More information on the "LoveLetter" story

09 May 2000
Business News

"LoveLetter" worm: how did it happen?

The number of "declarations of love" at the beginning of May 2000 exceeded the most optimistic forecasts and is currently at least three times the statistical average. Everybody was declaring their love, from secretaries and clerks to bosses and parliamentarians, and they did so insistently and thoroughly: everybody who could be reached was loved.

This impressive epidemic of love stories began on May 4 2000, when a German or Filipino (this is still under investigation) student sent their new worm creation to Internet conference(s). It then spread like wildfire: the worm occupied and affected millions of computers with fantastic speed because of its "fan-delivery" method of infection. The worm sent copies of itself to all the addresses that it found in the victim's Outlook address book.

Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab Int., compared the worm's spreading routine with an A-bomb: "This worm sends itself IMMEDIATELY it infects a system (unlike KakWorm that attaches itself to messages that are sent by a user). The worm sends itself to ALL the addresses that it can get from the Address Book (unlike Melissa that uses just 50 addresses). As a result the "chain reaction" of infected messages (and, of course, infected machines and networks) was dramatically accelerated. Imagine an average company with 50 employees, 300 addresses in Outlook, and about 20% of staff not aware of the possible danger in attached messages. The average number of infected messages that will be sent from such a company is 0.20*50*300 = 3000 infected messages. As far as I recall, in nuclear bombs each neutron causes three more neutrons. So you see, a computer love bug can be 1000 times more powerful than an A-bomb!"
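The chain reaction in the quote can be put into numbers. The following is an added example, not code from Kaspersky Lab or from the original article: a mean-field model that compares a 50-address cap with a full 300-entry address book, using the 20% figure from the quote. The population of 1,000,000 mailboxes, the uniformly random choice of recipients, the single initial infection and all function names are assumptions made for the illustration.

```python
"""Mean-field model of mass-mailing worm spread (illustrative, constructed parameters)."""

def company_messages(staff, addresses, unaware_fraction):
    # The estimate quoted above: every unaware employee mails the full address book.
    return round(unaware_fraction * staff * addresses)

def simulate(population, unaware_fraction, fanout, seeds=1, max_generations=50):
    """Return [(generation, newly_infected, messages_sent), ...].

    Assumptions (not from the article): recipients are drawn uniformly from
    `population` mailboxes, only the unaware fraction ever opens the attachment,
    and a machine mails out once, in the generation after it is infected.
    """
    susceptible = population * unaware_fraction - seeds
    senders = float(seeds)
    history = []
    for generation in range(1, max_generations + 1):
        messages = senders * fanout
        # Chance that one particular mailbox gets at least one copy this round.
        p_hit = 1.0 - (1.0 - 1.0 / population) ** messages
        newly_infected = susceptible * p_hit
        history.append((generation, newly_infected, messages))
        susceptible -= newly_infected
        senders = newly_infected
        if senders < 0.5:  # outbreak has burned out
            break
    return history

def generations_to_reach(history, population, unaware_fraction, share=0.9, seeds=1):
    """First generation at which `share` of the unaware users are infected, or None."""
    target = share * population * unaware_fraction
    total = float(seeds)
    for generation, newly_infected, _ in history:
        total += newly_infected
        if total >= target:
            return generation
    return None

if __name__ == "__main__":
    N, P = 1_000_000, 0.20  # constructed population; 20% unaware as in the quote
    print("company estimate:", company_messages(50, 300, P))
    for label, fanout in (("50-address cap", 50), ("300-entry address book", 300)):
        h = simulate(N, P, fanout)
        print(label, "| first-generation infections ~", round(h[0][1]),
              "| generations to 90%:", generations_to_reach(h, N, P),
              "| messages sent:", round(sum(m for _, _, m in h)))
```

The first-generation figure is the number of new infections caused by one infected machine, which is the quantity the quote compares with three neutrons per neutron; anything that lowers the per-machine fan-out or the share of users who open attachments lowers it directly.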

The first region to fall was Asia, from where (Philippines) the worm started its invasion of the world. When the rest of the world awoke, the worm affected European countries, then followed the time zones and jumped overseas to America. In a few hours the whole world was crippled by the new computer monster. News agencies stated that there were approximately 3 million computers infected, and losses were estimated at from a hundred million to 10 billion US dollars.

Antidote discovered?

It was not too difficult to develop a special cure module against the "LoveLetter" worm. Kaspersky Lab's anti-virus experts spent about 10 minutes producing an emergency update to the AntiViral Toolkit Pro (AVP) anti-virus database. The update was immediately provided to AVP users. The first trouble was that the worm started to mutate. This was because the worm is written in the VisualBasic script language, i.e. it is distributed as source code and is therefore very easy to modify. As a result, anybody with elementary VisualBasic knowledge is able to modify the worm's code, adding or removing routines and functions.

The second problem with the detection of script viruses and worms is that in some cases the scripts are activated as a program in system memory only, not as a program from a disk file. As a result, anti-virus monitors responsible for scanning disk files are useless for detecting malicious code in such scripts.

The way out
The best way to protect your computer or a network against "LoveLetter"-style worms and other script-viruses is to use AVP Script Checker.