Information Security News mailing list archives

'NewLove' contained: What went right


From: William Knowles <wk () C4I ORG>
Date: Sat, 20 May 2000 00:51:00 -0500

http://dailynews.yahoo.com/h/zd/20000519/tc/_newlove_contained_what_went_right_1.html

Friday May 19 06:31 PM EDT
By Robert Lemos, ZDNet News

It had the potential to be a crippling virus, but NewLove has done
little damage. Thank more-savvy users and better virus protection.

Dire warnings fell flat on Friday when the "NewLove" worm -- loosely
based on the "ILOVEYOU" worm that spread like wildfire at the
beginning of May -- failed to infect a significant number of computers
and seemed to be under control.

The containment of the latest outbreak may demonstrate that users are
becoming more savvy when handling unknown e-mail and that virus
fighters are better prepared to knock down infections quickly.

"We have not gotten a single report," said Tanya Candia, vice
president of global marketing with anti-virus software maker F-Secure.
"While it evades detection -- quite successfully -- by making itself
hard to find, none of our clients are reporting infections."

The Computer Emergency Response Team at Carnegie Mellon University
also announced Friday that its members had not seen any infections.

And clients of security software maker Network Associates Inc.
submitted only two samples of the new virus to researchers there. "We
don't have reports of widespread damage nor prevalence," said Vincent
Gullotto, director of the Network Associates' AVERT research lab. In
total, less than 20 of the company's clients reported infections.

On Friday afternoon the AVERT lab downgraded the threat from the virus
to a "medium" risk from the "high risk" rating earlier.

Referred to as VBS/NewLove, the worm-type outbreak has failed to cause
much disruption at all in the computer world, experts said, after
raising fears that a rival of the Love bug outbreak was about to hit
the computer world.

NewLove like old friend

Based loosely on its cousin ILOVEYOU, the Visual Basic script virus
known as NewLove is mailed to users as an apparent attachment from a
friend, with the subject line "FW:" followed by a random file name.
The attached file has the same name plus the .VBS extension.

For example, the worm might find the file "mydoc.txt" on the user's
system and send off a message with the subject line "FW: mydoc.txt"
and an attachment of "mydoc.txt.vbs".

After that, the virus trashes the system by deleting all files by
setting their lengths to zero.

The current variant also adds a twist found in other viruses:
Polymorphism. The worm adds several more comment lines to itself every
time it reproduces, thereby changing the length and "fingerprint" by
which most virus software attempts to recognize the code.

That feature made the virus harder to stop, but has also made the
virus its own worst enemy. Growing at 100KB every time that it infects
a computer, the worm should soon be too large to spread through e-mail
systems unnoticed.

Started in Israel

The virus popped up earlier in the week in Israel when a handful of
companies became infected. Thursday night, software maker Symantec
Corp. raised the red flag when three of its Israeli and European
clients reported being infected with the destructive virus.

Other anti-virus vendors followed suit with their own press releases
as soon as a fix became available. Even the FBI jumped into the fray
announcing that it had decided to try and hunt the creator of the
ILOVEYOU knockoff.

Cary Nachenberg, chief scientist for Symantec, said the industry
reacted quickly and appropriately to the new virus.

"If you looked how this started out, it had the same pattern as
ExploreZip. That virus took out a fair number of computers," he said.
"If anything our announcements raised people's awareness, and I don't
think it caused any harm at all."

ExploreZip, which hit the Net a year ago, had a similar modus
operandi, trashing files and sending itself to e-mails taken from the
Outlook address book.

Protections caused more e-mail

However, while a minor consideration, the warnings and pre-emptive
network shutdowns probably caused far more e-mail traffic than the
virus did, said Rob Rosenberger, editor of Computer Virus Myths, an
independent Web site that keeps an eye on the anti-virus industry.

"I think there is more spamming going on because of warnings than
because of the virus. The military, for one, is pumping out alerts,"
he said.

The ILOVEYOU virus swamped servers and computers with a far greater
amount of e-mail.

According to a survey by the Pew Internet and American Life Project,
the ILOVEYOU virus appeared in the inboxes of 15 percent of the U.S.
Internet-using populace, and roughly a quarter of those that received
the e-mail opened the attachment, infecting themselves.

"Viruses seem to be a growing part of our lives," said John Horrigan,
analyst with the project.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
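
Added example, not part of the forwarded article or the original post: a defender-side sketch of the two traits the article describes, the "FW: <file name>" subject paired with a "<file name>.vbs" attachment, and the comment-line padding that changes a whole-file fingerprint. All function names and the sample scripts are constructed for illustration; the samples are harmless.

```python
import hashlib
import re

def strip_vbs_comments(script: str) -> str:
    """Drop blank lines and whole-line VBScript comments (' or Rem).

    Assumption: padding is added as whole comment lines, as the article
    says; trailing comments on code lines are left untouched."""
    kept = []
    for line in script.splitlines():
        s = line.strip()
        if not s or s.startswith("'") or re.match(r"(?i)rem(\s|$)", s):
            continue
        kept.append(s)
    return "\n".join(kept)

def raw_fingerprint(script: str) -> str:
    """Hash of the file as received; changes whenever padding changes."""
    return hashlib.sha256(script.encode()).hexdigest()

def normalized_fingerprint(script: str) -> str:
    """Hash of the code with comment padding removed; stable across copies."""
    return hashlib.sha256(strip_vbs_comments(script).encode()).hexdigest()

def matches_newlove_lure(subject: str, attachment: str) -> bool:
    """True when the subject is 'FW: <name>' and the attachment is '<name>.vbs'."""
    m = re.fullmatch(r"FW:\s*(.+)", subject.strip(), flags=re.IGNORECASE)
    if not m:
        return False
    name = m.group(1).strip().lower()
    return attachment.strip().lower() == name + ".vbs"

# Constructed, harmless samples: GEN2 is GEN1 plus inserted comment lines.
GEN1 = 'Dim msg\nmsg = "hello"\nWScript.Echo msg\n'
GEN2 = ("' kq zx pad\nDim msg\nRem filler 123\n"
        'msg = "hello"\n\' more pad\nWScript.Echo msg\n')

if __name__ == "__main__":
    print("raw hashes equal:       ", raw_fingerprint(GEN1) == raw_fingerprint(GEN2))
    print("normalized hashes equal:",
          normalized_fingerprint(GEN1) == normalized_fingerprint(GEN2))
    print("lure match:", matches_newlove_lure("FW: mydoc.txt", "mydoc.txt.vbs"))
```
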
