Love Letter virus mutates

• By FCW Staff
• May 05, 2000

Variations of the Love Letter virus — known as "Mother's Day" and "Joke" — continue to worm their way into computer systems worldwide today.

Mutations of the file name, its text and attachment are meant to hide the virus from the scrutiny of antivirus programs.

The original virus, known by the names "ILOVEYOU" or "love letter," hit more than a dozen government agencies, Congress and the White House on Thursday. It infected thousands of unclassified government computers and has forced some organizations to temporarily shut down their systems. (For an agency-by-agency look at the virus' impact, click here.)

The virus is similar to the notorious Melissa virus that plagued networks last year. It arrives as an e-mail attachment and uses the recipient's e-mail address book to send itself to potentially thousands of other systems. (For more on how the Love virus works, click here.)

In addition, the Mother's Day version is believed to delete .ini and .bat files. Deletion can affect the performance of applications on the infected system and can even prevent the system from functioning upon reboot.

The subject line is "Mothers Day Order Confirmation," located in the header of the e-mail. The attachment appears as "mothersday.vbs." The body text reads in part: "We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this e-mail."

Late Thursday, the Joke variant began to circulate. Its subject line was "joke" or "Fwd: joke," and the attachment was changed to "Very Funny.vbs."

As of 8:15 a.m. today, the Computer Emergency Response Team Coordination Center had received "several hundred reports [about the Love virus] from industry, government, academic institutions and home users, affecting more than 300,000 computers attached to the Internet," said Jeff Carpenter, senior Internet security technologist at the CERT Coordination Center.

"Since only a small fraction of affected users have reported to us directly, the total number of organizations and computers affected is much higher." (For CERT's advisory on the love letter worm, click here.)