Love Letter Worm Virus

The Love Bug was first reported Thursday (05/04/2000) afternoon Hong Kong time and early morning in Europe and sense then it has been duplicated by several copycats causing several more additional similar variants to appear. The virus has caused companies, governments, and end-users extreme grief shutting down mail systems, mail servers, bank systems and even causing issues with pagers. The worm has been reported to have come from a 27 and 23 year old couple in the Philippines after a raid of their Apartment on Monday (05/08/2000).

05/18/2000 a New virus alert was announced with the release of the NEWLOVE virus. See information about this virus.

The Love Bug infects all users who are using Microsoft Windows and Microsoft Outlook. The following is what will be the subject, message and the actual attachment for each of the currently known wild viruses. If you see this mail do not attempt to open the attachment and instead delete the mail even if the message is from someone you know well.

Love bug variants

Variant A (Original Virus)
Subject:
ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: The virus begins by copying itself into the Windows directory placing Win32dll.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs. Once these files have been placed on the hard drive the virus will then place it self into the computer registry making the virus initiate on each of the following boots. The virus also attempts to delete the HideSharePwds, DisablePwdCaching, and DisablePwdCaching from the computer registry. Once these modifications have been made to the computer it will then send it self to each of the individuals in the address book with the Subject ILOVEYOU. To complete the destruction the destruction the virus will search out .js, .jse, .css, .wsh, .sct, and .hta creating a duplicate of each of the files found with the .vbs extension. Finally it will search and delete all files with the ".jpg" and ".jpeg" (these are the most commonly found image file format on the Internet.) Next the virus will search for ".mp3" and ".mp2" files replacing all files found with ".vbs" extension and hiding the original ".mp3" and ".mp2" files.

Variant B
Subject: Susitikim shi vakara kavos puodukui...
Message:
kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

Variant C
Subject:
fwd: Joke
Message: *No Message*
Attachment: VeryFunny.vbs

Variant D
Subject:
ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: Creates registry entries as WIN- -BUGFIX.exe instead of WIN-BUGSFIX.exe.

Variant E
Subject:
Mothers Day Order Confirmation
Message: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day!
Attachment: Mothersday.vbs

Variant F
Subject:
Dangerous Virus Warning
Message: There is a dangerous virus circulating. Please clickattached picture to view it and learn to avoid it.
Attachment: virus_warning.jpg.vbs

Variant G
Subject:
Virus Alert!!!
Message: Detailed message containing information about the ILOVEYOU worm.
Attachment: protect.vbs
Special Notes: Virus claims to be from support@symantec.com (which is a well known virus protection software company) this mail however of course is not from Symantec. In addition this variant of the worm will delete all files ending with .com and .bat seriously damaging the computer.

Variant H
Subject:
ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: This virus is exactly like Variant A, except that the beginning comments that give credit to the author of the worm and information about worm have been removed.

Variant I
Subject:
Important! Read carefully!!
Message: Check the attached IMPORTANT coming from me!
Attachment: Imporant.TXT.vbs
Special Notes: The beginning of the code has been changed giving credit to another author "BrainStorm@ElectronicSouls"

Variant J
Subject:
Virus Alert!!!
Message: Detailed message containing information about the ILOVEYOU worm. Appears to be same as Variant G.
Attachment: protect.vbs
Special Notes: Variant J of the ILOVEYOU worm appears to be a slightly modified version of Variant G.

Variant K
Subject:
How to protect yourself from the ILOVEYOU bug!
Message: Here's the easy way to fix the love virus.
Attachment: Virus-Protection-Instructions.vbs.

Variant L
Subject:
I Cant Believe This!!!
Message: I Cant Believe I have Just Received This Hate Email .. Take A Look
Attachment: KillEmAll.TXT.VBS
Special Notes: Replaces GIF & BMP images instead of JPG & JPEG images, hides WAV & MID instead of MP3 and MP2 and copies KILER.HTM, KILLER2.VBS, KILLER1.VBS to the hard drive.

Variant M
Subject:
Thank you For Flying with Arab Airlines
Message: Please check if the bill is correct, by opening the attached file.
Attachment: ArabAir.TXT.vbs
Special Notes: Replaces DLL & EXE files instead of JPG & JPEG files. Hides SYS & DLL files instead of MP2 and MP3 files. Copies file onto hard drive no-hate-FOR-YOU.HTM.

