Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: HIGH
Payload:
Detection files published: 04 May 2000 03:00:00
Description created: 03 May 2000 03:00:00
Description updated: 08 Nov 2001 02:29:00
Malware type: VIRUS
Alias: ILoveYou
Spreading mechanism: EMAIL, IRC, NETWORK
Summary: None

VBS/LoveLetter.A-V@mm

Spreading

The original A-variant is the one listed in the introduction.

Details of the other variants are:

VBS/LoveLetter.A (the original)

This is a VBS virus that uses WSH (Windows Scripting Host). WSH is installed by default with Win98, Win2000 and Internet Explorer 5.

It copies itself to the Windows folder as Win32DLL.vbs and to the System folder as MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs, and modifies the Windows Registry to run these files each time Windows is loaded:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32", "MSKernel32.vbs"

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL", "Win32DLL.vbs"

It replicates by sending itself to each entry in the MS Outlook (not Outlook Express) address book(s). This is only done once. It modifies Internet Explorer's start page to point to one of five web-sites where it tries to run an executable file WIN-BUGSFIX.EXE.

It searches for mirc32.exe, mlink32.exe, mirc.ini, script.ini and mirc.hlp to check whether mIRC is installed. If some of these files are found, VBS/LoveLetter will create script.ini with code to "DCC" send the file "LOVE-LETTER-FOR-YOU.HTM". This file is dropped by the virus in the Windows System folder.

It checks the Internet Explorer Download Directory for the file WinFAT32.exe. If that file does not exist, the worm tries to download and install an executable file called WIN-BUGSFIX.EXE from one of four randomly selected websites by changing the home page of the Web Browser to one of these four sites. The link causes the Trojan program to run, which then installs a password-stealing program that sends an email to the address MAILME@SUPER.NET.PH with the subject line

Barok. email.passwords.sender.trojan

The message contains the following:

username
host
IP address
remote access passwords
cached passwords

The virus searches all local drives and network drives for files with certain extensions. It overwrites the following files with copies of itself and renames the files to "originalfilename.VBS": *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.HTA. It also creates copies of *.JPG and *.JPEG files with an extra extension (.vbs). For example, if you have a file mypicture.jpg, it will create a new file, mypicture.jpg.vbs, containing the virus code and delete the original file. If the file is write-protected, the virus will not succeed in deleting the original file and will only create the companion file with the .vbs extension.

The virus also searches for *.MP3 and *.MP2 files. It will create a new file with an extra .VBS extension (myfile.mp3.vbs) and write its own viral code to this file. Then it changes the file attribute of the original *.MP3 files to hidden. The original *.MP3 files will not be overwritten.
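A triage sketch for the A-variant artifacts described above, added here as an example and not part of Lumension's detection files. The function names, the sample paths and the sample registry export are constructed for illustration; the file listing is assumed to include hidden files.

```python
import ntpath
import re

# File names the page says variant A drops (compared case-insensitively).
DROPPED = {"win32dll.vbs", "mskernel32.vbs",
           "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
# Run / RunServices values the page lists: value name -> script it launches.
RUN_VALUES = {"mskernel32": "mskernel32.vbs", "win32dll": "win32dll.vbs"}
# Media files that get a ".vbs" companion according to the page.
COMPANION = re.compile(r"^(?P<orig>.+\.(?P<ext>jpe?g|mp[23]))\.vbs$", re.I)
# Constructed sample data (not from a real host).
SAMPLE_FILES = [
    r"C:\WINDOWS\Win32DLL.vbs",
    r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
    r"C:\My Documents\mypicture.jpg.vbs",
    r"C:\Music\myfile.mp3",
    r"C:\Music\myfile.mp3.vbs",
    r"C:\Scripts\backup.vbs",  # overwritten scripts cannot be told apart by name
]
SAMPLE_RUN = {"MSKernel32": r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", "SystemTray": "SysTray.Exe"}


def triage_files(paths):
    """Return (path, reason) findings for a list of Windows file paths."""
    present = {p.lower() for p in paths}
    findings = []
    for p in paths:
        name = ntpath.basename(p).lower()
        m = COMPANION.match(p)
        if name in DROPPED:
            findings.append((p, "dropped worm copy"))
        elif m:
            ext = m.group("ext").lower()
            kept = m.group("orig").lower() in present
            # Page: JPG/JPEG originals are deleted unless write-protected; MP3/MP2 are hidden.
            state = "original still present" if kept else "original missing"
            findings.append((p, f"companion of .{ext} file; {state}"))
    return findings


def triage_run_values(values):
    """values: {value name: data} exported from the Run / RunServices keys."""
    hits = []
    for name, data in values.items():
        expected = RUN_VALUES.get(name.lower())
        if expected and ntpath.basename(data.strip('"')).lower() == expected:
            hits.append(name)
    return sorted(hits)
```

A companion whose original is still present points to a recoverable file (hidden MP3/MP2 or write-protected JPG/JPEG); one whose original is missing has to come from backup.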
Variants

VBS/LoveLetter.B

This variant contains one additional comment at the beginning of the code:

rem Modified Lameris Tamoshius / Lithuania (Tovi systems)

The body of the e-mail is the same as the original variant, but the subject field is changed:


Subject: "Susitikim shi vakara kavos puodukui... "

Body:

"kindly check the attached LOVELETTER coming from me."

Thus the body of the e-mail is the same as the original variant.

VBS/LoveLetter.C

The e-mail subject and body are changed:


Subject: " fwd: Joke "

LoveLetter.C uses a blank message body.

The filename of the attached file is changed to "Very Funny.vbs" and instead of "LOVE-LETTER-FOR-YOU.HTM", it creates the file "Very Funny.HTM".

VBS/LoveLetter.D

This variant contains a blank line between each line of virus code.

VBS/LoveLetter.E

Alias: "Mothers Day"

The e-mail subject and body are changed.

Subject: "Mothers Day Order Confirmation"

Body:
We have proceeded to charge your credit card for the amount of $326.92 for the mothers day
diamond special. We have attached a detailed invoice to this email. Please print out the attachment
and keep it in a safe place. Thanks Again and Have a Happy Mothers Day!

mothersday@subdimension.com

This variant also attacks files of types .BAT and .INI in addition to the files targeted by the A variant.

The comment lines at the beginning of the code are changed. Like the original variant, this variant changes the Internet Explorer start page, but it points the start page to some other web-sites.

VBS/LoveLetter.F

The e-mail subject and body are changed.

Subject: Dangerous Virus Warning

Body:

There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.

The filename of the attached file is changed to "virus_warning.jpg.vbs" and instead of "LOVE-LETTER-FOR-YOU.HTM", it creates the file "Urgent_virus_warning.htm". However, it tries to send the file "_virus_warning.htm" through IRC, so this spreading mechanism does not function.

In addition to the files targeted by the A variant, this variant also targets files of the following types: .WAV, .TXT, .GIF, .DOC, .XLS, .HTM, .HTML (which are overwritten and have their extensions changed to .vbs).

This variant also tries to download an .EXE file from the shareware web site Tucows. This file is not a trojan.

VBS/LoveLetter.G

This variant is disguised as being sent from the domain of the antivirus company Symantec (symantec.com).

Subject: Virus ALERT!!!

Body:


Dear Symantec customer,

Symentec's AntiVirus Research Center began receiving reports regarding VBS.LoveLetter.A virus early morning on May 4, 2000 GMT. This worm appears to originate from the Asia Pasific region. Distribution of the virus is widespread and hundreds of thousands of machines are reported infected.

The VBS.Loveletter.A is an Internet worm that uses Microsoft Outlook to e-mail itself as an attachment.
The subject line of the e-mail reads ILOVEYOU with the attachment titled LOVE-LETTER-FOR-YOU.TXT.VBS.
Once the attachment is opened, the virus replicates and sends an e-mail to all the e-mail addresses listed in the address book.
The virus also spreads itself via Internet relay chat and infects files on local and remote drives including files with extensions VBS, VBE, JS, SJE, CSS, WSH, SCT, HTA, JPG, JPEG, MP3, MP2.
Users should exercise caution when opening e-mails with this subject line, even if the e-mail is from someone they know, as that is how the virus is spread.

Symantec Corp. today announced availability of the virus definition to detect, repair and protect users against the VBS.LoveLetter.A virus.
This definition is available now via Symantec's Live Update and can also be downloaded from the following web sites: http://www.symantecstore.com/AF74211/promo/loveletter
http://www.digitalriver.com/symantec

Also as a quick solution Symantec Corp. offers Visual Basic Script to protect your PC agains this worm. (See attached.)

Note! When executed, this script will protect your PC from being INFECTED from VBS.LoveLetter.A.
To cure already infected PC's download Norton Antivirus Updates mentioned above.

Symantec Corporation - a world leader in internet security technology.

The filename of the attached file is "protect.vbs" and instead of "LOVE-LETTER-FOR-YOU.HTM", it creates the file "protect.htm".

In addition to the files targeted by the A variant, this variant also targets files of the following types: .COM and .BAT (which are overwritten and have their extensions changed to .vbs).

This variant changes the start page in Internet Explorer and sets it to a site with pornographic content. It also sets the search page to a search engine which is used to search for underground materials. Default_Page_URL is set to a famous pornographic web portal. Default_Search_URL is set to an underground web site. Local Page is set to protect.htm. Internet Explorer's window title is set to "Mocro$oft Internet Exploder by Ommen ".

Note that a virus disguising itself as coming from an antivirus company is nothing new. This virus is of course not sent from Symantec.


VBS/Loveletter.H

This is like the A variant with minor changes in the source code.


VBS/Loveletter.I

Subject: Important ! Read carefully !!

Body:

Check the attached IMPORTANT coming from me !

The filename of the attached file is "IMPORTANT.TXT.vbs" and instead of "LOVE-LETTER-FOR-YOU.HTM", it creates the file "Important.HTM".

Files targeted are like the A variant.


VBS/LoveLetter.J

Subject : How to protect yourself from the IL0VEY0U bug!

Body :


Here's the easy way to fix the love virus.

Attachment file name: "Virus-Protection-Instructions.vbs"

Additional file created for IRC spread: "Virus-Protection-Page.HTM"

Functionally this is similar to A variant.


VBS/LoveLetter.K

Subject : Thank You For Flying With Arab Airlines

Body:


Please check if the bill is correct, by opening the attached file.

Attachment file name: "ArabAir.TXT.vbs"

Additional file created for IRC spread (nonfunctional): "no-hate-FOR-YOU.HTM"

This variant overwrites program files of types EXE and DLL instead of the JPG and JPEG file types that were overwritten by the A variant.


VBS/LoveLetter.L

This is like the original A except that some comments are added to the source code.


VBS/LoveLetter.M

Subject: Bewerbung Kreolina

Body:



Sehr geehrte Damen und Herren!

File attached: "BEWERBUNG.TXT.vbs"

File created for IRC spread: "BEWERBUNG.HTM"

Otherwise this is identical to the A variant.


VBS/LoveLetter.N

Subject: LOOK!

Body:


hehe...check this out.

File attached in email: "LOOK.vbs"

File created for IRC spread: "LOOK.HTM"

This variant is more destructive than the A variant, as it overwrites *.XLS and *.MDB files instead of JPG and JPEG. XLS is the standard extension of Excel spreadsheets, and MDB is the standard extension of Microsoft Access databases.

It also creates companion files to *.LNK and *.EXE files instead of *.MP2 and *.MP3, and sets the original LNK and EXE files hidden.


VBS/LoveLetter.O

Minor differences from the A variant.


VBS/LoveLetter.P

Subject: Variant Test

Body:


This is a variant to the vbs virus.

File attached in email: "IMPORTANT.TXT.vbs"

File created for IRC spread : "IMPORTANT.HTM"


VBS/LoveLetter.Q

Subject: Yeah, Yeah another time to DEATH...

Body:


This is the Killer for VBS.LOVE-LETTER.WORM.

File attached in email: "Vir-Killer.vbs"

This variant seems to be partly corrupted and won't spread properly.


UNIX/LoveLetter.A

This is the original LoveLetter.A email worm, rewritten to function in a UNIX environment.

It consists of a so-called shell script which, when executed, will email itself to all addresses found in the files ".muttrc" and ".mailrc", as well as user names picked from the local password file /etc/passwd.

It uses the UNIX standard mail program mailx to do this.

Subject: I LOVE YOU

Body: (No text in body.)

File attached in email: "Loveletter.sh"

This virus is also started at every login, as the virus file name is inserted into the Bourne Again Shell startup file ".bashrc".

This variant is as destructive as the original VBS version. It will attempt to delete graphical files of types *.JPG, *.JPEG, *.MPG and *.GIF outright, but will not overwrite them with the virus body, as is the case with the original.

Note that as of 7 May 2000 1600 CET, this variant has not been found in the wild, and will probably have a limited spread potential due to compatibility issues.


Other variants

New variants of VBS/LoveLetter are expected to arrive in the days to come. Unless these variants are rewritten more than the later variants, it is assumed that Lumension's already published virus detection files will detect such new variants.


Payload Details

n/a

Analysis

n/a

Removal

The Visual Basic Script viruses rely on the association between .VBS files and Windows Scripting Host to execute.


Last Updated: 12 Nov 2015 11:06:11