VBS:LoveLetter
VBS:LoveLetter is a computer worm written in VBS (Visual Basic Script). It arrives via e-mail and is activated by double-clicking the message attachment called LOVE-LETTER-FOR-YOU.TXT.vbs. It requires Windows Scripting Host to be installed on the victim's computer. This support is not installed by default under Windows 95 and Windows NT 4. It is installed under Windows 98 and Windows 2000, and it is also part of some additional software packages (such as Microsoft Internet Explorer v5.x).
VBS:LoveLetter was discovered on 4th May 2000 and it spreads like wildfire. The worm uses e-mail as its primary spreading channel. It is also able to use the mIRC client as a secondary distribution channel. Several variants of this worm are now known (see below).
VBS:LoveLetter copies itself to the following files:
MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs in the system directory, and
Win32DLL.vbs in the Windows directory.
It also sets two registry keys so that it is activated after the computer restarts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsKernel32
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
VBS:LoveLetter sends itself via the Outlook application as an attachment, in a similar way to Melissa. It sends the infected message to all recipients in every address book. The message has the following subject and body:
Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
The worm sends itself only once from the infected computer.
If the file system\WinFAT32.exe does not exist, the worm sets the MSIE start page to a remote EXE file on a certain web page. After a successful download of the file named WIN-BUGSFIX.exe, it sets another registry key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
in order to run this file on every computer restart, and sets the MSIE start page to about:blank. This program tries to collect the Windows passwords and send them to an e-mail address in the Philippines.
VBS:LoveLetter searches for certain files on all local and remote drives. If it finds a file with the extension vbs or vbe, it overwrites that file with itself. Files with the extensions js, jse, css, wsh, sct and hta are overwritten as well and renamed to *.vbs. jpg and jpeg files are also overwritten and renamed to *.jpg.vbs, while mp3 and mp2 files are copied to *.mp?.vbs; this copy is overwritten by the worm and the attribute of the original file is changed to hidden.
When VBS:LoveLetter finds the mIRC client, it overwrites the "mirc.ini" file and is able to send itself to other users via IRC channels.
The worm also drops an HTM file in order to get a better chance to spread.
Removal
Delete all infected files and remove all registry keys mentioned above. Reset the MSIE start page. Then reboot the computer.
Any avast! with a VPS file dated on or after 4th May 2000 is able to detect this virus. We recommend changing the avast32 task to test ALL files!
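To scope the "delete all infected files" step, the file-overwriting behaviour described above can be turned into a triage pass. The following is an added example, not part of the original description or of any avast! tool: it assumes a mounted copy of the affected drive, treats ".jpeg.vbs" as the analogue of "*.jpg.vbs", and the function names and sample tree are constructed for illustration.

```python
import hashlib
import os
from collections import defaultdict

# Name patterns from the description above (".jpeg.vbs" is an assumed analogue of "*.jpg.vbs").
OVERWRITTEN = (".jpg.vbs", ".jpeg.vbs")   # original image content is gone
SHADOWED = (".mp3.vbs", ".mp2.vbs")       # original kept next to it, hidden
SCRIPTS = (".vbs", ".vbe")

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def triage(root, min_cluster=3):
    """Return restore-from-backup files, unhide-able originals and identical-script clusters."""
    lost, recoverable, by_hash = [], [], defaultdict(list)
    for folder, _dirs, names in os.walk(root):
        for name in names:
            low, path = name.lower(), os.path.join(folder, name)
            if not low.endswith(SCRIPTS):
                continue
            by_hash[sha256_of(path)].append(path)
            if low.endswith(OVERWRITTEN):
                lost.append(path)
            elif low.endswith(SHADOWED) and os.path.isfile(path[:-4]):
                recoverable.append(path[:-4])   # e.g. song.mp3 beside song.mp3.vbs
    # Many differently named scripts with one hash: files overwritten by the same body.
    clusters = sorted(sorted(p) for p in by_hash.values() if len(p) >= min_cluster)
    return {"lost": sorted(lost), "recoverable": sorted(recoverable), "clusters": clusters}

def build_sample_tree(root):
    """Constructed test data: harmless placeholder text, not worm code."""
    same = b"' constructed placeholder standing in for one repeated script body\n"
    files = {"holiday.jpg.vbs": same, "song.mp3.vbs": same, "notes.vbs": same,
             "song.mp3": b"constructed audio bytes", "backup.vbs": b"' unrelated script\n",
             "readme.txt": b"text"}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for key, value in triage(tmp).items():
            print(key, value)
```

Files under "lost" need restoring from backup, files under "recoverable" only need the hidden attribute cleared, and each cluster lists scripts that share one body and should be reviewed before deletion.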
Variants
Unfortunately, many variants have popped up since the initial incident. Some of them differ only in formatting, while others have modified texts:
Variant B:
Subject: fwd: joke
Message Body:
Attachment: VERY FUNNY.VBS
Variant C:
Subject: Susitikim shi vakara kavos puodukui...
Message Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Variant D:
Subject: Mothers Day Order Confirmation
Message Body: We have proceeded to charge your credit card
for the amount of $326.92 for the mothers day diamond
special. We have attached a detailed invoice to this email.
Please print out the attachment and keep it in a safe
place. Thanks Again and Have a Happy Mothers Day!
mothersday@subdimension.com
Attachment: mothersday.vbs
Variant E:
Subject: Dangerous Virus Warning
Message Body: There is a dangerous virus circulating. Please click
attached picture to view it and learn to avoid it.
Attachment: virus_warning.jpg.vbs
Variant F:
Subject: Virus ALERT!!!
From: support@symantec.com
Message Body: Dear Symantec customer,
Symantec's AntiVirus Research Center began receiving
reports regarding VBS.LoveLetter.A virus early morning
on May 4, 2000 GMT.
This worm appears to originate from the Asia Pacific
region. Distribution of the virus is widespread and
hundreds of thousands of machines are reported infected.
The VBS.LoveLetter.A is an Internet worm that uses
Microsoft Outlook to e-mail itself as an attachment.
The subject line of the e-mail reads ILOVEYOU, with the
attachment titled LOVE-LETTER-FOR-YOU.TXT.VBS. Once the
attachment is opened, the virus replicates and sends an
e-mail to all e-mail addresses listed in the address book.
The virus also spreads itself via Internet relay chat and
infects files on local and remote drives including files
with extensions vbs, vbe, js, sje, css, wsh, sct, hta, jpg,
jpeg, mp3, mp2.
Users should exercise caution when opening e-mails with
this subject line, even if the e-mail is from someone they
know, as that is how the virus is spread.
Symantec Corp. today announced availability of the virus
definition to detect, repair and protect users against the
VBS.LoveLetter.A virus.
This definition is available now via Symantec's LiveUpdate
and can also be downloaded from the following web sites:
http://www.symantecstore.com/AF74211/promo/loveletter
http://www.digitalriver.com/symantec
Also as a quick solution Symantec Corp. offers Visual Basic
Script to protect your PC against this worm. (See
attached.)
Note! When executed, this script will protect Your PC from
being INFECTED by VBS.LoveLetter.A virus.
To cure already infected PC's download Norton Antivirus
Updates mentioned above.
Symantec Corporation - a world leader in internet security technology.
Attachment: protect.vbs
Variant G:
Subject: Important ! Read carefully !!
Message Body: Check the attached IMPORTANT coming from me !
Attachment: IMPORTANT.TXT.vbs
Variant H:
Subject: How to protect yourself from the IL0VEY0U bug!
Message Body: Here's the easy way to fix the love virus.
Attachment: Virus-Protection-Instructions.vbs
Variant I:
Subject: Thank You For Flying With Arab Airlines
Message Body: Please check if the bill is correct, by opening the
attached file.
Attachment: ArabAir.TXT.vbs
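The variants above change the subject and body every time, but every one of them still carries a Windows script attachment, several with a decoy inner extension. The following added example (not part of the original description) screens messages on the attachment name instead of the subject. The extension sets, verdict names and sample messages are this example's own assumptions, and the attachments are placeholder bytes.

```python
from email.message import EmailMessage

# Script types from the page's extension list that Windows runs on double click
# (the choice of set is this example's policy assumption).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}
DECOY_EXTS = {"txt", "jpg", "jpeg", "mp3", "mp2"}   # harmless-looking inner extension

def classify(filename):
    # Windows drops trailing dots and spaces, so "x.vbs. " still opens as a script.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return "allow"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "block-masquerade"
    return "block-script"

def screen(msg):
    """Return (filename, verdict) for every named part of a message."""
    return [(part.get_filename(), classify(part.get_filename()))
            for part in msg.walk() if part.get_filename()]

def sample_message(subject, attachment):
    """Constructed message; the attachment is placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=attachment)
    return msg

# Subject/attachment pairs as listed for the variants above, plus one benign control.
SAMPLES = [
    ("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    ("fwd: joke", "VERY FUNNY.VBS"),
    ("Mothers Day Order Confirmation", "mothersday.vbs"),
    ("Dangerous Virus Warning", "virus_warning.jpg.vbs"),
    ("Virus ALERT!!!", "protect.vbs"),
    ("Quarterly report", "report.txt"),   # constructed benign control
]

def run_samples():
    return {subj: screen(sample_message(subj, att))[0][1] for subj, att in SAMPLES}

if __name__ == "__main__":
    for subject, verdict in run_samples().items():
        print(f"{verdict:17} {subject}")
```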


