X-Message-Number: 13679
From: "Robert Moore" <>

Subject: Courtesy: Virus Alert: Do not open emails with ILOVEYOU subect or 
attached "Love Letter" file -- Just delete it.
Date: Thu, 4 May 2000 10:36:53 -0700

This is a multi-part message in MIME format.

Content-Type: multipart/alternative;

Content-Type: text/plain;

Destructive 'ILOVEYOU' computer virus strikes worldwide
May 4, 2000 
Web posted at: 10:51 AM EDT (1451 GMT) 

By D. Ian Hopper
CNN Interactive Technology Editor

(CNN) -- On Thursday, saying "ILOVEYOU" was especially hard to do. A 
self-propagating computer worm has infected government and business computers in
Asia, Europe and the United States. 

The virus was first reported in Hong Kong, spreading through Microsoft Outlook 
e-mail systems and through a popular Internet Relay Chat program. 

Two anti-virus companies, Symantec, which makes Norton Anti-Virus, and F-Secure,
have posted "virus definition" files for the "ILOVEYOU" virus. Those files have
so-called "fingerprints" for the virus, allowing those programs to detect and 
eliminate it. 

                    a.. Bracing for Cyberwar

                  b.. Hacking Primer

                  c.. Hacking: Two Views

                  d.. Timeline

                  e.. Gallery

                  f.. Discussion

                  g.. TIME: Counterhacking 101

                  h.. Related Sites


The virus is "widespread" at the U.S. Senate computer system, according to 
Elizabeth McAlhany of the Senate Sergeant At Arms office. Every Senate office 
has been paged, alerted them to the virus. The Senate's internal e-mail system 
was shut down. 

Effects are minimal at the House of Representatives, although "hundreds of 
thousands" of copies of the virus were deleted, according to the Committee on 
House Administration which is overseeing the defense efforts. 

"By all looks, it doesn't appear to be too bad," Jason Poblete, a spokesman for 
the committee told CNN. "No one knew it was coming. But we won't know about 
permanent technical damage until it's over," he said. The House e-mail system is
still operating, Poblete said. 

Britain's House of Commons was also hobbled by the virus. 

"I have to tell you that, sadly, this affectionate greeting contains a virus 
which has immobilized the House's internal communication system", said House 
leader Margaret Beckett. 

In Hong Kong the virus appeared late in the afternoon, and is reported to have 
hit public relations firms and investment firms particularly hard. Dow Jones 
Newswires and the Asian Wall Street Journal were among the victims. 

In Europe, the virus reached European parliaments, big companies and financial 
traders early Thursday. 

Officials at the Norwegian anti-virus company Norman said they first heard of 
the virus around 10 p.m. CET. 

"The virus first showed up on my desk one hour ago", virus analyst Snorre 
Fagerland at Norman told CNN Norway. "Usually we get a few days notice until the
virus reaches us, thus this virus seems to be very aggressive." 

In Denmark, the TV2 channel, the telecom company Tele Danmark and the Danish 
parliament were all victims. 

Security experts at F-Secure have analyzed the virus thoroughly. Users usually 
get an e-mail, sometimes from someone they know, asking them to check the 
attached "Love Letter." That file is a VisualBasic script, which contains the 
virus payload. As long as the user deletes the e-mail without opening the 
attachment, their computer is safe from harm. Once a computer is infected, the 
virus transmit itself through e-mail using Outlook's address book. 

"What makes this virus so much more aggressive than Melissa is that this virus 
sends copies to all the addresses, whilst Melissa only sent copies to the first 
50 addresses," Fagerland said. 

The virus can also travel through the Internet Relay Chat client mIRC, according
to F-Secure, which has analyzed the malicious code. 

Unlike the "Melissa" virus, which traveled in a similar fashion, "ILOVEYOU" is 
more destructive. First, it copies itself to two critical system directories and
adds triggers in the Windows registry. This ensures that it's running every 
time the computer reboots. 

The virus then starts affecting data files. Files associated with Web 
development, including ".js" and ".css" files, will be overwritten with a file 
in the VisualBasic programming language. The original file is deleted. It also 
goes after multimedia files, affecting JPEGs and MP3s. Again, it deletes the 
original file and overwrites it with a VisualBasic file with a similar name. 

The beginning of the virus code indicates a possible origin. In comments, the 
virus is signed by "spyder," and contains an anonymous e-mail address and a 
company name. It is also signed "Manila, Philippines," and with the comment, "i 
hate go to school." 

Taking a lighter view of the virus, British Commons leader Beckett said she did 
not know whether to be "sorry or pleased that as far as I'm aware, I have not 
received an e-mail saying 'I love you.'" 

Morton Overbye of CNN Norway, CNN producer Ted Barrett and Congressional 
Correspodent Frank Black contributed to this report.


 Content-Type: text/html;


Rate This Message: http://www.cryonet.org/cgi-bin/rate.cgi?msg=13679