For immediate releaseHONG KONG, China, May 19th, 2000 - F-Secure Corporation (formerly Data Fellows) [HEX: FSC], a leading provider of security for mobile, distributed enterprises, is warning e-mail users of a new version of the VBS/LoveLetter virus. The new version is known as NewLove, and it carries much more dangerous payload than LoveLetter. However, NewLove is not widespread at all.
This worm spreads by e-mail, much like LoveLetter. However, the subject field of the e-mail and the name of the attached file are random. NewLove operates under Windows operating system and needs Microsoft Outlook to spread itself further via e-mail. F- Secure Anti-Virus detects and disinfects the virus, with the latest update available from www.F-Secure.com .
"This worm is too destructive to go very far", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. "When people were hit by LoveLetter, they didn't notice it until they were contacted by people who they had sent the virus to. With NewLove, you're computer crashes immediatly and you loose your files. It's difficult to miss that."
"We have had no reports of this in Hong Kong", comments Allan Dyer, Technical Director at Yui Kee Computing. "Also, discussion between international anti-virus researchers indicates that NewLove has not spread much."
The spreading technique of the virus is tricky; it picks up a filename from the list of recently used files. This name could be, for example "Comments from Bob.txt". Then the virus would copy itself to a similar name: "Comments from Bob.txt.vbs" and e-mail that file as an attachment to people found from the address book. Subject of the e-mail would be "FW: Comments from Bob.txt". The results is quite realistic looking e-mail, which might be opened even by careful users.
With default settings Windows would hide the ".vbs" extension of the attachment. If the user would open the file, the worm would immediatly e-mail itself further and then start to delete all accessible files on the local hard drive and in the company network. As a result, the computer crashes on won't boot.
Currently, there's no information on where the virus may originate from. There's no obvious clues in the source code of the virus.
"The virus is programmed so that it keeps on changing it's code by adding random junk text into it", comments Mikko Hypponen. "This makes the virus larger and larger as it spreads - eventually making it so large it can't be e-mail as an attachment any more. This is another factor that limits the spreading of this virus."
"After all, technology is not all that matters for a virus to spread. It also needs to get lucky."
A technical description of the virus is available in the F-Secure virus description database at: http://www.F-Secure.com/v-descs/newlove.shtml
Sample pictures of the code of the VBS/LoveLetter worm is
available in the F-Secure virus screenshots center at:
http://www.F-Secure.com/virus-info/v-pics/
Founded in 1988, F-Secure is listed on the Helsinki Stock Exchange [HEX: FSC]. The
company is headquartered in Espoo, Finland with North American headquarters in San
Jose, California, as well as offices in Canada, China (Hong Kong and Beijing), France,
Germany, Japan, Sweden and the United Kingdom. F-Secure is supported by a network
of VARs and Distributors in over 90 countries around the globe.
For further information, please contact
Hong Kong:
Yui Kee Co. Ltd.
Mr. Allan Dyer, Technical Director
Tel: +852 28708555
Fax: +852 28736164
email: adyer@yuikee.com.hk
or visit the Yui Kee web site at http://www.yuikee.com.hk/
USA:
F-Secure Inc.
Mr. Dan Takata, Manager, Training Division
San Jose, CA 95112
Tel. +1 408 938 6700,
Fax +1 408 938 6701
e-mail Dan.Takata@F-Secure.com
Finland:
F-Secure Corporation
Mr. Mikko Hypponen, Manager, Anti-Virus Research.
PL 24
FIN-02231 ESPOO
Tel +358 9 8599 0513
Fax +358 9 8599 0599
E-mail: Mikko.Hypponen@F-Secure.com
Note to Editors: Further technical information and a screenshot of the virus is available at: http://www.F-Secure.com/virus-info/v-pics/