A new Visual Basic script (VBS) virus that appears to have originated in Europe has made its way to the U.S. and is clogging up e-mail systems across the country Monday, according to antivirus vendors.
The virus, which spreads itself through e-mail systems using Microsoft Corp.’s Outlook in a way similar to the notorious “LoveLetter” virus, apparently made its way from Europe to the U.S. overnight, according to Vincent Weafer, director of antivirus research for antivirus vendor Symantec Corp. Computer Associates International Inc. (CA) also received reports of its existence in the Asia-Pacific region, said Ian Hameroff, a CA business manager, who called the threat a “worm” rather than a virus. Vendors Trend Micro Inc. and McAfee.com Corp. also issued warnings containing the same basic information.
The virus, as all but CA have termed the threat, features one of three variants of the subject line “Here you go :-)” as well as three variants of the name for the attachment, based around “Anna.Kournikova.jpg.vbs.” The attachment is intended to appear to be a .JPG image of Russian tennis star Anna Kournikova. The e-mail resends itself, but does not appear to do any damage like deleting files or corrupting data.
“Damage is a variable term,” CA’s Hameroff said. “This does cause damage in ways such as inappropriate bandwidth use or by filling up an e-mail server.”
The virus appears to be doing both ably.
“We started getting reports from U.S. customers overnight,” Symantec’s Weafer said. “At this point, we believe it came from Europe, but we haven’t been able to narrow it down any further yet,” he added.
CA hasn’t been able to nail down the origin either, Hameroff said. The worm, or virus depending on the source, tries to launch a browser on Jan. 26 of any year that links to a domain name in the Netherlands, he said, adding that this doesn’t necessarily mean that is the country of origin.
Because there are only three variants on the subject line and the name of the attachment, Weafer believes the virus will be easy to filter out, but he doesn’t think it is a variant of any previously discovered virus. CA came to the same conclusion, with Hameroff saying: “it’s very simplistic” and appears to be a sample piece of work shared among “black hat sites” of hackers and miscreants.
Finland-based security vendor F-Secure Corp., which calls the virus “Onthefly,” said in a statement that it appears to be spreading faster than many of last year’s bigger viruses, adding that it is currently spreading as fast as “LoveLetter,” which infected an estimated 15 million computers.
According to Symantec’s Weafer, the virus has hit “about 50” of Symantec’s large customers so far.
“Most likely, this came from the virus generation kit which allows ‘script kiddies’ to create viruses easily,” he added. Script kiddies are computer users who usually lack programming skills, but use easy-to-assemble kits and scripts to create viruses.
The security vendors are recommending that computer users update antivirus software and “use good judgment in executing e-mail like this” that contains attachments, Hameroff said.
CA, in Islandia, New York, can be reached at http://www.cai.com/. Symantec, in Cupertino, Calif., can be reached at http://www.symantec.com/. F-Secure, in Espoo, Finland, can be reached at http://www.f-secure.com/.