
Author Topic: VBS.LoveLetter.C(1) virus on pc  (Read 4326 times)


dede

  • Guest
VBS.LoveLetter.C(1) virus on pc
« on: December 12, 2006, 06:07:30 PM »
i ran a scan of pc today at work (all drives) & on the j drive symantec antivirus notification said i had VBS.LoveLetter.C(1) virus 6 times.  The long distance pc "support" said to unplug from the system which i did.  desktop support will try to help me tomorrow on work pc.   now i use 2 thumb drives on both my home & work pc---i'm scared to insert the thumb drives into my home pc in case there are infected files on them.  is it safe to run a norton antivirus scan on each thumb drive (e or f drives) from my home pc w/out infecting my home pc?  

i thought VBS.LoveLetter.C(1) was an old virus from back around 2000 that current antivirus programs caught?  i input some personal bank account information earlier in the morning on my office pc---is the VBS.LoveLetter.C(1) virus able to retrieve that kind of information?  thanks

phoenix910



    Hopeful

    Thanked: 2
    Re: VBS.LoveLetter.C(1) virus on pc
    « Reply #1 on: December 12, 2006, 07:21:33 PM »
    Most modern-day antivirus programs have what they call a "Real Time Scanning" function which is by default enabled. This catches and stops any viruses in files which are being actively accessed, i.e. anything on your flash drive that you open (if it is infected) will either be cleaned or quarantined, depending on your antivirus program settings. If you have no antivirus program, I would scan the flash drives on another computer first. There are so far 82 variants of this virus.
    Norton says this about the virus:


    This worm sends itself to email addresses in the Microsoft Outlook address book and also spreads to Internet chatrooms using mIRC. This worm overwrites files on local and remote drives, including files with the extensions .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .avi, .qt, .mpg, .mpeg, .cpp, .c, .h, .swd, .psd, .wri, .mp3, and .mp2.

    The contents of most of these files are replaced with the source code of the worm, destroying the original contents. The worm also appends the .vbs extension to each of these files. For example, image.jpg becomes image.jpg.vbs. However, files with .mp2 and .mp3 extensions are merely hidden and not destroyed. Norton SystemWorks users can recover these files if NProtect is running at the time of infection.

    VBS.LoveLetter also tries to download a password-stealing Trojan horse program from a Web site.
        


    Also Known As:  Lovebug, I-Worm.LoveLetter, VBS/LoveLetter.A, VBS/LoveLet-A
    Type:  Worm
    Infection Length:  10,307 bytes
    Systems Affected:  Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
    Systems Not Affected:  DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

    Wild

    Number of infections: 0 - 49
    Number of sites: 3 - 9
    Geographical distribution: High
    Threat containment: Moderate
    Removal: Moderate

    Threat Metrics

    Wild: Low
    Damage: High
    Distribution: High


    Damage

    Payload Trigger: On execution of email attachment
    Payload: Overwriting files
    Large scale e-mailing: Sends itself to all addresses in the Microsoft Outlook Address Book
    Modifies files: Overwrites files with the following extensions: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .mp3, and .mp2. Files with extensions of .mp2 and .mp3 will be hidden from the user by setting the hidden directory attribute. The overwritten files can be recovered if the user is running NProtect from Norton Systemworks or Norton Utilities at the time of infection. Variant G also overwrites .bat and .com files.
    Degrades performance: Might clog the email server

    Distribution

    Subject of email: ILOVEYOU
    Name of attachment: Love-letter-for-you.txt.vbs
    Size of attachment: 10,307 bytes
    Shared drives: Overwrites files located on network drives
    Target of infection: Overwrites files with the following extensions: .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .mp3, and .mp2. Files with .mp3 and .mp2 extensions will merely be hidden from the user's view and not actually destroyed. Variant G also overwrites .bat and .com files.

    When executed, the worm copies itself to the \Windows\System folder as both Mskernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs, and to the \Windows folder as Win32dll.vbs. The worm checks for the presence of Winfat32.exe in the Windows\System folder.

    If the file does not exist, then the worm sets the Internet Explorer start page to a Web site with the Win-bugsfix.exe file. This Web site has been shut down.
    If the file does exist, the worm creates the following registry key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

    and executes the file during system startup. The Internet Explorer start page is then replaced with a blank page.

    For each drive, including network drives, the virus attempts to infect files that have .vbs and .vbe extensions. The worm also searches for files with the extensions .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp3, and .mp2. When files with these extensions are found, the worm does the following:
    Overwrites all files having the extensions .js, .jse, .css, .wsh, .sct, .hta, .jpg, and .jpeg with viral code. It then makes a copy of the file and adds the extension .vbs to the file name. For example, if the file is named House_pics.jpg, the overwritten file is named House_pics.jpg.vbs. The original file is then deleted. These files must be deleted and then restored from a backup.
    Creates copies of all files having the .mp3 and .mp2 extensions. It then overwrites the copy with viral code and adds the .vbs extension to the file name. Next it changes the attribute of the original .mp3 or .mp2 file to hidden. Because of this, the original copies of .mp3 and .mp2 files are still unaltered--though hidden--on the hard drive. The modified files should be deleted.

    CAUTION: Do not attempt to run files that have been overwritten or renamed by this worm. If you do, the worm is executed again.

    You can download a removal tool here: http://www.symantec.com/avcenter/fixlove.exe
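
The file-level traces in the quoted Norton write-up (the appended .vbs extension, the hidden .mp3/.mp2 originals, the dropped copy names) can be checked on a thumb drive by name alone, without opening anything. The sketch below is an added example, not part of either post and not Symantec's tool; the function name `scan` and the wording of the reasons are assumptions, and it only lists files.

```python
import os
import sys
from pathlib import Path

# Extensions the write-up says are overwritten and renamed to <name>.<ext>.vbs
OVERWRITTEN = {".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg", ".jpeg"}
# Extensions whose originals are kept but hidden, with a .vbs copy beside them
HIDDEN_ORIGINAL = {".mp3", ".mp2"}
# Copy names the write-up says the worm drops (compared case-insensitively)
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs"}


def scan(root):
    """Return sorted (relative_path, reason) pairs; files are never opened or run."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        for f in files:
            low = f.lower()
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            if low in DROPPED:
                findings.append((rel, "dropped-copy name"))
                continue
            if not low.endswith(".vbs"):
                continue
            # Extension hiding underneath the trailing .vbs, e.g. ".jpg"
            inner = Path(low[:-4]).suffix
            if inner in OVERWRITTEN:
                findings.append((rel, "overwritten file: delete, restore from backup"))
            elif inner in HIDDEN_ORIGINAL:
                # The untouched original keeps its name but is marked hidden
                state = "present, unhide it" if low[:-4] in names else "not found"
                findings.append((rel, "mp3/mp2 decoy: delete; original " + state))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan_loveletter.py E:\
    for path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path + "\t" + reason)
```

An ordinary script such as `macro.vbs` is not reported, because only a .vbs suffix stacked on one of the listed extensions matches. On Windows, `attrib -h` on the original .mp3 or .mp2 file clears the hidden attribute.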