CCBC-Net Archives
VIRUS ALERT
From: Kathleen Duey <kathleen>
Date: Fri, 19 May 2000 09:22:38 -0700
I put these virus alerts together for the Childlit list. Apologies to any who get it twice. I thought it was news you could all use. It is arranged summary first; sources and details follow. Best, Kathleen Duey
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Good morning. There is a new vbs virus. Not a hoax. This one will swipe subject lines from your recent emails--there is no standardized subject line to look out for, nor a standard message, nor a standard attachment name. All these change. It does a lot of file damage (by changing .doc, .exe, etc. to .vbs and other mischief) and it will send itself out to your friends, business contacts, and family, using your address book. Best advice: OPEN NO ATTACHMENTS until you have more info, or someone yells "all clear". The source sites are so busy this morning that, to save you time, I am including the links, then the text you would find upon opening that link:
FROM NORTON'S SYMANTEC: LINK: http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html TEXT FROM LINK:
VBS.NewLove.A Last updated 5/19/00 6:00am PDT
SARC, in conjunction with other anti-virus vendors, has renamed this worm from VBS.LoveLetter.FW.A to VBS.NewLove.A.
The VBS.NewLove.A is a worm, and spreads by sending itself to all addresses in the Outlook address book when it is activated. The attachment name is randomly chosen, but will always have a .Vbs extension. The subject header will begin with "FW: " and will include the name of the randomly chosen attachment (excluding the .VBS extension). Upon each infection, the worm introduces up to 10 new lines of randomly generated comments in order to prevent detection.
Also known as: VBS/Loveletter.ed, VBS/Loveletter.Gen, VBS_SPAMMER, VBS.Loveletter.FW.A
Category: Worm
Infection length: Variable
Virus definitions: May 18, 2000 (available)
Threat assessment:
Damage: High
Distribution: High
Wildness: Medium
FROM NIPC (National Infrastructure Protection Center): LINK: http://www.nipc.gov/alert003.htm TEXT FROM LINK :
National Infrastructure Protection Center Information System Alert
(Alert 003) (VBS.NewLove.) as of 0500 (EDT) 19 May 2000
As of 18 May 2000, a new, more destructive variant of the LOVE LETTER worm, NewLove.VBS, has been identified. Like the earlier variants, this worm is transmitted via email, but unlike the others, this new polymorphic variant can change the subject line and the program code every time it is retransmitted, thus making it more difficult for users and anti-virus programs to detect. The worm is transmitted when a user opens an email attachment.
The NewLove.VBS variant uses the filename of a file that a user has recently been working on, and places that filename in the subject line of the email transmission. The recipient may think that they have been forwarded a file from a known associate. When the attachment is opened, this worm can damage all files not currently in use, by changing the file extensions to .VBS. It can also transmit itself to a new group of victims taken from the current victim's email address book. The new email will have a different subject line taken from a filename that the current victim has recently been working on.
VBS.NewLove.A
Subject: Variable; "FW: filename.ext" (where filename.ext is derived from the user's recently opened documents list)
Attachment: Variable; "filename.ext.vbs" (where filename.ext is derived from the user's recently opened documents list)
Size of attachment: Variable
Message Body: Variable.
Target of Infection: Overwrites all files that are not currently in use regardless of extension.
Shared Drives: Will overwrite files on all mapped local drives (with the exception of files in root directories)
Major Anti-Virus vendors have posted software to detect and prevent infection by many variants of the LoveLetter worm. Affected users should contact their anti-virus software website frequently for updated information and patches.
The FBI has opened an investigation into this activity. NIPC alerts and additional information on this worm, as they become available, will be posted to the NIPC's webpage. Please report any evidence of infection to your local FBI office, NIPC, military, or civilian computer incident response group, as appropriate. The NIPC Watch and Warning Unit can be reached at (202) 323204/5/6.
FROM YAHOO's NEWS: LINK: http://dailynews.yahoo.com/h/nm/20000519/ts/virus_security_4.html TEXT ON LINK:
WASHINGTON (Reuters) - Attorney General Janet Reno warned on Friday that a new, more destructive variant of the ``love bug'' computer scourge is spreading by attachments to e-mail.
Unlike the original ``love bug'' that struck computer networks on May 4 and its copycats, the new ``worm'' can change its subject line and the program code each time it is retransmitted, making it more difficult for users and anti-virus programs to detect, Attorney General Janet Reno told a news conference.
Reno warned computer users that if they received a suspicious e-mail attachment, ``do not open it, even if it comes from a trusted source.''
The FBI-led National Infrastructure Protection Center (NIPC) referred to the scourge as ``polymorphic'' and called it ``NewLove.VBS variant.'' A criminal investigation has been opened, it said.
VBS is a subset of Microsoft Corp.'s (NasdaqNM:MSFT - news) Visual Basic program language used in World Wide Web browsers and certain other software programs.
NIPC chief Michael Vatis said the virus appeared to have started in the United States, ``at least in significant part.''
``The NewLove.VBS variant uses the filename of a file that a user has recently been working on, and places that filename in the subject line of the e-mail transmission,'' an FBI alert said.
``The recipient may think that they have been forwarded a file from a known associate. When the attachment is opened, this worm can damage all files not currently in use, by changing the file extensions to .VBS.
``It can also transmit itself to a new group of victims taken from the current victim's e-mail address book. The new e-mail will have a different subject line taken from a filename that the current victim has recently been working on,'' added the alert posted on the NIPC Web site, at 5 a.m. (0900 GMT).
The latest software scourge, based on the FBI description, appears to be both a ``virus'' and a ``worm.'' Worms propel themselves through networks; viruses destroy files and replicate themselves by manipulating code.
FBI spokeswoman Debbie Weierman said it was too early to determine the origin of the latest virus. A computer student in the Philippines has said he may have accidentally released the ``love bug'' earlier this month, which came with ``I LOVE YOU'' in its subject line.
The NIPC leads the multi-agency U.S. effort to detect, deter and warn of cyber and other threats to critical U.S. systems, including telecommunications, finance and power grids.
Received on Fri 19 May 2000 11:22:38 AM CDT
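The alerts quoted in this message say the subject, body and attachment name all vary, so a filter cannot match fixed strings; what stays constant is the .vbs extension and the link between the "FW: " subject and the attachment name. The following mail-filter check is an added example, not part of the original message or of any vendor's tooling; the sample messages are constructed, and the function names and the hold-every-.vbs policy are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage


def build_sample(subject, filename):
    """Build a constructed test message with one placeholder attachment."""
    m = EmailMessage()
    m["From"] = "colleague@example.org"
    m["To"] = "reader@example.org"
    m["Subject"] = subject
    m.set_content("See attached.")
    m.add_attachment(b"constructed placeholder, not real content",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


def newlove_indicators(raw):
    """Return the alert-derived traits present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    hits = []
    for part in msg.walk():
        # Compare case-insensitively: the alert itself writes ".Vbs".
        name = (part.get_filename() or "").strip().lower()
        if not name.endswith(".vbs"):
            continue
        stem = name[:-len(".vbs")]
        hits.append("vbs-attachment")
        # "filename.ext.vbs": a document-style name hiding a script extension.
        if "." in stem:
            hits.append("double-extension")
        # Subject is "FW: " plus the attachment name without ".vbs".
        if subject.startswith("fw:") and stem and stem in subject:
            hits.append("subject-names-attachment")
    return hits


def should_quarantine(raw):
    """Assumed policy: hold any message carrying a .vbs attachment."""
    return "vbs-attachment" in newlove_indicators(raw)


if __name__ == "__main__":
    for subj, fname in [("FW: Budget2000.xls", "Budget2000.xls.Vbs"),
                        ("FW: minutes", "minutes.doc")]:
        raw = build_sample(subj, fname)
        print(subj, "->", newlove_indicators(raw), should_quarantine(raw))
```
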