ad info

Editions | myCNN | Video | Audio | Headline News Brief | Feedback  





Bush signs order opening 'faith-based' charity office for business

Rescues continue 4 days after devastating India earthquake

DaimlerChrysler employees join rapidly swelling ranks of laid-off U.S. workers

Disney's is a goner


4:30pm ET, 4/16









CNN Websites
Networks image

Special Event

Attorney General Janet Reno Holds News Briefing on 'Newlove.vbs' Computer Virus

Aired May 19, 2000 - 9:33 a.m. ET


DARYN KAGAN, CNN ANCHOR: We want to go to the Justice Department where Attorney General Janet Reno is holding her weekly media briefing. She has a statement on the computer virus.


JANET RENO, U.S. ATTORNEY GENERAL: This new worm is newlove.vbs, which was identified yesterday. Like the earlier versions, this worm is transmitted via e-mail. But unlike the others, this new version can change the subject line and the program code every time it is retransmitted. This makes the virus more difficult for users and anti-virus programs to detect. The worm is transmitted when a user opens an e-mail attachment.

The newlove.vbs virus uses the file name of a file that a user has recently been working on and places that file name in the subject line of the e-mail transmission. The recipient may think that they have been forwarded a file from a known associate. When the attachment is opened, this worm can damage all files not currently in use by changing the file extensions to dot-vbs.

It can also transmit itself to a new group of victims, taking from the current victim's e-mail address book.

The new e-mail will have a different subject line taken from a file name that the current victim has been recently working on.

If you receive an e-mail with a dot-vbs file extension, do not open it, even if it comes from a trusted source. Delete the e-mail from your system.

Michael Vatis from the National Infrastructure Protection Center is here with me to answer any questions you may have.

QUESTION: Mr. Vatis, from the sound of it, if it uses a vbs extension, I gather that it uses Microsoft Outlook.

QUESTION: How do you -- you usually see file extensions -- you usually see extensions in the file name in Microsoft Outlook. How would you know whether you had an e-mail with that extension on it?

MICHAEL VATIS, NATL. INFRASTRUCTURE PROTECTION CENTER: Our understanding so far of this is that the name of the document that is being transmitted that will contain the virus will be in the subject line of the e-mail, but that subject line will not contain the dot-vbs extension. However, in the body of the e-mail, you will see the dot- vbs. So if the e-mail is opened, you'll be able to see the dot-vbs, which will indicate that this is probably an infected file and you should not open the attachment to the e-mail.

QUESTION: So it's opening the attachment that would spread the virus into your computer?

VATIS: Exactly.

QUESTION: Mike, how widespread is this thing? It seems like "ILOVEYOU" was all over the place before people knew it. This seems a little slower to go global.

VATIS: We don't know yet exactly how widespread this is. In the early morning hours of today, we did have reports of upward of 1,000 machines being infected. I suspect it's somewhat larger than that now, but we don't have any final fix on how widespread it is. Unlike the original love letter virus, this one appears to have started at least in significant part in the United States rather than spreading from Asia to Europe to the United States.

QUESTION: And the patch that Microsoft is offering, will it protect a system against the new variant?

VATIS: We haven't yet evaluated the various patches that are available. We do know that the major anti-virus vendors are working on detection software for this variant. But people should check with their anti-virus vendor to see whether they've got an update yet to the normal anti-virus software.

QUESTION: Do you think you're jumping on this more quickly than you were able to on the love bug?

VATIS: We jump on all these as quickly as we can. It's important when we first get a report in that we assess the information, that we check with other sources to see if this is a significant virus, to see if fixes are available, so that when we do go out with notification to other agencies, to the public, that we have as much information, and that we've assessed and determined that it's credible before we go out.

So in this instance we started notifying other agencies at approximately 2 a.m. this morning and have been issuing further alerts through various mechanisms to the public, to private industry and to federal agencies by various means. But that started around 2 a.m.

QUESTION: When did you get your first reports of it?

VATIS: Just slightly before that.

QUESTION: Michael, is there any particular section of the country more affected than others?

VATIS: It's too early to say at this time. But we have seen reports of infection across the country.

QUESTION: The worm, the love bug worm, would copy all of the -- or send copies of itself to all of the addresses in the -- in your Microsoft address book. Does this thing do the same? How does it transmit itself to others?

VATIS: From we know so far, it propagates in the same manner, that is, by sending an e-mail to we believe all of the addressees in your e-mail address book.

