'NewLove' Virus Dangerous, Sneaky

'Love Bug' Variant Changes Subject Line Constantly, Can Render PCs Inoperable


Dan Bernard, Staff Writer
May 19, 2000, 4:37 p.m. EDT

MINNEAPOLIS -- A devious new variation on the "ILOVEYOU" computer virus spreads itself in e-mails whose subject line starts with "FW" -- and ends with words that change with each PC that it infects.

Although the constantly changing subject line makes the spinoff virus difficult to detect, The Associated Press reported Friday that the bug was not spreading nearly as rapidly as the original Love Bug, which cut a destructive swath through worldwide computer systems on May 4.

    The AP said the virus, christened "NewLove," infected thousands of computers around the world on Wednesday and Thursday but failed to achieve the avalanche-like spread of "Love Bug" because many companies were able to block infected e-mails.

    The damage to those affected was much greater, however, since "NewLove" erases almost all files on a computer it infects and causes it to crash. The "Love Bug" and its initial spinoffs erased a few types of files such as images and audio files.

    The anti-virus firm Symantec alerted Channel 4000 about the dangerous offshoot with an e-mail advisory Thursday evening. The "FW" bug changes its subject line by infecting a computer and swiping the name of a document that was recently opened on that PC.

    That makes it trickier to spot the latest "Love Bug" knockoff, which virus experts have nicknamed "NewLove" or "Spammer." But it is even more destructive, capable of destroying vital files and rendering the infected computer "inoperable," Symantec said.

    Like the original Love Bug, the "FW" variant e-mails itself to everyone in the Microsoft Outlook address book of each PC that it infects, clogging e-mail systems.

    Like the original, the FW virus is passed as a file with a ".vbs" extension. Cupertino, Calif.-based Symantec AntiVirus Research Center sent out a warning Thursday evening that e-mail system administrators should erect filters that block e-mails with .vbs attachments; many already did so after the Love Bug attack.

    "Once the attachment is opened, the virus overwrites numerous files and renders the computer inoperable," Symantec spokeswoman Sherri Walkenhorst said.

    Symantec classified the spinoff, "VBS.LoveLetter.FW.A" as "dangerous" and "difficult to contain."

    Outbreak Contained?

    The May 4 Love Bug was the fastest-spreading computer virus ever, tearing through computer systems around the world in hours. "FW" doesn't appear to be that sort of a speed demon -- perhaps because, burned before by Love, computer users are more wary this time.

    According to The AP, the government-chartered CERT Coordination Center had received "no direct reports of infections related to this virus" as of 8 a.m. Eastern time.

    But antivirus software maker Trend Micro Inc. told The AP that on Thursday evening, the virus was detected at several large companies, including one at which 5,000 computers were infected.

    And software company Computer Associates International Inc. of Islandia, N.Y., heard reports of thousands of computers across the United States being infected.

    "If this gets to 100,000 machines, vs. millions for the 'Love Bug,' that's more damaging" because of the way it crashes computers, Computer Associates International's Simon Perry told The AP.

    Getting Technical

    Following is the text of Symantec's advisory as updated Friday morning:

    VBS.NewLove.A

    SARC, in conjunction with other anti-virus vendors, has renamed this worm from VBS.LoveLetter.FW.A to VBS.NewLove.A.

    The VBS.NewLove.A is a worm, and spreads by sending itself to all addresses in the Outlook address book when it is activated. The attachment name is randomly chosen, but will always have a .Vbs extension. The subject header will begin with "FW: " and will include the name of the randomly chosen attachment (excluding the .VBS extension).

    Upon each infection, the worm introduces up to 10 new lines of randomly generated comments in order to prevent detection.

    Also known as: VBS/Loveletter.ed, VBS/Loveletter.Gen, VBS_SPAMMER, VBS.Loveletter.FW.A

    Category: Worm

    Infection length: Variable

    Virus definitions: May 18, 2000 (available)

    Threat assessment:

    • Damage: High
      • Payload: Overwrites files
      • Payload trigger: .VBS email attachment is executed
      • Large scale e-mailing: Sends itself to all addresses in Microsoft Outlook Address Book
      • Modifies files: Overwrites every file on the system that is not currently in use including mapped local drives. Files in the root directory of any drive will not be affected.
      • Degrades performance: Could clog e-mail servers
      • Causes system instability: Overwrites critical system files
    • Distribution: High
      • Subject [line] of e-mail: Variable; "FW: filename.ext" (where filename.ext is derived from the user's recently opened documents list)
      • Name of attachment: Variable; "filename.ext.vbs" (where filename.ext is derived from the user's recently opened documents list)
      • Size of attachment: Variable
      • Target of infection: Overwrites all files that are not currently in use regardless of extension.
      • Shared drives: Will overwrite files on all mapped local drives (with the exception of files in root directories)
    • Wildness: Medium
      • Number of infections: More than 1,000
      • Number of sites: 3-9
      • Geographic distribution: Medium
      • Threat containment: Moderate
      • Removal: Difficult
      Technical description:

      This polymorphic Loveletter variant will overwrite ALL files that are not currently in use regardless of extension. It arrives as an e-mail message with a subject of "FW: FILENAME.EXT" and an attachment named "FILENAME.EXT.VBS" (where FILENAME.EXT is derived from the infected user's recently opened documents list.) The body of the email is empty. If no documents have been used recently, this name is randomly generated.

      If the message has been generated by a system running Windows NT or Windows 2000, then the filename will be omitted and the subject of the message will be "FW: .EXT" and the attachment name will be ".EXT.VBS" (again, the file extension will vary depending on the recently opened documents list of infected machines.)

      Registry entries modified:
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

      The actual key name will be the filename that is attached to the email. However for the Run key, it will be
      randomname = WindowsSystemDir \ randomname.ext.VBS

      and the RunServices will be
      randomname = WindowsDir \ randomname.ext.VBS

      Please also be aware it will create the files:

      WindowsSysDir\randomname.Ext.VBS
      WindowsDir\randomname.Ext.VBS

      in addition to: WindowsSystemDir\RecentUsedFile.Ext.VBS

      The term 'randomname' is the name of the file attachment of the e-mail.

      Removal:

      The contents of all files will be deleted, leaving the affected files with a byte length of zero.

      The worm will also append the extension '.vbs' to each of these files. For example, the file calc.exe will become calc.exe.vbs. Since this worm overwrites all files regardless of extension, proper removal can only be achieved by restoring the affected files from known clean backups. The user may need to reinstall the operating system as well since system files may have been destroyed.
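The filtering advice earlier in the article (block e-mails with .vbs attachments) and the message pattern in the advisory's technical description (subject "FW: " plus the attachment name without ".VBS", empty body) can be combined in a gateway-side check. The following is an added example, not code from Symantec or Channel 4000; the function names, verdict labels and sample messages are constructed for illustration.

```python
import email
from email import policy

def newlove_verdict(raw: bytes) -> str:
    """Classify one RFC 822 message: 'newlove-pattern', 'vbs-attachment' or 'pass'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # walk() visits every MIME part, so an "inline" disposition does not hide a script.
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    # Windows ignores trailing dots and spaces, so normalise before testing the extension.
    vbs = [n.rstrip(". ") for n in names if n.rstrip(". ").lower().endswith(".vbs")]
    if not vbs:
        return "pass"
    subject = str(msg["Subject"] or "").strip().lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    body_empty = body is None or not body.get_content().strip()
    for name in vbs:
        # "budget.xls.vbs" -> "budget.xls"; the NT/2000 form ".doc.vbs" -> ".doc"
        stem = name[:-4].lower()
        if body_empty and subject == "fw: " + stem:
            return "newlove-pattern"
    # The subject changes per infection, so the extension alone is the reliable block rule.
    return "vbs-attachment"

def build_sample(subject: str, body: str, attachment: str) -> bytes:
    """Constructed test message (not a captured sample); the payload is inert text."""
    return (
        f"From: a@example.com\r\nTo: b@example.com\r\nSubject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
        f"--B\r\nContent-Type: text/plain\r\n\r\n{body}\r\n"
        "--B\r\nContent-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{attachment}"\r\n\r\n'
        "inert placeholder\r\n--B--\r\n"
    ).encode("ascii")

if __name__ == "__main__":
    for subj, body, att in [
        ("FW: budget.xls", "", "budget.xls.vbs"),
        ("FW: .doc", "", ".doc.vbs"),
        ("Quarterly script", "See attached.", "report.vbs"),
        ("FW: budget.xls", "", "budget.xls"),
    ]:
        print(f"{subj!r:22} {att!r:20} -> {newlove_verdict(build_sample(subj, body, att))}")
```

Both non-"pass" verdicts would be quarantined under the advice above; the separate "newlove-pattern" label only helps triage which blocked messages match this worm's described shape.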

      Copyright 2001 by Channel 4000. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
