pasmith@..., a user from metacrawler.com, asked this question on 5/4/2000:
Is the ILOVRYOU email virus for real? People at my workplace are afraid to open their email. Thanks! Phyllis
NataliePratt gave this response on 5/4/2000:
Yes, it is for real and NOT a hoax. It has hit numerous places already such as CNN, Xerox, the White House, Senate, etc, etc. Following is a brief description of it. It is very dangerous so DO NOT open it!
VBS/LoveLetter.A is a worm that spreads via email and mIRC. It also attempts to download a backdoor access trojan (bugs-fix.exe) that collects cached network password and attempts to send them to an attacker's site. The worm relies on Windows Scripting Host to run, which is installed by default in IE5.x/Win98 configurations.
Currently, the e-mail worm is being received as follows: Subject: ILOVEYOU Body: kindly check the attached LOVELETTER coming from me Attachement: LOVE-LETTER-FOR-YOU.TXT.vbs
This worm does appear to be spreading quickly. If you do not execute the attachment, you cannot become infected.
Here is also the press release issued on it:
Thursday May 4, 9:31 am Eastern Time Company Press Release F-Secure Warns: LOVE LETTER e-Mail Worm Might Exceed Melissa in Severity Activates by Overwriting Picture and Music Files SAN JOSE, Calif.--(BUSINESS WIRE)--May, 2000--F-Secure Corporation (formerly Data Fellows) [HEX: FSC], a leading provider of security for mobile, distributed enterprises, is warning e-mail users of a new destructive e-mail worm called VBS/LoveLetter. This worm spreads by e-mailing a file called LOVE-LETTER-FOR-YOU.TXT.vbs. F-Secure Anti-Virus detects and disinfects the virus, with the latest update available from www.F-Secure.com.
``This worm spreads at an amazing speed,'' said Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation in Espoo, Finland. ``We got the first report around 9:00 a.m. on Thursday from Norway, and by 1 p.m. we had reports from over 20 countries. We estimate that total number of infected machines is already in tens of thousands. This epidemic might exceed Melissa in both speed and destructiveness.''
The LoveLetter worm activates by overwriting picture and music files from the local and network drives. Files with extension JPG, JPEG, MP3 and MP2 are overwritten and will have to be restored from backups.
The worm arrives to users in e-mail message attachments called LOVE-LETTER-FOR-YOU.TXT.vbs. On a default Windows system, the ``.vbs'' extension is not visible, and users might mistake the file for a harmless text file (.TXT). If the recipient opens the attachment, the worm will use Microsoft Outlook (if installed) to send a message to everyone in any address books (including global access books of the organization these typically contains hundreds or thousands of addresses). The messages is as follows:
From: Name-of-the-infected-user To: Random-name-from-the-address-book Subject: ILOVEYOU
kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
As address books typically contain group addresses, the result of executing the VBS/LoveLetter worm inside an organization is that the first infected user sends the message to everybody in the organization. After this, other users open the message and send the message again to everyone else. This quickly overloads e-mail servers.
In addition to spreading over e-mail, the worm also overwrites existing local script and HTML files with its own code.
The worm was most likely written in the Philippines. It was first spotted in early morning, Thursday May 4. It contains the following text:
barok -loveletter(vbe) <i hate go to school> by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
VBS/LoveLetter is written in the VBScript language. By default, programs written in VBScript operate only under Windows 98 and Windows 2000. However, Windows 95 and NT 4 users are also vulnerable, if they have installed version 5 of Microsoft Internet Explorer.
Good Luck and I hope this helps. Natalie Pratt Midwest Investigative Consultants
The average rating for this answer is 5.
pasmith@... rated this answer a 5.