VBS.LoveLetter and variants

Symantec Security Response has identified 82 variants of this worm. The latest is VBS.LoveLetter.CN. Virus definitions dated May 31, 2001, or later detect and remove all of these known variants. Occasionally new variants of this worm are discovered. Norton AntiVirus may, at times, detect these new variants as VBS.LoveLetter.Variant. This is a generic detection indicating that the worm is a new variant of VBS.LoveLetter that has not yet been specifically identified and named. NOTE: If Norton AntiVirus detects VBS.LoveLetter.Variant, we suggest that you quarantine and submit the file to SARC for analysis. See the document How to submit a file to Symantec Security Response using Scan and Deliver. You can protect your computer from all known variants of the VBS.LoveLetter worm by downloading the latest virus definitions using LiveUpdate or from http://www.symantec.com/avcenter/download.html. A tool to repair the VBS.LoveLetter infection, including all known variants (except VBS.Loveletter.CA, VBS.Loveletter.BJ, VBS.Loveletter.BM and VBS.Loveletter.AS), is available here. Symantec Security Response began receiving reports regarding this worm in the early morning of May 4, 2000, GMT. This worm originated in Manila, Philippines. It had wide-spread distribution, and infected millions of computers. This worm sends itself to email addresses in the Microsoft Outlook address book and also spreads to Internet chatrooms using mIRC. This worm overwrites files on local and remote drives, including files with the extensions .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .avi, .qt, .mpg, .mpeg, .cpp, .c, .h, .swd, .psd, .wri, .mp3, and .mp2. The contents of most of these files are replaced with the source code of the worm, destroying the original contents. The worm also appends the .vbs extension to each of these files. For example, image.jpg becomes image.jpg.vbs. However, files with .mp2 and .mp3 extensions are merely hidden and not destroyed. Norton SystemWorks users can recover these files if NProtect is running at the time of infection. VBS.LoveLetter also tries to download a password-stealing Trojan horse program from a Web site.
Removal tool link: http://securityresponse.symantec.com/avcenter/venc/data/fix.vbs.loveletter.html

Also Known As:	Lovebug, I-Worm.LoveLetter, VBS/LoveLetter.A, VBS/LoveLet-A
Type:	Worm
Infection Length:	10,307 bytes
Systems Affected:	Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected:	DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

Virus Definitions (LiveUpdate™ Weekly) May 05, 2000 Virus Definitions (Intelligent Updater) May 05, 2000

Wild Number of infections: 0 - 49 Number of sites: 3 - 9 Geographical distribution: High Threat containment: Moderate Removal: Moderate

Threat Metrics Wild: Low Damage: High Distribution: High

Damage

• Payload Trigger: On execution of email attachment
• Payload: Overwriting files
  • Large scale e-mailing: Sends itself to all addresses in the Microsoft Outlook Address Book
  • Modifies files: Overwrites files with the following extensions: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .mp3, and .mp2. Files with extensions of .mp2 and .mp3 will be hidden from the user by setting the hidden directory attribute. The overwritten files can be recovered if the user is running NProtect from Norton Systemworks or Norton Utilities at the time of infection. Variant G also overwrites .bat and .com files.
  • Degrades performance: Might clog the email server

Distribution

• Subject of email: ILOVEYOU
• Name of attachment: Love-letter-for-you.txt.vbs
• Size of attachment: 10,307 bytes
• Shared drives: Overwrites files located on network drives
• Target of infection: Overwrites files with the following extensions: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .mp3, and .mp2. Files with .mp3 and .mp2 extensions will merely be hidden from the user's view and not actually destroyed. Variant G also overwrites .bat and .com files.

When executed, the worm copies itself to the \Windows\System folder as both Mskernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs, and to the \Windows folder as Win32dll.vbs The worm checks for the presence of Winfat32.exe in the Windows\System folder.

• If the file does not exist, then the worm sets the Internet Explorer start page to a Web site with the Win-bugsfix.exe file. This Web site has been shut down.
• If the file does exist, the worm creates the following registry key:
  
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
  
  and executes the file during system startup. The Internet Explorer start page is then replaced with a blank page.

• Overwrites all files having the extensions .js, .jse, .css, .wsh, .sct, .hta, .jpg, and .jpeg with viral code. It then makes a copy of the file and adds the extension .vbs to the file name. For example, if the file is named House_pics.jpg, the overwritten file is named House_pics.jpg.vbs. The original file is then deleted. These files must be deleted and then restored from a backup.
• Creates copies of all files having the .mp3 and .mp2 extensions. It then overwrites the copy with viral code and adds the .vbs extension to the file name. Next it changes the attribute of the original .mp3 or .mp2 file to hidden. Because of this, the original copies of .mp3 and .mp2 files are still unaltered--though hidden--on the hard drive. The modified files should be deleted.

