May 4, 2001 4:05 PM PDT

Lessons of 'Love' virus still sinking in

It took only six hours to spread worldwide, cost companies billions of dollars, and could have been stopped by a simple mail filter.

Yet today, many people would still fall prey to Internet viruses and worms similar to the "Love Bug," security experts said.

"I think people have finally become a bit more aware, but I also think we will see a situation where we have a bit of a lull, when someone will click on something," said Vincent Gullotto, director of security software maker Network Associates' antivirus emergency response team.

The LoveLetter worm--also called the Love Bug and the I Love You virus--flooded e-mail gateways a year ago on May 4, as it multiplied exponentially across the Internet. Though companies and Internet users have learned lessons in the year since LoveLetter struck, Gullotto and other security experts believe it could all happen again.

"This was the grandmother of all virus attacks, not in terms of extensive damage to systems, but in terms of clogging systems and clogging e-mail gateways," said Michael Erbschloe, vice president of research for market analyst Computer Economics. He estimated that by the time it burned out, LoveLetter had cost companies $960 million in clean-up costs and $7.7 billion in lost productivity.

The LoveLetter worm appears as an attachment to an e-mail message sent from someone known to the recipient. Once the attachment is opened, the worm deletes a variety of multimedia files on the victim's computer and then, on PCs with Microsoft Outlook installed, sends a copy of itself to every address in the address book.

One e-mail message quickly became a hundred messages, which then exploded into thousands of messages clogging the Internet. Some system administrators found millions of copies of the worm-generated messages piled up at their companies' gateways, Erbschloe said. Many companies took their mail servers off the Net entirely to gain some respite.

To date, nearly 90 variants of the Visual Basic script have been created by copycats. The prolific nature of the bug almost matches that of the Melissa virus created the year before the LoveLetter worm. While the worm has been largely eradicated, a copy occasionally appears even today.

But e-mail users, once burned, are less likely to open attachments--even from friends, Erbschloe said. That's a good thing. "Because of the lesson of the Love Bug, we anticipate the damage from other viruses to decrease this year," he said.

The Internet may have benefited from that caution when the AnnaKournikova virus hit in February. That worm peaked more quickly than LoveLetter and spread to far fewer computers.

While the curious may think a bit longer about opening the next VBS or EXE file that appears in their in-box, companies with a stake in protecting e-mail systems have also learned not to inundate customers with apocalyptic warnings, said Roger Thompson, technical director of malicious code research at security services firm TruSecure.

"I think they have learned not to play Chicken Little every other week," he said. "Even the worst of the firms--who used a lot of fear, uncertainty and doubt--have cut back a great deal."

Moreover, the antivirus companies have seemingly learned to deal more efficiently with virus attacks. Whereas people seeking a cure for LoveLetter swamped the servers of antivirus companies as they tried to download updated virus definitions, the process seemed to go more smoothly during the AnnaKournikova crisis.

"I think the antivirus firms have got it down pretty well," Thompson said.

Though there undoubtedly will be another attack that will sneak under the radar of virus companies, the new focus should be the online vandals who write and release the viruses, Thompson said.

"I think there needs to be more of a grassroots education to teach potential virus writers that writing the things (isn't) cool."

 
