How does the virus work?
Please see the Sophos diagram.
Where did the virus start out?
The virus itself claims to come from Manila in the Philippines.
How do I get it?
It usually arrives by email.
Who does it come from?
- It doesn't come directly from the author of the virus.
- It usually comes from someone you know who already has the virus.
- The virus is sent automatically.
- The sender is unlikely to have sent it to you deliberately.
What does it look like?
Various versions exist. One has an email subject "ILOVEYOU". Another claims to be a "Joke" called "VERY FUNNY". A third says "Susitikim shi vakara kavos puodukui..." (Lithuanian for "Let's meet this evening for coffee"). A fourth tells you it is a "Mothers Day Order Confirmation".
Does this mean all other emails are safe?
No! Any email can contain a virus. Exercise caution. You should certainly never open an attachment you were not expecting.
So if anyone sends me the virus, I'm infected?
No! The email has an attachment which it asks you to open. If you double-click the attachment, you get infected. If you simply delete the email, you will not be infected.
But can't I get infected just by reading or even deleting the email?
No! Some people are saying so. But as with most email viruses, you have to activate the attachment by double-clicking on it.
So why is it spreading so fast?
Because many people blindly trust attachments. If an email says "check this attachment", people do. This is like taking sweets from strangers in the street. Don't do it.
But what if I launched the attachment?
You are probably infected. Read on to learn how to clean up.
How do I check if I'm infected?
If you use Sophos Anti-Virus (SAV), download the latest virus identities (IDEs), which include fixes for the LoveLetter viruses. Apply the identities and use SAV to scan your computer. If you are not a SAV user, you can download a copy of the product for a 30-day trial.
If I find the virus, how do I clean up?
Simply tell SAV to delete infected files.
Why can't I disinfect files and get the originals back?
When the virus infects files, it overwrites them. So removing the virus means removing the entire file - the original contents are lost.
Have I infected other people?
If you use Microsoft Outlook, the virus will send itself to everyone in your address book.
Do I need to tell people that I might have infected them?
Usually this is regarded as common courtesy. But because this is a pandemic, sending a follow-up warning will simply add to their email load.
What can I do next time?
- Don't blindly trust attachments.
- Never open an unexpected attachment.
- Don't assume that an email is safe just because it comes from someone you know - they could be infected themselves.
- Make sure you know how to update your anti-virus software quickly.
- Avoid sending around jokes and stupid attachments yourself, as it encourages people to treat them as "mostly harmless".
Everyone I know has had this virus. What will the total cost be?
Already, people are jumping to conclusions, which vary wildly. This is unwise because it can be confusing. But we know that the author of the Melissa virus, who was caught and convicted, admitted to causing damages of US$80,000,000. So we can use this as a guideline in this case.
Is it true the virus author has been caught?
According to media reports a 27 year old computer analyst working for an Asian bank was detained on Monday 8th May by the authorities in Manila. A woman who shared the man's apartment is also expected to help the authorities with their enquiries.
Obviously it is not known at this stage whether they are connected to the virus in any way. Even if the author is caught their virus will continue to cause problems for some time to come.
How many copycats will there be?
As mentioned above, there have already been several. We recommend that you keep in contact with the Sophos website to watch for changes in the situation. But trying to guess the total number of copycats is only likely to cause fear, uncertainty and doubt.
Are all the copycats dangerous?
Some of the copycats we have received do not actually work. This has caused confusion as some anti-virus companies seem to be treating these as "viruses", even though they cannot spread. Clearly, this exaggerates the size of the problem.
Many of the broken copycats produce an error display such as the one below. Please do not try to repair them, for obvious reasons!
Is the worst over?
Probably. But experience suggests that once a virus is out of the box, it is very hard to get it back in again. For example, the Form virus is nearly 10 years old and still commonly reported. Also, don't forget that there are over 50,000 viruses, with thousands of new ones each month. As the LoveLetter problems die down, do not relax your vigilance!
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.