• VBS.LoveLetter.A
  • Detected as: VBS.LoveLetter.A(1)
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    
• VBS.LoveLetter.B (Lithuania)
  • Detected as: VBS.LoveLetter.B(1) or VBS.LoveLetter(HTM)
  • Email subject: Susitikim shi vakara kavos puodukui...
    MESSAGE BODY: same as A
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    
• VBS.LoveLetter.C (Very Funny)
  • Detected as: VBS.LoveLetter.C(1)
  • Email subject: fwd: Joke
  • Body: (Message body is empty.)
  • Attachment: Very Funny.vbs
    
    
• VBS.LoveLetter.D (BugFix)
  • Detected as: VBS.LoveLetter.A(1)
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: Creates the registry entry WIN- -BUGSFIX.exe instead of WIN-BUGSFIX.exe
    
    
• VBS.LoveLetter.E (Mother's Day)
  • Detected as: VBS.LoveLetter.E
  • Email subject: Mothers Day Order Confirmation
  • Body: We have proceeded to charge your credit card amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com
  • Attachment: mothersday.vbs
    
    NOTE: This variant will delete all .ini and .bat files.
    
    
• VBS.LoveLetter.F (Virus Warning)
  • Detected as: VBS.LoveLetter.F
  • Email subject: Dangerous Virus Warning
  • Body: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.
  • Attachment: virus_warning.jpg.vbs
    
    NOTE: Also includes Urgent_virus_warning.htm
    
    
• VBS.LoveLetter.G (Virus ALERT!!!)
  • Detected as: VBS.LoveLetter.G
  • Email subject: Virus ALERT!!!
  • Body: A long message regarding VBS.LoveLetter.A
  • Attachment: Protect.vbs
    
    NOTE: The From line of the message displays as "FROM support@symantec.com." This variant also overwrites files with .bat and .com extensions.
    
    
• VBS.LoveLetter.H (No Comments)
  • Detected as: VBS.LoveLetter.H or VBS.LoveLetter(HTM)
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: This is known as No Comments because the comment lines at the beginning of the worm code have been removed.
    
    
• VBS.LoveLetter.I (Important! Read carefully!!)
  • Detected as: VBS.LoveLetter.I
  • Email subject: Important! Read carefully!!
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: Important.TXT.vbs
    
    NOTE: This variant copies the files Eskernel32.vbs and Es32dll.vbs. It also copies mIRC script comments referring to BrainStorm and ElectronicSouls, and sends the Important.htm file to the chat room.
    
    
• VBS.LoveLetter.J (same as G version)
  • Detected as: VBS.LoveLetter.J
  • Email subject: Virus ALERT!!!
  • Body: Largely the same as the G variant.
  • Attachment: Protect.vbs
    
    NOTE: This appears to be a slight modification of the G variant.
    
    
• VBS.LoveLetter.K (same as I version)
  • Detected as: VBS.LoveLetter.K
  • Email subject: Important! Read carefully!!
  • Body: Here's the easy way to fix the love virus.
  • Attachment: Important. How to protect yourself from the IL0VEY0U bug!
    
    
• VBS.LoveLetter.L (I Cant Believe This!!!)
  • Detected as: VBS.LoveLetter.L
  • Email subject: I Cant Believe This!!!
  • Body: I Cant Believe I have Just Recieved This Hate Email .. Take A Look!
  • Attachment: KillEmAll.TXT.VBS
    
    NOTE: This variant replaces .gif and .bmp files instead of .jpg and .jpeg. It hides .wav and .mid instead of .mp2 and .mp3 files. There is no IRC routine, so it will not infect chat room users. Copies the files Kiler.htm, Killer2.vbs, and Killer1.vbs to the hard drive.
    
    
• VBS.LoveLetter.M (Arab Air)
  • Detected as: VBS.LoveLetter.M
  • Email subject: Thank You For Flying With Arab Airlines
  • Body: Please check if the bill is correct, by opening the attached file
  • Attachment: ArabAir.TXT.vbs
    
    NOTE: Replaces .dll and .exe files instead of .jpg and .jpeg files. Hides .sys and .dll files instead of .mp3 and .mp2 file. Copies no-hate-FOR-YOU.HTM to the hard drive.
    
    
• VBS.LoveLetter.N (Variant Test)
  • Detected as: VBS.LoveLetter.N
  • Email subject: Variant Test
  • Body: This is a variant to the vbs virus.
  • Attachment: IMPORTANT.TXT.vbs
    
    NOTE: Copies itself as Sndvol32.vbs and Ieakdll.vbs. Internet Explorer start page is changed to http://altalavista.box.sk. It does not download the password stealing Trojan. Overwrites .mpg, .mpeg, .avi, .qt, and .qtm. Sends the file important.htm into Internet chat rooms using mIRC.
    
    
• VBS.LoveLetter.O (same as A version)
  • Detected as: VBS.LoveLetter.O
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: This is the same as the A variant with slightly different internal coding.
    
    
• VBS.LoveLetter.P (Yeah Yeah)
  • Detected as: VBS.LoveLetter.P
  • Email subject: Yeah, Yeah another time to DEATH...
  • Body: This is the Killer for VBS.LOVE-LETTER.WORM.
  • Attachment: Vir-Killer.vbs
    
    NOTE: Sets the Internet Explorer start page to www.yahoo.com/Vir-Killer.exe. It does not download the password stealing Trojan. Overwrites .zip and .rar files instead of .jpg and .jpeg. Hides .pas and .asm files instead of .mp3 and .mp2.
    
