1. /
  2. Security Response/
  3. VBS.LoveLetter.Var

VBS.LoveLetter.Var

Risk Level 2: Low

Discovered:
May 5, 2000
Updated:
March 12, 2002 8:00:32 PM
Also Known As:
VBS/LoveLet-AE [Sophos], VBS/LoveLetter.A-V@mm [Norman], VBS/LoveLetter [F-Secure], VBS/Loveletter@MM [McAfee]
Type:
Virus
Infection Length:
Varies
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
VBS.LoveLetter.Var is a mass-mailing worm that sends itself to all email addresses in a compromised user's Microsoft Outlook address book.

Symantec Security Response has identified 82 variants of this worm. The latest is VBS.LoveLetter.CN. Virus definitions dated May 31, 2001, or later detect and remove all of these known variants. Occasionally new variants of this worm are discovered. Norton AntiVirus may, at times, detect these new variants as VBS.LoveLetter.Var. This is a generic detection indicating that the worm is a new variant of VBS.LoveLetter that has not yet been specifically identified and named.

Symantec Security Response began receiving reports regarding this worm in the early morning of May 4, 2000, GMT. This worm originated in Manila, Philippines. It had wide-spread distribution, and infected millions of computers.

This worm sends itself to email addresses in the Microsoft Outlook address book and also spreads to Internet chatrooms using mIRC. This worm overwrites files on local and remote drives, including files with the extensions: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .avi, .qt, .mpg, .mpeg, .cpp, .c, .h, .swd, .psd, .wri, .mp3, and .mp2.

The contents of most of these files are replaced with the source code of the worm, destroying the original contents. The worm also appends the .vbs extension to each of these files. For example, image.jpg becomes image.jpg.vbs. However, files with .mp2 and .mp3 extensions are merely hidden and not destroyed. Norton SystemWorks users can recover these files if NProtect is running at the time of infection.

VBS.LoveLetter also tries to download a password-stealing Trojan horse program from a website.

Antivirus Protection Dates

  • Initial Rapid Release version May 5, 2000
  • Latest Rapid Release version February 19, 2013 revision 016
  • Initial Daily Certified version May 5, 2000
  • Latest Daily Certified version February 9, 2011 revision 002
  • Initial Weekly Certified release date May 5, 2000
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 3 - 9
  • Geographical Distribution: High
  • Threat Containment: Moderate
  • Removal: Moderate

Damage

  • Damage Level: High

Distribution

  • Distribution Level: Medium
  • Subject of Email: Varies
  • Name of Attachment: Varies
  • Target of Infection: May attempt to spread through email and mIRC
Writeup By: Eric Chien

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report, Volume 17
Symantec DeepSight Screensaver