F-Secure warns of a new variant of the LoveLetter virus

New LoveLetter.BD virus steals online banking info

Espoo, Finland - August 17, 2000

F-Secure Corporation [HEX: FSC], a leading provider of security for mobile, distributed enterprises, is warning e-mail users of a new version of the VBS/LoveLetter virus. The new version is known as LoveLetter.BD, and it tries to download a password-stealing trojan. However, LoveLetter.BD is not widespread. F-Secure Anti-Virus detects and disinfects the virus, with the latest update available from www.F-Secure.com.

This worm spreads by e-mail, much like LoveLetter. When the virus activates, it first runs Notepad and shows a text in German, purporting to be from an Internet company searching for an Internet engineer. The virus sends a hidden message to all recipients in Outlook's address book with the subject "Resume" and the attachment "resume.txt.vbs".

LoveLetter.BD runs under the Windows operating system and needs Microsoft Outlook to spread itself further via e-mail.

However, the virus also downloads a trojan that steals passwords. The trojan searches the victim's computer for software called "UBS Pin" produced by the Swiss bank UBS. UBS Pin automatically manages a customer's online banking authorization information and stores that data in encrypted form on the user's hard drive. The trojan collects the user information from the victim's PC and sends the information to an anonymous e-mail address.

The virus was found in the wild on August 16. F-Secure has heard of no cases where a real user's banking information has been compromised.

A technical description of the virus is available in the F-Secure virus description database at: http://www.F-Secure.com/v-descs/love.shtml

Sample pictures of the code of the VBS/LoveLetter worm are available in the F-Secure virus screenshots center at: http://www.F-Secure.com/virus-info/v-pics/