5 May 2000

The Australian Computer Emergency Response Team (AusCERT) based at The University of Queensland has urged computer users to take precautionary steps against a virulent new computer virus known as "The Love Bug".

"The virus has infected thousands of computers throughout the world, including some Australian sites," Senior Security Analyst Rob McMillan said.

AusCERT is one of the few organisations in Australia recognised internationally as an authoritative source of expertise and information about Internet security. It provides a single, trusted point of contact in Australia for the computer community to deal with computer security incidents and their prevention.

Mr McMillan said AusCERT received its first reports on May 4, as did peer response teams throughout the world. Reports of variants had also started to emerge.

"Systems at risk are those running Microsoft Windows with Windows Scripting Host enabled," he said.

"The main goal of the virus at this stage appears to be propagation, although this does not rule out the possibility of later variants having a more malicious payload. A side effect of some of the propagation techniques is that some files on the local computer will be overwritten. It is possible that increased network load because of this virus may cause some email servers to have degraded performance.

"The main economic cost of the virus at this stage appears to be related only to the costs involved in detection, removal and recovery of the virus."

Propagation was based on three main mechanisms.

The primary mechanism appeared to be as an email attachment. Example indicators that the virus may be attached include subject lines such as "ILOVEYOU" or "fwd: Joke", or attachments named "LOVE-LETTER-FOR-YOU.TXT.vbs" or "Very Funny.vbs". Note that the ".vbs" extension may not be displayed in all cases.

The worm could attempt to install itself in several locations. It also attempted under some circumstances to reset the Internet Explorer Start Page, download arbitrary code and cause the system to execute this code upon reboot.

The final propagation technique is related to the use of IRC. Under some circumstances the virus may also rename JPEG, MP2 and MP3 files, and possibly also other scripts with range of extensions.

Mr McMillan said AusCERT urged potential victims to address this problem through a number of steps.

"Users should be wary of any attachment with these listed characteristics," he said. "To avoid falling victim to variants in future, users should also be wary of attachments originating from someone they do not know, out-of-character attachments originating from someone they do know, or any other containing characteristics that arouse suspicion."

"System administrators are urged to maintain anti-virus software. It is unavoidable, however, that a time lag will occur between the emergence of a virus and the implementation of a technical solution. Therefore, it's most important that user education is emphasised to avoid infection during the time lag."

Mr McMillan said sites could wish to consider disabling the Windows Scripting Host, since this was required by the virus to execute successfully via the email attachment. Similarly, sites may also wish to disable Active Scripting in Internet Explorer.

Some email routing packages could be configured to trap messages containing indicators of the attachment. Sites should check the capabilities of the package they use to see whether this is possible within their implementation.

Mr McMillan said AusCERT has released an Alert to its members with further information.

Further media enquiries should be addressed to AusCERT at (07) 3365 4417 or Jan King at UQ Communications 0413 601 248.

Enquiries can also be directed to communications@mailbox.uq.edu.au