"Love Bug" virus continues to wreak havoc

A new Internet "worm" that spreads via an e-mail message purporting to be a love letter is wreaking havoc around the globe today.

Hundreds of thousands of computers are already estimated to be hit by the "ILOVEYOU" worm — a Visual Basic software script that was first detected last night and has been more in evidence today as it began its global sweep.

Sites throughout the world — first in Asia, followed by Europe and the U.S. — have reported being infected by the virus, which is particularly troublesome. Unlike the notorious Melissa virus, which attached itself to the first 50 e-mail addresses in address books, the "ILOVEYOU" worm attaches itself to the entire address book, said Narender Mangalam, director of security at software vendor Computer Associates International Inc. in Islandia, N.Y.

Besides affecting companies, the worm also struck the two houses of the British Parliament. Both the House of Commons and House of Lords were hit, leading to a shutdown of e-mail that lasted a couple of hours.

"The message was noticed before lunch," said Muir Morton, the deputy sergeant at arms for the House of Commons in London. "It was a message sending love to you, which is the sort of message a lot of us here don't expect to be receiving."

The Visual Basic script worm arrives in an e-mail message with the subject "ILOVEYOU" and carries an attached file titled "LOVE-LETTER-FOR-YOU.TXT.vbs" and a text message that asks the recipient to "kindly check the attached LOVELETTER coming from me."

The worm only infects only computers that have Visual Basic, which is included with Windows 2000.

Users are advised to immediately delete the message and the attached file, "even if it's from your spouse," Mangalam said. He further advised that computer users immediately update their antivirus software. Upgrades are available at the Internet sites of various antivirus vendors.

If opened, the worm inserts the following files: MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows system directory, Win32DLL.vbs in the Windows directory, WinFAT32.EXE and WIN-BUGSFIX.EXE in the Internet download directory and script.ini in the mIRC directory.

The worm is particularly adept at hiding itself, "so you can't really tell where it's going," Mangalam said.

When it first was detected, the worm also would go out to four different Internet sites and pull software from those to download to infected computers, allowing hackers to possibly break into those computers, Mangalam said. But those Internet sites have been shut down, Mangalam added.

One of the companies hit by the worm was Adaco AB, a Stockholm-based food wholesaler with approximately 120 users.

"We were hit at around 2 p.m., but were quite lucky — only three of our users got infected," said Conny Bjýrling, IT manager at Adaco. Bjýrling immediately isolated the worm's code, which he said consists of around nine A4-sized pages of Visual Basic script and carries the signature of a Manila, Philippines-based hacker calling himself "Spyder."

"Although it is too early to say how serious a problem this really is, it certainly spreads like wildfire," Bjorling said. Within five minutes, the worm had infected around 800 files at Adaco, including some register and system files, he added.

The worm seems to have originated in the Philippines, agreed F-Secure Corp., an antivirus software vendor in Espoo, Finland.

(Additional reporting by Laura Rohde in London, Terho Uimonen in Stockholm and Margret Johnston in Washington, D.C.)

Related:

Copyright © 2000 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon