(Technical note: there is a difference between a worm and a virus, but in the interests of getting to the point and helping you protect your systems from both, we may use the term viruses for both. We also acknowledge that there is a difference between viruses which can be spread via email, such as the 1995 Word Macro Virus, and those which are designed to spread via email, such as the more recent Melissa and Love Letter. However, we will only make this distinction where it is relevant.)

 

 

Viruses & Worms & Email
A Long & Winding History

Current Email Threats

Sections: ResumeKiller | Kak | NewLove | LoveLetter | Melissa

Viruses and worms are members of a family of software known as malicious code. Regardless of the intent of their creators, these programs cause everything from annoyance to anger to massive data loss and lost productivity.

Over the last 5 years we have seen a huge increase in the amount of malicious code spread via email and popular applications (such as Microsoft Word, Microsoft Excel, Microsoft Outlook, and Microsoft Visual Basic).

This page was written to help people understand the threat to information systems which email viruses represent. It deals with recent incidents in reverse order (most recent first). For background reading on viruses and anti-virus software, we suggest this article by Stephen Cobb. For a quick list of steps to protect your company against email viruses, check out this page.

Important Microsoft Fix Information

Microsoft has released a software patch which eliminates one of the mechanisms exploited by the current crop of email viruses. We have provided a link to the relevant location on the Microsoft web site, but suggest you read the rest of this paragraph before going there. The Microsoft page describes the "scriptlet.typelib/Eyedog" vulnerability as a potential threat on malicious web pages. Viruses and worms are not mentioned. The fact is, if left unpatched, the vulnerability exposes personal computers running Internet Explorer (IE) version 5.0 and/or Microsoft Office 2000 to virus attacks via most HTML-enabled email systems. This is true even if the recipient does not open any attachments: the embedded script runs when the HTML message is displayed or previewed. Even if you do not use IE as your browser, having it installed with the default security settings leaves you exposed without this patch. The relevant Microsoft page is:

http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

Note that this is entirely different from the much publicized Microsoft security fix for Outlook, announced in early May, but still not available (check this Microsoft page for more information).

Resume Killer Virus

Appearing at the beginning of the US Memorial Day weekend, Resume Killer is a variant of Melissa (referred to as Melissa.BG). Based on the macro capabilities of Microsoft Word, it has a relatively dangerous payload which tries to delete files. It spreads by sending itself to everyone in the email address books available on an infected machine, giving it a lot of potential to spread rapidly. These are the paths it attempts to delete:

C:\*.*
C:\My Documents\*.*
C:\WINDOWS\*.*
C:\WINDOWS\SYSTEM\*.*
C:\WINNT\*.*
C:\WINNT\SYSTEM32\*.*
plus all files in the root directory of all drives from A to Z.

The email message in which it arrives has the subject: Resume - Janet Simons. It is addressed to: Director of Sales/Marketing and says:

"Attached is my resume with a list of references contained within. Please feel free to call or email me if you have any further questions regarding my experience. I am looking forward to hearing from you. Sincerely, Janet Simons."

There is an attachment, Explorer.doc, which should NOT be opened. You or your company might want to set up filters in firewall or email software to block the above message, but bear in mind that this is not foolproof: copycat viruses with altered subject lines, sender names and message text are likely to appear. (Apart from making sure everyone in your organization knows how to handle email attachments safely, one step you should take is to deactivate the executive summary feature in Microsoft Outlook.) Here is information from the anti-virus vendors and response centers:

CERT on Resume Killer

F-Secure (formerly Datafellows) on Resume Killer

McAfee on Resume Killer

Symantec on Resume Killer

NIPC on Resume Killer

Kak -- A Growing Threat

Historically, the spread of computer viruses through infection of host software has always been limited by definition: the host code has to be executed in order for the virus to infect a new host. That is why virus writers are so interested in automated processes such as booting the computer (boot sector viruses were by far the most common form of infection during most of the last decade). The auto-execute feature of macro code is appealing from this perspective, as is HTML-enabled email. HTML has always been able to do more than simply format pages for display; today's HTML can execute, or cause to be executed, powerful embedded code. This allows...

Kak has been described as "one of the first of a new breed of viruses that can infect users simply when they read an e-mail, or even by previewing an e-mail using Microsoft's Outlook Express - opening an attached file is not required" (MSNBC). Kak has been known for some time, but has recently become more widely distributed. On May 24, 2000, some 50,000 clients of Shoppingplanet.com received an email newsletter infected with Kak. Many of those who previewed or read the email in Outlook Express are likely to have become infected. After infection, the virus sends a copy of itself with every message the victim sends.

The Kak payload itself is not destructive, but this is no reason to take this virus lightly. A large percentage of the losses caused by viruses are cleanup costs, since no organization can afford to carry on doing business knowing that its systems are infected and are in turn infecting customers, partners, suppliers, and so on.

There are several ways of reducing your exposure to Kak-type malicious code. These include turning off scripting (click here for a description of this) and applying the Microsoft patch mentioned at the top of this page. Turning off the "HTML-enabled" setting in your email program is also a good idea. We have long contended that email works best if it is straight ASCII, with no formatting.

F-Secure (formerly Datafellows) on Kak

New Love

Similar to LoveLetter (see below) this virus appeared about two weeks after LoveLetter and apparently failed to spread with anything like the same speed, due to three factors:

  1. bad design,
  2. heightened awareness among users in the wake of LoveLetter, and
  3. swift, drastic reaction by many large systems.

However, three features of this incident were significant and should be considered carefully when evaluating the threat of malicious code:

  1. NewLove was designed to be far more destructive than LoveLetter,
  2. someone created this virus knowing how much damage LoveLetter caused, and
  3. turning off email for a large system, even for a few hours, has a major impact on productivity.

We think some virus writers will be attracted to the idea of causing preemptive email outages at big companies. Along with the low level of apprehension and punishment, this is likely to produce a near term increase in such incidents.

F-Secure (formerly Datafellows) on New Love

The Love Letter Arrives

As of May 7, 2000, three days after it had caused significant damage to millions of computers around the world, the origins of the malicious code known as Love Letter were still shrouded in mystery. Investigations were under way in the Philippines. Some theories pointed to Germany and Australia. But this was mostly academic for the users who lost data, time, and peace of mind because of this latest example of computer misuse.

On the morning of May 5, the Washington Post described it like this: "An electronic virus disguised as a love letter raged around the globe yesterday, worming its way into potentially millions of personal computers and cutting the e-mail lifelines that serve individuals, businesses and governments." They reported that the virus clogged computer networks from Belgium's banking system to Britain's Parliament to the Pentagon and Ford Motor Co. And if there is anyone left who thinks viruses are just a nuisance, and releasing them is just a prank, consider that scientists at the Centers for Disease Control and Prevention in Atlanta and at the Food and Drug Administration were denied access to their systems because of this infection.

The federally funded Computer Emergency Response Team (CERT) Coordination Center at Carnegie-Mellon University reported that by 2:00 PM EDT on May 4, 2000, they had received reports from more than 250 individual sites indicating that more than 300,000 individual systems were affected. In addition, they stated: "we have several reports of sites suffering considerable network degradation as a result of mail, file, and web traffic generated by the "Love Letter" worm." By that time many corporations and government agencies had turned off their email systems, and many anti-virus vendors' web sites were struggling to keep up with the demand for information.

Love Letter Details

There are plenty of sources to turn to for a description of this problem. One of the best is a place you should already be familiar with, CERT, which grew out of the response to the first major Internet security incident, the Morris Worm of 1988. Here is how CERT describes the "Love Letter" worm: a malicious VBScript program which spreads in a variety of ways, including electronic mail, Windows file sharing, IRC, USENET news, and possibly via web pages. Click here for the full CERT report. Another valuable government source is CIAC. Click here for the relevant pages at CIAC.

One of the first anti-virus companies to post an analysis was Datafellows. The company describes one way of protecting systems against VBScript worms (uninstalling the Windows Script Host). As a worm, LoveLetter uses the Outlook e-mail application to spread, but LoveLetter is also an overwriting VBS virus, meaning that it infects existing files by overwriting them with its own code (LoveLetter overwrites .jpg image files and .mp3 audio files, two of the most widely used formats on Internet-connected computers). LoveLetter also spreads itself using the mIRC client and installs itself in the Windows System directory as MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs, and in the Windows directory as Win32DLL.vbs.

The program does not stop there: it also adds itself to the Windows registry so that its code is executed when the system is rebooted (this caught many users who rebooted in the hope of stopping LoveLetter after it had started). LoveLetter also changes the home page in Internet Explorer so that it points to an executable program. If this is downloaded, a password-stealing Trojan is added to the user's system. The Trojan tries to find and delete registry keys related to passwords on the system. Eventually, if not stopped, the code sends stolen RAS passwords and all cached Windows passwords to an email address in the Philippines.
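The reboot persistence and the start-page change described above are the two things a responder should check first on a machine that has run a script of this kind. The following Python script is an added example, not code from the original page or from any vendor analysis: it parses a registry export and flags autostart entries (Run, RunOnce, RunServices) that launch a script file or the Windows Script Host, and an Internet Explorer start page that points at an executable rather than a web page. The REGEDIT4 text it parses is constructed for this illustration; the two .vbs entries reuse the file names the text gives, while the Start Page URL and executable name are placeholders. On a real machine you would export the keys with regedit and feed that file in.

```python
import re

# Constructed REGEDIT4 export for this illustration: the two .vbs autostart
# entries use the file names given in the text above; the Start Page URL and
# executable name are placeholders, not the real download location.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/update.exe"
'''

# Keys whose values run at boot or logon (compared case-insensitively).
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce",
                      "\\currentversion\\runservices")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta")
EXEC_EXT = SCRIPT_EXT + (".exe", ".com", ".scr", ".pif", ".bat")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "wscript", "cscript")

# "name"="string value"; a .reg file escapes backslash and quote with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Yield (key, value_name, string_value) for the REG_SZ entries of a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def command_tokens(value):
    """Split a command line into unquoted, lowercased tokens."""
    return [t.strip('"').lower() for t in value.split()]


def find_suspicious(reg_text):
    """Return the autostart and start-page entries a responder should look at."""
    hits = []
    for key, name, value in parse_reg(reg_text):
        k = key.lower()
        tokens = command_tokens(value)
        if k.endswith(AUTOSTART_SUFFIXES):
            if any(t.endswith(SCRIPT_EXT) for t in tokens):
                reason = "autostart entry runs a script file"
            elif any(t.rsplit("\\", 1)[-1] in SCRIPT_HOSTS for t in tokens):
                reason = "autostart entry invokes the Windows Script Host"
            else:
                continue
        elif k.endswith("\\internet explorer\\main") and name.lower() == "start page":
            if not value.lower().endswith(EXEC_EXT):
                continue
            reason = "IE start page points to an executable, not a web page"
        else:
            continue
        hits.append({"key": key, "name": name, "value": value, "reason": reason})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_REG):
        print("%s\\%s = %s  <- %s" % (h["key"], h["name"], h["value"], h["reason"]))
```

The legitimate SystemTray entry in the sample passes, while the two .vbs entries and the executable start page are reported. Only string values are parsed; binary and DWORD entries in a real export are ignored, which is adequate here because autostart commands and the start page are both REG_SZ.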

According to Don Faulkner, MCP, Senior Security Analyst with InfoSec, "The LoveLetter Trojan is more or less an "essay" in the art of script virus writing. It is designed to be highly resilient, creating several backup copies of itself, and providing for restart within the windows registry. It performs a myriad of tasks, from getting files, to replicating itself along several nonstandard paths (such as IRC). Additionally, it has the capability to email password lists from the infected box to (presumably) the author."

Faulkner points out that there are pros and cons to this style of virus writing: "Because LoveLetter tries so many things, in effect saying, "look what I can do!" it is very noisy and easy to detect. However, a shrewd programmer could modify this code skeleton into something much more difficult to detect, yet much more devastating." And LoveLetter quickly gave rise to variants.

(Note: there is a formal naming convention for malicious code, which calls the original version LoveLetter, then names it LoveLetter.A when the first variant appears, which is designated LoveLetter.B and so on. We have tried to stick with this nomenclature in our articles, avoiding the favored press name of "Love Bug.")

LoveLetter.A was found globally in-the-wild on May 4th, 2000. Shortly thereafter the LoveLetter.B variant appeared, using another message subject: Susitikim shi vakara kavos puodukui (Lithuanian for "Let's meet this evening for a cup of coffee..."). The third variant, LoveLetter.C propagates in a message with Subject: fwd: Joke Attachment: Very Funny.vbs. And so on, up to 20 variants appearing within days of the original version.

One of the most pernicious was LoveLetter.E which spreads itself in a message that says: Subject: Mothers Day Order Confirmation, Body: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. The user is thus tempted to click on what appears to be an attached invoice. Additionally, this variant deletes all files with the extension ".ini" and ".bat" instead of ".jpg" and ".jpeg". Another notable variant is LoveLetter.G, similar to the original but seems to originate from Symantec's support with the subject Virus ALERT!!! The Body of the message begins "Dear Symantec customer, Symantec's AntiVirus Research Center began receiving reports regarding VBS.LoveLetter.etc."

As with previous email-based malicious code, variants, copy-cats, and re-infections have continued in the wake of the original. Considered estimates of the amount of money that LoveLetter cost the world within the first week are upwards of $1 billion. All of this due to something which is clearly preventable, and has happened before.

The Melissa Virus

More than a year before LoveLetter, on the weekend of March 27-28, 1999, the Melissa virus emerged as a very real and serious threat. This was the first major outbreak of a Microsoft macro virus deliberately using email as a path of distribution. As such, Melissa (sometimes called Mailissa, conventionally termed W97M/Melissa) received a lot of media attention. This was not hype or an anti-virus vendor marketing ploy: the threat and damage were real, and the technique has since evolved into new variants and types, such as LoveLetter. For verification and details consult these sources:

A. The CERT® Coordination Center (part of the Software Engineering Institute, operated by Carnegie Mellon University for the Department of Defense) 
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html

B. Datafellows, a widely-respected AV company in Europe 
http://www.datafellows.com/v-descs/melissa.htm

C. Symantec, a leading US AV vendor 
http://www.symantec.com/avcenter/venc/data/mailissa.html

The Main Points About Melissa
  • Affected systems using Microsoft Word for word processing and Microsoft Outlook for email.

  • Anti-virus scanners could not be relied upon to catch this virus (until anti-virus vendors were able to develop suitable updates and organizations had a chance to install them).
  • If a system gets infected, the virus may email Word documents from that system to 50 people or more, without asking for permission (Word documents may contain some of company's most sensitive information).
  • The virus arrives attached to a message that appears to come from someone the recipient knows, and the message says "Here is that document you asked for." This makes it quite likely that people who are not aware of the virus will open the attachment.
  • This virus spread rapidly. It first appeared on Friday, the 26th of March, 1999. By Sunday, the 28th, a security officer at a 7x24 government agency told us they were already getting hit. Affected organizations report serious network traffic degradation and major corporations, including Microsoft, took the drastic step of shutting down their entire email system to prevent the virus from spreading. 

More on Melissa

The following news reports, compiled from numerous sources in the days immediately after the Melissa outbreak, underline the seriousness of the problem. They are followed by reports of Papa, a Melissa-like virus. Note that this happened a year before the LoveLetter outbreak, so it would be hard for anybody to say they were unaware this sort of thing could happen (an important implication when assessing corporate due diligence and liability issues).

Lockheed Martin Corp. of Bethesda, one of at least 250 organizations hit, cut its 100,000-person e-mail system off from the outside world, and on Tuesday night technicians were still working out the company's problems with "Melissa."

The Computer Emergency Response Team (CERT), a security group at Carnegie-Mellon University, managed to contain much of the damage by putting out alerts over the weekend. On Monday it said it had received reports of the virus hitting about 100,000 computers at 250 organizations and it assumed the total was much larger.

One advertising company reported to CERT that its 500-employee computer network was buffeted by 32,000 e-mail messages in a 45-minute period, effectively shutting down legitimate uses of e-mail.

Melissa also hit the Department of Defense, according to a spokeswoman for the agency's Joint Task Force-Computer Network Defense.

Even as corporate computer network managers were grappling with Melissa, new variants of the bug were being detected, ones that, like Melissa, arrive via incoming electronic mail and essentially morph into electronic chain letters when opened by the recipient.

If that were not enough, specialists reported the presence of "Papa" -- another e-mail-launched virus that makes use of Microsoft's Excel spreadsheet program to send out multiple e-mail messages.

CERT said the number of organizations reporting problems from Melissa dropped substantially on Tuesday. There were 50 reports of the virus reaching computer systems compared with 250 reports on Sunday and Monday.

TW Scott at Northrop Grumman Corp.'s defense electronics unit in Linthicum, MD, said his staff has been working round the clock since Friday, when the virus first began appearing in e-mails across the globe. The company disabled its external e-mail system while it performed a number of system wide checks and software fixes designed to either eradicate viruses that might have come into the network or block those that hadn't already made it through the network's defenses.

More Tips and Links

Remember, your anti-virus software will probably not protect you against LoveLetter, or even Melissa and Papa and their variants, unless you have purchased it recently or updated it regularly. The main protection is awareness: any file attachment or document sent to you which you were not expecting should be questioned, even if it appears to come from someone you know. Why not wait before opening the attachment and send the sender an email asking for confirmation?

Added protection against Word macro viruses is possible if you turn on Word's macro virus protection, so that macros in a document do not run automatically. In Word 97 that means clicking on the "Tools" menu, choosing "Options," then "General," and checking the "Macro virus protection" check box. Also, pay attention to messages that may appear when opening Word, Excel or PowerPoint files saying "Warning: Macros." Do not dismiss this warning unless you are absolutely sure of what the file contains. If in doubt, choose the option to disable macros.

You can prevent Visual Basic Script viruses such as LoveLetter from executing by renaming the Wscript.exe program, found in the Windows directory, to another name (for example Wscript.old), so that double-clicking a .vbs file no longer finds a program to run it. Bear in mind that this may affect functionality in some legitimate applications, and that the command-line companion Cscript.exe can also run scripts.

Updated Spring, 2002 by webloke © Stephen Cobb
Some article content reprinted by permission.
Article content copyright named author(s).