    
• VBS.LoveLetter.Q (LOOK!)
  • Detected as: VBS.LoveLetter.Q
  • Email subject: LOOK!
  • Body: hehe...check this out.
  • Attachment: LOOK.vbs
    
    NOTE: Copies itself as Msuser32.vbs and User32dll.vbs. Overwrites .xls and .mdb files instead of .jpg and .jpeg. Hides .exe and .lnk files instead of .mp3 and .mp2. Creates Look.htm.
    
    
• VBS.LoveLetter.R (Bewerbung)
  • Detected as: VBS.LoveLetter.R
  • Email subject: Bewerbung Kreolina
  • Body: Sehr geehrte Damen und Herren!
  • Attachment: Bewerbung.txt.vbs
    
    NOTE: IRC sends Bewerbung.htm into connected Internet chat room.
    
    
• VBS.LoveLetter.S (same as A version)
  • Detected as: VBS.LoveLetter.S
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs:
    
    NOTE: This is the same as the A variant with slightly different internal coding.
    
    
• VBS.LoveLetter.T (BAND-AID)
  • Detected as: VBS.LoveLetter.T
  • Email subject: Recent Virus Attacks-Fix
  • Body: Attached is a copy of a script that will reverse the effects of the LOVE-LETTER-TO-YOU.TXT.vbs as well as the FW:JOKE, Mother's Day and Lithuanian siblings.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: Sets Internet Explorer start page set to a virus-related web site. Deletes files with ..bat, .gif, .tif, .tiff, .wav, .lnk, .bak, .doc, .xls, .rtf, .txt, .htm, .html, .xml, .mny, .zip, .bmp, .cab, and .inf extensions. It does not hide .mp3 and .mp2 files, but deletes them. Uses mIRC to send Band-aid.htm into Internet chat rooms.
    
    
• VBS.LoveLetter.U (Presente)
  • Detected as: VBS.LoveLetter.U
  • Email subject: PresenteUOL
  • Body: O UOL tem um grande presente para voce, e eh exclusivo.Veja o arquivo em anexo. Http://www.uol.com.br.
  • Attachment: UOL.TXT.vbs
    
    NOTE: Sets Internet Explorer start page to http://www.uol.com.br. It also hides .exe, .com, and .ini files. Uses mIRC to send Uol.htm into Internet chat rooms.
    
    
• VBS.LoveLetter.V (same as A version)
  • Detected as: VBS.LoveLetter.V
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: Internal comment lines slightly different.
    
    
• VBS.LoveLetter.W (IMPORTANT)
  • Detected as: VBS.LoveLetter.W
  • Email subject: IMPORTANT: Official virus and bug fix
  • Body: This is an official virus and bug fix. I got it from our system admin. It may take a short while to update your system files after you run the attachment.
  • Attachment: Bug and virus fix.vbs
    
    NOTE: Sets Internet Explorer Start page to a virus-related site. Overwrites files with .exe, .com, .dll, .sys, .pwl, and .txt. extensions. Uses mIRC to send "Bug and virus fix.htm" into Internet chat rooms.
    
    
• VBS.LoveLetter.X (ANTI-VIRUS-LISTE)
  • Detected as: VBS.LoveLetter.X
  • Email subject: NEUE ANTI-VIRUS-LISTE
  • Body: Hiermit senden wir Ihnen/Dir eine neue Liste mit LOVE-LETTER-VIRUS Namen, die nicht geoeffnet werden sollten, bitte sofort lesen, danke.
  • Attachment: ANTI-VIRUS-LISTE.TXT.vbs
    
    NOTE: Overwrites files with .mdb, .pdf, .wsh, .dot, .hta, .js, .drv, and .ini extensions. Hides files with .xlx and .doc extensions. Uses mIRC to send "ANTI-VIRUS-LISTE.HTM" into Internet chat rooms.
    
    
• VBS.LoveLetter.Y (same as Q version)
  • Detected as: VBS.LoveLetter.Y
  • Email subject: LOOK!
  • Body: hehe...check this out
  • Attachment: LOOK.vbs
    
    NOTE: Similar to Q variant but hides .mp3 and .mp2 files.
    
    
• VBS.LoveLetter.Z (BUG & VIRUS FIX)
  • Detected as: VBS.LoveLetter.Z
  • Email subject: Virus ALERT!!!
  • Body: I got this from our system admin. Run this to help pervent any recent or future bug & virus attack's. It may take a small while up update your files.
  • Attachment: MAJOR BUG & VIRUS FIX.vbs
    
    NOTE: Sets Internet Explorer Start Page to a virus-related site. Overwrites files with .com, .dll, .exe, .txt, .bat, and .sys extensions. Uses mIRC to send "BUG & VIRUS FIX.HTM" into Internet chat rooms.
    
    
• VBS.LoveLetter.AA (same as A version)
  • Detected as: VBS.LoveLetter.AA
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: Several internal comments have been added.
    
    
• VBS.LoveLetter.AB (same as A version)
  • Detected as: VBS.LoveLetter.AB
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: Several internal comments and instructions have been removed.
    
