The "Love Bug"
By Kevin Jones
I thought you might be interested in an update on the love.letter worm that worked its
way through State government last month. I guess, other than being a little frazzled from
the tension during that couple of days, I can confidently say that the State is currently
in good shape.
The love virus infected around 10% of BIS/MRS (Bureau of Information Services/Maine
Revenue Services) desktop computers and overwrote some multimedia files (JPEG) on a number
of file servers. The first recorded virus strike happened on our Exchange (mail) systems
around 7:40 a.m. May 4. By 8:15 a.m. we had shut down incoming SMTP mail service in/out
from/to the Internet, turned off connectors from/to other agencies and disabled users from
accessing their e-mail. It was mail administrators' quick reaction that was largely
responsible for the low infection rate to the State. Unfortunately the "early
risers" took the brunt of the damage. (Editor Mary Cloutier was an early riser that
day, and photos to be used in this issue were love letter victims!)

The love letter virus was most destructive to Exchange/Outlook/Windows systems and
since BIS maintains about 65% of these mailboxes, we were hit the hardest. The love letter
virus requires not only Outlook/Exchange but also a 32-bit OS running Windows Host
Scripting to infect a desktop. Agencies operating cc:Mail or MS Mail should not have had
an infection. Customers running Windows95 also avoided getting damaged but did get a lot
of Love Letters in their mailboxes. We did discover that Internet Explorer version 5+ will
install Windows Host Scripting, even on Win95 PCs.
BIS does run a continuous Norton Anti-virus scan on all Exchange servers that will
delete messages with known viruses before they are delivered to a mailbox. On average,
over the last four months, the Norton anti-virus tool detected and eliminated about 30
viruses a week. Regrettably, the love letter virus was already rampant in the wild before
any virus definition files were available from the anti-virus vendors.
Staff has reviewed most PCs in BIS/MRS and deleted the infected files, reset registry
entries and cleaned up mailboxes. Terry Kenniston and Sandy Perry had the virus definition
files from Norton running by 3:00 p.m. May 4th - and the file was already
updated to catch known variants of the love letter virus. We also turned off Windows Host
Scripting on desktops and restored damaged server files.
As of 3:00 p.m. May 5th the Mail*Hub was sending and receiving Internet
messages (SMTP) and all of the Exchange connectors to other agencies were open and we were
processing e-mail. Although a limited number of love letters still arrive, Norton software
has removed the viral attachment, so they are non-destructive. Starting the following
Monday, mopping-up efforts continued, and considering how bad things could have been, we
were lucky:
- no word processing, database or spreadsheets were damaged,
- no authentic mail was lost, and
- most JPEG files that were overwritten on file servers were restored from backups.
Congratulations and job well done to Terry Kenniston, Sandy Perry, Ron Grimard, Nancy
Parameter, and Elizabeth Jacques, all members of the Desktop Support SWAT team. My special
thanks go to all BIS customers for their fortitude and understanding during that
especially trying day.
P.S. - As of May 22, 2000 there were over 20 different variations of the Love Letter
virus. Many of them are ingenious in the ways they disguise themselves and a number of
them are highly destructive. While we haven't seen any variants of this particular
virus at BIS, once a virus is out of the box, it is very hard to get it back in again. For
example, the Form virus is nearly 10 years old and is still commonly reported. Also, don't
forget that there are over 50,000 viruses, with thousands of new ones each month. As the
Love Letter problems die down, do not relax your vigilance!
Kevin Jones is the Director of BIS Network Services Division's
Desktop Support Section. He may be reached via e-mail at kevin.jones@state.me.us.