another Love virus variant

Lori Binner lbinner at jjkeller.com
Fri May 5 18:26:29 UTC 2000


Looks like it's for real...read on:

F-Secure Warns of a Cunning New "Mother's Day" Version of the Loveletter E-Mail Worm


Espoo, Finland - May 5, 2000


ESPOO, Finland, May 5th, 2000 - F-Secure Corporation (formerly Data Fellows) [HEX: FSC], a leading provider of security for mobile, distributed enterprises, is warning e-mail users of another new variant of the VBS/LoveLetter e-mail worm. This new variant sends e-mails which appear to be a confirmation of an electronic gift order. F-Secure Anti-Virus detects and disinfects the worm with the latest update available from www.F-Secure.com

By midday (central European time) on Friday, five different versions of the VBS/LoveLetter worm had been found in the wild. Several more are expected to appear over the coming weekend.

"The Mother's Day version of this worm is quite cunning", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. "The e-mail appears to be a confirmation of an order for 'Mother's Day diamond special', and the attached file mothersday.vbs is portrayed as if it were an invoice. When users get such e-mails they assume there is some mistake and will naturally open the attachment - infecting their computer. With only eight days to go until Mother's Day, this attack is quite credible."

The worm arrives in an e-mail message attachment called mothersday.vbs. On a default Windows system, the ".vbs" extension is not visible. If the recipient opens the attachment, the worm will use Microsoft Outlook (if installed) to send a message to everyone in any address books (including global access books of the organization; these typically contain hundreds or thousands of addresses). The message looks like this:

From: Name-of-the-infected-user
To: Random-name-from-the-address-book
Subject: Mothers Day Order Confirmation


We have proceeded to charge your credit card for the amount of 
$326.92 for the mothers day diamond special. We have attached 
a detailed invoice to this email. Please print out the 
attachment and keep it in a safe place.Thanks Again and Have a 
Happy Mothers Day! mothersday at subdimension.com


Attachment: mothersday.vbs


As address books typically contain group addresses, the result of executing the VBS/LoveLetter worm inside an organization is that the first infected user sends the message to everybody in the organization. After this, other users open the message and send the message again to everyone else. This quickly overloads e-mail servers.

In addition, this worm deletes all INI and BAT files from all drives and directories. This may leave the system in an unbootable state and might do serious damage to network files.

This variant is detected as VBS/LoveLetter.E by F-Secure Anti-Virus. Like the original version of the worm, VBS/LoveLetter.E is written in the VBScript language.

The other known variants of the worm are known as VBS/LoveLetter.A, B, C and D. 

The A variant was the original LoveLetter worm.

The B variant has been modified in Lithuania, and the subject field of the sent e-mail messages is "Susitikim shi vakara kavos puodukui...", which in Lithuanian means "Let's meet this evening for a cup of coffee..."

The C variant has the subject field of "fwd: Joke" and the attachment is called "Very Funny.vbs"

The D variant is almost identical to the original LoveLetter worm. It has been modified slightly, probably to make it undetectable to some anti-virus programs.

A technical description of the worm is available in the F-Secure virus description database at: http://www.F-Secure.com/v-descs/love.htm

Sample pictures of e-mail messages generated by VBS/LoveLetter are available in the F-Secure virus screenshots center at: http://www.F-Secure.com/virus-info/v-pics/

About F-Secure Corporation


F-Secure Corporation is a leading developer of centrally managed security solutions for the mobile, distributed enterprise. The company offers a full range of award-winning integrated anti-virus, file encryption, distributed firewall and VPN solutions. F-Secure products and the underlying policy management framework enable corporate IT departments as well as service providers to deliver Security as a Service(tm). For the end-user, Security as a Service is invisible, automatic, reliable, always-on, and up-to-date. For the administrator, Security as a Service means policy-based management, instant alerts, and centralized management of a widely-distributed user base.

Founded in 1988, F-Secure is listed on the Helsinki Stock Exchange [HEX: FSC]. The company is headquartered in Espoo, Finland with North American headquarters in San Jose, California, as well as offices in Canada, China (Hong Kong and Beijing), France, Germany, Japan, Sweden and the United Kingdom. F-Secure is supported by a network of VARs and Distributors in over 90 countries around the globe.

For more information, please contact

USA:
F-Secure Inc.
Mr. Dan Takata, Manager, Training Division, Professional Services
675 N. First Street, 5th Floor
San Jose, CA 95112
Tel. +1 408 938 6700,
Fax +1 408 938 6701
e-mail Dan.Takata at F-Secure.com


Finland:
F-Secure Corporation
Mr. Mikko Hypponen, Manager, Anti-Virus Research.
PL 24
FIN-02231 ESPOO
Tel +358 9 8599 0513
Fax +358 9 8599 0599
E-mail: Mikko.Hypponen at F-Secure.com




>>> "Mary P. Van Engelen" <maryve1 at starpower.net> 1:11:46 PM 5/5/2000 >>>
Has anyone confirmed the existence of this one? I don't see any mention of it on CERT or Symantec. I wonder if it's a hoax.

Mary Van Engelen
Network Manager
CSIS
Washington, DC

Dennis Large wrote:

> Hey gang - I just received this from a colleague. I suspect it's just a variant of delivery with the same virus.
> ===============
> Microsoft just notified the *** System of another variation of the Love virus
> that is circulating quickly with the subject line: Mother's Day Order
> Confirmation.  The message body tells you that it is charging $326 to your
> credit card.  Click on the attached invoice to confirm.  Please do not click
> on this attachment.  It is the Love virus.  Please delete from your mailbox.
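
A mail-gateway check built from the indicators in the advisory above, as an added example that is not part of the original thread and is not F-Secure's code. It quarantines any message carrying a script attachment and labels the variant when the subject or attachment name matches one listed in the advisory; the extension list beyond ".vbs", the function names and the sample addresses are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from the advisory text: (variant, subject, attachment name or None).
KNOWN_VARIANTS = [
    ("VBS/LoveLetter.B", "susitikim shi vakara kavos puodukui...", None),
    ("VBS/LoveLetter.C", "fwd: joke", "very funny.vbs"),
    ("VBS/LoveLetter.E", "mothers day order confirmation", "mothersday.vbs"),
]
# Assumption: block other Windows Script Host extensions too, not only .vbs.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


def inspect_message(raw: bytes) -> dict:
    """Return a quarantine verdict for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    names = [part.get_filename().strip().lower()
             for part in msg.walk() if part.get_filename()]
    # Renamed copies still end in a script extension, so this catches new variants.
    scripts = [n for n in names if n.endswith(SCRIPT_EXTENSIONS)]
    matched = [variant for variant, subj, attach in KNOWN_VARIANTS
               if subject == subj or (attach and attach in names)]
    return {
        "quarantine": bool(scripts or matched),
        "script_attachments": scripts,
        "matched_variants": matched,
    }


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "user@example.test"
    m["To"] = "colleague@example.test"
    m["Subject"] = subject
    m.set_content("Constructed test body.")
    m.add_attachment(b"' constructed placeholder, not worm code\r\n",
                     maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample("Mothers Day Order Confirmation", "mothersday.vbs")))
```

The extension rule matters more than the variant table: five variants appeared within a day, and a renamed attachment defeats subject matching but not the extension check.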