    
• VBS.LoveLetter.AC (antivirusupdate)
  • Detected as: VBS.LoveLetter.AC
  • Email subject:New Variation on LOVEBUG Update Anti-Virus!!
  • Body: There is now a newer variant of love bug. It was released at 8:37 PM Saturday Night. Please Download the following patch. We are trying to isolate the virus. Thanks Symantec."
  • Attachment: antivirusupdate.vbs
    
    NOTE: Several comment lines have been modified. Uses mIRC to send antivirusupdate.htm into Internet chat rooms.
  
  
• VBS.LoveLetter.AD (same as A version)
  • Detected as: VBS.LoveLetter.AD
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: This is the same as the A variant with a number of internal comments.
  
  
• VBS.LoveLetter.AE (same as A version)
  • Detected as: VBS.LoveLetter.AE
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: This is the same as the A variant with a number of internal comments.
  
  
• VBS.LoveLetter.AF (FREE SEXSITE PASSWORDS)
  • Detected as: VBS.LoveLetter.AF
  • Email subject: FREE SEXSITE PASSWORDS
  • Body: cHECK IT OUT ; FREE SEX SITE PASSWORDS.
  • Attachment: FREE SEXSITE PASSWORDS.HTML.vbs
    
    NOTE: Modification of the A variant. Contains over 100 comment lines at the beginning of the file.
  
  
• VBS.LoveLetter.AG (same as A version)
  • Detected as: VBS.LoveLetter.AG
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: This is the same as the A variant with slightly different internal coding.
  
  
• VBS.LoveLetter.AH (same as A version)
  • Detected as: VBS.LoveLetter.AH
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: This is the same as the A variant with internal comments explaining the various functions of the script.
  
  
• VBS.LoveLetter.AI (Win $1,000,000!)
  • Detected as: VBS.LoveLetter.AI
  • Email subject: You May Win $1,000,000! 1 Click Away
  • Body: kindly check the attached WIN coming from me.
  • Attachment: WIN.vbs
    
    NOTE: Bad formatting prevents this variant from executing.
  
  
• VBS.LoveLetter.AJ (Virus Warnings !!!)
  • Detected as: VBS.LoveLetter.AJ
  • Email subject: Virus Warnings !!!
  • Body: VERY IMPORTANT PLEASE READ THIS TEXT. TEXT ATTACHMENT.
  • Attachment: very-important-txt.vbs
    
    NOTE: This version replaces .vbs, .vbe, .js, .txt, .doc, and .hta files with a copy of itself. It appends .vbs to all other files. .mp3 and .mp2 files are renamed and overwritten. A browser window will open displaying a list of some common hoaxes.
  
  
• VBS.LoveLetter.AL (NICE-GIRL)
  • Detected as: VBS.LoveLetter.AL
  • Email subject: NICE-GIRL
  • Body: is this a nice girl or what ?
  • Attachment: NICE-GIRL.JPG.vbs
    
    NOTE: Same functionality as the A variant. Copies itself as Mfc41a.vbs and Mfc41b.vbs and adds these to the registry to be executed on startup. Also overwrites .hta, .avi, .mpg, .mpeg, .cpp, .c, .txt, .doc, .h, and .bmp files. It does not touch .mp2 files. This variant contains a large number of comment lines consisting of the numerous @ symbols. Uses mIRC to send NICE-GIRL.HTM to Internet chat rooms.
  
  
• VBS.LoveLetter.AM (You must read this!)
  • Detected as: VBS.LoveLetter.AM
  • Email subject: You must read this!
  • Body: Have you read this text? You must do it!!
  • Attachment: NOTES.TXT.exe
    
    NOTE: Buggy code prevents this variant from executing.
  
  
• VBS.LoveLetter.AN (HOLA)
  • Detected as: VBS.LoveLetter.AN
  • Email subject: HOLA
  • Body: HOLA ESTAMOS BUSCANDO GENTE PARA HACER UN CLUB DE HACKER ,PHERAK ,VIRUS Y ETC SI QUIERES UNIRTITE AUNQUE NO TENGAS CONOCIMIENTOS LEE EL ARCHIVO
  • Attachment: HELLO.TXT.vbs
    
    NOTE: This version does not change the default start page for Internet Explorer. It copies itself as rasapi.vbs and win32api.vbs. It uses mIRC to send KIKE.HTM to Internet chat rooms.
  
  
• VBS.LoveLetter.AO (I missed ilnour..)
  • Detected as: VBS.LoveLetter.AO
  • Email subject: I missed ilnour..
  • Body: I was in love with nour! but now am in love with KUWAIT !! Check this file
  • Attachment: I-Love-Kuwait.TXT.vbs
    
    NOTE: Sets Internet Explorer start page to http:/ /alshaheen.net. Uses mIRC to send I-Love-Kuwait.BWC.vbs to Internet chat rooms. This version creates six different links on the desktop to various Web sites. No files get overwritten by this variant. When executed, a randomized message box is displayed with one of four possible messages.
  
  
• VBS.LoveLetter.AP (Wish you were Here!)
  • Detected as: VBS.LoveLetter.AP
  • Email subject: Wish you were Here!
  • Body: Wish you were Here! Im having a great time!
  • Attachment: Wish you were Here!.postcard.vbs
    
    NOTE: Buggy code prevents this variant from executing.
  
