1. /
  2. Security Response/
  3. VBS.Loveletter.AS

VBS.Loveletter.AS

Risk Level 2: Low

Discovered:
June 6, 2000
Updated:
October 11, 2001 10:01:58 PM
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
VBS.Loveletter.AS is a mass-mailing worm first reported early on June 6, 2000.

The virus is executed by a user running an infected email attachment.

On first execution, the worm writes copies of itself to the \Windows folder:

\Windows\Reload.vbs
\Windows\System\Linux32.vbs

and one of

\Windows\System\[random filename].bmp.vbs

or

\Windows\System\[random filename].jpg.vbs

or

\Windows\System\[random filename].gif.vbs


The worm replaces files of certain types with its own code, and adds an extension of '.vbs' to the filename. In most reported variants, these include the following file types:

.vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .mp3, and .mp2.

.mp3 and .mp2 files are hidden rather than overwritten.

The worm also creates this file:

\Windows\US-PRESIDENT-AND-FBI-SECRETS.htm

The worm checks for this file:

\Windows\System\Winfat32.exe

If it is unable to find Winfat32.exe, it will try to download one of three files from a remote location, set the Internet Explorer's default home page to the address chosen, and take a specific action:

http://members.fortunecity.com/plancolombia/macromedia32.zip
- the worm saves Macromedia32.zip as \Windows\important_note.zip and changes the registry to execute the worm on startup.

http://members.fortunecity.com/plancolombia/linux322.zip
- copies Linux321.zip to \Windows\Syslogos.sys, replacing the Windows shutdown screen.

http://members.fortunecity.com/plancolombia/linux321.zip
- copies Linux322.zip to \Windows\Logow.zip, replacing the Windows "safe to turn off your computer" screen.

Since the virus' appearance, these websites have been made unavailable.
Summary| Technical Details

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report, Volume 17
Symantec DeepSight Screensaver