Anatomy of the 'ILOVEYOU' virus

05/04/2000

By Doug Bedell / The Dallas Morning News

The "ILOVEYOU" virus that struck e-mail systems worldwide Thursday employs tactics similar to those used by the Melissa strain that infected more than 1.2 million computers across North America last year.

But the author of the new virus has added a twist by creating features that overwrite picture and music files.

"It's not pretty," said Ross Wilson, the Singapore-based Southeast Asia director of Symantec Corp., maker of anti-virus software. "It's got the capability of spreading very, very quickly."

Like Melissa, ILOVEYOU exploits Windows systems running the Microsoft Outlook e-mail program. Once a user opens the "Love-Letter-For-You.TXT.vbs" attachment, the virus uses address book entries to send out more infected files.

LoveLetter, first seen in the wild on May 4, stunned experts with the rapidity of its spread across the world Thursday morning.

Signs within the coding seem to indicate the virus originated in the Philippines, because the word "Manila" is included in the original e-mail. The original message comes from the e-mail address ispyder@mail.com. It also says, "I hate to go to school."

Antivirus experts say "Spyder" had been especially cunning in baiting his e-mails with "ILOVEYOU" and making them appear to have come from someone known to the recipient.

"It's irresistible," one said.

In the United Kingdom, where the attack jammed up servers at major commercial and governmental operations while North America slept, the press dubbed it "The Killer from Manila." Major installations, including Parliament, were severely infected. E-mail operations there and across the world had to be shut down to cleanse systems of thousands of infected e-mails.

This particular virus is of a breed called a "worm," which can replicate itself if the message is opened. The virus then searches for music and picture files on the users' hard disk and overwrites files with .jpg, .jpeg, .mp3 and .mp2 extensions.

The worm uses the Outlook e-mail application to spread but also can invade the mIRC chat program if installed.

When the attachment is opened, it first copies itself to the Windows System directory as MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs and to the Windows directory as Win32DLL.vbs.

The virus requires the Windows Scripting Host program, which is not normally present on Win95 or Windows NT machines unless Internet Explorer 5 has been installed.

I Love You also replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe". If the file is downloaded, the worm adds this to the registry as well, which then activates the virus when the system is restarted.

After that, the worm creates an HTML file, "LOVE-LETTER-FOR-YOU.HTM," in the Windows System directory. This file contains the worm, and it will be sent using mIRC whenever the user joins an IRC (Internet Relay Chat) channel, according to analysts at the F-Secure anti-virus site.

Then the worm will use Outlook to mass mail itself to everyone in each address book it can find. The message it sends is:

Subject: ILOVEYOU

Body: kindly check the attached LOVELETTER coming from me.

Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

Spreading harmful viruses is a federal crime, but authors of viruses are seldom caught. Malicious hackers often build and modify successful exploits using tools distributed openly on Web sites throughout the world. Shutting down such activity has proved virtually impossible for governmental and police agencies.

The Associated Press contributed to this report.

©1999 The Dallas Morning News