For more information, you can read the article on this virus at MSN.COM or ZDNET.COM.
The Symantec AntiVirus Research Center began receiving reports regarding this worm in the early morning of May 4, 2000 GMT. This worm appears to originate from Manila, Philippines. This worm has widespread distribution and hundreds of thousands of machines are reported infected. This worm sends itself out to email addresses in the Microsoft Outlook address book; it also spreads via mIRC and infects files on local and remote drives, including files with the extensions vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2.
Category: Worm
Infection length: 10307
Virus definitions: May 4, 2000
Threat assessment:
Wild
Damage
Distribution
Technical description:
When executed, the worm will copy itself to the Windows System directory as MSKernel32.vbs, the Windows directory as Win32DLL.vbs, and the Windows System directory as LOVE-LETTER-FOR-YOU.TXT.vbs.
The worm checks if the file WinFAT32.exe exists in the Windows System directory. If the file does not exist, the worm sets the Internet Explorer Start Page to a website with the file WIN-BUGSFIX.exe. This website is currently unreachable. The webpage has apparently been shut down, but this may be due to load on the webserver.
If the file does exist, the worm will create the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
and execute the file on startup. The Internet Start Page will then be replaced with a blank page.
For each drive, including network drives, the virus will attempt to infect files with VBS and VBE extensions.
The worm will also search for files with the extensions JS, JSE, CSS, WSH, SCT, HTA, JPG, JPEG, MP3, MP2 and create a file with the same name, but with the extension VBS.
The worm will also spread via mIRC by creating a script.ini file in the mIRC program directory which will send the dropped file LOVE-LETTER-FOR-YOU.HTM to other users in the chatroom.
The worm uses MAPI calls to the Microsoft Outlook application and creates messages by iterating through all the addresses in the Microsoft Outlook Address Book. The worm will mark these recipients using the registry in an attempt to send them the mail only once.
The subject of the message is:
ILOVEYOU
The body of the message is:
kindly check the attached LOVELETTER coming from me.
Attached to the message is the file:
LOVE-LETTER-FOR-YOU.TXT.vbs
Finally, the virus will also drop the file LOVE-LETTER-FOR-YOU.HTM in the Windows System directory, which is sent in conjunction with mIRC.
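A triage scan for the file-system indicators listed in this description, as an added example that is not part of the original write-up or any vendor removal tool. It assumes "the same name, but with the extension VBS" can mean either photo.vbs beside photo.jpg or photo.jpg.vbs, treats the 10307-byte infection length as a weak heuristic only, and runs against a constructed tree of harmless placeholder files; the WIN-BUGSFIX registry value is not checked.

```python
import os
import tempfile
# Indicators from the write-up above, compared case-insensitively.
DROPPED = {"mskernel32.vbs", "win32dll.vbs",
           "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
EXTS = {".js", ".jse", ".css", ".wsh", ".sct", ".hta",
        ".jpg", ".jpeg", ".mp3", ".mp2"}
INFECTION_LENGTH = 10307  # bytes, from the "Infection length" field

def scan(root):
    """Return sorted (reason, relative path) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        siblings = {f.lower() for f in files}
        for name in files:
            low, path = name.lower(), os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            stem, ext = os.path.splitext(low)
            if low in DROPPED:
                findings.append(("dropped-file", rel))
            elif low == "script.ini":
                # mIRC script that references the dropped HTM file
                with open(path, "rb") as fh:
                    if b"love-letter-for-you.htm" in fh.read().lower():
                        findings.append(("mirc-script", rel))
            elif ext == ".vbs":
                # Assumption: "same name" may mean photo.vbs or photo.jpg.vbs
                inner = os.path.splitext(stem)[1]
                if inner in EXTS or any(stem + e in siblings for e in EXTS):
                    findings.append(("vbs-companion", rel))
                elif os.path.getsize(path) == INFECTION_LENGTH:
                    findings.append(("size-match", rel))
    return sorted(findings)

def demo():
    """Scan a constructed tree of harmless placeholder files."""
    sample = {"WINDOWS/SYSTEM/MSKernel32.vbs": b"x", "docs/photo.jpg": b"x",
              "docs/photo.vbs": b"x", "docs/song.mp3.vbs": b"x",
              "docs/report.vbs": b"x", "docs/unknown.vbs": b"x" * INFECTION_LENGTH,
              "mirc/script.ini": b"; constructed: LOVE-LETTER-FOR-YOU.HTM"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A "vbs-companion" or "size-match" hit is a lead for manual review, not a verdict: an ordinary script such as docs/report.vbs in the sample is left unflagged, but legitimate scripts can share a base name with another file.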
Removal:
Write-up by: Eric Chien
Updated: May 4, 2000