>National Infrastructure Protection Center Information System Alert >(Alert 00-041b) (LOVE-LETTER-FOR-YOU) Also known as the LOVE BUG VIRUS ; >UPDATE > > >On May 4, 2000, the NIPC received reports on and began investigating the >propagation of a worm entitled "ILOVEYOU" that has infected government >and private industry systems worldwide. The worm first appeared >throughout Asia and quickly spread: at least 20 countries have >reportedly been affected. Late this evening new variants of this worm >have been discovered. Preliminary information on these new variants is >included below. Users are strongly advised to consult frequently their >anti-virus software vendors' websites for updates of inoculations and >stay apprised of alerts from NIPC, CERT, and other competent sources. > > >The original version of the worm is distributed to users in the form of >an email message with an attachment called LOVE-LETTER-FOR-YOU.TXT.VBS. >On a default Windows system, the ".vbs" extension may not be visible, >leading users to mistake the file as a text file (.txt). (If the user >discovers files named MSKernal32.vbs, WIN32DLL.vbs, or WIN-BUGSFIX.exe, >his/her file is infected.) Once the attachment is opened, the worm will >use Microsoft Outlook (if installed) to send the following message to >everyone in the user's address book: > > > From: [Name-of-the-infected-user] > To: [Name-from-the-address-book] > Subject: ILOVEYOU > > > Kindly check the attached LOVELETTER coming from me. > > > Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs > > > This worm also propagates via the windows-based Internet Relay Chat >(IRC) client mIRC, if installed. The worm creates an IRC script, called >script.ini, which uses direct chat connection (DCC) within IRC to send >copies of itself in html format to other IRC users. In addition to >overloading email servers, this worm infects the following types of >files on the victim's machine as well as files on shared directories for >which the user has "write access": > .vbs .js > .vbe .jse > .css .wsh > .sct .hta > .jpg .jpeg > .mp2 .mp3 > > >In addition, there are indications that the worm can capture affected >caches and transfer that information to a third party. > > >Subsequent variants of this worm are believed to use subject lines of >"Joke" and "Susitikim shi vakara kavos puodukui." These variants may >behave differently than the original worm and impact different files. >Preliminary information indicates that current inoculation software is >effective against the original worm, but it is unclear whether the >current inoculations detect and prevent infection by variants. Affected >users should contact their anti-virus software website frequently for >updated information and patches.