The Real Lovebug

I don’t think I’ve ever seen “Kramer versus Kramer”, but I did actually read the novel by Avery Corman, a long, long time ago. And I have a vague recollection of Ted Kramer saying something to his wife Joanna about the birth of their son, and of her responding that she doesn’t remember Ted having been there. Hold that thought…

Suddenly, there’s a whole rash of anti-malware vendors reminiscing about VBS/Loveletter, which is, in epidemiological terms anyway, ten years old today. There’s a massive amount of information about what it actually did, of course, complete with copious screenshots, so I won’t waste time reproducing that information – I doubt if you’ll be faced with a Lovebug infection at this stage in the game. There is even a certain amount of discussion about which company “discovered” it.

As someone who works for an anti-malware vendor, I have nothing to say about that: I was certainly very active in the anti-virus field by that time, but I didn’t work for a vendor. In fact, I was working in security systems administration for a medical research charity, so I didn’t get a vendor’s eye view of the drama, but very much the customer view.

I do know how I became introduced to the Love Bug, because I included a note about it in the case study Rob Slade and I included in a book we wrote in 2001 called “Viruses Revealed”. One of our end users reported receiving an attachment containing gibberish – Outlook wasn’t in common use on that site, and other clients couldn’t interpret the code. The Helpdesk analyst who picked up the call realized that “gibberish” might well denote program code, and passed it on to me. And, in fact, the most cursory inspection of the code indicated that it was clearly meant to be infective, so I passed a copy straight to the vendor from whom my company was licensing AV at the time.

No, I’m not claiming to be patient zero: by that time, I was starting to see mail from other corporate AV specialists – that is, people specializing in malware management but not working in the anti-virus industry – seeing the same malcode. What I wasn’t seeing at that time was information from the industry.

That was a little before the birth of AVIEN (the result of a meeting at the 2000 Virus Bulletin conference later that year), but I remember talking to several of the same people who later exchanged information on other malware outbreaks on AVIEN lists. These less formal exchanges of information and opinions during the first phase of the Loveletter epidemic were immensely valuable as we all evolved strategies suited to our particular environments for dealing with the threat (and the waves of copycat malware that quickly followed), while we waited for signatures from our vendors of choice. Unfortunately, I don’t have access to those emails anymore, but I used an AVIEN mailing list to ask some of those who were there at the time what they remembered.

Some remember risking life, limb and speeding tickets trying to get to the office in order to take hands-on remediative action. Ken Bechtel remembers getting 12 messages on his pager and three phone calls before he’d even left home, and subsequently, he says, “I remember 36 out of 48 hours of work blocking vbs at the PMDF, and creating a custom SMS script to create a special named DIRECTORY to prevent a file from being dropped.”

Mike Blanchard was due at a training session that morning, but was similarly pounded by pager messages and phone calls and had to turn around en route and get to the office. (He actually received a ticket for turning around in someone’s driveway, but successfully fought the case because of the nature of the emergency.)

Thankfully, I was already at work, so there was no risk of my being charged with running too fast on a London Underground station…

So to all those industry professionals I’m now immensely proud to call colleagues, I’d like to say thank you for all your help over the years, and not least for the excellent job you did ten years ago in producing updates for Lovebug and the wave of semi-clones that followed.

But as far as Lovebug is concerned, I don’t remember you being at the birth. 🙂

David Harley FBCS CITP CISSP
AVIEN Chief Operations Officer