  
• VBS.LoveLetter.AQ (New virus discovered!)
  • Detected as: VBS.LoveLetter.AQ
  • Email subject: New virus discovered!
  • Body: A new virus has been discovered! It's name is @-@Alha and Omega@-@. Full list of virus abilities is included in attached file @-@info.txt@-@. For the last information go to McAfee's web page Please forward this mesage to everyone you care about.
  • Attachment: info.txt.vbs
    
    NOTE: This variant only contains the mass mailer functionality. It sets the main window title of Internet Explorer to display "I am the Alpha and Omega". The script deletes itself after it has run.
  
  
• VBS.LoveLetter.AR (random subject list)
  • Detected as: VBS.LoveLetter.AR
  • Email subjects:
    • Event Information
    • Joke of the Day
    • Staff memo
    • n/a
    • Important information
    • Security alert!!!
    • Links!!!
    • Free Cellular Phone
    • Cure for CANCER!?!?!?!
    • Clinton and Lewinki phone messages
  • Body: Please download the attached file.
  • Attachment: placid.txt.vbs
    
    NOTE: This variant randomly chooses one of 10 possible subjects for the email. Uses mIRC to send Placid.txt.vbs to Internet chat rooms. It copies itself over .vbs files, deletes .dos and .tmp files and overwrites all .js and .jse files with the line onLoad="alert('Placid, isnt it?? you bet.!');". It deletes the following executables if found on the system: Navw32.exe, Navapw32.exe, Pccmain.exe, and Webtrap.exe. A new Autoexec.bat is created, which deletes all files from the drive A, and runs Fdisk /mbr, which rewrites the master boot record.
  
  
• VBS.LoveLetter.AT (3 de septiembre en Roma)
  • Detected as: VBS.LoveLetter.AT
  • Email subject: 3 de septiembre en Roma
  • Body: Este a±o nos vemos el 3 de septiembre en Roma, no faltes. Te env_o detalles del viaje.
  • Attachment: 3septiembreroma.TXT.vbs
    
    NOTE: This variant contains only the mass mailer and registry editing functionalities. It does not overwrite or delete any files.
  
  
• VBS.LoveLetter.AU (FREE SURF)
  • Detected as: VBS.LoveLetter.AU
  • Email subject: FREE SURF
  • Body: kindly check the attached HOW TO FREE SURFLETTER coming from me.
  • Attachment: Free Surf.TXT.vbs
    
    NOTE: Sets Internet Explorer start page to http:/ /mitglied.tripod.de/aker1434ffjz/winbatch.exe. It sets the hidden attribute for all files in subfolders, and creates copies of itself as the original file names plus the .vbs extension. Uses mIRC to send Free Surf.TXT.vbe to Internet chat rooms.
  
  
• VBS.LoveLetter.AV (same as AS version)
  • Detected as: VBS.LoveLetter.AV
  • Email subject: US PRESIDENT AND FBI SECRET PICTURES =PLEASE VISIT => ( http://WWW.2600.COM )<=
  • Body: VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES..
  • Attachment: .vbs file with a randomly generated name
    
    NOTE: Please see the separate document that describes VBS.LoveLetter.AS for more information.
  
  
• VBS.LoveLetter.AX (Hello Kitty)
  • Detected as: VBS.LoveLetter.AX
  • Email subject: Hello Kitty
  • Body: About Hello Kitty latest News in JAPAN. See the attached document.
  • Attachment: Hello-Kitty.TXT.vbs
    
    NOTE: Same functionality as the .A variant. Uses mIRC to send Hello-Kitty.HTM to Internet chat rooms.
  
  
• VBS.LoveLetter.AZ (You have a secret admirer!)
  • Detected as: VBS.LoveLetter.AZ
  • Email subject: You have a secret admirer!
  • Body: Have a look at <url link> and open enclosed document.
  • Attachment: aa.vbs
    
    NOTE: Buggy code prevents this variant from executing.
  
  
• VBS.LoveLetter.BA (same as C variant)
  • Detected as: VBS.LoveLetter.BA
  • Email subject: fwd: Joke
  • Body: (message body is empty)
  • Attachment: Very Funny.vbs
    
    NOTE: Identical to the C variant, except that it does not set the Timeout period for Windows Scripting Hosting because of bad code.
  
  
• VBS.LoveLetter.BB (no email capability)
  • Detected as: VBS.LoveLetter.BB
    
    NOTE: This variant contains only the infection routine for overwriting files. Files with the extensions .jpg, .jpeg, .gif, and .bmp are overwritten. Files with the extensions .mp3, .wav, and .mid are overwritten and set to hidden. All other files have the .vbs extension added to them.
  
