Powerful Love Bug Variant Emerges, Falters

A destructive version of the “Love Bug” worm has emerged in Israel, Europe and the United States, but is expected to be contained without widespread damage.

The new variant, known as “NewLove,” works through the Microsoft Outlook Express e-mail system, according to the U.S. Federal Bureau of Investigation (FBI) and several antivirus software manufacturers. The FBI is posting alerts and additional information about the bug on its National Infrastructure Protection Center (NIPC) Web site.

Random Name

“This new virus looks like the VBS/Loveletter worm, but it is actually a new and damaging worm with virus qualities,” warned antivirus firm McAfee Corp. The subject line of an infected e-mail starts with “FW:” and includes the name of a randomly chosen attachment from a previous e-mail on an infected computer. The e-mail will have an attachment with the same name, but ending in ”.vbs.”

After the user clicks on the attachment, the virus uses Outlook to send copies of itself to everyone in the user’s address book. It also searches all drives connected to the host system, replacing every file with copies of itself.

Multiple Attacks

Computers at several large companies were infected late Thursday, said Dave Perry, spokesman at antivirus firm Trend Micro, Inc. One company had all of its 5,000 computers infected, he said.

”Any time a virus hits a week after another virus its potency is diminished,” Perry said. ”People tend to be a little more cautious.”

Ford Motor Co. (NYSE: F), one of the U.S. companies hit hardest by the Love Bug, immediately hired Mail.com, Inc. (Nasdaq: MAIL) to protect its e-mail system from further damage. Mail.com said it configured its MailZone to block the Love Bug within 20 minutes of discovering the virus.

Symantec, another antivirus firm, is reporting more than 100 infections of the latest virus, and said that while it is difficult to remove, containment efforts so far have met with “moderate” success. ”Each time the virus spreads, it mutates itself to evade detection,” the company said.

Strength and Weakness

Ironically, NewLove’s damage potential will likely be its downfall. “This worm is too destructive to go very far,” said Mikko Hypponen, manager of antivirus research at San Jose, California-based F-Secure Corporation. “When people were hit by LoveLetter, they didn’t notice it until they were contacted by people whom they had sent the virus to. With NewLove, your computer crashes immediately and you lose your files. It’s difficult to miss that.”

Hypponen said that the virus is programmed to continually change its code by adding random junk text. It gets larger as it spreads and eventually becomes too large to be e-mailed as an attachment, limiting its effectiveness.

Antivirus experts also say that NewLove will not spread as quickly as its predecessor because the public is more alert to the possibility of receiving a virus.

Outlook Express

Following the Love Bug episode, Microsoft said that it is upgrading security for Outlook Express. The company has promised that it will make a modification to Outlook available next week that will warn users about suspect e-mail attachments.

The Love Bug may have cost U.S. companies as much as $1 billion. Government agencies around the world, including the U.S. Central Intelligence Agency (CIA), were also affected. The General Accounting Office (GAO), the investigative arm of the U.S. Congress, weighed in on the issue, saying the incident shows the need for heightened security and coordination among e-mail systems worldwide.

Government Slow to React

In related news, congressional auditors from the GAO told the Senate Banking Subcommittee Thursday that the United States is vulnerable to cyberattacks from terrorists and hostile foreign governments. Many federal agencies did not receive timely warnings of the Love Bug from the NIPC.

Investigators believe the Love Bug originated in the Philippines, where several people have been under suspicion, but the prosecution has been stalled due to a lack of relevant laws.

Authorities released their first suspect and continue to probe the links between the virus and a number of graduates of the AMA Computer College. Last week, authorities reportedly seized a disk from the computer of AMA graduate Michael Buen that contained a virus similar to the first Love Bug.

Investigators also found a note purportedly written by Buen saying that a third virus would be released if he did not find a stable job shortly. He graduated from AMA on May 5th, one day after the Love Bug was released.