Virus Profile: VBS/Loveletter@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Medium | Corporate Medium
Date Discovered: 5/4/2000
Date Added: 5/4/2000
Origin: Phillipines
Length: 10,307
Type: Virus
Subtype: VbScript
DAT Required: 4077
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Existence of files mentioned above, replacement of files as mentioned above. Email propagation as described above. IRC file distribution as mentioned above.

Methods of Infection

This virus will run if Windows Scripting Host is installed. Running the email attachment received either accidentally or intentionally will install to the local system, and also to all available drives, send via email message as an attachment and also via IRC if installed.

Aliases

I-Worm.Loveletter, IRC/Loveletter, Love Bug, LOVE-LET.VBS, LOVE-LETTER-FOR-YOU.TXT.vbs, Loveletter, Troj/LoveLet-A, VBS.Loveletter.a, VBS/LoveLet-A, VBS/LoveLet-B, VBS/LoveLet-C, VBS/LoveLet-E, VBS/Loveletter.a, VBS/Loveletter.worm, VBS_LoveLetter, veryfunny.vbs, WIN-BUGSFIX.EXE
   

Virus Characteristics

*Note: Ensure that the extensions .VBS, .HTM are included when scanning.*

As this detection covers many variants, you may experience symptoms other than those described below.

This is a VBScript worm with virus qualities. This worm will arrive in an email message with this format:

Subject "ILOVEYOU"
Message "kindly check the attached LOVELETTER coming from me."
Attachment "LOVE-LETTER-FOR-YOU.TXT.vbs"
(note that other threats use similar filenames, such as W95/MTX.gen@M which uses the filename LOVE-LETTER-FOR-YOU.TXT.pif):

If the user runs the attachment the worm runs using the Windows Scripting Host program. This is not normally present on Windows 95 or Windows NT unless Internet Explorer 5 is installed.

When the worm is first run it drops copies of itself and writes an .HTM file in the following places :

WINDOWS\SYSTEM\MSKERNEL32.VBS
WINDOWS\WIN32DLL.VBS
WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.TXT.VBS
WINDOWS\SYSTEM\LOVE-LETTER-FOR-YOU.HTM

It also adds the registry keys :

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSKernel32=WINDOWS\SYSTEM\MSKernel32.vbs

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=WINDOWS\Win32DLL.vbs

in order to run the worm at system startup.

This worm searches all drives connected to the host system and replaces the following files:

*.JPG
*.JPEG

with copies of itself and it adds the extension .VBS to the original filename. So PICT.JPG would be replaced with PICT.JPG.VBS and this would contain the worm.

The worm also overwrites the following files:

*.VBS
*.VBE
*.JS
*.JSE
*.CSS
*.WSH
*.SCT
*.HTA

with copies of itself and renames the files to *.VBS.

This virus locates instances of the following file types:

*.MP3
*.MP2

and if found, makes them hidden and copies itself as these filenames except with .VBS extension. For instance, if file exists as "2PAC.MP3", this now becomes a hidden file and the virus is copied as "2PAC.MP3.VBS".

The worm creates a file 'LOVE-LETTER-FOR-YOU.HTM' which contains the worm and this is then sent to the IRC channels if the mIRC client is installed. This is accomplished by the worm replacing the file SCRIPT.INI.

After a short delay the worm uses Microsoft Outlook to send copies of itself to all entries in the address book. The mails will be of the same format as the original mail.

This worm also has another trick up it's sleeve in that it tries to download and install an executable file called WIN-BUGSFIX.EXE from the Internet. This exe file is a password stealing program that will email any cached passwords to the mail address MAILME@SUPER.NET.PH

In order to facilitate this download the worm sets the start-up page of Microsoft Internet Explorer to point to the web-page containing the password stealing trojan.

The email sent by this program is as follows :

-------------copy of email sent-----------
From: [victim machine name]@[victim IP address]
To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.
trojan---by: spyder
Host: [machine name]
Username: [user name]
IP Address: [victim IP address]

RAS Passwords:...[victim password info]
Cache Passwords:...[victim password info]
-------------copy of email sent-----------

The password stealing trojan is also installed via the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

to autorun at system startup. After it has been run the password stealing trojan copies itself to WINDOWS\SYSTEM\WinFAT32.EXE and replaces the registry key with

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
WinFAT32=WinFAT32.EXE

Variants

Variants information
Virus Name Type Subtype Differences
VBS/Loveletter.b Virus VbScript Subject="Susitikim shi vakara kavos puodukui..."
VBS/Loveletter.c Virus VbScript
Subject="FW: Joke"
Files="Very Funny.vbs","Very Funny.HTM"
VBS/Loveletter.d Virus VbScript
Extra " -" due to editor corruption,not spreading.
VBS/Loveletter.af Virus VbScript
First line of code is "rem FREE XXX", followed by 120 repeating comment lines,
different file created in WINDOWS\SYSTEM\
"FREE SEXSITE PASSWORDS.HTML.vbs"
VBS/Loveletter.ah Virus VbScript
Contains comment line:
"i am in love with Dorine de Wit",
also has minor formatting of lines
VBS/Loveletter.ag Virus VbScript
Contains comment "rem Virusu "te iubesc""
VBS/Loveletter.ae Virus VbScript
Insertion of additional comment lines such as:
"rem - vytvooen objektu pro pr ci se systmem soubor"
VBS/Loveletter.ai Virus VbScript
Subject: "You May Win $1,000,000! 1 Click Away"
Body: "kindly check the attached WIN coming from me."
Attachment: WIN.vbs
Found by Virus Patrol in newsgroup;does not contain trojan download code and not viable due to bad formatting.
VBS/Loveletter.be Virus VbScript
Discovered Aug 25, 2000 - detected without update of DAT
Similar to VBS/Loveletter.c - JOKE.VBS instead of VERYFUNNY.VBS
   
All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

   

PC Infected? Get Expert Help

McAfee
Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

$89.95