What makes this somewhat more dangerous, as the attorney general said in her opening remarks, is that it doesn't send an e-mail with a subject line that everybody can look out for, that says "ILOVEYOU" or something else. This one takes the name of an actual file in the infected user's computer so it appears to be a legitimate file and then sends that.

And this is known as a polymorphic virus or worm, in that each time it's transmitted, it comes in a different guise. So that's why we have to alert people not to open any e-mail attachment that comes where the document in the subject line has a dot-vbs extension, because we don't know -- it varies in each instance what the actual document name will be. So it's -- people need to be much more vigilant in looking at e-mails.

And again, just as with the original love letter virus, the e- mail will appear to come from someone you know, and it will actually come from that person's computer. It just will not have actually been sent by that individual pressing transmit. The virus will have sent itself.

QUESTION: Because of that, would you say that this is one more complicated, the code is more elaborate than the last one?

VATIS: Our initial assessment is that this is more complex, as is typically the case with viruses you see in evolution, and this is the latest stage in the evolutionary process from the love letter virus.

So, essentially, it propagates itself in the same way, but it disguises itself in a more sophisticated fashion so that it's potentially more dangerous. It also has a greater capability to erase files on a system. At least at this point in time, that's what it seems to be capable of doing.

QUESTION: When you talk about the evolution, does that mean that it's (OFF-MIKE)? First there was the love bug, this is the new generation? It's almost like another version from a copycat.

VATIS: Yes, precisely. It evolves, not in a biological sense, but in the sense that people take the code from the initial variant and then change it in ways that try to evade the anti-virus software that's been put out for the initial variant. And that also tries to trick users, who now are vigilant, to the possibility of receiving an infected e-mail. It tries to still trick them by disguising itself in different ways. So, in that sense, it is more complex. QUESTION: Have you suspected about its origins, where it may have come from?

VATIS: I can't say at this time. We are investigating to determine what the source might have been.

QUESTION: But you do think it's a copycat, not the source -- same source of the original one?

VATIS: I can't say at this time, but we are looking into all possibilities.

QUESTION: Is it more difficult to track for the reasons you just stated?

VATIS: At this time, I can't get into the investigative strategy or process, but we are looking at all possible leads as we do in these cases.

QUESTION: How much has government been affected by any of this?

VATIS: We don't have any firm fixes yet.

Obviously the warnings were all disseminated before the start of business today. Hopefully that will minimize the effects within the federal government community and across the private sector as well. But it's too early to say yet what the impact has been or will be.

QUESTION: Mr. Vatis, does this worm go after any specific files or just any file it gets its hands on?

VATIS: It appears to go after most files in a computer, other than those in the root directory. That's our understanding from the anti-virus vendors so far.

QUESTION: Can it destroy the files?

VATIS: It basically reduces them to zero. So, yes, it erases the file.

QUESTION: Everything on the hard drive gets erased.

VATIS: Most files, other than those in the root directory, are potentially subject to being erased. That's our understanding so far.

QUESTION: It doesn't just change the names.

VATIS: It adds a dot-vbs extension to the file and then reduces their content to zero. So it effectively erases them.

But again, this is all based on our preliminary analysis overnight so far, so our understanding may change as we examine this virus further.

QUESTION: What about deterrents? There were some indications and some reversals in the Philippines that these weren't being considered serious crimes. Is there any thought -- either Ms. Reno or Mike -- is there any thought to filing U.S. charges against any suspects in the Philippines or against any suspects who are discovered in this latest...

RENO: I think while the investigation is pending, we really shouldn't comment. We're working with the Philippine authorities in a good, close working relationship. And I think it's important that we continue that effort.

QUESTION: But how do you stop these types of attacks, unless you have some very high profile prosecutions and some rather long prison terms handed out?

RENO: We don't comment on what's going to happen in an investigation, as you well know, because we're going to do it based on all the evidence and what's best for the case.

KAGAN: We've been listening to Attorney General Janet Reno talking about the latest computer bug virus out there, this new one kind of like the "Love Bug," but they're calling it "newlove.vbs." And it could be even worse than "Love Bug." It changes the subject and program code -- changes it all the time. Basically, the warning: Don't open any e-mail attachments that don't look familiar and don't look correct to you, especially if they end with .vbs because you could have a big mess on your hands.


KAGAN: That's the nontechnical explanation on that one: Just don't do it.

HARRIS: Nice going, nice going..



Back to the top  © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.