New E-mail Virus May Hurt Worse Than 'Love'

May 10 2000

As detectives in the Philippines continue their investigation of the "ILoveYou" virus and as corporations worldwide scramble to clean up in its aftermath, security experts in the U.S. are targeting an e-mail virus that may be more destructive: it doesn't even require its attachment to be opened before it wreaks havoc.

First seen several months ago, the virus, which is called Kak, seizes on any e-mail program that recognizes HTML, the language used to create most Web pages. It infects computers that lack updated virus protection when the e-mail message that contains it is merely opened or previewed.

Kak affects computers running Internet Explorer 5.0 or Microsoft Office 2000. It spreads by taking advantage of a security hole in Explorer that is caused by a programming bug in an ActiveX control called scriptlet.typelib. The browser doesn't need to be running for the virus to be unleashed, and the bug can be installed on a computer through its default security settings, according to a security alert issued Wednesday by the System Administration, Networking and Security Institute.

"This is by far the fastest growing virus distribution problem and ripe for a hugely destructive event - at least as large as the ILOVEYOU virus," the SANS alert stated.

"If the ILoveYou virus had made use of this, we would have gone crazy," says Jimmy Kuo, a McAfee fellow at Network Associates. "By the time you find out you've received the e-mail, you've gone and looked at it, and that itself sets off the virus and it's a bit too late."

The ILoveYou virus spread via Microsoft Outlook, sending itself to all recipients listed in a user's address book before deleting image files and hiding audio files. It has spawned at least 25 copycats with varying levels of destructiveness. Police in Manila, Philippines, released a man from custody whom they initially suspected of writing the virus, and are now looking at suspects connected with a local university.

In response to the outbreak of the virus, which has caused an estimated $6.7 billion in damage, Microsoft and security experts have advised computer users that the best way to preempt infection is to avoid opening suspect attachments. That remedy no longer applies.

A Minneapolis company claims to have developed the first software that allows users to recover files destroyed or hidden by the ILoveYou virus. OnTrack Data International's EasyRecovery software, which sells for $49.95 and can be downloaded here, restores JPG, JPEG, MP2 and MP3 files damaged by the virus to their original condition. It doesn't attempt to repair corrupted files or rewrite the original drive, but instead locates the files' signatures, copies "deleted" image data to a new location and reveals the location of audio files, says Jim Reinert, OnTrack's director of software products.

While the Kak virus, which Network Associates believes originated in France, isn't as malicious as the ILoveYou bug and doesn't spread in the same way, it has the potential to be the most dangerous virus to date if it were expanded with nasty attributes.

"The only viruses using [the hole] aren't very malicious, but that has nothing to do with tomorrow," says Alan Paller, director of research at the SANS Institute.

So far, the Kak virus doesn't do any damage and merely displays a message on the first of the month that says: "Kagou-Anti-Kro$oft says not today!" according to Network Associates' profile of the virus. If a user's security settings are set high, Kak might display warning messages regarding ActiveX and scripts. Users who see a dialogue box asking, "Do you want to allow software such as ActiveX controls and plug-ins to run?" should respond "No."

The same security hole that spawned Kak also exposes users to harmful scripts in malicious Web pages. Microsoft could not be reached for comment on the hole, but a bulletin posted on the software giant's Web site says it could allow a "malicious Web operator to take inappropriate actions on the computer of a user who visited the site."

Users of IE 5.0 and Office 2000 should update their virus-detection software in order to close the hole, which takes less than five minutes, according to Paller. Network Associates also advises computer users to remove Windows Scripting Host from their systems.

Tools to patch the hole, which Microsoft posted in August 1999, are available here, and a correction script may be run directly from here. Network Associates has information on its Web site about the virus.