Love Letter, the most damaging and widespread e-mail virus to date, now has spun off as many as five variants originating all over the world, say antivirus experts.
The original virus is starting to come under control, say executives for antivirus vendor McAfee, but several copycat viruses emerged on Wednesday and Thursday that operate similarly to the original Love Letter worm.
Experts urge e-mail users to beware of messages with the subject lines, "RE: Joke" and "Mother's Day Gift Confirmation", as well as a Lithuanian strain with the subject line, "Susitikim shi vakara kavos puodukui...." All carry the same destructive load as the Love Letter message.
The Mother's Day version appears to have been born in the US, says Mikko Hypponen, manager of antivirus research at security software supplier F-Secure in Finland. The company received a sample on Thursday from the US.
"Since the text in the message also refers to US dollars, it certainly appears to be from America, but we have not confirmed that yet," Hypponen says.
The message field of the Mother's Day e-mail reads: "We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! email@example.com." The attached file is titled mothersday.vbs.
F-Secure and other vendors now recommend that computer users turn off a feature called Script Hosting that is one of the default settings in Microsoft's Internet Explorer browser. This prevents any VBScript worms such as the original Love Letter and its variants from affecting a system.
Virus fighters update cures
"Our customers have been able to deploy cures to Love Letter and its variants," says Gene Hodges, president of the McAfee division at Network Associates.
Damages in the United States are estimated at $US2.6 billion through to Thursday, according to Computer Economics. That number could rise to $10 billion by tomorrow, making Love Letter the worst worm ever. And the effects of Love Letter have been felt worldwide.
McAfee has reason to believe that the virus originated in Manila. "There is a user ID of firstname.lastname@example.org," Hodges says. "I wouldn't say we're dead sure it came from the Philippines but it did originate in the Far East."
One reason for the worm's virulence: "It is craftily designed to spread itself," Hodges says.
The worm looks into your Outlook address book and sends itself to everyone listed there, and it also copies over widely distributed files such as .jpeg, .mp2, and .mp3 files, Hodges says.
The three named variants operate similarly and affect files in similar ways, he adds. But our worm worries may not be over, as McAfee has only just identified the possible new strains.
The virus affects only Windows systems, Hodges says. "It uses Windows scripting typically installed with Internet Explorer 5.0." None of the strains affect Macintosh, Linux, or Unix systems, Hodges says.
Corporate customers have gotten better at responding quickly since last year's Melissa virus, Hodges says.
McAfee offers a web-based cleaning system for the virus at MyCIO.com, as well as a downloadable update to the McAfee antivirus scan software.
"Since yesterday, we've serviced over 1 million customers worldwide," says Srivats Sampath, McAfee.com's president and CEO. "It's starting to get under control; people are becoming informed of the virus and the mechanisms to protect themselves from it."