Information Security News mailing list archives

Worm alert! LOVELETTER gets nastier


From: William Knowles <wk () C4I ORG>
Date: Thu, 18 May 2000 19:18:14 -0500

http://dailynews.yahoo.com/h/zd/20000518/tc/worm_alert_loveletter_gets_nastier_1.html

Thursday May 18 09:30 PM EDT
By Robert Lemos, ZDNet News

Several Symantec customers have revealed a new, destructive variant on
the loose. Damage has been limited ... so far.

Security software maker Symantec Corp. warned computer users and
businesses of a new, destructive worm -- apparently based on ILOVEYOU
-- that had hit three Israeli and European clients by Thursday night.

Aside from spreading by mailing itself out to everyone on the Outlook
address book, the virus also deletes all files on the victim's
computer -- and any mapped, network drives -- by setting the files'
lengths to zero.

"For most users, if you are infected with the virus, it means you need
to have your machine rebuilt," said Vincent Weafer, director of the
Symantec AntiVirus Research Center, referring to rebuilding the
computer's files from backup.

The malicious code is mailed to users as an apparent attachment from a
friend, with the subject line "FW:" followed by a random file name.
The attached file has that name plus the .VBS extension.

For example, the worm might find the file "mydoc.txt" on the user's
system and send off a message with the subject line "FW: mydoc.txt"
and an attachment of "mydoc.txt.vbs".

This one harder to stop?

The current variant also adds a twist found in other viruses:
Polymorphism.

The worm adds a few characters to its script's comment lines, thereby
changing the length and "fingerprint" by which most virus software
recognizes the code for what it is. That feature could make the virus
harder to stop.

There are three ways to stop the virus, said Weafer.

- First, the network administrator can block all e-mail containing VBS
scripts.

- Second, users of Outlook should download Microsoft's newest patch
and turn off VBS scripts.

- Finally, users can turn off the Windows Scripting Host in Windows 98
by using the Control Panel/Add-Remove Programs/Windows Settings
Tab/Accessories and uncheck the element "Windows Scripting Host."


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
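
As an added illustration of the first mitigation listed in the article (this is not code from the article, the list, or Symantec): a Python mail-gateway check that blocks any message carrying a .vbs attachment and records the two indicators the article describes, the double extension and the "FW: <file name>" subject. The function names, addresses and sample messages are constructed for this example; the verdict depends only on the attachment name, so padding the script's comment lines does not change it.

```python
import os.path
from email import message_from_bytes, policy
from email.message import EmailMessage

def inspect_message(raw: bytes) -> dict:
    """Return a block verdict plus the indicators seen on each .vbs attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        # Windows drops trailing dots and spaces, so normalise them away first.
        lowered = name.lower().rstrip(". ")
        if not lowered.endswith(".vbs"):
            continue
        stem = lowered[:-4]
        reasons = ["vbs-attachment"]          # enough on its own to block
        if os.path.splitext(stem)[1]:         # e.g. mydoc.txt.vbs
            reasons.append("double-extension")
        if subject == "fw: " + stem:          # subject is "FW:" + original file name
            reasons.append("subject-matches-attachment")
        findings.append((name, reasons))
    return {"block": bool(findings), "findings": findings}

def build_sample(subject: str, filename: str, body: bytes) -> bytes:
    """Build a constructed test message (hypothetical addresses, inert body)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "friend@example.com", "user@example.com", subject
    m.set_content("see attached")
    m.add_attachment(body, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    samples = [
        build_sample("FW: mydoc.txt", "mydoc.txt.vbs", b"' inert placeholder\r\n"),
        # Same names, different body bytes: a content fingerprint would differ.
        build_sample("FW: mydoc.txt", "mydoc.txt.vbs", b"' inert placeholder xyz\r\n"),
        build_sample("FW: notes.txt", "notes.txt", b"plain text\r\n"),
    ]
    for raw in samples:
        print(inspect_message(raw))
```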

