IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

ALERT 00-041f

"Love-Letter-For-You/AKA Love Bug Virus"
May 09, 2000

As of May 09, 2000, thirteen new variants of the LOVE BUG worm have been identified. Preliminary information is provided here for six of the new variants, N through S. As soon as analysis is complete on the next seven variants T through Z, the NIPC will release further updates. These variants may behave differently than the original worm and may impact different files. Refer to Alert series 41a-e for information on variants A through M.

N. VBS.LoveLetter.N (also known as Virus Warning)
Attachment: IMPORTANT.TXTvbs
Subject: Variant Test
Message Body: This is a variant to the vbs virus.
Notes: This variant copies itself as sndvol32.vbs and IEAKDLL.vbs. The Internet Explorer start page was modified to http://altalavista.box.sk. It also does not download the password stealing Trojan. However the virus still overwrites *.mpg, *.mpeg, *.avi, *.qt, *.qtm files. This variant also sends the file important.htm into Internet chat rooms via IRC.

O. VBS.LoveLetter.O (Same as the original)
Attachment: LOVE-LETTER-FOR-YOU.TXT
Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me.
Misc Notes: The file script.ini, which it sends into Internet chat rooms, has a modified comment line.

P. VBS.LoveLetter.P ( also known as Yeah Yeah)
Attachment: Vir-Killer.vbs
Subject: Yeah, Yeah another time to DEATH…
Message Body: This is the Killer for VBS.LOVE-LETTER.WORM
Notes: This variant sets the Internet Explorer start page to http://www.yahoo.com/Vir-Killer.exe. It does not download the password stealing Trojan. This variants also overwrites *.ZIP and *.RAR files instead of *.JPG and *.JPEG files. It hides *.PAS and *.ASM files instead of *.MP3 and *.MP2 files.

Q. VBS.LoveLetter.Q (also known as LOOK!)
Attachment: LOOK.vbs
Subject: LOOK!
Message Body: hehe…check this out.
Notes: Copies itself as MSUser32.vbs and User32DLL.vbs. The variant also overwrites *.XLS and *.MDB files instead of *.JPG and *.JPEG files. The variant hides *.EXE and *.LNK files instead of *.MP3 and *.MP2 files. The variant changes the HTM file to LOOK.HTM

R. VBS.LoveLetter.R (also known as Bewerbung)
Attachment: BEWERBUNG.TXT.vbs
Subject: Bewerbung Kreolina
Message Body: Sehr geehrte Damen und Herren!
Note: This variant sends a copy of BEWERBUNG.HTM into a connected Internet chat room.

S. VBS.LoveLetter.S (Same as the Original version)
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Subject: ILOVEYOU
Message Body: kindly check the attached LOVELETTER coming from me
Note: Several comment lines have been added.

The FBI has opened an investigation into this activity. NIPC alerts and additional information on this worm, as they become available, will be posted to the NIPC's web page. Please report any evidence of infection to your local FBI office, NIPC, military, or civilian computer incident response group, as appropriate. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206.