The Love Bug was first
reported Thursday (05/04/2000) afternoon Hong Kong time and early
morning in Europe, and since then it has been duplicated by several
copycats, causing several similar variants to appear.
The virus has caused companies, governments and end-users extreme
grief, shutting down mail systems, mail servers and bank systems, and even
causing issues with pagers. The worm has been reported to have come from a
27 and 23 year old couple in the Philippines after a raid of their
apartment on Monday (05/08/2000).
The Love Bug
infects all users who are using Microsoft Windows and Microsoft Outlook.
The following lists the subject, message and attachment
for each of the variants currently known to be in the wild. If you see this mail, do
not attempt to open the attachment; simply delete the mail,
even if the message is from someone you know well.
Variant A (Original Virus)
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: The virus begins by copying itself into the
Windows directory, placing Win32dll.vbs and
LOVE-LETTER-FOR-YOU.TXT.vbs. Once these files have been placed on
the hard disk drive, the virus places itself into the
computer registry, so that it starts on each following
boot. The virus will also attempt to delete HideSharePwds
and DisablePwdCaching from the computer registry.
Once these modifications have been made to the computer, it
sends itself to each of the individuals in the address book with the
Subject ILOVEYOU. To complete the destruction, the
virus will search out .js, .jse, .css, .wsh, .sct and .hta files, creating
a duplicate of each of the files found with the .vbs extension.
Finally, it will search for and delete all files with the
".jpg" and ".jpeg" extensions (these are the most commonly
found image file formats on the Internet). Next, the virus will search
for ".mp3" and ".mp2" files, replacing all files
found with a file carrying the ".vbs" extension and hiding the original
".mp3" and ".mp2" files.
Variant B
Subject: Susitikim shi vakara kavos puodukui...
Message: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Variant C
Subject: fwd: Joke
Message: *No Message*
Attachment: VeryFunny.vbs
Variant D
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: Creates registry entries as WIN- -BUGFIX.exe
instead of WIN-BUGSFIX.exe.
Variant E
Subject: Mothers Day Order Confirmation
Message: We have proceeded to charge your credit card for the
amount of $326.92 for the mothers day diamond special. We have
attached a detailed invoice to this email. Please print out the
attachment and keep it in a safe place. Thanks Again and Have
a Happy Mothers Day!
Attachment: Mothersday.vbs
Variant F
Subject: Dangerous Virus Warning
Message: There is a dangerous virus circulating. Please click
attached picture to view it and learn to avoid it.
Attachment: virus_warning.jpg.vbs
Variant G
Subject: Virus Alert!!!
Message: Detailed message containing information about the
ILOVEYOU worm.
Attachment: protect.vbs
Special Notes: The virus claims to be from support@symantec.com (Symantec
is a well-known virus protection software company); this mail, however,
is of course not from Symantec. In addition, this variant of the worm
will delete all files ending with .com and .bat, seriously damaging
the computer.
Variant H
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: This virus is exactly like Variant A, except
that the beginning comments that give credit to the author of the
worm and information about the worm have been removed.
Variant I
Subject: Important! Read carefully!!
Message: Check the attached IMPORTANT coming from me!
Attachment: Imporant.TXT.vbs
Special Notes: The beginning of the code has been changed,
giving credit to another author, "BrainStorm / @ElectronicSouls".
Variant J
Subject: Virus Alert!!!
Message: Detailed message containing information about the
ILOVEYOU worm. Appears to be same as Variant G.
Attachment: protect.vbs
Special Notes: Variant J of the ILOVEYOU worm appears to be a
slightly modified version of Variant G.
Variant K
Subject: How to protect yourself from the ILOVEYOU bug!
Message: Here's the easy way to fix the love virus.
Attachment: Virus-Protection-Instructions.vbs
Variant L
Subject: I Cant Believe This!!!
Message: I Cant Believe I have Just Received This Hate Email ..
Take A Look
Attachment: KillEmAll.TXT.VBS
Special Notes: Replaces GIF & BMP images instead of
JPG & JPEG images, hides WAV & MID instead of MP3 and MP2
and copies KILER.HTM, KILLER2.VBS, KILLER1.VBS to the hard disk
drive.
Variant M
Subject: Thank you For Flying with Arab Airlines
Message: Please check if the bill is correct, by opening the
attached file.
Attachment: ArabAir.TXT.vbs
Special Notes: Replaces DLL & EXE files instead of JPG &
JPEG files. Hides SYS & DLL files instead of MP2 and MP3 files.
Copies the file no-hate-FOR-YOU.HTM onto the hard drive.
Variant N
Subject: Variant Test
Message: This is a Variant to the vbs virus
Attachment: IMPORTANT.TXT.vbs
Special Notes: Copies itself as sndvol32.vbs and IEAKDLL.vbs.
Internet Explorer start page changes to http://astalavista.box.sk.
Overwrites *.mpg, *.mpeg, *.avi, *.qt, *.qtm.
Variant O
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: The script.ini has been modified slightly.
Variant P
Subject: Yeah, Yeah another time to DEATH...
Message: This is the Killer for VBS.LOVE-LETTER.WORM
Attachment: LOOK.vbs
Special Notes: Sets the Internet Explorer start page to http://www.yahoo.com/Vir-Killer.exe.
Overwrites *.ZIP and *.RAR files and hides *.PAS and *.ASM files.
Variant Q
Subject: LOOK!
Message: hehe...check this out.
Attachment: LOOK.vbs
Special Notes: Copies itself as MSUser32.vbs and User32DLL.vbs.
Overwrites *.XLS and *.MDB files. Hides *.EXE and *.LNK files.
Creates a LOOK.HTM file.
Variant R
Subject: Bewerbung Kreolina
Message: Sehr geehrte Damen and Herren!
Attachment: BEWERBUNG.TXT.vbs
Special Notes: Sends BEWERBUNG.HTM into connected IRC chat
rooms.
Variant S
Subject: ILOVEYOU
Message: Kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: Additional comment lines have been added into the
virus.
Variant T
Subject: Recent Virus Attacks-Fix
Message: Attached is a copy of the script that will reverse the
effects of the LOVE-LETTER-TO-YOU.TXT.vbs as well as the FW:JOKE,
Mother's Day and Lithuanian siblings.
Attachment: BAND-AID.DOC.VBS
Special Notes: Sets the Internet Start page to a virus related
page. Deletes files with the *.BAT, *.GIF, *.TIF, *.TIFF, *.WAV, *.LNK, *.BAK,
*.DOC, *.XLS, *.RTF, *.TXT, *.HTM, *.HTML, *.XML, *.MNY, *.ZIP,
*.BMP, *.CAB and *.INF extensions.
Variant U
Subject: UOL.TXT.vbs
Message: O UOL tem um grande presente para voce, e eh exclusivo.
Veja o arquivo em anexo. http://www.uol.com.br.
Attachment: UOL.TXT.vbs
Special Notes: Sets home page to http://www.uol.com.br and hides
*.EXE, *.COM and *.INI files.
Variant V
Subject: ILOVEYOU
Message: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Special Notes: Several comment lines have been modified.
Variant W
Subject: IMPORTANT: Official virus and bug fix
Message: This is an official virus and bug fix. I got it from
our system admin. It may take a short while to update your system
files after you run the attachment.
Attachment: Bug and virus fix.vbs
Special Notes: Sets Internet Explorer Start Page to a virus
related page. Overwrites *.EXE, *.COM, *.DLL, *.SYS, *.PWL,
*.TXT.
Variant X
Subject: NEUE antivirus-Liste
Message: Hiermit senden wir Ihnen/Dir eine neue Liste mit
LOVE-LETTER-VIRUS Namen, die nicht geoeffnet werden sollten, bitte
sofort lesen, danke.
Attachment: antivirus-LISTE.TXT.vbs
Special Notes: Overwrites *.MDB, *.PDF, *.WSH, *.DOT, *.HTA,
*.JS, *.DRV and *.INI files. Hides *.XLS and *.DOC files.
Variant Y
Subject: LOOK!
Message: hehe...check this out.
Attachment: LOOK.vbs
Special Notes: Like the earlier LOOK variant, but hides MP3 and
MP2 files.
Variant Z
Subject: BUG & VIRUS FIX
Message: I got this from our system admin. Run this to help
prevent any recent or future bug & virus attacks. It may take a
small while up update your files.
Attachment: MAJOR BUG & VIRUS FIX.vbs
Special Notes: Sets home page as virus related page. Overwrites
*.COM, *.DLL, *.EXE, *.TXT, *.BAT and *.SYS files.
Variant "Cartolina" or "Postcard" in Italian
Subject: C una cartolina per te! (Here is a postcard for
you)
Message: Ciao, un tuo amico ti ha spedito una cartolina
virtuale... mooolto particolare! (Hello my friend, this is a virtual
post card ... very special)
Attachment: CARTOLINA.VBS
Special Notes: Sets home page as http://www.vije.it
an Italian music site.
Variant "BabyPic" (for adults only)
Subject: My baby pic!!!
Message: Its myanimated baby picture !!
Attachment: MYBABYPIC.EXE
Special Notes: Program written in Visual Basic with an explicit
graphic animated image. When opened and viewed, the virus copies
itself to the local file system and sends e-mail to each entry
in the MS Outlook address book. The worm creates a set of
files and registers them in the startup section of the Windows system
registry, enabling execution each time the computer starts.
The virus contains a very dangerous
payload that can easily wipe out data on the computer; toggle the
NumLock, CapsLock and ScrollLock keys on and off; send buffer
messages ".IM_BESIDES_YOU_"; and may send one of various
text messages. In addition, MyBabyPic also corrupts files with .VBS,
.JS, .JSE, .CSS, .WSH, .SCT, .HTA, .PBL, .CPP, .PAS, .C, .H, .JPG,
.JPEG, .MP2 and .MP3 extensions.
Regardless of who sends you the mail, if there is an attachment,
verify before opening it that it does not end with .vbs (Visual
Basic Script). If the attached file ends with .vbs, it is recommended
that you delete the e-mail.
In addition the user or system administrator can disable the execution
of VBS files by following the below instructions.
The Love Letter Virus (Variants A, B, C, E, F and H) can be removed manually by following the
below steps:
It is also recommended, if you are currently running a virus
protection software program, that you update it with the latest virus
update. Generally, doing this will also remove all traces of this virus,
as all major virus companies have updates on their pages.
Announced to be in the wild on 05/18/2000, the NEWLOVE virus was first
reported in Israel. When run, the virus copies itself into the Windows
folder and gives itself either a name from the recent documents folder
or a random name and extension. Once copied into this
directory, the virus sends itself to all the individuals in
your address book. It then searches all drives connected to the
host system, replaces each file with a copy of itself and adds the
extension .VBS to the original filename.
This virus has more damage potential than the original LoveLetter
virus. In addition, it randomizes the subject line and
therefore cannot easily be detected, as the subject line could be
anything. It is recommended that all PC users and system
administrators utilizing Microsoft Outlook review the section 'Ways
to Protect Yourself' to help prevent this potentially hazardous
virus from infecting your computer and data.
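The attachment check recommended above (delete mail whose attachment ends with .vbs) and the point that NEWLOVE cannot be recognised by its subject line can both be applied mechanically at a mail gateway. The following Python is an added example, not part of the original advisory; the function names, the decoy-extension list, the inclusion of .exe (to cover MYBABYPIC.EXE) and the sample messages are assumptions constructed for illustration.

```python
import email
import ntpath
from email import policy
from email.message import EmailMessage

# Final extensions to block: .vbs per the advice above; .exe is an added
# assumption so that MYBABYPIC.EXE is covered too.
BLOCKED_EXTS = {".vbs", ".exe"}
# Harmless-looking extensions the listed variants put before the real one.
DECOY_EXTS = {".txt", ".jpg", ".doc"}

def classify_attachment(filename):
    """Return (verdict, reason) based only on the attachment's file name."""
    # Windows ignores trailing dots and spaces, so strip them before testing.
    name = ntpath.basename(filename).rstrip(". ").lower()
    stem, ext = ntpath.splitext(name)
    if ext not in BLOCKED_EXTS:
        return ("allow", "final extension %r is not blocked" % ext)
    inner = ntpath.splitext(stem)[1]
    if inner in DECOY_EXTS:
        return ("block", "double extension %s%s" % (inner, ext))
    return ("block", "script or executable extension %s" % ext)

def scan_message(raw_bytes):
    """Return [(filename, verdict, reason)] for every named MIME part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:  # the subject is never consulted: it can be anything
            results.append((fname,) + classify_attachment(fname))
    return results

def build_sample(subject, filename):
    """Constructed test message; addresses and body are placeholders."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, "a@example.com", "b@example.com"
    m.set_content("constructed body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fn in [("xk 4471 zz", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
                     ("Minutes", "minutes.txt")]:
        print(scan_message(build_sample(subj, fn)))
```

Because the verdict depends only on the last extension after normalisation, the same rule covers every .vbs attachment name listed on this page regardless of subject or message text.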