IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

ALERT 00-041g

"Love-Letter-For-You/AKA Love Bug Virus"
May 10, 2000

As of May 10, 2000, 29 variants of the LOVE BUG worm have been identified. Preliminary information is provided below for the ten most recent variants, T through AC. These variants may behave differently than the original worm and may impact different files. Please refer to Alert series 41a-f for information on variants A through S.

T. VBS.LoveLetter.T (also known as BAND-AID)
ATTACHMENT: BAND-AID.DOC.VBS
SUBJECT LINE: Recent Virus Attacks-Fix
MESSAGE BODY: Attached is a copy of a script that will reverse the effects of the LOVE-LETTER-TO-YOU.TXT.vbs as well as the FW:JOKE, Mother's Day and Lithuanian siblings.
NOTES: Sets Internet Explorer start page to a virus-related web site. Deletes files with .BAT, .GIF, .TIF,.TIFF, .WAV, .LNK, .BAK, .DOC, .XLS, .RTF, .TXT, .HTM,.HTML, .XML, .MNY, .ZIP, .BMP, .CAB, and .INF extensions. It doesn't hide MP3 and MP2 files but deletes them. Uses mIRC to send BAND-AID.HTM into Internet chat rooms.

U. VBS.LoveLetter.U (also known as Presente)
ATTACHMENT: UOL.TXT.vbs
SUBJECT LINE: PresenteUOL
MESSAGE BODY: O UOL tem um grande presente para voce, e eh exclusivo.Veja o arquivo em anexo.
NOTES: Sets Internet Explorer start page to http://www.uol.com.br. It also hides .EXE, .COM, and .INI files. Uses mIRC to send UOL.HTM into Internet chat rooms.

V. VBS.LoveLetter.V (Same as original)
ATTACHMENT: LOVE-LETTER-FOR-YOU.TXT.vbs
SUBJECT LINE: ILOVEYOU
MESSAGE BODY: kindly check the attached LOVELETTER coming from me.
NOTES: Several comment lines have been added.

W. VBS.LoveLetter.W (Same as original)
ATTACHMENT: Bug and virus fix.vbs
SUBJECT LINE: IMPORTANT: Official virus and bug fix
MESSAGE BODY: This is an official virus and bug fix. I got it from our system admin. It may take a short while to update your system files after you run the attachment.
NOTES: Sets Internet Explorer Start page to a virus-related site. Overwrites files with the following extensions: .EXE, .COM, .DLL, .SYS, .PWL, and .TXT. Uses mIRC to send "Bug and virus fix.htm" into Internet chat rooms.

X. VBS.LoveLetter.X (also known as ANTI-VIRUS-LISTE)
ATTACHMENT: ANTI-VIRUS-LISTE.TXT.vbs
SUBJECT LINE: NEUE ANTI-VIRUS-LISTE
MESSAGE BODY: Hiermit senden wir Ihnen/Dir eine neue Liste mit LOVE-LETTER-VIRUS Namen, die nicht geoeffnet werden sollten, bitte sofort lesen, danke.
NOTES: Overwrites files with the following extensions: .MDB, .PDF, .WSH, .DOT, .HTA, .JS, .DRV, and .INI. Hides files with the following extensions: .XLS and .DOC. Uses mIRC to send "ANTI-VIRUS-LISTE.HTM" into Internet chat rooms.

Y. VBS.LoveLetter.Y (also known as LOOK! 2)
ATTACHMENT: LOOK.vbs
SUBJECT LINE: LOOK!
MESSAGE BODY: hehe...check this out.
NOTES: similar to Q variant but Hides MP3 and MP2

Z. VBS.LoveLetter.Z (also known as BUG & VIRUS FIX)
ATTACHMENT: MAJOR BUG & VIRUS FIX.vbs
SUBJECT LINE: BUG & VIRUS FIX
MESSAGE BODY: I got this from our system admin. Run this to help prevent any recent or future bug & virus attack's. It may take a small while up update your files.
NOTES: Sets Internet Explorer Start Page to a virus-related site. Overwrites files with the extensions .COM, .DLL, .EXE, .TXT, .BAT, and .SYS. Uses mIRC to send "BUG & VIRUS FIX.HTM" into Internet chat rooms.

AA. VBS.LoveLetter.AA (same as A version)
ATTACHMENT: LOVE-LETTER-FOR-YOU.TXT.vbs
SUBJECT LINE: ILOVEYOU
MESSAGE BODY: kindly check the attached
LOVELETTER coming from me.
NOTES: Several comment lines have been added.

AB. VBS.LoveLetter.AB (same as A version)
ATTACHMENT: LOVE-LETTER-FOR-YOU.TXT.vbs
SUBJECT LINE: ILOVEYOU
MESSAGE BODY: kindly check the attached LOVELETTER coming from me.
NOTES: a few lines of comment and instructions have been removed.

AC. VBS.LoveLetter.AC (also known as antivirusupdate)
ATTACHMENT: antivirusupdate.vbs
SUBJECT LINE: New Variation on LOVEBUG Update Anti-Virus!!
MESSAGE BODY: There is now a newer variant of love bug. It was released at 8:37 PM Saturday Night. Please Download the following patch. We are trying to isolate the virus. Thanks Symantec."
NOTES: Several comment lines have been modified. Uses mIRC to send antivirusupdate.htm into Internet chat rooms.

The FBI has opened an investigation into this activity. NIPC alerts and additional information on this worm, as they become available, will be posted to the NIPC's web page. Please report any evidence of infection to your local FBI office, NIPC, military, or civilian computer incident response group, as appropriate. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206.