  
• VBS.LoveLetter.BC (KILL ILOVEYOU)
  • Detected as: VBS.LoveLetter.BC
  • Email subject: KILL ILOVEYOU 2.0 - Apaga as altera__es do ILOVEYOU
  • Body: Execute o script em anexo para voltar as op__es do registry modificados pelo ILOVEYOU e apagar os arquivos relacionados a este vírus. A página inicial do Explorer serß setado para about:blank.
  • Attachment: KILL_LOVE-LETTER.TXT.vbs
    
    NOTE: This variant attempts to reverse the affects of a VBS.LoveLetter.A infection. It deletes the registry keys and files associated with the A variant. It contains the mass mailer function only.
  
  
• VBS.LoveLetter.BF (My-Linong....)
  • Detected as: VBS.LoveLetter.BF
  • Email subject: My-Linong....
  • Body: True Story....
  • Attachment: mylinong.txt.shs
    
    NOTE: This variant does not overwrite files. It makes use of only the mass mailer to spread; it does not use mIRC. An ASCII message is displayed in Notepad when this worm is executed. The message is "I Love You Linong." The script also creates 600 folders on drive C named LINONG I LOVE YOU MY FOLDER??? where the ??? is replaced by the numbers 000-600. After seven days the worm deletes itself and any files or folders that it created.
  
  
• VBS.LoveLetter.BH (random email subject)
  • Detected as: VBS.LoveLetter.BH
  • Email subject: randomly generated
  • Body: randomly generated
  • Attachment: win.com.vbs
    
    NOTE: Buggy code prevents this variant from executing. This variant randomly selects one of sixteen email subjects and message bodies for outgoing email. It makes many changes to the registry. Finally, it also overwrites .zip and .rar files, and hides files with .doc, .xls, .ppt, and .gif extensions.
  
  
• VBS.LoveLetter.BI (Party Time)
  • Detected as: VBS.LoveLetter.BI
  • Email subject: Party Time
  • Body: Hey!!.. Cloze the doorz coz we gonna party in 'ere all nite!! ;-) Sweet demo coded in Visual Basic.. unleash the powerz of Mickey$oft! Enjoy :-)
  • Attachment: Party.BAS.vbs
    
    NOTE: This variant changes the RegisteredOwner, RegisteredOrganization and Version to "SiR DySTyK", "VBS/Party", and "Mickey$oft Windowz v0.3" respectively. The worm maintains two counters in the registry, which are used to create new folders in the \Windows\System folder. When the first counter reaches 20 (increasing once per execution of the worm) the second counter is increased by 1. Each time that the second counter increases, a new hidden, read-only folder named Party? (where the ? is replaced by the number of the second counter) is created, and inside this new folder, 50 copies of the worm are hidden. It uses mIRC to send Party.BAS.vbs to Internet chat rooms. It copies itself as WinMgr.LNK.vbs to the \Startup folder.
  
  
• VBS.LoveLetter.BK (same as BI variant)
  • Detected as: VBS.LoveLetter.BK
  • Email subject: Party Time
  • Body: Hey!!.. Cloze the doorz coz we gonna party in 'ere all nite!! ;-) Sweet demo coded in Visual Basic.. unleash the powerz of Mickey$oft! Enjoy :)
  • Attachment: win.com.vbs
    
    NOTE: This is the same as the BI variant, except for the author's name, which has changed from SiR DySTyK to Total Konfuzion.
  
  
• VBS.LoveLetter.BL (Rock the Vote)
  • Detected as: VBS.LoveLetter.BL
  • Email subject: Rock the Vote
  • Body: I thought you would find this interesting :)
  • Attachment: al_gore.vbs
    
    NOTE: This variant contains the mass mailer and file replication functions. It overwrites and appends the .vbs extension to the following file types: .asp, .jpg, .gif, .htm, .html, .css, .mp3, .mp2, .mod, .mpg, and .mpeg. It copies itself as System32.vbs and al_gore.vbs. Once executed, it displays the following message: Windows does not recognize this file. Click 'OK' to cancel this operation.
  
  
• VBS.LoveLetter.BN (similar to BL variant)
  • Detected as: VBS.LoveLetter.BN
  • Email subject: randomly generated
  • Body: I thought you would find this interesting :) Call me later!
  • Attachment: win.com.vbs
    
    NOTE: This is a slightly modified variant based on VBS.LoveLetter.BL. It randomly chooses one of ten subjects for the outgoing email. It also sends a copy of the mail as a bcc to cybercrime@techtv.com. This version also modifies .cfm files in addition to those already listed under the BL variant.
  
  
• VBS.LoveLetter.BO (same as C version)
  • Detected as: VBS.LoveLetter.BO
  • Email subject: fwd: Joke
  • Body: (message body is empty)
  • Attachment: Very Funny.vbs
    
    NOTE: Same as C variant.
  
  
• VBS.LoveLetter.BQ (Gotov je! 24.09.2000!)
  • Detected as: VBS.LoveLetter.BO
  • Email subject: Gotov je! 24.09.2000!
  • Body: Ej! Pogledaj ovo u prilogu!!!
  • Attachment: GotovJe.vbs
    
    NOTE: This variant only contains the mass mailer function. It copies itself as GotovJe.vbs into the \Windows and \Windows\System folders. It displays the file GotovJe.htm, which it creates when it is executed. This file contains the following text: KOMSIJA, 24 Septembra su izbori! Na tim izborima TI pobedjujes Milosevica! Tvoj glas ga plasi! 24.09 Izadji, Glasaj, Pobedi! Gotov je!
  
