CERT Advisory Please Read.
VBS/LoveLetter.B (also known as Very Funny)
VBS/LoveLetter.B is a variant of the VBS/LoveLetter.A worm.
The two only differences are the subject of the arriving e-mail and the
name of the attachment. The subject used by VBS/LoveLetter.B is
Instead of the original "ILOVEYOU" subject line, the name of the attachment is:
Instead of LOVE-LETTER-FOR-YOU.TXT.vbs., the HTML file sent through IRC is called:
VBS.LoveLetter.A is an email worm, mIRC worm, and a file infector. VBS.LoveLetter.A will use Microsoft Outlook and email itself out as an attachment with the above subject line and attachment name. The body of the message will be "kindly check the attached LOVELETTER coming from me".
The virus will also infect files with the following extensions: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, and mp2.
The virus will insert the following files:
Win32DLL.vbs in the Windows directory
LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows System directory
WinFAT32.EXE in the Internet download directory
WIN-BUGSFIX.EXE in the Internet download directory
The WORM replaces the Internet Explorer home page with a link that points to an executable BUGSFIX.exe. If the file is downloaded, the worm adds this to the registry as well; causing that to be executed when the system is restarted.
Please go to one of the following sites for more information and fixes:
NOTE: THESE sites are "extremely busy" as this virus is rapidly spreading over the world. It may take you a while to get access to the sites. When we get the chance we will post any "fix" or update programs here and on our FTP site. KEEP TRYING...
PLEASE DO NOT USE YOUR EMAIL PROGRAM IF YOU THINK YOU ARE
INFECTED AS THIS SIMPLY SENDS THE VIRUS TO MORE AND MORE PEOPLE.
Use your WEB Browser to keep touch with events and wait until
there is a patch or fix available before sending mail.
Manual Patch from Kurt at The Pope.Org site (requires editing the registry and manually finding/identifying infected files).