'ILOVEYOU' computer bug bites hard, spreads fast
(CNN) -- By midday Thursday, the self-propagating and destructive "ILOVEYOU" virus had already wrought hundreds of millions of dollars in software damage and lost commerce, analysts said.
The virus was first reported in Hong Kong and spread gradually west as a new day dawned, infecting government and business computers. Anti-virus companies in the United States fielded thousands of calls from corporate customers reporting widespread infections.
Two anti-virus companies, Symantec, which makes Norton Anti-Virus, and F-Secure, have developed and posted "virus definition" files for the "ILOVEYOU" virus, which is currently known to spread through the Microsoft Outlook e-mail program and through a popular Internet Relay Chat program. Those files have so-called "fingerprints" for the virus, allowing those programs to detect and eliminate it.
"This is fairly big time," said computer security expert Peter Tibbett, who works for ICSA.net of Reston, Virginia, which measures the frequency and cost of viruses on 1 million machines per year.
'LOVE' already costing much
He estimated $100 million in software damage and lost commerce had been caused by 9 a.m. Thursday in North America alone and predicted the price tag would exceed $1 billion by Monday morning.
ICSA.net has 200,000 clients, among them financial institutions, government agencies and corporations, Tibbett said. The Department of Justice used the company's estimates for damage caused by last year's Melissa virus, he said.
"This beats Melissa hands down," Tibbett said.
According to ICSA.net, the Melissa virus infected 20 percent of North American companies' computer systems. "We anticipate this'll exceed 50 percent of North American companies by Monday," Tibbett said.
The malicious code is a hybrid virus and worm. Like the Melissa and Explore.Zip worms, it propagates itself through networks -- in this case, e-mail. But unlike those two, it also destroys files and replicates itself by manipulating files on a user's hard drive, like a traditional virus.
Senate has no love for 'LOVE'
The virus is "widespread" at the U.S. Senate computer system, according to Elizabeth McAlhany of the Senate Sergeant At Arms office. Every Senate office has been paged to alert them to the virus. The Senate's internal e-mail system was shut down.
Effects were minimal at the House of Representatives, although "hundreds of thousands" of copies of the virus were deleted, according to the Committee on House Administration, which is overseeing the defense efforts.
"By all looks, it doesn't appear to be too bad," committee spokesman Jason Poblete told CNN. "No one knew it was coming. But we won't know about permanent technical damage until it's over," he said. The House e-mail system is still operating, Poblete said.
The White House and federal agencies reported minimal effects.
The FBI has begun investigating the virus. Officials at the National Infrastructure Protection Center were meeting Thursday to discuss the attack's impact.
Britain's House of Commons was also hobbled by the virus.
"I have to tell you that, sadly, this affectionate greeting contains a virus which has immobilized the House's internal communication system," said House leader Margaret Beckett.
In Hong Kong the virus appeared late in the afternoon, and is reported to have hit public relations firms and investment firms particularly hard. Dow Jones Newswires and the Asian Wall Street Journal were among the victims.
In Europe, the virus reached European parliaments, big companies and financial traders early Thursday. Officials at the Norwegian anti-virus company Norman said they first heard of the virus around 10 p.m. CET.
"The virus first showed up on my desk one hour ago," virus analyst Snorre Fagerland at Norman told CNN Norway. "Usually we get a few days' notice until the virus reaches us, thus this virus seems to be very aggressive."
In Denmark, the TV2 channel, the telecom company Tele Danmark and the Danish parliament were all victims.
"More than 100,000 mailservers in Europe have been taken down or stuck out by the virus," virus specialist Stein Mollerhaug in Compaq Norway says to CNN Norway. "And the servers with anti-virus programs have huge problems. Millions of people are trying to get the latest anti-virus programs," he says.
Compaq first noticed the virus at 7:30 a.m. CET. "One of our employees then received the virus from one of our partners in Malaysia. We knew we had a problem when he received 200 more copies of the same mail within minutes," Mollerhaug says.
He now fears copycats will start a new wave of the virus in Asia and Europe.
How it works
Security experts at F-Secure have analyzed the virus thoroughly. Users usually get an e-mail, sometimes from someone they know, asking them to check the attached "Love Letter." That file is a VisualBasic script, which contains the virus payload. As long as the user deletes the e-mail without opening the attachment, their computer is safe from harm. Once a computer is infected, the virus transmits itself through e-mail using Outlook's address book.
"What makes this virus so much more aggressive than Melissa is that this virus sends copies to all the addresses, whilst Melissa only sent copies to the first 50 addresses," Fagerland said.
The virus can also travel through the Internet Relay Chat client mIRC, according to F-Secure, which has analyzed the malicious code.
Unlike the "Melissa" virus, which traveled in a similar fashion, "ILOVEYOU," also known as the Love Letter worm, is more destructive. First, it copies itself to two critical system directories and adds triggers in the Windows registry. This ensures that it's running every time the computer reboots.
The virus then starts affecting data files. Files associated with Web development, including ".js" and ".css" files, will be overwritten with a file in the VisualBasic programming language. The original file is deleted. It also goes after multimedia files, affecting JPEGs and MP3s. Again, it deletes the original file and overwrites it with a VisualBasic file with a similar name.
'It's very clever.'
Since it affects popular filetypes, re-infection can occur if those replaced files are overlooked during cleanup.
"If you don't do a full scan," says Carey Nachenberg, chief researcher at the Symantec Anti-Virus Research Center, "you'll click on one of those things, and whammo! You'll infect everybody again. It's very clever."
Nachenberg calls the virus a "corporate-flavored" worm, because it affects scripting files common to company networks. It also only affects Windows 98 and NT operating systems. Windows 95 users are susceptible if Windows Scripting Host is installed. Researchers are also checking whether it affects Outlook Express, the consumer version of Microsoft Outlook, to see how vulnerable end users could be.
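Added example, not part of the original report or any vendor's tool: a sketch of the kind of full-disk check the cleanup advice above calls for, flagging leftover VisualBasic files that replaced data files. It assumes "a similar name" means the original filename with `.vbs` appended (for example `photo.jpg.vbs`) and that the replacement files are byte-identical copies of one script; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions the article names as targets (.js, .css, JPEG, MP3).
TARGETED = {".js", ".css", ".jpg", ".jpeg", ".mp3"}

def find_suspect_scripts(root):
    """Return (double_ext, clusters) for .vbs files under root.

    double_ext: paths like photo.jpg.vbs (targeted extension + .vbs).
    clusters:   sha256 -> paths, for .vbs content that appears 2+ times.
    """
    double_ext, by_hash = [], defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".vbs":
                continue
            path = os.path.join(dirpath, name)
            # Assumption: a replaced file keeps its old extension before .vbs.
            if os.path.splitext(stem)[1].lower() in TARGETED:
                double_ext.append(path)
            with open(path, "rb") as fh:
                by_hash[hashlib.sha256(fh.read()).hexdigest()].append(path)
    clusters = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return sorted(double_ext), clusters

def build_sample_tree(root):
    """Constructed sample data: harmless placeholder text, not worm code."""
    placeholder = b"' constructed placeholder script body\n"
    files = {
        "site/logo.jpg.vbs": placeholder,
        "music/track01.mp3.vbs": placeholder,
        "site/style.vbs": placeholder,  # name alone gives nothing away
        "admin/backup.vbs": b"' unrelated admin script\n",
        "site/index.html": b"<html></html>\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        flagged, clusters = find_suspect_scripts(tmp)
        print("double extension:", flagged)
        print("identical copies:", clusters)
```

The hash clustering catches copies such as `style.vbs` that the name check misses, while a one-off administrative script stays out of both lists.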
The beginning of the virus code indicates a possible origin. In comments, the virus is signed by "spyder," and contains an anonymous e-mail address and a company name. It is also signed "Manila, Philippines," and with the comment, "i hate go to school."
Taking a lighter view of the virus, British Commons leader Beckett said she did not know whether to be "sorry or pleased that as far as I'm aware, I have not received an e-mail saying 'I love you.'"
Morton Overbye of CNN Norway, CNN producer Ted Barrett and Congressional Correspondent Frank Black contributed to this report.
© 2001 Cable News Network. All Rights Reserved.