National Infrastructure Protection Center Information System Alert
   (Alert 00-041G) (LOVE-LETTER-FOR-YOU) Also known as the LOVE BUG VIRUS
             and variants; UPDATE as of 1700 (EDT) 10 May 2000
                                      
   As of 10 May 2000, 29 variants of the LOVE BUG worm have been
   identified. Preliminary information is provided below for the ten most
   recent variants, T through AC. These variants may behave differently
   than the original worm and may impact different files. Please refer to
   Alert series 41a-f for information on variants A through S.
   
   T. VBS.LoveLetter.T (also known as BAND-AID)
   ATTACHMENT: BAND-AID.DOC.VBS
   SUBJECT LINE: Recent Virus Attacks-Fix
   MESSAGE BODY: Attached is a copy of a script that will reverse the
   effects of the LOVE-LETTER-TO-YOU.TXT.vbs as well as the FW:JOKE,
   Mother's Day and Lithuanian siblings.
   NOTES: Sets Internet Explorer start page to a virus-related web site.
   Deletes files with .BAT, .GIF, .TIF,.TIFF, .WAV, .LNK, .BAK, .DOC,
   .XLS, .RTF, .TXT, .HTM,.HTML, .XML, .MNY, .ZIP, .BMP, .CAB, and .INF
   extensions. It doesn't hide MP3 and MP2 files but deletes them. Uses
   mIRC to send BAND-AID.HTM into Internet chat rooms.
   
   U. VBS.LoveLetter.U (also known as Presente)
   ATTACHMENT: UOL.TXT.vbs
   SUBJECT LINE: PresenteUOL
   MESSAGE BODY: O UOL tem um grande presente para voce, e eh
   exclusivo.Veja o arquivo em anexo.
   NOTES: Sets Internet Explorer start page to http://www.uol.com.br. It
   also hides .EXE, .COM, and .INI files. Uses mIRC to send UOL.HTM into
   Internet chat rooms.
   
   V. VBS.LoveLetter.V (Same as original)
   ATTACHMENT: LOVE-LETTER-FOR-YOU.TXT.vbs
   SUBJECT LINE: ILOVEYOU
   MESSAGE BODY: kindly check the attached LOVELETTER coming from me.
   NOTES: Several comment lines have been added.
   
   W. VBS.LoveLetter.W (Same as original)
   ATTACHMENT: Bug and virus fix.vbs
   SUBJECT LINE: IMPORTANT: Official virus and bug fix
   MESSAGE BODY: This is an official virus and bug fix. I got it from our
   system admin. It may take a short while to update your system files
   after you run the attachment.
   NOTES: Sets Internet Explorer Start page to a virus-related site.
   Overwrites files with the following extensions: .EXE, .COM, .DLL,
   .SYS, .PWL, and .TXT. Uses mIRC to send "Bug and virus fix.htm" into
   Internet chat rooms.
   
   X. VBS.LoveLetter.X (also known as ANTI-VIRUS-LISTE)
   ATTACHMENT: ANTI-VIRUS-LISTE.TXT.vbs
   SUBJECT LINE: NEUE ANTI-VIRUS-LISTE
   MESSAGE BODY: Hiermit senden wir Ihnen/Dir eine neue Liste mit
   LOVE-LETTER-VIRUS Namen, die nicht geoeffnet werden sollten, bitte
   sofort lesen, danke.
   NOTES: Overwrites files with the following extensions: .MDB, .PDF,
   .WSH, .DOT, .HTA, .JS, .DRV, and .INI. Hides files with the following
   extensions: .XLS and .DOC. Uses mIRC to send "ANTI-VIRUS-LISTE.HTM"
   into Internet chat rooms.
   
   Y. VBS.LoveLetter.Y (also known as LOOK! 2)
   ATTACHMENT: LOOK.vbs
   SUBJECT LINE: LOOK!
   MESSAGE BODY: hehe...check this out.
   NOTES: similar to Q variant but Hides MP3 and MP2
   
   Z. VBS.LoveLetter.Z (also known as BUG & VIRUS FIX)
   ATTACHMENT: MAJOR BUG & VIRUS FIX.vbs
   SUBJECT LINE: BUG & VIRUS FIX
   MESSAGE BODY: I got this from our system admin. Run this to help
   prevent any recent or future bug & virus attack's. It may take a small
   while up update your files.
   NOTES: Sets Internet Explorer Start Page to a virus-related site.
   Overwrites files with the extensions .COM, .DLL, .EXE, .TXT, .BAT, and
   .SYS. Uses mIRC to send "BUG & VIRUS FIX.HTM" into Internet chat
   rooms.
   
   AA. VBS.LoveLetter.AA (same as A version)
   ATTACHMENT: LOVE-LETTER-FOR-YOU.TXT.vbs
   SUBJECT LINE: ILOVEYOU
   MESSAGE BODY: kindly check the attached
   LOVELETTER coming from me.
   NOTES: Several comment lines have been added.
   
   AB. VBS.LoveLetter.AB (same as A version)
   ATTACHMENT: LOVE-LETTER-FOR-YOU.TXT.vbs
   SUBJECT LINE: ILOVEYOU
   MESSAGE BODY: kindly check the attached LOVELETTER coming from me.
   NOTES: a few lines of comment and instructions have been removed.
   
   AC. VBS.LoveLetter.AC (also known as antivirusupdate)
   ATTACHMENT: antivirusupdate.vbs
   SUBJECT LINE: New Variation on LOVEBUG Update Anti-Virus!!
   MESSAGE BODY: There is now a newer variant of love bug. It was
   released at 8:37 PM Saturday Night. Please Download the following
   patch. We are trying to isolate the virus. Thanks Symantec."
   NOTES: Several comment lines have been modified. Uses mIRC to send
   antivirusupdate.htm into Internet chat rooms.
   The FBI has opened an investigation into this activity. NIPC alerts
   and additional information on this worm, as they become available,
   will be posted to the NIPC's webpage. Please report any evidence of
   infection to your local FBI office, NIPC, military, or civilian
   computer incident response group, as appropriate. The NIPC Watch and
   Warning Unit can be reached at (202) 323-3204/5/6.
     _________________________________________________________________
                                      
               [ [1]Back to Advisories, Alerts and Warnings ]

References

   1. http://www.fbi.gov/nipc/nipcaaw.htm