Virus Characteristics
This Visual Basic Script virus was discovered on February 11, 2001 in a Usenet posting, by AVERT Virus Patrol. The virus is embedded in an HTML file, uses the Vbscript.Encode method to partially encrypt its code, and makes use of the, so called, "Scriptlet.TypeLib" vulnerability.
When the viral code is executed, it copies itself to the StartUp folder, "c:\WINDOWS\Start Menu\Programs\Startup\loveday14-a.hta". If the Spanish version of Windows is detected, it copies itself to the corresponding Startup folder, "c:\WINDOWS\Menú Inicio\Programas\Inicio\loveday14-a.hta".
The .hta file gets executed at each system startup. The virus creates the file "index.html" in the WINDOWS SYSTEM directory which becomes the infected user's signature in Outlook Express. As a result, messages sent from an infected machine will contain the embedded virus code in the email message.
It sets the Internet Explorer start page to a Spanish website which contains another virus, VBS/Valentin@MM.
If the current day is 8, 14, 23, or 29, the virus attempts to delete the contents of directories on the root level of the C: drive. Subfolder names are appended with "happysanvalentin" (ie. C:\Windows\Desktop becomes C:\Windows\Desktophappysanvalentin".
The virus code contains the comments, "loveday14 by Onel2 Melilla, España 'feliz san valentin davinia."