‘Mother’s Day’ ILOVEYOU Variant Surfaces 05/04/00

Steve Gold

LONDON, ENGLAND, 2000 MAY 5 (NB) — As the US wakes up to another day of ILOVEYOU virus problems, the variants of this potentially catastrophic worm are multiplying. Sophos (http://www.sophos.com) has just reported that variant D is now sweeping across the Internet.

Variant D of ILOVEYOU distinguishes itself with the text “Mothers Day Order Confirmation” in the header.

The message text of the e-mail reads:

“We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this e-mail. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com.”

Sophos reported that the attachment is called mothersday.vbs. The IT security firm said that mailers which suppress well-known extensions such as “.vbs” may present this file as mothersday, which appears more innocent.
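As an added illustration (not code from Sophos or from the original report), the following mail-gateway style check parses a message, flags attachments whose real extension is a script type, and records the name a mailer that hides known extensions would display. The extension list beyond ".vbs", the function name and the sample message are constructed assumptions, and the report's "header" text is assumed here to be the Subject line.

```python
import email
import os
from email import policy

# Assumption: script file types to flag; only ".vbs" comes from the report.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# Constructed sample message; attachment bodies are inert placeholders.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
Subject: Mothers Day Order Confirmation
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

We have attached a detailed invoice to this e-mail.
--BOUND
Content-Type: image/jpeg
Content-Disposition: attachment; filename="photo.jpg"

placeholder
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="mothersday.vbs"

placeholder
--BOUND--
"""


def flag_script_attachments(raw_message):
    """Return one finding per attachment whose real extension is a script type."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so drop them before splitting.
        stem, ext = os.path.splitext(name.strip().rstrip(". "))
        if ext.lower() in SCRIPT_EXTENSIONS:
            findings.append({
                "subject": str(msg["Subject"]),
                "filename": name,
                # What a mailer that hides known extensions would show.
                "displayed_as": stem,
            })
    return findings
```

Matching on the real extension rather than the displayed name is what lets a filter catch the attachment even when the recipient's mailer shows only "mothersday".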

Sophos said that because the virus arrives in a VBS file, it requires the Windows Scripting Host (WSH) in order to work. If users disable WSH on their PC, the viral attachment will be rendered harmless.

In its advisory to customers, Sophos adds that the virus also drops an HTM file which can spread the virus, and a mIRC script which tries to distribute it.

In addition, the virus checks the Internet Explorer Download Directory for the presence of the file WinFAT32.exe. If that file does not exist, the virus randomly picks one of three hacker Web sites and changes the registry to set it as the Internet Explorer Start Page.

As a result of this latest variant, Sophos points customers to its “Guidelines for Safe Hex” located on its Web site at http://www.sophos.com/virusinfo/articles/safehex.html, which it said will render PC users “almost immune” to the attack.

“If you do not read unusual or unlikely e-mails and if you have disabled the WSH, then you are unlikely to become infected,” the firm said.

Reported by Newsbytes.com, http://www.newsbytes.com.

(20000505/Press Contact: Graham Cluley, Sophos +44-1235-559933 /WIRES ONLINE, BUSINESS, PC, LEGAL, ASIA/VIRUS/PHOTO)

COPYRIGHT 2000 Newsbytes News Network

COPYRIGHT 2000 Gale Group