VBS/LoveLetter is a script virus written in the script language VBS (Visual Basic Script). The virus was extensively spread within a very short period of time starting at about noon on May 4th 2000. At the beginning of the virus there is the following text:
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / email@example.com / @GRAMMERSoft Group / Manila,Philippines
When it is run, the virus modifies the script timeout setting. It writes the file Win32DLL.vbs into the "windows" directory and the files MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.VBS into the "system" directory. All these files contain the virus code.
Registry changes:
It creates the keys "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32" with the value dirsystem&"\MSKernel32.vbs" and "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL" with the value dirwin&"\Win32DLL.vbs". It also ensures that when Microsoft Internet Explorer is run, one of the four versions of the file WIN-BUGFIX.EXE is downloaded from the server www.skyinet.net and executed.
In the system directory the virus creates the file LOVE-LETTER-FOR-YOU.HTM, which contains the worm that spreads by means of the program mIRC.
If the user works with MS Outlook, the virus sends an email containing the following parts to all addresses in the address books:
Text of the message: kindly check the attached LOVELETTER coming from me.
Destructive actions with files:
The virus overwrites files with the extensions ".js", ".jse", ".css", ".wsh", ".sct" and ".hta" with its own code. For files with the extensions ".jpg", ".jpeg", ".mp3" or ".mp2" it creates files with the identical filename plus an additional extension ".vbs". These files again contain the virus code. In the case of "jpeg" and "jpg" it deletes the original file. The virus searches for the files in all directories of all disks.
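The file indicators described above can be turned into a triage scan of a mounted disk or a restored backup. The following is an added example, not ESET's code: the function names and finding labels are hypothetical, and the sample tree is constructed with harmless placeholder content.

```python
import os
import tempfile

# Indicators taken from the description above; matching is case-insensitive.
MARKER = b"barok -loveletter(vbe)"
DROPPED = {"mskernel32.vbs", "win32dll.vbs",
           "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
OVERWRITTEN = {".js", ".jse", ".css", ".wsh", ".sct", ".hta"}
COMPANION = {".jpg", ".jpeg", ".mp3", ".mp2"}

def classify(path):
    """Return a finding label for one file, or None if nothing matches."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    try:
        with open(path, "rb") as fh:
            marked = MARKER in fh.read(4096).lower()  # header sits at the top
    except OSError:
        return None  # unreadable file: skipped, not a finding
    if name in DROPPED:
        return "dropped-file-name"
    if ext == ".vbs" and os.path.splitext(stem)[1] in COMPANION:
        return "companion-copy"
    if ext in OVERWRITTEN and marked:
        return "overwritten-script"
    return "marker-in-file" if marked else None

def scan(root):
    """Walk root and return sorted (relative path, label) findings."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(folder, fname)
            label = classify(full)
            if label:
                hits.append((os.path.relpath(full, root).replace(os.sep, "/"), label))
    return sorted(hits)

def demo():
    """Scan a constructed tree; file contents are harmless placeholder text."""
    header = b"rem barok -loveletter(vbe) <i hate go to school>\n"
    tree = {"system/MSKernel32.vbs": header, "pics/cat.jpg.vbs": header,
            "music/song.mp3": b"ID3", "music/song.mp3.vbs": header,
            "web/site.css": header, "web/clean.js": b"var x = 1;\n",
            "docs/notes.vbs": b"rem my own script\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in tree.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan(root)
```

A "companion-copy" hit next to a missing ".jpg" or ".jpeg" original matches the deletion behaviour described above, while for ".mp3" and ".mp2" the original should still be present beside it.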
© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.