U.S. catches 'Love' virus
May 4, 2000: 10:34 p.m. ET

Quickly spreading virus can steal passwords, experts say
By Staff Writers David Kleinbard and Richard Richtmyer
NEW YORK (CNNfn) - The newly discovered "I Love You" virus swept through banks, securities firms, and Web companies in the United States Thursday, but proved in large part to be more of an annoyance than a costly disruption of business.

The virus did cause damage, however, at companies that make heavy use of multimedia files, such as magazines and advertising agencies, because it overwrites picture files with "jpg" extensions and MP3 music files.

In addition, the virus could result in some security breaches weeks or months from now because it can steal network passwords from a computer and send them to a remote location, security experts said.

McAfee.com, maker of the best-selling VirusScan security software, said that 60 to 80 percent of its Fortune 100 clients were infected by the virus. McAfee expects to release a software patch that can identify the virus Thursday afternoon.

The I Love You virus spreads quickly among users of Microsoft Outlook and corporate networks that use the Microsoft Exchange e-mail server because it sends a copy of itself to every e-mail address in a recipient's Outlook address book. By contrast, the "Melissa" virus, which spread around the globe in March 1999, sent itself only to the first 50 people on a victim's address book.









"Its transmission technique is somewhat similar to Melissa," said Chris Rouland, director of the X-Force security research team at Internet Security Systems in Atlanta. "Once launched, it downloads an executable backdoor program from one of four Web sites. That program, Win_bug6, steals passwords stored on that computer and sends them to an e-mail address in the Philippines."

If a person whose computer has been infected with I Love You uses the popular Internet chat program mIRC, the virus will attempt to transmit itself to every user who enters the chat room, Rouland said.

Rob Clyde, vice president of security management at Axent Technologies in Rockville, Md., said that the virus tries to connect to one of four Web sites, but that those sites were down today.

"In theory, it could allow the people who own those sites to get access to your computer, but there is no indication that the virus has ever been successful at connecting to those sites," Clyde said.

"A lot of companies shut off their e-mail systems to contain the virus, which caused disruption," Clyde said.

Business as usual at investment banks


All the major commercial and investment banks contacted by CNNfn.com Thursday reported having individual computers infected with I Love You. However, none said that trading activities were disrupted because of it.

"The virus was not debilitating at all - it was more of a nuisance or annoyance than anything," said Russell Sherman, a spokesman for Bear Stearns in New York. "We isolated the servers that were affected."

"It had no impact on applications or client business," said PaineWebber spokesman Paul Marrone. "We learned of the virus early this morning, notified all employees, and are in the process of cleaning it up." 

ISPs say customer accounts still working


Internet service providers also reported that I Love You had a minimal impact on their business and their customers. They also pointed out that corporate e-mail systems appear to be more vulnerable to the virus than most home e-mail users because of the widespread use of Microsoft's Outlook and Exchange products.

"We're still doing a fair amount of scrambling to find out exactly what the impact is, but so far it has not affected the mail delivery to our members," said Steve Dougherty, director of technology acquisition at Earthlink, the second-largest U.S. Internet service provider.

"Earthlink service has been available full time," Dougherty added. "And the volume of traffic on our mail servers is not appreciably different than normal."

Competing Internet service provider Concentric Network also reported that the company and its customers were not seriously hurt by I Love You.

The number of e-mail messages containing the virus on Concentric's customer e-mail servers was minimal, according to David Schairer, the company's chief systems architect.

"Out of about 5,000 messages that I scanned, I saw 17 virus traces. That's much lower than I would have expected," Schairer said.

However, the virus caused some internal problems at Concentric's corporate offices. "We saw a little bit of it, and our security people went right to work on it," Schairer said. "When you have 1,000 or more people, there will always be some who have their mail clients configured to allow these things through."

Even so, Schairer warned that since the virus was developed using a programming language that is easy to understand, further attacks are likely.

"This is going to get worse before it gets better," he said. "The code is very easy to read, and there will be copycats. Every teenager who understands a bit of Visual Basic can download this thing now, do their own thing with it, then distribute it again."

Customers at America Online, the largest U.S. Internet service provider, have been relatively unaffected, although the company is taking steps to alert them of the virus, said spokesman Rich D'Amato. AOL has its own proprietary e-mail program, which has been unaffected by the virus, D'Amato said. AOL has a pending merger agreement with Time Warner, the owner of CNNfn.

Amazon.com spokesman Bill Curry said that he was unaware of any problems created by the virus at the online retailing giant. Likewise, a spokesman for the online auction site eBay said the site is "operating at full strength."

Network administrators scrambling to contain the "ILOVEYOU" computer virus are now battling copycat attacks, including one dubbed "very funny."

The new variants can elude anti-virus software designed to block the "ILOVEYOU" bug and could potentially cause the same damage.

"We predict at least a dozen copycats within the next 24 hours," said computer security expert Peter Tibbett, who works for ICSA.net of Reston, Va., which measures the frequency and cost of viruses on 1 million machines per year.

"There'll be hundreds of these" in the coming days, he said, "maybe thousands."

He said he didn't expect the copycats to cause the widespread damage that Thursday's "ILOVEYOU" virus did -- which is estimated at tens of millions of dollars in damage worldwide and could reach $1 billion by Monday. However, Tibbett said the copycats should not be underestimated.

The latest virus comes via e-mail with "fwd:joke" on the subject line and an attachment "very funny.vbs." The copycat first appeared Thursday afternoon.

It is believed to have been re-sent from the earlier "ILOVEYOU" virus, rather than being that virus written to rename itself.

Tibbett urges computer users and companies to block all e-mails that have attachments as a precaution, or if they can, simply block attachments with *.vbs files.

"Quarantine or block anything coming into your organization with an attachment," he said.

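A mail-gateway check implementing the attachment-blocking advice above, as an added example that is not part of the original article: it parses a message with Python's standard `email` package and reports attachments ending in `.vbs`, or every attachment when `block_all` is set. The function names, addresses and the `NOTES.TXT.VBS` and `photo.jpg` samples are constructed for illustration; `fwd:joke` and `very funny.vbs` are the values quoted in the article.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions to quarantine; ".vbs" is the article's advice, extend per local policy.
BLOCKED_EXTENSIONS = {".vbs"}


def blocked_attachments(raw: bytes, block_all: bool = False) -> list:
    """Return the attachment filenames that should send a message to quarantine."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # handles RFC 2231 encoded filenames
        if name is None:
            continue  # body part or container, not a named attachment
        # Windows drops trailing dots and spaces when saving, and extensions are
        # case-insensitive, so normalise before comparing.
        normalized = name.strip().rstrip(". ").lower()
        ext = "." + normalized.rsplit(".", 1)[1] if "." in normalized else ""
        # Only the last extension counts: "NOTES.TXT.VBS" still runs as a script.
        if block_all or ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message with an inert placeholder attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(b"placeholder bytes, not a script\n",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subject, filename in [("fwd:joke", "very funny.vbs"),
                              ("constructed", "NOTES.TXT.VBS"),
                              ("constructed", "photo.jpg")]:
        hits = blocked_attachments(build_sample(subject, filename))
        print(filename, "->", "QUARANTINE" if hits else "deliver")
```

Matching on the subject line alone would miss the copycats the article describes, since each variant changes it; the check keys on the attachment type instead.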