Mother's Day variant

The Mother’s Day virus is a variant of the original I Love You virus.
Computer bug troubles persist as tricky mutations make the rounds.
By Bob Sullivan, MSNBC
U.S. investigators have told NBC News’ Pete Williams they have identified a
suspect they believe is responsible for the ILOVEYOU virus. “We’re convinced”
the virus attack originated in the Philippines, said one official, who added the
suspect won’t be identified until a search warrant is executed. Meanwhile, there
are now five known variants of the bug, including one that tries to trick victims
into opening an attachment by claiming it’s a bill for diamonds purchased at a
special Mother’s Day price.
U.S. FEDERAL AGENTS, working in cooperation with local authorities, were led
to the suspect by electronic evidence, NBC’s Williams was told. The official, who
requested anonymity, added the FBI is now seeking a search warrant and is
waiting only for authority from Philippines judges before they serve the warrant.
Meanwhile, anti-virus experts say computer administrators around the world are
continuing to fight the Love Bug, which now comes in five flavors, including the
more dangerous “Mother’s Day” mutation.
“We’ve seen the situation just get worse in Asia and Europe during Friday,” said
Mikko Hypponen, manager of anti-virus research at F-Secure Corp. “With four
new variants out after the original one, it’s getting more and more difficult for end
users to know which e-mail to avoid.”
Beginning of Mother’s day threat text:
The latest variant might cause the most trouble. It attempts to prey on consumer
fears of erroneous credit card charges and arrives with the subject line “Mother’s
Day Order Confirmation.” The body of the message then tells the potential victim:
“We have proceeded to charge your credit card for the amount of $326.92 for the
mothers day diamond special. We have attached a detailed invoice to this email.
Please print out the attachment and keep it in a safe place. Thanks Again and
Have a Happy Mothers Day! mothersday@subdimension.com.”
The attached file, mothersday.vbs, is very similar to the original ILOVEYOU virus
but is considerably more destructive. It sets out to delete all .INI and .BAT files
from all local and network drives. Removing such files could make it impossible
to restart a victim’s computer.
“With only eight days to go until Mother’s Day, this attack is quite credible,”
Hypponen said.
Carey Nachenberg, chief virus researcher at Symantec, makers of the highly
popular Norton anti-virus product, tells CNBC that 'Love Bug' copycat viruses are
beginning to spread, and that computer networks are extremely vulnerable to
future worms.
End of Mother’s day threat text.
A Manila Internet services provider, Supernet, said it was assisting in the
investigation, adding that the virus appeared to have first spread from two of its
e-mail addresses.
“The author of the virus used two e-mail addresses through Supernet —
spyder@super.net.ph and mailme@super.net.ph,” Jose Carlotta, chief operating
officer of parent company Access Net Inc, a Manila Internet company, told
Reuters.
Inside all versions of the “love” virus are the two Supernet e-mail addresses.
Combined with information gleaned from Internet chat rooms, Carlotta said, the
e-mails provided investigators with a solid lead, but no definite information. The
e-mails have been linked to prepaid Internet access accounts so it was not
immediately possible to zero in on the owner, he added.
Toby Ayre, a technical consultant for SkyInternet, another Philippine ISP, told
reporters it appeared the same hacker had tried to break into their systems. In
response, the company blacklisted the local Manila telephone number the
intruder was using.
“We banned this particular person from our servers on April 1,” Ayre said. He
added that the hacker had used the same “signature” at SkyInternet as had been
seen at Supernet.
“We have provided the NBI, the FBI, and Interpol with all of the audit trails for
every transaction that involves this virus and they’re using that information,” he
added.
STILL CIRCUMNAVIGATING THE GLOBE
While authorities tried to track down the culprit, the ILOVEYOU virus continued to
infect computers around the globe on Friday, though not at the rate of Thursday’s
rampage. The federally-funded CERT Coordination Center, a clearinghouse for
U.S. computer crisis information, said it was still receiving reports of outbreaks.
New variations of the “worm” were also winging around the Internet, in some
cases foiling anti-virus protection. A version of the virus named “Luck” started
appearing Thursday afternoon, and other copycats have followed. One variant,
called Susitikim (which in Lithuanian means: Let’s meet), has a subject line that
reads “Susitikem shi vakara kavos puodukui.” In Lithuanian, the sentence
translates into: “Let’s meet this evening for coffee.”
The virus shut down networks at corporations and government agencies all
around the world. The U.S. Navy, Army, and NASA research centers all shut off
e-mail access to protect their systems from the storm. Several government
agencies were still infected; according to NBC’s Betsy Steuart, the U.S. State
Department found about 120,000 versions of the I Love You virus and its various
mutations on their servers.
HOW IT WORKS
ILOVEYOU arrives as an e-mail attachment in a message apparently sent by a
colleague. The virus targets users of Microsoft Outlook and only works under the
Windows operating system. (Microsoft is a partner in MSNBC.) If a victim is
tricked into opening the attached program, which is written in Microsoft’s Visual
Basic script, the virus renames every jpg image file and mp3 music file it can find.
The images are deleted, but the mp3 files are backed up elsewhere on the
victim’s computer. The program also deletes a host of other files with the
following extensions: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT and .HTA.
But before deleting image and music files, the virus e-mails itself to every person
or destination in the victim’s various address books, including any corporate
distribution lists. That’s why it spreads so fast.
But the virus also has another trick up its sleeve. After infection, it changes the
victim’s Internet start page to one of four Web pages hosted at skyinet.net by
SkyInternet. There, the victim’s computer is instructed to download a password-stealing program called WIN-BUGSFIX.EXE.
Ronald Elciario, a network administrator at SkyInternet, told MSNBC those Web
pages have since been removed and the account holder’s services have been
terminated.
In the virus’s source code, an individual named “spyder” takes credit for
authoring the program. Mikko Hypponen, manager of antivirus research at F-Secure Corp., said the name is unknown on the virus scene.
In a bit of programming understatement, the code contains a comment, likely by
the author, suggesting the virus is “simple but I think this is good.”
The code also references Manila, but that doesn’t necessarily indicate the author
lives there.
Other than the e-mail addresses, there are no other hints as to who “spyder”
might be other than this cryptic message within the code: “barok -loveletter(vbe)
“I hate go to school”.”
Computer technicians around the globe held their breath Friday, hoping they had
largely beat back the virus. Perhaps tens of millions of computers have been
infected, experts said, and it is already being called the worst virus outbreak
ever.
But there is evidence that ILOVEYOU may yet do more damage before the worst
is over. Companies in New Zealand and Australia reported infection as daylight
came to that part of the world Friday, and others resorted to shutting off all e-mail
to protect themselves from infection.
“I don’t think it’s over,” said Joe Wells, a long-time antivirus industry observer.
“Melissa came and went because it had limitations. This thing doesn’t turn itself
off.”
That might be bad news for the thousands of businesses that were forced to shut
down entire networks on Thursday in order to quarantine computers from
infection. If even one copy of the virus remains on a network, restarting mail
services could restart Thursday’s ordeal all over again. So many employees left
work Thursday night with no guarantee things would be back to normal by Friday.
Where to get help
Several antivirus companies and computer pros are offering information and
tools to help remove the ILOVEYOU virus from PCs. Many sites are working
slowly because of high traffic.
• ZDNet ILOVEYOU Anti-Virus Center
• McAfee.com Anti-Virus
• F-Secure's info on how ILOVEYOU works
• Trend Micro's HouseCall online virus scanner
• Info from thePope.org on removing ILOVEYOU
The statistics Thursday were staggering. Nearly 30 percent of businesses in
Great Britain, and nearly 80 percent in Sweden, have been infected by the virus,
according to Network Associates. In fact, the company said, ATM cash machines
in Belgium were knocked offline thanks to the deluge of e-mail traffic created by
the virus.
The CERT Coordination Center has received reports that over 300,000
computers had been infected — and that only represents those systems where
administrators registered the infections with CERT.
Many companies — and even the Army, the Navy and NASA — resorted to
simply shutting down their e-mail systems while the virus wormed its way around
the Internet.
“This is the worst I’ve ever seen in my nine years in the business,” said
Hypponen.
Internet users were advised to update their virus scanning software as soon as
possible. But throughout the day Thursday, antivirus Web pages were swamped
with traffic and largely unreadable. But the standard advice held true — the best
bet is to avoid opening attachments entirely.
“Only human nature to want to open a letter that leads off with ‘I love you,’ ” said
David Perry, public education director at antivirus research firm Trend Micro. He
said he also suspects that because it had been several months since the last
virus scare, computer users are a bit more gullible than they were perhaps a year
ago, in the wake of the Melissa virus.
The file attachment is called “LOVE LETTER FOR YOU.TXT.vbs,” which might
also be adding to the confusion for consumers. It offers the appearance of being
a harmless text file, and the “vbs” extension, which stands for Visual Basic Script,
may also mislead users who are now trained to be skeptical of executable files
with the extension .exe.
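The two mechanics the article describes, the script attachment that the HOW IT WORKS section lists among the file types the worm deletes, and the “.TXT.vbs” double extension that hides a script behind a harmless-looking suffix, are exactly what a mail gateway can check for before a message reaches an Outlook user. The following is an added example, not code from MSNBC, F-Secure, Symantec or any other vendor named in the article; it assumes a decoy-extension list (.txt, .jpg, .mp3, .doc, .pdf) chosen for illustration, takes its subject-line list from the subjects the article quotes, and builds its sample messages inline as constructed test data rather than real captures.

```python
"""Mail-gateway style check for the attachment tricks described in the article.

Added example (not MSNBC's or any vendor's code). It flags attachments whose
real extension is a Windows script type, attachments that hide that extension
behind a decoy one ("LOVE LETTER FOR YOU.TXT.vbs"), and subject lines the
article quotes for the original worm and its variants.
"""
import email
from email import policy
from email.message import EmailMessage

# Script extensions the article lists (the worm both ships as .vbs and
# deletes files of these types). .css is omitted: it is not executable.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}

# Assumed set of "harmless-looking" suffixes used as a decoy in front of the
# real extension; chosen for this example, not taken from the article.
DECOY_EXTENSIONS = {"txt", "jpg", "mp3", "doc", "pdf"}

# Subject lines quoted in the article, normalised to lower case.
KNOWN_SUBJECTS = {
    "iloveyou",
    "mother's day order confirmation",
    "susitikem shi vakara kavos puodukui",
}


def attachment_findings(filename):
    """Return the reasons an attachment file name is suspicious (possibly none)."""
    findings = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"script attachment (.{ext})")
        # Double extension: a decoy suffix sits directly before the script one,
        # so a client that hides known extensions shows only the decoy.
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            findings.append(f"double extension disguised as .{parts[-2]}")
    return findings


def scan_message(raw):
    """Parse one raw RFC 822 message and decide whether to quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    # Normalise curly apostrophes so "Mother’s" and "Mother's" compare equal.
    subject = (msg["Subject"] or "").strip().lower().replace("\u2019", "'")
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"known worm subject line: {msg['Subject']!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for finding in attachment_findings(name):
            reasons.append(f"{name}: {finding}")
    return {"quarantine": bool(reasons), "reasons": reasons}


def build_sample(subject, filename, body="see attachment"):
    """Construct a sample message (constructed test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        # Placeholder bytes stand in for the attachment body; only the name matters here.
        m.add_attachment(b"placeholder attachment bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples mirroring the names and subjects the article reports.
SAMPLES = {
    "loveletter": build_sample("ILOVEYOU", "LOVE LETTER FOR YOU.TXT.vbs"),
    "mothersday": build_sample("Mother's Day Order Confirmation", "mothersday.vbs"),
    "benign": build_sample("Q2 report", "report.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, scan_message(raw))
```

The check deliberately keys on the last extension rather than the first, because the client-side display problem the article describes runs the other way: Outlook users were shown “.TXT” and not the trailing “.vbs”. A gateway that also strips or renames any attachment whose final extension is a script type removes the decision from the user entirely, which is the mitigation the “avoid opening attachments” advice in the article is really pointing at.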
Computers aren’t the only victims. One doctor who e-mailed MSNBC said the
virus had been arriving every five minutes to his pager, which receives incoming
e-mails. Several readers also report having received the virus by fax, since both
pagers and fax numbers can be listed in an Outlook address book.