1. Symantec/
  2. Security Response/
  3. VBS.LoveLetter.Var


Risk Level 2: Low

May 5, 2000
March 12, 2002 8:00:32 PM
Also Known As:
VBS/LoveLet-AE [Sophos], VBS/LoveLetter.A-V@mm [Norman], VBS/LoveLetter [F-Secure], VBS/Loveletter@MM [McAfee]
Infection Length:
Systems Affected:
VBS.LoveLetter.Var is a mass-mailing worm that sends itself to all email addresses in a compromised user's Microsoft Outlook address book.

Symantec Security Response has identified 82 variants of this worm. The latest is VBS.LoveLetter.CN. Virus definitions dated May 31, 2001, or later detect and remove all of these known variants. Occasionally new variants of this worm are discovered. Norton AntiVirus may, at times, detect these new variants as VBS.LoveLetter.Var. This is a generic detection indicating that the worm is a new variant of VBS.LoveLetter that has not yet been specifically identified and named.

Symantec Security Response began receiving reports regarding this worm in the early morning of May 4, 2000, GMT. This worm originated in Manila, Philippines. It had wide-spread distribution, and infected millions of computers.

This worm sends itself to email addresses in the Microsoft Outlook address book and also spreads to Internet chatrooms using mIRC. This worm overwrites files on local and remote drives, including files with the extensions: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .avi, .qt, .mpg, .mpeg, .cpp, .c, .h, .swd, .psd, .wri, .mp3, and .mp2.

The contents of most of these files are replaced with the source code of the worm, destroying the original contents. The worm also appends the .vbs extension to each of these files. For example, image.jpg becomes image.jpg.vbs. However, files with .mp2 and .mp3 extensions are merely hidden and not destroyed. Norton SystemWorks users can recover these files if NProtect is running at the time of infection.

VBS.LoveLetter also tries to download a password-stealing Trojan horse program from a website.

Antivirus Protection Dates

  • Initial Rapid Release version May 5, 2000
  • Latest Rapid Release version August 27, 2018 revision 024
  • Initial Daily Certified version May 5, 2000
  • Latest Daily Certified version August 28, 2018 revision 002
  • Initial Weekly Certified release date May 5, 2000
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Eric Chien

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube