VBS_LOVELETTER

Malware type: VBScript

Aliases: IRC-Worm.VBS.Grammer (Kaspersky), VBS/LoveLetter.cy (McAfee), VBS.LoveLetter.Var (Symantec), VBS/Loveletter.B (Avira), VBS/LoveLet-G (Sophos),

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 9x/NT

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

 High

Distribution potential:

 High

Description: 
VBS_LOVELETTER has several variants, which use different email subject, message body and attachments than the original virus. All variants are detected by Trend's latest pattern file.

This VBScript virus, like Melissa, uses Microsoft Outlook to send email with an attachment file "LOVE-LETTER-FOR-YOU.TXT.vbs" to all email addresses listed in the address list. This email has the subject: "ILOVEYOU", body: "kindly check the attached LOVELETTER coming from me." And a file attachment with the virus. LOVELETTER also propagates using mIRC. Using mIRC, the virus sends a copy of itself ;LOVE-LETTER-FOR-YOU.HTM; to users in the same channel as the infected user.

This virus has a destructive payload, it overwrites files with specific extensions with its codes. This eliminates the host file and the file now contains the virus source code.

For additional information about this threat, see:

Description created: May. 18, 2000 5:12:26 AM GMT -0800

TECHNICAL DETAILS


Size of malware: 10,307 Bytes

Initial samples received on: May 4, 2000

Payload 1: (email spamming and damages files with certain extension)

Trigger date 1: Any Day

Details:

VBS_LOVELETTER has several variants, Trend Micro's latest pattern file detects all of them.

This virus has a destructive payload that overwrites files with specific extensions with its code. It modifies registry entries and drops files. The Love Bug also downloads a password stealing Trojan in the infected system.

Analysis By: Ace Portuguez

SOLUTION


Minimum scan engine version needed: 2.062

Pattern file needed: 693

Pattern release date: May 4, 2000


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please refer to the Trend Micro Damage Cleanup Services.

MANUAL REMOVAL INSTRUCTIONS

  1. To modify your registry and remove the .TXT and HTML files dropped by the virus please run this Free tool, SWAT.EXE. (This tool does not delete VBS_LOVELETTER, to delete this virus update pattern file or use HouseCall)
  2. Scan your system with Trend Micro antivirus and delete all files detected as VBS_LOVELETTER. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.



Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.