LoveLetter worm variant spams spies

Dubbed "VBS/LoveLet-CL" by U.K. antivirus company Sophos, the mass-mailing program infects a computer system after the PC user opens the e-mail attachment containing the worm. On systems with Microsoft Outlook installed, the program will mail copies of itself to each entry in the Outlook address book.

The worm's code contains a list of almost 300 terms that could trigger surveillance systems--such as the much-theorized Echelon system--that scan for e-mails whose content could affect national security. Words such as toxin, detonator, conspiracy, uzi, grenades and assassination all appear in the body of the virus.

"Why are you using echelon type stupid things to listen around," the worm's authors also state in the code. "Hey others, lets fl00d the echelon."

"The worm contains a large number of comments inside its code which do not get displayed," Sophos stated in its advisory, referring to the red-flag terms. "It is possible these have been chosen in an attempt to overload the Echelon e-mail monitoring system should the worm become widespread."

Two years ago, speculation of widespread American monitoring of other countries' communications caused a great deal of controversy in the European Union. Known as Echelon, the surveillance network allegedly can scan e-mails and wireless communications for particular content. To date, the true capabilities of the system are unknown to all but intelligence communities.

The worm appears as an attachment--"echelon.vbs"--to an e-mail with the subject line: "!!!" and the message ":-) MuCux..."

The worm also searches all local and networked drives for Visual Basic Script, JavaScript HTML application, JPEG image and MP3 files, which it overwrites with itself.

If the computer has the chat program mIRC installed, the worm will add a script that allows it to spread through the chat system as well.