A new Internet worm that spreads via an e-mail message purporting to be a love letter is wreaking havoc around the globe today.
It is already estimated that hundreds of thousands of computers will be hit by the "ILOVEYOU" worm-a software script. It was first detected last night, according to Computer Associates. And today the virus has begun making a global sweep.
Sites throughout the world - starting in Asia, then Europe and then the U.S.-have reported being infected by the virus. This virus is particularly troublesome because, unlike the notorious Melissa virus, which attached itself to the first 50 e-mail addresses in address books, the "ILOVEYOU" worm attaches itself to the entire address book, says Narender Mangalam, director of security at CA.
Besides affecting companies, the worm also struck the two houses of the British Parliament - House of Commons and House of Lords. The attack forced the two houses to shut down their e-mail systems for a couple of hours.
"The message was noticed before lunch. It was a message sending love to you, which is the sort of message a lot of us here don't expect to be receiving," says Muir Morton, the deputy sergeant at arms for the House of Commons.
The Visual Basic script worm arrives in an e-mail message with the subject "ILOVEYOU," according to information from antivirus vendors, and carries an attached file titled LOVE-LETTER-FOR-YOU.TXT.vbs and the text "kindly check the attached LOVELETTER coming from me." Because it is based on Visual Basic script, the worm infects only computers that have Visual Basic, which is included with Windows 2000.
Users are advised to immediately delete the message and the attached file, "even if it's from your spouse," Mangalam says. He further advised that computer users immediately update antivirus software. Upgrades are available at the Internet sites of various antivirus vendors.
If opened, the worm inserts the following files: MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows system directory, Win32DLL.vbs in the Windows directory, WinFAT32.EXE and WIN-BUGSFIX.EXE in the Internet download directory and script.ini in the mIRC directory.
It is particularly adept at hiding itself "so you can't really tell where it's going," Mangalam says.
When it first was detected, the worm also would go out to four different Internet sites and pull software from those to download on infected computers, allowing hackers to possibly break into those computers, Mangalam says. The Internet sites have been shut down.
One of the companies hit by the worm was Adaco AB, a Stockholm food wholesaler with approximately 120 users.
"We were hit at around 2 p.m., but were quite lucky-only three of our users got infected," Adaco's IT Manager Conny Björling says.
Björling immediately isolated the worm's code, which he says consists of around nine A4-sized pages of Visual Basic script and carries the signature of a Manila, Philippines hacker calling himself "Spyder."
"Although it is too early to say how serious a problem this really is, it certainly spreads like wildfire," he says.
Within five minutes, the worm had infected around 800 files, including some register and system files, Björling says.
The worm seems to have originated in the Philippines, agreed F-Secure, an antivirus software vendor in Espoo, Finland.
Additional reporting by Laura Rohde in London, Terho Uimonen in Stockholm and Margret Johnston in Washington, D.C.
RELATED LINKS
