VBS.LoveLetter Fix

Discovered: December 22, 2000
Updated: August 24, 2005 12:00:00 AM
Type: Removal Information
The VBS.LoveLetter Fix tool removes the changes that were made to a computer by all known versions of the VBS.LoveLetter worm except VBS.LoveLetter.CA, VBS.LoveLetter.BJ, VBS.LoveLetter.BM and VBS.LoveLetter.AS.

Caution: Before you run the tool, you must update to the most recent virus definitions and run a full system scan, making sure that Norton AntiVirus (NAV) is set to scan all files. If you run the tool before scanning your system, you may see warnings that indicate that files have been infected with LoveLetter. If you see any such warning, choose to delete the files.

Notes:
  • This tool will have limited effectiveness if you have been infected with VBS.NewLove.A. This variant of LoveLetter destroys all files on the system that are not in use. Therefore an infected system will most likely be unstable.
  • If you are running this tool on Windows NT or Windows 2000, you must have Administrator-level privileges.
  • When the tool has finished running, you will see a message indicating whether or not the computer was infected by VBS.LoveLetter.
  • If you are an administrator, and you want to run the tool without displaying the information dialog box, run the tool with the /auto command line switch; for example, C:\Windows\Desktop\fixlove.exe /auto

To obtain and run the tool:

The digital signature
Fixlove.exe is digitally signed. Symantec recommends that you only use copies of Fixlove.exe that have been downloaded directly from the SARC download site. To check the authenticity of the digital signature, follow these steps:
  • Go to http://www.wmsoftware.com/free.htm
  • Download and save the chktrust.exe file to the same folder where you saved Fixlove.exe.
  • Click Start, point to Programs, and click MS-DOS Prompt.
  • Change to the folder where Fixlove.exe and Chktrust.exe are stored, and then type:

    chktrust -i fixlove.exe

    For example:
    cd\
    cd download
    chktrust -i fixlove.exe

  • Press Enter after typing each command.
  • If the digital signature is valid, you will see the following:
    Do you want to install and run "fixlove.exe" signed on 5/11/2000 3:19 PM and distributed by Symantec Corporation.
    • The date and time that are displayed in this dialog will be adjusted to your time zone if your computer is not set to the Pacific time zone.
    • If you are using Daylight Saving time, the time that is displayed will be exactly one hour earlier.
    • If this dialog does not appear or the date and time are not correctly adjusted for your time zone, do not use your copy of Fixlove.exe. It is not from Symantec.
  • Click Yes to close the dialog box.
  • Type exit and then press Enter. This will close the MS-DOS session.

What the tool does
The VBS.LoveLetter tool performs the following actions:
  • Deletes the Win32DLL.vbs file from the %Windir% folder
  • Deletes the following files from the %System% folder:
    • MSKernel32.vbs
    • LOVE-LETTER-FOR-YOU.TXT.vbs
    • LOVE-LETTER-FOR-YOU.HTM
    • WINFAT32.EXE
    • WIN-BUGSFIX.EXE
    • Funny Love.vbs
    • Funny Love.htm
  • Removes Winfat32.exe, Win-bugsfix.exe, and all .vbs entries from the following registry subkeys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    • HKEY_USERS\[USER NAME]\Software\Microsoft\Windows\CurrentVersion\Run (This is done for all users.)

  • Restores the Timeout value for the Windows Scripting Host key for all users, if present:
    HKEY_USERS\username\SOFTWARE\Microsoft\Windows Scripting Host\Settings
  • Sets the starting page for Internet Explorer to http://www.symantec.com/avcenter/repair_instruct.html in the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
  • Removes all DWORD values from the following registry subkey except for LDAP Connection Timeout and Server ID (This is done for all users):
    HKEY_USERS\[USER NAME]\SOFTWARE\Microsoft\WAB
  • Searches all local hard drives for hidden .mp3 and .mp2 files, and removes the hidden attribute.
  • Searches all local hard drives for LoveLetter Script.ini files. If found, the Script.ini file will be overwritten with a blank file that contains just one line:
    [SCRIPT]
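
An added example, not part of the original page or of Symantec's tool: a Python check that scans a text export of the registry for values in the three Run subkeys listed above that reference Winfat32.exe, Win-bugsfix.exe or a .vbs file, which is useful for confirming the cleanup afterwards. The sample export, its value names and its paths are constructed, and the function assumes the export has already been decoded to text.

```python
import re

# Subkeys the page lists; the HKEY_USERS form is matched for every user.
RUN_KEYS = re.compile(
    r"^(HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunServices)"
    r"|HKEY_USERS\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)$",
    re.IGNORECASE,
)
# One "name"="string data" line of a .reg export (@ is the default value).
VALUE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<data>(?:[^"\\]|\\.)*)"$')
# What the page says is removed: Winfat32.exe, Win-bugsfix.exe, and any .vbs entry.
SUSPECT = re.compile(r'(winfat32\.exe|win-bugsfix\.exe|\.vbs)(?=$|[\s"])', re.IGNORECASE)

# Constructed sample export (value names and paths are illustrative, not from the page).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"WIN-BUGSFIX"="C:\\Downloads\\WIN-BUGSFIX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Backup"="wscript.exe \"C:\\Tools\\backup.vbs\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"Notes"="readme.vbs"
'''

def leftover_run_entries(reg_text):
    """Return (key, value_name, data) for Run entries matching the page's removal rule."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            key = path if RUN_KEYS.match(path) else None  # ignore other subkeys
            continue
        m = VALUE.match(line) if key else None
        if m:
            data = re.sub(r"\\(.)", r"\1", m.group("data"))  # undo .reg escaping
            if SUSPECT.search(data):
                findings.append((key, m.group("name"), data))
    return findings

if __name__ == "__main__":
    for key, name, data in leftover_run_entries(SAMPLE_EXPORT):
        print(f"{key}\n    {name} = {data}")
```

Because the rule is "all .vbs entries", a legitimate script started from a Run key (the Backup value in the sample) is reported as well.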