Symantec.com > Security Response > VBS.LoveLetter and variants

VBS.LoveLetter and variants

Risk Level 2: Low

Download Removal Tool | Printer Friendly Page

Discovered: May 5, 2000

Updated: February 13, 2007 11:54:55 AM

Also Known As: Lovebug, I-Worm.LoveLetter, VBS/LoveLetter.A, VBS/LoveLet-A

Type: Worm

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Symantec Security Response has identified 82 variants of this worm. The latest is VBS.LoveLetter.CN. Virus definitions dated May 31, 2001, or later detect and remove all of these known variants. Occasionally new variants of this worm are discovered. Norton AntiVirus may, at times, detect these new variants as VBS.LoveLetter.Variant. This is a generic detection indicating that the worm is a new variant of VBS.LoveLetter that has not yet been specifically identified and named.

NOTE: If Norton AntiVirus detects VBS.LoveLetter.Variant, we suggest that you quarantine and submit the file to SARC for analysis. See the document How to submit a file to Symantec Security Response using Scan and Deliver.

You can protect your computer from all known variants of the VBS.LoveLetter worm by downloading the latest virus definitions using LiveUpdate or from http://www.symantec.com/avcenter/download.html. A tool to repair the VBS.LoveLetter infection, including all known variants (except VBS.Loveletter.CA, VBS.Loveletter.BJ, VBS.Loveletter.BM and VBS.Loveletter.AS), is available here .

Symantec Security Response began receiving reports regarding this worm in the early morning of May 4, 2000, GMT. This worm originated in Manila, Philippines. It had wide-spread distribution, and infected millions of computers.

This worm sends itself to email addresses in the Microsoft Outlook address book and also spreads to Internet chatrooms using mIRC. This worm overwrites files on local and remote drives, including files with the extensions .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .avi, .qt, .mpg, .mpeg, .cpp, .c, .h, .swd, .psd, .wri, .mp3, and .mp2.

The contents of most of these files are replaced with the source code of the worm, destroying the original contents. The worm also appends the .vbs extension to each of these files. For example, image.jpg becomes image.jpg.vbs. However, files with .mp2 and .mp3 extensions are merely hidden and not destroyed. Norton SystemWorks users can recover these files if NProtect is running at the time of infection.

VBS.LoveLetter also tries to download a password-stealing Trojan horse program from a Web site.

Besides running LiveUpdate frequently, one other thing that you can do to protect your system from this type of worm is to block scripts of this type (NAV 2001) or disable or remove the Windows Scripting Host. VBS.LoveLetter, and others such as the Wscript.KakWorm, use the VBScript computer language to run.

If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available.Please run LiveUpdate to obtain this.
For other versions of Norton AntiVirus, Symantec Security Response offers a tool to disable the Windows Scripting Host.