NEWSFLASH
LOVE LETTER VIRUS - A SIMPLE PROGRAM THAT ROCKS THE WORLD
(An in-depth report by Rey Q. Carolino, PHNO Technology writer)
CyberSpace, May 8, 2000 - Computer programmers around the world who have seen the source code of the LoveLetter virus agree that it is such a simple program that even a 12-year-old with Visual Basic Scripting (VBS) knowledge could assemble it in a few hours. The virus runs to just over 300 lines of VBS code, yet it proved to be a nightmare for many network administrators around the world within the first 24 hours of its attack.
Ironically, its simplicity probably contributed to its widespread distribution over the Net. Because of its brevity, the virus's source code was easily passed on to other people through various Internet mailing lists and newsgroups and was quickly dissected and analyzed by copycat virus programmers. The first variant appeared in less than 24 hours. As of May 7, leading anti-virus software maker Symantec had identified 12 variants of the LoveLetter virus (see the list at the bottom).
Who actually wrote the virus is still undetermined at this time. Some reports point to a Filipina hacker; others point to a 27-year-old man who uses the online handle "Spyder"; one report said the suspect is a 23-year-old man from the Pandacan neighborhood in Manila; another lead points to a 22-year-old student; and a prominent virus researcher concluded that the culprit is a German exchange student living in Australia.
Microsoft is the villain
Whoever wrote the virus seems irrelevant to many people, who feel that the real villain in this worldwide drama is Microsoft. Microsoft took much of the heat because only systems running Microsoft's Windows Scripting Host (WSH) are vulnerable to the virus. Some computer experts say this is a wake-up call for Microsoft to improve the security of its operating system software and of the very popular Microsoft Outlook e-mail program.
Computers running other operating systems, such as Linux and the Macintosh, were not affected by the LoveLetter virus, and interest in non-Microsoft mail programs, such as Eudora and Pegasus Mail, has increased since the virus was discovered on May 4. [The first UNIX variant of the virus was reported today by Norman, a firm dealing with data security (see http://www.norman.com/virus_info/vbs_loveletter.shtml).]
Leo Wong wrote in the alt.comp.virus newsgroup:
"That Microsoft fails to provide anything but a useless general warning in even the easiest cases (as with the "LoveBug" script) and fails to protect the user's system and resources shows its disdain for computer security and borders on negligence."
More than one culprit?
It is quite likely that more than one person was involved in the spread of the LoveLetter virus, because the virus has two main elements, and each could have a different mastermind.
The first element is the LoveLetter virus program itself, which can be passed on to computer systems through the opening of an e-mail attachment, through a one-on-one Internet Relay Chat session, or through the sharing of infected files with another system. The damage done by this part of the virus is the deletion of some files in the system (notably JPEG graphics and MP2 and MP3 multimedia files).
There is, however, a second element of the virus that could have given the author of the virus (and subsequent copycat writers) access to confidential password information from the infected system. This is done by using a password-stealer program that could have been created by a person who is not necessarily the author of the LoveLetter virus program. The program (called Win-Bugsfix.exe) was set to be downloaded from four different websites hosted by Sky Internet, an Internet Service Provider based in the Philippines.
Jimmy Kuo, director of anti-virus research for McAfee, reported that this program resembles a "Trojan Horse" program named "Barok", which steals computer passwords and was written by a man in the Philippines last year. Once this program is transferred to the infected system, it looks for password information that the user of that system has stored on it. For example, if you choose to save your password when you log on to your Internet account, or if you enter a website that requires a password and instruct your browser to remember it, those passwords are saved somewhere on your system, and those are the files the password-stealer program hunts for. If it finds them, they are e-mailed to an account (probably belonging to the virus creator) hosted by Super.Net, a service provider in Manila and Cebu City in the Philippines that sells prepaid internet access cards. What the virus creators would do with those passwords is now pure speculation, because this part of the virus did not get very far.
Sky Internet was alerted a few hours after the LoveLetter virus was first spotted on the loose, and it was quick to shut down the sites from which the password-stealer program was being downloaded. Most of the people infected by the virus after Sky Internet had closed those sites were greeted instead by a notice from Sky Internet that their system had been infected by the LoveLetter virus. That did not last very long either, as Sky Internet was forced to shut down its servers completely several hours after the attack because of the heavy load the virus had put on them.
With the source of the password-stealer program deactivated, the virus was unable to steal the passwords of infected users as planned. And because the files deleted by the virus are not really significant, the damage done by this virus is restricted mainly to the man-hours lost in containing the virus and repairing its damage, as well as users' inability to access their systems until proper safeguards had been implemented.
Sky Internet claimed that the accounts from which the password-stealer was being downloaded were hacked by someone belonging to another Internet Service Provider in the Philippines, ImpactNet. Rodney Banzon Consunji, Director of Business Development of ImpactNet, sent an e-mail to their subscribers explaining that the hacker responsible for planting the password-stealer program at Sky Internet used a valid ImpactNet account belonging to an innocent subscriber whose computer had probably been hacked through the use of this very password-stealer program.
"Hacking Internet accounts is very common here in the Philippines," Consunji wrote. "We need to educate all Philippine Internet users about the reality of Viruses and Hacking. As what we have seen, these hackers and viruses can wreak havoc globally in a small span of time. We encourage clients of all ISPs to ensure the security of their PCs by installing any known anti-virus and anti-trojan software."
Not just Outlook
Because the virus propagates via e-mail using Microsoft Outlook as the mailer program, some people have the misconception that if they are not using Microsoft Outlook they will not catch the virus. The truth is that you can still catch the virus even if you are not using Microsoft Outlook, as long as your system has the Windows Scripting Host (WSH) installed. You will not, however, be able to pass the virus around by e-mail if you do not use Outlook. By default, WSH is installed on Windows 98 and Windows 2000. It is not installed on Windows 95 and Windows NT 4 systems unless Internet Explorer version 5 has been installed.
Some news sources reported that the LoveLetter virus can be activated simply by reading the e-mail, without opening the attachment. But while there are other VBS viruses that can be activated simply by opening the e-mail (such as BubbleBoy and KakWorm), most virus experts who have seen the LoveLetter source code say that the LoveLetter virus can only be activated if the e-mail attachment is opened.
To protect your system from the LoveLetter Virus
The CERT Advisory offers the following solutions to prevent the LoveLetter virus from infecting your system (http://www.cert.org/advisories/CA-2000-04.html):
1. Update Your Anti-Virus Product
It is important for users to update their anti-virus software. Some anti-virus software vendors have released updated information, tools, or virus databases to help prevent and combat this worm. A list of vendor-specific anti-virus information can be found in Appendix A (listed below).
2. Disable Windows Scripting Host
Because the worm is written in VBS, it requires the Windows Scripting Host (WSH) to run. Disabling WSH prevents the worm from executing. For information about disabling WSH, see: http://www.sophos.com/support/faqs/wsh.html
This change may disable functionality the user desires. Exercise caution when implementing this solution.
3. Disable Active Scripting in Internet Explorer
Information about disabling active scripting in Internet Explorer can be found at: http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps
This change may disable functionality the user desires. Exercise caution when implementing this solution.
4. Disable Auto-DCC Reception in IRC Clients
Users of Internet Relay Chat (IRC) programs should disable automatic reception of files offered to them via DCC.
5. Filter the Worm in E-Mail
Sites can use e-mail filtering techniques to delete messages containing subject lines known to carry the worm. The advisory at
http://www.cert.org/advisories/CA-2000-04.html
offers some examples of how this can be implemented for sites running UNIX.
6. Exercise Caution When Opening Attachments
Exercise caution with attachments in email. Users should disable auto-opening or previewing of email attachments in their mail programs. Users should never open attachments from an untrusted origin, or that appear suspicious in any way.
Appendix A. Anti-Virus Vendor Information
Aladdin Knowledge Systems
http://www.aks.com/home/csrt/valerts.asp
Command Software Systems, Inc.
http://www.command.co.uk/html/virus/love.html
http://www.commandcom.com/virus/love.html
Computer Associates
http://www.ca.com/virusinfo/virusalert.htm
F-Secure
http://www.f-secure.com/download-purchase/updates.html
Finjan Software, Ltd.
http://www.finjan.com/attack_release_detail.cfm?attack_release_id=34
McAfee / Network Associates
http://vil.nai.com/villib/dispVirus.asp?virus_k=98617
http://www.cert.org/advisories/CA-2000-04/nai.dat
Proland Software
http://www.pspl.com/virus_info/worms/loveletter.htm
Sophos
http://www.sophos.com/virusinfo/analyses/vbsloveleta.html
http://www.sophos.com/virusinfo/analyses/trojloveleta.html
Symantec
http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
Trend Micro
http://www.antivirus.com/vinfo
E-Mail Attachment Security Updates
Microsoft is strongly suggesting that the E-Mail Attachment Security Updates of the following Microsoft products be installed:
1. Outlook 97
http://officeupdate.microsoft.com/downloadDetails/O97attch.htm
2. Outlook 98
http://officeupdate.microsoft.com/downloadDetails/O98attch.htm
3. Outlook 2000
http://officeupdate.microsoft.com/2000/downloadDetails/O2Kattch.htm
According to Microsoft, the above updates make it more difficult to inadvertently launch attachments. They provide a more explicit warning dialogue and prevent attached executables from being launched directly from e-mails; instead, they must be saved to disk and launched as a separate step. The update is also included as part of Office 2000 SR1.
If you are already infected:
If your system is already infected by the LoveLetter virus, you will find plenty of help on the web for cleaning it. Be aware, however, that some of the LoveLetter cleaners being offered for free may have been developed for a system different from yours and might cause problems if run. A good place to find the right cleaner for your system is the alt.comp.virus newsgroup, which can be accessed at DEJA.COM (http://www.deja.com/).
The following links (not tested and verified by the author) provide free cleanup utility programs to remove the virus from your system:
http://www.rassoft.com/needafix/faq.html
http://www.isds.dk/fixlovebug.htm
http://www.wapydo.com/loveletter.htm
http://johncpratt.homepage.com/iloveyoucleaner.htm
http://www.symantec.com/avcenter/venc/data/fix.vbs.loveletter.html
For users of the Microsoft Exchange Server, Microsoft Product Support Services is offering a new utility called ISSCAN to remove the Love Letter virus and repair both the private and public information store. Refer to: http://support.microsoft.com/support/exchange/love_letter.htm.
All the programs above will remove the virus from your system, but they will not recover the files the virus deleted. If you need to recover those files, Ontrack has developed a USD 50 Easy Recovery utility that will help you recover the JPEG, JPG, MP3 and MP2 files on Win95, Win98 and WinNT systems that the LoveLetter virus deletes. It can be downloaded at: http://www.ontrack.com/easyrecovery/worm.asp
List of known LoveLetter variants as of May 7, 2000, from the Symantec website (http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html)
1. VBS.LoveLetter.A
Norton AntiVirus detects as: VBS.LoveLetter.A(1)
ATTACHMENT: LOVE-LETTER-FOR-YOU.TXT.vbs
SUBJECT LINE: ILOVEYOU
MESSAGE BODY: kindly check the attached LOVELETTER coming from me.
2. VBS.LoveLetter.B (also known as Lithuania)
Norton AntiVirus detects as: VBS.LoveLetter.B(1)
ATTACHMENT: same as A
SUBJECT LINE: Susitikim shi vakara kavos puodukui...
MESSAGE BODY: same as A
3. VBS.LoveLetter.C (also known as Very Funny)
Norton AntiVirus detects as: VBS.LoveLetter.C(1)
ATTACHMENT: Very Funny.vbs
SUBJECT LINE: fwd: Joke
MESSAGE BODY: empty
4. VBS.LoveLetter.D (also known as BugFix)
Norton AntiVirus detects as: VBS.LoveLetter.A(1)
ATTACHMENT: same as A
SUBJECT LINE: same as A
MESSAGE BODY: same as A
MISC. NOTES: registry entry: WIN- -BUGSFIX.exe instead of WIN-BUGSFIX.exe
5. VBS.LoveLetter.E (also known as Mother's Day)
Norton AntiVirus detects as: VBS.LoveLetter.Variant.E
ATTACHMENT: mothersday.vbs
SUBJECT LINE: Mothers Day Order Confirmation
MESSAGE BODY: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place.Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com
MISC. NOTES: mothersday.HTM sent in IRC, & comment: rem hackers.com, & start up page to hackes.com, l0pht.com, or 2600.com
6. VBS.LoveLetter.F (also known as Virus Warning)
Norton AntiVirus detects as: VBS.LoveLetter.Variant.F
ATTACHMENT: virus_warning.jpg.vbs
SUBJECT LINE: Dangerous Virus Warning
MESSAGE BODY: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.
MISC. NOTES: Urgent_virus_warning.htm
7. VBS.LoveLetter.G (also known as Virus ALERT!!!)
Norton AntiVirus detects as: VBS.LoveLetter.Variant or VBS.LoveLetter.G
ATTACHMENT: protect.vbs
SUBJECT LINE: Virus ALERT!!!
MESSAGE BODY: a long message regarding VBS.LoveLetter.A
MISC. NOTES: FROM support@symantec.com. This variant also overwrites files with .bat and .com extensions.
8. VBS.LoveLetter.H (also known as No Comments)
Norton AntiVirus detects as: VBS.LoveLetter.A
ATTACHMENT: same as A
SUBJECT LINE: same as A
MESSAGE BODY: same as A
MISC. NOTES: the comment lines at the beginning of the worm code have been removed.
9. VBS.LoveLetter.I (also known as Important! Read carefully!!)
Norton AntiVirus detects as: VBS.LoveLetter.Variant
ATTACHMENT: Important.TXT.vbs
SUBJECT LINE: Important! Read carefully!!
MESSAGE BODY: Check the attached IMPORTANT coming from me!
MISC. NOTES: new comment line at the beginning: by: BrainStorm / @ElectronicSouls. It also copies the files ESKernel32.vbs & ES32DLL.vbs, and MIRC script comments referring to BrainStorm and ElectronicSouls and sends IMPORTANT.HTM to the chat room.
10. VBS.LoveLetter.J
Norton AntiVirus detects as: under investigation
MISC. NOTES: This appears to be a slight modification of the G variant.
11. VBS.LoveLetter.K
Norton AntiVirus detects as: under investigation
12. VBS.LoveLetter.L (I Cant Believe This!!!)
Norton AntiVirus detects as: VBS.LoveLetter.Variant
ATTACHMENT: KillEmAll.TXT.VBS
SUBJECT LINE: I Cant Believe This!!!
MESSAGE BODY: I Cant Believe I have Just Recieved This Hate Email .. Take A Look!
MISC. NOTES: comment has phrase/words: Killer, by MePhiston, replaces GIF & BMP instead of JPG & JPEG, hides WAV & MID instead of MP3 & MP2. NO IRC routine, therefore it will not infect chat room users. Copies KILER.HTM, KILLER2.VBS, KILLER1.VBS to the hard disk.
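As an added illustration of CERT's step 5 (filtering the worm in e-mail) applied to the indicators in the Symantec variant list above, and not code from the article, CERT or Symantec, the following Python filter parses a raw message, matches the subject lines and attachment names listed for the twelve variants, and also flags the double-extension trick (a .TXT or .jpg name that actually ends in .vbs) so that renamed copies are caught as well. The sample messages are constructed; the sender address, recipient address and attachment body are placeholders.

```python
import re
from email import message_from_string
from email.policy import default

# Indicators transcribed from the article's Symantec variant list (subject lines and
# attachment names); attachment names are compared case-insensitively.
KNOWN_SUBJECTS = {
    "ILOVEYOU", "Susitikim shi vakara kavos puodukui...", "fwd: Joke",
    "Mothers Day Order Confirmation", "Dangerous Virus Warning", "Virus ALERT!!!",
    "Important! Read carefully!!", "I Cant Believe This!!!",
}
KNOWN_ATTACHMENTS = {
    "love-letter-for-you.txt.vbs", "very funny.vbs", "mothersday.vbs",
    "virus_warning.jpg.vbs", "protect.vbs", "important.txt.vbs", "killemall.txt.vbs",
}
# Generalisation beyond the list: a harmless-looking extension followed by .vbs, the
# double-extension trick most variants above use so the attachment looks like text or a picture.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.vbs$", re.IGNORECASE)

def classify_message(raw: str) -> list:
    """Return the reasons a raw RFC 822 message matches LoveLetter indicators (empty = no match)."""
    msg = message_from_string(raw, policy=default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"known subject line: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() in KNOWN_ATTACHMENTS:
            reasons.append(f"known attachment name: {name!r}")
        elif DOUBLE_EXT.search(name):
            reasons.append(f"double-extension script attachment: {name!r}")
    return reasons

def build_sample(subject: str, filename: str) -> str:
    """Constructed test message in the shape of the worm mail; addresses and attachment body are placeholders."""
    return (
        "From: sender@example.com\nTo: you@example.com\n"
        f"Subject: {subject}\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nmessage text\n"
        f'--b1\nContent-Type: application/octet-stream; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        "placeholder attachment body\n--b1--\n"
    )

if __name__ == "__main__":
    print(classify_message(build_sample("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs")))
    print(classify_message(build_sample("Look at this photo", "photo.jpg.vbs")))
```

A mail gateway would reject or quarantine any message for which the returned list is non-empty; the double-extension rule is what catches a variant whose subject and file name are not yet on the list.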
[ABOUT THE AUTHOR: Rey Carolino is a computer consultant from MSCM.CA TECHNOLOGIES INC., an IT Consulting firm based in Toronto, Ontario, Canada. He can be reached by e-mail at: rcarolino@mscm.ca].
© Copyright 2000 by PHILIPPINE HEADLINE NEWS ONLINE. All rights reserved.