- May 5, 2000
- March 12, 2002 8:00:32 PM
Also Known As:
- VBS/LoveLet-AE [Sophos], VBS/LoveLetter.A-V@mm [Norman], VBS/LoveLetter [F-Secure], VBS/Loveletter@MM [McAfee]
- Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
VBS.LoveLetter.Var is a mass-mailing worm that sends itself to all email addresses in a compromised user's Microsoft Outlook address book.
Symantec Security Response has identified 82 variants of this worm. The latest is VBS.LoveLetter.CN. Virus definitions dated May 31, 2001, or later detect and remove all of these known variants. Occasionally new variants of this worm are discovered. Norton AntiVirus may, at times, detect these new variants as VBS.LoveLetter.Var. This is a generic detection indicating that the worm is a new variant of VBS.LoveLetter that has not yet been specifically identified and named.
Symantec Security Response began receiving reports regarding this worm in the early morning of May 4, 2000, GMT. This worm originated in Manila, Philippines. It had wide-spread distribution, and infected millions of computers.
This worm sends itself to email addresses in the Microsoft Outlook address book and also spreads to Internet chatrooms using mIRC. This worm overwrites files on local and remote drives, including files with the extensions: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .avi, .qt, .mpg, .mpeg, .cpp, .c, .h, .swd, .psd, .wri, .mp3, and .mp2.
The contents of most of these files are replaced with the source code of the worm, destroying the original contents. The worm also appends the .vbs extension to each of these files. For example, image.jpg becomes image.jpg.vbs. However, files with .mp2 and .mp3 extensions are merely hidden and not destroyed. Norton SystemWorks users can recover these files if NProtect is running at the time of infection.
VBS.LoveLetter also tries to download a password-stealing Trojan horse program from a website.
Antivirus Protection Dates
Initial Rapid Release version May 5, 2000
Latest Rapid Release version August 20, 2014 revision 032
Initial Daily Certified version May 5, 2000
Latest Daily Certified version August 20, 2014 revision 018
Initial Weekly Certified release date May 5, 2000
Click for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Eric Chien