Variant N
Subject:
Variant Test
Message: This is a Variant to the vbs virus
Attachment: IMPORTANT.TXT.vbs
Special Notes: Copies itself as sndvol32.vbs and IEAKDLL.vbs. Internet Explorer start page changes to http://astalavista.box.sk. Overwrites *.mpg, *.mpeg, *.avi, *.qt, *.qtm.

Variant O
Subject:
ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: The script.ini has been modified slightly.

Variant P
Subject:
Yeah, Yeah another time to DEATH...
Message: This is the Killer for VBS.LOVE-LETTER.WORM
Attachment: LOOK.vbs
Special Notes: Sets the Internet Explorer start page to http://www.yahoo.com/Vir-Killer.exe. Overwrites *.ZIP and *.RAR files and hides *.PAS and *.ASM files.

Variant Q
Subject:
LOOK!
Message: hehe...check this out.
Attachment: LOOK.vbs
Special Notes: copies itself as MSUser32.vbs and User32DLL.vbs. Overrights *.XLS and *.MDB files. Hides *.EXE and *.LNK files. Creates a LOOK.HTM file.

Variant R
Subject:
Bewerbung Kreolina
Message: Sehr geehrte Damen and Herren!
Attachment: BEWERBUNG.TXT.vbs
Special Notes: Sends BEWERBUNG.HTM into connected IRC chat rooms.

Variant S
Subject:
ILOVEYOU
Message: Kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: Additional comment lines have been added into the virus.

Variant T
Subject:
Recent Virus Attacks-Fix
Message: Attached is a copy of the script that will reverse the effects of the LOVE-LETTER-TO-YOU.TXT.vbs as well as the FW:JOKE, Mother's Day and Lithuanian siblings.
Attachment: BAND-AID.DOC.VBS
Special Notes: Sets the Internet Start page to a virus related page. Deletes *.BAT, *.GIF, *.TIF, *.TIFF, *.WAV, *.LNK, *.BAK, *.DOC, *.XLS, *.RTF, *.TXT, *.HTM, *.HTML, *.XML, *.MNY, *.ZIP, *.BMP, *.CAB, and *.INF extentions.

Variant U
Subject:
UOL.TXT.vbs
Message: O UOL tem um grande presente para voce, e eh exclusivo. Veja o arquivo em anexo. http://www.uol.com.br.
Attachment: UOL.TXT.vbs
Special Notes: Sets home page to http://www.uol.com.br and hides *.EXE, *.COM, and *.INI files.

Variant V
Subject:
ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me."
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: Several comment lines have been modified.

Variant W
Subject:
IMPORTANT: Official virus and bug fix
Message: This is an official virus and bug fix. I got it from our system admin. It may take a short while to update your system files after you run the attachment.
Attachment: Bug and virus fix.vbs
Special Notes: Sets Internet Explorer Start Page to a virus related page. Overwrites *.EXE, *.COM, *.DLL, *.SYS, *.PWL, *.TXT.

Variant X
Subject:
NEUE antivirus-Liste
Message: Hiermit senden wir Ihnen/Dir eine neue Liste mit LOVE-LETTER-VIRUS Namen, die nicht geoeffnet werden sollten, bitte sofort lesen, danke.
Attachment: antivirus-LISTE.TXT.vbs
Special Notes: Overwrites *.MDB, *.PDF, *.WSH, *.DOT, *.HTA, *.JS, *.DRV, and *.INI files. Hides *.XLS and *.DOC files.

Variant Y
Subject:
LOOK!
Message: hehe...check this out.
Attachment: LOOK.vbs
Special Notes: Like earlier LOOK various however hides MP3 and MP2 files.

Variant Z
Subject:
BUG & VIRUS FIX
Message: I got this from our system admin. Run this to help prevent any recent or future bug & virus attacks. It may take a small while up update your files.
Attachment: MAJOR BUG & VIRUS FIX.vbs
Special Notes: Sets home page as virus related page. Overwrites *.COM, *.DLL, *.EXE, *.TXT, *.BAT, and *.SYS files.

Variant "Catolina" or "Postcard" in Italian
Subject: C una cartolina per te! (Here is a postcard for you)
Message: Ciao, un tuo amico ti ha spedito una cartolina virtuale... mooolto particolare! (Hello my friend, this is a virtual post card ... very special)
Attachment: CARTOLINA.VBS
Special Notes: Sets home page as http://www.vije.it an Italian music site.

