F-Secure Warns: Love Letter E-mail worm might exceed Melissa in severity

Espoo, Finland - May 4, 2000

F-Secure Corporation (formerly Data Fellows) [HEX: FSC], a leading provider of security for mobile, distributed enterprises, is warning e-mail users of a new e-mail worm called VBS/LoveLetter. This worm spreads by e-mailing copies of a file called LOVE-LETTER-FOR-YOU.TXT.vbs. F-Secure Anti-Virus detects and disinfects the virus, with the latest update available from www.F-Secure.com.

"This worm spreads at an amazing speed", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. "We got the first report around 9:00 a.m. on Thursday from Norway, and by 1 p.m. we had reports from over 20 countries. We estimate that the total number of infected machines is already in the tens of thousands. This epidemic might exceed Melissa in both speed and destructivity."

The worm arrives as an e-mail attachment called LOVE-LETTER-FOR-YOU.TXT.vbs. On a default Windows system, the ".vbs" extension is not visible, and users might mistake the file for a harmless text file (.TXT). If the recipient opens the attachment, the worm will use Microsoft Outlook (if installed) to send a message to everyone in any address books (including the organization's global address books, which typically contain hundreds or thousands of addresses). The message is as follows:

From: Name-of-the-infected-user
To: Random-name-from-the-address-book
Subject: ILOVEYOU

kindly check the attached LOVELETTER coming from me.

Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
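
A mail-gateway style check for the hidden-extension trick described above, as an added example that is not part of the original press release. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Extensions that Windows runs when double-clicked (assumed list, not from the page).
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "scr", "pif", "bat", "cmd", "com"}
# Extensions a user reads as harmless data (assumed list).
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "mp3", "doc", "pdf", "htm", "html"}

def classify_attachment(filename):
    """Return 'deceptive', 'executable' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # With extensions hidden, the user sees only the name up to parts[-2].
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        return "deceptive"
    return "executable"

def scan_message(raw_bytes):
    """Return [(filename, verdict)] for every named MIME part that is not 'ok'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        verdict = classify_attachment(name) if name else "ok"
        if verdict != "ok":
            findings.append((name, verdict))
    return findings

# Constructed sample message; the attachment body is a placeholder, not script code.
SAMPLE = b"\r\n".join([
    b"From: sender@example.com", b"To: recipient@example.com",
    b"Subject: ILOVEYOU", b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"', b"",
    b"--b1", b"Content-Type: text/plain", b"",
    b"kindly check the attached LOVELETTER coming from me.",
    b"--b1", b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"', b"",
    b"(placeholder body)",
    b"--b1--", b"",
])

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A gateway would typically quarantine "deceptive" names outright and apply local policy to plain "executable" ones.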

As address books typically contain group addresses, the result of executing the VBS/LoveLetter worm inside an organization is that the first infected user sends the message to everybody in the organization. After this, other users open the message and send the message again to everyone else. This quickly overloads e-mail servers.

In addition to spreading over e-mail, the worm also tries to use companion techniques by creating new script files next to existing JPG and MP3 files and by overwriting existing local script and HTML files with its own code.

The virus contains the following text:

barok -loveletter(vbe)
by: spyder@GRAMMERSoft ispyder@mail.com
Group / Manila,Philippines

VBS/LoveLetter is written in the VBScript language. By default, programs written in VBScript operate only under Windows 98 and Windows 2000. However, Windows 95 and NT 4 users are also vulnerable, if they have installed version 5 of Microsoft Internet Explorer.

The worm was most likely written in the Philippines. It was first spotted in the early morning of Thursday, May 4.

A technical description of the virus is available in the F-Secure virus description database at: http://www.F-Secure.com/v-descs/love.shtml

Sample pictures of e-mail messages generated by VBS/LoveLetter are available in the F-Secure virus screenshots center at: http://www.F-Secure.com/virus-info/v-pics/