By Paul Festa, CNET News.com
A new virus on the loose could make the Love Bug pale by comparison.
Antivirus firms monitoring the new outbreak say only a handful of instances so far have been reported to them. But they caution that the virus has the potential to spread rapidly and cause even more damage than its recent predecessor.
"Everything on the computer is destroyed," said Vincent Weafer, director of Symantec's antivirus research center.
Perhaps even more disquieting than the destructive payload is the fact that the virus alters itself to sneak around traditional virus scanners.
This meaner, smarter bug comes on the heels of the so-called Love Bug virus that wreaked havoc and caused billions of dollars in damage earlier this month. The new one threatens not only to overwrite files on victims' computers but to destroy data, programs and crucial operating software on them as well.
Like the Love Bug, the new virus exploits features of Microsoft's Outlook email program to send itself to all contacts in the victim's address book. The virus is written as a VisualBasic attachment, which can be recognized by the suffix ".vbs".
Microsoft this week pledged to shore up Outlook with an upgrade meant to thwart the spread of viruses like the Love Bug. Symantec said the upgrade would be effective against the new virus, but it has not yet been released.
The Love Bug has seen a wide array of mutations--not an uncommon development among viruses--which Symantec numbered at around 30 so far. Some of the Love variations have been more destructive than the original, damaging system files in addition to the image and audio files targeted by their predecessor.
The new virus does not overwrite computer files; instead, it shrinks them down to nothing, targeting files on both local and network drives.
In addition, it imitates the behavior of biological viruses in making subtle alterations as it spreads.
The mutation occurs in three different places. First, the virus changes the subject header of the email by selecting at random from various document files found on the victim's computer and adopting that file's name, preceded by "FW:".
Next, the virus renames itself with the same name, followed by ".vbs".
Last, the virus inserts random text in the VBS script itself. This code does not alter the behavior of the virus itself but throws virus scanners off its scent.
Symantec said it was at work on a fix that would exclude those randomly generated comments in identifying the virus.
One possible avenue of attack for the antivirus crews is the fact that the new virus comes in an email with a blank body. A filter that scraps emails with "FW" in the subject header and nothing in the body would be effective against the virus without filtering out a large number of legitimate attachments, Weafer said.
Weafer stressed that, contrary to a Symantec press release and earlier published reports, the new virus is not a variant of the Love Bug. While the viruses share key characteristics, such as the reliance on Microsoft's Outlook address book and VBS scripting language, they do not share source code.
The new virus, dubbed "VBS.LoveLetter.FW.A" by Symantec and "VBS/NewLove-A" by English antivirus firm Sophos, is currently not very widespread. Symantec heard reports from one U.S. firm and two in Israel. Trend Micro, a competing antivirus firm, said one corporate customer reported that all 5,000 of its desktops received the virus, but the company didn't know how many of those actually opened it.
"Those numbers are very small," Weafer said. "But it's not atypical for a worm to start with very low numbers and spread very rapidly. When we first saw the Explorer.zip virus, which started in Israel, there were two cases. Twenty-four hours later it had spread worldwide."
The Bay Area firm whose 5,000 desktops received the virus got it from its office in Israel, according to Trend Micro. But the company cautioned against concluding from that fact that the virus originated in Israel.
Virus firms have come under some criticism for hyping virus threats, especially in light of the fact that antivirus firms' stocks tend to do well in the midst of security crises.
One antivirus researcher keeping an eye on the new worm close to midnight today said he was spreading the word about it with mixed feelings.
"We're in this familiar situation where we're warning people about a problem they may or may not have tomorrow morning," said Dan Schrader, chief security analyst at Trend Micro. "If we cry wolf often enough, they'll tune us out entirely."
