Virus posing as a "virus ALERT!!!

From: Grassroots Information Coordination Center (GICC

Link

NATIONAL NEWS

Love bug begets tribe of insidious offspring

By PAUL HEINRICHS and BRENDAN NICHOLSON Sunday 7 May 2000 The "ILOVEYOU" virus hit 45 million users and was estimated to cost $US1 billion in computer damage and downtime

Australian companies and governments will face another maximum-alert tomorrow morning to deal with variations of the rampant "love bug" e-mail virus that crippled world communications on Friday.

The flashpoint will occur when several million office workers decide whether to open e-mail that may contain as many as 10 variations of the "ILOVEYOU" virus that hit 45 million users and was estimated to cost $US1 billion in computer damage and downtime.

Top-secret installations at the Pentagon and the State Department came under attack from the variants, which include the so-called Mother's Day virus and even an insidiously deceptive virus posing as a "virus ALERT!!!" message from the Symantec AntiVirus Research Centre in the US.

Symantec is warning that the "alert" is not authorised, and that it deletes .bat and .com files. The "alert" should be deleted immediately.

According to Steve Gottwals, of the US group F-Secure, the Mother's Day virus is even more destructive than Friday's bug because it can corrupt .ini, or initialisation files, preventing a computer from rebooting or starting.

All Commonwealth Government departments have warned staff returning to work after the weekend to avoid opening suspect e-mails.

The spokeswoman for Canberra's troubleshooter on communications problems, Senator Ian Campbell, said everyone using public service computer systems would be greeted with a warning about the e-mails when they next logged on. Technical staff were reminded to ensure the latest anti-viral systems were installed.

A spokesman for Treasurer Peter Costello said he was confident that Treasury officials had safeguarded Tuesday's budget material.

Meanwhile, Philippine crime busters and Internet service providers say they have identified a 23-year-old man whom they suspect to be "spyder", author of the virus, which is believed to have originated in Manila.

Almer Mallari, an agent of the anti-fraud unit of the Philippine National Bureau of Investigation (NBI), said: "We have a suspect. We are working on the leads." Jose Carlotta, chief operating officer of Internet service provider Access Net Inc, was quoted in The Philippine Star newspaper saying that a comparison of notes by providers had reduced the suspects to a 23-year-old man living in the lower-middle-class district of Pandacan in Manila.

A message left by the virus had the words "Manila, Philippines" and "I hate to go to school" embedded, leading to speculation that the hacker was a schoolboy in the Philippines.

Access supplied spyder with the two e-mail addresses from which the virus originated.

Mr Carlotta said the person behind spyder had paid for one e-mail address with a pre-paid plastic card and acquired others by hacking, as Access had no current name and address.

Peter Tibbet, of icsa.net, in Virginia, which was used by the US Justice Department to quantify the damage caused by the similar, milder Melissa virus, said he believed the scale of losses would reach $1billion by Monday, by which time half of all US companies would be infected.

In Britain, the Consumers' Association said 30 to 50 per cent of UK businesses were affected.

The ingenuity of the virus was that it combined a simple, effective means of spreading itself and causing damage with a deft psychological trick - it came disguised as a love letter. When IT workers tried to open the letter by clicking on it, they launched the virus.

The virus spreads by mailing itself to every e-mail address in a recipient's notebook, it overwrites picture and music files and downloads another piece of software from one of four remote websites that reads a user's secret passwords and mails them to the virus author.

Those remote websites have now been shut down. But other websites can be substituted and a new version launched to scan more passwords. That is what happened yesterday, with at least three other versions of the ILOVEYOU virus emerging.

One, "Very Funny", masquerades as a joke. Another purports to be an e-mail about Mother's Day. A third is called "Susitikim", which means "let's meet" in Lithuanian.

Pierre Vandeveune, of the Belgian firm Datarescue, asked why it was that in Microsoft's e-mail application Outlook Express a single click by a naive user was all it took to launch an alien program that could mess up the entire computer.

"The problem with Microsoft is that all the pieces link together too well. The system works so well you don't think about it; you just click, and this virus can e-mail your password outside," said Mr Vandeveune. - With agencies and GUARDIAN

http://www.theage.com.au/news/20000507/A45890-2000May6.html

-- Martin Thompson (mthom1927@aol.com), May 06, 2000

Thanks Martin!!!

-- Flash (flash@flash.hq), May 07, 2000

Answers

Sorry, I hot-linked the wrong address.

Another try:

Link

-- Flash (flash@flash.hq), May 07, 2000.

Flash,

AS far as you know are all of these viruses Microsoft related? Any Mac strains loose?

-- capnfun (capnfun1@excite.com), May 07, 2000.

Cap,

So far, all of this recent stuff is Microsoft-related. They want to cause maximum damage with as little work as possible, so they usually concentrate on Windows stuff, especially OUTLOOK. That doesn't mean that the rest of us can afford to let our guard down, however. There don't seem to be near as many viruses that affect MAC's. I run Windows, but use old NETSCAPE 3.1 and EUDORA 4.0, so am less open to worms/trojans/viruses that target the state-of-the-art MS stuff. An updated virus-checker such as NORTON or MCAFEE is advisable. Just updated mine this morning.

-- Flash (flash@flash.hq), May 07, 2000.

Flash:

Since the worm (it's not really a virus) is written in VB scripting language, why couldn't it cause any problems for a Mac? It seems to me that VB script can be run as easily on a Mac as on a PC.