  
• VBS.LoveLetter.BR (insert subject here)
  • Detected as: VBS.LoveLetter.BR
  • Email subject: insert subject here
  • Body: insert body here
  • Attachment: syscheck.vbs
    
    NOTE: This variant sends one mail with each user added as a bcc. It creates the file OOBHCDGC.VBS in the \Windows folder, CAIXDVRP.VBS in the \Windows\System folder, and BPDNQLVR.VBS in the Windows \Temp folder. It creates the file C:\Autorun.inf which attempts to execute the OOBHCDGC.VBS file.
  
  
• VBS.LoveLetter.BZ (Southpark Is Here On Singapore!!!)
  • Detected as: VBS.LoveLetter.BZ
  • Email subject: Southpark Is Here On Singapore!!!
  • Body: Check it out!!! SOUTHPARK Never Diez!!!
  • Attachment: Southpark.txt.vbs
    
    NOTE: If this variant is executed on your system, you will in most cases need to reinstall everything on your computer. This variant deletes files in the root folder of drive C. It deletes files that are not currently in use from the following folders: C:\Windows, C:\Windows\System, C:\Program Files, C:\Windows\Cookies, and the root of drive D. Most files in these folders have 0-byte copies of themselves created with Southpark.vbs appended to the file name. It uses mIRC to send Southpark.txt.vbs to Internet chat rooms. It sets the ComputerName and RegisteredOwner to "Love Never Change For Linghui".
  
  
• VBS.LoveLetter.CB (HELLO)
  • Detected as: VBS.LoveLetter.CB
  • Email subject: HELLO
  • Body: JulieNSurprise.
  • Attachment: JulieNSurprise.vbs
    
    NOTE: This variant will possibly set the Internet Explorer start page to the address http:/ /www.hackside.fr.fm/hackside2 in an attempt to download the file JULIEN_PELLETIER.zip. It will not overwrite any files on the system, but it does contain the mass-mailer function.
  
  
• VBS.LoveLetter.CC (MY FAVORITE POETRIES)
  • Detected as: VBS.LoveLetter.CC
  • Email subject: MY FAVORITE POETRIES
  • Body: These are some of the poetries that I have written for you.
  • Attachment: (5)-Poetries-that-I-have-written-for-you.txt.vbs
    
    NOTE: This variant sends one email with each user added as a bcc. It creates the file OOBHCDGC.VBS in the \Windows folder, CAIXDVRP.VBS in the \Windows\System folder, and BPDNQLVR.VBS in the Windows \Temp folder. It creates the file C:\Autorun.inf, which attempts to execute the OOBHCDGC.VBS file.
  
  
• VBS.LoveLetter.CE (same as A version)
  • Detected as: VBS.LoveLetter.CE
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: This variant is almost identical to the VBS.LoveLetter.A variant. It contains an additional comment line at the beginning of the file.

• VBS.LoveLetter.CF (same as A version)
  • Detected as: VBS.LoveLetter.CF
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: This variant is almost identical to the VBS.LoveLetter.A variant except for extra spacing in the file.
  
  
• VBS.LoveLetter.CG (same as A version)
  • Detected as: VBS.LoveLetter.CG
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: This variant is almost identical to the VBS.LoveLetter.A variant. It contains slightly differing variable names.
  
  
• VBS.LoveLetter.CI (same as A version)
  • Detected as: VBS.LoveLetter.CI
  • Email subject: ILOVEYOU
  • Body: kindly check the attached LOVELETTER coming from me.
  • Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    
    NOTE: This variant is almost identical to the VBS.LoveLetter.A variant except for extra spacing in the file.

• VBS.LoveLetter.CN (same as A version)
  • Detected as: VBS.LoveLetter.CN
  • Email subject: Where are you?
  • Body: This is my pic in the beach!
  • Attachment: JENNIFERLOPEZ_NAKED.JPG.vbs
    
    NOTE: This variant also creates a file named "Cih_14.exe" which is a dropper for the CIH virus, and attempts to run it. Please see the separate document that describes VBS.LoveLetter.CN for more information.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

The easiest way to repair the damage done by VBS.LoveLetter is to download an run the VBS.LoveLetter Fix Tool. This tool repairs the changes made to the system by this worm.

If you cannot obtain this tool, go on to the next section.

Manual removal instructions
The VBS.LoveLetter.Worm places several files on your hard drive or drives, and also makes changes to the Windows registry. In addition, it also changes the attribute of some files to hidden. All of this varies with the particular variant of the worm with which the computer was infected.

Enable show all files
Follow these steps to make sure that Windows is set to show all files:

1. Start Windows Explorer.
2. Click the View menu (Windows 95/98/NT) or the Tools menu (Windows Me/2000), and then click Options or Folder options.
3. Click the View tab.
4. Uncheck "Hide file extensions for known file types."
5. Do one of the following:
   • Windows 95/NT. Click "Show all files."
   • Windows 98. In the Advanced settings box, under the "Hidden files" folder, click Show all files.
   • Windows Me/2000. Uncheck "Hide protected operating system files" and under the "Hidden files" folder, click "Show hidden files and folders."
6. Click Apply, and then click OK.

