First published: 04th May 2000
New Melissa-like worm went world-wide in hours
Hong Kong, China, May 4th, 2000, Yui Kee is warning users about a new e-mail worm called VBS/LoveLetter. This worm spreads by e-mailing a file called LOVE-LETTER-FOR-YOU.TXT.vbs around.
VBS/LoveLetter is written in the VBScript language. By default, programs written in VBScript operate only under Windows 98 and Windows 2000. However, Windows 95 and NT 4 users are vulnerable as well if they have installed version 5 of Microsoft Internet Explorer.
The LoveLetter worm activates by overwriting picture and music files from the local and network drives. Files with extension JPG, JPEG, MP2 and MP3 are overwritten and will have to be restored from backups.
The worm was most likely written in the Philippines. It was first spotted in the afternoon of Thursday the 4th of May (Hong Kong time).
This is a worm which tries to spread itself in several ways. Most commonly, it sends itself as an attachment to an email.
Infected emails have the subject line:
The message text is:
kindly check the attached LOVELETTER coming from me.
The attachment is called "LOVE-LETTER-FOR-YOU.TXT.vbs", which has a "double extension". Mailers which suppress well-known extensions such as .vbs may present this file as "LOVE-LETTER-FOR-YOU.TXT", which appears more innocent. Do not be misled by a trick like this. If the recipient opens the attachment, the worm will use Microsoft Outlook (if installed) to send a message to everyone in any address books (including global address books of the organization - these typically contain hundreds or thousands of addresses).
As address books typically contain group addresses, the end result of executing the VBS/LoveLetter worm inside an organization is that the first infected user sends the message to everybody in the organization. After this, other users open the message and send the message again to everyone else. This quickly overloads e-mail servers.
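A mail gateway can catch the double-extension trick described above before the message reaches a mailer that hides the real extension. The following Python sketch is an added example, not part of the original advisory: the extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists for illustration; extend them for your own gateway policy.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "scr", "pif", "bat", "cmd", "com"}
DECOY_EXTS = {"txt", "doc", "jpg", "jpeg", "gif", "mp3", "htm", "html"}

def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so drop them before judging.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().rstrip(". ").lower()
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return "ok"
    # A harmless-looking extension directly before the real one is the decoy
    # that a mailer hiding well-known extensions would leave visible.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"

def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message; return (filename, verdict) for risky parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # decoded from Content-Disposition / name=
        if name and (verdict := classify_filename(name)) != "ok":
            findings.append((name, verdict))
    return findings

def build_sample():
    """Constructed test message; the attachment body is an inert placeholder."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("kindly check the attached LOVELETTER coming from me.")
    m.add_attachment(b"' inert placeholder", maintype="application",
                     subtype="octet-stream", filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    m.add_attachment("meeting notes", filename="notes.txt")
    return m.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict}: {name}")
```

A gateway would typically quarantine or strip any part that is not classified "ok" rather than only logging it.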
"This worm spreads amazingly fast", comments Allan Dyer, Technical Director at Yui Kee Co. Ltd., "we first got a local report around 16:40 on Thursday afternoon, and soon learnt that it had been seen in Norway three hours earlier. By 18:00 we had reports from over 20 countries. We estimate that the total number of infected machines is already in the tens of thousands of machines."
Because the virus arrives in a VBS file, it requires the Windows Scripting Host (WSH) in order to work. If you disable WSH, the viral attachment will be rendered harmless.
To switch off the WSH (for example under Windows 98, where it is installed by default) try:
Settings/Control Panel/Add-Remove Programs/Windows Components/Accessories
and deselect the WSH.
The virus also drops an HTM file which can spread the virus, and a mIRC script which tries to distribute it. It also tries to download a file called WIN-BUGSFIX.exe from the internet, and injects two copies of its VBS script into the system directory where they are executed each time the computer reboots.
The virus contains this text:
by: spyder / firstname.lastname@example.org / @GRAMMERSoft Group / Manila,Philippines
All anti-virus developers are releasing new virus definitions to detect and prevent this worm.