Copycat viruses following 'ILOVEYOU' computer bug are no joke

(CNN) -- Hours after the self-propagating and destructive "ILOVEYOU" virus destroyed critical files and jammed countless electronic mail systems, computer network administrators battled at least one copycat virus dubbed "very funny."

The new variants can elude anti-virus software designed to block the "ILOVEYOU" bug and could potentially cause the same damage.

"We predict at least a dozen copycats within the next 24 hours," said computer security expert Peter Tippett, who works for ICSA.net of Reston, Virginia, which measures the frequency and cost of viruses on 1 million machines per year.

"There'll be hundreds of these" in the coming days, he said, "maybe thousands."

He said he didn't expect the copycats to cause the widespread damage that Thursday's "ILOVEYOU" virus did -- which is estimated at tens of millions of dollars in damage worldwide and could reach $1 billion by Monday.

However, Tippett said the copycats should not be underestimated.

The latest copycat virus comes via e-mail with "fwd:joke" on the subject line and an attachment "very funny.vbs." The copycat first appeared Thursday afternoon. It is believed to have been re-sent from the earlier "ILOVEYOU" virus, rather than that virus having been written to rename itself.

Tippett urges computer users and companies to block all e-mails that have attachments as a precaution, or if they can, simply block attachments with .vbs files.

"Quarantine or block anything coming into your organization with an attachment," he said.

Experts estimated that 60 percent to 80 percent of U.S. companies were infected by the "ILOVEYOU" virus. Additionally, several U.S. government agencies and the Senate were hit, as well as more than 100,000 servers in Europe.

FBI on trail of virus author

The "ILOVEYOU" virus was first reported in Hong Kong and spread gradually west as Thursday dawned, infecting government and business computers. Anti-virus companies in the United States fielded thousands of calls from corporate customers reporting widespread infections.

Several anti-virus companies have developed "virus definition" files for the "ILOVEYOU" virus, which is currently known to spread through the Microsoft Outlook e-mail program and through a popular Internet Relay Chat program. Those files have so-called "fingerprints" for the virus, allowing those programs to detect and eliminate it.

The malicious code is a hybrid virus and worm. Like the Melissa and Explore.Zip worms, it propagates itself through networks -- in this case, e-mail. But unlike those two, it also destroys and replicates itself by manipulating files, in this case JPEG and MP3 files on a user's hard drive, like a traditional virus.

"This is fairly big time," Tippett said of the "ILOVEYOU" virus.

The FBI has begun investigating the "ILOVEYOU" virus. Officials at the National Infrastructure Protection Center were meeting Thursday to discuss the attack's impact.

Two clues within the virus code indicate that it may have originated in the Philippines. The beginning of the virus code states, in comments, the alias "spyder," and contains an anonymous e-mail address and a company name. It is also signed "Manila, Philippines," and with the comment, "i hate go to school."

Additionally, the virus tries to set the user's Internet Explorer start page to a Web site registered in Quezon, Philippines. It attempts to trigger a program called "WIN-BUGSFIX.exe" on one of four user accounts through the same site. The site belongs to one of the largest Internet Service Providers in the Philippines.

'LOVE' already costing much

Tippett estimated $100 million in software damage and lost commerce had been caused by 9 a.m. Thursday in North America alone and predicted the price tag would exceed $1 billion by Monday morning.

ICSA.net has 200,000 clients, among them financial institutions, government agencies and corporations, Tippett said. The Department of Justice used the company's estimates for damage caused by last year's Melissa virus, he said.

"This beats Melissa hands down," Tippett said.

According to ICSA.net, the Melissa virus infected 20 percent of North American companies' computer systems. "We anticipate this'll exceed 50 percent of North American companies by Monday," Tippett said.

Senate has no love for 'LOVE'

The "ILOVEYOU" virus is "widespread" at the U.S. Senate computer system, according to Elizabeth McAlhany of the Senate Sergeant At Arms office. Every Senate office has been paged to alert them to the virus. The Senate's internal e-mail system was shut down.

Effects were minimal at the U.S. House of Representatives, although "hundreds of thousands" of copies of the virus were deleted, according to the Committee on House Administration, which is overseeing the defense efforts.

"By all looks, it doesn't appear to be too bad," committee spokesman Jason Poblete told CNN. "No one knew it was coming. But we won't know about permanent technical damage until it's over," he said. The House e-mail system is still operating, Poblete said.

The White House and federal agencies reported minimal effects.

Britain's House of Commons was also hobbled by the virus. "I have to tell you that, sadly, this affectionate greeting contains a virus which has immobilized the House's internal communication system," said House leader Margaret Beckett.

In Hong Kong the "ILOVEYOU" virus appeared late in the afternoon, and is reported to have hit public relations firms and investment firms particularly hard. Dow Jones Newswires and the Asian Wall Street Journal were among the victims.

In Europe, the "ILOVEYOU" virus reached European parliaments, big companies and financial traders early Thursday. Officials at the Norwegian anti-virus company Norman said they first heard of the virus around 10 p.m. Central Europe Time (CET) Wednesday.

"The virus first showed up on my desk one hour ago," virus analyst Snorre Fagerland at Norman told CNN Norway. "Usually we get a few days' notice until the virus reaches us, thus this virus seems to be very aggressive."

In Denmark, the TV2 channel, the telecom company Tele Danmark and the Danish parliament were all victims.

"More than 100,000 mail servers in Europe have been taken down or stuck out by the virus," virus specialist Stein Mollerhaug in Compaq Norway told CNN Norway. "And the servers with anti-virus programs have huge problems. Millions of people are trying to get the latest anti-virus programs," he says.

Compaq first noticed the "ILOVEYOU" virus Thursday at 7:30 a.m. CET. "One of our employees then received the virus from one of our partners in Malaysia. We knew we had a problem when he received 200 more copies of the same mail within minutes," Mollerhaug said.

Mollerhaug fears copycats will start a new wave of the virus in Asia and Europe.

History nearly lost

The Norwegian photo agency ScanPix lost some 4,500 photos. Had the "ILOVEYOU" virus struck three days earlier, photos from the Norwegian war archives would have been lost.

"Between 6,000 and 6,500 photos were deleted by the virus, and we only managed to rescue 1,500 of them. The rest seem to be lost," ScanPix managing editor Tore Sannum told CNN Norway.

The agency has between 700,000 and 800,000 photos in their archives, but good backup routines saved most of the photos. The deleted photos were in a transit database for the latest incoming photos to the agency.

The war archive was gathered by Norway's exile government in London during World War II. ScanPix has been working on the archive -- which is a part of the Norwegian national archives -- for more than two years.

"Just a few days ago, we burnt the latest photos from this archive on CDs. Otherwise, they would have been lost forever," Sannum said.

Among the deleted photos, Sannum feared wedding photos from Norway's native Lapp population might be lost. One of the agency's photographers had been working with the photos for several weeks.

"She took some fantastic photos," Sannum said. "Now I fear they might be gone. We are trying to reach her to see if she had any copies."

How it works

Security experts at F-Secure have analyzed the "ILOVEYOU" virus thoroughly. Users usually get an e-mail, sometimes from someone they know, asking them to check the attached "Love Letter." That file is a VisualBasic script, which contains the virus payload. As long as the user deletes the e-mail without opening the attachment, their computer is safe from harm.

Once a computer is infected, the virus transmits itself through e-mail using Outlook's address book.

"What makes this virus so much more aggressive than Melissa is that this virus sends copies to all the addresses, whilst Melissa only sent copies to the first 50 addresses," Fagerland said.

The virus can also travel through the Internet Relay Chat client mIRC, according to F-Secure, which has analyzed the malicious code.

Unlike the "Melissa" virus, which traveled in a similar fashion, "ILOVEYOU," also known as the Love Letter worm, is more destructive. First, it copies itself to two critical system directories and adds triggers in the Windows registry. This ensures that it's running every time the computer reboots.

The virus then starts affecting data files. Files associated with Web development, including ".js" and ".css" files, will be overwritten with a file in the VisualBasic programming language. The original file is deleted. It also goes after multimedia files, affecting JPEGs and MP3s. Again, it deletes the original file and overwrites it with a VisualBasic file with a similar name.

'It's very clever'

Since it affects popular file types, there is a chance that re-infection could occur by overlooking those replaced files.

"If you don't do a full scan," said Carey Nachenberg, chief researcher at the Symantec Anti-Virus Research Center, "you'll click on one of those things, and whammo! You'll infect everybody again. It's very clever."

Nachenberg called the "ILOVEYOU" virus a "corporate-flavored" worm, because it affects scripting files common to company networks.

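The replaced files described above are what a clean-up sweep has to find before anyone clicks on them. The following is an added example, not code from CNN, F-Secure or Symantec: it walks a directory tree, flags .vbs files that keep a targeted extension in their name, and groups byte-identical .vbs files. The double-extension naming, the min_copies threshold and the sample tree are assumptions; the article says only "a similar name."

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions the article names as targets (.js, .css, JPEG, MP3).
TARGET_EXTS = {".js", ".css", ".jpg", ".jpeg", ".mp3"}

def scan_for_replacements(root, min_copies=3):
    """Return (double_ext, clones) for the .vbs files under root.
    double_ext: names that keep a targeted extension, e.g. x.jpg.vbs (assumed).
    clones: groups of >= min_copies byte-identical .vbs files."""
    double_ext, by_hash = [], defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            if ext != ".vbs":
                continue
            path = os.path.join(dirpath, name)
            if os.path.splitext(stem)[1] in TARGET_EXTS:
                double_ext.append(path)
            with open(path, "rb") as fh:
                by_hash[hashlib.sha256(fh.read()).hexdigest()].append(path)
    clones = [sorted(p) for p in by_hash.values() if len(p) >= min_copies]
    return sorted(double_ext), clones

def build_sample_tree(root):
    """Constructed sample: harmless text stands in for the script body."""
    body = b"' constructed placeholder, not real script code\n"
    layout = {
        "photos/holiday.jpg.vbs": body,
        "music/track01.mp3.vbs": body,
        "site/menu.vbs": body,              # was menu.js in this scenario
        "tools/backup.vbs": b"' an unrelated admin script\n",
        "photos/family.jpg": b"\xff\xd8\xff\xe0 fake jpeg bytes",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_for_replacements(tmp))
```

A hit is a lead for inspection rather than a verdict, since legitimate administrative scripts also end in .vbs; the identical-content grouping is what separates one script copied over many files from ordinary scripts.
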
The virus also only affects Windows 98 and NT operating systems. Windows 95 users are susceptible if Windows Scripting Host is installed. Researchers are also checking whether it affects Outlook Express, the consumer version of Microsoft Outlook, to see how vulnerable end users could be.

Richard M. Smith, the Internet consultant who tracked down the author of the "Melissa" virus, said the best hope in tracking down the "ILOVEYOU" author is through the e-mail address left on the virus code.

"Even if the person gave false information, if (the free, Web-based mail company) recorded the IP address, then they'd know if it came from the Philippines," he said.

Smith also predicts some copycats, since the virus code is so easily found and manipulated.

A spokesperson for the mail company, Mail.com, refused to divulge account information, or even whether the account ever existed.

"We have investigated the matter thoroughly, and we have determined that there's no evidence that the virus originated from any of Mail.com's e-mail accounts," company spokesperson Kathy Holms Robb said. Robb would not comment on whether the company was working with the FBI.

Taking a lighter view of the "ILOVEYOU" virus, British Commons leader Beckett said she did not know whether to be "sorry or pleased that as far as I'm aware, I have not received an e-mail saying 'I love you.'"

Technology Editor D. Ian Hopper, Morton Overbye of CNN Norway, CNN producer Ted Barrett and Congressional Correspondent Frank Black contributed to this report.

RELATED STORIES:
Government computers: The ultimate hackers' proving ground

RELATED SITES:
F-Secure Web - Main index

© 2001 Cable News Network. All Rights Reserved.