- A new Internet "worm" that spreads via an e-mail message purporting to be a love letter is wreaking havoc around the globe.
Hundreds of thousands of computers are already estimated to be hit by the "ILOVEYOU" worm -- a software script. It was first detected on Wednesday night, according to Computer Associates International (CA) and has been more in evidence in the past 24 hours as it began its global sweep.
Sites throughout the world -- first in Asia, followed by Europe and the US -- have reported being infected by the virus, which is particularly troublesome because, unlike the notorious Melissa virus, which attached itself to the first 50 e-mail addresses in address books, the "ILOVEYOU" worm attaches itself to the entire address book, said Narender Mangalam, director of security, CA.
Besides affecting companies, the worm also struck the British houses of Parliament. Both the House of Commons and House of Lords were hit, leading to a shut down of e-mail that lasted a couple of hours.
"The message was noticed before lunch. It was a message sending love to you, which is the sort of message a lot of us here don't expect to be receiving," said Muir Morton, the deputy sergeant at arms for the House of Commons.
The Visual Basic script worm arrives in an e-mail message with the subject "ILOVEYOU," according to information from antivirus vendors, and carries an attached file titled LOVE-LETTER-FOR-YOU.TXT.vbs and the text "kindly check the attached LOVELETTER coming from me." Because it is based on Visual Basic script, the worm infects only computers that have Visual Basic, which is included with Windows 2000.
Users are advised to immediately delete the message and the attached file, "even if it's from your spouse," Mangalam said. He further advised that computer users immediately update antivirus software. Upgrades are available at the Internet sites of various antivirus vendors.
If opened, the worm inserts the following files: MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows system directory, Win32DLL.vbs in the Windows directory, WinFAT32.EXE and WIN-BUGSFIX.EXE in the Internet download directory and script.ini in the mIRC directory.
It is particularly adept at hiding itself "so you can't really tell where it's going," Mangalam said.
When it first was detected, the worm also would go out to four different Internet sites and pull software from those to download on infected computers, allowing hackers to possibly break into those computers, Mangalam said. The Internet sites have been shut down.
One of the companies hit by the worm was Adaco, a Stockholm-based food wholesaler with approximately 120 users.
"We were hit at around 2 p.m., but were quite lucky -- only three of our users got infected," said Conny Björling, IT manager at Adaco.
Björling immediately isolated the worm's code, which he said consists of around nine A4-sized pages of Visual Basic script and carries the signature of a Manila, Philippines-based hacker calling himself Spider.
"Although it is too early to say how serious a problem this really is, it certainly spreads like wildfire," he said.
Within five minutes, the worm had infected around 800 files, including some register and system files, added Björling.
The worm seems to have originated in the Philippines, agreed F-Secure, an antivirus software vendor in Espoo, Finland.
(Additional reporting by Laura Rohde in London, Terho Uimonen in Stockholm and Margret Johnston in Washington, D.C.)