A love letter businesses learned to hate

A new Internet “worm” that spreads via an e-mail message purporting to be a love letter wreaked havoc around the globe earlier this month.

Hundreds of thousands of computers were estimated to be hit by the “ILOVEYOU” worm – a software script. It was first detected in the evening of May 3, according to Computer Associates (CA).

Sites throughout the world – first in Asia, followed by Europe and the U.S. -reported being infected by the virus, which is particularly troublesome because, unlike the notorious Melissa virus, which attached itself to the first 50 e-mail addresses in address books, the “ILOVEYOU” worm attaches itself to the entire address book, said Narender Mangalam, director of security, CA.

Besides affecting companies, the worm also struck the British houses of parliament. Both the House of Commons and House of Lords were hit, leading to a shut down of e-mail that lasted a couple of hours.

“The message was noticed before lunch. It was a message sending love to you, which is the sort of message a lot of us here don’t expect to be receiving,” said Muir Morton, the deputy sergeant at arms for the House of Commons.

The Visual Basic script worm arrives in an e-mail message with the subject “ILOVEYOU,” according to information from antivirus vendors, and carries an attached file titled LOVE-LETTER-FOR-YOU.TXT.vbs and the text “kindly check the attached LOVELETTER coming from me.” Because it is based on Visual Basic script, the worm infects only computers that have Visual Basic, which is included with Windows 2000.

Users are advised to immediately delete the message and the attached file, “even if it’s from your spouse,” Mangalam said. He further advised that computer users immediately update antivirus software. Upgrades are available at the Internet sites of various antivirus vendors.

If opened, the worm inserts the following files: MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows system directory, Win32DLL.vbs in the Windows directory, WinFAT32.EXE and WIN-BUGSFIX.EXE in the Internet download directory and script.ini in the mIRC directory.

It is particularly adept at hiding itself “so you can’t really tell where it’s going,” Mangalam said.

When it first was detected, the worm also would go out to four different Internet sites and pull software from those to download on infected computers, allowing hackers to possibly break into those computers, Mangalam said. The Internet sites have been shut down.

One of the companies hit by the worm was Adaco AB, a Stockholm-based food wholesaler with approximately 120 users.

“We were hit at around 2 p.m., but were quite lucky – only three of our users got infected,” said Conny Bj”rling, IT manager at Adaco.

Bj”rling immediately isolated the worm’s code, which he said consists of around nine A4-sized pages of Visual Basic script and carries the signature of a Manila, Philippines-based hacker calling himself “Spyder.”

Additional reporting by Laura Rohde in London, Terho Uimonen in Stockholm and Margret Johnston in Washington, D.C.