First published: 19th May 2000
New computer virus is dangerous but has not caused much real-world problemsHONG KONG, China, May 19th, 2000 - F-Secure Corporation (formerly Data Fellows) [HEX: FSC], a leading provider of security for mobile, distributed enterprises, is warning e-mail users of a new version of the VBS/LoveLetter virus. The new version is known as NewLove, and it carries much more dangerous payload than LoveLetter. However, NewLove is not widespread at all.
This worm spreads by e-mail, much like LoveLetter. However, the subject field of the e-mail and the name of the attached file are random. NewLove operates under Windows operating system and needs Microsoft Outlook to spread itself further via e-mail. F- Secure Anti-Virus detects and disinfects the virus, with the latest update available from www.F-Secure.com .
"This worm is too destructive to go very far", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. "When people were hit by LoveLetter, they didn't notice it until they were contacted by people who they had sent the virus to. With NewLove, you're computer crashes immediatly and you loose your files. It's difficult to miss that."
"We have had no reports of this in Hong Kong", comments Allan Dyer, Technical Director at Yui Kee Computing. "Also, discussion between international anti-virus researchers indicates that NewLove has not spread much."
The spreading technique of the virus is tricky; it picks up a filename from the list of recently used files. This name could be, for example "Comments from Bob.txt". Then the virus would copy itself to a similar name: "Comments from Bob.txt.vbs" and e-mail that file as an attachment to people found from the address book. Subject of the e-mail would be "FW: Comments from Bob.txt". The results is quite realistic looking e-mail, which might be opened even by careful users.
With default settings Windows would hide the ".vbs" extension of the attachment. If the user would open the file, the worm would immediatly e-mail itself further and then start to delete all accessible files on the local hard drive and in the company network. As a result, the computer crashes on won't boot.
Currently, there's no information on where the virus may originate from. There's no obvious clues in the source code of the virus.
"The virus is programmed so that it keeps on changing it's code by adding random junk text into it", comments Mikko Hypponen. "This makes the virus larger and larger as it spreads - eventually making it so large it can't be e-mail as an attachment any more. This is another factor that limits the spreading of this virus."
"After all, technology is not all that matters for a virus to spread. It also needs to get lucky."
A technical description of the virus is available in the F-Secure virus description database at: http://www.F-Secure.com/v-descs/newlove.shtml
Sample pictures of the code of the VBS/LoveLetter worm is
available in the F-Secure virus screenshots center at:
http://www.F-Secure.com/virus-info/v-pics/