SPONSOR ALSO IN THIS SECTION [an error occurred while processing this directive] MORE > >

How 'Love' Bug Gets Under A PC's Skin

Three Modes Of Attack

Imagine my surprise Thursday morning when I received a message from a coworker simply titled "I LOVE YOU" -- apparently, I thought, I have a not-so-secret admirer.

Looking through my inbox, I was surprised to see that I had LOTS of secret admirers. Clearly, something was wrong.

E-mail messages titled "I LOVE YOU" all contain a malicious attachment written in VBScript. If you open this attachment, your computer will send a similar "I LOVE YOU" message to everyone in your address book. Additionally, media files will disappear and will be replaced by doppelganger files infected with this virus.

This type of security exploit is technically called a "Trojan Horse" or a "worm" program. The e-mail attachment is like the gift horse that the ancient Greeks used to sack the city of Troy.

If you open the attachment, your company will end up like that city: overrun.

Like many similar e-mail-borne viruses, such as "Bubbleboy", this message affects only versions of Microsoft Outlook: Outlook Express, Outlook 2000, Outlook 95, etc.

There are no reports of other mail clients being affected.

Unlike the "Bubbleboy" virus, this message does NOT activate when viewed in Outlook's preview pane. Delete the message before opening the attachment, and you should be safe.

Even more insidious than the "I LOVE YOU" chain letters, this program ALSO erases MP3s, JPEGs and other media files and replaces them with executable versions of the same program. This causes to you retransmit the program when you use media.

This virus ALSO makes changes to the fundamental components of the Windows operating system: the kernel and the registry. Several files are added to the operating system to ensure the replication of this virus.

These files are generated:

MSKernel32.vbs
LOVE-LETTER-FOR-YOU.TXT.vbs
Win32DLL.vbs

These Registry keys are added:

HKEY_LOCAL_MACHINE\Software\Microsoft \Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft \Windows\CurrentVersion\RunServices\Win32DLL

These kernel files are altered:

MSKERNAL.DLL
WIN32.DLL

A side effect of this virus is that anti-virus sites like symantec.com and norton.com are almost entirely unreachable, as millions of infected surfers are trying to download an antidote.

The creator of the virus, suspected to be a hacker from Manila, has left a "maker's mark" on the virus:

rem barok -loveletter(vbe)
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines

This is an excellent analysis by some Finns: www.datafellows.com/v-descs/love.htm.

Steve Morman is software development manager for Internet Broadcasting Systems, which operates this Web site and others in North America.