be able to use those products.”
NewLove infects Windows 95/98/NT/2000 and sends itself to every address in a Microsoft Outlook address book. Once it has copied itself, it goes through all directories and renames all files to include a VBS extension. It then sets file sizes to zero bytes, making computer systems and networks inoperable.
The virus was reported in the United States and Israel Thursday. Computer Associates International, a business software company, has said the worm originated in Israel.
Originally, NewLove was believed to be a variant of I Love You, but Zoega said the worm is an original virus, not a variant. Other antivirus firms, including Computer Associates and McAfee.com Corp., have agreed.
The good news is that the virus is not spreading as quickly as I Love You.
“It hasn’t spread very rapidly,” Zoega said. “We’ve heard of a few incidents, but it didn’t spread in Europe today and didn’t take off in Asia. It could be that everyone is more on guard now. People aren’t opening up their attachments.”
Zoega also noted that I Love You was spread through IRC while NewLove seems to be restricted to e-mail.
Symantec said that proper removal of NewLove can only be achieved by restoring the affected files from known clean backups.