-- Jim Cooke (JJCooke@yahoo.com), May 07, 2000.

Jim,

Maybe you're right. I didn't think about that. I'll keep looking for more info.

-- Flash (flash@flash.hq), May 07, 2000.

VIRUS ALERT!

VBS/LoveLetter.worm is a dangerous VBScript worm, discovered 5/4/00.

**UPDATE**: 12:00 pm, 5/7/00 -- The number of variants continues to grow.

There are a growing number of variants of this worm being transmitted via email attachment. The most common are:

SUBJECT: "ILOVEYOU" MESSAGE: "kindly check the attached LOVELETTER coming from me." ATTACHMENT: "LOVE-LETTER-FOR-YOU.TXT.vbs"

SUBJECT: "Virus ALERT!!!" MESSAGE: A long message that pretends to be information from Symantec Corp. about VBS/LoveLetter.worm ATTACHMENT: "protect.vbs"

SUBJECT: "Dangerous Virus Warning" MESSAGE: "There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it." ATTACHMENT: "virus_warning.jpg.vbs"

SUBJECT: "Joke" MESSAGE: NONE ATTACHMENT: "VeryFunny.vbs"

SUBJECT: "Important ! Read carefully !!" MESSAGE: "Checked the attached IMPORTANT coming from me !" ATTACHMENT: "IMPORTANT.TXT.vbs"

SUBJECT: "Mothers Day Order Confirmation" MESSAGE: "We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place.Thanks Again and Have a Happy Mothers Day!" ATTACHMENT: " mothersday.vbs"

SUBJECT: "Susitikim shi vakara kavos puodukui..." MESSAGE: "kindly check the attached LOVELETTER coming from me." ATTACHMENT: "LOVE-LETTER-FOR-YOU.TXT.VBS"

This worm attempts to send copies of itself through mIRC to the IRC channels and through Outlook to all address book entries. It then attempts to overwrite several types of files, including .jpg and .mp3.

VBS/LoveLetter.worm also attempts to download and install an executable file that will email any cached passwords it finds to a predetermined address.

Link

-- Flash (flash@flash.hq), May 07, 2000.

In scope, impact and pervasiveness, this sounds worse than anything y2k ever did. Where are the dominoes? Imagine what we'd have been saying if we *knew* this was coming and how much damage it would cause. Sure glad I had my stockpile handy.

-- Flint (flintc@mindspring.com), May 07, 2000.

People using Eudora should add "vbs" to the parameter list specified for WarnLaunchExtensions in the previous post regarding Security Hole Found in Eudora.

Link

-- Flash (flash@flash.hq), May 07, 2000.

http://abcnews.go.com/sections/tech/DailyNews/virus_000507.html

Beware The Resumes New Version of ILOVEYOU Virus Takes Yet Another Name

By Maria F. Durand

May 8  Just when you thought it was safe to open your e-mail again, yet another version of the bitter Love Virus is making its way into in-boxes worldwide.

And, like earlier versions, the latest bugs are diabolically clever.

The newest virus appears to be a resume submitted from a German address.

We are still seeing new variants coming out today, said Narender Mangalam, of Compter Associates, a research firm in Carlsbad, Calif.

Recent variants include versions disguised as a cure for the very bug it conceals, and a receipt for a holiday gift purchase.

More

-- (new@news.now), May 08, 2000.

While it's true that Outlook/Outlook Express users are the only ones that will *spread* these virii, due to the fact that they exploit the Outlook address book structure; other users can still experience damage if they open the attachment they got from an Outlook user.

A corporate client's secretary, who uses Netscape Messenger, clicked on the attachment the other day, and it executed. While it didn't replicate and send itself to everybody in her address book, it did cause some inconveniences, such as wiping out her "pref.js" file, which saves Netscape preferences (e-mail server names, passwords, etc.). And wiped out all her .jpg's (they do a lot of digital photography, dealing with electronic devices they do repair work on.)

-- Chicken Little (panic@forthebirds.net), May 08, 2000.

This virus is very destructive. My computer at work was infected by this virus on Thursday. I didn't even try to open the attachment but tried to move the entire e-mail mesage to quaruntine in Norton's ( how stupid can you be, like I was going to study this and find a cure!). Anyway this triggered the virus and my at work "computer expert" and I screwed around all day Friday trying to clear it and assess the damage. By quitting time we had figured out that 5,680 files on my computer were trashed and were very grateful that i did not use outlook express or the entire network might have been infected. Tomorrow we (excuse me, he) will decide to wipe everything and try to do a backup restore or just delete the infected stuff and take my computer away from me. I just heard today that our local hospital was hit and have 180,000+ files infected.

Too bad Diane Squires wasn't with me to save my ass. She would have deleted on sight figuring the subject header meant that it had to be from a polly. Really it is enough to make you quite using e-mail. Or at least pay attention to what you are clicking.

-- Monkey Spanker (spanking@way.com), May 08, 2000.

""The problem with Microsoft is that all the pieces link together too well. The system works so well you don't think about it; you just click, and this virus can e-mail your password outside," said Mr Vandeveune. "

This Microsoft problem is addressed by Steve Gibson on his Shields UP! website. He gives a step by step instruction on how to set the only network bindings needed to access the internet. Microsoft has everything binded to everything else, thus causing such security problems as with this virus. I recommend you bookmark Steve Gibson's page and take the time to read and study it. One needs not be a PC guru to follow his recommendations and instructions.

-- (y@x.x), May 08, 2000.