May 4, 2000
PITTSBURGH—The CERT® Coordination Center (CERT/CC) at Carnegie Mellon University’s Software Engineering Institute (SEI) is fighting a new computer virus called the Love Letter virus. As of 11:30 EDT this morning, the CERT/CC had received more than 120 reports of the virus, which affected 233,393 computers.
“The reports are mounting fast,” says Kathy Fithen, manager of the CERT/CC. “By 10:00, we had received 54 reports, and 94,365 computers had been affected.”
Users can get the virus through email, through Internet Relay Chat (IRC), and through shared file systems. The presence of files named MSKernel32.vbs and Win32DLL.vbs indicate infection.
In infected email messages, the subject is “ILOVEYOU.” The body of the message typically says, “kindly check the attached LOVELETTER coming from me.” The attachment name is likely to be LOVE-LETTER-FOR-YOU.TXT.VBS. For people who use Microsoft Outlook and a product called Windows Scripting Host, simply previewing the message is enough to activate the virus. Thus advice to avoid clicking on unsolicited email doesn’t help in this case, though it does help users of email programs other than Outlook. In Internet Relay Chat (IRC), a script is created during file infection. When a user logs into IRC and connects to a channel, the virus sends a copy of itself to others on the channel. In shared file systems, especially shared local area networks, everyone who accesses an infected file gets the virus on their system.
Current knowledge indicates that the virus works by setting the default homepage in Internet Explorer to download a file that may be malicious. It reads the user’s address book, sends copies of itself through email to people in that address book, and overwrites files on infected systems. The CERT/CC will provide further technical details in an advisory, which will be published later today.
To get rid of the virus, users should get an update for their anti-virus software. To help avoid getting the virus, they should disable active scripting in Internet Explorer and their email program, and should avoid clicking on email attachments and shared files. To prevent getting the virus through IRC, users should disable automatic receiving of files (DCC is the file sharing mechanism for IRC).
The CERT/CC continues to field reports and analyze the virus. More information, including the forthcoming advisory, will be published on the CERT/CC web site at http://www.cert.org/.
Please tell us what you
think with this short
(< 5 minute) survey.