NewLove: What went right?

It had the potential to be a crippling virus, but NewLove has done little damage. Thank more-savvy users and better virus protection
Written by Robert Lemos, Contributor

Dire warnings fell flat on Friday when the "NewLove" worm -- loosely based on the "ILOVEYOU" worm that spread like wildfire at the beginning of May -- failed to infect a significant number of computers and seemed to be under control.

The containment of the latest outbreak may demonstrate that users are becoming more savvy when handling unknown email and that virus fighters are better prepared to knock down infections quickly.

"We have not gotten a single report," said Tanya Candia, vice president of global marketing with anti-virus software maker F-Secure. "While it evades detection -- quite successfully -- by making itself hard to find, none of our clients are reporting infections."

The Computer Emergency Response Team at Carnegie Mellon University also announced Friday that its members had not seen any infections.

And clients of security software maker Network Associates submitted only two samples of the new virus to researchers there. "We don't have reports of widespread damage nor prevalence," said Vincent Gullotto, director of the Network Associates' AVERT research lab. In total, less than 20 of the company's clients reported infections.

On Friday afternoon the AVERT lab downgraded the threat from the virus to a "medium" risk from the "high risk" rating earlier.

Referred to as VBS/NewLove, the worm-type outbreak has failed to cause much disruption all in the computer world, experts said, after raising fears that a rival of the Love bug outbreak was about to hit the computer world.

Based loosely on its cousin ILOVEYOU, the Visual Basic script virus known as NewLove is mailed to users as an apparent attachment from a friend, with the subject line "FW:" followed by a random file name. The attached file has the same name plus the .VBS extension.

For example, the worm might find the file "mydoc.txt" on the user's system and send off a message with the subject line "FW: mydoc.txt" and an attachment of "mydoc.txt.vbs".

After that, the virus trashes the system by deleting all files by setting their lengths to zero.

The current variant also adds a twist found in other viruses: Polymorphism. The worm adds several more comment lines to itself every time it reproduces, thereby changing the length and "fingerprint" by which most virus software attempts to recognise the code.

That feature made the virus harder to stop, but has also made the virus its own worst enemy. Growing at 100KB every time that it infects a computer, the worm should soon be too large to spread through email systems unnoticed.

The virus popped up earlier in the week in Israel when a handful of companies became infected. Thursday night, software maker Symantec raised the red flag when three of its Israeli and European clients reported being infected with the destructive virus.

Other anti-virus vendors followed suit with their own press releases as soon as a fix became available. Even the FBI jumped into the fray announcing that it had decided to try and hunt the creator of the ILOVEYOU knockoff.

Cary Nachenberg, chief scientist for Symantec, said the industry reacted quickly and appropriately to the new virus.

"If you looked how this started out, it had the same pattern as ExploreZip. That virus took out a fair number of computers," he said. "If anything our announcements raised people's awareness, and I don't think it caused any harm at all."

ExploreZip, which hit the Net a year ago, had a similar modus operandi, trashing files and sending itself to emails taken from the Outlook address book.

However, while a minor consideration, the warnings and pre-emptive network shutdowns probably cause far more e-mail traffic than the virus did, said Rob Rosenberger, editor of Computer Virus Myths, an independent Web site that keeps an eye on the anti-virus industry.

"I think there is more spamming going on because of warnings than because of the virus. The military, for one, is pumping out alerts," he said.

The ILOVEYOU swamped servers and computers with a far greater amount of email.

According to a survey by the Pew Internet and American Life Project, the ILOVEYOU virus appeared in the inboxes of 15 percent of the US Internet-using populace, and roughly a quarter of those that received on the email opened the attachment, infecting themselves.

"Viruses seem to be a growing part of our lives," said John Horrigan, analyst with the project.

It seems that most of the world is still reeling from the shock of the cutely and seductively named ILOVEYOU virus. Go with Peter Coffee to AnchorDesk UK and read the news comment to find out how easy it was and the perils that lie ahead.

What do you think? Tell the Mailroom. And read what others have said.

Go to ZDNet's ILOVEYOU Special Report

Editorial standards