|Children of 'Love' bug: No
by Roy Linker
An international manhunt has failed to deter several anonymous
authors from creating new, potentially more destructive variants of
the 'ILOVEYOU' script worm that clogged e-mail servers around the
world on Thursday.
In less than 36 hours, five different variants of the ILOVEYOU
worm have appeared. The one found Friday morning, dubbed "Mothers
Day," masquerades as a response to an order for a Mother's Day
gift. Like the 'Love' bug, the worm deletes files and spreads itself
"This will follow the pattern that we learned with Melissa,"
said David Kennedy, director of research services for security firm
ICSA.net. "Within 24 hours we saw a variant of Melissa. Within
three days we saw a worse variant that infected Excel files."
Kennedy expected a similar effect with ILOVEYOU.
"We will continue to see variations on the theme," he said.
In fact, late Friday another variant, called "Brainstorm,"
had popped up. The subject line of the e-mail carrying the worm says
"Important! Read carefully!"
More to come?
The "Mothers Day" variant is perhaps the worst yet, said
Richard Jacobs, president of Sophos Inc., an anti-virus software maker
in Wakefield, Mass. Instead of overwriting multimedia and script files
(as the "ILOVEYOU" worm does), he said, it overwrites and
deletes .bat and .ini files, which can cause more damage and prevent
systems from booting up.
Mothers Day Virus
* Subject line reads 'Mother's Day Order Confirmation' and a blurb of
text informs the recipient that his or her credit card has been
charged $326.92 for a Mother's Day diamond special. The attachment is
in the form of an invoice, entitled mothersday.vbs, leading security
experts to believe many people will unwittingly open it.
* A version of the bug apparently modified by someone in Lithuania.
The subject field is 'Susitikim shi vakara kavos puodukui,' which is
reportedly Lithuanian for 'Let's meet this evening for a cup of
* The subject field of this version reads 'fwdd:Joke,' and the
infected attachment is entitled VeryFunny.vbs.
a fifth variant of the 'love' bug.
Subject:'Important! Read carefully!!'
Body text: 'Check the attached IMPORTANT coming from me !'
Second, after mailing itself out, the worm places a copy into every
script file and several multimedia files as well, essentially deleting
Image files (.jpg and .jpeg), Visual Basic scripts (.wsh, .vbs and .vbe)
worm and will be renamed with the .vbs extension. HTML applications (.hta)
and other program codes (.css and .sct) will also be overwritten.
Music files (.mp3 and .mp2) are hidden, and a file of the same name --
containing the worm's script and a .vbs file extension -- is put in
The worm also infects files on networked and mapped drives, and it
sends itself to people who join a chat room with an infected member. A
number of Windows register entries are changed as well.
Note from another User Group with a make shift Fix.
A remedy, should you catch the ILOVEYOU virus
Until such time that you can
get a hold of a fix from McAfee or another virus removal publisher,
Find and delete LOVE*.HTM
Find and delete LOVE*.VBS
Run REGEDIT and delete:
Rename C:\WINDOWS\WSCRIPT.EXE to WSCRIPT.old
You may get an error upon start up that it can't find WSCRIPT.EXE to
run a script -- just cancel out. This is a Visual Basic program that
you probably don't need.