Threat Center Threats Explained Threat Encyclopedia Threat Blog Security Tips Case Studies White Papers Newsletter Signup
 

VBS/LoveLetter


VBS/LoveLetter is a script virus written in the script language VBS (Visual Basic Script).  The virus was extensively spread within a very short period of time starting at about noon on May 4th 2000.  At the beginning of the virus there is the following text:

rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines

When it is run the virus modifies the script timeout setting.  Into the directory "windows" it writes the file WIN32DLL and into the directory "system" it writes filed MSKernel32VBS and LOVE-LETTER-FOR-YOU.TXT.VBS.  All these files contain the virus code.
Work with registers:
It creates keys: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",dirsystem&"\MSKernel32.vbs" and "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",dirwin&"\Win32DLL.vbs".  It ensures that when Microsoft Internet Explorer is run one of the four versions of the file WIN-BUGFIX.EXE is downloaded and executed from the server www.skyinet.net.

Html:
In the system directory the virus creates the file LOVE-LETTER-FOR-YOU.HTM which contains the worm spreading by means of the program mIRC.

E-mail:
If the user works with MS Outlook the virus sends to all addresses in the address books an email containing the following parts:

Subject: ILOVEYOU
Text of the message: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

Destructive actions with files:
The virus overwrites files with extensions: ".js", ".jse", ".css", ".wsh", ".sct" and ".hta" by its code.  To files with extensions ".jpg", ".jpeg", ".mp3" or ".mp2" it creates files with identical filename but it adds to them another extension “vbs".  In the files again the virus code is located.  In case of "jpeg" and "jpg" it deletes the original file.  The virus searches for the files in all directories of all disks.



PROTECT YOUR COMPUTER!
ESETs NOD32 antivirus software provides comprehensive, easy-to-use, and affordable protection from todays and tomorrows threats. We put the malware expert inside the software, so you don’t have to become one.

DOWNLOAD ESET NOD32 ANTI VIRUS SOFTWARE

 

 
Top of Page Back One Page Print this Page