I Love You: Profile Of A Killer Virus

The feeling definitely wasn’t mutual for corporate users on the receiving end of last week’s “ILoveYou” e-mail virus. IT managers at scores of companies spent the end of last week trying to repair the damage, while employees had to bide their time until their e-mail and other systems were restored after the fast-moving virus hit.

After the initial wave, as many as five new strains of the virus began showing up Friday morning, including one labeled “fwd: Joke” and another, more destructive one labeled “Mother’s Day Order Confirmation.”

These, as well as many more versions expected in the coming days, are likely to keep corporations and computer users around the world on high alert for some time.

“It killed us; it absolutely destroyed us,” said Carl Ashkin, CEO of Darby Group Cos. Inc., a health care company in Westbury, N.Y., that had to shut down its e-mail server for an entire day.

Darby Group, which has 2,500 employees, lost data in shared files, artwork, logos and other materials, forcing its technical services team to work through the weekend. The company had to lock out its 300 outside salespeople to prevent the infection from spreading and undertook the costly process of having each laptop sent by overnight express to be checked out.

“This one was just particularly nasty. It hit us bad,” said Ashkin, an eWeek Corporate Partner. “We had 10,000 instances before we were able to get ahold of it.”

The virus, which contained the heading “I LoveYou” with an attachment titled “LOVE-LETTER-FOR-YOU.TXT.vbs,” hit more than 100,000 systems in its first hours, beginning in Asia and Europe and spreading west, according to security company F-Secure Corp., of Espoo, Finland. It primarily affected users of Microsoft Corp.’s Outlook e-mail program, Windows 98 and Windows 2000, and in some cases, Windows 95 and Windows NT 4.0 when Version 5.0 of Microsoft’s Internet Explorer is installed.
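The attachment name quoted above is the disguise that made the worm work: a harmless-looking “.TXT” in front of a “.vbs” that Windows will actually run as a script (and, with the default setting that hides known file extensions, the “.vbs” part is not even shown). Because the later strains changed their subject lines (“fwd: Joke”, “Mother’s Day Order Confirmation”), a mail gateway filter is better off keying on the attachment than on the subject. The following is an added illustration, not code from the article or from any vendor it names; the extension lists and the quarantine/review/allow verdicts are assumptions chosen for this example.

```python
import email
from email.message import EmailMessage
from email.policy import default

# Extensions Windows executes when a user double-clicks the file (assumed list).
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "bat", "cmd", "exe", "scr", "pif"}
# Extensions a user would read as "just a document or picture" (assumed list).
HARMLESS_EXTS = {"txt", "jpg", "jpeg", "gif", "mp3", "doc", "pdf"}


def attachment_risk(filename: str) -> str:
    """Classify one attachment name: 'quarantine', 'review' or 'allow'."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2:
        return "allow"                      # no extension at all
    real_ext = parts[-1]
    if real_ext not in EXECUTABLE_EXTS:
        return "allow"                      # not something Windows would run
    # "love-letter-for-you.txt.vbs" -> ["love-letter-for-you", "txt", "vbs"]:
    # a decoy extension hiding a script extension is the pattern to block outright.
    if len(parts) == 3 and parts[1] in HARMLESS_EXTS:
        return "quarantine"
    return "review"                         # plain script attachment: hold for a human


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 822 message and return (filename, verdict) per attachment."""
    msg = email.message_from_bytes(raw, policy=default)
    return [(part.get_filename() or "", attachment_risk(part.get_filename() or ""))
            for part in msg.iter_attachments()]


def build_sample(subject: str, body: str, attach_name: str, attach_bytes: bytes) -> bytes:
    """Construct a test message (constructed sample, not a captured one)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attach_bytes, maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("I LoveYou", "see attachment",
                          "LOVE-LETTER-FOR-YOU.TXT.vbs", b"' placeholder bytes, not a script")
    print(scan_message(sample))  # [('LOVE-LETTER-FOR-YOU.TXT.vbs', 'quarantine')]
```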

“This is an indication of a scary world for the future,” said Peter Kastner, chief research officer and CIO for Aberdeen Group, a Boston-based consultancy that had to shut down its e-mail server for hours. A few early risers opened the attachment, spamming their co-workers and anyone else in their address books.

The virus propagates a worm that replicates to everyone in an infected user’s address book, wiping out sound and graphics files such as MP3 and JPEG files. Many users also had to reset their browser’s home page. This latest strain was reminiscent of last year’s infamous Melissa virus but, in terms of volume and damage, much worse.

Tanya Candia, F-Secure’s vice president of worldwide marketing, said the company got its first reports around 9 a.m. from Norway. Four hours later, F-Secure had reports from 20 countries. Text of the message included the line “I hate to go to school” with the author identified as “spyder” and a Manila copyright tag. “It seems to be an order of magnitude vastly more disruptive than Melissa,” Candia said. “In the first hours, we had two or three times [more than] the reports of incidents with Melissa. Melissa spread itself to the first 50 names in an address book. This one doesn’t stop at all.”

The Mother’s Day virus includes a paragraph of text that states the recipient’s credit card has been charged $326.92 for a Mother’s Day diamond special. The e-mail urges the recipient to examine the attached invoice carefully and save it. Once the fictional invoice is opened, the virus is in motion again.

Richard Jacobs, president of Sophos Inc., an anti-virus software maker in Wakefield, Mass., said this strain is likely to dupe more people because of the timing, with Mother’s Day coming up May 14, and because a bill is involved. The Mother’s Day virus is even nastier, Jacobs said, because instead of overwriting JPEG files, it overwrites and deletes BAT and INI files, which can cause more damage and prevent systems from booting up.

“This one could be more difficult to clean up,” Jacobs said. He added that more strains are expected, because anyone who receives a virus also receives the source code for it, making it very easy for someone to go in, intentionally change a few words and launch a new strain.
