To avoid further infections by the “I Love You” worm, security experts said, information technology managers should tell all end users to delete virus-laden e-mails from their in-boxes and from their folders of deleted files to ensure that the messages aren’t mistakenly opened at a later date.
The Computer Emergency Response Team (CERT) in Pittsburgh advised companies to update their anti-virus software and said they can halt the virus from spreading further by disabling the active scripting features in Microsoft Corp.’s Internet Explorer Web browser and their e-mail programs.
CERT also recommended that end users avoid clicking on e-mail attachments and shared files and that Internet Relay Chat users disable the automatic receiving of files via the direct client-to-client file-sharing mechanism.
While cleaning up the virus, users need to delete a set of registry files, said Elias Levy, an analyst at SecurityFocus.com in San Mateo, Calif. Companies using security tools and utilities to do the cleanup also should take care to recover MP3 files that may have been hidden but not destroyed by the Love virus, Levy said.
System administrators could protect against similar attacks by setting their Microsoft Exchange e-mail servers to block all attachments written in Visual Basic scripts, Levy said. And to help minimize the scope of future attacks, he added, anti-virus software vendors need to make sure their Web sites can handle heavy traffic from users anxious to install updates.
Still, there’s no guarantee that fixes will always be installed in time to protect corporate networks.
“As long as we are intent on connecting to the Internet and using e-mail to communicate, there are going to be opportunities for crackers to go in and insert malicious code,” said Tanya Candia, vice-president of worldwide marketing at security software vendor F-Secure Corp. in Espoo, Finland.
“We have built a worldwide network that lets us find out about incidents and come up with a fix, but there is always going to be some kind of lag,” Candia said.
For example, a variation of the Love worm called “VeryFunny.vbs” hit some companies that had already suffered at the hands of the original invader.
Variations may defeat anti-virus tools that can contain the first virus if they include significantly different signatures, security experts said.
But they can potentially be kept at bay by other technologies, such as the MIMEsweeper product from Content Technologies Inc. in Bellview, Wash. MIMEsweeper lets users scan for certain words in the subject line of an e-mail and block those messages until an anti-virus update can be installed, the company said.