The Symantec AntiVirus Research center began receiving reports regarding this worm in the early morning of May 4, 2000 GMT. 

This worm appears to originate from Manila, Philippines. It has widespread distribution, infecting millions of computers. 

This worm sends itself to email addresses in the Microsoft Outlook address book and also spreads itself into Internet chatrooms via mIRC. This worm overwrites files on local and remote drives, including files with the extensions .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp3, and .mp2. The contents of these files will be replaced with the source code of the worm, thus destroying the original contents. However, files with .mp2 and .mp3 extensions will merely be hidden from the user's view and not actually destroyed. Additionally, users of Norton Systemworks or Norton Utilities will be able to recover these files if NProtect is running at the time of infection. It also tries to download a password-stealing Trojan horse program from a Web site. 

Symantec has identified nine versions of VBS.LoveLetter. This information is current as of May 5, 2000 at 6:40pm (PST) 

VBS.LoveLetter.A

Norton AntiVirus detects as: VBS.LoveLetter.A(1)
ATTACHMENT: LOVE-LETTER-FOR-YOU.TXT.vbs
SUBJECT LINE: ILOVEYOU
MESSAGE BODY: kindly check the attached LOVELETTER coming from me.


VBS.LoveLetter.B (also known as Lithuania)

Norton AntiVirus detects as: VBS.LoveLetter.B(1)
ATTACHMENT: same as A
SUBJECT LINE: Susitikim shi vakara kavos puodukui...
MESSAGE BODY: same as A


VBS.LoveLetter.C (also known as Very Funny)

Norton AntiVirus detects as: VBS.LoveLetter.C(1)
ATTACHMENT: Very Funny.vbs
SUBJECT LINE: fwd: Joke
MESSAGE BODY: empty


VBS.LoveLetter.D (also known as BugFix)

Norton AntiVirus detects as: VBS.LoveLetter.A(1)
ATTACHMENT: same as A
SUBJECT LINE: same as A
MESSAGE BODY: same as A
MISC. NOTES: registry entry: WIN- -BUGSFIX.exe instead of WIN-BUGSFIX.exe


VBS.LoveLetter.E (also known as Mother's Day)

Norton AntiVirus detects as: VBS.LoveLetter.Variant.E
ATTACHMENT: mothersday.vbs
SUBJECT LINE: Mothers Day Order Confirmation
MESSAGE BODY: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place.Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com
MISC. NOTES: mothersday.HTM sent in IRC, & comment: rem hackers.com, & start up page to hackes.com, l0pht.com, or 2600.com


VBS.LoveLetter.F (also known as Virus Warning)

Norton AntiVirus detects as: VBS.LoveLetter.Variant.F
ATTACHMENT: virus_warning.jpg.vbs
SUBJECT LINE: Dangerous Virus Warning
MESSAGE BODY: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.
MISC. NOTES: Urgent_virus_warning.htm


VBS.LoveLetter.G (also known as Virus ALERT!!!)

Norton AntiVirus detects as: VBS.LoveLetter.Variant or VBS.LoveLetter.G
ATTACHMENT: protect.vbs
SUBJECT LINE: Virus ALERT!!!
MESSAGE BODY: a long message regarding VBS.LoveLetter.A
MISC. NOTES: FROM support@symantec.com. This variant also overwrites files with .bat and .com extensions.


VBS.LoveLetter.H (also known as No Comments)

Norton AntiVirus detects as: VBS.LoveLetter.A
ATTACHMENT: same as A
SUBJECT LINE: same as A
MESSAGE BODY: same as A
MISC. NOTES: the comment lines at the beginning of the worm code have been removed.


VBS.LoveLetter.I (also known as Important! Read carefully!!)

Norton AntiVirus detects as: VBS.LoveLetter.Variant
ATTACHMENT: Important.TXT.vbs
SUBJECT LINE: Important! Read carefully!!
MESSAGE BODY: Check the attached IMPORTANT coming from me!
MISC. NOTES: new comment line at the beginning: by: BrainStorm / @ElectronicSouls. It also copies the files ESKernel32.vbs & ES32DLL.vbs, and MIRC script comments referring to BrainStorm and ElectronicSouls and sends IMPORTANT.HTM to the chat room. 
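
The subject and attachment pairs listed above can be turned into a mail-gateway check. The following is an added example, not part of the original advisory and not Symantec's detection logic; the generic rule for any mailed .vbs/.vbe attachment is an assumption added to catch renamed variants, and the sample messages are constructed.

```python
from email import message_from_string
from email.message import EmailMessage

# Subject / attachment pairs from the variant list above ("same as A" expanded).
LOVE = "LOVE-LETTER-FOR-YOU.TXT.vbs"
VARIANTS = {
    "A/D/H": ("ILOVEYOU", LOVE),
    "B": ("Susitikim shi vakara kavos puodukui...", LOVE),
    "C": ("fwd: Joke", "Very Funny.vbs"),
    "E": ("Mothers Day Order Confirmation", "mothersday.vbs"),
    "F": ("Dangerous Virus Warning", "virus_warning.jpg.vbs"),
    "G": ("Virus ALERT!!!", "protect.vbs"),
    "I": ("Important! Read carefully!!", "Important.TXT.vbs"),
}
SCRIPT_EXT = (".vbs", ".vbe")  # assumption: flag any mailed script of these types

def classify(raw_message):
    """Return (variant label or None, reasons) for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    names = [p.get_filename().lower() for p in msg.walk() if p.get_filename()]
    variant, reasons = None, []
    for label, (subj, attach) in VARIANTS.items():
        if subject == subj.lower() and attach.lower() in names:
            variant = label
            reasons.append("subject and attachment match variant " + label)
            break
    # Generic rule: catches renamed variants the exact table would miss.
    for name in names:
        if name.endswith(SCRIPT_EXT):
            kind = "double-extension script" if name.count(".") >= 2 else "script"
            reasons.append(kind + " attachment: " + name)
    return variant, reasons

def sample(subject, filename):
    """Build a constructed test message; the attachment bytes are a harmless stub."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"stub", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    print(classify(sample("ILOVEYOU", "Love-Letter-For-You.txt.vbs")))
    print(classify(sample("Quarterly numbers", "holiday.jpg.vbs")))
    print(classify(sample("Lunch?", "menu.txt")))
```

Variants A, D and H share one label because the list gives them the same subject and attachment; telling them apart requires the file contents or the registry entry noted for D.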

Damage

Payload: Overwriting files 
Payload trigger: On execution of email attachment

Large scale emailing: Sends itself to all addresses in the Microsoft Outlook Address Book 
Modifies files: Overwrites files with the following extensions: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, and .jpeg. Files with extensions of .mp2 and .mp3 will be hidden from the user by setting the hidden directory attribute. The overwritten files can be recovered if the user is running NProtect from Norton Systemworks or Norton Utilities at the time of infection. Variant G also overwrites .bat and .com files. 
Degrades performance: Might clog the email server 

Distribution 

Subject of email: ILOVEYOU 
Name of attachment: Love-letter-for-you.txt.vbs 
Size of attachment: 10,307 bytes 
Target of infection: Overwrites files with the following extensions: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, and .jpeg. Files with .mp3 and .mp2 extensions will merely be hidden from the user's view and not actually destroyed. Variant G also overwrites .bat and .com files. 
Shared drives: Overwrites files located on network drives. 

Technical description: 

When executed, the worm copies itself into: 

Windows directory as Win32dll.vbs 
Windows System directory as MSKernel32.vbs 
Windows System directory as Love-letter-for-you.txt.vbs 

The worm checks if Winfat32.exe exists in the Windows System directory. If the file does not exist, the worm sets the Internet Explorer Start Page to a Web site with the file Win-bugsfix.exe. This Web site is currently unreachable. It appears to have been shut down, but the Web server might just be overloaded. 

Norton AntiVirus detects the downloaded Win-bugsfix.exe as PWSteal.LoveLetter. 

If the file exists, the worm creates the following registry key: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX 

to execute the file on start up. The Internet Start Page is then replaced with a blank page. 

For each drive including network drives, the virus attempts to infect files with .vbs and .vbe extensions. 

The worm also searches for files with the following extensions: .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp3, and .mp2 and creates a file with the same name, but with a .vbs extension. 

The worm also spreads via mIRC by creating a script.ini file in the mIRC program directory, which sends the dropped file Love-letter-for-you.htm to other users in the chatroom. 

The worm uses MAPI calls to the Microsoft Outlook application and creates messages by iterating through all the addresses in the Microsoft Outlook Address Book. The worm marks these recipients using the registry in an attempt to send them the mail only once. 

The subject of the message is: 

ILOVEYOU 

The body of the message is: 

kindly check the attached LOVELETTER coming from me. 

Attached to the message is the file: 

Love-letter-for-you.txt.vbs 

Finally, the virus also copies the file Love-letter-for-you.htm into the Windows System directory, which is sent in conjunction with mIRC while the user is logged into an Internet chat room. 

Removal: 


Delete the files that Norton AntiVirus detects as VBS.Loveletter.A, VBS.LoveLetter.Variant, and PWSteal.LoveLetter. 

Edit the Windows registry using Regedit.exe. Go to the following registry key: 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 

On the right side of the window, look for the registry value with WIN-BUGSFIX in its Name field. Right-click WIN-BUGSFIX and click Delete. 


Restore your Internet Explorer Start Page. 
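
To help locate files for the first removal step, the following added example (not part of the original advisory and not Symantec's tooling) uses the behaviour described above: overwritten files hold the worm's own source, so they are byte-identical to the copies dropped in the Windows directories. The directory paths are supplied by the caller, and the demo layout and stub bytes are constructed.

```python
import hashlib
import os

# File names the page says the worm drops in the Windows and Windows System directories.
DROPPED = {"win32dll.vbs", "mskernel32.vbs", "love-letter-for-you.txt.vbs"}

def sha256(path):
    """Hash a file in chunks so large media files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_worm_copies(system_dirs, scan_root):
    """Return (seeds, copies): dropped files found, and files identical to them."""
    seeds = []
    for d in system_dirs:
        for name in os.listdir(d) if os.path.isdir(d) else []:
            if name.lower() in DROPPED:
                seeds.append(os.path.join(d, name))
    seed_hashes = {sha256(p) for p in seeds}
    seed_sizes = {os.path.getsize(p) for p in seeds}
    copies = []
    for folder, _dirs, files in os.walk(scan_root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                # Cheap size check first; hash only on a size match.
                if os.path.getsize(path) in seed_sizes and sha256(path) in seed_hashes:
                    copies.append(path)
            except OSError:
                continue  # unreadable or vanished file: skip, keep scanning
    return sorted(seeds), sorted(copies)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as t:  # constructed layout, harmless stub bytes
        sysdir, data = os.path.join(t, "system"), os.path.join(t, "data")
        os.makedirs(sysdir)
        os.makedirs(data)
        for p, body in [(os.path.join(sysdir, "MSKernel32.vbs"), b"stub-A"),
                        (os.path.join(data, "photo.vbs"), b"stub-A"),
                        (os.path.join(data, "notes.vbs"), b"stub-B")]:
            with open(p, "wb") as f:
                f.write(body)
        print(find_worm_copies([sysdir], data))
```

Because the comparison uses the copy found on the same host, it works for any variant present there; hidden .mp3 and .mp2 originals are not reported, since the page says they are hidden rather than overwritten.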
 

    Source: geocities.com/timessquare/alley/2794
