
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


LoveLetter.D

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Common name: LoveLetter.D
Technical name: VBS/LoveLetter.D
Threat level: Low
Alias: Worm/LoveLetter
Type: Worm
Affected platforms: Windows XP/2000/NT/ME/98/95
First detected on:
Detection updated on: Nov. 24, 2003
Statistics: No
Country of origin: AFGHANISTAN
Family: LOVELETTER (I LOVE YOU)

Brief Description 

    

LOVE LETTER D is a script virus and worm with the following characteristics:

  • It belongs to the LOVELETTER (I LOVE YOU) family.
  • It is 12606 Bytes in size.

Visible Symptoms 

    

Once the worm is activated, it carries out certain actions with the files that meet the following conditions:

  • Files with VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA extensions are overwritten (thereby deleting the original file data). In addition, their size is truncated and their extension is changed to VBS.

  • Files with INI or BAT extensions are also overwritten and truncated. The VBS extension is added to the original file name (thereby giving .JPG.VBS or .JPEG.VBS extensions).

  • If the worm finds files with MP3 or MP2 extensions, it creates a copy of itself. This copy has the same name as the original file (including the extension), to which the VBS extension is added. The worm then hides the original file.

The worm creates the file SCRIPT.INI in all the directories where any of the following files are found: MIRC32.EXE, MLINK32.EXE, MIRC.INI, SCRIPT.INI, or MIRC.HLP. This file is in charge of sending the file MOTHERSDAY.HTM via IRC to all users connected to the same IRC channel as the infected user.

The Trojan downloads the file WIN-BUGSFIX.EXE from a website selected at random from among four possible web addresses. It then runs this file and renames it as WINFAT32.EXE. This file performs the following operations:

  • Every 150 milliseconds it looks for a window entitled "Connect to." This only occurs in computers running under English-language operating systems.

  • If this window is found (corresponding to a network connection), it manages to convert the password used originally for the connection into the default password. It does this by checking, every 150 milliseconds, the option that allows you to save the password used to connect.

  • The day after infection takes place, the trojan gathers confidential system data every 48 seconds. It then sends all the data obtained to the e-mail address mailme@super.net.ph (in the Philippines). The message body of the e-mail sent to this address is:

From: test@192.168.8.36
To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
Date: Fri, 5 May 2000 05:17:28 +0200
Message-Id: 891900275@super.net.ph
Host: "name of the infected computer"
Username: "name of the infected user"
IP Address: "IP address in format xxx.xxx.xxx.xxx"

RAS Passwords:

description of the connection
U: "user"
P: "password"
N#: "telephone number of the RAS connection in format (cc)ac-nnnnnnn"

Cache Passwords: "List of passwords in cache"
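
A triage sketch for the file-system traces listed under Visible Symptoms, added here as an example and not part of Panda's entry. It matches only on the file names, extensions and the 12606-byte size given above; the function names, indicator labels and sample tree are assumptions made for illustration, and every hit is a lead to review rather than a verdict.

```python
import os
import tempfile

# Indicators taken from the description above; matching is by name and size only.
WORM_SIZE = 12606                      # stated size of the worm script, in bytes
MEDIA_EXTS = (".mp3", ".mp2")          # original is hidden, a .VBS copy sits beside it
DOUBLE_EXTS = (".jpg.vbs", ".jpeg.vbs")
MIRC_FILES = {"mirc32.exe", "mlink32.exe", "mirc.ini", "mirc.hlp"}
NAMED_FILES = {"win-bugsfix.exe", "winfat32.exe", "mothersday.htm"}

def scan(root):
    """Return sorted (indicator, path) pairs for LoveLetter.D traces under root."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        lower = {f.lower() for f in files}
        for name in files:
            low, path = name.lower(), os.path.join(folder, name)
            if low in NAMED_FILES:
                hits.append(("named-file", path))
            elif low == "script.ini" and lower & MIRC_FILES:
                hits.append(("mirc-script-ini", path))   # compare with a clean mIRC install
            elif low.endswith(".vbs"):
                stem = low[:-4]                          # name without the added .vbs
                if stem.endswith(MEDIA_EXTS) and stem in lower:
                    hits.append(("media-copy", path))    # song.mp3 + song.mp3.vbs
                elif low.endswith(DOUBLE_EXTS):
                    hits.append(("double-extension", path))
                elif os.path.getsize(path) == WORM_SIZE:
                    hits.append(("worm-sized-vbs", path))
    return sorted(hits)

def build_sample(root):
    """Create a constructed directory tree of zero-filled files (no malware)."""
    layout = {"music/song.mp3": 0, "music/song.mp3.vbs": WORM_SIZE,
              "pics/cat.jpg.vbs": WORM_SIZE, "irc/mirc.ini": 0, "irc/script.ini": 0,
              "docs/script.ini": 0, "docs/build.vbs": 40, "docs/old.vbs": WORM_SIZE,
              "sys/WINFAT32.EXE": 0}
    for rel, size in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for indicator, path in scan(tmp):
            print(f"{indicator:18} {os.path.relpath(path, tmp)}")
```

Overwritten scripts keep no trace of their original extension, so the size check is the only lead for them; confirm any hit by inspecting the file contents.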