SoVerNet---the NewLove Macro Virus

The “New Love” Virus

May 19, '00

There are reports today of a new and potentially dangerous macro virus known as the 'New Love' virus circulating on the Internet, transmitted via an email attachment.

“VBS/Newlove.a” was discovered yesterday. This new virus looks like the VBS/Loveletter.worm, but it is actually a new and more damaging worm with virus qualities.

According to Symantec's site, this virus is also known as:
      VBS/Loveletter.ed,
      VBS/Loveletter.Gen,
      VBS_SPAMMER,
      VBS.Loveletter.FW.A

They say, "The subject header will begin with "FW: " and will include the name of the randomly chosen attachment (excluding the .VBS extension). Upon each infection, the worm introduces up to 10 new lines of randomly generated comments in order to prevent detection."

When executed, this virus will place a copy of itself in the Windows folder giving itself a random name, sometimes based on documents in the Recent Document folder. Like the ILOVEYOU worm and its other variants, New Love uses Microsoft Outlook to send copies of itself to all entries in the address book. It also searches all drives connected to the host system and replaces each file with copies of itself, adding the extension .vbs to the original filename.

Because of the dramatic nature of this virus, and the fact that it creates random "Subject:" lines, it is very difficult to filter out specific emails that may be suspect without also affecting a large volume of legitimate mail. With the "ILOVEYOU" virus, and its Copy Cats there was a static Subject: that could be filtered. Nevertheless, our engineers are vigorously investigating the possibility of instituting server-end protections for our customers.

As a general matter of caution you may wish to exercise extreme care in opening any attachment that ends in ".vbs". Outlook users might wish to check out Microsoft's update page as they are expected to be posting a patch that will address the issue of Outlook's vulnerability to such macro viruses. Microsoft's homepage is http://www.microsoft.com, follow the link to their email security article (the update URL itself is at http://officeupdate.microsoft.com)

Further information on this particular virus, as well as the most up-to-date information on any new viruses, can be found at the following sites:

http://www.mcafee.com/

http://www.symantec.com/avcenter/index.html

http://www.cert.org/advisories/

Information on the viruses which we are currently filtering can be found on our Virus Filters page: http://www.sover.net/notices/archived/3-23-00-virus.html