Discovered: June 06, 2000
Updated: February 13, 2007 11:56:05 AM
Also Known As: VBS.President.Worm, VBS/Columbia, VBS.LoveLetter.AS, VBS.LoveLetter.BJ, I-Worm.Plan
Type: Worm

VBS.Plan is a Visual BASIC Script worm that is detected by Norton AntiVirus (NAV) as VBS.LoveLetter.Variant with virus definitions prior to Aug. 28, 2000. This worm shares many of the properties of the VBS.LoveLetter worm. It spreads using MS Outlook and overwrites files with a copy of itself.

Additional precautions that you can take:
Some threats, such as this one, use the VBScript computer language to run. You can protect yourself from threats that use this language by enabling Script Blocking (Norton AntiVirus 2001/2002) or by disabling or uninstalling the Windows Scripting Host. Because the Windows Scripting Host is an optional part of Windows, it can be safely removed from your computer. (Some programs, however, need Windows Scripting Host in order to function properly.)

  • If you are using Norton AntiVirus 2002, which includes Script Blocking, make sure that Script Blocking is enabled (the default).
  • If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available. Please run LiveUpdate to obtain this.
  • For other versions of Norton AntiVirus, SARC offers a tool to disable the Windows Scripting Host.
  • To disable the Windows Scripting Host in Microsoft Outlook Express only, see the Microsoft Knowledge Base document OLEXP: How to Disable Active Scripting in Outlook Express, Article ID: Q192846.

Antivirus Protection Dates

  • Initial Rapid Release version June 16, 2000
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version June 16, 2000
  • Latest Daily Certified version August 09, 2016 revision 001


Technical Description

When executed, the worm copies itself into the following locations:

  • Windows folder as Reload.vbs
  • Windows\System folder as Linux32.vbs
  • Windows\System folder as a randomly generated 4- to 8-character file ending in .gif.vbs, .jpg.vbs, or .bmp.vbs

The worm checks whether Winfat32.exe exists in the Windows\System folder. If the file is present, the worm randomly sets the Internet Explorer Start Page to one of the following Web addresses:
Depending on which file is downloaded, the worm performs the following action:
  • Copies as the hidden file Important_note.txt in the Windows folder and modifies the registry to load this text file at startup.
  • Copies as \Windows\Syslogos.sys to replace the screen that is displayed when Windows has shut down.
  • Copies as \Windows\Logow.sys to replace the screen that is displayed when Windows is shutting down.

The worm also creates the file Us-president-and-fbi-secrets.htm in the Windows folder, but this file is not loaded.

The worm uses MAPI calls to the Microsoft Outlook application and creates messages by iterating through all addresses in the Microsoft Outlook address book. The worm marks these recipients using the registry in an attempt to send them the mail only once.

The randomly generated file names appear in all capital letters and are formatted so that every even numbered letter is a vowel, for example, SOXU, DEII, YIEUHUDI, BILALU, and so on.
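The file names and the random-name rule described above can be turned into a triage check over a file listing. The following is an added example, not part of the original write-up or any Symantec tool; the function names and the sample listing are constructed for illustration. It assumes case-insensitive matching and does not check which folder a file is in.

```python
import re
from pathlib import PureWindowsPath

# Fixed file names the write-up says the worm creates (compared in lower case).
FIXED_NAMES = {
    "reload.vbs",
    "linux32.vbs",
    "us-president-and-fbi-secrets.htm",
    "important_note.txt",
}

# Random name: 4 to 8 letters, then .gif/.jpg/.bmp, then .vbs.
RANDOM_NAME = re.compile(r"^([A-Za-z]{4,8})\.(gif|jpg|bmp)\.vbs$", re.IGNORECASE)
VOWELS = set("AEIOU")

def matches_random_pattern(filename):
    """True if every even-numbered letter of the stem is a vowel."""
    m = RANDOM_NAME.match(filename)
    if not m:
        return False
    # Assumption: fold case, because listing tools may not preserve capitals.
    stem = m.group(1).upper()
    # Letters 2, 4, 6, 8 are indexes 1, 3, 5, 7.
    return all(ch in VOWELS for ch in stem[1::2])

def classify(path):
    """Return 'fixed-name', 'random-name', or None for one Windows path."""
    name = PureWindowsPath(path).name
    if name.lower() in FIXED_NAMES:
        return "fixed-name"
    if matches_random_pattern(name):
        return "random-name"
    return None

def triage(paths):
    """Return (path, label) pairs for every path that matches an indicator."""
    return [(p, label) for p in paths if (label := classify(p))]

# Constructed sample listing, not taken from a real system.
SAMPLE_LISTING = [
    r"C:\WINDOWS\Reload.vbs",
    r"C:\WINDOWS\SYSTEM\Linux32.vbs",
    r"C:\WINDOWS\SYSTEM\YIEUHUDI.jpg.vbs",
    r"C:\WINDOWS\SYSTEM\BILALU.bmp.vbs",
    r"C:\WINDOWS\SYSTEM\SOXU.gif",        # no .vbs suffix
    r"C:\WINDOWS\SYSTEM\STRK.gif.vbs",    # letters 2 and 4 are not vowels
    r"C:\My Documents\backup.vbs",        # ordinary script name
    r"C:\WINDOWS\Us-president-and-fbi-secrets.htm",
]

if __name__ == "__main__":
    for path, label in triage(SAMPLE_LISTING):
        print(f"{label:12} {path}")
```

A hit is a candidate for review, not a verdict: a file such as Important_note.txt can exist for unrelated reasons.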


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


To remove this worm, perform the following steps in the order presented (detailed instructions follow):

  • Verify that NAV is set to scan all files.
  • Restart the computer in Safe Mode.
  • Scan the computer for infected files.
  • Delete the Us-president-and-fbi-secrets.htm file and files with a .vbs extension.
  • Remove worm entries from the registry.
  • (Optional) Restore copies of Logos.sys and Logow.sys.
  • (Optional) Recover infected image files.

To verify that NAV is set to scan all files:
  • NAV 4.0/5.0:
    1. Start NAV.
    2. Click Options.
    3. Click the Scanner tab.
    4. Click All files, and then click OK.
  • NAV 2000/2001:
    1. Start NAV.
    2. Click Options.
    3. Click Manual Scans.
    4. Under "File types to scan," click All files, and then click OK.
To restart the computer in Safe Mode:
  • Windows 95:
    1. Exit all programs, and then shut down the computer.
    2. Turn off the computer, and wait 30 seconds. You must turn off the computer to remove the virus from memory. Do not use the reset button.
    3. Turn on the computer. When you see the "Starting Windows 95" message, press F8.
    4. Type the number for Safe Mode, and then press Enter.
  • Windows 98 or Windows Me:
    1. Click Start, and click Run.
    2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
    3. Click Advanced on the General tab.
    4. Check Enable Startup Menu, click OK, and then click OK again.
    5. Exit all programs, and then shut down the computer.
    6. Turn off the computer, and wait 30 seconds. You must turn off the computer to remove the virus from memory. Do not use the reset button.
    7. Turn on the computer, and wait for the menu.
    8. Type the number for Safe Mode, and then press Enter.

      NOTE: After you have completed all of the steps in this document, you may repeat steps 1 through 4, and in step 4, uncheck Enable Startup Menu. The next time you restart the computer, you will not see the Startup menu.
To scan the computer for infected files:
Scan your computer with NAV, and delete any files that NAV detects as infected.

To delete the Us-president-and-fbi-secrets.htm file and files with a .vbs extension:
First, configure Windows to show all files, and then find and delete the worm's .htm and .vbs files. Here are the steps:

To show all files:
  1. Start Windows Explorer.
  2. Click the View menu, and click Options or Folder options.
  3. Click the View tab, and uncheck (if it is checked) "Hide file extensions for known file types."
  4. Click Show all files, and then click OK.

To find the worm's files:
  1. Click Start, point to Find, and click Files or Folders.
  2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
  3. In the Named box, type us*.htm and then click Find Now.
  4. If the Us-president-and-fbi-secrets.htm file is found, select it and press the Delete key.
  5. Click New Search, and then click OK to confirm.
  6. In the Named box, type *.vbs and click Find Now.
  7. If any files are found, you should in most cases delete them because they probably have been overwritten by the worm. If these are .vbs files that you have created or downloaded for a specific purpose, you should move them to external media, such as a floppy disk.

To remove worm entries from the registry:

CAUTION: We strongly recommend that you back up the Windows registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and click OK. The Registry Editor opens.

    NOTE: For information about how to edit the registry, click Help and then click Help Topics. See the information regarding Changing Keys and Values.
  3. Navigate to the following subkey:

  4. Look for the following String values in the right pane:

    plan columbia
  5. If any of these exist, select each in turn, press the Delete key, and then click Yes to confirm.
  6. Navigate to the following subkey:

  7. Look for the following String value in the right pane:

  8. If this entry exists, select the entry and then press the Delete key.
  9. Exit the Registry Editor.

(Optional) To restore copies of Logos.sys and Logow.sys:
In some cases, VBS.Plan may infect the following files:
  • Logow.sys
  • Logos.sys

These files are used by Windows to display the Windows shutdown messages. If you delete them, then when Windows shuts down you will not see the "Windows is shutting down" or the "It is now safe to turn off your computer" messages. This does not affect the ability of Windows to shut down. If you want to restore these files, you will need to use the Extract command (Windows 95) or the System File Checker (Windows 98). Please see your Windows documentation for information on how to do this.

(Optional) To recover infected image files:
If you have Norton Utilities and the Protected Recycle bin was enabled at the time of the infection, you can recover the deleted originals of many of the infected files. To do so, follow these steps:
  1. Right-click the Protected Recycle bin, and click Norton UnErase.
  2. When the wizard appears, click Next.
  3. At the next panel, hold down the Ctrl key and click each file that you want to restore.
  4. Click Restore.

Writeup By: Brian Ewell