WARNING: LOVE LETTER E-MAIL WORM might exceed Melissa in severity This worm has already hit certain areas of UVM. If you receive this message with a subject of ILOVEYOU and attachment called LOVE-LETTER-FOR-YOU.TXT.vbs please delete it immediately. This worm appears to impact Outlook users so be especially careful if you use Outlook. Lynne This press release comes from F-Secure. For more information on F-Secure's mailing list policy, see end of message. F-SECURE WARNS: LOVE LETTER E-MAIL WORM might exceed Melissa in severity ESPOO, Finland, May 4th, 2000 - F-Secure Corporation (formerly Data Fellows) [HEX: FSC], a leading provider of security for mobile, distributed enterprises, is warning e-mail users of a new destructive e-mail worm called VBS/LoveLetter. This worm spreads by e-mailing a file called LOVE-LETTER-FOR-YOU.TXT.vbs around. F-Secure Anti-Virus detects and disinfects the virus, with the latest update available from www.F-Secure.com . "This worm spreads at an amazing speed", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. "We got the first report around 9:00 a.m. on Thursday from Norway, and by 1 p.m. we had reports from over 20 countries. We estimate that total number of infected machines is already in tens of thousands. This epidemic might exceed Melissa in both speed and destructiveness." The LoveLetter worm activates by overwriting picture and music files from the local and network drives. Files with extension JPG, JPEG, MP3 and MP2 are overwritten and will have to be restored from backups. The worm arrives to users in e-mail message attachments called LOVE-LETTER-FOR-YOU.TXT.vbs. On a default Windows system, the ".vbs" extension is not visible, and users might mistake the file for a harmless text file (.TXT). If the recipient opens the attachment, the worm will use Microsoft Outlook (if installed) to send a message to everyone in any address books (including global access books of the organization these typically contains hundreds or thousands of addresses). The messages is as follows: kindly check the attached LOVELETTER coming from me. Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs As address books typically contain group addresses, the result of executing the VBS/LoveLetter worm inside an organization is that the first infected user sends the message to everybody in the organization. After this, other users open the message and send the message again to everyone else. This quickly overloads e-mail servers. In addition to spreading over e-mail, the worm also overwrites existing local script and HTML files with its own code. The worm was most likely written in the Philippines. It was first spotted in early morning, Thursday May 4. It contains the following text: barok -loveletter(vbe) by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines VBS/LoveLetter is written in the VBScript language. By default, programs written in VBScript operate only under Windows 98 and Windows 2000. However, Windows 95 and NT 4 users are also vulnerable, if they have insta Sample pictures of e-mail messages generated by VBS/LoveLetter are available in the F-Secure virus screenshots center at: http://www.F-Secure.com/virus-info/v-pics/ lled version 5 of Microsoft Internet Explorer. A technical description of the virus is available in the F-Secure virus description database at: http://www.F-Secure.com/v-descs/love.htm Sample pictures of e-mail messages generated by VBS/LoveLetter are available in the F-Secure virus screenshots center at: http://www.F-Secure.com/virus-info/v-pics/