As New Strains of the “Love Bug” Strike World’s Largest Businesses, Corporations and Banks and Causes Damage in Billions “New Love” Hits Hard [Archives:2000/22/Science & Technology]

May 29 2000

By Bassam Al-Sabri
Yemen Times
On Thursday, May 4, 2000, computers in the U.S., Asia and Europe were hit hard by a computer virus that spread through e-mail messages titled “ILOVEYOU”. Millions of computer systems around the world have been infected by the ILOVEYOU virus, which hit systems from the British Parliament to the Pentagon, putting the whole world on alert. The virus was first detected in Hong Kong, spreading through Microsoft Outlook e-mail systems and the popular Internet Relay Chat program mIRC. Early Thursday, the virus hit European parliaments, big companies and financial traders. Experts estimated that 60% to 80% of U.S. companies were infected by the ILOVEYOU virus.
The Virus
Users received an e-mail message from someone they know, asking them to check an attached “Love Letter”. The attachment is a Visual Basic script that contains the virus payload. If the message is deleted before the attachment is opened, the computer is not infected. However, once a computer is infected, the virus, also named “Love Bug”, transmits itself through e-mail using Outlook’s address book.
The Love Bug is extremely destructive. First, it copies itself to two critical system directories and adds triggers in the Windows registry. This ensures that it will run every time the computer reboots. Then it starts attacking data files associated with Web development. These are overwritten with files in the Visual Basic programming language, and the original files are deleted. It also destroys multimedia files such as JPEGs and MP3s; again, it overwrites the original file with a Visual Basic file that bears a similar name.
Aside from mailing itself and damaging files, the virus also tries to send users to Sky Internet web pages to download and run an executable file called “WIN-BUGSFIX.exe”, which the suspected virus author uploaded onto Sky Internet servers. It does this by changing the user’s Microsoft Internet Explorer start page to one of four accounts at Sky Internet. This executable file is the second part of the Love Bug. It searches the user’s hard drive for user name and password combinations and then sends them off to the e-mail address [email protected]. Fortunately, a European Internet provider tipped off Sky Internet, and the executable file was completely removed by 4:30. Luckily, it attacked only a couple hundred people in Europe. Experts said that if that part of the attack had reached more people, the results could have been catastrophic. If the second part had hit the world, approximately 40 million people would have needed to change their passwords from every infected computer.
This virus is far more aggressive than its predecessor, Melissa. Melissa sent copies only to the first 50 addresses, whilst this one sends copies to all addresses. The virus can also spread through the Internet Relay Chat client mIRC to every user who enters the chat room. Several anti-virus companies have developed “virus definition” files for ILOVEYOU. Those files act as “fingerprints” for the virus, allowing anti-virus programs to detect and eliminate it. One such company was McAfee, which on Thursday afternoon released a software patch that can identify the virus.
Experts say that despite all the damage the e-mailed virus has caused, it was written in plain code, which made its detection and removal easier. They also stated that the virus could have been made more adaptable and much more difficult to stop. However, the virus has also been followed by copycat attacks, including one called “very funny”. These new variants can elude anti-virus software that is designed to block the “ILOVEYOU” bug and could potentially cause the same damage. Experts stated that we should expect dozens more copycat attacks. They explained that further attacks are very likely since the virus was developed using an easy-to-understand programming language. The code of this virus is very easy to read, and there will be more and more copycats. It would not be difficult for a teenager who understands a bit of Visual Basic to download the virus, modify it and launch a new strain.
As a matter of fact, as many as five new strains of the “ILOVEYOU” virus appeared just 24 hours after the first version was released, one of which was labeled “fwd: Joke”. So far, 25 strains of the virus with different levels of destructiveness have been detected, and there is no reason to believe that these will be the last.
Some technology experts have attributed the rapid spread of the virus to the vulnerability of Microsoft products, saying the company could have taken precautions to make its products more secure. In response, Microsoft worked on a new patch for Outlook 98 and 2000 that breaks a lot of functionality, yet provides unprecedented security. The patch blocks all attachments that have .exe, .vbs or .bat extensions, along with 35 other extensions. Aside from this tight security measure, the patch won’t permit other programs to access the Outlook Address Book in any form. This new tactic, however, does not seem to have met with total agreement. Many believe that Microsoft has gone too far, making it impossible to run certain files from Outlook.
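The extension blocking described above, sketched as a mail-gateway check. This is an added example, not Microsoft's code and not part of the original article; it lists only the three extensions the article names, and the sample message, addresses and file names are constructed.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Only the three extensions the article names; the other 35 are not listed there.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".bat"}


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of attachments whose final extension is blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # handles quoted and RFC 2231 filenames
        if not name:
            continue
        # Windows drops trailing dots and spaces from file names, so
        # "x.vbs." is still opened as a script: normalise before comparing.
        cleaned = name.rstrip(". ").lower()
        # Only the last extension decides how the file is opened,
        # so "Invoice.TXT.VBS" is a script, not a text file.
        if os.path.splitext(cleaned)[1] in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def verdict(raw_message: bytes) -> str:
    """Gateway decision: hold the message if any attachment is blocked."""
    return "quarantine" if blocked_attachments(raw_message) else "deliver"


def sample_message() -> bytes:
    """Constructed test message; every name and address here is made up."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "FW: invoice"
    m.set_content("Please check the attached files.")
    m.add_attachment("meeting notes", filename="notes.txt")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="Invoice.TXT.VBS.")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="setup.EXE")
    return m.as_bytes()


if __name__ == "__main__":
    print(verdict(sample_message()), blocked_attachments(sample_message()))
```

The check looks at names only, so it shares the trade-off the article mentions: legitimate files with these extensions are held as well.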
New Love Hits
On Thursday, May 18, a new and potentially more dangerous strain of the “Love Bug” was released. The new bug was dubbed “VBS/New Love.a”. Experts say it could be more destructive than the “Love Bug” if widely spread. This new strain can cause rampant damage. At the same time, the recently released “Love Bug” antivirus programs cannot detect it. Still, McAfee updated its detection software within two hours of detecting the virus and advised users to update their virus scanners as soon as they could.
Despite the similarity in name, replication scheme and the language in which they were written, the new bug has totally new code and a new approach to destruction. Yet both bugs target users of Windows 98 or 2000, or those who run Internet Explorer 5 on Windows 95.
The “New Love” variant is described as polymorphic. Each time it replicates, it uses a different subject line and changes its size. It follows a very clever procedure which makes it hard to detect. The “New Love” bug sends realistic file names with subject lines starting with “FW:” to people you know or businesses you deal with. It uses the same tactic as its predecessor, the “Love Bug”, to send itself to all e-mail addresses in your address book. Once the virus replicates, it starts writing over your files. Unlike the “ILOVEYOU” virus, which obliterated JPEG and MP3 files, this new strain hungrily targets each and every file on a user’s hard drive that has “write permission”. The new bug searches through all local drives and subdirectories. Then it deletes the original files and replaces them with new empty ones using the same name with the new extension “.vbs”. Moreover, all networked hard drives would be destroyed in the same manner. After the bug strikes, your computer immediately breaks down and becomes unbootable. In this case, you will need to reinstall the operating system along with all the other programs you used to run. Recovering the deleted files is out of the question since they are already overwritten and erased by the bug. The only sure and safe method to recover files is from backup files stored separately by users themselves.
Experts say that the damage of this virus is tempered by several factors. First, people tend to be more cautious, especially after the recent “Love Bug” strike. Furthermore, the virus appears to have a built-in problem that will limit how far it can get around. “New Love” adds junk lines to its code each time it replicates in order to change its size. This feature was designed to make it harder to detect. Luckily enough, the bug does not remove these junk lines. Therefore, as it replicates, it grows in size, and soon it would be stopped by the limits that companies place on attachment size.
“Eventually, it’ll become 10 megs, 100 megs, 1 gig,” Mikko Hypponen, Director of the virus search and antivirus company F-Secure in Finland, said. “It’ll kill itself off. It becomes too fat.”
What are viruses? How can we avoid them?
Computer viruses are short strings of software code that have three properties: first, they replicate very fast, spreading from machine to machine in a way similar to that of a virus; second, they hide themselves inside benign files and programs; and third, they cause deadly damage to your computer. Unfortunately, there is no perfect cure for computer viruses. Every time someone invents a new immunization, another invents a new virus. However, we can still take a few precautions to buffer us against many virus attacks:
-Do not open attachments you receive from someone you don’t know. You should also avoid downloading any sort of data from dubious Web sites.
-Scan all newly downloaded files or applications immediately with antivirus software.
-Keep a spare disk drive hooked to your PC and regularly back up your data. Try to save redundant copies of all your files. Note: Remember, you need to perform a virus check first before you make a backup.
-Use good virus-checking software from companies that keep their products up-to-date. However, you should know that there is no one program that fixes every virus. When a new bug spreads, you will need to wait for the release of a new updated program.
-Postpone upgrading to new versions of the most popular software, since they attract virus writers.
If you would like to protect yourself against VBScript worms, visit F-Secure’s web site: http://www.F-Secure.com/virus-info/u-vbs/
Experts estimate damages in billions for the bug
More than 45 million computers around the globe have been infected by various strains of the virus. Experts estimated $US 2.61 billion of damage done within the first week. The damage was growing by $US 1 billion to $US 1.5 billion a day until the virus was terminated. Now, the total estimate of the damage worldwide amounts to $US 6.7 billion.
In conclusion, viruses evolved even before we came to know the PC in its form today. However, not all viruses are necessarily malignant. Some viral techniques can be valuable programming tools if used properly. On the other hand, if inappropriately used, believe me, nothing can be more destructive.
