New strain of "Love" virus steals passwords

Security experts say that a new strain of the infamous "I Love You" virus has hit some businesses located in Europe and in the United States.

The virus, "VBS/LoveLetter.bd," first appeared yesterday in Europe; so far, it has only infected computers at banks in the region and a few locations in the United States, according to experts.

The National Infrastructure Protection Center today warned of the new variant and said infections had been reported at two U.S. banks.

"At this time, we haven't received any further reports other than the initial two, and since those two incidents focused on banking functions, that is the reason behind the action the NIPC took in issuing its warnings," NIPC spokeswoman Debbie Weirerman said.

Antivirus software company Computer Associates International said in a Web posting that at least two of its North American clients had reported infections.

Weirerman said she did not know whether the virus attack was specific to banks.

NIPC, which is the government agency charged with protecting the security of the nation's computing infrastructure, would not say which banks had been hit.

The virus appears to have first affected the United Bank of Switzerland's European operations. In a release today, the company said that only "a small proportion of UBS e-banking customers are at risk" and that "there are no reports of damage as of yet." The Swiss bank said it has installed virus filters that have "successfully prevented the virus from spreading within UBS."

The new strain downloads and runs a program, "hcheck.exe," that steals passwords from an infected computer. While the virus is at work, people see a résumé for "Knowledge Worker, Zurich," written in German.

The original I Love You virus, also known as the "Love Letter" virus or the "Love" bug, struck in May, crippling email systems worldwide. An earlier version also appeared as a résumé.

While other I Love You variants have posed threats, protections put in place by large corporations and government agencies since the original outbreak have greatly curtailed new infections.

Symantec's Antivirus Research Center is warning computer users to be wary of email messages containing the attachment "resume.txt.vbs."

Like other Love Letter variants, the virus scans a person's Microsoft Outlook address book and attempts to send copies of the virus to all email addresses listed. Other email programs generally are not affected this way.

Infected files sent to Outlook addressees contain no subject lines or recipients, but the following email addresses appear in the BCC, or blind carbon copy, line: ct102356@excite.com, acch01@netscape.net, deroha@mailcity.com.

The original I Love You outbreak was devastating, with damage estimates in the billions. While a Gallup poll found only one in 15 companies were infected by the original outbreak, damages mounted as companies shut down email systems and took other precautions to prevent the virus' spread.

Microsoft products are particularly vulnerable to this kind of virus attack because of their design, and the company has been sharply criticized for this.

Viruses such as I Love You and its variants use VBScript to execute commands affecting an infected system. Microsoft and most security experts warn computer users to be wary of email attachments, such as the "resume.txt.vbs" resume script, ending with the ".vbs" extension.

Because competing email products such as Qualcomm's Eudora Pro and even Microsoft's Outlook Express do not use VBScript, they generally are not vulnerable to this kind of attack. But Microsoft is introducing scripting capabilities to its Macintosh version of Office and an Outlook-like email client that could increase vulnerability in Office 2001, which will ship in October.

In the wake of the original Love Letter outbreak, Microsoft released a patch that changes Outlook's default security settings and makes it more difficult to launch ".vbs" attachments.
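
As an added illustration (not part of the original article and not any vendor's tooling), the following Python example shows how a mail filter could flag the traits described above: an attachment named like "resume.txt.vbs" and a missing subject line. It generalizes beyond the one filename in the article; the extension lists other than ".vbs", the function names and the sample messages are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Only ".vbs" is named in the article; the other Windows Script Host
# extensions are an added assumption.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Harmless-looking extensions placed before the real one (assumed list).
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf"}


def check_message(raw: bytes) -> list:
    """Return findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # The article notes that infected mails carry no subject line.
    if not (msg["Subject"] or "").strip():
        findings.append("empty-subject")
    for part in msg.iter_attachments():
        # Normalize case and trailing dots/spaces, which Windows ignores.
        name = (part.get_filename() or "").lower().rstrip(". ")
        suffixes = PurePosixPath(name).suffixes
        if suffixes and suffixes[-1] in SCRIPT_EXTS:
            findings.append("script-attachment:" + name)
            # A decoy extension before the script extension hides the real
            # type when the mail client or shell hides known extensions.
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
                findings.append("double-extension:" + name)
    return findings


def build_sample(filename: str, subject: str = "") -> bytes:
    """Build a constructed test message with an inert placeholder attachment."""
    m = EmailMessage()
    if subject:
        m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(b"inert placeholder bytes\n", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(check_message(build_sample("resume.txt.vbs")))
    print(check_message(build_sample("notes.txt", subject="Minutes")))
```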