LOVELETTER VIRUS

CERT Advisory Please Read.

UPDATE - 05 May, 2000 - New Variations:

VBS/LoveLetter.B (also known as Very Funny)

VBS/LoveLetter.B is a variant of the VBS/LoveLetter.A worm.

The two only differences are the subject of the arriving e-mail and the name of the attachment. The subject used by VBS/LoveLetter.B is
fwd: Joke

Instead of the original "ILOVEYOU" subject line, the name of the attachment is:

Very Funny.vbs

Instead of LOVE-LETTER-FOR-YOU.TXT.vbs., the HTML file sent through IRC is called:

Very Funny.HTM

www.mcafee.com

04 May, 2000:

VBS.LoveLetter.A is an email worm, mIRC worm, and a file infector. VBS.LoveLetter.A will use Microsoft Outlook and email itself out as an attachment with the above subject line and attachment name. The body of the message will be "kindly check the attached LOVELETTER coming from me".

The virus will also infect files with the following extensions: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, and mp2.

The virus will insert the following files:
MSKernel32.vbs in the Windows System directory

Win32DLL.vbs in the Windows directory

LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows System directory

WinFAT32.EXE in the Internet download directory

WIN-BUGSFIX.EXE in the Internet download directory
script.ini in the mIRC directory

The WORM replaces the Internet Explorer home page with a link that points to an executable BUGSFIX.exe. If the file is downloaded, the worm adds this to the registry as well; causing that to be executed when the system is restarted.

Please go to one of the following sites for more information and fixes:

NOTE: THESE sites are "extremely busy" as this virus is rapidly spreading over the world. It may take you a while to get access to the sites. When we get the chance we will post any "fix" or update programs here and on our FTP site. KEEP TRYING...

PLEASE DO NOT USE YOUR EMAIL PROGRAM IF YOU THINK YOU ARE INFECTED AS THIS SIMPLY SENDS THE VIRUS TO MORE AND MORE PEOPLE. Use your WEB Browser to keep touch with events and wait until there is a patch or fix available before sending mail.

SENDING MAIL TO ALL YOUR FRIENDS ABOUT THE VIRUS DOES NOT HELP. It only makes the email situation (which is pretty bad right now) MUCH, MUCH worse!!!!

Prelimenary

The following information is being provided strictly as an aid in getting information out to the public on this issue. Please consult the actual center for latest or more detailed information, but copies of current detection information are now available on our FTP site at: ECSIS Virus Area

Manual Patch from Kurt at The Pope.Org site  (requires editing the registry and manually finding/identifying infected files).

Registry cleanup tool

http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html

http://www.fsecure.com/v-descs/love.htm

http://www.mcafee.com

 



Site Map Services Policy Help Desk Community Public
Chalkboards Business Online Assorted Links Downloads Kid Stuff Net Users
Mac Users Dyer County Lake County Obion County Lauderdale Co. Missouri

E-Mail Guest BookFeedbackHome


ECS Mascot..."Scratch"
Electronic Communication Systems
640-I Highway 51 ByPass East
Dyersburg, TN 38024
Phone: (731) 285-5936 Fax: (731) 285-2240