1. Symantec/
  2. Security Response/
  3. VBS.Loveletter.AS


Risk Level 2: Low

June 6, 2000
October 11, 2001 10:01:58 PM
Systems Affected:
VBS.Loveletter.AS is a mass-mailing worm first reported early on June 6, 2000.

The virus is executed by a user running an infected email attachment.

On first execution, the worm writes copies of itself to the \Windows folder:


and one of

\Windows\System\[random filename].bmp.vbs


\Windows\System\[random filename].jpg.vbs


\Windows\System\[random filename].gif.vbs

The worm replaces files of certain types with its own code, and adds an extension of '.vbs' to the filename. In most reported variants, these include the following file types:

.vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .mp3, and .mp2.

.mp3 and .mp2 files are hidden rather than overwritten.

The worm also creates this file:


The worm checks for this file:


If it is unable to find Winfat32.exe, it will try to download one of three files from a remote location, set the Internet Explorer's default home page to the address chosen, and take a specific action:

- the worm saves Macromedia32.zip as \Windows\important_note.zip and changes the registry to execute the worm on startup.

- copies Linux321.zip to \Windows\Syslogos.sys, replacing the Windows shutdown screen.

- copies Linux322.zip to \Windows\Logow.zip, replacing the Windows "safe to turn off your computer" screen.

Since the virus' appearance, these websites have been made unavailable.
Summary| Technical Details

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube