National Infrastructure Protection Center
Information System Alert (Alert 00-041E)
(LOVE-LETTER-FOR-YOU)
Also known as the LOVE BUG VIRUS and variants; UPDATE as of 2000 (EDT) 8 May 2000

As of 8 May 2000, at least thirteen variants of the LOVE BUG worm have been identified. Since 7 May 2000, the anti-virus community has confirmed one new variant, M. These variants may behave differently than the original worm and may impact different files. New information is provided for variants E, F, G, K, L and M. Refer to Alert series 41a-d for earlier information on variants A through J.

E. VBS.LoveLetter.E (also known as Mother's Day)

Attachment: mothersday.vbs
Subject: Mothers Day Order Confirmation
Message Body: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and have a Happy Mothers Day! mothersday@subdimension.com

Note: The following program segments were modified: The Internet startup page pointers are changed to "hackers.com, l0pht.com, and 2600.com" instead of WIN-BUGSFIX.exe. The worm additionally overwrites files with the extensions INI and BAT instead of JPG and JPEG. The HTML is modified and renamed to mothersday.htm.

F. VBS.LoveLetter.F (also known as Virus Warning)

Attachment: virus_warning.jpg.vbs
Subject: Dangerous Virus Warning
Message Body: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.

Note: The significant changes in the F variant are to the Internet Explorer pointers and the file extensions. The new pointer is changed from WIN-BUGSFIX.exe to http://skycable.tucows.com/files2/setup24.exe. The new file extensions are: .wav, .txt, .gif, .doc, .htm, .html, and .xls

G. VBS.LoveLetter.G (also known as Virus ALERT!!!)

Attachment: protect.vbs
Subject: Virus ALERT!!!
Message Body: (contains a lengthy message regarding the LOVE BUG Virus)

Notes: This email poses as a message from Symantec Technical Support. "FROM: support@symantec.com." This variant overwrites files with .bat and .com extensions. Additionally, this variant changes the Internet Explorer pointer from WIN-BUGSFIX.exe to a pornographic site.

K. VBS.LoveLetter.K (Virus-Protection)

Attachment: Virus-Protection-Instructions.vbs
Subject: How to protect yourself from the IL0VEY0U bug!
Message Body: Here's the easy way to fix the love virus.

L. VBS.LoveLetter.L (New) (I Can't Believe This!!!)

Attachment: KillEmAll.txt.vbs
Subject: I Can't Believe This !!!
Message Body: I Can't Believe I have just received this hate Email... Take a Look !

Notes: Comment has phrase/words: Killer, by MePhiston. This variant replaces GIF and BMP files instead of JPG and JPEG files. It also hides WAV and MID files instead of MP3 and MP2 files. There is no IRC routine; thus it will not infect chat room users. This variant also copies KILER.HTM, KILLER2.VBS, KILLER1.VBS to the hard disk.

M. VBS.LoveLetter.M (New) (Arab Air)

Attachment: ArabAir.TXT.vbs
Subject: Thank You For Flying With Arab Airlines
Message Body: Please check if the bill is correct, by opening the attached file.

Notes: This variant replaces DLL and EXE files instead of JPG and JPEG files, and hides SYS and DLL files instead of MP3 and MP2 files. Variant-M copies No-Hate-FOR-YOU.HTM to the hard disk.

Major anti-virus vendors have posted software to detect and prevent infection by these variants. Affected users should check their anti-virus software vendor's website frequently for updated information and patches.

BACKGROUND:

On May 4, 2000, the NIPC received reports on and began investigating the propagation of a worm entitled "ILOVEYOU" that has infected government and private industry systems worldwide. The worm first appeared throughout Asia and quickly spread: at least 20 countries have reportedly been affected.
New variants of this worm have been discovered. Users are strongly advised to frequently consult their anti-virus software vendors' websites for updated inoculations and to stay apprised of alerts from NIPC, CERT, and other competent sources.

The original version of the worm is distributed to users in the form of an email message with an attachment called LOVE-LETTER-FOR-YOU.TXT.VBS. On a default Windows system, the ".vbs" extension may not be visible, leading users to mistake the file for a text file (.txt). (If the user discovers files named MSKernel32.vbs, WIN32DLL.vbs, or WIN-BUGSFIX.exe, his/her file is infected.)

Once the attachment is opened, the worm will use Microsoft Outlook (if installed) to send the following message to everyone in the user's address book:

From: [Name-of-the-infected-user]
To: [Name-from-the-address-book]
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Subject: ILOVEYOU
Message Body: Kindly check the attached LOVELETTER coming from me.

This worm also propagates via the Windows-based Internet Relay Chat (IRC) client mIRC, if installed. The worm creates an IRC script, called script.ini, which uses direct chat connection (DCC) within IRC to send copies of itself in HTML format to other IRC users.

In addition to overloading email servers, this worm infects the following types of files on the victim's machine as well as files on shared directories for which the user has "write access":

.vbs .js .vbe .jse .css .wsh .sct .hta .jpg .jpeg .mp2 .mp3

In addition, there are indications that the worm can capture affected caches and transfer that information to a third party.

The FBI has opened an investigation into this activity. NIPC alerts and additional information on this worm, as they become available, will be posted to the NIPC's webpage.

Please report any evidence of infection to your local FBI office, NIPC, military, or civilian computer incident response group, as appropriate. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/5/6.
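
The hidden ".vbs" extension described above can be checked for at a mail gateway. The following is an added example, not part of the NIPC alert: it flags attachments whose final extension is a script type and whose inner extension is a harmless-looking decoy. The function names and the decoy-extension set are assumptions made for illustration, and the sample messages are constructed.

```python
from email.message import EmailMessage

# Script-host file types taken from the alert's list of affected extensions.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}
# Assumed set of harmless-looking inner extensions used as decoys
# (".txt" and ".jpg" are the ones seen in the alert's attachment names).
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".htm", ".html"}


def classify_attachment(filename):
    """Return 'decoy-script', 'script' or 'ok' for one attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    name = filename.strip().rstrip(". ").lower()
    parts = name.rsplit(".", 2)
    if len(parts) < 2 or "." + parts[-1] not in SCRIPT_EXTS:
        return "ok"
    if len(parts) == 3 and "." + parts[-2] in DECOY_EXTS:
        return "decoy-script"  # e.g. NAME.TXT.vbs shown to the user as NAME.TXT
    return "script"


def scan_message(msg):
    """List (filename, verdict) for every attachment that is not 'ok'."""
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        verdict = classify_attachment(fname)
        if verdict != "ok":
            findings.append((fname, verdict))
    return findings


def build_sample(filename):
    """Constructed test message carrying a dummy attachment with this name."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    for name in ["LOVE-LETTER-FOR-YOU.TXT.vbs", "virus_warning.jpg.vbs",
                 "mothersday.vbs", "invoice.txt"]:
        print(name, scan_message(build_sample(name)))
```

Matching on the extension pattern rather than on subject lines or exact file names also covers the renamed attachments used by the variants.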