- June 6, 2000
- October 11, 2001 10:01:58 PM
- Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
VBS.Loveletter.AS is a mass-mailing worm first reported early on June 6, 2000.
The worm runs when a user opens an infected email attachment.
On first execution, the worm writes copies of itself to the \Windows folder:
and one of
The worm replaces files of certain types with its own code, and adds an extension of '.vbs' to the filename. In most reported variants, these include the following file types:
.vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .mp3, and .mp2.
.mp3 and .mp2 files are hidden rather than overwritten.
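A triage sweep for the rename behaviour described above, added here as an example that is not part of the original write-up: it flags files whose name is a listed type plus an appended `.vbs` and reports groups with byte-identical content. The function names, the identical-content assumption and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# File types the write-up lists as replaced and given a '.vbs' suffix.
# .mp3/.mp2 are left out: the write-up says those are hidden, not overwritten.
TARGET_EXTS = {
    ".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg",
    ".jpeg", ".wav", ".txt", ".gif", ".doc", ".htm", ".html", ".xls", ".ini",
    ".bat", ".com",
}


def is_renamed_victim(filename):
    """True for names like 'report.doc.vbs': a listed type plus an appended .vbs."""
    stem, last = os.path.splitext(filename.lower())
    inner = os.path.splitext(stem)[1]
    return last == ".vbs" and inner in TARGET_EXTS


def find_overwritten(root, min_cluster=2):
    """Return {sha256: [paths]} for double-extension files with identical content.

    Assumption: every overwritten file holds the same script body, so the
    copies hash alike. A lone 'notes.txt.vbs' is not reported by default.
    """
    clusters = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_renamed_victim(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # locked or unreadable file: skip, keep sweeping
            clusters[digest].append(path)
    return {h: sorted(p) for h, p in clusters.items() if len(p) >= min_cluster}


if __name__ == "__main__":
    # Constructed sample tree: two renamed files sharing one placeholder body.
    with tempfile.TemporaryDirectory() as root:
        for name in ("budget.xls.vbs", "holiday.jpg.vbs", "readme.txt"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"constructed placeholder body\n")
        print(find_overwritten(root))
```

Each reported group is a set of files to restore from backup; a standalone `.vbs` script or a single double-extension file is not flagged.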
The worm also creates this file:
The worm checks for this file:
If it is unable to find Winfat32.exe, it tries to download one of three files from a remote location, sets Internet Explorer's default home page to the address chosen, and takes a specific action:
- Saves Macromedia32.zip as \Windows\important_note.zip and changes the registry to execute the worm on startup.
- Copies Linux321.zip to \Windows\Syslogos.sys, replacing the Windows shutdown screen.
- Copies Linux322.zip to \Windows\Logow.zip, replacing the Windows "safe to turn off your computer" screen.
Since the worm's appearance, these websites have been made unavailable.