05.05.'00
A student using the pseudonym "Spyder" sends an email from Manila (Philippines) to Hong Kong with the attachment: love-letter-to-you.txt.vbs
The misery has started.
Medina, Ohio: Central Command's Emergency Virus Response Team (EVRT) has now reported several new variants of the original Internet Worm LoveLetter.
These variants have been spreading as fast as the original with the same deadly payload, which has already reached an epidemic level never seen before throughout the world. "We are now seeing 4 new variants of the I-Worm.LoveLetter worm spreading rapidly in-the-wild and expecting this number to increase in the next few days," said Steven Sundermeier, Manager of Technical Services at Central Command Inc.
"The EVRT (Emergency Virus Response Team) is continually working around the clock to stop this global outbreak and keep our customers completely protected," concluded Sundermeier.
Central Command estimates that 2.5 million PC users have been infected in the United States alone by I-Worm.LoveLetter or its counterparts on 4th May 00.
Currently the subject lines of the known variants are:
Subject: Susitikim shi vakara kavos puodukui...
Subject: Fw: Joke
1. Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Subject Line: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
2. Attachment: Very Funny.vbs
Subject Line: fwd: Joke
Message Body: empty
3. Attachment: mothersday.vbs
Subject Line: Mothers Day Order Confirmation
Message Body: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! [email protected]
4. Attachment: virus_warning.jpg.vbs
Subject Line: Dangerous Virus Warning
Message Body: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.
5. Attachment: protect.vbs
Subject Line: Virus ALERT!!!
Message Body: a long message regarding VBS.LoveLetter.A
6. Attachment: Important.TXT.vbs
Subject Line: Important! Read carefully!!
Message Body: Check the attached IMPORTANT coming from me!
7. Attachment: Virus-Protection-Instructions.vbs
Subject Line: How to protect yourself from the IL0VEY0U bug!
Message Body: Here's the easy way to fix the love virus.
8. Attachment: KillEmAll.TXT.VBS
Subject Line: I Cant Believe This!!!
Message Body: I Cant Believe I have Just Recieved This Hate Email .. Take A Look!
9. Attachment: ArabAir.TXT.vbs
Subject Line: Thank You For Flying With Arab Airlines
Message Body: Please check if the bill is correct, by opening the attached file
10. Attachment: IMPORTANT.TXT.vbs
Subject Line: Variant Test
Message Body: This is a variant to the vbs virus.
11. Attachment: Vir-Killer.vbs
Subject Line: Yeah, Yeah another time to DEATH...
Message Body: This is the Killer for VBS.LOVE-LETTER.WORM.
12. Attachment: LOOK.vbs
Subject Line: LOOK!
Message Body: hehe...check this out.
13. Attachment: BEWERBUNG.TXT.vbs
Subject Line: Bewerbung Kreolina
Message Body: Sehr geehrte Damen und Herren!
These worms are of high risk, and are aggressively infecting computer users.
Central Command strongly urges all computer users to continually update their antivirus software and stay informed over the next few days or until this epidemic is under control. For the latest on I-Worm.LoveLetter and its variants, subscribe to Central Command's mailing list at www.avp.com
I-Worm.LoveLetter is an overwriting Visual Basic Script worm that is spreading through the internet via a Microsoft Outlook e-mail message.
This malicious worm exploits the Outlook e-mail application and distributes the LoveLetter as a chain letter. It has also been reported circulating through mIRC clients.
A free, fully functional, time-limited antivirus software evaluation that can successfully detect and remove the I-Worm.LoveLetter worm is available from Central Command at www.avp.com.
Info
This is a virus which tries to spread itself in several ways. Most commonly, it sends itself as an attachment to an email.
Infected emails have the subject line: ILOVEYOU
The message text is: kindly check the attached LOVELETTER coming from me.
The attachment is called LOVE-LETTER-FOR-YOU.TXT.vbs, which has a double-extension.
Mailers which suppress well-known extensions such as .vbs may present this file as LOVE-LETTER-FOR-YOU.TXT, which appears more innocent. Because the virus arrives in a VBS file, it requires the Windows Scripting Host (WSH) in order to work. If you disable WSH, the viral attachment will be rendered harmless.
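An added example (not part of the original advisory) of the check a mail gateway can apply to the double-extension trick described above: it flags attachments whose final extension is script-executable and whose displayed name, once that extension is hidden, ends in a harmless-looking one. The DECOY list, the .wsf entry and the sample addresses are assumptions; the attachment name, subject and body come from the variant list on this page.

```python
import email
from email import policy

# Final extensions Windows runs rather than displays (.vbs, .shs and the script
# types in the overwrite list appear on this page; .wsf is added here).
EXECUTABLE = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".sct", ".hta", ".shs"}
# Inner extensions a user reads as harmless data (assumed list).
DECOY = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".pdf", ".mp3"}

def split_ext(name):
    """Return (stem, lowercased final extension) for a bare filename."""
    stem, dot, ext = name.rpartition(".")
    return (stem, "." + ext.lower()) if dot and stem else (name, "")

def classify(filename):
    """Return 'double-extension', 'script' or 'ok' for one attachment name."""
    name = filename.strip().rstrip(". ")  # Windows ignores trailing dots/spaces
    shown, final = split_ext(name)
    if final not in EXECUTABLE:
        return "ok"
    # `shown` is what a client hiding known extensions displays to the user.
    _, inner = split_ext(shown)
    return "double-extension" if inner in DECOY else "script"

def scan_message(raw_bytes):
    """Parse an RFC 822 message and return [(filename, verdict)] per attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [(p.get_filename(), classify(p.get_filename()))
            for p in msg.iter_attachments() if p.get_filename()]

# Constructed sample message; only subject, body and attachment name are from this page.
SAMPLE = (
    b"From: a@example.com\r\nTo: b@example.com\r\nSubject: ILOVEYOU\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\n"
    b"kindly check the attached LOVELETTER coming from me.\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"\r\n\r\n'
    b"placeholder\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for fname, verdict in scan_message(SAMPLE):
        print(f"{verdict:17} {fname}")
```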
The virus also drops an HTM file which can spread the virus, and a mIRC script which tries to distribute it.
The virus checks the Internet Explorer Download Directory for the presence of the file WinFAT32.exe. If that file does not exist the virus randomly picks one of four websites and changes the registry to set it as the Start Page for Internet Explorer. The websites point to an EXE file, WIN-BUGSFIX.exe, which is then downloaded and the registry is modified to run the file on reboot.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
This file is detected as Troj/LoveLet-A. The Internet Explorer Start Page is also set to blank.
The virus copies itself to two places in the system directory, where the copies are executed each time the computer reboots.
The email component of the virus requires Microsoft Outlook to work. If you are using Outlook it will try to send itself to each entry in your Windows Address Book.
The virus also searches all local and networked drives for files that end with the extensions VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA. These files are overwritten with the virus and their extension is renamed to .VBS. Any JPG or JPEG files are also overwritten by the virus but have the extension .VBS added to the existing filename.
Any MP2 or MP3 files are overwritten by the virus but are also copied to a new file that has the .VBS extension added. The original files are set as hidden.
If the virus determines that mIRC is installed on the system it will drop a mIRC script that will send the virus on via mIRC.
Technical Details:
When the worm is executed, it first copies itself to Windows System directory as:
- MSKernel32.vbs
- LOVE-LETTER-FOR-YOU.TXT.vbs
- Win32DLL.vbs (Windows directory)
Then it adds the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
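An added example (not from the original page) for checking a machine against the autostart entries named here and the WIN-BUGSFIX entry above: it parses a registry export in .reg text format and reports Run and RunServices values that carry a listed name or launch a script file. The export is constructed; its data paths and the SystemTray and Helper entries are illustrative.

```python
import re

# Autostart value names this page attributes to the worm and its downloaded trojan.
PAGE_VALUES = {"mskernel32", "win32dll", "win-bugsfix"}
AUTOSTART = re.compile(r"\\CurrentVersion\\Run(Services)?$", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsh|sct|hta)\b", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg string escaping of backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", s)

def audit_reg_export(text):
    """Return [(key, value_name, data, reason)] for suspicious autostart entries."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new section: remember the current key path
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not AUTOSTART.search(key):
            continue                  # only string values under Run / RunServices
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if name.lower() in PAGE_VALUES:
            findings.append((key, name, data, "value name listed for LoveLetter"))
        elif SCRIPT_EXT.search(data):
            findings.append((key, name, data, "autostart launches a script file"))
    return findings

# Constructed export: only the key paths and the three listed value names come from the page.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"WIN-BUGSFIX"="C:\\DOWNLOAD\\WIN-BUGSFIX.exe"
"Helper"="C:\\TEMP\\update.VBS"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_LOCAL_MACHINE\Software\Example\Settings]
"MSKernel32"="unrelated"
'''

if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE):
        print(finding)
```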
The worm replaces the Internet Explorer home page with a link to an executable program, "WIN-BUGSFIX.exe", and creates an HTML file, "LOVE-LETTER-FOR-YOU.HTM", in the Windows System directory.
I-Worm.LoveLetter will use Outlook to mail a copy of itself to everyone in each address book. The message will read:
Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
The worm then searches for files with an extension of .jpeg, .mp3, .mp2, .jpg, .js, .jse, .css, .wsh, .sct, and .hta on local and remote drives and overwrites them with itself. Once they are overwritten, the worm changes the extension of the overwritten files to .vbs or .vbe.
Download a removal tool for this worm from:
http://housecall.antivirus.com/
http://www.symantec.com/press/2000/n000508.html (download tool)
http://www.advalvas.be/lovecleaneradvver2.vbs (script)
http://www.ealaddin.com/home/csrt/loveemerg.asp
http://www.pandasoftware.com/loveletter/love-en.asp (download tool)
http://www.teq-international.com/nl/
Manual removal instructions and how to back up the registry: http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000050407210206
Safe Computing: be suspicious of .exe, .shs, .vbs, MS Word and MS Excel file attachments.
Download this full trial version from AVP (Anti Virus Protection),
see at Trial Versions