IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

ALERT 00-041b

"Love-Letter-For-You/AKA Love Bug Virus"
May 04, 2000

On May 04, 2000, the NIPC received reports on and began investigating the propagation of a worm entitled "ILOVEYOU" that has infected government and private industry systems worldwide. The worm first appeared throughout Asia and quickly spread: at least 20 countries have reportedly been affected. Late this evening new variants of this worm have been discovered. Preliminary information on these new variants is included below. Users are strongly advised to consult frequently their anti-virus software vendors' web sites for updates of inoculations and stay apprised of alerts from NIPC, CERT, and other competent sources.

The original version of the worm is distributed to users in the form of an e-mail message with an attachment called LOVE-LETTER-FOR-YOU.TXT.VBS. On a default Windows system, the ".vbs" extension may not be visible, leading users to mistake the file as a text file (.txt). (If the user discovers files named MSKernal32.vbs, WIN32DLL.vbs, or WIN-BUGSFIX.exe, his/her file is infected.) Once the attachment is opened, the worm will use Microsoft Outlook (if installed) to send the following message to everyone in the user's address book:

From: [Name-of-the-infected-user]
To: [Name-from-the-address-book]
Subject: ILOVEYOU
Kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

This worm also propagates via the windows-based Internet Relay Chat (IRC) client mIRC, if installed. The worm creates an IRC script, called script.ini, which uses direct chat connection (DCC) within IRC to send copies of itself in html format to other IRC users. In addition to overloading e-mail servers, this worm infects the following types of files on the victim's machine as well as files on shared directories for which the user has "write access:"

.vbs .js
.vbe .jse
.css .wsh
.sct .hta
.jpg .jpeg
.mp2 .mp3

In addition, there are indications that the worm can capture affected caches and transfer that information to a third party.

Subsequent variants of this worm are believed to use subject lines of "joke" and "Susitikim shi vakara kavos puodukui…" These variants may behave differently than the original worm and impact different files. Preliminary information indicates that current inoculation software is effective against the original worm, but it is unclear whether the current inoculations detect and prevent infection by variants. Affected users should contact their anti-virus software web site frequently for updated information and patches.

The FBI has opened an investigation to determine the origin of the virus. NIPC alerts and additional information on this worm, as it becomes available, will be posted to the NIPC's web page. Please report any evidence of infection to your local FBI office, NIPC, military, or civilian computer incident response group, as appropriate. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206.