x
48h OFFER
If you're already a customer of
our homeusers protection,
renew now with a 50% off
RENEW NOW
x
SPECIAL OFFER
If you're already a customer of
our homeusers protection,
renew now with a 50% off
RENEW NOW
x
HALLOWEEN OFFER
take advantage of our
terrific discounts
BUY NOW AND GET A 50% OFF
x
CHRISTMAS OFFER
Buy the best antivirus
at the best price
BUY NOW AND GET A 40% OFF
x
SPECIAL OFFER
Buy the best antivirus
at the best price
BUY NOW AND GET A 50% OFF
x
BLACKFRIDAY OFFER
Buy the best antivirus
at the best price
TODAY ONLY UP TO 70% OFF
x
CYBERMONDAY OFFER
Buy the best antivirus
at the best price
(Only for homeusers)
TODAY ONLY UP TO 70% OFF
Active Scan. Scan your PC free
Panda Protection

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard True 0

LoveLetter.R

 
Threat LevelModerate threatDamageHighDistributionNot widespread
Common name:LoveLetter.R
Technical name:VBS/LoveLetter.R
Threat level:Low
Type:Virus
Effects:   It carries out damaging actions on the affected computer. It does not spread automatically using its own means.
Affected platforms:

Windows 2003/XP/2000/NT/ME/98/95

Detection updated on:June 6, 2007
StatisticsNo
Family:LOVELETTER (I LOVE YOU)

Brief Description 

    
VBS/LoveLetter.R is a worm that uses the e-mail and IRC to carry out its infections. It appeared on 04-05-2000. The worm sends itself as a file attached to an e-mail message to all the address in the user's Address Book.

The only difference between the BBS/LoveLetter and the BBS/LoveLetter.R variants is that BBS/LoveLetter.R includes spaces and reutrns in the text within its code.

In order to ensure infection it creates several copies of itself in different hard disk folders. These copies are called:

  • MSKERNEL32.VBS. In the Windows System folder.


  • WIN32DLL.VBS. In the Windows installation folder.


  • PROTECT.VBS. In the Windows System folder.


The worm's payload (destructive action) consists of searching for and performing malicious actions on certain files found on the hard disk and network drives.

  • Those files with VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA extensions are overwritten (thereby deleting the original file data). In addition, their size is truncated and their extension changed to VBS.


  • Files with JPG or JPEG extensions are also overwritten and truncated. The VBS extension is added to the original file name, thereby giving .JPG.VBS or .JPEG.VBS extensions).


  • If the worm finds files with MP3 or MP2 extensions, it creates a copy of itself. This copy has the same name as the original file (including the extension), to which the VBS extension is added. The worm then hides the original file.



Visible Symptoms 

    

Once the worm is activated, it carries out certain actions with the files that meet the following conditions:

  • Those files with VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA,com and BAT extensions are overwritten (thereby deleting the original file data). In addition, their size is truncated and their extension changed to VBS.


  • Files with JPG or JPEG extensions are also overwritten and truncated. The VBS extension is added to the original file name, thereby giving .JPG.VBS or .JPEG.VBS extensions).


  • If the worm finds files with MP3 or MP2 extensions, it creates a copy of itself. This copy has the same name as the original file (including the extension), to which the VBS extension is added. The worm then hides the original file.



The worm creates the file SCRIPT.INI in all the directories where the following files are found: MIRC32.EXE, MLINK32.EXE, MIRC.INI, SCRIPT.INI, or MIRC.HLP. This file is in charged of sending the file PROTECT.HTM via IRC to all users connected to same IRC channel as the infected user.