Variant "BabyPic" for adults only
Subject: My baby pic!!!
Message: Its myanimated baby picture !!
Attachment: MYBABYPIC.EXE
Special Notes: Program written in Visual Basic with an explicit graphic animated image. When opened and viewed the virus copies itself to a local file system and sends e-mail to each MS Outlook user in the recipients' address book. The worm creates a set of files and registers them in the startup section of Windows system registry, enabling execution each time the computer starts.

The virus contains a very dangerous payload that can wipe out data on the computer, enable and disable on/off NumLock, CapsLock, and ScrollLock keys; send buffer messages ".IM_BESIDES_YOU_" and may send one of various text messages. In addition MyBabyPic also corrupts files with .VBS, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .PBL, .CPP, .PAS, .C, .H, .JPG, .JPEG, .MP2, and MP3 extensions.

Ways to protect yourself

Regardless of who sends you the mail if there is an attachment verify before opening it that it does not end with .vbs. VBS (Visual Basic Script). If the attached file ends with .vbs it is recommended that you delete the e-mail.

In addition the user or system administrator can disable the execution of VBS files by following the instructions below.

Windows 95 Users

  1. Open My Computer
  2. Click View then Options
  3. Click the "File types" tab
  4. Locate and "VBScript Script File" in the registered file types listing.
  5. Single click "VBScript Script File" to highlight the file.
  6. Select Remove and confirm the file deletion.

Windows 98 Users

  1. Click Start, Settings, Control Panel
  2. Double-click Add/Remove Programs
  3. Click the "Windows Setup" tab
  4. Double-click "Accessories" from the Components listing
  5. Locate "Windows Scripting Host" from the Accessories component list and Uncheck the selection.
  6. Click Ok and then Apply and Windows Scripting Host will be uninstalled from the computer.

Windows NT Users

  1. Open My Computer
  2. Click View then Options
  3. Click the "File types" tab
  4. Locate and "VBScript Script File" in the registered file types listing.
  5. Single click "VBScript Script File" to highlight the file.
  6. Select Remove and confirm the file deletion.

Windows 2000 Users

  1. Open My Computer
  2. Click View then Options
  3. Click the "File types" tab
  4. Locate and "VBScript Script File" in the registered file types listing.
  5. Single click "VBScript Script File" to highlight the file.
  6. Select Delete and confirm the file deletion.

To manually remove the virus

The Love Letter Virus (Variants A, B, C, E, F, and H) can be removed manually by following the steps below:

  • Click Start, Find, Files or Folder and search for *.VBS and delete all files found on the hard drive.
  • Search for the file LOVE-LETTER-FOR-YOU.HTM found in the Windows System directory and delete it.
  • Search for WIN-BUGSFIX.EXE and WINFAT32.EXE found in the Internet Explorer download directory and delete these files.
  • Once these files have been deleted empty the Recycle Bin and restart the computer and the Virus should be effectively removed from the computer.

It is also recommended if you are currently running a Virus protection software program that you update it with the latest virus update. Doing this also removes all traces of this virus as all major virus companies have updates on their pages. 

Information about the Newlove virus

Announced to be Wild 05/18/2000 the NEWLOVE virus was first reported at Israel. When ran the virus copies itself into the Windows folder and gives itself either a name from the recent document folder or gives itself a random name and extension. Once copied into this directory the virus will then send itself to all the individuals in your address book. It will then search all drives connected to the host system and replace each file with copies of itself and adds the extension .VBS to the original filename.

This virus has more damage potential then the original LoveLetter virus in addition will rename the subject line to random quires therefore cannot be detected as the Subject Line could be anything. It is recommended that all PC users and System administrators utilizing Microsoft Outlook review over the section 'Ways to Protect Yourself' to help prevent this potential hazardous virus from infecting your computer and data.

NewLove Virus
Subject:
Begins with FW and then will be named from the Recent Documents folder or a random name.
Message: Message is empty
Attachment: The attachment is a Randomly-selected VBS filename from the Windows Folder.
Special Notes: When ran the virus copies itself into the Windows folder and gives itself either a name from the recent document folder or gives itself a random name and extension. Once copied into this directory the virus will then send itself to all the individuals in your address book. It will then search all drives connected to the host system and replace each file with copies of itself and adds the extension .VBS to the original filename.