
Virus Profile: VBS/Loveletter.as

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 6/8/2000
Date Added: 6/8/2000
Origin: N/A
Length: 12,609
Type: Virus
Subtype: VBScript worm
DAT Required: 4078

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of "WINDOWS\reload.vbs" and "WINDOWS\SYSTEM\LINUX32.vbs"

Presence of the Registry keys:
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
LINUX32 = WINDOWS\SYSTEM\LINUX32.vbs"

"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
reload = WINDOWS\reload.vbs"

Seeing this message displayed on September 7:
"Dedicated to my best brother Christiam Julian(C.J.G.S.)"
"Att. [random 5 letters] (M.H.M. TEAM)"

Altered Startup and Shutdown screens displayed

Methods of Infection

If this Internet worm is run either intentionally or accidentally, it will install to the local system and also perform actions against files.

This worm will copy itself to the local system in the following locations:
WINDOWS\reload.vbs
WINDOWS\SYSTEM\LINUX32.vbs
WINDOWS\SYSTEM\[RANDOM NAME]

In the above, the random name could have the following possible file extensions:
".GIF.vbs", ".BMP.vbs", ".JPG.vbs"

The filename itself is generated by alternating a randomly chosen letter of the alphabet with a randomly chosen vowel from the set A, E, I, O, U. For instance, a possible filename could be
"bAlIr.BMP.vbs"

Next, this worm will modify the registry so that it is loaded at Windows startup from these locations:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
LINUX32 = WINDOWS\SYSTEM\LINUX32.vbs

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
reload = WINDOWS\reload.vbs

After modifying the registry, it checks whether the file "WINFAT32.EXE" exists. If it does, the worm modifies Internet Explorer settings so that three files are downloaded from a web page. The three files are two .BMP files and one .TXT file; their names suggest .ZIP archives, but they are not.

The three files copied to the local system are:
macromedia32.zip
linux321.zip
linux322.zip

These are then copied from the Temporary Internet Files folder to the WINDOWS folder as:
important_note.txt
logow.sys
logos.sys

The logo files are bitmap replacements for Windows startup and shutdown screens. The .txt is displayed at Windows startup due to a registry modification made by this worm:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
plan colombia = WINDOWS\important_note.txt

After this, the worm writes a file as
"US-PRESIDENT-AND-FBI-SECRETS.HTM"
in the WINDOWS\SYSTEM folder. This .HTM file contains the worm code.

Next, the worm runs an email routine to distribute itself via MAPI email to every address in the address book. The recipient list is not hidden: all recipients are visible in the "To" field.

The email varies and can take any of four possible formats. The Subject line will either be static (below) or a random 6 letters, and the body will either be static (below) or a random 10 letters:

Subject =
"US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (HTTP://WWW.2600.COM)<= "
Body =
"VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES.."
Attachment = [RANDOM FILE NAME]

The random attachment name is the random filename already generated in the earlier step described above.
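As an added example (not McAfee's code), the indicators above can be turned into a host inventory check and a mail-gateway rule. The script below takes a list of file paths and Run-key values as input (how they are collected is left to whatever inventory tool is in use), assumes the random name is five letters as in the page's "bAlIr" example, and runs on constructed sample data.

```python
import re

# Dropped-file / attachment name as the profile describes it: letters alternating
# with vowels (five of them in the page's example "bAlIr"; that length is an
# assumption taken from the example), then a doubled image extension and .vbs.
RANDOM_NAME_RE = re.compile(r"^[A-Z][AEIOU][A-Z][AEIOU][A-Z]\.(GIF|BMP|JPG)\.vbs$", re.I)

# Files and Run/RunServices values the profile lists (lower-cased, relative to the drive root).
DROPPED_FILES = {r"windows\reload.vbs", r"windows\system\linux32.vbs",
                 r"windows\system\us-president-and-fbi-secrets.htm",
                 r"windows\important_note.txt", r"windows\logow.sys", r"windows\logos.sys"}
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RUN_VALUES = {(RUN_KEY, "linux32"): r"windows\system\linux32.vbs",
              (RUN_KEY + "services", "reload"): r"windows\reload.vbs",
              (RUN_KEY, "plan colombia"): r"windows\important_note.txt"}
STATIC_SUBJECT = "US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (HTTP://WWW.2600.COM)<="
STATIC_BODY = "VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES.."

def is_random_worm_name(name):
    return RANDOM_NAME_RE.match(name) is not None

def host_indicators(files, run_values):
    """files: paths relative to the drive root, as a directory walk reports them;
    run_values: (key, value_name, data) triples read from the Run keys.
    Returns the matched indicators as strings."""
    hits = []
    for path in files:
        norm = path.replace("/", "\\").lower()
        if norm in DROPPED_FILES:
            hits.append("file: " + path)
        elif norm.startswith("windows\\system\\") and is_random_worm_name(norm[15:]):
            hits.append("file: " + path + " (random-name copy)")
    for key, name, data in run_values:
        expected = RUN_VALUES.get((key.lower(), name.lower()))
        if expected is not None and data.replace("/", "\\").lower() == expected:
            hits.append("registry: " + key + "\\" + name + " = " + data)
    return hits

def is_suspect_mail(subject, body, attachment):
    """True for one of the four subject/body combinations the profile gives,
    carried with an attachment whose name fits the generated pattern."""
    s, b = subject.strip(), body.strip()
    subj_ok = s == STATIC_SUBJECT or re.fullmatch(r"[A-Za-z]{6}", s) is not None
    body_ok = b == STATIC_BODY or re.fullmatch(r"[A-Za-z]{10}", b) is not None
    return is_random_worm_name(attachment) and subj_ok and body_ok

if __name__ == "__main__":  # constructed sample inventory, not data from a real host
    print(host_indicators([r"WINDOWS\reload.vbs", r"WINDOWS\SYSTEM\bAlIr.BMP.vbs", r"WINDOWS\win.ini"],
                          [(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "LINUX32", r"WINDOWS\SYSTEM\LINUX32.vbs")]))
```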

After the email routine, this worm performs another action against the system and mapped drives. If this worm finds files of type ".VBS" or ".VBE", it will overwrite and replace them with its own code.

If this worm finds files of type ".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg" or ".jpeg", it will first copy itself under that filename with the extension .VBS appended, and then delete the original file.

If this worm finds files of type ".MP2" or ".MP3", it will set their attributes to hidden.

Finally, if the current day is September 7, this worm will display a message: "Dedicated to my best brother=>Christiam Julian(C.J.G.S.) Att. [random 5 letters] (M.H.M. TEAM)"

After this message is displayed and cleared, it will attempt to disconnect drives Z: through E: in reverse order.

Aliases

VBS/Columbia, VBS/Plan, VBS_Colombia, VBS_Columbia

Virus Characteristics

Update Sept 20, 2000:
A modified variant of this virus was discovered by McAfee AVERT, known as VBS/Loveletter.bj - this variant is identified and removed simply as "VBS/Loveletter.worm" using the latest DAT and current engine.

This is a variant of the VBS/Loveletter family. It contains routines similar to those of other variants and includes a date-activated payload which attempts to disconnect all mapped drives from the local host on the network. One AntiVirus firm announced this as VBS/Plan in a press release.

This virus arrives via Outlook email. The attachment filename varies, and the message can take any of four possible formats. The Subject line will either be static (below) or a random 6 letters, and the body will either be static (below) or a random 10 letters:

Subject = "US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (HTTP://WWW.2600.COM)<= "
Body = "VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES.."
Attachment = [RANDOM FILE NAME]

The virus is distributed to all users in the infected user's address book, and the list is visible in the "To" field.

This worm contains the following strings, which are never displayed:

rem "Plan Colombia" virus v1.0
rem by Sand Ja9e Gr0w
rem Santa fe de Bogotá 2000/09
rem I dedicate to all you the song "GoodBye" of Andreas Bochelli

Variants

Variants information

Virus Name         Type   Subtype        Differences
VBS/Loveletter.bj  Virus  VBScript worm  Discovered Sept 20, 2000 - two bytes different. Detected by current DAT + 4.0.50

Removal Instructions

All Users:
Script, Batch, Macro and non-memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory-resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.