Tutorial By Marc Hoffman

Responding to the Dreaded "Love Bug"


Introduction: This is Not Herbie*....

By now, the reports of the so-called "Love Bug" virus have spread almost as fast as the virus itself. But what sets the Love Bug apart from other viruses before it, such as Melissa and Happy99? The biggest factor that sets the Love Bug apart from its predecessors is what is known as the virus' payload. A payload is what the virus was designed to do after infecting a computer system. Sometimes the payload is harmless. For example, the payload of Happy99 is to simply replicate itself. Whenever an email message is sent out on a computer system infected by Happy99, the virus tags along for the ride (this all happens behind the computer owner's back, and is unknown to him or her). So each email message sent from that computer has a stowaway, and when someone else opens up Happy99 after receiving it from the first system, that second system becomes infected as well. But Happy99 does not actually damage anything on the computers that it infects (as a matter of fact, it backs up critical system data before infecting it, making the process of removing the little bugger pretty easy).

The payload on the Love Bug, however, is quite different. It does share one common aspect with viruses such as Happy99 in that it uses the infected computer's email system to spread itself. But that's where the similarity ends. Upon infecting a computer, Love Bug immediately searches to see if Microsoft Outlook (not Outlook Express) is installed on the computer. If it is installed, it proceeds to send itself out to *everyone* in the Outlook address book. This means that if the infected computer has 200 addresses in the address book, 200 copies of the Love Bug will be emailed out, all at one time, and in the name of whoever owns the infected computer. So for example, if a loved one's address is in the Outlook address book and he or she receives the virus' message, shown in Figure 1 below, there's a large temptation to open up the letter. Once the attachment is run, the system is infected. But that's only part one of the payload. The second part is much worse. All files with the following extensions will either be destroyed or "hidden" from the user's sight:

.vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .mp3, and .mp2.

Obviously, the results could be disastrous. Imagine a web design firm getting infected with Love Bug. All web pages have the extension ".html" or ".htm". These files would instantly be destroyed, and hours upon hours of work would be wiped out in seconds. And that's just the beginning. Along with web page data comes image, or picture, data. All of those web pages that pop up on the internet have pictures. And those pictures are stored in special file formats. These formats are targeted by Love Bug for destruction. So any picture with the extension ".jpg", ".jpeg", or ".gif" (all common picture formats used on the internet) will be overwritten, as shown in Figure 2 below; all the examples shown were previously ".jpg" image files, and are now useless. So unless these files are backed up, the chances of repairing them are not good.
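To gauge the damage described above, the following added example (not part of the original tutorial) walks a folder and checks whether each picture file still begins with the standard JPEG or GIF signature bytes. The function names and the sample files are assumptions made up for illustration, and a matching signature only shows that the file header survived.

```python
import os
import tempfile
from pathlib import Path

# Leading bytes of an intact file, per picture extension named on the page.
MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".gif": (b"GIF87a", b"GIF89a")}

def image_suffix(path):
    """First picture extension anywhere in the name, else None.
    Assumption: a damaged file may have gained an extra trailing extension."""
    for suffix in Path(path).suffixes:
        if suffix.lower() in MAGIC:
            return suffix.lower()
    return None

def assess(root):
    """Walk root; return sorted (intact, damaged, unreadable) relative paths."""
    intact, damaged, unreadable = [], [], []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            full = Path(folder) / name
            suffix = image_suffix(full)
            if suffix is None:
                continue  # not a picture type this check understands
            rel = full.relative_to(root).as_posix()
            try:
                with open(full, "rb") as handle:
                    head = handle.read(8)
            except OSError:
                unreadable.append(rel)
                continue
            ok = any(head.startswith(m) for m in MAGIC[suffix])
            (intact if ok else damaged).append(rel)
    return sorted(intact), sorted(damaged), sorted(unreadable)

def demo():
    """Assess a constructed sample tree (all file contents are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        site.mkdir()
        (site / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 16)
        (site / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        (site / "banner.jpg").write_bytes(b"constructed plain text\n")
        (site / "team.jpeg.bak").write_bytes(b"more constructed text\n")
        (site / "index.html").write_bytes(b"<html></html>")
        return assess(tmp)
```

Calling assess() on a real folder returns the same three lists; anything in the damaged list is a candidate for restoring from backup.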

To make matters even worse, there are several "copycat" versions of the Love Bug beginning to appear. They all try to trick the user into opening them up so that they can infect the system. These copycats vary the message that comes with the email to read anything from an order confirmation for a Mother's Day gift to a virus warning! The main goal of the authors of these viruses is to get the user to open them. So be careful. A complete list of the Love Bug variants can be found here:

http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html


 
Figure 1: The Love Bug Attachment

 
Figure 2: Corrupted Data

Who is at Risk?

As with most computer viruses, Microsoft Windows users are the primary target. We at ISDN tested many different operating systems, intentionally infecting them with the Love Bug virus to see just which systems would be vulnerable to the virus' mischief. Here's a rundown of the system "requirements" for infection to take place.

  1. Any computer running Microsoft Windows NT 4.0 with Microsoft Internet Explorer 5.0 installed. We noticed that after infecting an NT 4.0 system, the computer had difficulties shutting down. We had to hit Control-Alt-Del twice before the system would shut down properly. This did not seem to come up in any of the other test systems, including Windows 2000, which is based on Windows NT.
  2. Any computer running Microsoft Windows 95 with Microsoft Internet Explorer 5.0 installed.
  3. Any computer running Microsoft Windows 98 with Microsoft Internet Explorer 5.0 installed.
  4. Any computer running Microsoft Windows 98 Second Edition (This version of Windows already has Microsoft Internet Explorer 5.0 pre-installed).
  5. Any computer running Microsoft Windows 2000. (Windows 2000 already has Microsoft Internet Explorer 5.0 pre-installed).
  6. In addition, the virus can spread via email if any of these systems have Microsoft Outlook installed (this does NOT include Microsoft Outlook Express). The virus sends itself to any and all addresses stored in the address book of Microsoft Outlook.

Who is Safe?

Again, we tested various operating systems to see which systems would run the virus, and which ones would not. Here's a list of systems that are not affected, and are essentially considered safe from Love Bug's damaging habits.

  1. Any computer running any flavor of Linux (we tested on Red Hat Linux 6.1). Linux systems seem to view the file as a standard text file, as shown in Figure 3.
  2. Any computer running the Mac OS (this includes all flavors of the Mac OS, right up to Mac OS 9.04). Upon trying to run the virus, the Mac informs the user that there is no program that could be found to open Love Bug, as is shown in Figure 4 below.
  3. Any computer running Windows 3.1, 3.11, or Windows 3.11 for Workgroups. These systems don't know how to open the virus, as is shown in Figure 5 below.
  4. Any computer running Windows NT 3.51. NT 3.51 systems are similar to Windows 3.11 systems in that they don't know how to open the virus. This is again shown in Figure 5.
  5. WebTV. WebTV reads the virus as a plain text file, and therefore cannot run it. This is shown in Figure 6.

Figure 3: Red Hat Linux Sees Love Bug As Nothing More Than a Harmless Text File

 
Figure 4: Mac OS Systems don't know how to open the Love Bug

 
Figure 5: Windows 3.11 and Windows NT 3.51 systems don't know how to open the Love Bug

 
Figure 6: WebTV sees the virus as a plain text file.

What Can I Do to Protect Myself?

This is a good question. There are several solutions to prevent and combat computer virus infection.
 

  1. First of all, be very cautious of ANY file attachments that come in the email. If you are not sure if the file attachment is legitimate, err on the side of caution by deleting the message. You can always check with the person that sent the file to see if he or she really did send it.
  2. But even if the person did mean to send you an attachment, you still don't know if that attachment is infected with a virus. The only way to make sure that you won't get infected with present and future viruses is to have a good anti-virus program installed on your computer. Not only does it need to be installed, but it needs to be updated regularly. An anti-virus program that is not updated at least once a month does no good. It can't find a new virus if it doesn't know how to look for one. To prove this point, the tests that we performed infecting our various "Guinea Pig" systems included using two popular anti-virus programs (Norton AntiVirus 2000 and McAfee VirusScan 5.01), both using outdated virus definition files. The virus definition files contain the software that tells the anti-virus program how to find and disarm new viruses. The virus definitions in these tests did not contain any data on the new Love Bug virus. The result: we were able to infect these systems, right under the anti-virus programs' noses. The moral of the story is to keep the anti-virus software updated. Consult your owner's manual on how to do this with your particular system. Also keep in mind that if you do purchase Norton AntiVirus 2000, it has an email scanning system that will not work with our internet email servers. If you are planning on purchasing Norton AntiVirus 2000, please read this first.
  3. Download and run the free I Love You Cleaner program provided by Craig Schmugar at the Get Virus Help homepage. This program will remove the Love Bug from your system, and will give you a list of people that the virus was sent to so that you can warn them.

*Herbie the Love Bug is copyrighted by Walt Disney