[ISN] 'Love' Worm Spreading Fast

From: William Knowles (wkC4I.ORG)
Date: Thu May 04 2000 - 11:14:13 CDT


http://www.wired.com/news/technology/0,1282,36119,00.html

by Michelle Finley
11:25 a.m. May. 4, 2000 PDT

A new, virulent worm known as the "Love Bug" infested computer
networks throughout the world beginning Wednesday night, shutting down
major email servers, including those belonging to the Pentagon, the
British Parliament, and NASA.

Experts say it might exceed the infamous Melissa worm in both speed
and destructiveness.

The self-replicating worm can clog email programs and destroy MP3 and
JPEG files on PCs and through connected networks.

It evidently can only be spread through PCs via the Microsoft Outlook
email program. It does not affect Macintosh, Linux, or Unix operating
systems.

The worm, spread through an email Visual Basic script (.vbs)
attachment with the subject header "ILOVEYOU," began invading U.S.
networks overnight after being first detected in Europe.

Companies with branch offices in Europe and Asia first reported the
arrival of the worm on their networks. The worm caused system
administrators to shut down email servers at the Space Center in
Houston, Ford Motor Co., Vodafone AirTouch, the Jet Propulsion Lab,
Philips Customer Call Centers, and Ticketmaster Citysearch.

The "Love Bug" also was reportedly sent to the CIA, the General
Accounting Office, and the Civil Air Patrol, when a Pentagon office
inadvertently transmitted it with its daily news clippings.

"This worm spreads at an amazing speed," said Mikko Hypponen, manager
of anti-virus research at F-Secure Corporation. "We got the first
report around 9 a.m. on Thursday from Norway, and by 1 p.m. we had
reports from over 20 countries."

Hypponen estimates that the total number of infected machines is already in
the tens of thousands.

"We've got it and it killed our Intranet for two hours," said Joe
Gleason from ArtStart, a Manhattan printing production company. "We've
got associates in London, and the 'ILOVEYOU' email literally flooded
all morning. This thing spreads like wildfire. It appears to be way
worse than Melissa was."

Gleason's IT director, Jonathan Antipass, was not as concerned. "We
were getting heavily bombed with this virus, but we've told users not
to open the emails. It doesn't do anything unless you take a peek at
it, which some people oddly seem compelled to do."

Antipass says that the worm may have passed through corporate
firewalls because most are not set up to reject attachments with a
.txt.vbs extension.

He also notes that the worm seems to be deleting JPEG graphic files
and replacing them with copies of the .vbs virus file.

Chicago attorney Melvin Golden also says his network was infected, to
the point where partners who have extensive dealings with European
clients have had their computers removed from the network.

"We are now watching the emails come in at a rate of about 10 an hour.
We thought it was strange that so many of our European clients
suddenly decided they loved us," he said.

The virus is believed to have originated in the Philippines, where it
was called "the Manila Killer." It arrives in an email with a subject
line that reads 'ILOVEYOU.' The email contains a one-line message
reading, "kindly check the attached LOVELETTER coming from me" and an
attachment titled LOVE-LETTER-FOR-YOU.TXT.VBS.

Once the attachment is opened the virus spawns copies of itself to
everyone in the victim's Microsoft Outlook email address book. It also
infects VBS files on the recipient's drives as well as overwriting
JPEG and local HTML files with its own code and searches for mIRC chat
files.

If found, the virus inserts a custom script in it to infect other mIRC
users, and then sends itself to every contact in the infected
computer's address book.

LOVE-LETTER-FOR-YOU will also try to download a BUGFIX.EXE file from
four Internet sites, although what the downloaded file will then do
was not immediately known.

The virus, officially called "vbs.loveletter.a" by virus company
Symantec, also clogs up networks with thousands of copies of the
replicated message.

European computer systems were hit hard by the virus, which shut down
networks at the British Parliament for several hours. Dow Jones
reported that the worm has also affected networks in Hong Kong and
Singapore, hitting investment banks and public relations firms
particularly hard.

Symantec released an update to its antiviral software application, but
warned computer users that the best action was simply not to open any
"ILOVEYOU" messages.

The confusion over whether the worm destroys data is because the worm
modifies Internet Explorer's start page to point to a Web page that
then downloads a binary called WIN-BUGSFIX.exe. The worm randomly
selects between four different URLs which may cause it to react in
different ways, depending on what version of the BUGSFIX it downloads.

"I've not been able to obtain a copy of the binary to figure out what it
does," said Elias Levy at SecurityFocus.com.

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*
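The article notes that most gateways were not set up to reject attachments with a .txt.vbs extension. The following is an added example, not part of the original post or the Wired article, of a mail-gateway check that flags script or executable attachments hidden behind a harmless-looking extension. The extension lists, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will execute or hand to a script host (assumed blocklist).
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                   ".exe", ".scr", ".pif", ".bat", ".cmd", ".com"}
# Harmless-looking extensions used as a decoy in front of the real one.
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".pdf", ".mp3", ".htm", ".html"}


def classify_filename(name):
    """Return 'double-extension', 'executable' or None for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before judging.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_message(raw):
    """Walk every MIME part and list (filename, verdict) for risky attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()  # decodes RFC 2231/2047 encoded names
        verdict = classify_filename(filename) if filename else None
        if verdict:
            findings.append((filename, verdict))
    return findings


def build_sample(filename):
    """Constructed test message; the attachment body is inert placeholder text."""
    msg = EmailMessage()
    msg["Subject"] = "ILOVEYOU"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("kindly check the attached LOVELETTER coming from me")
    msg.add_attachment(b"placeholder, not script code", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("LOVE-LETTER-FOR-YOU.TXT.VBS", "minutes.txt", "setup.exe"):
        print(name, "->", scan_message(build_sample(name)))
```

A gateway would quarantine or strip any part that returns a verdict; matching on the final extension rather than the subject line means the check still fires when the subject or file name changes.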