National Infrastructure Protection Center
Information System Alert (Alert 00-043)
(VBS.NewLove.)
as of 0500 (EDT) 19 May 2000

As of 18 May 2000, a new, more destructive variant of the LOVE LETTER worm, NewLove.VBS, has been identified. Like the earlier variants, this worm is transmitted via email. Unlike the others, this new polymorphic variant can change the subject line and the program code every time it is retransmitted, making it more difficult for users and anti-virus programs to detect.

The worm is transmitted when a user opens an email attachment. The NewLove.VBS variant takes the filename of a file that the user has recently been working on and places that filename in the subject line of the email transmission. The recipient may think that they have been forwarded a file from a known associate.

When the attachment is opened, this worm can damage all files not currently in use by changing the file extensions to .VBS. It can also transmit itself to a new group of victims taken from the current victim's email address book. The new email will have a different subject line, taken from a filename that the current victim has recently been working on.

VBS.NewLove.A

Subject: Variable; "FW: filename.ext" (where filename.ext is derived from the user's recently opened documents list)
Attachment: Variable; "filename.ext.vbs" (where filename.ext is derived from the user's recently opened documents list)
Size of attachment: Variable
Message Body: Variable.
Target of Infection: Overwrites all files that are not currently in use, regardless of extension.
Shared Drives: Will overwrite files on all mapped local drives (with the exception of files in root directories)

Major anti-virus vendors have posted software to detect and prevent infection by many variants of the LoveLetter worm. Affected users should check their anti-virus vendor's website frequently for updated information and patches.

The FBI has opened an investigation into this activity.

NIPC alerts and additional information on this worm, as they become available, will be posted to the NIPC's webpage. Please report any evidence of infection to your local FBI office, NIPC, military, or civilian computer incident response group, as appropriate. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/5/6.
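
Because the subject, body, size and code all vary, a mail filter has to match the structure described above (a "filename.ext.vbs" attachment paired with a "FW: filename.ext" subject) rather than fixed strings. The following is an added example, not part of the NIPC alert: the function names, the 0 to 3 scoring levels and the sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

def build(subject, filename=None):
    """Constructed sample message; the attachment body is inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.org", "b@example.org", subject
    msg.set_content("see attached")
    if filename:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def norm(text):
    """Collapse whitespace and lowercase so header folding or case do not hide a match."""
    return " ".join(text.split()).lower()

def newlove_score(raw):
    """Return (level, vbs_attachment_names). Levels are an assumption of this example:
    0 = no .vbs attachment, 1 = .vbs attachment,
    2 = double extension (name.ext.vbs), 3 = level 2 and Subject is "FW: name.ext"."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = norm(str(msg["Subject"] or ""))
    level, names = 0, []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if not name.lower().endswith(".vbs"):
            continue
        names.append(name)
        inner = name[:-4]                  # attachment name without the trailing ".vbs"
        hit = 1
        if "." in inner.strip("."):        # e.g. report.doc.vbs
            hit = 2
            if subject == norm("FW: " + inner):
                hit = 3
        level = max(level, hit)
    return level, names

if __name__ == "__main__":
    for subj, fn in [("FW: budget.xls", "budget.xls.vbs"),
                     ("Quarterly numbers", "Budget.XLS.VBS"),
                     ("Logon script", "cleanup.vbs"),
                     ("Lunch?", None)]:
        print(subj, fn, newlove_score(build(subj, fn)))
```

Level 3 is the exact pattern in the alert; levels 1 and 2 cover retransmissions whose subject no longer matches and are reasonable grounds to quarantine on their own.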