[05may, 8:54 am]
The VBS/LoveLet.A worm.
Note: Earlier versions of this note referred to the ILOVEYOU malware
as a trojan. My brother sent a note convincing me that it is more
properly characterized as a worm. The anti-virus companies have
settled on this terminology as well.
[05may, 9:23 am]
For the most authoritative description of the worm, see the
This worm, possibly from the Phillipines, is spreading like wildfire
as we speak. One news report claimed it has twice the velocity of
Melissa. I received 8 copies of it in the hour preceding the first
version of this note (to no ill effect, as I'm Mac- and
Eudora-based). The worm carries a simple VBscript attachment named
LOVE-LETTER-FOR-YOU.TXT.vbs. The worm infects Windows machines on
which Windows Scripting Host is running and spreads using the
Outlook email agent and the mIRC client, if present. If you use
another email client you could still be infected -- you'd have to
execute the attachment -- but the worm won't propagate further by
Mutations are already in circulation. The first used the subject
line fwd: Joke and an attachment named Very Funny.vbs;
aside from the name change it's identical to VBS/LoveLet.A.
[05may, 8:54 am]
Subtler variations are springing up. David 'Pablo' Cohn sent me an
email he had received yesterday evening just before 10:00 pm EDT. It
had no subject and the following text. Cohn writes, "The message was
surprising enough that I almost opened the attachment, before
realizing that it was VBScript." The attachment was, of course,
Thanks for your purchase!
We have proceeded to charge your credit card for the amount of $326.92 for
the mothers day diamond special. We have attached a detailed invoice to this
email. Please print out the attachment and keep it in a safe place.
Thanks Again and Have a Happy Mothers Day!
If you receive an email titled ILOVEYOU, don't click on it.
Depending on how you have Outlook's preview pane set up, merely
selecting the message can trigger the worm. The worm also runs each
time your machine is rebooted. It'll send itself to everybody in all
your Outlook address books, mess about in your registry, and
overwrite with a copy of itself all of your files with any of these
extensions: vbs, vbe, js, jse, css, wsh, sct, hta, jpg, and jpeg. It
merely hides -- but does not delete -- .mp2 and .mp3 files, after
copying itself into files of the same names with .vbs appended. It
overwrites both local files and files on any mapped network drives.
If you ever double-click on one of these, your formerly beloved
files, the worm's payload will fire all over again.
The worm also tries to download a program, which runs at system
startup, to steal your passwords and mail them off to the
Phillipines. The four URLS in the original worm, one of which is
chosen at random when the worm runs, are no longer valid. (Note to
the Phillipine authorities: start by questioning the users
young1s, angelcat, koichi, and chu at
skyinet.net in Manila, followed by mailme at super.net.ph.)
gives a good overview, Kurt DeMaagd provides
and a script
for cleaning up after the worm, if you feel comfortable
editing your Windows registry. Response from this site may be
slow as this link was Slashdotted. Go
here for a
Sendmail patch that will stop ILOVEYOU at the border -- not a PC
anti-virus payload, rather a sysadmin tool.
Here are some recent links with more authoritative descriptions:
In Slashdot's informative
on the worm, several posters suggest that Microsoft should change the name
of Outlook to Microsoft Lookout.
Here's a fine example of how not to write about viruses: this
article is full of hysteria and misinformation. Thanks to Ian Usher for