May 19, 2000
As of May 18, 2000, a new, more destructive variant
of the LOVE LETTER worm, NewLove.VBS, has been identified. Like the earlier
variants, this worm is transmitted via e-mail, but unlike the others, this
new polymorphic variant can change the subject line and the program code
every time it is retransmitted, thus making it more difficult for users and
anti-virus programs to detect. The worm is transmitted when a user opens
an e-mail attachment.
The NewLove.VBS variant uses the filename of a file that a user has recently
been working on, and places that filename in the subject line of the e-mail
transmission. The recipient may think that they have been forwarded a file
from a known associate. When the attachment is opened, this worm can damage
all files not currently in use, by changing the file extensions to .VBS. It
can also transmit itself to a new group of victims taken from the current victim's
e-mail address book. The new e-mail will have a different subject line taken
from a filename that the current victim has recently been working on.
Subject: Variable; "FW: filename.ext" (where filename.ext
is dervied from the user's recently opened documents list)
Attachment: Variable; "filename.ext.vbs" (where
filename.ext is dervied from the user's recently opened documents
Size of attachment: Variable
Message Body: Variable.
Target of Infection: Overwrites all files that are not currently
in use regardless of extension.
Shared Drives: Will overwrite files on all mapped local
drives (with the exception of files in root directories)
Major Anti-Virus vendors have posted software to detect and prevent infection
by many variants of the LoveLetter worm. Affected users should contact their
anti-virus software web site frequently for updated information and patches.
The FBI has opened an investigation into this activity. NIPC alerts and additional
information on this worm, as they become available, will be posted to the NIPC's
web page. Please report any evidence of infection to your local FBI office,
NIPC, military, or civilian computer incident response group, as appropriate.
The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206.