FYI.
Need to add to sendmail.cf new subject filter, for those running
sendmail on their network.
>From ABCNews website :-
May 4 - A computer virus that crippled
government and corporate computer
networks today by disguising itself as an
e-mail love letter is now spreading in an
e-mail labeled "FWD: JOKE."
The new version could enable the
virus to bypass filters that companies
set up today to block the love letter
virus.
The e-mail contains an attachment
labeled "very funny.vbs" which, if
opened, will destroy files on the
computer and replicate itself, sending
copies of the e-mail to people listed
in
the computer's address book.
Experts don't know whether the new virus was
created by the same person or whether someone
simply copied and renamed the love letter virus. But
because the virus could continue to appear in new
disguises, computer users should not open any
e-mails with suspicious attachments.
The `Love Bug'
The earlier incarnation of the virus, dubbed the
"love
bug," is one of the fastest-replicating viruses ever,
landing in the e-mail box of millions of computer
users
today. At last count, the virus had hit more than
294,000 mail hubs worldwide, each of which can serve
thousands of users, according to the Computer
Emergency Response Team at Carnegie Mellon
University in Pittsburgh.
The virus penetrated computer networks at major
corporations, such as AT&T, which was forced to shut
down an e-mail system serving 145,700 employees. It
also struck the Pentagon, the Central Intelligence
Agency and Britain's Parliament, though it did not
affect
any classified systems.
In Britain, about 30 percent of company e-mail
systems were brought down by the virus, according to
Network Associates, a computer security firm. In
Germany and in Sweden, 80 percent of computer were
hit.
"We do not love the `Love Bug.' We are urging
people to avoid all contact, intimate or otherwise,"
Pentagon spokesman Ken Bacon said.
The FBI launched an investigation today and said
it
is trying to determine whether there have been any
violations of the federal Computer Abuse Act. The
virus appears to have been sent from the Philippines
and the code is signed by someone named "Spyder,"
though many computer users adopt that pseudonym.
The Curious Suffer
The original virus spreads through e-mails bearing
the
subject line "ILOVEYOU" and containing an attached
file called "LOVE LETTER FOR YOU.TXT.vbs."
Computer users who receive that e-mail, or one with
the subject line "FWD: JOKE," should delete it
without
opening the attachment, and their computer won't be
infected.
But those who were more curious and opened the
attached "love letter," infected their computers -
and
unwittingly sent the virus to everyone in their
Microsoft
Outlook address book.
Once the attachment is opened, the virus can
destroy pictures, video and music files not only on
the
computer's hard drive, but on networks the user is
connected to.
The virus can also be transmitted via pager and
fax,
although it cannot be spread that way. Adam Dubitsky,
for example, a public-relations consultant in
Alexandria, Va., received an eight-page fax of
computer code from a friend of his who had Dubitsky's
fax number in his Outlook address book.
The fax attachment consists of the printed-out
code
of the virus, a long list of computer instructions.
Clogs Up Networks
The first reports of the virus came from the
Philippines.
Symantec Antivirus Research Center and other
anti-viral companies quickly developed vaccination
and cure programs, and their Web sites were
swamped by users all day.
The virus uses similar tricks to last year's
feared
Melissa virus, which infected 300,000 computers in
March 1999. But "love letter" replicates faster and
is
even more destructive.
The virus searches for all files with the
extensions
JPG, JPEG, MP2, and MP3 - the most popular image
and sound formats - as well as other, more obscure
extensions. It erases the files and replaces them
with
copies of itself under the same name, with the
extension VBS tacked on.
Unlike Melissa, this virus also spreads through
Internet chat rooms. The virus infects the popular
mIRC chat program, so the next time a user starts
chatting, the virus spreads to everyone in the room.
The virus spreads through corporate firewalls
because most are not configured to reject attachments
with a .txt.vbs extension, a relatively uncommon type
of
file, information systems managers said. Anyone
running Windows 98, Windows NT 4.0, or both
Windows 95 and Internet Explorer 5.0 is vulnerable
because the virus needs Microsoft Outlook to spread.
Macintosh and Linux users are safe.
Bored Student?
No one knows who wrote the virus, but experts are
already speculating. Eric Chien of Symantec suspects
the virus was written by a student, probably 14 to 28
years old and probably male as well.
"He seemed to just write it because he was
bored.
He probably has no idea he'd cause so much chaos,"
Chien said, citing code within the virus and past
experience with virus writers.
Two lines within the virus identify the author
as
"Spyder," part of the "@GRAMMERsoft Group" from
Manila, Philippines. They say: "I hate go to school."
The
author also offers his opinion of his work: "simple
but I
think this is good ..."
"The group name is not familiar," said security
consultant Brian Martin. "Spyder" is a common name in
the electronic underground, but the virus contains an
e-mail address that should help track him, Martin
said.
Officials at Spyder's e-mail provider, mail.com,
are
"working on the problem," a spokeswoman said.
The virus directs victims to four Web pages in
the
Philippines hosted by Sky Internet of Quezon City.
Bowasanta said the virus creator may have hacked
into accounts there.
The virus didn't originate at Sky, Bowasanta
said.
But the Love Bug's primary breeding ground was on
Sky. The virus directed so much traffic to his
servers,
forcing victims to download copies of itself, that
Sky's
system crashed, Bowasanta said.
"We are still conducting the investigation and
trying
to identify this person," he said.
Despite the simplicity of the code, the writer
does
have a good idea of psychology, Chien said. By adding
the phrase "kindly check the attached LOVELETTER
coming from me" to the e-mails, he makes users think
it
might be a personal message.
"If you send an attachment with, `I'm a virus,
run me,'
people won't run it. But with this, people say, `oh,
look,
it's a love letter, I think I'll open it,'" Chien
said.
The answer, security experts said, is simple:
Never,
ever, ever, open an attached file that comes as a
surprise, no matter who it seems to be from, or how
"loving" it seems to be.
The Associated Press contributed to this story.
Curing the Virus
All the major anti-viral companies have released
free trial
versions of their software that can fix the new
virus. Try
going to www.symantec.com, www.mcafee.com, or
www.sophos.com.
You'll be cured, but you won't be able to get
your
JPEG and MP3 files back unless you've made backups.
To prevent further infections by copycat
viruses,
Richard Jacobs of Sophos recommends you turn off
your
Windows Scripting Host. In Windows 98, that means go
to
your Start Menu and choose Settings, then Control
Panel.
Double-click on the Windows Components control
panel,
and then choose the Accessories option. Uncheck the
box
for Windows Scripting Host, which should be the last
one
on the list.
Melissa and ILOVEYOU both use Windows Scripting
Host to propagate, but very few users need it in
their
day-to-day lives, Jacobs said.
The No. 1 lesson, antiviral experts agree, is
to
scrutinize e-mail closely.
"It's so important for people to think about
what they're
opening in their e-mail. Very few people get large
numbers
of love letters via e-mail," Jacobs said.
Do You Practice Safe Computing?
Here are a few tips on keeping your computer safe
from
computer viruses:
* Use anti-virus software, and be sure to regularly
update the
software from the vendor's Web site.
* Don't open files sent to you via e-mail from
unfamiliar
sources. Check with colleagues and associates before
opening files they send you without notification.
* Be aware of how viruses operate, and watch for the
telltale
signs.
* Don't download anything from unfamiliar Web sites.
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
