FBI Tracking LoveLetter Worm
Kevin Poulsen, SecurityFocus 2000-05-04

A new Melissa-style email virus is spreading globally, and it loves you not.

The FBI's National Infrastructure Protection Center (NIPC) this morning issued an advisory on a new virus that's rapidly spreading through email messages with the subject "ILOVEYOU," and the body "kindly check the attached LOVELETTER coming from me."

The "love letter" is an attachment titled LOVE-LETTER-FOR-YOU.TXT.vbs. It is a decidedly unromantic Visual Basic script, which, if executed, sends a single copy of itself to every email address in the victim's Microsoft Outlook address book -- the same tactic used with devastating success by the Melissa virus in March, 1999.

The program also attempts to propagate over Internet Relay Chat, and it writes itself over other programs on a victim's hard drive, while replacing files with common point-and-click extensions like .mp3 with deceptively named decoy copies of itself, according to analysis by vendors and computer security experts.

Dow Jones News Wire reported this morning that the virus has hit PR firms and investment banks in Asia particularly hard. Various reports say the virus has been spotted in Europe, the U.S. and Canada. Anti-virus software vendor Symantec reports hundreds of thousands of machines infected worldwide, and an advisory from the U.S. Defense Department's Computer Emergency Response Team said the program has already affected U.S. Army mail servers.

The Washington-based NIPC issued an alert at 11:00 a.m. Eastern time. "We are currently assessing the impact that the virus is having nationally and worldwide," said FBI spokesperson Debbie Weierman. "That's all I can say at this time."

Within the virus code the author identifies himself or herself as "spyder" from Manila, Philippines, with an email address of ispyder@mail.com. The author dates the code March, 2000. Another comment in the program reads, "i hate go to school." Spyder did not immediately answer an email inquiry Thursday morning.

In addition to spreading virulently, the worm also attempts to download and execute another program from any one of four web accounts hosted by Sky Internet, a Philippine ISP. "We're aware of that, and our network security people are taking the necessary actions of disabling the URLs that are sent by email," said Ronald Elciario, Network Administrator at Sky Internet.

"Our service was used as a gateway for the virus to spread out over the net," said Elciario. "We've been receiving calls from all over the world, mostly from the USA."
