
VBS.LoveLetter.Var

Risk Level 2: Low

Discovered: May 5, 2000
Updated: March 12, 2002 8:00:32 PM
Also Known As: VBS/LoveLet-AE [Sophos], VBS/LoveLetter.A-V@mm [Norman], VBS/LoveLetter [F-Secure], VBS/Loveletter@MM [McAfee]
Type: Virus
Infection Length: Varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

When the worm executes, it copies itself to the following locations:
  • %System%\Mskernel32.vbs
  • %System%\LOVE-LETTER-FOR-YOU.TXT.vbs
  • %Windows%\Win32dll.vbs


The worm then checks for the presence of Winfat32.exe in the %System% folder.
  • If the file does not exist, the worm sets the Internet Explorer home page to a website with the Win-bugsfix.exe file. This website has been shut down.
  • If the file does exist, the worm creates the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

    It then executes the file during system startup. The Internet Explorer home page is then replaced with a blank page.

For each drive, including network drives, the worm attempts to infect files that have .vbs and .vbe extensions. The worm also searches for files with the extensions: .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp3, and .mp2.

When files with these extensions are found, the worm does the following:
  • Overwrites all files having the extensions: .js, .jse, .css, .wsh, .sct, .hta, .jpg, and .jpeg with viral code. It then makes a copy of the file and adds the extension .vbs to the file name. For example, if the file is named House_pics.jpg, the overwritten file is named House_pics.jpg.vbs. The original file is then deleted. These files must be deleted and then restored from a backup.
  • Creates copies of all files having the .mp3 and .mp2 extensions. It then overwrites the copy with viral code and adds the .vbs extension to the file name. Next it changes the attribute of the original .mp3 or .mp2 file to hidden. Because of this, the original copies of .mp3 and .mp2 files are still unaltered, though hidden, on the hard drive. The modified files should be deleted.

Caution: Do not attempt to run files that have been overwritten or renamed by this worm. If you do, the worm is executed again.
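
The cleanup rules above, sketched as an added triage script (not part of the original write-up or any Symantec tool): it takes a file listing and decides, per dropped file, whether the original must be restored from backup or only unhidden. The function names, action strings and sample paths are constructed for illustration; the extension sets and worm file names are the ones listed above.

```python
import ntpath
import os
import stat
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Extension sets as the write-up lists them for the base worm (variants differ).
OVERWRITTEN = {".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg", ".jpeg"}
HIDDEN_ORIGINAL = {".mp3", ".mp2"}
# Self-copies named in the write-up; matched by file name only.
WORM_COPIES = {"mskernel32.vbs", "love-letter-for-you.txt.vbs", "win32dll.vbs"}

# Hypothetical action labels used by this example.
WORM_COPY = "delete worm copy"
RESTORE = "delete dropped file, restore original from backup"
UNHIDE = "delete dropped file, clear hidden attribute on original"
DELETE_ONLY = "delete dropped file, original is present and visible"
VERIFY = "delete dropped file, compare surviving original with backup"


class Finding(NamedTuple):
    dropped: str   # file left by the worm
    original: str  # path the user's file had before infection ("" for self-copies)
    action: str


def triage(listing: Iterable[Tuple[str, bool]]) -> List[Finding]:
    """Classify (windows_path, is_hidden) pairs by the worm's naming pattern.

    Plain .vbs/.vbe files that were infected in place cannot be told apart
    by name, so they are not reported here; they need a content scan.
    """
    entries = list(listing)
    hidden_by_path: Dict[str, bool] = {p.lower(): h for p, h in entries}
    findings: List[Finding] = []
    for path, _hidden in entries:
        if ntpath.basename(path).lower() in WORM_COPIES:
            findings.append(Finding(path, "", WORM_COPY))
            continue
        stem, outer = ntpath.splitext(path)
        if outer.lower() != ".vbs":
            continue
        inner = ntpath.splitext(stem)[1].lower()
        original_hidden = hidden_by_path.get(stem.lower())  # None: not on disk
        if inner in OVERWRITTEN:
            # The worm deletes these originals; one that survives is suspect.
            action = RESTORE if original_hidden is None else VERIFY
        elif inner in HIDDEN_ORIGINAL:
            if original_hidden is None:
                action = RESTORE
            elif original_hidden:
                action = UNHIDE
            else:
                action = DELETE_ONLY
        else:
            continue
        findings.append(Finding(path, stem, action))
    return findings


def scan_tree(root: str) -> List[Tuple[str, bool]]:
    """Build a listing from a real folder; the hidden flag is only set on Windows."""
    listing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                attrs = getattr(os.stat(full), "st_file_attributes", 0)
            except OSError:
                continue
            listing.append((full, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return listing


# Constructed sample listing (not taken from a real infection).
SAMPLE_LISTING = [
    (r"C:\Pics\House_pics.jpg.vbs", False),
    (r"C:\Music\song.mp3.vbs", False),
    (r"C:\Music\song.mp3", True),
    (r"C:\Music\demo.MP2.VBS", False),
    (r"C:\Web\site.css.vbs", False),
    (r"C:\Web\site.css", False),
    (r"C:\Scripts\login.vbs", False),
    (r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", False),
    (r"C:\Docs\report.doc", False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING):
        print(f"{f.dropped}: {f.action}")
```

The script only reports; it never opens or executes the listed files, in line with the caution above.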

The worm also spreads by way of mIRC by creating a Script.ini file in the mIRC program folder. The script file sends the dropped file LOVE-LETTER-FOR-YOU.HTM to other users in the chatroom.

The worm uses MAPI calls to the Microsoft Outlook program and creates messages by going through all of the addresses in the Microsoft Outlook Address Book. The worm uses the Windows registry to keep track of those who have been sent the message, so that each is sent only one email.

The email has the following characteristics:
Subject:
ILOVEYOU

Body:
kindly check the attached LOVELETTER coming from me.

Attachment:
LOVE-LETTER-FOR-YOU.TXT.vbs

Finally, the virus drops the LOVE-LETTER-FOR-YOU.HTM file into the \Windows\System folder.

Summary of modified registry entries
The worm may create the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSKernel32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ESKernel32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ES32DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINFAT32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX


One or more of the programs referenced by the added subkeys may also be added for each user in the following registry subkey:
HKEY_USERS\[USER NAME]\Software\Microsoft\Windows\CurrentVersion\Run

The worm may then delete the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching


In addition, potentially hundreds of DWORD registry entries are created in the following subkey:
HKEY_USERS\[USER NAME]\SOFTWARE\Microsoft\WAB

The number of registry entries created is based on how many email messages are sent out. These keys will be different on each computer.
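
To check a machine against the entries summarized above, the following added example (not part of the original write-up) parses the text of a registry export and reports matching autorun entries plus the per-user count of DWORD entries under the WAB subkey. It assumes the listed names appear as value names under Run and RunServices, as autorun entries normally do; the export text, e-mail addresses and function names are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple

RUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runservices",
)
WAB_SUFFIX = r"\software\microsoft\wab"
# Entry names from the summary list, and worm file names from the write-up.
VALUE_NAMES = {"mskernel32", "win32dll", "eskernel32", "es32dll",
               "winfat32", "win-bugsfix"}
PROGRAMS = ("mskernel32.vbs", "win32dll.vbs", "winfat32.exe", "win-bugsfix.exe")

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


class Hit(NamedTuple):
    key: str
    name: str
    data: str
    reason: str  # "value name" or "program path"


class Report(NamedTuple):
    autoruns: List[Hit]
    wab_dwords: Dict[str, int]  # per-user WAB key -> number of DWORD entries


def check_export(reg_text: str) -> Report:
    """Scan .reg export text for the autorun and WAB indicators."""
    autoruns: List[Hit] = []
    wab: Dict[str, int] = {}
    key = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = VALUE.match(line)
        if not value or not key:
            continue
        name, data = value.group(1), value.group(2)
        low_key = key.lower()
        if low_key.endswith(RUN_SUFFIXES):
            if name.lower() in VALUE_NAMES:
                autoruns.append(Hit(key, name, data, "value name"))
            elif any(p in data.lower() for p in PROGRAMS):
                # Per-user Run entries may point at the same programs
                # under a different value name.
                autoruns.append(Hit(key, name, data, "program path"))
        elif (low_key.startswith("hkey_users\\") and low_key.endswith(WAB_SUFFIX)
              and data.lower().startswith("dword:")):
            wab[key] = wab.get(key, 0) + 1
    return Report(autoruns, wab)


# Constructed export text (not from a real machine).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"

[HKEY_USERS\.DEFAULT\Software\Microsoft\WAB]
"alice@example.test"=dword:00000001
"bob@example.test"=dword:00000001
"""

if __name__ == "__main__":
    report = check_export(SAMPLE_REG)
    for hit in report.autoruns:
        print(f"{hit.key}\\{hit.name} ({hit.reason}): {hit.data}")
    for user_key, count in report.wab_dwords.items():
        print(f"{user_key}: {count} DWORD entries")
```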

Variants
Symantec Security Response has identified 82 versions of VBS.LoveLetter. This information is current as of May 31, 2001.
  • VBS.LoveLetter.A
    • Detected as: VBS.LoveLetter.A(1)
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

  • VBS.LoveLetter.B (Lithuania)
    • Detected as: VBS.LoveLetter.B(1) or VBS.LoveLetter(HTM)
    • Subject: Susitikim shi vakara kavos puodukui...
    • Body: kindly check the attached LOVELETTER coming from me. (MESSAGE BODY: same as A)
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

  • VBS.LoveLetter.C (Very Funny)
    • Detected as: VBS.LoveLetter.C(1)
    • Subject: fwd: Joke
    • Body: (Message body is empty.)
    • Attachment: Very Funny.vbs

  • VBS.LoveLetter.D (BugFix)
    • Detected as: VBS.LoveLetter.A(1)
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: Creates the registry entry WIN- -BUGSFIX.exe instead of WIN-BUGSFIX.exe

  • VBS.LoveLetter.E (Mother's Day)
    • Detected as: VBS.LoveLetter.E
    • Subject: Mothers Day Order Confirmation
    • Body: We have proceeded to charge your credit card amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com
    • Attachment: mothersday.vbs

      Note: This variant will delete all .ini and .bat files.

  • VBS.LoveLetter.F (Virus Warning)
    • Detected as: VBS.LoveLetter.F
    • Subject: Dangerous Virus Warning
    • Body: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.
    • Attachment: virus_warning.jpg.vbs

      Note: Also includes Urgent_virus_warning.htm

  • VBS.LoveLetter.G (Virus ALERT!!!)
    • Detected as: VBS.LoveLetter.G
    • Subject: Virus ALERT!!!
    • Body: A long message regarding VBS.LoveLetter.A
    • Attachment: Protect.vbs

      Note: The From line of the message displays as "FROM support@symantec.com." This variant also overwrites files with .bat and .com extensions.

  • VBS.LoveLetter.H (No Comments)
    • Detected as: VBS.LoveLetter.H or VBS.LoveLetter(HTM)
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: This is known as No Comments because the comment lines at the beginning of the worm code have been removed.

  • VBS.LoveLetter.I (Important! Read carefully!!)
    • Detected as: VBS.LoveLetter.I
    • Subject: Important! Read carefully!!
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: Important.TXT.vbs

      Note: This variant copies the files Eskernel32.vbs and Es32dll.vbs. It also copies mIRC script comments referring to BrainStorm and ElectronicSouls, and sends the Important.htm file to the chat room.

  • VBS.LoveLetter.J (same as G version)
    • Detected as: VBS.LoveLetter.J
    • Subject: Virus ALERT!!!
    • Body: Largely the same as the G variant.
    • Attachment: Protect.vbs

      Note: This appears to be a slight modification of the G variant.

  • VBS.LoveLetter.K (same as I version)
    • Detected as: VBS.LoveLetter.K
    • Subject: Important! Read carefully!!
    • Body: Here's the easy way to fix the love virus.
    • Attachment: Important. How to protect yourself from the IL0VEY0U bug!

  • VBS.LoveLetter.L (I Cant Believe This!!!)
    • Detected as: VBS.LoveLetter.L
    • Subject: I Cant Believe This!!!
    • Body: I Cant Believe I have Just Recieved This Hate Email .. Take A Look!
    • Attachment: KillEmAll.TXT.VBS

      Note: This variant replaces .gif and .bmp files instead of .jpg and .jpeg. It hides .wav and .mid instead of .mp2 and .mp3 files. There is no IRC routine, so it will not infect chat room users. Copies the files Kiler.htm, Killer2.vbs, and Killer1.vbs to the hard drive.

  • VBS.LoveLetter.M (Arab Air)
    • Detected as: VBS.LoveLetter.M
    • Subject: Thank You For Flying With Arab Airlines
    • Body: Please check if the bill is correct, by opening the attached file
    • Attachment: ArabAir.TXT.vbs

      Note: Replaces .dll and .exe files instead of .jpg and .jpeg files. Hides .sys and .dll files instead of .mp3 and .mp2 files. Copies no-hate-FOR-YOU.HTM to the hard drive.

  • VBS.LoveLetter.N (Variant Test)
    • Detected as: VBS.LoveLetter.N
    • Subject: Variant Test
    • Body: This is a variant to the vbs virus.
    • Attachment: IMPORTANT.TXT.vbs

      Note: Copies itself as Sndvol32.vbs and Ieakdll.vbs. Internet Explorer home page is changed to [http://]altalavista.box.sk. It does not download the password stealing Trojan. Overwrites .mpg, .mpeg, .avi, .qt, and .qtm. Sends the file important.htm into Internet chat rooms using mIRC.

  • VBS.LoveLetter.O (same as A version)
    • Detected as: VBS.LoveLetter.O
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: This is the same as the A variant with slightly different internal coding.

  • VBS.LoveLetter.P (Yeah Yeah)
    • Detected as: VBS.LoveLetter.P
    • Subject: Yeah, Yeah another time to DEATH...
    • Body: This is the Killer for VBS.LOVE-LETTER.WORM.
    • Attachment: Vir-Killer.vbs

      Note: Sets the Internet Explorer home page to www.yahoo.com/Vir-Killer.exe. It does not download the password stealing Trojan. Overwrites .zip and .rar files instead of .jpg and .jpeg. Hides .pas and .asm files instead of .mp3 and .mp2.

  • VBS.LoveLetter.Q (LOOK!)
    • Detected as: VBS.LoveLetter.Q
    • Subject: LOOK!
    • Body: hehe...check this out.
    • Attachment: LOOK.vbs

      Note: Copies itself as Msuser32.vbs and User32dll.vbs. Overwrites .xls and .mdb files instead of .jpg and .jpeg. Hides .exe and .lnk files instead of .mp3 and .mp2. Creates Look.htm.

  • VBS.LoveLetter.R (Bewerbung)
    • Detected as: VBS.LoveLetter.R
    • Subject: Bewerbung Kreolina
    • Body: Sehr geehrte Damen und Herren!
    • Attachment: Bewerbung.txt.vbs

      Note: IRC sends Bewerbung.htm into connected Internet chat room.

  • VBS.LoveLetter.S (same as A version)
    • Detected as: VBS.LoveLetter.S
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: This is the same as the A variant with slightly different internal coding.

  • VBS.LoveLetter.T (BAND-AID)
    • Detected as: VBS.LoveLetter.T
    • Subject: Recent Virus Attacks-Fix
    • Body: Attached is a copy of a script that will reverse the effects of the LOVE-LETTER-TO-YOU.TXT.vbs as well as the FW:JOKE, Mother's Day and Lithuanian siblings.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: Sets Internet Explorer home page to a virus-related website. Deletes files with .bat, .gif, .tif, .tiff, .wav, .lnk, .bak, .doc, .xls, .rtf, .txt, .htm, .html, .xml, .mny, .zip, .bmp, .cab, and .inf extensions. It does not hide .mp3 and .mp2 files, but deletes them. Uses mIRC to send Band-aid.htm into Internet chat rooms.

  • VBS.LoveLetter.U (Presente)
    • Detected as: VBS.LoveLetter.U
    • Subject: PresenteUOL
    • Body: O UOL tem um grande presente para voce, e eh exclusivo.Veja o arquivo em anexo.[http://]www.uol.com.br.
    • Attachment: UOL.TXT.vbs

      Note: Sets Internet Explorer home page to [http://]www.uol.com.br. It also hides .exe, .com, and .ini files. Uses mIRC to send Uol.htm into Internet chat rooms.

  • VBS.LoveLetter.V (same as A version)
    • Detected as: VBS.LoveLetter.V
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: Internal comment lines slightly different.

  • VBS.LoveLetter.W (IMPORTANT)
    • Detected as: VBS.LoveLetter.W
    • Subject: IMPORTANT: Official virus and bug fix
    • Body: This is an official virus and bug fix. I got it from our system admin. It may take a short while to update your system files after you run the attachment.
    • Attachment: Bug and virus fix.vbs

      Note: Sets Internet Explorer home page to a virus-related website. Overwrites files with .exe, .com, .dll, .sys, .pwl, and .txt extensions. Uses mIRC to send "Bug and virus fix.htm" into Internet chat rooms.

  • VBS.LoveLetter.X (ANTI-VIRUS-LISTE)
    • Detected as: VBS.LoveLetter.X
    • Subject: NEUE ANTI-VIRUS-LISTE
    • Body: Hiermit senden wir Ihnen/Dir eine neue Liste mit LOVE-LETTER-VIRUS Namen, die nicht geoeffnet werden sollten, bitte sofort lesen, danke.
    • Attachment: ANTI-VIRUS-LISTE.TXT.vbs

      Note: Overwrites files with .mdb, .pdf, .wsh, .dot, .hta, .js, .drv, and .ini extensions. Hides files with .xlx and .doc extensions. Uses mIRC to send "ANTI-VIRUS-LISTE.HTM" into Internet chat rooms.

  • VBS.LoveLetter.Y (same as Q version)
    • Detected as: VBS.LoveLetter.Y
    • Subject: LOOK!
    • Body: hehe...check this out
    • Attachment: LOOK.vbs

      Note: Similar to Q variant but hides .mp3 and .mp2 files.

  • VBS.LoveLetter.Z (BUG & VIRUS FIX)
    • Detected as: VBS.LoveLetter.Z
    • Subject: Virus ALERT!!!
    • Body: I got this from our system admin. Run this to help pervent any recent or future bug & virus attack's. It may take a small while up update your files.
    • Attachment: MAJOR BUG & VIRUS FIX.vbs

      Note: Sets Internet Explorer home page to a virus-related website. Overwrites files with .com, .dll, .exe, .txt, .bat, and .sys extensions. Uses mIRC to send "BUG & VIRUS FIX.HTM" into Internet chat rooms.

  • VBS.LoveLetter.AA (same as A version)
    • Detected as: VBS.LoveLetter.AA
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: Several internal comments have been added.

  • VBS.LoveLetter.AB (same as A version)
    • Detected as: VBS.LoveLetter.AB
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: Several internal comments and instructions have been removed.

  • VBS.LoveLetter.AC (antivirusupdate)
    • Detected as: VBS.LoveLetter.AC
    • Subject: New Variation on LOVEBUG Update Anti-Virus!!
    • Body: There is now a newer variant of love bug. It was released at 8:37 PM Saturday Night. Please Download the following patch. We are trying to isolate the virus. Thanks Symantec."
    • Attachment: antivirusupdate.vbs

      Note: Several comment lines have been modified. Uses mIRC to send antivirusupdate.htm into Internet chat rooms.

  • VBS.LoveLetter.AD (same as A version)
    • Detected as: VBS.LoveLetter.AD
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: This is the same as the A variant with a number of internal comments.

  • VBS.LoveLetter.AE (same as A version)
    • Detected as: VBS.LoveLetter.AE
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: This is the same as the A variant with a number of internal comments.

  • VBS.LoveLetter.AF (FREE SEXSITE PASSWORDS)
    • Detected as: VBS.LoveLetter.AF
    • Subject: FREE SEXSITE PASSWORDS
    • Body: cHECK IT OUT ; FREE SEX SITE PASSWORDS.
    • Attachment: FREE SEXSITE PASSWORDS.HTML.vbs

      Note: Modification of the A variant. Contains over 100 comment lines at the beginning of the file.

  • VBS.LoveLetter.AG (same as A version)
    • Detected as: VBS.LoveLetter.AG
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: This is the same as the A variant with slightly different internal coding.

  • VBS.LoveLetter.AH (same as A version)
    • Detected as: VBS.LoveLetter.AH
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: This is the same as the A variant with internal comments explaining the various functions of the script.

  • VBS.LoveLetter.AI (Win $1,000,000!)
    • Detected as: VBS.LoveLetter.AI
    • Subject: You May Win $1,000,000! 1 Click Away
    • Body: kindly check the attached WIN coming from me.
    • Attachment: WIN.vbs

      Note: Bad formatting prevents this variant from executing.

  • VBS.LoveLetter.AJ (Virus Warnings !!!)
    • Detected as: VBS.LoveLetter.AJ
    • Subject: Virus Warnings !!!
    • Body: VERY IMPORTANT PLEASE READ THIS TEXT. TEXT ATTACHMENT.
    • Attachment: very-important-txt.vbs

      Note: This version replaces .vbs, .vbe, .js, .txt, .doc, and .hta files with a copy of itself. It appends .vbs to all other files. .mp3 and .mp2 files are renamed and overwritten. A browser window will open displaying a list of some common hoaxes.

  • VBS.LoveLetter.AL (NICE-GIRL)
    • Detected as: VBS.LoveLetter.AL
    • Subject: NICE-GIRL
    • Body: is this a nice girl or what ?
    • Attachment: NICE-GIRL.JPG.vbs

      Note: Same functionality as the A variant. Copies itself as Mfc41a.vbs and Mfc41b.vbs and adds these files to the registry to be executed on startup. Also overwrites .hta, .avi, .mpg, .mpeg, .cpp, .c, .txt, .doc, .h, and .bmp files. It does not touch .mp2 files. This variant contains a large number of comment lines consisting of numerous @ symbols. Uses mIRC to send NICE-GIRL.HTM to Internet chat rooms.

  • VBS.LoveLetter.AM (You must read this!)
    • Detected as: VBS.LoveLetter.AM
    • Subject: You must read this!
    • Body: Have you read this text? You must do it!!
    • Attachment: NOTES.TXT.exe

      Note: Buggy code prevents this variant from executing.

  • VBS.LoveLetter.AN (HOLA)
    • Detected as: VBS.LoveLetter.AN
    • Subject: HOLA
    • Body: HOLA ESTAMOS BUSCANDO GENTE PARA HACER UN CLUB DE HACKER ,PHERAK ,VIRUS Y ETC SI QUIERES UNIRTITE AUNQUE NO TENGAS CONOCIMIENTOS LEE EL ARCHIVO
    • Attachment: HELLO.TXT.vbs

      Note: This version does not change the default home page for Internet Explorer. It copies itself as rasapi.vbs and win32api.vbs. It uses mIRC to send KIKE.HTM to Internet chat rooms.

  • VBS.LoveLetter.AO (I missed ilnour..)
    • Detected as: VBS.LoveLetter.AO
    • Subject: I missed ilnour..
    • Body: I was in love with nour! but now am in love with KUWAIT !! Check this file
    • Attachment: I-Love-Kuwait.TXT.vbs

      Note: Sets Internet Explorer home page to [http://]alshaheen.net. Uses mIRC to send I-Love-Kuwait.BWC.vbs to Internet chat rooms. This version creates six different links on the desktop to various websites. No files get overwritten by this variant. When executed, a randomized message box is displayed with one of four possible messages.

  • VBS.LoveLetter.AP (Wish you were Here!)
    • Detected as: VBS.LoveLetter.AP
    • Subject: Wish you were Here!
    • Body: Wish you were Here! Im having a great time!
    • Attachment: Wish you were Here!.postcard.vbs

      Note: Buggy code prevents this variant from executing.

  • VBS.LoveLetter.AQ (New virus discovered!)
    • Detected as: VBS.LoveLetter.AQ
    • Subject: New virus discovered!
    • Body: A new virus has been discovered! It's name is @-@Alha and Omega@-@. Full list of virus abilities is included in attached file @-@info.txt@-@. For the last information go to McAfee's web page Please forward this mesage to everyone you care about.
    • Attachment: info.txt.vbs

      Note: This variant only contains the mass-mailer functionality. It sets the main window title of Internet Explorer to display "I am the Alpha and Omega". The script deletes itself after it has run.

  • VBS.LoveLetter.AR (random subject list)
    • Detected as: VBS.LoveLetter.AR
    • Subjects:
      • Event Information
      • Joke of the Day
      • Staff memo
      • n/a
      • Important information
      • Security alert!!!
      • Links!!!
      • Free Cellular Phone
      • Cure for CANCER!?!?!?!
      • Clinton and Lewinki phone messages
    • Body: Please download the attached file.
    • Attachment: placid.txt.vbs

      Note: This variant randomly chooses one of ten possible subjects for the email. Uses mIRC to send Placid.txt.vbs to Internet chat rooms. It copies itself over .vbs files, deletes .dos and .tmp files and overwrites all .js and .jse files with the line onLoad="alert('Placid, isnt it?? you bet.!');". It deletes the following executables if found on the system: Navw32.exe, Navapw32.exe, Pccmain.exe, and Webtrap.exe. A new Autoexec.bat is created, which deletes all files from the drive A, and runs Fdisk /mbr, which rewrites the master boot record.

  • VBS.LoveLetter.AT (3 de septiembre en Roma)
    • Detected as: VBS.LoveLetter.AT
    • Subject: 3 de septiembre en Roma
    • Body: Este año nos vemos el 3 de septiembre en Roma, no faltes. Te envío detalles del viaje.
    • Attachment: 3septiembreroma.TXT.vbs

      Note: This variant contains only the mass-mailer and registry editing functionalities. It does not overwrite or delete any files.

  • VBS.LoveLetter.AU (FREE SURF)
    • Detected as: VBS.LoveLetter.AU
    • Subject: FREE SURF
    • Body: kindly check the attached HOW TO FREE SURFLETTER coming from me.
    • Attachment: Free Surf.TXT.vbs

      Note: Sets Internet Explorer home page to [http://]mitglied.tripod.de/aker1434ffjz/winbat[REMOVED]. It sets the hidden attribute for all files in subfolders, and creates copies of itself as the original file names plus the .vbs extension. Uses mIRC to send Free Surf.TXT.vbe to Internet chat rooms.

  • VBS.LoveLetter.AV (same as AS version)
    • Detected as: VBS.LoveLetter.AV
    • Subject: US PRESIDENT AND FBI SECRET PICTURES =PLEASE VISIT => ( [http://]WWW.2600.COM )<=
    • Body: VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES..
    • Attachment: .vbs file with a randomly generated name

      Note: Please see the separate document that describes VBS.LoveLetter.AS for more information.

  • VBS.LoveLetter.AX (Hello Kitty)
    • Detected as: VBS.LoveLetter.AX
    • Subject: Hello Kitty
    • Body: About Hello Kitty latest News in JAPAN. See the attached document.
    • Attachment: Hello-Kitty.TXT.vbs

      Note: Same functionality as the .A variant. Uses mIRC to send Hello-Kitty.HTM to Internet chat rooms.

  • VBS.LoveLetter.AZ (You have a secret admirer!)
    • Detected as: VBS.LoveLetter.AZ
    • Subject: You have a secret admirer!
    • Body: Have a look at <url link> and open enclosed document.
    • Attachment: aa.vbs

      Note: Buggy code prevents this variant from executing.

  • VBS.LoveLetter.BA (same as C variant)
    • Detected as: VBS.LoveLetter.BA
    • Subject: fwd: Joke
    • Body: (message body is empty)
    • Attachment: Very Funny.vbs

      Note: Identical to the C variant, except that it does not set the Timeout period for Windows Scripting Host because of bad code.

  • VBS.LoveLetter.BB (no email capability)
    • Detected as: VBS.LoveLetter.BB

      Note: This variant contains only the infection routine for overwriting files. Files with the extensions .jpg, .jpeg, .gif, and .bmp are overwritten. Files with the extensions .mp3, .wav, and .mid are overwritten and set to hidden. All other files have the .vbs extension added to them.

  • VBS.LoveLetter.BC (KILL ILOVEYOU)
    • Detected as: VBS.LoveLetter.BC
    • Subject: KILL ILOVEYOU 2.0 - Apaga as alterações do ILOVEYOU
    • Body: Execute o script em anexo para voltar as opções do registry modificados pelo ILOVEYOU e apagar os arquivos relacionados a este vírus. A página inicial do Explorer será setado para about:blank.
    • Attachment: KILL_LOVE-LETTER.TXT.vbs

      Note: This variant attempts to reverse the effects of a VBS.LoveLetter.A infection. It deletes the registry subkeys and files associated with the A variant. It contains the mass-mailer function only.

  • VBS.LoveLetter.BF (My-Linong....)
    • Detected as: VBS.LoveLetter.BF
    • Subject: My-Linong....
    • Body: True Story....
    • Attachment: mylinong.txt.shs

      Note: This variant does not overwrite files. It makes use of only the mass-mailer to spread; it does not use mIRC. An ASCII message is displayed in Notepad when this worm is executed. The message is "I Love You Linong." The script also creates 600 folders on drive C named LINONG I LOVE YOU MY FOLDER[RANDOM NUMBER] where the [RANDOM NUMBER] is a three digit number from 000-600. After seven days the worm deletes itself and any files or folders that it created.

  • VBS.LoveLetter.BH (random email subject)
    • Detected as: VBS.LoveLetter.BH
    • Subject: randomly generated
    • Body: randomly generated
    • Attachment: win.com.vbs

      Note: Buggy code prevents this variant from executing. This variant randomly selects one of sixteen email subjects and message bodies for outgoing email. It makes many changes to the registry. Finally, it also overwrites .zip and .rar files, and hides files with .doc, .xls, .ppt, and .gif extensions.

  • VBS.LoveLetter.BI (Party Time)
    • Detected as: VBS.LoveLetter.BI
    • Subject: Party Time
    • Body: Hey!!.. Cloze the doorz coz we gonna party in 'ere all nite!! ;-) Sweet demo coded in Visual Basic.. unleash the powerz of Mickey$oft! Enjoy :-)
    • Attachment: Party.BAS.vbs

      Note: This variant changes the RegisteredOwner, RegisteredOrganization and Version to "SiR DySTyK", "VBS/Party", and "Mickey$oft Windowz v0.3" respectively. The worm maintains two counters in the registry, which are used to create new folders in the \Windows\System folder. When the first counter reaches 20 (increasing once per execution of the worm) the second counter is increased by 1. Each time that the second counter increases, a new hidden, read-only folder named Party[NUMBER] (where the [NUMBER] is replaced by the number of the second counter) is created, and inside this new folder, 50 copies of the worm are hidden. It uses mIRC to send Party.BAS.vbs to Internet chat rooms. It copies itself as WinMgr.LNK.vbs to the \Startup folder.

  • VBS.LoveLetter.BK (same as BI variant)
    • Detected as: VBS.LoveLetter.BK
    • Subject: Party Time
    • Body: Hey!!.. Cloze the doorz coz we gonna party in 'ere all nite!! ;-) Sweet demo coded in Visual Basic.. unleash the powerz of Mickey$oft! Enjoy :)
    • Attachment: win.com.vbs

      Note: This is the same as the BI variant, except for the author's name, which has changed from SiR DySTyK to Total Konfuzion.

  • VBS.LoveLetter.BL (Rock the Vote)
    • Detected as: VBS.LoveLetter.BL
    • Subject: Rock the Vote
    • Body: I thought you would find this interesting :)
    • Attachment: al_gore.vbs

      Note: This variant contains the mass mailer and file replication functions. It overwrites and appends the .vbs extension to the following file types: .asp, .jpg, .gif, .htm, .html, .css, .mp3, .mp2, .mod, .mpg, and .mpeg. It copies itself as System32.vbs and al_gore.vbs. Once executed, it displays the following message: Windows does not recognize this file. Click 'OK' to cancel this operation.

  • VBS.LoveLetter.BN (similar to BL variant)
    • Detected as: VBS.LoveLetter.BN
    • Subject: randomly generated
    • Body: I thought you would find this interesting :) Call me later!
    • Attachment: win.com.vbs

      Note: This is a slightly modified variant based on VBS.LoveLetter.BL. It randomly chooses one of ten subjects for the outgoing email. It also sends a copy of the mail as a bcc to cybercrime@techtv.com. This version also modifies .cfm files in addition to those already listed under the BL variant.

  • VBS.LoveLetter.BO (same as C version)
    • Detected as: VBS.LoveLetter.BO
    • Subject: fwd: Joke
    • Body: (message body is empty)
    • Attachment: Very Funny.vbs

      Note: Same as C variant.

  • VBS.LoveLetter.BQ (Gotov je! 24.09.2000!)
    • Detected as: VBS.LoveLetter.BO
    • Subject: Gotov je! 24.09.2000!
    • Body: Ej! Pogledaj ovo u prilogu!!!
    • Attachment: GotovJe.vbs

      Note: This variant only contains the mass-mailer function. It copies itself as GotovJe.vbs into the \Windows and \Windows\System folders. It displays the file GotovJe.htm, which it creates when it is executed. This file contains the following text: KOMSIJA, 24 Septembra su izbori! Na tim izborima TI pobedjujes Milosevica! Tvoj glas ga plasi! 24.09 Izadji, Glasaj, Pobedi! Gotov je!

  • VBS.LoveLetter.BR (insert subject here)
    • Detected as: VBS.LoveLetter.BR
    • Subject: insert subject here
    • Body: insert body here
    • Attachment: syscheck.vbs

      Note: This variant sends one mail with each user added as a bcc. It creates the file OOBHCDGC.VBS in the \Windows folder, CAIXDVRP.VBS in the \Windows\System folder, and BPDNQLVR.VBS in the Windows \Temp folder. It creates the file C:\Autorun.inf which attempts to execute the OOBHCDGC.VBS file.

  • VBS.LoveLetter.BZ (Southpark Is Here On Singapore!!!)
    • Detected as: VBS.LoveLetter.BZ
    • Subject: Southpark Is Here On Singapore!!!
    • Body: Check it out!!! SOUTHPARK Never Diez!!!
    • Attachment: Southpark.txt.vbs

      Note: If this variant is executed on your computer, you will in most cases need to reinstall everything on your computer. This variant deletes files in the root folder of drive C. It deletes files that are not currently in use from the following folders: C:\Windows, C:\Windows\System, C:\Program Files, C:\Windows\Cookies, and the root of drive D. Most files in these folders have 0-byte copies of themselves created with Southpark.vbs appended to the file name. It uses mIRC to send Southpark.txt.vbs to Internet chat rooms. It sets the ComputerName and RegisteredOwner to "Love Never Change For Linghui".

  • VBS.LoveLetter.CB (HELLO)
    • Detected as: VBS.LoveLetter.CB
    • Subject: HELLO
    • Body: JulieNSurprise.
    • Attachment: JulieNSurprise.vbs

      Note: This variant will possibly set the Internet Explorer home page to the address [http://]www.hackside.fr.fm/hack[REMOVED] in an attempt to download the file JULIEN_PELLETIER.zip. It will not overwrite any files on the system, but it does contain the mass-mailer function.

  • VBS.LoveLetter.CC (MY FAVORITE POETRIES)
    • Detected as: VBS.LoveLetter.CC
    • Subject: MY FAVORITE POETRIES
    • Body: These are some of the poetries that I have written for you.
    • Attachment: (5)-Poetries-that-I-have-written-for-you.txt.vbs

      Note: This variant sends one email with each user added as a bcc. It creates the file OOBHCDGC.VBS in the \Windows folder, CAIXDVRP.VBS in the \Windows\System folder, and BPDNQLVR.VBS in the Windows \Temp folder. It creates the file C:\Autorun.inf, which attempts to execute the OOBHCDGC.VBS file.

  • VBS.LoveLetter.CE (same as A version)
    • Detected as: VBS.LoveLetter.CE
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: This variant is almost identical to the VBS.LoveLetter.A variant. It contains an additional comment line at the beginning of the file.

  • VBS.LoveLetter.CF (same as A version)
    • Detected as: VBS.LoveLetter.CF
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: This variant is almost identical to the VBS.LoveLetter.A variant except for extra spacing in the file.

  • VBS.LoveLetter.CG (same as A version)
    • Detected as: VBS.LoveLetter.CG
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: This variant is almost identical to the VBS.LoveLetter.A variant. It contains slightly differing variable names.

  • VBS.LoveLetter.CI (same as A version)
    • Detected as: VBS.LoveLetter.CI
    • Subject: ILOVEYOU
    • Body: kindly check the attached LOVELETTER coming from me.
    • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

      Note: This variant is almost identical to the VBS.LoveLetter.A variant except for extra spacing in the file.

  • VBS.LoveLetter.CN (same as A version)
    • Detected as: VBS.LoveLetter.CN
    • Subject: Where are you?
    • Body: This is my pic in the beach!
    • Attachment: JENNIFERLOPEZ_NAKED.JPG.vbs

      Note: This variant also creates a file named "Cih_14.exe", which is a dropper for the CIH virus, and attempts to run it. Please see the separate document that describes VBS.LoveLetter.CN for more information.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Eric Chien
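
The attachment-blocking recommendation above, sketched as a mail-gateway check. This is an added example, not Symantec's code: it flags the extensions the recommendation names and the double-extension disguise (.TXT.vbs, .JPG.vbs) used by the variants listed. The function names, the DECOY list, and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Extensions the recommendation names as commonly used to spread threats.
BLOCKED = {".vbs", ".bat", ".exe", ".pif", ".scr"}
# Harmless-looking inner extensions used as a disguise (assumed list).
DECOY = {".txt", ".jpg", ".jpeg", ".doc", ".mp3"}

def classify(filename):
    """Return (verdict, reason) for one attachment file name."""
    # Windows ignores trailing dots and spaces, so "a.vbs. " still runs as .vbs.
    name = PureWindowsPath(filename.strip().rstrip(". ")).name.lower()
    suffixes = PureWindowsPath(name).suffixes
    if not suffixes or suffixes[-1] not in BLOCKED:
        return ("allow", "")
    if len(suffixes) >= 2 and suffixes[-2] in DECOY:
        return ("block", "double extension %s%s" % (suffixes[-2], suffixes[-1]))
    return ("block", "blocked extension " + suffixes[-1])

def scan_message(raw_bytes):
    """Parse a raw message and list (filename, reason) for blocked attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            verdict, reason = classify(fname)
            if verdict == "block":
                findings.append((fname, reason))
    return findings

def build_sample(subject, attachment_name):
    """Constructed test message; the attachment payload is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, att in [("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                      ("HELLO", "JulieNSurprise.vbs"),
                      ("Report", "q3-report.pdf")]:
        print(subj, scan_message(build_sample(subj, att)))
```

Matching on the file name alone is a first-pass filter; a gateway would normally pair it with content inspection, since a sender controls the name.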