|SPECIAL BULLETIN from Graham Haynes|
|Supplement 1, 9TH May - 9TH August 2000 - Love Bug Virus (Sixth Version)|
LOVE BUG VIRUS SPECIAL RELEASE
On Thursday 4th May an Asian computer virus swept around the globe over the Internet inflicting around £4.2 bn worth of damage. Nicknamed the 'Killer from Manila', this worm is the most dangerous since Melissa last year and may never be completely removed from computer systems.WHAT IS A VIRUS ?
A virus (which isn't the same as a bug) is a file written to run unknown to the user, usually with malicious intent. Most viruses can duplicate themselves but very few are 'intelligent'. They tend to be written by young, lonely men, but it is important not to stereotype or underestimate a virus writer.
There are four main types of virus:
The new strain of e-mail virus challenges these classifications as it is a virus straight off - it doesn't mimic anything or pretend to be anything else. It's main difficulty is to be activated, but using the Internet as a medium this is very easy to do, and contrary to popular belief you don't need to be a genius to write a virus. Because of the way they are attached to messages they are generally known as worms (link viruses) as they have infiltrated a healthy messages, but this is normally by the virus author and the virus itself is likely not to have this ability other than in replicating itself. In truth the e-mail virus fits into a new classification of misnamed malicious programs.TELL ME ABOUT THIS ONE
The 'Love Bug' or 'Killer from Manila' was thought to originally have been written in and sent over the Internet from the Philipines. It manifests itself as a rich text message proclaiming 'I LOVE YOU' in capitals and then asking the curious reader to 'Kindly check the attached LOVELETTER coming from me'.
Read straight off the message is fine provided you don't open the attachment 'LOVE-LETTER-FOR-YOU.TXT.vbs'. You may not see the '.vbs' extension as a lot of software will remove it, leaving just the '.TXT' 'extension', making the virus look like a plain text file.WHAT DOES IT DO ?
The exact symptoms are unclear, but reports mainly focus on the following:
Viruses are very much platform-specific, so only PC user were affected, but the way the virus was stored demonstrates an alarming trend which may later lead to multi-platform viruses.WHAT'S DIFFERENT ABOUT THIS ONE ?
This file is stored as a Visual Basic Script. The significance of this is - like with most script files - the program is stored as text and not in a format the computer can run straight off without using an interpreter. This sounds good, but isn't. Immediately any virus filter software will look at the file and not see any strange letters, so concludes that it's safe ASCII text. Next up, because the script isn't ready to run it needs to be converted into a form the computer can understand, and this form varies between types of platform. Ultimately it means it could be possible to write a virus script that will work on any computer, and Java might already have this functionality. The danger will really come when the one program, many machine systems become more widespread, such as those being researched by the Tao group.HOW DO I RECOGNISE ONE ?
There are a number of giveaway clues. Normally the e-mail is designed to grab your attention, after all, who could resist to look at a 'love letter' out of curiousity, even if it almost certainly wasn't real. Not most MPs, that's for sure. And the proof ? The House of Commons was one of the most heavily hit places. Here are some signs to look out for:
It can be difficult to see the true extension of a file under Windows due to the way it is often hidden. To fix this open a folder and select View/Folder Options. From the Views tab uncheck hide extensions of known file types. Now extensions will be shown - they are the bit starting with the last dot in a file's name.
Remember that with thousands of viruses created monthly not even the best virus checker can completely protect you. Love Bug had affected most of the world's computers within about 5 hours of being activated. That's no time to write a counter measure and virtually impossible to get it distributed.HOW CAN I PROTECT MYSELF ?
Again, there are a variety of ways to ensure your system is at less risk, although none of these measures are certain to work.
As mentioned, viruses are normally designed to attack a single computer platform or even a specific program, so you might want to forward the message (or attachment in the main body) to a web-based service, an Open... e-mail account, a safety computer or a computer of a different type e.g. Unix box. You might even want a postmaster computer which filters out all suspicious e-mails, forwards the rest to other comouters and leaves the rest for a supervisor to look at. You can easily set this up with rules to check whether an attachment is included with the message, although it doesn't account for messages accessing a file via the Internet.NEW VARIATIONS
The Love Bug, because it's a plain text script, has been doctored by the poorest of programmers and has spawned a series of daughters. Watch out for:
Some of these messages are frightening. The Mother's Day one takes advantage of the USA's approaching Mother's Day and your credit card worries - has somebody bee using it fraudulantly ? It looks convincing because they give a contact e-mail address. Also check messages similar to these or that have been forwarded (e.g. FWD: JOKE).
