Skip to main content
ad info

 
CNN.com technology > computing
    Editions | myCNN | Video | Audio | Headline News Brief | Feedback  

 

  Search
 
 

 
TECHNOLOGY
TOP STORIES

Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent

(MORE)

TOP STORIES

More than 11,000 killed in India quake

Mideast negotiators want to continue talks after Israeli elections

(MORE)

MARKETS
4:30pm ET, 4/16
144.70
8257.60
3.71
1394.72
10.90
879.91
 


WORLD

U.S.

POLITICS

LAW

ENTERTAINMENT

HEALTH

TRAVEL

FOOD

ARTS & STYLE



(MORE HEADLINES)
*
 
CNN Websites
Networks image


New computer virus more destructive, but appears less infectious

graphic

May 19, 2000
Web posted at: 11:10 p.m. EDT (0310 GMT)

(CNN) -- While a new and potentially more destructive computer virus uses the same replication scheme as the "ILOVEYOU" virus, the new bug's ambitious destruction program may curb its spread and eventually cause it to fizz out on its own, according to one computer expert.

Mikko Hypponen, director of virus research at anti-virus company F-Secure in Finland, said that while this virus -- dubbed "NewLove" -- can make a computer unbootable, it is not nearly as stealthy as "ILOVEYOU." The new computer worm is much less widespread than previous outbreaks and has built-in problems that will eventually make the virus expire on its own. A worm is a virus that is self-replicating.

  ALSO
 
  MESSAGE BOARD
  •  Insurgency
  •  Managing the net
  •  Internet society
 

"Unlike the original 'ILOVEYOU' virus, this one appears to have started, at least in significant part, in the United States rather than spreading from Asia to Europe to the United States," said Michael Vatis of the FBI's National Infrastructure Protection Center.

U.S. federal sources said they would not rule out that the same people involved in launching the "ILOVEYOU" virus a few weeks ago may have been involved in this one.

Officials said apparently no U.S. government computers have been affected. Warnings were disseminated before the start of business Friday. "Hopefully, that will minimize the effects," said one federal government source.. "But it's too early to say what the impact has been or will be."

Despite its name, "NewLove" is not very similar to "ILOVEYOU," also known as Love Letter or Love Bug. The two are written in the same computer language, and Hypponen said the e-mail replication loop -- how the virus sends itself out to everyone in the user's Outlook address book -- is the same. Despite that, they are two different viruses.

"Otherwise, it's totally new code. But there's a common idea," Hypponen said.

Like the Love Letter virus, it only affects users of the Microsoft Windows 98 or 2000 operating systems, or Windows 95 users also running Internet Explorer 5.0. The virus also needs Microsoft's Outlook mail program to proliferate. The consumer version, Outlook Express, is not affected.

Rather than the same subject line each time, "NewLove" is polymorphic. Each time, it takes the name of a recently accessed file on the user's machine and uses that name, along with "FW:". This can work much better than "ILOVEYOU," because users can't be on the lookout for a specific subject line. Instead, the subject line may be a file name that is trusted -- especially among co-workers.

"It's really quite clever," Hypponen said. "It uses realistic file names and sends those to people you know. It's social engineering, just like we saw with Love Letter."

After replicating itself, the virus begins obliterating files. While Love Letter destroyed only JPEG image files, NewLove targets every single file on a user's hard drive. The worm will go through all local drives and all subdirectories. For each file, the worm creates a new file using the same name with the additional extension ".vbs" and deletes the original file. The new file is empty, effectively destroying all data on the machine. Then it does the same to networked hard drives, common in a company atmosphere.

The virus only does this to files for which the user has "write" permission, and files that are not currently in use. Still, it immediately makes the computer crash and become unbootable.

As frightening as that may be for users, it is also NewLove's downfall, Hypponen said.

"It's too destructive to become widespread," he said. "When you get hit by Love Letter, you may not notice it. The next time you hear about it is when someone calls you up and complains. But with NewLove, you open the attachment and immediately your machine crashes and won't boot again.

