Computer Security Weekly, May 15, 2000


Special "I Love You Guys!" Edition

Today was the first day in over a week that I *haven't* seen something about the "Love Bug/ILY/Love Letter" virus, so I guess it's about time to give you a review.

The Love Bug, for those who have been living in a cave, first hit the nets on May 3rd. It spread rapidly, perhaps even faster than last year's Melissa, but it wasn't terribly sophisticated. I'm at a bit of a loss to explain the media coverage that it got, unless the pump was primed by the DDoS attacks earlier this year. Or, it could be that people don't mind if you crash their mail system, as long as you don't erase their JPEGs and MP3s.

If you got the original Love Bug, it came in an email with a subject line of "I LOVE YOU." The message contained an attachment, with a bit of a note urging you to read this love letter. The file name, LOVE-LETTER-FOR-YOU.TXT.vbs, was a fairly obvious piece of social engineering. The .TXT bit was supposed to make people think that it was a text file, and thus safe to read. (Some of the early messages that I saw stated that just reading the message would trigger the virus: that wasn't true, and the belief was probably caused by this confusion.) The .vbs at the end was probably meant to be ignored: after all, it was just lower case, so it wasn't important, right? Well, Windows, like DOS before it, isn't case sensitive when it comes to file names, and the .vbs extension indicates a Visual Basic Script.

Now, if you clicked on it, nothing much happened. Unless you happened to have Windows 98, Windows 2000, Internet Explorer 5, or Outlook 5. And with all those options, that means most people. If you have any of those (or a few others) then you have Windows Script Host (WSH) on your machine, and you have a file association binding the .vbs extension to wscript.exe. In that case, WSH started to read and interpret the contents of the "love letter."

(Just as an aside, some people were suggesting that wscript.exe be renamed in order to stop the script from executing. If you booted from DOS, and renamed the file, that would work. However, most people would just rename the file from Windows Explorer. In that case, helpful Windows would change the file association to the new name, and you would still be at risk.)

The infection of your computer included the installation of some files in the Windows and System directories of your system. These were just copies of the original .vbs file, in one case keeping the name of

The copyright of the article Computer Security Weekly, May 15, 2000 in Computer Security is owned by Robert Slade. Permission to republish Computer Security Weekly, May 15, 2000 in print or online must be granted by the author in writing.
