SPECIAL BULLETIN    from Graham Haynes
Supplement 1, 9TH May - 9TH August 2000 - Love Bug Virus (Sixth Version)
LOVE BUG VIRUS SPECIAL RELEASE

INTRODUCTION

On Thursday 4th May an Asian computer virus swept around the globe over the Internet inflicting around 4.2 bn worth of damage. Nicknamed the 'Killer from Manila', this worm is the most dangerous since Melissa last year and may never be completely removed from computer systems.

WHAT IS A VIRUS ?

A virus (which isn't the same as a bug) is a file written to run unknown to the user, usually with malicious intent. Most viruses can duplicate themselves but very few are 'intelligent'. They tend to be written by young, lonely men, but it is important not to stereotype or underestimate a virus writer.

There are four main types of virus:

  • Boot viruses which alter the code needed to start a floppy or hard disk
    also known as boot block, boot sector or bootstrap viruses and limpets
  • Prelaunchers which rename the original file and replace it with their own code. When the program is launched the virus takes control, does its business in the background, then passes control to the original file.
    also known as doppelgangers
  • Trojan Horses are viruses pretending to be useful programs e.g. a disk copier that trashes the original data. Many are normal file infected by link viruses, and most use a bomb technique - that is they only reveal their true purpose or become active after a certain time or event.
  • Link Viruses attach themselves to other files and duplicate across whole networks this way.
    also known as parasites, worms, zombies, vampires and lycanthropes

The new strain of e-mail virus challenges these classifications as it is a virus straight off - it doesn't mimic anything or pretend to be anything else. Its main difficulty is getting activated, but using the Internet as a medium this is very easy to do, and contrary to popular belief you don't need to be a genius to write a virus. Because of the way they are attached to messages they are generally known as worms (link viruses), as they have infiltrated a healthy message, but this attaching is normally done by the virus author, and the virus itself is likely not to have this ability beyond replicating itself. In truth the e-mail virus fits into a new classification of misnamed malicious programs.

TELL ME ABOUT THIS ONE

The 'Love Bug' or 'Killer from Manila' was thought to originally have been written in and sent over the Internet from the Philippines. It manifests itself as a rich text message proclaiming 'I LOVE YOU' in capitals and then asking the curious reader to 'Kindly check the attached LOVELETTER coming from me'.

Read straight off, the message is fine provided you don't open the attachment 'LOVE-LETTER-FOR-YOU.TXT.vbs'. You may not see the '.vbs' extension as a lot of software will remove it, leaving just the '.TXT' 'extension', making the virus look like a plain text file.

WHAT DOES IT DO ?

The exact symptoms are unclear, but reports mainly focus on the following:

  • Disabling virus protection software, like stabbing a watchman in the back.
  • Writing a file 'win-bugsfix.exe' to disk - search for this now, and if you find it, delete it.
  • Duplicates itself and forwards itself to everybody in your address book (especially Microsoft Outlook and Outlook Express users).
  • Changes the homepage of Internet Explorer to one of four sites in Manila.
  • Overwriting files especially .jpg images and rumours of system files. It is said to replace them with copies of itself, but data files such as .jpgs are loaded in a very different way to executable programs.
  • Reorganising the hard disk's file structure. It is unlikely that the virus actually deletes files, it simply replaces information on the drive stating how large the drive is and where the files are stored. This is quick and devastating. It can make essential files inaccessible and hence cause the computer to crash. The damage might or might not be recoverable.
  • Duplicates itself and forwards itself to anybody in one of your chat groups.

Viruses are very much platform-specific, so only PC users were affected, but the way the virus was stored demonstrates an alarming trend which may later lead to multi-platform viruses.

WHAT'S DIFFERENT ABOUT THIS ONE ?

This file is stored as a Visual Basic Script. The significance of this is that - like with most script files - the program is stored as text and not in a format the computer can run straight off without using an interpreter. This sounds good, but isn't. Immediately, any virus filter software will look at the file and not see any strange letters, so concludes that it's safe ASCII text. Next up, because the script isn't ready to run it needs to be converted into a form the computer can understand, and this form varies between types of platform. Ultimately it means it could be possible to write a virus script that will work on any computer, and Java might already have this functionality. The danger will really come when 'one program, many machines' systems become more widespread, such as those being researched by the Tao group.

HOW DO I RECOGNISE ONE ?

There are a number of giveaway clues. Normally the e-mail is designed to grab your attention, after all, who could resist looking at a 'love letter' out of curiosity, even if it almost certainly wasn't real. Not most MPs, that's for sure. And the proof ? The House of Commons was one of the most heavily hit places. Here are some signs to look out for:

  • Bold or attention-grabbing style. A virus will look like a lot of spam e-mail and will use a number of devices to ensure it grabs your attention. Pay particular attention to an excess of capital letters in the subject, whole message or key words. Also consider the phrasing - is it overly polite ? Is the language style unfamiliar ? Are the spellings reasonable ? The message may also be rich text HTML, using different colours, fonts and sizes.
  • Attachments. Look at the icon and the extension. If you see a scroll icon get worried, or if the file ends in .exe, .vbs etc. If it claims to be a .jpg, .gif, .png, .txt, .doc, .htm etc., ensure that its icon matches that of other files of the same type and that the extension is in lower case lettering. If in doubt, drag the attachment into Wordpad (not Word) and look at it. A typical virus will either be a jumble of letters with a cryptic message somewhere inside or a script of neatly laid out instructions on short lines, often beginning with a comment. Check this information against the type of file it claims to be, for example an HTML file might initially look like a script virus, but a picture file would produce jumbled characters with little or no English text.
  • Context. Put simply, does the e-mail make sense ? If it claims to be a love letter in plain text (.txt), then why not include it in the e-mail body - why is it necessary to put it as an attachment ? If you're sent a receipt, did you order anything ? If a friend sends you something you 'requested', did you request it ? Is unfair emphasis placed on the attachment - if you were sent a love letter by an admirer, would they force you to read it by PUTTING-IT-IN-CAPITALS and hyphenating it, or would they simply mention that it's there placing no undue emphasis on the file ?
  • Sender. It's not a question of if you can trust the sender. It's quite possible that they were affected by the virus and it has now been sent out from their account in their name, so again look for context. Would your boss send you a love letter, and why through e-mail ? Would your best friend send you a bill for a Mothers' Day gift, especially if Mothers' day was in March and the message was sent in May ? And would your distant friend send you a funny joke ? Does the message match their style ? You will notice that at the foot of GH News I always state how many attachments there are just so you can verify that the current issue is virus-free.
  • Subject. Again, look for over emphasis or a segment that doesn't make sense, maybe due to bad grammar or perhaps looking like it has been ripped from another file, indicating a mutating virus with limited artificial intelligence. Also, a dead giveaway is Fwd: (or similar) preceding the message to indicate that it has been forwarded or duplicated, which is the one thing all viruses do. Don't expect all virus messages to be forwarded, though.
  • General observations. How many copies of this message have you got, and who sent them ? Is there more than one recipient listed in the To field ? Are you running a virus checker ? Have you recently updated your virus definitions and e-mail client software ? Has the message been filtered e.g. by passing through a Hotmail address ?
  • File size and download time. For a short text message 10kb is normally enough.

It can be difficult to see the true extension of a file under Windows due to the way it is often hidden. To fix this open a folder and select View/Folder Options. From the Views tab uncheck hide extensions of known file types. Now extensions will be shown - they are the bit starting with the last dot in a file's name.

Remember that with thousands of viruses created monthly not even the best virus checker can completely protect you. Love Bug had affected most of the world's computers within about 5 hours of being activated. That's no time to write a counter measure and virtually impossible to get it distributed.

HOW CAN I PROTECT MYSELF ?

Again, there are a variety of ways to ensure your system is at less risk, although none of these measures are certain to work.

  • Filter your e-mails at the server. Hotmail, for instance, scans all incoming messages for known viruses.
  • Run a virus checker. Beware those that are free in case they harbour a virus. Look for checkers from large companies and with many facilities and a large database. Also check to see if the database can be updated over the Internet. This is useful, but popular virus checkers are more likely to be targeted by viruses and on the Internet you can never be entirely sure that what you're downloading is safe.
  • Update your virus checker. If you ever encounter a virus it's most likely to be a fairly recent one, so make sure you're prepared.
  • Update your e-mail client software. There are often free security updates posted on the software houses' websites.
  • Use a web-based e-mail service. You can still download viruses through these, but there is a slightly lower chance of immediate infection.
  • Backup your data regularly. It can be a pain having two drives where one will do, but how can you recover what you lose otherwise ?
  • Never set a filetype to allow downloading and running without user authorisation.
  • Check the file's properties. If it claims to be .gif, does the description match ?
  • Open suspicious files in a text editor (not a word processor) or on another computer type or a 'safety' computer. By looking at the file you should immediately be able to tell what the file type is.
  • Query the sender. Did they (intend to) send you the file ?
  • Disable rich text display. This should prevent any virus automatically launching. Failing this, turn off image/applet/script displaying and disconnect from the Internet when checking files.
  • Scan the e-mail. Some virus protection software will let you scan a file by right-clicking it once you have saved the e-mail to disk.
  • Check the filetype. Data files are normally fine, but anything that executes or is run can be risky:
    • Normally safe: .gif, .jpg, .png, .txt, .wav - Non-interactive data files
    • Slightly risky: .htm, .js, .doc - Interactive data files which have access to other files
    • High risk: .exe, .vbs, .class Java applets, other script, code or library files (e.g. .bat, .dll, .lib) - Executables, scripts and programs with almost unrestricted system access

As mentioned, viruses are normally designed to attack a single computer platform or even a specific program, so you might want to forward the message (or attachment in the main body) to a web-based service, an Open... e-mail account, a safety computer or a computer of a different type e.g. Unix box. You might even want a postmaster computer which filters out all suspicious e-mails, forwards the clean ones to other computers and leaves the suspicious ones for a supervisor to look at. You can easily set this up with rules to check whether an attachment is included with the message, although it doesn't account for messages accessing a file via the Internet.
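As an added illustration (not part of the original bulletin) of the attachment checks above - the hidden-extension trick, the filetype risk tiers and the postmaster rule - here is a small Python triage routine. It uses only the standard library, the risk tiers are the bulletin's own, and the sample messages, addresses (example.com) and attachment bytes are constructed placeholders rather than captured mail or the worm itself.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Risk tiers exactly as the bulletin lists them: 0 normally safe, 1 slightly risky, 2 high risk.
RISK = {".gif": 0, ".jpg": 0, ".png": 0, ".txt": 0, ".wav": 0,
        ".htm": 1, ".js": 1, ".doc": 1,
        ".exe": 2, ".vbs": 2, ".class": 2, ".bat": 2, ".dll": 2, ".lib": 2}
TIER_NAME = {0: "normally safe", 1: "slightly risky", 2: "high risk", None: "unknown"}


def analyse_filename(name):
    """Compare what a file really is with what a user who has
    'hide extensions for known file types' switched on would see."""
    stem, true_ext = os.path.splitext(name)
    true_ext = true_ext.lower()
    # Windows hides only the LAST extension, so a trailing '.xxx' left in the
    # stem (LOVE-LETTER-FOR-YOU.TXT) masquerades as the file's extension.
    shown_ext = os.path.splitext(stem)[1].lower()
    tier = RISK.get(true_ext)
    disguised = (bool(shown_ext) and shown_ext[1:].isalnum()
                 and tier == 2 and RISK.get(shown_ext, 0) < 2)
    return {"name": name, "true_ext": true_ext, "shown_ext": shown_ext,
            "risk": TIER_NAME[tier], "disguised": disguised}


def triage(raw_bytes):
    """Postmaster-style rule: inspect one message's subject and every attachment,
    then decide whether it is forwarded on or held for a supervisor."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    findings = []
    letters = [c for c in subject if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.7:
        findings.append("subject is mostly capitals")
    if subject.lstrip().lower().startswith(("fwd:", "fw:")):
        findings.append("subject marked as forwarded")
    reports = [analyse_filename(p.get_filename() or "") for p in msg.iter_attachments()]
    for r in reports:
        if r["disguised"]:
            findings.append("double extension: shows as %s, really %s (%s)"
                            % (r["shown_ext"], r["true_ext"], r["name"]))
        elif r["risk"] == "high risk":
            findings.append("executable attachment %s" % r["name"])
    hold = any(r["risk"] == "high risk" or r["disguised"] for r in reports)
    return {"subject": subject, "attachments": len(reports), "findings": findings,
            "verdict": "hold for supervisor" if hold else "forward"}


def build_sample(subject, body, attachment_name=None):
    """Constructed sample message (not a real capture); the attachment
    content is an inert placeholder, not a script of any kind."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # assumed addresses
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("ILOVEYOU", "kindly check the attached LOVELETTER coming from me",
                        "LOVE-LETTER-FOR-YOU.TXT.vbs")
    plain = build_sample("Minutes", "Minutes of Tuesday's meeting attached.", "minutes.txt")
    for raw in (lure, plain):
        print(triage(raw))
```

The rule only sees attachments carried in the message, so, as the bulletin notes, it does nothing about a message that fetches its payload from the Internet when displayed.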

NEW VARIATIONS

The Love Bug, because it's a plain text script, has been doctored by the poorest of programmers and has spawned a series of daughters. Watch out for:

  • Love Bug (Subject: ILOVEYOU)
    Reads: Kindly check the attached LOVELETTER coming from me
    Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
  • Susitikim shi vakara kavos puodukui
    Reads: Kindly check the attached LOVELETTER coming from me
    Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
  • JOKE
    No message
    Attachment: Very funy.vbs or Very funny.vbs
  • Mother's Day Order Confirmation
    Reads: We have proceeded to charge your credit card for the amount of $326.92 for the mother's day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks again ! mothers-day@subdimension.com
    Attachment: mothersday.vbs
  • Important: Read carefully !!
    Reads: Check the attached IMPORTANT coming from me !
    Attachment: IMPORTANT.TXT.vbs
  • Virus ALERT ! (from support@symantec.com)
    Reads: Dear Symantec customer, Symantec's AntiVirus Research Center began receiving reports regarding VBS.LoveLetter. A virus early moring on May 4, 2000 GMT. the worm appears to originate from Asia Pacific region. Distribution of the virus is widespread and hundreds of thousands of computers are reported infected...
    Attachment: protect.vbs
  • Dangerous Virus Warning
    Reads: There is a dangerous virus circulating. Please click picture attached to view it and learn to avoid it.
    Attachment: virus_warning.jpg.vbs
  • How to protectyourself from the ILOVEYOU bug !
    Reads: Here's the easy way to fix the love virus.
    Attachment: Virus-Protection-Instructions.vbs
  • Friend Mess or FRIEND MESSAGE
    Reads: A real friend sends this message for you
    Attachment: FRIEND_MESSAGE.TXT.VBS
    Effects: Deletes Windows system files including Windows, System and Temp directories, forcing a re-install and loss of some data.
  • Herbie: Love Bug II or NewLove
    This version was released 19/05/2000 and mutates. There is no clear pattern to identify it by as it takes its subject from user files. It was thought to have been updated in Israel and deletes or overwrites any file it can access (i.e. that isn't being used by a running program).
    Attachment: A .vbs file
    Effects: Destroys a great number of files and sends mutated copies of itself to people in your Outlook (Express) address book.
  • Resume (Deadly Payload)
    Effects: Reports are that it can format all system drives.

Some of these messages are frightening. The Mother's Day one takes advantage of the USA's approaching Mother's Day and your credit card worries - has somebody been using it fraudulently ? It looks convincing because they give a contact e-mail address. Also check messages similar to these or that have been forwarded (e.g. FWD: JOKE).

Even more worrying are the virus protection software pieces. The first one appears to be from a major virus protection company, including the sender's address (but this is probably their username rather than address). It's almost convincing apart from the use of language and omission of information, like the time to go with GMT. There are a few other giveaways, though. The extension .vbs with the scroll icon, which couldn't possibly be a software upgrade, the incorrect virus name and the fact that it isn't asking you to update the software via the Symantec website. The double extension (.TXT.vbs) is a common ploy and in three of them there is a subtle hint as to the attachment's true purpose. This is most clear in the second virus alert e-mail. You can't see a virus in a pictorial form, so when it says you can see the virus and learn to avoid it it's talking about first hand experience. This shows how clever some virus programmers are at disguising the message's true nature.

WHAT SHOULD I DO IF I FIND ONE OF THESE ?

With the present generation of e-mail viruses it should be safe to look at the message, just not the attachment. You might want to play it safe and turn off the preview pane, if available. Refuse any requests to download a file or attachment. Now delete the selected message, usually by pressing the Delete key. If you daren't risk previewing the message, create two dummy messages in the same folder (i.e. a blank e-mail which you can send when offline and then copy or move to your inbox) and give them names which are alphabetically before and alphabetically after the virus subject. Sort your list by subject and select your first dummy e-mail followed by your second while holding down the shift key. This should select the virus and two dummy messages without previewing the virus. Now delete them. (If any innocent files are deleted you can restore them from the deleted items folder). Most of these methods will only work with e-mail clients and not web-based systems, but most web-mail systems will let you delete messages without previewing them.

Deleting a message normally only moves it to the Deleted items folder, so now it is important that you look in this folder and repeat the above steps otherwise the virus will lie dormant and next time you stumble across it you may not be so lucky.

To fix any security holes in your e-mail client make sure you download any patches for it. You might prefer not to upgrade to major new versions until after they have been around for a while and fixes have been released for any new security vulnerabilities. Some clients allow scripting, which you might want to disable. For Microsoft Outlook (Express) go to Tools/Options/Security and select Most Secure then using Control Panel or Internet Explorer's Tools menu select Internet Options (use Control Panel if you run compatibility mode) and select the security tab. Select Internet and Custom. From here you can change scripting abilities among other security issues.

Finally, search your boot partition - or any write-enabled media such as Windows boot disks, Zip disks, CDRs etc. - for a file named 'win-bugsfix.exe', and if you find it delete it. Note, however, that variations in virus bring variations in file names and effects, so keep that virus checker running and update it frequently (monthly or better).

HOW BAD CAN THESE THINGS GET ?

Well, this is pretty much as bad as they've got so far, but multi-platform viruses could arrive soon, such as auto-launching viruses which have a multi-platform Java applet embedded within the message. The applet could be taken straight off the Internet so there doesn't need to be an attachment included, or the attachment could be embedded and not appear as an attachment at all. The viruses could also rig it so that every time you open - say - a .jpg, the virus launches. Alternatively it might launch at startup. And an infinite list of other possibilities. A patch for Outlook Express was recently released which corrects a security hole which could see malicious users acquiring complete control of your computer. Just be prepared.

HOW SAFE AM I ?

Estimations are that ILOVEYOU hit up to 80% of computers (PCs), but a virus is restricted in what it can do by the same restrictions as any other downloaded file. They can't write to write-protected floppies and while some philosophers argue they are alive, they can't infect people. It would also be difficult for a virus to cause hardware damage and don't expect it to be particularly sophisticated. Always check downloaded files as these are a prime source of non-e-mail viruses.

The suspected writer of the 'Love Bug', Reonel Ramones, was released on Tuesday 9th May 2000 due to a lack of evidence, even after the huge hunt for the culprit. Writing a virus leaves little evidence, so it's difficult to convict. This means that eleven people involved in this virus and hundreds involved in others are still out there.

FINALLY

I hope this information has been useful. If you have any questions please do get in touch. Forward this message to anyone you think might find it useful or ask them to send a blank e-mail with subject 'request bulletin1' to ghweb@crosswinds.net.

This is the third version of this bulletin which has been adapting to inform you of new variants as they are released. If you are made aware of any news relating to this virus please get in touch, although there is no need to send the virus itself. Thanks.

Keep yourself safe.

LINKS AND RESOURCES

@Backup is a popular data backup program for the PC. Although you have to pay to use it you can get a free trial by selecting the link. Backups are extremely useful as not all damaged files can be recovered and restoring from a backup can sometimes be the only way to get your system working again. There is other backup software available.

Driveway Corporation (formerly Atrieva) is an online hard drive. This can be useful if you have documents you need to share across the world. Since it is a separate system it is less likely to become infected by a virus that attacks you. It is a good option if you can restore your system files but want to keep your documents safe, perhaps by using the drive as a backup. Other online hard drives exist.

  • If you've got a link or resource to contribute, want to comment on this article or submit some ideas to it e-mail ghweb@crosswinds.net.
    (Please do not e-mail any viruses to this address as I do not deal with virus research or protection software)

This bulletin is now available at http://www.crosswinds.net/~ghweb/texts/lovebug.htm.

No Attachments. If you can only see plain text or if you want to advertise, e-mail me. Contact numbers for UK. Elsewhere change 0 to 44.
Tel: (0 7092) 20 25 29   Fax: (0 870) 130 86 48
http://www.grahamhaynes.web.com
ghweb@crosswinds.net