First published: 05th May 2000
Hong Kong, China, May 5, 2000: The LoveLetter worm spread rapidly in Hong Kong yesterday and today but Yui Kee reported that calls about it were slowing down. Allan Dyer, Technical Director of Yui Kee Computing commented, "Now that almost everyone is aware of this it is not spreading so fast and systems administrators are working on getting back to normal." But this is not the end of the problem: By 6pm (Hong Kong time) on Friday, five different versions of the VBS/LoveLetter worm had been found in the wild. Several more are expected to appear over the coming weekend.
"The Mother's Day version of this worm is quite cunning", comments Mikko Hypponen,
Manager of Anti-Virus Research at F-Secure Corporation. "The e-mail appears to be a
confirmation of order for 'Mother's day diamond special', and the attachment file
mothersday.vbs is portrayed as if it would be an invoice. When users get such an e-mail they
assume there's some mistake and will naturally open the attachment - infecting their
computer. As there's only eight days to go until Mother's Day, this attack is quite
credible."
The worm arrives to users in e-mail message attachment called mothersday.vbs. On a default Windows system, the ".vbs" extension is not visible. If the recipient opens the attachment, the worm will use Microsoft Outlook (if installed) to send a message to everyone in any address books (including global access books of the organization these typically contains hundreds or thousands of addresses). The message looks like this:
From: Name-of-the-infected-user
To: Random-name-from-the-address-book
Subject: Mothers Day Order Confirmation
We have proceeded to charge your credit card for the amount of
$326.92 for the mothers day diamond special. We have attached
a detailed invoice to this email. Please print out the
attachment and keep it in a safe place.Thanks Again and Have a
Happy Mothers Day! mothersday@subdimension.com
Attachment: mothersday.vbs
As address books typically contain group addresses, the result of executing the
VBS/LoveLetter worm inside an organization is that the first infected user sends the message
to everybody in the organization. After this, other users open the message and send the
message again to everyone else. This quickly overloads e-mail servers.
In addition, this worm deletes all INI and BAT files from all drives and directories. This may leave the system in unbootable state and might serious damage to network files.
This variant is detected as VBS/LoveLetter.E by F-Secure Anti-Virus. Like the original version of the worm, VBS/LoveLetter.E is written in the VBScript language.
The other known variants of the worm are known as VBS/LoveLetter.A, B, C and D.
The A variant was the original LoveLetter worm.
The B variant has been modified in Lithuania, and the subject field of the sent e-mail messages is "Susitikim shi vakara kavos puodukui...", which is Lithuanian and means "Let's meet this evening for a cup of coffee..."
The C variant has the subject field of "fwd: Joke" and the attachment is called "Very Funny.vbs"
The D variant is almost identical to the original LoveLetter worm. It has been modified slightly, probably to make it undetectable to some anti-virus program.
The epidemic of the first variant, VBS/LoveLetter.A, started for Hong Kong Thursday afternoon and affected a wide range of organisations. "We have received reports from many sectors: Utilities, Transport, Banking and Finance, Media, Construction and others, such as a brewery" Dyer said. On Friday, Yui Kee Computing received over four times as many reports of LoveLetter as on Thursday. The Hong Kong Government was largely unaffected, "LoveLetter requires the Outlook mail client in order to email itself, and the Government has standardised on Notes so even if a few Government users received and opened a copy, it did not propagate. This is definitely a situation where it pays to be using different software" explained Dyer.
The damage caused by LoveLetter was mostly from the disruption to email systems and the time wasted by users deleting the junk messages. Some email servers became so flooded with copies of the virus they shut down, and in some cases, system administrators shut down email systems temporarily to prevent further spread. However, the worm could damage data, "It replaces JPG, picture files, and MP3 and MP2 music files with copies of itself, destroying them", said Allan, "but we have not had many reports of this type of damage, probably because these files are less common on most business systems."
Users are advised to keep their anti-virus software updated regularly, and to avoid opening email attachments unless they know who sent the message and why.