
Virus posing as Symantec email could be worst

A recent "Love" bug copycat masquerading as a Symantec cure for the virus appears to be the most destructive variant yet.

Paul Festa Staff Writer, CNET News.com

The mutation comes in an email with the subject header "VIRUS ALERT!!!" The email begins, "Dear Symantec customer," and proceeds to describe the virus in detail. Its attachment is called "protect.vbs."

In addition to the image and audio files that the original "Love" bug overwrites or hides, this variant overwrites system files that lie at the heart of some crucial computing functions.

Victims of this variant would be "in trouble," warned Vincent Weafer, director of Symantec's antivirus research center. "It's going to target some system files."

Because its name is fraudulently attached to the latest, most virulent strain, Symantec is taking extra measures to warn against it. The company is posting an alert to its Web site, issuing a press release, and emailing its corporate customers.

The files targeted by the new variant are batch files (.bat) and command files (.com), Symantec said.

Batch files are used for utilities or at start-up; a common example is "autoexec.bat," the computer's start-up configuration file. Command files are DOS-executable files, used for simple commands such as "edit," "format" or "disk copy."

Variations on a virus
The "Love" bug and eight of its variants spotted so far.

| Version | Subject | Attachment name | Seen "in the wild" |
|---|---|---|---|
| a | I Love You | LOVE-LETTER-FOR-YOU.TXT.vbs | yes |
| b | Susitikim shi vakara kavos puodukui...* | LOVE-LETTER-FOR-YOU.TXT.vbs | yes |
| c | FWD: JOKE | VERYFUNNY.vbs | yes |
| d** | I Love You | LOVE-LETTER-FOR-YOU.TXT.vbs | yes |
| e | Mother's Day Order Confirmation | mothersday.vbs | no |
| f*** | Dangerous Virus Warning | virus_warning.jpg.vbs | yes |
| g**** | VIRUS ALERT!!! | protect.vbs | yes |
| h***** | A killer for VBS/LoveMail and VBS/Kak worm | viruskiller.vbs | yes |

* Lithuanian for "Let's meet tonight for a cup of coffee."
** underlying code changed.
*** message body reads: "There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it."
**** message body begins: "Dear Symantec customer," and includes detailed explanation of the Love Letter virus. Variant targets some system files.
***** message body begins: "Start the attachment to clean all you (sic) files and hard discs (sic)."

Source: McAfee and Symantec

Weafer said the use of Symantec's name in the virus email was not surprising.

"It's fairly common to see both viruses and hoaxes that purport to come from Microsoft or other organizations as fixes," he said. "This is all about social engineering, about trying to get you to open up the file. Whether it's a Mother's Day greeting or a virus alert, everything is designed to get you to lower your guard."

Antivirus firms identified at least eight variations, including the original, earlier today. Alterations in these variants are for the most part in the packaging, with the virus coming attached to emails variously labeled "I Love You," "FWD: JOKE," "Susitikim shi vakara kavos puodukui..." (Lithuanian for "Let's get a cup of coffee") and "Mother's Day Order Confirmation."

Another fraudulent fix packing the viral payload comes in an email headed "Dangerous Virus Warning" and carries an attachment labeled "virus_warning.jpg.vbs," said antivirus firm McAfee.

Symantec, which counted 10 variants in all so far, warned against still a third of this type with the attachment "VirusKiller.vbs."