Index

'Love Bug' Snarls E-mail Worldwide
Virus Jumps Continents Within Hours

May 4, 2000

By Jim Krane and David Noack

Hoag Levins
Damaged computers pile up at APBnews.com.

NEW YORK (APBnews.com) -- Sowing chaos as it proliferated among the world's e-mail users today, the stealthy computer virus dubbed "Love Bug" has trashed computer systems from Singapore to San Francisco.

The virus emerged late Wednesday in Hong Kong and spread further as the day dawned in Asia, disabling computers as it circumnavigated the globe from east to west, security experts say.

As the sun rose on the East Coast of the United States, the Love Bug worm began multiplying on computer networks here as workers opened infected e-mail.

"It's in full swing all around the world right now," said Ben Venzke, a computer security consultant for the Washington-based firm, I-Defense.

By mid-afternoon Eastern time, an Internet virus scanner operated by the Trend Micro computer security company detected almost 1.5 million infected computer files around the world, including more than 1.2 million in North America.

More powerful than speedy Melissa

The virus has been traced to a Philippines-based Internet provider called Skynet and to the handiwork of a hacker known only as "Spyder," said Rob Clyde, a security manager at the computer security firm Axent Technologies.

News reports quote a company spokesman as saying his service, using the domain www.skyinet.net, was an unwitting host to the attack. The debilitating worm is spread through e-mail messages in a similar manner to last year's Melissa worm that shut down much of the world's e-mail infrastructure.

Computer security experts say this new virus multiplies even faster than the Melissa infliction.

"This worm spreads at an amazing speed," said Mikko Hypponen, manager of Anti-Virus Research at F-Secure Corporation in Espoo, Finland. "We got the first report around 9 a.m. on Thursday from Norway, and by 1 p.m. we had reports from over 20 countries."

Spread worldwide in hours

While a number of anti-virus Web sites posted fixes to the bug, many users couldn't access them because of site traffic overloads. At the same time, stocks of Trend Micro and other makers of anti-virus software such as Symantec Corp. and Network Associates rose in New York, with shares of Trend Micro gaining by 17 percent.

The virus spread throughout e-mail systems in European parliamentary houses and through the high-tech systems of big companies and financial traders.

"I have to tell you that, sadly, this affectionate greeting contains a virus which has immobilized the House's internal communication system," said Margaret Beckett, leader of Britain's House of Commons.

The virus brought down 30 percent of Britain's company e-mail systems, according to Network Associates. In Sweden, the tally was 80 percent.

FBI spokeswoman Debbie Weierman said in Washington that the bureau has opened a criminal investigation into the attack and is assessing its impact domestically and internationally.

Government agencies just unplug

In Washington, where government bureaucracy is heavily dependent on e-mail and computers, many agencies unplugged their systems in order to stop the worm's spread.

"I'd assume there are a lot of places in town where people are just sitting around reading old magazines," said John Pike of the Federation of American Scientists.

While computer crime experts at the U.S. Department of Justice looked into the virus, spokesman John Russell said the rest of the staff had been warned not to turn on their computers.

At the State Department, computer technicians who discovered the virus this morning disconnected the department's e-mail network, a spokesman said. Soon after, the department sent a warning cable to U.S. embassies worldwide. This afternoon the department's e-mail servers were still shut down. The virus did not reach the State Department's classified areas.

Virus surfaces on Capitol Hill

The Pentagon's e-mail system was "up to its elbows" in messages with the attached affliction and had to be shut down briefly, said a Defense Department security consultant. The voluntary disconnecting of government e-mail servers was intended to prevent a repeat of Melissa virus damage, which disabled many government e-mail networks, the consultant said.

The virus surfaced on Capitol Hill today but caused few problems, congressional staffers said. In the House of Representatives, technicians discovered the virus at 6:30 a.m. and moved swiftly to set up filters and alert the some 10,000 House account holders to delete the suspect e-mail.

The servers were crowded by the overload of e-mail generated by the virus, but were not forced to shut down, while staffers and lawmakers remained connected to external e-mail.

On the Senate side, several committees took down their e-mail gateways as a precaution, but only did so for a couple of hours, said Senate Rules and Administration spokeswoman Tamara Somerville.

The Port Authority of New York & New Jersey, which oversees the three airports serving New York, said it shut down Web access and warned employees to delete e-mail containing the virus.

Worm burrows through address books

A worm is a virus designed to spread from one computer to another over any type of network. The Internet and e-mail have made the distributions of these kinds of viruses much easier, potentially striking countless computers in a matter of seconds.

