The "Love Letter" Internet worm that crawled out of Asia late yesterday has spread around the world like wildfire, infecting more than half of UK large businesses and "tens of millions" of computers worldwide, antivirus experts said yesterday afternoon.
"The customer impact has been huge," Peter Watkins, president and chief operating officer of Network Associates, said in a conference call with press yesterday. "There are a number of banking, aerospace and automotive companies that have taken their email servers offline completely."
Network Associates said half of its customers in the US have been hit by the virus. Based on that fact, and anecdotal evidence from Europe, Asia and elsewhere, the company estimated tens of millions of computers have been infected, Watkins said. Besides the US, Sweden, Austria, the UK and Germany have been particularly hard hit, he said.
"It looks like it followed the sun, hitting Asia first, then Europe and then the US," he added.
Last year's notorious Melissa virus, by contrast, affected only about 15 to 20 per cent of U.S. businesses, Peter Tippett, ICSA.net's vice chairman, said yesterday in a separate conference call.
Like Melissa, the Love Letter spreads by emailing itself to addresses in a user's name and address book. But while Melissa sent itself to only the first 50 addresses, the love worm sends itself to the entire address book, various antivirus vendors said. Another reason for its rapid spread is that the Love virus is also sending itself through IRC (Internet relay chat) applications, the experts said.
The words "I Love You" or "Love Letter" appear in the subject line of e-mails. Messages also contain an attached file titled LOVE-LETTER-FOR-YOU.TXT.vbs and the text "kindly check the attached LOVELETTER coming from me." Users are advised to delete such an email immediately.
Ironically, the affectionate subject heading may be another reason the virus is spreading so quickly.
"People tend to respond to that salutation" and open the infected email, Watkins at Network Associates said.
The worm affects users of Microsoft's Outlook Express program whose computers support Visual Basic Scripting, which includes most modern Windows PCs. Because the virus sends out such a huge amount of email it can clog up or disable networks entirely. The love bug also attempts to delete certain files on a user's computer, including JPEG image files and MP3 music files.
Perhaps more disturbing is that the virus attempts to steal passwords, experts said. It does this by connecting a user's browser to a particular Web page in the Philippines where it downloads another, executable file. That file attempts to steal any passwords stored in a PC's cache memory and then send them to an email address, also in the Philippines, experts said.
Passwords that can be stored a computer's cache memory include passwords to Windows NT networks and to email accounts, Network Associates' Watkins said. Exactly which passwords are vulnerable depends on how individual PCs and networks have been configured, he added.
"It's fairly dangerous because you don't know (what passwords) are being sent out and what systems
are being compromised," Watkins said.
Various antivirus vendors contacted the Philippine ISP (Internet service provider) late last night. The company - Sky Internet - has since disabled three Web sites that were acting as a source for the executable that steals passwords, Vernie Gloria of Sky's network security group said in a phone interview today. What this means is that while the virus may still be clogging email networks, it's probably no longer a threat to passwords, Watkins and other antivirus experts said.
While Sky has identified the owners of the three Web pages, it said the viruses may have been uploaded to the pages from another network in the Philippines. The company has provided information to the Federal Bureau of Investigation (FBI), which is investigating the origins of the virus, Gloria said.
Comments in the code of the virus indicate that it originated in Philippines capital city Manila, and that it was written by a hacker who goes by the name "Spyder," according to various sources, although they said the evidence isn't conclusive.
Experts said the virus wasn't particularly tough to write and that anyone with knowledge of Microsoft's Visual Basic and a malicious bent could have created it. "There's nothing particularly advanced in this; that's the scary part," Watkins said.
Meanwhile, reports of copycat versions of the Love Bug virus have already started to surface. One such variant has been dubbed 'Very Funny' and carries the subject field "fwd: joke," according to Computer Associates International Inc. (CA). The attached file is called "VeryFunny.vbs." Other characteristics of the virus are the same at Love Letter, CA said.
"We expect there to be a whole lot of copycat activity in the next few weeks or so, particularly at the weekend," ICSA.net's Tippett said.
Businesses can fight the virus by blocking incoming -mails that have Visual Basic Scripting attachments, Tippett said. Home users should not open any attachments to emails unless they know where they came from - particularly attachments that end in .vbs, he said.
Antivirus software vendors including Network Associates, CA and Symantec Corp. each said they have posted various fixes to the problem on their Web sites - http://www.nai.com/, http://www.cai.com and http://www.symantec.com/.
Network Associates is offering a free program at its MyCIO.com Web site that scans Exchange servers and automatically deletes infected files. For desktop users the company also has a program available called LoveScan ASAP, Watkins said.
(Martin Williams of IDG News Service contributed to this report.)