Name: VBS/LoveLet-DO
Aliases: VBS/LoveLetter@MM, VBS/LoveLetter.gen, I-Worm.LoveLetter
Type: Visual Basic Script worm
Date: 15 August 2002

At the time of writing Sophos has received just one report of this worm from the wild.

Note: This IDE includes detection for VBS/LoveLet-DO and mIRC/LoveLet-DO

Description

VBS/LoveLet-DO arrives in an email with the following characteristics:

Subject line: fwd: Joke
Attached file: Very Funny.vbs

The email contains no message text.

When the worm is first executed it creates three copies of itself as C:\Windows\System\MSKernel32.vbs, C:\Windows\Win32DLL.vbs and C:\Windows\System\Very Funny.vbs.

The following two entries are added to the registry and point to the infected files MSKernel32.vbs and Win32DLL.vbs respectively:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

This will run the worm when Windows starts up.

If the file C:\Windows\System\WinFAT32.exe exists then the Internet Explorer start page will be changed, via the registry setting HKCU\Software\Microsoft\Internet Explorer\Main\Start Page to one of the following four addresses:

http://www.xxx.xxx/xxx/xxx/WIN-BUGSFIX.exe
http://www.xxx.xxx/xxx/xxx/WIN-BUGSFIX.exe
http://www.xxx.xxx/xxx/xxx/WIN-BUGSFIX.exe
http://www.xxx.xxx/xxx/xxx/WIN-BUGSFIX.exe

If the file WIN-BUGSFIX.exe is downloaded from one of the above addresses then the following entry is added to the registry and points to the downloaded file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX

The Internet Explorer start page will then be set to a blank page. At the time of writing, the file WIN-BUGSFIX.exe is not available from any of the above addresses.

The virus infects VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, JPG, JPEG, MP2 and MP3 files by overwriting their original contents with a copy of itself and adding a VBS extension, except in the case of VBS and VBE files.

The worm searches for a mIRC installation and creates a new script.ini file in the mIRC folder. This script.ini file attempts to send the infected file C:\Windows\System\Very Funny.vbs to all users who join the current channel. Script.ini will be detected by Sophos as mIRC/LoveLet-DO.

The virus is sent to all contacts in the user's Windows address book in an email as described at the start of this description.

An HTML file named Very Funny.HTM is created in the Windows system folder. This HTM file contains a VBScript that will not execute correctly.

More information about VBS/LoveLet-DO can be found at http://www.sophos.com/virusinfo/analyses/vbsloveletdo.html

Note from FanJ: I have deleted some links
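
An added example, not part of the Sophos description or the original post: a Python check that matches a file listing and a list of registry value paths (for instance exported from a disk image) against the artifacts named above. The function and variable names and the sample data are constructed for illustration, and placing Very Funny.HTM under C:\Windows\System is an assumption.

```python
import ntpath

# Indicators taken from the description above (compared case-insensitively).
DROPPED_FILES = {
    r"c:\windows\system\mskernel32.vbs",
    r"c:\windows\win32dll.vbs",
    r"c:\windows\system\very funny.vbs",
    r"c:\windows\system\very funny.htm",  # assumed location of the "system folder"
}
AUTORUN_VALUES = {
    r"hklm\software\microsoft\windows\currentversion\run\mskernel32",
    r"hklm\software\microsoft\windows\currentversion\runservices\win32dll",
    r"hklm\software\microsoft\windows\currentversion\run\win-bugsfix",
}
# Types that are overwritten and then get ".vbs" appended (VBS/VBE keep their name).
OVERWRITTEN_EXTS = {"js", "jse", "css", "wsh", "sct", "hta", "jpg", "jpeg", "mp2", "mp3"}

def _norm_reg(value):
    """Lower-case a registry value path and shorten the long HKLM hive name."""
    low = value.lower()
    long_hive = "hkey_local_machine\\"
    return "hklm\\" + low[len(long_hive):] if low.startswith(long_hive) else low

def scan(file_paths, registry_values):
    """Return (kind, item) findings for paths and registry values matching the advisory."""
    findings = []
    for path in file_paths:
        low = path.lower()
        if low in DROPPED_FILES:
            findings.append(("dropped_copy", path))
            continue
        stem, ext = ntpath.splitext(ntpath.basename(low))
        inner = ntpath.splitext(stem)[1].lstrip(".")
        if ext == ".vbs" and inner in OVERWRITTEN_EXTS:  # e.g. photo.jpg.vbs
            findings.append(("overwritten_file", path))
    for value in registry_values:
        if _norm_reg(value) in AUTORUN_VALUES:
            findings.append(("autorun_value", value))
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", r"C:\Windows\Win32DLL.vbs",
                r"C:\My Documents\holiday.jpg.vbs", r"C:\My Documents\report.vbs",
                r"C:\Music\track01.MP3.VBS", r"C:\Scripts\backup.v2.vbs"]
SAMPLE_REG = [r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",
              r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray"]

if __name__ == "__main__":
    for kind, item in scan(SAMPLE_FILES, SAMPLE_REG):
        print(f"{kind:17} {item}")
```

A double-extension name such as holiday.jpg.vbs is a lead to inspect rather than proof of infection; the file's content still has to be compared against the worm's script.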