The new virus is distributed via e-mail as an attachment and is entitled "ILOVEYOU." When the attachment is opened, the virus sends copies of the same e-mail to everyone listed in the user's address book. At the same time, it connects to a computer server in Quezon City, Philippines, and downloads four executable programs onto the afflicted computer.

Since the computer worm was written in Visual Basic script, the operating systems affected include Windows 98 and Windows 2000. Windows 95 and Windows NT 4.0 users can also be vulnerable if they are using Microsoft's Internet Explorer 5 Web browser.

At this point, computer security experts say, it appears the only e-mail program affected is Microsoft's Outlook and Outlook Express. The virus, however, is also being spread via a program called mIRC, a popular software chat program.

There are also some discussions online of Lotus Notes being affected.

A 'LOVELETTER' for you

The virus works this way:

It replaces the Internet Explorer home page with a link to an executable program -- "WIN-BUGSFIX.exe" -- and creates a HTML file, "LOVE-LETTER-FOR-YOU.HTM," in the Windows system directory. The virus will then use Outlook to mail a copy of itself to everyone in each address book.

The message will be addressed:

Subject: I LOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

The worm then searches for files with extensions of .jpeg, .mp3, .mp2, jpg .js, .jse, .css, .wsh, .sct, and .hta on local and remote drives and overwrites them. Once overwritten, the worm changes the extension of those files to .vbs or .vbe.

Once these music and image files are overwritten, they cannot be retrieved or used again. They will have to be restored from backups.

Photo publishers vulnerable

Clyde said the virus was having an impact on publishing companies that send photos via e-mail.

"Everyone I have spoken to, everyone I know, has received copies of this virus via e-mail. It appears to be extremely widespread," Clyde said.

The Melissa virus worked on the same principle, infecting about a million computers, clogging whole networks in the United States and causing $80 million in damage. One of the key differences between the Love Bug and Melissa is that the latter only sent itself to the first 50 e-mail addresses. The Love Bug sends itself to all of the addresses.

Melissa forgotten already?

Despite the electronic carnage associated with the Melissa virus, many computer users have yet to understand the danger of opening e-mail attachments -- even those coming from a person the recipient knows.

"I'm surprised at the number of people going around and executing this," said Ray Kaplan, a consultant with Guardent, a private Internet security firm.

"If your boss sends you a message that says 'I love you,' be suspicious," said Kaplan's co-worker G. Mark Hardy.

Companies able to function

Many businesses said they were affected but were able to function.

At Dell Computer Corporation in Texas, employees who arrived at work saw fliers posted on doorways warning them about the virus. A spokeswoman said the company's 36,000 employees worldwide were told to limit their e-mail use.

"Voicemail has been distributed across the company. We're using as many communication vehicles as possible to let employees know about the virus," said spokeswoman Neisha Frank.

Traders at Donaldson, Lufkin & Jenrette in New York were warned about the virus. Analysts at Goldman Sachs said they were having trouble contacting clients.

"Right now I'm unable to send or receive e-mails," said Goldman Sachs airline analyst Glenn Engel. "All other parts of my computer are working fine. As long as I have a phone, I'm OK."

A spokeswoman for the New York Stock Exchange said the virus had not affected administrative or e-mail operations.

Microsoft's weakness

One problem affecting the spread of computer viruses is what Hardy called "digital monoculture" -- the fact that the majority of computers use compatible Microsoft software that promotes collaboration among computer users, but also leaves them extremely susceptible to viruses.

"A good farmer will never plant all his acres with one species of crop because one bug could wipe out everything," Hardy said. "But we have the same vendor creating our operating systems, our office applications, our e-mail programs, our Web browsers and the macro languages that are used among them."

In 1988, during the Internet's infancy, a virus named "Morris" spread through the system via a security vulnerability in the e-mail client used at the time, Sendmail, Hardy said.

"The Morris worm knocked out over 10 percent of the computers on the Internet," said Hardy, noting that the number of machines affected then was fewer than 7,000. "It ripped through the Internet, locking out a whole bunch of machines."

With an estimated 300 million users on the Internet -- the majority using Microsoft-compatible products -- the potential for damage is massive, Hardy said.

"That's pure ecstasy if you're a virus author," he said. "Everybody's on the same platform. If a worm will run on your home PC, it'll run anywhere. It'll run on the space shuttle."

Jim Krane is APBnews.com special projects editor (jim.krane@apbnews.com). David Noack is an APBnews.com staff writer (david.noack@apbnews.com). APBnews.com staff writers Carol Huang, James Gordon Meek and Amy Worden contributed to this report.

This report contains material from The Associated Press.


 ©Copyright 2000 APB Multimedia Inc. All rights reserved.