The "Love Letter" Internet worm that crawled out of Asia and then spread
around the world on Thursday like wildfire, may have infected up to one in
ten PCs in the UK, and "tens of millions" of computers worldwide, according
to antiviral experts.
Besides affecting companies, the worm has struck the houses of parliament.
Both the House of Commons and House of Lords were hit, leading to a shutdown
of e-mail that lasted a couple of hours.
"The message was noticed before lunch. It was a message sending love to you,
which is the sort of message a lot of us here don't expect to be receiving,"
says Muir Morton, the deputy sergeant at arms for the House of Commons.
Victims also include blue chip companies such as Barclays and AT&T. The
worm followed the sun, hitting Asia first, then Europe and then the U.S.
Like last year's Melissa, the Love Letter spreads by e-mailing itself to
addresses in a user's name and address book. But while Melissa sent itself
to only the first 50 addresses, the love worm sends itself to the entire
The words "I Love You" or "Love Letter" appear in the subject line of
e-mails. Messages also contain an attached file titled
LOVE-LETTER-FOR-YOU.TXT.vbs and the text "kindly check the attached
LOVELETTER coming from me." Users are advised to delete such an e-mail
The worm affects users of Microsoft Outlook Express program whose computers
support Visual Basic Scripting, which includes most modern Windows PCs.
Because the virus sends out such a huge amount of e-mail it can clog up or
disable networks entirely. The love bug also attempts to delete certain
files on a user's computer, including JPEG image files and MP3 music files.
Perhaps more disturbing is that the virus attempts to steal passwords. It
does this by connecting a user's browser to a particular Web page in the
Philippines where it downloads another, executable file. That file attempts
to steal any passwords stored in a PC's cache memory and then send them to
an e-mail address, also in the Philippines, experts said.
Passwords that can be stored a computer's cache memory include passwords to
Windows NT networks and to e-mail accounts. Exactly which passwords are
vulnerable depends on how individual PCs and networks have been configured.
Various antivirus vendors have contacted the Philippine ISP Sky Internet,
which has since disabled three Web sites that were acting as a source for
the executable that steals passwords. What this means is that while the
virus may still be clogging e-mail networks, it's probably no longer a
threat to passwords.
While Sky has identified the owners of the three Web pages, it said the
viruses might have been uploaded to the pages from another network in the
Philippines. The company has provided information to the Federal Bureau of
Investigation (FBI), which is investigating the origins of the virus.
Comments in the code of the virus indicate that it originated in the
Philippines capital city Manila, and that it was written by a hacker who
goes by the name "Spyder," according to various sources, although they said
the evidence isn't conclusive.
Experts said the virus wasn't particularly tough to write and that anyone
with knowledge of Microsoft's Visual Basic and a malicious bent could have
Meanwhile, reports of copycat versions of the Love Bug virus have already
started to surface. One such variant has been dubbed 'Very Funny' and
carries the subject field "fwd: joke,". The attached file is called
"VeryFunny.vbs." Other characteristics of the virus are the same as Love
Experts are warning that the mutating virus may prompt a wave of copycat
activity this weekend and in the coming weeks.
Businesses can fight the virus by blocking incoming e-mails that have Visual
Basic Scripting attachments. Home users should not open any attachments to
e-mails unless they know where they came from, particularly attachments that
end in .vbs.
Antivirus software vendors including Network Associates, Computer Associates
and Symantec each said they have posted various fixes to the problem on
their Web sites -- http://www.nai.com/, http://www.cai.com and
Network Associates is offering a free program at its MyCIO.com Web site that
scans Exchange servers and automatically deletes infected files. For desktop
users the company also has a program available called LoveScan ASAP.