Even more worrying are the virus protection software pieces. The first one appears to be from a major virus protection company, including the sender's address (but this is probably their username rather than address). It's almost convincing apart from the use of language and omission of information, like the time to go with GMT. There are a few other giveaways, though. The extension .vbs with the scroll icon, which couldn't possibly be a software upgrade, the incorrect virus name and the fact that it isn't asking you to update the software via the Symantec website. The double extension (.TXT.vbs) is a common ploy and in three of them there is a subtle hint as to the attachment's true purpose. This is most clear in the second virus alert e-mail. You can't see a virus in a pictorial form, so when it says you can see the virus and learn to avoid it it's talking about first hand experience. This shows how clever some virus programmers are at disguising the message's true nature.WHAT SHOULD I DO IF I FIND ONE OF THESE ?
With the present generation of e-mail viruses it should be safe to look at the message, just not the attachment. You might want to play it safe and turn off the preview pane, if available. Refuse any requests to download a file or attachment. Now delete the selected message, usually by pressing the Delete key. If you daren't risk previewing the message, create two dummy message in the same folder (i.e. a blank e-mail which you can send when offline and then copy or move to your inbox) and give them names which are alphabetically before and alphabetically after the virus subject. Sort your list by subject and select your first dummy e-mail followed by your second while holding down the shift key. This should select the virus and two dummy messages without previewing the virus. Now delete them. (If any innocent files are deleted you can restore them from the deleted items folder). Most of these methods will only work with e-mail clients and not web-based systems, but most web-mail systems will let you delete messages without previewing them.
Deleting a message normally only moves it to the Deleted items folder, so now it is important that you look in this folder and repeat the above steps otherwise the virus will lie dormant and next time you stumble across it you may not be so lucky.
To fix any security holes in your e-mail client make sure you download any patches for it. You might prefer not to upgrade to major new versions until after they have been around for a while and fixes have been released for any new security vulnerabilities. Some clients allow scripting, which you might want to disable. For Microsoft Outlook (Express) go to Tools/Options/Security and select Most Secure then using Control Panel or Internet Explorer's Tools menu select Internet Options (use Control Panel if you run compatibility mode) and select the security tab. Select Internet and Custom. From here you can change scripting abilities among other security issues.
Finally, search your boot partition - or any write-enabled media such as Windows boot disks, Zip disks, CDRs etc. - for a file named 'win-bugsfix.exe', and if you find it delete it. Note, however, that variations in virus bring variations in file names and effects, so keep that virus checker running and update it frequently (monthly or better).HOW BAD CAN THESE THINGS GET ?
Well, this is pretty much as bad as they've got so far, but multi-platform viruses could arrive soon such as auto-launching viruses which have a multi-platform Java applet embedded within the message. The applet could be taken straight off the Internet so there doesn't need to be an attachment included, or the attachment could be embedded and not appear as an attachment at all. The viruses could also rig it that so every time you open - say - a .jpg, the virus launches. Alternatively it might launch at startup. And an infinite list of other possibilities. A patch for Outlook Express was recently released which corrects a security hole which could see malicious users acquiring complete control of your computer. Just be prepared.HOW SAFE AM I ?
Estimations are that ILOVEYOU hit upto 80% of computers (PCs), but a virus is restriced in what it can do by the same restrictions as any other downloaded file. They can't write to write-protected floppies and while some philosophers argue they are alive, they can't infect people. It would also be difficult for a virus to cause hardware damage and don't expect it to be particularly sophisticated. Always check downloaded files as these are a prime source of non-e-mail viruses.
The suspected writer of the 'Love Bug', Reonel Ramones, was released on Tuesday 9th May 2000 due to a lack of evidence, even after the huge hunt for the culprit. Writing a virus leaves little evidence, so it's difficult to convict. This means that eleven people involved in this virus and hundreds involved in others are still out there..FINALLY
I hope this information has been useful. If you have any questions please do get in touch. Forward this message to anyone you think might find it useful or ask them to send a blank e-mail with subject 'request bulletin1' to email@example.com.
This is the third version of this bulletin which has been adapting to inform you of new variants as they are released. If you are made aware of any news relating to this virus please get in touch, although there is no need to send the virus itself. Thanks.
Keep yourself safe.LINKS AND RESOURCES
@Backup is a popular data backup program for the PC. Although you have to pay to use it you can get a free trial by selecting the link. Backups are extremely useful as not all damaged files can be recovered and restoring from a backup can sometimes be the only way to get your system working again. There is other backup software available.
Driveway Corporation (formerly Atrieva) is an online hard drive. This can be useful if you have documents you need to share across the world. Since it is a separate system it is less likely to become infected by a virus that attacks you. It is a good option if you can restore your system files but want to keep your documents safe, perhaps by using the drive as a backup. Other online hard drives exist.
This bulletin is now available at http://www.crosswinds.net/~ghweb/texts/lovebug.htm.