Love Letter is a VBS worm that spread widely around the world simply because people were too curious for their own good.
In its original form the worm sent itself to users via an E-mail attachment. The message subject was “ILOVEYOU” and the message text was: “kindly check the attached LOVELETTER coming from me.” The attachment was called LOVE-LETTER-FOR-YOU.TXT.vbs (note the double extension). When clicked on, the attachment would run (assuming Windows Scripting Host is installed) and the cycle would start again.
The double extension is important for this worm as it tries to exploit an ease-of-use feature. Mail programs and directory programs are often set, by default, to not show extensions. This is supposed to shield you from the details of the computer’s operation. In this case, it made things worse since, if you had that option set, the attachment would show up as LOVE-LETTER-FOR-YOU.TXT and thus appear to be a text file instead of an executable script. If you don’t see extensions now, reset your options to show them.
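As an added example (not code from the original page), the Python filter below shows how a mail gateway or triage script could catch the double-extension trick described above by comparing the real attachment name with the name a user sees when extensions are hidden. The extension lists beyond the script types named on this page, and all function names, are assumptions made for illustration.

```python
import ntpath

# Types Windows runs on double-click. The first row is the script types this
# page names; the second row is an assumed, non-exhaustive addition.
RUNNABLE = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta",
            "exe", "scr", "pif", "bat", "cmd", "com"}
# Harmless-looking extensions that make a good disguise (assumed list).
DECOY = {"txt", "doc", "pdf", "jpg", "jpeg", "gif", "mp3", "htm", "html"}


def _clean(filename):
    # Windows drops trailing dots and spaces, so "x.vbs. " still runs as VBS.
    return ntpath.basename(filename).rstrip(" .")


def shown_name(filename):
    """Name as displayed when known file extensions are hidden."""
    base = _clean(filename)
    stem, dot, _ext = base.rpartition(".")
    return stem if dot and stem else base


def classify(filename):
    """Return 'disguised', 'runnable' or 'ok' for an attachment name."""
    parts = _clean(filename).lower().split(".")
    if len(parts) < 2 or parts[-1] not in RUNNABLE:
        return "ok"
    # Padding such as "invoice.txt      .vbs" is stripped before comparing.
    inner = parts[-2].strip() if len(parts) >= 3 else ""
    return "disguised" if inner in DECOY else "runnable"


def triage(names):
    """Keep only names worth blocking, with what the user would have seen."""
    return [(n, shown_name(n), classify(n)) for n in names if classify(n) != "ok"]


# First two names are from the page; the rest are constructed test input.
SAMPLES = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "mothersday.vbs", "minutes.txt",
           "holiday.JPG.VBS", "invoice.txt      .vbs", "report.v2.txt"]

if __name__ == "__main__":
    for name, shown, verdict in triage(SAMPLES):
        print(f"{verdict:9}  shown as {shown!r:28}  real name {name!r}")
```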
In operation, the worm performs several actions:
- It drops an HTM file which is capable of spreading the virus along with an associated mIRC script that tries to use the HTM file.
- It checks for the file WinFAT32.exe in the IE download directory. If not found, the worm changes the registry IE startup page to one of a few websites where the file WIN-BUGSFIX.exe will be downloaded and set to run on the next computer start.
- The IE start page is set to blank.
- The worm copies itself into two places where it will be executed on each computer restart.
- It will try to send itself to every entry in your Outlook address book.
- The worm searches all drives (local and networked) for files ending in VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA. If found, they are overwritten with the virus and their extension renamed to .VBS.
- Graphics files with JPG or JPEG extensions are also overwritten with the virus and .VBS added to their name (so they will end up with a double extension).
- Multimedia files with MP2 and MP3 extensions are marked as hidden and then copied to a new file with the same name and .VBS added. (Note that of all the files attacked, these are the only ones that can be recovered directly; all others have to be recovered from backups.)
- As mentioned, the worm looks for an mIRC client and, if found, will drop a script and HTM file designed to send the worm over mIRC chat.
The Script Kiddies had a field day with this beast and many, many variants were quickly developed and spread. More than 20 variants were quickly reported. A few of the most enticing might be:
- Subject fwd: Joke, no body, Attachment: Very funy.vbs
- Subject: Mothers Day Order Confirmation, Body: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday @ subdimension.com, Attachment: mothersday.vbs.
- From: support @ symantec.com, Subject: Virus ALERT!!!, Body: Dear Symantec customer, Symantec’s AntiVirus Research Center began receiving reports regarding VBS.LoveLetter.A virus early morning on May 4, 2000 GMT. This worm appears to originate from Asia Pacific region. Distribution of the virus is widespread and hundreds of thousands of machines are reported infected. etc., Attachment: protect.vbs.
- Subject: How to protect yourself from the ILOVEYOU bug!, Body: Here’s the easy way to fix the love virus., Attachment: Virus-Protection-Instructions.vbs.
- And, many more…
Do not blindly open any attachments to E-mail unless you know exactly what is in them!