"It's never going to go around like Love Letter," he said, "because it's so obvious."

After being urged for more than one year to make Outlook less risky, the company is expected to offer a software patch next week.

"They've really done a 180 on this," said Chris Le Tocq of the Gartner Group. "The new fix that they have in Beta right now for Outlook completely removes programmability except as manually authorized in each case by the user.

"And this will break, frankly, a large number of corporate applications, but for the general user this is the right thing to do," he added.

Another quirk in the code can also limit how far NewLove gets around. Each time the virus replicates, it adds junk lines to its code. This, Hypponen said, is to keep the file size changing and make it more difficult to detect. However, NewLove only keeps adding junk lines to itself; it never takes them away. So every time it replicates, it grows.

Once the file size gets huge, slowdown and company limits on attachment size would stop the virus in its tracks.

"Eventually, it'll become 10 megs, 100 megs, 1 gig," Hypponen said. "It'll kill itself off. It becomes too fat."

graphic
The 'NewLove' virus will obliterate files which have 'write' permission  

Hypponen's predictions have so far been borne out by the lack of infection reports.

"We haven't received a single direct report of being infected," he said. "We've received secondhand reports from partners in the industry, but the total (companies infected) are 10 or 11." Those reports have been in Israel, central Europe and the United States.

But at each company, many computers could be affected and all data lost. At one firm, 5,000 computers were infected, according to Dave Perry, a spokesman at the anti-virus software company Trend Micro Inc. in Cupertino, California.

But now, Trend Micro is downplaying the total outbreak, saying it's not nearly as bad as expectations.

"It has hit a handful of companies," said spokeswoman Kristin Zoega, "but it's definitely not as widespread as Love Letter was."

As of late Thursday night, another anti-virus company, Symantec, reported three to nine companies had been hit. This is not even a drop in the bucket compared to Love Letter, which crippled mail servers and destroyed image files at tens of thousands of networks around the world just several weeks ago.

Love Letter spawned at least 25 copycats with varying levels of destructiveness. Computer Economics, a Carlsbad, California-based research company, estimated that the virus and its variants caused $6.7 billion of damage.

Hypponen expects variants on this virus, too. "Perhaps one that won't increase its size so much," he predicts.

Existing anti-virus updates against Love Letter are unlikely to affect this new virus. Hypponen suggests instead that users uninstall Windows Scripting Host, the program that allows VisualBasic scripts to run. Hypponen has detailed instructions on how to do this on F-Secure's Web site.

He said that "99.5 percent of users have no need for Windows Scripting Host. But a whole bunch of virus writers use it. I rest my case."

CNN Interactive Technology Editor D. Ian Hopper, Technology Correspondent Rick Lockridge and CNNfn Correspondent Steve Young contributed to this report.



RELATED STORIES:
New strain of virus hits computer e-mail
May 19, 2000
Microsoft Outlook update impedes functionality, but enhances security
May 16, 2000
Investigator: Dropout may be admitting role in virus attack
May 12, 2000
Authorities seek to question pair in "Love Bug' attack
May 11, 2000
Hotmail, Yahoo scramble after email security flaws exposed
May 10, 2000
'Love bug' investigation turns to 2 computer school students in Philippines
May 10, 2000
Former computer student investigated in 'ILOVEYOU' attack
May 10, 2000

RELATED IDG.net STORIES:
New e-mail virus may hurt worse than 'Love'
May 12, 2000
New e-mail virus may hurt worse than 'Love'
May 12, 2000
Security experts say hackers have the edge
May 11, 2000
Techniques and tools of the hacker
May 10, 2000

RELATED SITES:
McAfee.com
  • Anti Virus - VBS/Newlove.a Help Center
ICSA.net
CERTĘ Coordination Center
  • CERT/CC Computer Virus Resources
F-Secure Web - Main index
   • Virus Info Center
BUGTRAQ: Introduction

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

 Search   

Back to the top  © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.