May 5, 2000 4:10 PM PDT
Experts say "Love" spawns at least 8 mutations
- Related Stories
"I Love You" virus has "Very Funny" new nameMay 4, 2000
As earlier reported by CNET News.com, a version called "Very Funny" was among the first identified. But antivirus researchers say that at least eight different versions are rippling through the Net and warn that more are likely on the way.
"There's a big hacker community out there, and anyone could open up the script," said Steve Gottwals, senior product manager for security company F-Secure. "It's really easy to make a variant."
The most prevalent new form of the virus today is a variant called "Mothers' Day," antivirus companies say.
This version contains the words "Mothers Day Confirmation Order" in the subject line. The email informs readers that a $326.92 credit card charge was made for a Mothers' Day diamond special and directs them to print the attachment, allegedly an order invoice.
Computer users who click on the "invoice" will find their computers infected with a modified version of I Love You. But instead of attacking image and music files, as did the original, Mothers' Day overwrites ".bat" and ".ini" files needed to start the computer. That makes it potentially even more destructive than the original, researchers warned.
Most major virus companies
| Variations on a virus |
The "Love" bug and eight of its variants spotted so far.
|Version||Subject|| Attachment |
|Seen "in the wild"|
|a||I Love You|| LOVE-LETTER- |
|b||Susitikim shi vakara kavos puodukui...*|| LOVE-LETTER- |
|c||FWD: JOKE|| VERYFUNNY. |
|d**||I Love You|| LOVE-LETTER- |
|e||Mother's Day Order Confirmation|| mothersday. |
|f***||Dangerous Virus Warning|| virus_warning. |
|h*****||A killer for VBS/LoveMail and VBS/Kak worm||viruskiller.vbs||yes|
| * Lithuanian for "Let's meet tonight for a cup of coffee." |
** underlying code changed.
*** message body reads: "There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it."
**** message body begins: "Dear Symantec customer," and includes detailed explanation of the Love Letter virus. Variant targets some system files.
***** message body begins: "Start the attachment to clean all you (sic) files and hard discs (sic)."
Source: McAfee and Symantec
Several versions besides the Very Funny modification have popped up.
One version includes the words "Susitikim shi vakara kavos puodukui..." in the email's subject line, which F-Secure said translates to "Let's meet this evening for a cup of coffee..." in Lithuanian.
Others make tiny changes to the code of the virus that don't change its function but do allow it to slip past some of the antivirus filters.
"At least in some instances it seems tabs in the virus code have been changed to spaces," reported Security Focus' Elias Levy to the Bugtraq security mailing list. "That means the code looks the same, but it's not. Some antivirus products may be fooled by this."
The leading antivirus research houses have been working overtime to keep up with the different variants and post information and protection against the newcomers.
"I'm sure we'll see more variants," said Dan Schrader, antivirus researcher at Trend Micro. "The code is easily modified and easily spread."
The widespread Melissa virus outbreak followed a similar pattern, Schrader said. Melissa variants, some of them far more malicious than the original version, number in the 40s.
New patches began appearing yesterday, shortly after the Very Funny variant surfaced.
"It seems to be that someone has changed the name of the attachment and the subject line," said Nerender Mangalan, director of security strategy for Computer Associates. "Basically it's the exact same file, and it does the exact same thing, but it's renamed so people looking out for I Love You would open it."