IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

ALERT 00-041d

"Love-Letter-For-You/AKA Love Bug Virus"
May 07, 2000

As of May 07, 2000, at least nine variants of the love bug worm have been identified. Two other variants J and K are reported to have been confirmed by the anti-virus community. These variants may behave differently than the original worm and may impact different files. Preliminary information on variants A through G is provided in the NIPC alert 00-041c.

H. Vbs.loveletter.h (also known as no comments) (Same as a variant)

Attachment: love-letter-for-you.txt.vbs
Subject:ILOVEYOU
Message body: kindly check the attached loveletter coming from me.
Misc notes: the comment lines at the beginning of the worm code have been removed.

I. Vbs.loveletter.i (also known as important! Read carefully!!)

Attachment: Important.txt.vbs
Subject: Important! Read carefully!!
Message body: check the attached important coming from me!
Misc notes: a new comment line at the beginning: by brainstorm / @electronicsouls. The virus also copies the files eskernel32.vbs & es32dll.vbs, and MIRC script comments referring to brainstorm and electronicsouls and sends a file important.htm to the chat room.

J. Vbs.loveletter.j (new) (Currently being analyzed)

Attachment: unknown
Subject: unknown
Message body: unknown
Misc notes: this appears to be a slight modification of the g variant

K. Vbs.loveletter.k (New)

Attachment: unknown
Subject: unknown
Message body: unknown
Misc notes: this appears to be a slight modification of a previous variant

Secondary executables/program calls:

The virus's visual basic script file, which is the attachment to infected e-mail messages, attempts to download and makes calls to (executes) a file called win-bugfix.exe (exe herein). The exe file first checks to see if the barok trojan is running on the infected system. If barok is present and running, the exe terminates the exe's activities and cedes control over password and username removal to the barok Trojan. If the barok Trojan is not present, the exe takes the following steps in a manner similar to barok's operation:

  • accumulates passwords, usernames and remote access server information such as dial-up modem telephone numbers, usernames and passwords;
  • accumulates information from world wide web browsers such as the url for sites visited, which may contain user log-ins and passwords, as well as the contents of cookie files, which may also contain user log-ins and passwords;
  • accumulates information from the desktop settings files; and
  • packages the accumulated information and sends an e-mail with that information to an e-mail address in the Philippines.

Major anti-virus vendors have posted software to detect and prevent infection by these variants. Affected users should contact their anti-virus software web site frequently for updated information and patches.

Background: On May 04, 2000, the NIPC received reports on and began investigating the propagation of a worm entitled "ILOVEYOU" that has infected government and private industry systems worldwide. The worm first appeared throughout Asia and quickly spread: at least 20 countries have reportedly been affected. New variants of this worm have been discovered. Users are strongly advised to consult frequently their anti-virus software vendors' web sites for updates of inoculations and stay apprised of alerts from NIPC, CERT, and other competent sources.

The original version of the worm is distributed to users in the form of an e-mail message with an attachment called love-letter-for-you.txt.vbs. On a default windows system, the ".vbs" extension may not be visible, leading users to mistake the file as a text file (.txt). (If the user discovers files named mskernal32.vbs, win32dll.vbs, or win-bugsfix.exe, his/her file is infected.) Once the attachment is opened, the worm will use Microsoft Outlook (if installed) to send the following message to everyone in the user's address book:

from:[name-of-the-infected-user]
to:[name-from-the-address-book]
Attachment: love-letter-for-you.txt.vbs
subject: ILOVEYOU
Message body: kindly check the attached loveletter coming from me.

This worm also propagates via the windows-based Internet Relay Chat (IRC) client MIRC, if installed. The worm creates an IRC script, called script.ini, which uses direct chat connection (dcc) within IRC to send copies of itself in html format to other IRC users. In addition to overloading e-mail servers, this worm infects the following types of files on the victim's machine as well as files on shared directories for which the user has "write access:"

.vbs .js
.vbe .jse
.css .wsh
.sct .hta
.jpg .jpeg
.mp2 .mp3

In addition, there are indications that the worm can capture affected caches and transfer that information to a third party.

The FBI has opened an investigation into this activity. NIPC alerts and additional information on this worm, as they become available, will be posted to the NIPC's web page. Please report any evidence of infection to your local FBI office, NIPC, military, or civilian computer incident response group, as appropriate. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206.