---------- Forwarded message ---------- Date: Thu, 4 May 2000 11:21:05 -0400 (EDT) From: John Geyssen <jgeyssen@valleynet.on.ca> To: directors@valleynet.on.ca Subject: Re: Virus alert I LOVE YOU (fwd) The following is a virus warning that was received by me from one of the mailing lists I belong to, this seems to be a real virus that is floating around. John PRESIDENT --- VALLEYNET...This is a freenet view our site CHAIRPERSON --- UPPER OTTAWA VALLEY GENEALOGICAL GROUP - U.O.V.G.G. Become a Volunteer, Help your Community ************************************************************************* [ Researching: ARTS, GEYSSEN/GEIJSSEN, ZOETERS in HOLLAND ] [ KNETEMANN in HOLLAND and WARDENBURG, GERMANY ] [ COPELAND in CANADA and PENNSYLVANIA ] [ EZARD/EZEARD, WOOD in CANADA ] [ PELLETT in CANADA and ENGLAND ] [ HOWARD in ENGLAND ] /////////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ http://www.valleynet.on.ca/~jgeyssen/ http://www.valleynet.on.ca http://www.valleynet.on.ca/Culture/Genealogy/UOVGG/index.html F-SECURE WARNS ABOUT LOVE LETTER EMAIL WORM New Melissa-like worm went world-wide in hours ESPOO, Finland, May 4th, 2000, F-Secure is warning users about a new e-mail worm called VBS/LoveLetter. This worm spread by e-mailing a file called LOVE-LETTER-FOR-YOU.TXT.vbs around. VBS/LoveLetter is written in the VBScript language. By default, programs written in VBScript operate only under Windows 98 and Windows 2000. However, Windows 95 and NT 4 users are vulnerable as well if they have installed version 5 of Microsoft Internet Explorer. The worm was most likely written in the Philippines. It was first spotted on early morning of Thursday the 4th of May. The worm arrives to users in e-mail message attachments named LOVE-LETTER-FOR-YOU.TXT.vbs. On a default Windows system, the ".vbs" extension is not visible, and users might mistake the file to be a harmless text file (.TXT). If the recipient open the attachment, the worm will use Microsoft Outlook (if installed) to send a message to everyone in any address books (including global access books of the organization - these typically contains hundreds or thousands of addresses). The messages look like this: From: Name-of-the-infected-user To: Random-name-from-the-address-book Subject: ILOVEYOU kindly check the attached LOVELETTER coming from me. Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs As address books typically contain group addresses, the end result of executing the VBS/LoveLetter worm inside an organization is that the first infected user sends the message to everybody in the organization. After this, other users open the message and send the message again to everyone else. This quickly overloads e-mail servers. "This worm spreads amazingly fast", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation, "we got the first report around 9:00 on Thursday morning from Norway, and by 13:00 we had reports from over 20 countries. We estimate that total number of infected machines is already in tens of thousands of macihnes." In addition to spreading over e-mail, the worm also tries to use companion techiques by greating new script files next to existing JPG and MP3 files and by overwriting existing local script and HTML files with its own code. The virus contains this text: barok -loveletter(vbe) <i hate go to school> by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines A technical description of the virus is available in the F-Secure virus description database at: http://www.F-Secure.com/v-descs/love.htm Sample pictures of e-mail messages generated by VBS/LoveLetter are available in the F-Secure virus screenshots center at: http://www.F-Secure.com/virus-info/v-pics/ -- Sami Rautiainen F-Secure Corporation Sami.Rautiainen@F-Secure.com http://www.Europe.F-Secure.com +358 9 8599 0656 (direct) +358 9 859 900 Integrated Solutions for Enterprise Security