LoveLetter worm variant spams spies

A new email worm sends out messages from a victim's PC containing a list of words designed to trigger surveillance systems such as Echelon
Written by Robert Lemos, Contributor

A new variant of the LoveLetter worm has surfaced that contains a list of words designed to attract software that monitors electronic communications for national security threats.

Dubbed "VBS/LoveLet-CL" by UK antivirus company Sophos, the mass-mailing program infects a computer system after the PC user opens the e-mail attachment containing the worm. On systems with Microsoft Outlook installed, the program will mail copies of itself to each entry in the Outlook address book.

The worm's code contains a list of almost 300 terms that could trigger surveillance systems -- such as the much-theorized Echelon system -- that scan for e-mails whose content could affect national security. Words such as "toxin", "detonator", "conspiracy", "uzi", "grenades" and "assassination" all appear in the body of the virus.

"Why are you using echelon type stupid things to listen around," the worm's authors also state in the code. "Hey others, lets fl00d the echelon."

"The worm contains a large number of comments inside its code which do not get displayed," Sophos stated in its advisory, referring to the red-flag terms. "It is possible these have been chosen in an attempt to overload the Echelon e-mail monitoring system, should the worm become widespread."

Two years ago, speculation of widespread American monitoring of other countries' communications caused a great deal of controversy in the European Union. Known as Echelon, the surveillance network allegedly can scan e-mails and wireless communications for particular content. To date, the true capabilities of the system are unknown to all but intelligence communities.

The worm appears as an attachment -- "echelon.vbs" -- to an e-mail with the subject line: "!!!" and the message ":-) MuCux..."

The worm also searches all local and networked drives for Visual Basic Script, JavaScript, HTML application, JPEG image and MP3 files, which it overwrites with itself.

If the computer has the chat program mIRC installed, the worm will add a script that allows it to spread through the chat system as well.
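A mail-gateway check for the subject line, message text and attachment name reported above, as an added example (not code from the article or from Sophos). The sample messages, the addresses and the quarantine/review/pass policy are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as reported in the article; all other values are constructed.
WORM_SUBJECT = "!!!"
WORM_BODY_MARKER = ":-) MuCux"
WORM_ATTACHMENT = "echelon.vbs"

def match_indicators(raw_bytes):
    """Return which of the reported indicators appear in one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() == WORM_SUBJECT:
        hits.append("subject")
    for part in msg.walk():  # visits nested multipart containers too
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name == WORM_ATTACHMENT:  # Windows file names are case-insensitive
            hits.append("attachment")
        elif not name and part.get_content_type() == "text/plain":
            try:
                text = part.get_content()
            except LookupError:  # unknown charset label: skip the body check
                continue
            if WORM_BODY_MARKER in text:
                hits.append("body")
    return hits

def verdict(raw_bytes):
    """Assumed policy: attachment plus one more indicator means quarantine."""
    hits = match_indicators(raw_bytes)
    if "attachment" in hits and len(hits) >= 2:
        return "quarantine"
    return "review" if hits else "pass"

def build_sample(subject, body, attach_name=None):
    """Build a constructed test message; the attachment is inert placeholder text."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attach_name:
        m.add_attachment(b"' constructed placeholder\n", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()

if __name__ == "__main__":
    print(verdict(build_sample("!!!", ":-) MuCux...", "Echelon.VBS")))
```

A subject of "!!!" on its own is common in ordinary mail, which is why a single indicator only yields "review" here.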
