VBS.Loveletter.AS

Printer Friendly Page

Discovered: June 06, 2000
Updated: October 11, 2001 10:01:58 PM
Systems Affected: Windows

The VBS.Loveletter.AS variant is a mass-mailing worm first reported on June 6, 2000.

Like the original VBS.LoveLetter.A, this variant spreads through Microsoft Outlook and replaces file contents with infectious copies of itself.

The variant triggers on September 17 of any year, executing the email payload and displaying a greeting message.

The worm also attempts to download and install files from three specfic websites. These have since been disabled.

Antivirus Protection Dates

  • Initial Rapid Release version June 16, 2000
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version June 16, 2000
  • Latest Daily Certified version August 09, 2016 revision 001

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Discovered: June 06, 2000
Updated: October 11, 2001 10:01:58 PM
Systems Affected: Windows

VBS.Loveletter.AS is a mass-mailing worm first reported early on June 6, 2000.

The virus is executed by a user running an infected email attachment.

On first execution, the worm writes copies of itself to the \Windows folder:

\Windows\Reload.vbs
\Windows\System\Linux32.vbs

and one of

\Windows\System\[random filename].bmp.vbs

or

\Windows\System\[random filename].jpg.vbs

or

\Windows\System\[random filename].gif.vbs


The worm replaces files of certain types with its own code, and adds an extension of '.vbs' to the filename. In most reported variants, these include the following file types:

.vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .mp3, and .mp2.

.mp3 and .mp2 files are hidden rather than overwritten.

The worm also creates this file:

\Windows\US-PRESIDENT-AND-FBI-SECRETS.htm

The worm checks for this file:

\Windows\System\Winfat32.exe

If it is unable to find Winfat32.exe, it will try to download one of three files from a remote location, set the Internet Explorer's default home page to the address chosen, and take a specific action:

http://members.fortunecity.com/plancolombia/macromedia32.zip
- the worm saves Macromedia32.zip as \Windows\important_note.zip and changes the registry to execute the worm on startup.

http://members.fortunecity.com/plancolombia/linux322.zip
- copies Linux321.zip to \Windows\Syslogos.sys, replacing the Windows shutdown screen.

http://members.fortunecity.com/plancolombia/linux321.zip
- copies Linux322.zip to \Windows\Logow.zip, replacing the Windows "safe to turn off your computer" screen.

Since the virus' appearance, these websites have been made unavailable.