The "Love Bug" virus continued to plague businesses throughout the world this weekend as several additional variants were discovered including a copycat bug posing as a Symantec anti-virus remedy.
Philippine authorities say they have detained a 27-year-old man suspected of sending the virus.
The outbreak of the "Love Bug" virus last week wreaked havoc on computer systems everywhere, affecting hundreds of thousands of companies throughout the world. The menace virus clogged Web servers, overwrote personal files and caused corporate IT managers to shut down e-mail systems. Over a five-hour period on Thursday morning, the worm spread across Asia, Europe and the United States via e-mail messages titled "ILOVEYOU." When the e-mail's attachment was opened, the bug used Microsoft Outlook to send copies of itself to addresses in the user's address book.
By Thursday evening, experts estimated the damage from the virus had topped $2 billion but predicted it would reach $10 billion as variants of the malicious worm continued to surface Friday and throughout the weekend.
The virus had spurred thousands of e-mail users to seek protection. Traffic to sites of top anti-virus software makers such as Symantec and McAfee.com by users wanting to download virus-protection software created major slowdowns. As a result of the heavy traffic, the sites' performance was extremely slow and several users reported major backup in getting onto the sites. One user, who was having technical problems downloading anti-viral software said he was told his wait would be a minimum of an hour and a half before he would get someone on the line.
In addition, there were reports Friday afternoon that Symantec's anti-virus definition itself had a bug in it, which was later determined to be a "Love Bug" copycat masquerading as a Symantec cure for the virus. The bug created additional, and possibly more serious problems, for users trying to download a fix. The mutation appears in the form of an e-mail with the subject header "VIRUS ALERT!!!" The e-mail is addressed to "Dear Symantec customer" and proceeds to describe the virus in detail. Its attachment is called "protect.vbs." To read more on this copycat virus go to CNET story
Bob Holton, manager of information systems for Schrader-Bridgeport International, said that because of his department's quick response, none of his company's infected e-mails were ever opened. Unfortunately, Holton's luck didn't last.
"I had the extreme bad luck to try to install Symantec's solution for the entire network the day before the 'Love Bug' virus struck," he said. "Since the virus definitions shipped with the product were from December, the first thing it wanted to do was a 'Live Update.' Then, you can guess what happened. The Web site was down big time. When I finally got to the Web site (36 hours later), and downloaded the newest virus definitions, the anti-virus scan engine crashed with a hex error code."
But when Holton called Symantec technical support he said he was told there were 40 calls in front of him and that the average wait time was 1 hour, 26 minutes.
According to Holton, when he finally got through to Symantec's technical support, he was told there was a bug in the latest anti-virus definitions, which caused the scan engine to crash. Symantec's tech support representative e-mailed Holton a fix but was told it was only a workaround and not a 100% fix and it was the best they could do for him at that time."
The amount of damage reported by companies seemed to depend on how quickly IT was able to respond. Actual damage was kept to a minimum if users were aware of the virus and weren't duped into thinking they had actually received an amorous e-mail. However, the hours spent in getting the system back to normal took its toll on most companies.
"The virus did not strike anywhere in our company. The biggest pain was all of the warnings that came in from so many different sources," said Randy Schuff, a software support representative for Unique Equipment Co. "We are a small company (35 employees) but received approximately 100 notices about the virus."
"We were hit but not very hard," said Bonnie Westfall, Golder Associates Inc. "We shut down our e-mail systems early, as in very shortly after it hit. Within nine minutes of the first message hitting 4,800 messages had been propagated. We use Trend Micro's Scanmail and Officescan for our virus protection. These products work great, but everybody clogged the system and it took us a while to get the pattern file update for this virus."
"We received a big influx of messages with the virus attached but were warned about it ahead of time, so I think the number of users who actually opened the attachment was only one," said David Johnson, network technician, Arcus Data Security.
"We also found that the "latest" version of Norton's DEF files on our Exchange servers was not finding the virus so we shut down our Internet Mail gateway until we could get updated def files to all our Exchange servers (15 spread across the country)," Johnson added.
"We were finally able to gain access to Norton's Web site and download the update around 7 p.m. [Thursday] night and after imaging the server, had the update installed and we were finally able to leave the office around 8 p.m.," said Johnson.
"Some 250 users were without Internet e-mail [Friday]in our company, and two or three of us spent the entire day researching and playing with the virus on quarantined machines to try and develop a solution," said Johnson. "I'd say it was a pretty expensive hit for a fairly minor virus!"
Administrators credited the media with rapidly spreading the news about the virus allowing them to keep damage to a minimum.
"Deb Juberian, an administrator for an 150-person office said all the media attention given to the virus on Thursday was not hype and was thankful for it. "It took three of us 'IS techs' a day and a half to diagnose and repair the damage," she said. "Our e-mail and Internet systems were down for an entire day. Given how difficult it was to access the Symantec and McAfee's sites, I was happy to get information from the news media," she said.
Douglas Bridwell, a director of information systems, said he suspects this virus to be more widespread that even the media thinks. "I also think the person who did this must have used some method to infect a massive number of systems immediately," he said. "This thing spread across the world in a matter of hours. That didn't give people much time to find out and react or warn users."
"Thanks to the media and list servers, our company was aware of the virus attack prior to being hit," said Dave Kingsella, information technology director, ABC Financial Services. "We were able to notify our users and prevent them from inadvertently opening any infected email messages. We were actually fortunate in that we only received two e-mails with the virus (out of about 100 employees) but in both cases the employee knew how to handle the email and averted any damage."
"Thanks to early warnings from various news agencies, we were able to spread the alarm early enough to prevent most of our users from launching the ILOVEYOU virus," said Emily Brooks, advisory systems manager, MDL Information Systmes. "Out of 400 users worldwide, we had less than 10 infections, and some of those users were able to halt the script before it did much damage. We only had two machines that were damaged enough to need to be reinstalled."
But, some users couldn't understand why the virus had the impact it did and claimed that with the number of bugs hitting computers lately, anyone caught off guard had no one to blame but themselves.
"How are these big companies getting hit by this virus? I heard about it yesterday [Thursday], disabled windows scripting host and since then have had no problems," said Jim Pritchett, an administrator with a U.K.-based company. "It startles me that big IT companies are so ill-informed and lacking in common sense. Still you've got to laugh."
But, it was the shops using Microsoft Outlook's biggest competitor that actually had the biggest laugh.
"We received a few e-mails that had the 'Love Bug' virus but found that Lotus Notes prevented the attachment from being opened," said Meg Greenwood, an information supervisor for a school system in British Columbia. "We realize how lucky we were not to get infected. Score another one for Lotus Domino."