Telecom and Logistics Associates 

Security NEWs Service: TLAnews

publication: Christian ALT    TLAalert Security Service

19.5.2000 Security: Symantec informs of a new worm
Security software maker Symantec Corp. warned computer users and businesses of a new, destructive worm -- apparently based on ILOVEYOU -- that had hit three Israeli and European clients by Thursday night.

French version: Symantec informs us of a new worm
Symantec is warning computer users and businesses about a new destructive worm -- apparently based on ILOVEYOU -- that reached three Israeli and European clients on Thursday night.

 

English version
"For most users, if you are infected with the virus, it means you need to have your machine rebuilt," said Vincent Weafer, director of the Symantec AntiVirus Research Center, referring to rebuilding the computer's files from backup.

The malicious code is mailed to users as an apparent attachment from a friend, with the subject line "FW:" followed by a random file name. The attached file has that name plus the .VBS extension.

VBS.NewLove.A is a worm and spreads by sending itself to all addressees in the Outlook address book when it is activated. The attachment name is randomly chosen, but will always have a .VBS extension. The subject header will begin with "FW: " and will include the name of the randomly chosen attachment (excluding the .VBS extension). Upon each infection, the worm introduces up to 10 new lines of randomly generated comments in order to prevent detection.

French summary

For most users, if you are infected by this virus, it means you have to rebuild your computer.

The code is sent by e-mail, as an attached file coming from a friend, with a subject field that begins with FW: followed by a random file name.

The file extension is of type .vbs

for example "FW: monFichier.vbs"

It is a worm that propagates using e-mail and the address book. At each infection the worm introduces about ten random lines in order to make itself undetectable.

Consequences of ILOVEYOU: we have cited some figures received from the American government.

For example, the worm might find the file "mydoc.txt" on the user's system and send off a message with the subject line "FW: mydoc.txt" and an attachment of "mydoc.txt.vbs".

The current variant also adds a twist found in other viruses: Polymorphism.

The worm adds a few characters to its script's comment lines, thereby changing the length and "fingerprint" by which most virus software recognizes the code for what it is. That feature could make the virus harder to stop.
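
The effect of the added comment lines on a whole-file fingerprint, and one way a scanner can cancel it out, shown as an added example (not code from the original article or from Symantec). The two sample scripts are constructed and harmless, the function names are hypothetical, and only whole-line comments are handled.

```python
import hashlib

# Constructed, harmless VBScript samples: same statements, different
# random-looking comment lines, as the article describes for each infection.
SAMPLE_A = (
    "' qzkxw plmvr\n"
    "Dim greeting\n"
    "greeting = \"hello\"\n"
    "' aa bb\n"
    "WScript.Echo greeting\n"
)
SAMPLE_B = (
    "Dim greeting\n"
    "' zzz yyy xxx\n"
    "Rem 12345\n"
    "greeting = \"hello\"\n"
    "WScript.Echo greeting\n"
    "' tail\n"
)

def strip_comment_lines(script):
    """Drop blank lines and whole-line VBScript comments (' ... or Rem ...)."""
    kept = []
    for line in script.splitlines():
        s = line.strip()
        low = s.lower()
        if not s or s.startswith("'") or low == "rem" or low.startswith("rem "):
            continue
        kept.append(s)
    return "\n".join(kept)

def raw_fingerprint(script):
    """SHA-256 over the file exactly as received; changes with every comment."""
    return hashlib.sha256(script.encode("utf-8")).hexdigest()

def normalized_fingerprint(script):
    """SHA-256 over the statements only; stable across comment padding."""
    return hashlib.sha256(strip_comment_lines(script).encode("utf-8")).hexdigest()

if __name__ == "__main__":
    print("lengths:", len(SAMPLE_A), len(SAMPLE_B))
    print("raw equal:", raw_fingerprint(SAMPLE_A) == raw_fingerprint(SAMPLE_B))
    print("normalized equal:",
          normalized_fingerprint(SAMPLE_A) == normalized_fingerprint(SAMPLE_B))
```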

Steps to stop it:

There are three ways to stop the virus, said Weafer.

First, the network administrator can block all e-mail containing VBS scripts.
Second, users of Outlook should download Microsoft's newest patch and turn off VBS scripts.
Finally, users can turn off the Windows Scripting Host in Windows 98 by using the Control Panel/Add-Remove Programs/Windows Settings Tab/Accessories and unchecking the element "Windows Scripting Host."

Technical description:

This polymorphic Loveletter variant will overwrite ALL files that are not currently in use regardless of extension. It arrives as an email message with a subject of "FW: FILENAME.EXT" and an attachment named "FILENAME.EXT.VBS" (where FILENAME.EXT is derived from the infected user's recently opened documents list.) If no documents have been used recently, this name is randomly generated. If the message has been generated by a system running Windows NT or Windows 2000, then the filename will be omitted and the subject of the message will be "FW: .EXT" and the attachment name will be ".EXT.VBS" (again, the file extension will vary depending on the recently opened documents list of infected machines.)
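
A mail-gateway check for the subject/attachment naming described above, alongside the blanket .VBS attachment test from the first mitigation step, as an added example (not code from the original article or from any vendor). The function names, addresses and sample messages are constructed for illustration, and the attachment payload is an inert placeholder.

```python
import email
from email import policy
from email.message import EmailMessage

def vbs_attachments(msg):
    """Return the filenames of all attachments ending in .vbs (any case)."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".vbs"):
            names.append(name)
    return names

def matches_newlove_pattern(msg):
    """True when the subject is 'FW: <name>' and an attachment is '<name>.vbs'.

    Also covers the Windows NT/2000 case from the description, where <name>
    is only an extension such as '.DOC'.
    """
    subject = msg.get("Subject", "")
    if not subject.startswith("FW: "):
        return False
    wanted = (subject[4:].strip() + ".vbs").lower()
    return any(n.lower() == wanted for n in vbs_attachments(msg))

def build_sample(subject, filename):
    """Constructed sample message carrying an inert placeholder attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content("see attached")
    m.add_attachment(b"' inert placeholder\r\n", maintype="application",
                     subtype="octet-stream", filename=filename)
    # Round-trip through bytes so the checks run on a parsed message.
    return email.message_from_bytes(m.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    for subj, fname in [("FW: mydoc.txt", "mydoc.txt.vbs"),
                        ("FW: .DOC", ".DOC.VBS"),
                        ("Hello", "script.vbs"),
                        ("FW: report.doc", "report.doc")]:
        msg = build_sample(subj, fname)
        print(subj, "|", fname, "| pattern:", matches_newlove_pattern(msg),
              "| vbs:", vbs_attachments(msg))
```

The third sample shows why the article's first step blocks every VBS attachment rather than only this naming pattern: a script attachment with an unrelated subject passes the pattern check but is still caught by the extension test.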

Removal:

The contents of all files will be replaced with the source code of the worm, thus destroying the original contents. The worm will also append the extension '.vbs' to each of these files. For example, the file calc.exe will become calc.exe.vbs. Since this worm overwrites all files regardless of extension, proper removal can only be achieved by restoring the affected files from known clean backups.

 


Some Consequences of the LoveLetter virus

The Love Bug computer virus crippled some US government networks for as long as six days.

Eight of 20 surveyed federal agencies reported email outages lasting longer than a day.

At the Department of Defense, home to about one-third of the government's 6,300-plus most critical networks, "enormous efforts were expended containing and recovering from this virus."

"Terrorists could use cyber-based tools and techniques to disrupt military operations, communications networks, and other information systems or networks."

The Department of Health and Human Services took as long as six days to restore full email services after being swamped with some three million messages.

At least 1,000 files at the National Aeronautics and Space Administration were damaged, and not all could be restored.

Recovery at the Labor Department required more than 1,600 employee hours and more than 1,200 outside contractor hours.

 

 

 

Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: May 19, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.