This new virus, similar to the "LoveLetter"
worm, was discovered at
approximately 7:30 PM on Thursday, May 18, 2000. This is a very dangerous
'worm' with so-called 'virus qualities', and much more sophisticated than the
original.
Even though this virus was expected
to spread swiftly, it seems to be too destructive for its own good. When
infected, a computer is usually severely damaged and is not able to spread the
virus to others. Anti-virus experts are expecting that 'NewLove' will
eventually die out on its own.
The information here is the latest we have and will be updated
as we learn more. For current information, you may also check with Symantec
here,
and with McAfee here.
Virus program updates should be available at these sites soon.
Who is at risk?
The same people that could be affected by LoveLetter.
This worm can infect any Windows 98 or Windows 2000
computer or any Windows 95 or Windows NT computer with Internet Explorer 5 or
higher. If you have disabled Windows Scripting Host you should not be at
risk (instructions
here; for more information about WSH see ZDNet's To
Script or Not to Script article.) Macintosh computers
are not affected.
Even though this program uses Microsoft Outlook to spread,
you will still be able to receive the virus using any email
program.
How do I protect myself?
Procedures for protection from 'LoveLetter' will also
protect you against 'NewLove'. Read
this for more detail.
What does it look like?
- The worm will arrive as an attachment to an email.
- The email will most likely come from someone you know.
- There will be no message or text in the email.
- The email will have
a subject that starts with "FW:", but after that will be a randomly
chosen filename.
- The attachment will have a randomly chosen name but will
have an extension from the list below. It will definitely end with ".vbs".
You will only be infected if you
open this attachment.
List of possible extensions:
- .doc.Vbs
- .xls.Vbs
- .mdb.Vbs
- .bmp.Vbs
- .mp3.Vbs
- .txt.Vbs
- .jpg.Vbs
- .gif.Vbs
- .mov.Vbs
- .url.Vbs
- .htm.Vbs
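The traits listed above can be checked mechanically at a mail gateway. The following is an added example, not code from the original page or from any anti-virus vendor; the function names and the sample message are constructed for illustration. It treats the double-extension attachment as the deciding signal, because the subject and filename are random.

```python
import email
from email import policy

# Decoy extensions from the list above; the real extension is always ".vbs".
DECOY_EXTS = {"doc", "xls", "mdb", "bmp", "mp3", "txt", "jpg", "gif", "mov", "url", "htm"}

# Constructed sample message (not a captured one); the attachment is a harmless placeholder.
SAMPLE = (b"From: colleague@example.com\r\n"
          b"To: user@example.com\r\n"
          b"Subject: FW: budget.xls\r\n"
          b"MIME-Version: 1.0\r\n"
          b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
          b"--b1\r\nContent-Type: text/plain\r\n\r\n\r\n"
          b"--b1\r\nContent-Type: application/octet-stream\r\n"
          b'Content-Disposition: attachment; filename="budget.xls.Vbs"\r\n\r\n'
          b"constructed placeholder, not worm code\r\n--b1--\r\n")

def newlove_indicators(raw_message: bytes) -> dict:
    """Report which of the traits described on this page a raw message shows."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content().strip() if body_part else ""
    suspicious = []
    for part in msg.iter_attachments():
        original = part.get_filename() or ""
        # Compare case-insensitively: the page lists ".Vbs", senders may vary case.
        pieces = original.strip().lower().rsplit(".", 2)  # e.g. ["budget", "xls", "vbs"]
        if len(pieces) == 3 and pieces[2] == "vbs" and pieces[1] in DECOY_EXTS:
            suspicious.append(original)
    return {
        "fw_subject": subject.upper().startswith("FW:"),
        "empty_body": body_text == "",
        "double_ext_vbs": suspicious,
    }

def should_quarantine(raw_message: bytes) -> bool:
    # Subject and body are weak hints only; the attachment name is the stable trait.
    return bool(newlove_indicators(raw_message)["double_ext_vbs"])

if __name__ == "__main__":
    print(newlove_indicators(SAMPLE))
```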
What happens when infected?
- When your computer is infected, the virus will first copy itself to
'C:\Windows' and twice to 'C:\Windows\System' with randomly chosen file names and add
references to these files in the following
registry keys:
- The worm will attempt to send itself to everyone in
the Microsoft Outlook address book. If you do not use the Microsoft
Outlook email program, this will likely not spread to anyone from your
computer.
- The worm will overwrite any files on your computer
that are neither currently in use nor marked 'read-only' with an empty file and add '.vbs' to the end of the
filename. (For example, a file originally named 'file.txt' will become 'file.txt.vbs'.)
It will also search any mapped drives if you are on a network, and overwrite all
files on those drives. This will most likely cause Windows to cease
functioning and the computer will most likely not restart. If the computer
is able to restart, the virus will run at startup and overwrite any remaining
files that it possibly can.
How do I recover from infection?
Once you are infected, you will likely not be able to
recover any usable information off your computer (or mapped network drives) and
will need to reformat the hard drive. You would then need to re-install
all programs on your computer, including Windows.
What makes this worm different?
This worm has a few unique features that set it apart from
other current viruses.
- Before the virus writes itself to your hard drive, it modifies itself with
ten lines of randomly generated code. This way the virus that will be
(possibly) sent from your computer will be different than the one you
originally received. This makes detection by anti-virus programs more
difficult.
- The filename that will be sent to others as an attachment will be randomly
selected from the files and documents you have recently used. If you
have not recently opened any files or documents, the name will be randomly
generated.
- The subject line of the email containing the worm is randomly
generated. This makes it very difficult for email providers to filter
out this worm.
- Instead of only overwriting a list of certain types of files, this worm
attempts to overwrite all files on any hard drives you are connected to.
This document was last updated on
Thursday, January 22, 2004, at 07:12 PM