May 19, 2000
Web posted at: 11:10 p.m. EDT (0310 GMT)
(CNN) -- While a new and potentially more destructive computer virus uses the same replication scheme as the "ILOVEYOU" virus, the new bug's ambitious destruction program may curb its spread and eventually cause it to fizz out on its own, according to one computer expert.
Mikko Hypponen, director of virus research at anti-virus company F-Secure in Finland, said that while this virus -- dubbed "NewLove" -- can make a computer unbootable, it is not nearly as stealthy as "ILOVEYOU." The new computer worm is much less widespread than previous outbreaks and has built-in problems that will eventually make the virus expire on its own. A worm is a virus that is self-replicating.
"Unlike the original 'ILOVEYOU' virus, this one appears to have started, at least in significant part, in the United States rather than spreading from Asia to Europe to the United States," said Michael Vatis of the FBI's National Infrastructure Protection Center.
U.S. federal sources said they would not rule out that the same people involved in launching the "ILOVEYOU" virus a few weeks ago may have been involved in this one.
Officials said apparently no U.S. government computers have been affected. Warnings were disseminated before the start of business Friday. "Hopefully, that will minimize the effects," said one federal government source.. "But it's too early to say what the impact has been or will be."
Despite its name, "NewLove" is not very similar to "ILOVEYOU," also known as Love Letter or Love Bug. The two are written in the same computer language, and Hypponen said the e-mail replication loop -- how the virus sends itself out to everyone in the user's Outlook address book -- is the same. Despite that, they are two different viruses.
"Otherwise, it's totally new code. But there's a common idea," Hypponen said.
Like the Love Letter virus, it only affects users of the Microsoft Windows 98 or 2000 operating systems, or Windows 95 users also running Internet Explorer 5.0. The virus also needs Microsoft's Outlook mail program to proliferate. The consumer version, Outlook Express, is not affected.
Rather than the same subject line each time, "NewLove" is polymorphic. Each time, it takes the name of a recently accessed file on the user's machine and uses that name, along with "FW:". This can work much better than "ILOVEYOU," because users can't be on the lookout for a specific subject line. Instead, the subject line may be a file name that is trusted -- especially among co-workers.
"It's really quite clever," Hypponen said. "It uses realistic file names and sends those to people you know. It's social engineering, just like we saw with Love Letter."
After replicating itself, the virus begins obliterating files. While Love Letter destroyed only JPEG image files, NewLove targets every single file on a user's hard drive. The worm will go through all local drives and all subdirectories. For each file, the worm creates a new file using the same name with the additional extension ".vbs" and deletes the original file. The new file is empty, effectively destroying all data on the machine. Then it does the same to networked hard drives, common in a company atmosphere.
The virus only does this to files for which the user has "write" permission, and files that are not currently in use. Still, it immediately makes the computer crash and become unbootable.
As frightening as that may be for users, it is also NewLove's downfall, Hypponen said.
"It's too destructive to become widespread," he said. "When you get hit by Love Letter, you may not notice it. The next time you hear about it is when someone calls you up and complains. But with NewLove, you open the attachment and immediately your machine crashes and won't boot again.
"It's never going to go around like Love Letter," he said, "because it's so obvious."
After being urged for more than one year to make Outlook less risky, the company is expected to offer a software patch next week.
"They've really done a 180 on this," said Chris Le Tocq of the Gartner Group. "The new fix that they have in Beta right now for Outlook completely removes programmability except as manually authorized in each case by the user.
"And this will break, frankly, a large number of corporate applications, but for the general user this is the right thing to do," he added.
Another quirk in the code can also limit how far NewLove gets around. Each time the virus replicates, it adds junk lines to its code. This, Hypponen said, is to keep the file size changing and make it more difficult to detect. However, NewLove only keeps adding junk lines to itself; it never takes them away. So every time it replicates, it grows.
Once the file size gets huge, slowdown and company limits on attachment size would stop the virus in its tracks.
"Eventually, it'll become 10 megs, 100 megs, 1 gig," Hypponen said. "It'll kill itself off. It becomes too fat."
Hypponen's predictions have so far been borne out by the lack of infection reports.
"We haven't received a single direct report of being infected," he said. "We've received secondhand reports from partners in the industry, but the total (companies infected) are 10 or 11." Those reports have been in Israel, central Europe and the United States.
But at each company, many computers could be affected and all data lost. At one firm, 5,000 computers were infected, according to Dave Perry, a spokesman at the anti-virus software company Trend Micro Inc. in Cupertino, California.
But now, Trend Micro is downplaying the total outbreak, saying it's not nearly as bad as expectations.
"It has hit a handful of companies," said spokeswoman Kristin Zoega, "but it's definitely not as widespread as Love Letter was."
As of late Thursday night, another anti-virus company, Symantec, reported three to nine companies had been hit. This is not even a drop in the bucket compared to Love Letter, which crippled mail servers and destroyed image files at tens of thousands of networks around the world just several weeks ago.
Love Letter spawned at least 25 copycats with varying levels of destructiveness. Computer Economics, a Carlsbad, California-based research company, estimated that the virus and its variants caused $6.7 billion of damage.
Hypponen expects variants on this virus, too. "Perhaps one that won't increase its size so much," he predicts.
Existing anti-virus updates against Love Letter are unlikely to affect this new virus. Hypponen suggests instead that users uninstall Windows Scripting Host, the program that allows VisualBasic scripts to run. Hypponen has detailed instructions on how to do this on F-Secure's Web site.
He said that "99.5 percent of users have no need for Windows Scripting Host. But a whole bunch of virus writers use it. I rest my case."
contributed to this report.
digg it
del.icio.us
