F-Secure warns of a cunning new "Mother's day" version of the loveletter e-mail

Report this content

F-SECURE WARNS OF A CUNNING NEW "MOTHER'S DAY" VERSION OF THE LOVELETTER E-MAIL WORM ESPOO, Finland, May 5th, 2000 - F-Secure Corporation (formerly Data Fellows) [HEX: FSC], a leading provider of security for mobile, distributed enterprises, is warning e-mail users of another new variant of the VBS/LoveLetter e-mail worm. This new variant sends e-mails which appear to be a confirmation of an electronic gift order. F-Secure Anti- Virus detects and disinfects the worm with the latest update available from www.F-Secure.com By midday (central European time) on Friday, five different versions of the VBS/LoveLetter worm had been found in the wild. Several more are excepted to appear over the coming weekend. "The Mother's Day version of this worm is quite cunning", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. "The e- mail appears to be a confirmation of an order for 'Mother's Day diamond special', and the attached file mothersday.vbs is portrayed as if it were an invoice. When users get such e-mails they assume there is some mistake and will naturally open the attachment - infecting their computer. With only eight days to go until Mother's Day, this attack is quite credible." The worm arrives in an e-mail message attachment called mothersday.vbs. On a default Windows system, the ".vbs" extension is not visible. If the recipient opens the attachment, the worm will use Microsoft Outlook (if installed) to send a message to everyone in any address books (including global access books of the organization; these typically contains hundreds or thousands of addresses). The message looks like this: From: Name-of-the-infected-user To: Random-name-from-the-address-book Subject: Mothers Day Order Confirmation We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com Attachment: mothersday.vbs As address books typically contain group addresses, the result of executing the VBS/LoveLetter worm inside an organization is that the first infected user sends the message to everybody in the organization. After this, other users open the message and send the message again to everyone else. This quickly overloads e-mail servers. In addition, this worm deletes all INI and BAT files from all drives anddirectories. This may leave the system in an unbootable state and might do serious damage to network files. This variant is detected as VBS/LoveLetter.E by F-Secure Anti-Virus. Likethe original version of the worm, VBS/LoveLetter.E is written in the VBScript language. The other known variants of the worm are known as VBS/LoveLetter.A, B, C and D. The A variant was the original LoveLetter worm. The B variant has been modified in Lithuania, and the subject field of the sent e-mail messages is "Susitikim shi vakara kavos puodukui...", which in Lithuanian means "Let's meet this evening for a cup of coffee..." The C variant has the subject field of "fwd: Joke" and the attachment is called "Very Funny.vbs" The D variant is almost identical to the original LoveLetter worm. It has been modified slightly, probably to make it undetectable to some anti- virus programs. A technical description of the worm is available in the F-Secure virus description database at: http://www.F-Secure.com/v-descs/love.htm Sample pictures of e-mail messages generated by VBS/LoveLetter are available in the F-Secure virus screenshots center at: http://www.F- Secure.com/virus-info/v-pics/ About F-Secure Corporation F-Secure Corporation is a leading developer of centrally managed security solutions for the mobile, distributed enterprise. The company offers a full range of award-winning integrated anti-virus, file encryption, distributed firewall and VPN solutions. F-Secure products and the underlying policy management framework enable corporate IT departments as well as service providers to deliver Security as a Service(tm). For the end-user, Security as a Service is invisible, automatic, reliable, always-on, and up-to-date. For the administrator, Security as a Service means policy-based management, instant alerts, and centralized management of a widely- distributed user base. Founded in 1988, F-Secure is listed on the Helsinki Stock Exchange [HEX: FSC]. The company is headquartered in Espoo, Finland with North American headquarters in San Jose, California, as well as offices in Canada, China (Hong Kong and Beijing), France, Germany, Japan, Sweden and the United Kingdom. F-Secure is supported by a network of VARs and Distributors in over 90 countries around the globe. For more information, please contact USA: F-Secure Inc. Mr. Dan Takata, Manager, Training Division, Professional Services 675 N. First Street, 5th Floor San Jose, CA 95112 Tel. +1 408 938 6700, Fax +1 408 938 6701 e-mail Dan.Takata@F-Secure.com Finland: F-Secure Corporation Mr. Mikko Hypponen, Manager, Anti-Virus Research. PL 24 FIN-02231 ESPOO Tel +358 9 8599 0513 Fax +358 9 8599 0599 E-mail: Mikko.Hypponen@F-Secure.com http://www.F-Secure.com/ Note to Editors: Further technical information and a screenshot of the virus is available at: http://www.F-Secure.com/virus-info/v-pics/ ------------------------------------------------------------ Please visit http://www.bit.se for further information The following files are available for download: http://www.bit.se/bitonline/2000/05/05/20000505BIT01000/bit0001.doc http://www.bit.se/bitonline/2000/05/05/20000505BIT01000/bit0002.pdf

Documents & Links