Some of the savviest computer users around have been caught by the Love Letter virus and its variants; people who should know better than to open a strange Visual Basic script attachment. It would appear that virus writers are getting better at exploiting human weaknesses as well as security flaws.
The need to be loved, avarice, or sheer habit can override common sense, it seems.
"With the amount of non-work related information flowing through the Internet, users are sometimes a little ignorant and irresponsible when opening e-mails, and given the fact that somebody may be sending them a love letter or joke, are inclined to open these type of messages," says Heath Turner of The E-mail Corporation. Turner is responsible for the company's Virus-Alert e-mail service.
"People are inquisitive," says security consultant Justin Stanford. "That is not their fault." He says Love Letter was so effective because it took advantage of the average computer user's lack of knowledge and the flaw in Microsoft products that allows mail to be automatically generated without user intervention. "[Love Letter] prays on the unwary. When the sender is known, a recipient is more likely to trust the message," he says.
Love Letter and its variants replicate using the address books of infected users, sending replicas from the infected account that appear to come from a known source.
One of the most widespread variants has the subject line "Mothers Day Order Confirmation". It appears to be the verification of an online purchase and the text in the body of the message is sure to temporarily overtake reason.
It reads: "We have proceeded to charge your credit card for the amount of $326.92 for the Mothers Day diamond special. We have attached a detailed invoice to this e-mail. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day!"
Jaco Vogus, Symantec marketing manager for Africa and the Middle East, says outrage at this message is the natural response. "That is a lot of money, especially with the rand-dollar exchange rate." So many people click on the VBS attachment without thinking.
Vogus says the quick spread of the virus is more likely due to the fact that it sends itself indiscriminately to any e-mail address on the infected computer, but adds that the way it is presented cannot be ruled out. "They are designed to fool you," he says.
An even more worrying variant from the Symantec point of view is one that purports to come from the company and to carry a fix for Love Letter. The message appears to come from support@symantec.com and carries a more destructive payload than the original virus. Named VBS.Loveletter.G, it also overwrites batch and component object model (.com) files.
The problem is compounded because Symantec has released a real tool to detect and erase the virus. "When you see a message that looks like it comes from Symantec you are more likely to open it," Vogus says.
Although most anti-virus vendors report that their lines have quietened down since Friday, many are still concerned that more dangerous variants could show up. "It is tough to tell where these guys will go," says Robert Brown, MD of Kaspersky South Africa. "The worst that could happen is that it sends itself out and then deletes the hard-drive completely through something like a low-level format."
Brown agrees that users need to be less trusting to prevent similar virus spreads. "The root of the problem is definitely the user," he says.
Related stories:
ITWeb 'virus of love" special
Share