• How to restart Windows 9x or Windows Me in Safe Mode.
• How to start Windows 2000 in Safe mode.

1. Click Start, point to Find or Search, and click Files or Folders.
2. Make sure that "Look in" is set to (C:) and that Include subfolders is checked.
3. In the "Named" or "Search for..." box, type--or copy and paste--the following file names:
   
   *letter-for-you* MSKernel32.vbs Win32DLL.vbs WinFAT32.EXE WIN-BUGSFIX.EXE script.ini mothersday.vbs funny love.vbs funny love.htm virus_warning.jpg.vbs urgent_virus_warning.htm protect.vbs important.txt.vbs eskernel32.vbs es32dll.vbs kiler.htm killer2.htm killer1.htm KillEmAll.TXT.VBS ArabAir.TXT.vbs no-hate-FOR-YOU.HTM vir-killer.vbs look.vbs bewerbung.txt.vbs reload.vbs
   
4. Click Find Now or Search Now.
   
   CAUTION: The next step is to delete these files from your system. Make sure that you delete only the files listed, and if you typed the file names, that they were typed exactly as shown. Deleting the wrong file could cause your system to fail to start.
   
5. Delete the files that are displayed.

• There is a space between each file name.
• If you copy and paste all of the file names into the Named box, most will not be found. (If you have run a full system scan and NAV has successfully removed these infected files, none may be found. If that is the case, go on to the next section.) This list contains all known files for all known variants. As an alternative, see the previous section (which provides details on the variants) and enter only the files that apply to the variant that the computer was infected with.
  

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
4. Look for the following String values in the right pane:
   
   WIN32DLL "C:\Windows\WIN32DLL.vbs"
   MSKernel32 "C:\Windows\System\MSKernel32.vbs"
   Win-bugsfix "<Path varies>"
   Winfat32.exe
   ESKernel32
   ES32dll
   Reload "C:\Windows\System\Reload.vbs"
   Any entries that refer to .vbs
   
   
5. For those that appear, select each one, press Delete, and then click Yes to confirm.
6. Navigate to the following key:
   
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
   
7. Look for the following String values in the right pane:
   
   WIN32DLL "C:\Windows\WIN32DLL.vbs"
   MSKernel32 "C:\Windows\System\MSKernel32.vbs"
   Win-bugsfix "<Path varies>"
   Winfat32.exe
   ESKernel32
   ES32dll
   Reload "C:\Windows\System\Reload.vbs"
   Any entries that refer to .vbs
   
8. For those that appear, select each one, press Delete, and then click Yes to confirm.
9. Navigate to the following key:
   
   HKEY_USERS\<username> or <.default>\Software\Microsoft\Windows\CurrentVersion\RunServices
   
10. Look for the following String values in the right pane:
    
    WIN32DLL "C:\Windows\WIN32DLL.vbs"
    MSKernel32 "C:\Windows\System\MSKernel32.vbs"
    Win-bugsfix "<Path varies>"
    Winfat32.exe
    ESKernel32
    ES32dll
    Reload "C:\Windows\System\Reload.vbs"
    Any entries that refer to .vbs
    
11. For those that appear, select each one, press Delete, and then click Yes to confirm.
12. Exit the Registry editor.
    
    NOTES:
    • If you are a network administrator, be aware that the following registry keys may have been deleted by the worm:
      HKLM\Software\Microsoft\Windows\CurrentVersion\
      Policies\Network\HideSharePwds
      
      HKLM\Software\Microsoft\Windows\CurrentVersion\
      Policies\Network\DisablePwdCaching
      
      HKLM\Software\Microsoft\Windows\CurrentVersion\
      Policies\Network\HideSharePwds
      
      HKLM\Software\Microsoft\Windows\CurrentVersion\
      Policies\Network\DisablePwdCaching
      
    • For all users, be aware that potentially hundreds of DWORD registry values are created in
      HKEY_USERS\username\SOFTWARE\Microsoft\WAB
      This is based on how many email messages were sent out. These keys will be different on each computer.

CAUTION: Do not attempt to run files that have been overwritten or renamed by this worm. If you do, the worm is executed again.

NOTE: Files with .mp2 and .mp3 extensions are not infected; only the file name has been changed by adding the .vbs extension (see the Technical Infor
mation section for details). You can recover these files by renaming them back to the original file name in Windows or in DOS. Files with the .jpg extension are destroyed, and must be restored from a backup.

1. Start Internet Explorer.
2. Click the Tools menu, and click Internet Options.
3. On the General tab, replace your home page address as desired.

Additional information:

Besides running LiveUpdate frequently, one other thing that you can do to protect your system from this type of worm is to block scripts of this type (NAV 2001) or disable or remove the Windows Scripting Host. VBS.LoveLetter, and others such as the Wscript.KakWorm, use the VBScript computer language to run.

• If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available.Please run LiveUpdate to obtain this.
• For other versions of Norton AntiVirus, Symantec Security Response offers a tool to disable the Windows Scripting Host.

Write-up by: Eric Chien and Brian Ewell