Updated from 11:11 a.m. EDT

The love letter computer

virus that ravaged email systems around the world on Thursday morphed into a phony Mother's Day gift order message on Friday, complicating efforts to control the latest Internet communications scourge.


, a Finland-based computer antivirus company that helped to identify the ILOVEYOU virus on Thursday, said it was now appearing on email systems as a Mothers Day order confirmation for diamonds, and would continue to generate offspring under different email subjects until completely eradicated.

Mikko Hypponnen, manager of antivirus research at F-Secure, said there are already four versions of the virus in circulation and that he doesn't see an end to the rampage in the near term. The two other versions include a Lithuanian version of the love letter virus, and an email with the subject "Joke" and an attachment "Very Funny."

Estimates about the damage to the corporate world wildly fluctuated between $1 billion to $10 billion.

"The Mother's Day version of this worm is quite cunning," Hypponnen said. The Mother's Day virus is similar to the love letter virus in the way it operates but deletes files that allow users to reboot their computers.

All versions of the virus can erase files, steal email addresses and passwords, and replicate themselves. The speed of its spread on Thursday stunned computer virus experts and debilitated major corporations by forcing them to restrict email communications.

"It's a bit of clever social engineering," said Roger Thompson, technical director of malicious code research


, a computer security firm. "People will say, `By god, I didn't spend that much on my gift' and click on the link."

Thompson thinks that whoever wrote the virus got lucky by hitting a large corporation with a large address book to use for replication early in the bug's life.

Thompson, who is involved in the hunt for the originator of the bug believed to be in the Philippines, said he is closing in and hopes to find the cyber-terrorist soon.

Companies that installed an antivirus line of defense yesterday, he said, will be protected against the new strains.

When a user clicks on the email message, from Microsoft's email software, Microsoft Outlook, the robbery begins. The Internet browser is then directed to steal passwords for Windows log-in and remote access for Windows then sends the passwords to an account in the Philippines. The perpetrators can later use those passwords to get back into the organization from which they came.

The virus isn't finished yet. Next it sends copies of the passwords to everybody in the company's stolen email address book so that all users within the organization have access.

Then it goes to the hard drive and overwrites copies of files with the virus. In particular, graphics files called JPGs and music files called MP2s are overwritten and the originals are lost.

Finally, it infests itself in Internet relay chat software called MIRC 32, one of the most popular chat applications, so that anyone who communicates with the person affected will themselves become infected.