"Love-Letter-For-You/AKA Love Bug Virus"
May 08, 2000
As of May 08, 2000, at least thirteen variants
of the LOVE BUG worm have been identified. Since May 07, 2000, the anti-virus
community has confirmed one new variant, M. These variants may behave differently
than the original worm and may impact different files. New information is
provided for variants E, F, G, K, L and M. Refer to Alert series 41a-d for
earlier information on variants A through J.
E. VBS.LoveLetter.E (also known as Mother's
- Attachment: mothersday.vbs
Subject: Mothers Day Order Confirmation
Message Body: We have proceeded to charge your credit card for the amount
of $326.92 for the mothers day diamond special. We have attached a detailed
invoice to this e-mail. Please print out the attachment and keep it in a
safe place. Thanks Again and have a Happy Mothers Day!
Note: The follow programs segments were modified:
- The Internet startup page pointers are
changed to "hackers.com, l0pht.com, and 2600.com" instead
of WIN- BUGSFIX.exe.
- The worm additionally overwrites the
files with extensions INI and BAT instead of JPG and JPEG.
- The HTML is modified and renamed to
F. VBS.LoveLetter.F (also known as Virus
- Attachment: virus_warning.jpg.vbs
Subject: Dangerous Virus Warning
Message Body: There is a dangerous virus circulating. Please click attached
picture to view it and learn to avoid it.
Note: The significant changes in the F variant are to the Internet Explore
pointers and the file extensions. The new pointer is changed from WIN-BUGFIX.exe
to http://skycable.tucows.com/files2/setup24.exe. The new file extensions
are: .wav, .txt, .gif, .doc, .htm, .html, and .xls
G. VBS.LoveLetter.G (also known as Virus
- Attachment: protect.vbs
Subject: Virus ALERT!!!
Message Body: (contains a lengthy message regarding the LOVE BUG Virus)
Notes: This e-mail poses as a message from Symantec Technical Support. "FROM:
- This variant overwrites files with .bat and
.com extensions. Additionally, this variant changes the Internet Explore
pointer from WIN-BUGFIX.exe to a pornographic site.
K. VBS.LoveLetter.K (Virus-Protection)
- Attachment: Virus-Protection-Instructions.vbs
Subject: How to protect yourself from the IL0VEY0U bug!
Message Body: Here's the easy way to fix the love virus.
L. VBS.LoveLetter.L (New) (I Can't Believe
- Attachment: KillEmAll.txt.vbs
Subject: I Can't Believe This !!!
Message Body: I Can't Believe I have just received this hate E-mail... Take
a Look !
Notes: Comment has phrase/words: Killer, by MePhiston. This variant replaces
GIF and BMP files instead of JPG and JPEG files. It also hides WAV and MID
files instead of MP3 and MP2 files. There is no IRC routine; thus it will
not infect chat room users. This variant also copies KILER.HTM, KILLER2.VBS,
KILLER1.VBS to the hard disk.
M. VBS.LoveLetter.M (New) (Arab Air)
- Attachment: ArabAir.TXT.vbs
Subject: Thank You For Flying With Arab Airlines
Message Body: Please check if the bill is correct, by opening the attached
Notes: This variant replaces DLL and EXE files instead of JPG and JPEG files,
and hides SYS and DLL files instead of MP3 and MP2 files. Variant-M copies
No-Hate-FOR-YOU.HTM to the hard disk.
- Major Anti-Virus vendors have posted software
to detect and prevent infection by these variants. Affected users should
contact their anti-virus software web site frequently for updated information
BACKGROUND: On May 04, 2000, the NIPC received reports
on and began investigating the propagation of a worm entitled "ILOVEYOU" that
has infected government and private industry systems worldwide. The worm
first appeared throughout Asia and quickly spread: at least 20 countries
have reportedly been affected. New variants of this worm have been discovered.
Users are strongly advised to consult frequently their anti-virus software
vendor's web sites for updates of inoculations and stay apprised of alerts
from NIPC, CERT, and other competent sources.
The original version of the worm is distributed
to users in the form of an e-mail message with an attachment called LOVE-LETTER-FOR-YOU.TXT.VBS.
On a default Windows system, the ".vbs" extension may not be visible,
leading users to mistake the file as a text file (.txt). (If the user discovers
files named MSKernal32.vbs, WIN32DLL.vbs, or WIN-BUGSFIX.exe, his/her file
is infected.) Once the attachment is opened, the worm will use Microsoft
Outlook (if installed) to send the following message to everyone in the user's
- From: [Name-of-the-infected-user]
- To: [Name-from-the-address-book]
- Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
- Subject: ILOVEYOU
- Message Body: Kindly check the attached LOVELETTER
coming from me.
This worm also propagates via the windows-based
Internet Relay Chat (IRC) client mIRC, if installed. The worm creates an
IRC script, called script.ini, which uses direct chat connection (DCC) within
IRC to send copies of itself in html format to other IRC users. In addition
to overloading e-mail servers, this worm infects the following types of files
on the victim's machine as well as files on shared directories for which
the user has "write access:"
- .vbs .js
- .vbe .jse
- .css .wsh
- .sct .hta
- .jpg .jpeg
- .mp2 .mp3
In addition, there are indications that the worm
can capture affected caches and transfer that information to a third party.
The FBI has opened an investigation into this
activity. NIPC alerts and additional information on this worm, as they become
available, will be posted to the NIPC's web page. Please report any evidence
of infection to your local FBI office, NIPC, military, or civilian computer
incident response group, as appropriate. The NIPC Watch and Warning Unit
can be reached at (202) 323-3204/3205/3206.