Love Bug variant hits European banks

A new version of the Love Bug virus has hit the European banking community - and experts warn it has the potential to spread quickly.

A new version of the Love Bug virus has hit the European banking community - and experts warn it has the potential to spread quickly.

The new virus is transmitted as an attachment called 'resume.txt.vbs' to an email with the subject 'contract' and no body text. Experts say it is the 56th variant of the Love Bug virus that spread rapidly around the globe on 5 May causing billions of pounds of damage, and is a significant rewrite of the original.

If the attachment is run, the worm sends copies of itself to all the entries in the address book using Microsoft's Outlook email client. It then creates a text file, which appears to be a German resume.

Lovebug mk.56 was discovered when it infected the Windows registry of the United Bank of Switzerland. It has since spread across Europe, affecting the internal networks of at least two UK banks, although it was stopped before being transmitted to any of the UK banks' customers.

Graham Cluely, senior technology consultant at UK antivirus company Sophos, said: "It is not as prevalent as the original but we have had several reports of this virus in the wild. It shows the importance of keeping your antivirus software up to date."

Potentially, as it hit banks, it could have opened up access to confidential data held by the Swiss bank such as PIN numbers, credit card details and passwords.

However, as many administrators have introduced email filters which block attachments with Visual Basic scripts like the new variant, it is thought it will not cause significant damage to business. Experts say the real danger could be to home users and intranets.

"The real danger is for home users and internal users within an organisation. However, there have been no reports that credit details have actually been stolen," Paul Rogers, a network security analyst at MIS Corporate Defence Solutions, told vnunet.com.

"If companies are infected, they should delete all the trojan files. The Network Associates website has a full list of the files to delete," he added.