New virus scares, but does little damage
A new virus on the loose could make the "Love" bug pale by comparison, but security experts now say the threat may have passed.
Antivirus firms were monitoring the new outbreak and have said that only a handful of infections have been reported. But they caution that the virus has the potential to spread rapidly and cause even more damage than its recent predecessor.
"Everything on the computer is destroyed," said Vincent Weafer, director of Symantec's antivirus research center.
Yet by late today, it seems most companies were well prepared and escaped relatively unscathed. Network Associates this evening downgraded the threat of the new computer virus to a "medium" risk from the "high risk" rating it got earlier in the day.
Weafer said earlier that "less than a dozen" corporations in Israel, Europe and the United States reported infections to Symantec.
The FBI's National Infrastructure Protection Center this morning issued an alert on the virus and has dubbed it "NewLove.VBS." The NIPC has also opened an investigation into the matter, the posting said, and is warning people not to open any email attachments.
Perhaps even more disquieting than the destructive payload is the fact that the virus alters itself to sneak around traditional virus scanners.
This meaner, smarter bug comes on the heels of the so-called I Love You virus that wreaked havoc and caused billions of dollars in damage earlier this month. The new one threatens not only to overwrite files on victims' computers but to destroy data, programs and crucial operating software on them as well.
The viruses are not related to each other, according to Computer Associates.
While the potential effects of this new virus could be more crippling than the notorious Love bug, it has not spread as widely.
A San Francisco Bay Area company whose 5,000 desktops received the virus got it from its office in Israel, according to Trend Micro. But the company cautioned against concluding that the virus originated in Israel.
Dan Schrader, chief security analyst at Trend Micro, said that people are more cautious about attachments sent to them via email. Because of the awareness generated by the I Love You virus, more email users may be deleting attachments.
"Especially after the brouhaha with the Love virus, people are more cautious," Schrader said.
Like the Love bug, the new virus exploits features of Microsoft's Outlook email program to send itself to all contacts in the victim's address book. The virus is written as a Visual Basic attachment, which can be recognized by the suffix ".vbs."
Microsoft this week pledged to shore up Outlook with an upgrade meant to thwart the spread of viruses such as the Love bug. Symantec said the upgrade would be effective against the new virus, but it has not yet been released.
The Love virus has seen a wide array of mutations--not an uncommon development among viruses--which Symantec numbered around 30 so far. Some of the Love variations have been more destructive than the original, damaging system files in addition to the image and audio files targeted by their predecessor.
The new virus does not overwrite computer files; instead, it shrinks them down to nothing, targeting files on both local and network drives.
In addition, it imitates the behavior of biological viruses by making subtle alterations as it spreads.
The mutation occurs in three places. First, the virus changes the subject header of the email by selecting at random from various document files found on the victim's computer and adopting that file's name, preceded by "FW:."
Next, the virus renames itself with the same name, followed by ".vbs."
Finally, the virus inserts random text in the VBS script itself. This code does not alter the behavior of the virus but throws virus scanners off its scent.
Symantec said it was at work on a fix that would exclude those randomly generated comments in identifying the virus.
One possible avenue of attack for the antivirus crews is the fact that the new virus comes in an email with a blank body. A filter that scraps emails with "FW:" in the subject header and nothing in the body would be effective against the virus without filtering out a large number of legitimate attachments, Weafer said.
Symantec's Weafer stressed that, contrary to a Symantec press release and earlier published reports, the new virus is not a variant of the Love bug. Although the viruses share key characteristics, such as the reliance on Microsoft's Outlook address book and VBS scripting language, they do not share source code.
The virus has been dubbed "VBS.LoveLetter.FW.A" by Symantec and "VBS/NewLove-A" by U.K. antivirus firm Sophos.
Virus firms have come under some criticism for hyping virus threats, especially as their stock tends to do well in the midst of security crises.
News.com's Jim Hu contributed to this report.