The VBS.LoveLetter.A Worm

What is the VBS.LoveLetter.A worm?

The VBS.LoveLetter.A worm appeared on the morning of 4 May 2000 and infects PCs. According to Symantec's Web site (www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html), "This worm sends itself out to email addresses in the Microsoft Outlook address book and the worm also will spread itself via mIRC and infect files on local and remote drives including files with the extensions vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2". The Web site listed above has more information.

Typically, a person receives an e-mail message with the following subject line:

Subject: ILOVEYOU

The message text is:

"kindly check the attached LOVELETTER coming from me."

The message contains, as an attachment, a VBS named LOVE-LETTER-FOR-YOU.TXT.vbs. If the recipient opens the attachment, the recipient's machine is then infected and the worm will attempt to spread itself to other machines.

Receiving and reading the e-mail is not sufficient to become infected, you must open the VBS attachment to become infected. If Outlook is not present on your system, the worm will not be spread to others via e-mail; however, once your system is infected, the worm can be spread through other means.

You can protect yourself by deleting any mail you receive with a subject line "ILOVEYOU", not opening the attached VBS file.

Are there any variants?

Several variants have been reported, including:

• a couple that purport to contain a joke within the attachment
• one with a Lithuanian subject line, "Susitikim shi vakara kavos puodukui..." (reportedly, "Let's meet this evening for a cup of coffee...")
• one with a subject line, "Mothers Day Order Confirmation" [sic] and a message saying that the attachment contains a detailed invoice for a $326.92 charge to your credit card for a diamond special.

Where can I find more information about this worm?

Below are some links to information posted by others. While we believe this information may be useful and reasonably accurate, we have neither authenticated nor verified any of it.

F-Secure's Web site, extensive description

Text of CERT Advisory, 4-May-2000

Posting to alt.comp.virus by Fridrik Skulason, author of F-Prot, 4-May-2000 14:05

ZDNet, ongoing coverage

Symantec's and Network Associates' 4-May-00 virus definitions both include protection against this worm. You should use your regular update mechanisms to get the latest version of these virus definition files. See Symantec's Web site for current information on Norton AntiVirus updates and NAI's Web site for current information on McAfee VirusScan and Dr. Solomon's updates.

How can I remove the VBS.LoveLetter.A worm?

Removal is a multi-step process, requiring inspection and removal of damaged files and registry edits. Contact the PCSC for help (353-7272, pcsc@bu.edu)..

If you are affiliated with Boston University, you can download and install the latest version of Network Associates' McAfee VirusScan for free, as Boston University has a site license for this product. Please visit BU's anti-virus software Web site for more information. This site will prompt you for your BU login name and password before allowing access. Note that this program checks for, but does not remove, the VBS.LoveLetter.A worm.

The University of Texas has posted instructions on how to remove the VBS.LoveLetter.A worm. That page includes instructions for getting McAfee VirusScan from their site; at that point you should NOT follow the University of Texas links, but rather substitute the directions on BU's anti-virus software Web site to get McAfee from Boston University's local site.

I received e-mail saying that a message I sent to someone at Boston University could not be delivered because my message might contain the VBS.LoveLetter.A worm. What should I do?

It appears that your system may be infected. As described above, the VBS.LoveLetter.A worm has probably used Outlook on your system to send infected e-mail to the addresses in your MAPI address book. To avoid sending this virus on to new recipients, you should download the appropriate virus definitions for your anti-virus product and then disconnect your computer from the network until you have completely removed the VBS.LoveLetter.A worm and protected your computer against re-infection.

Return to main virus information page