
Fw: Virus -I Love You'


sazli
 

----- Original Message -----
Sent: Friday, May 05, 2000 11:28 AM
Subject: Virus -I Love You'

Pls take note.
Subject: 'ILOVEYOU' virus threatens commerce, e-mail and history

By D. Ian Hopper
CNN Interactive Technology Editor

(CNN) -- Computer users around the world survived a
particularly rough day Thursday as the self-propagating
and destructive "ILOVEYOU" virus destroyed critical files
and jammed electronic mail systems, causing millions of
dollars in damages.

Experts estimated that 60 percent to 80 percent of U.S.
companies were infected. Additionally, several U.S.
government agencies and the Senate were hit, as well as
more than 100,000 servers in Europe.

The virus was first reported in Hong Kong and spread
gradually west as Thursday dawned, infecting government
and business computers. Anti-virus companies in the United
States fielded thousands of calls from corporate customers
reporting widespread infections.

Several anti-virus companies have developed "virus
definition" files for the "ILOVEYOU" virus, which is
currently known to spread through the Microsoft Outlook
e-mail program and through a popular Internet Relay Chat
program. Those files have so-called "fingerprints" for
the virus, allowing those programs to detect and eliminate
it.

The malicious code is a hybrid virus and worm. Like the
Melissa and Explore.Zip worms, it propagates itself through
networks -- in this case, e-mail. But unlike those two, it
also destroys and replicates itself by manipulating files,
in this case JPEG and MP3 files on a user's hard drive,
like a traditional virus.

"This is fairly big time," said computer security expert
Peter Tibbett, who works for ICSA.net of Reston, Virginia,
which measures the frequency and cost of viruses on 1
million machines per year.

The FBI has begun investigating the virus. Officials at
the National Infrastructure Protection Center were meeting
Thursday to discuss the attack's impact. Two clues within
the virus code indicate that it may have originated in the
Philippines.

The beginning of the virus code states, in comments, the
alias "spyder," and contains an anonymous e-mail address
and a company name. It is also signed "Manila, Philippines,"
and with the comment, "i hate go to school."

Additionally, the virus tries to set the user's Internet
Explorer start page to a Web site registered in Quezon,
Philippines. It attempts to trigger a program called
"WIN-BUGSFIX.exe" on one of four user accounts through the
same site. The site belongs to one of the largest Internet
Service Providers in the Philippines.

How it works

Security experts at F-Secure have analyzed the virus
thoroughly. Users usually get an e-mail, sometimes from
someone they know, asking them to check the attached
"Love Letter." That file is a VisualBasic script, which
contains the virus payload. As long as the user deletes
the e-mail without opening the attachment, their computer
is safe from harm. Once a computer is infected, the virus
transmits itself through e-mail using Outlook's address book.

"What makes this virus so much more aggressive than Melissa
is that this virus sends copies to all the addresses,
whilst Melissa only sent copies to the first 50 addresses,"
Fagerland said.

The virus can also travel through the Internet Relay Chat
client mIRC, according to F-Secure, which has analyzed the
malicious code.

Unlike the "Melissa" virus, which traveled in a similar
fashion, "ILOVEYOU," also known as the Love Letter worm,
is more destructive. First, it copies itself to two
critical system directories and adds triggers in the
Windows registry. This ensures that it's running every
time the computer reboots.

The virus then starts affecting data files. Files associated
with Web development, including ".js" and ".css" files, will
be overwritten with a file in the VisualBasic programming
language. The original file is deleted. It also goes after
multimedia files, affecting JPEGs and MP3s. Again, it deletes
the original file and overwrites it with a VisualBasic file
with a similar name.

'LOVE' already costing much

Tibbett estimated $100 million in software damage and lost
commerce had been caused by 9 a.m. Thursday in North America
alone and predicted the price tag would exceed $1 billion
by Monday morning.

ICSA.net has 200,000 clients, among them financial
institutions, government agencies and corporations, Tibbett
said. The Department of Justice used the company's estimates
for damage caused by last year's Melissa virus, he said.

"This beats Melissa hands down," Tibbett said.

According to ICSA.net, the Melissa virus infected 20 percent
of North American companies' computer systems. "We anticipate
this'll exceed 50 percent of North American companies by
Monday," Tibbett said.



