Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


LoveLetter.Y

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Common name: LoveLetter.Y
Technical name: VBS/LoveLetter.Y
Threat level: Low
Type: Worm
Effects: It spreads and affects other computers. It does not spread automatically using its own means.
Affected platforms: Windows XP/2000/NT/ME/98/95
First detected on:
Detection updated on: June 6, 2007
Statistics: No
Family: LOVELETTER (I LOVE YOU)

Brief Description 

    

VBS/LoveLetter.Y is a worm that uses e-mail and IRC to spread. It appeared on 04-05-2000. The worm sends itself as a file attached to an e-mail message to all the addresses in the user's Address Book.

To ensure infection, it creates several copies of itself in different hard disk folders. These copies are called:

  • MSKERNEL32.VBS. In the Windows System folder.

  • WIN32DLL.VBS. In the Windows installation folder.

  • LOVE-LETTER-FOR-YOU.TXT.VBS. In the Windows System folder.

The worm not only sends itself out via e-mail using Outlook but also creates a file called LOVE-LETTER-FOR-YOU.HTM, which is sent via IRC (chat channels) to all users connected to the same channel as the infected user.

The worm's payload (destructive action) consists of searching for and performing malicious actions on certain files found on the hard disk and network drives.

  • Those files with VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA extensions are overwritten (thereby deleting the original file data). In addition, their size is truncated and their extension changed to VBS.

  • Files with JPG or JPEG extensions are also overwritten and truncated. The VBS extension is added to the original file name, thereby giving .JPG.VBS or .JPEG.VBS extensions.

  • If the worm finds files with MP3 or MP2 extensions, it creates a copy of itself. This copy has the same name as the original file (including the extension), to which the VBS extension is added. The worm then hides the original file.

The Trojan downloads the file WIN-BUGSFIX.EXE from a web site selected at random from among four possible web addresses. It then runs this file and renames it WINFAT32.EXE. This file performs the following operations:

  • Every 150 milliseconds it looks for a window entitled "Connect to." This only occurs in computers running under English-language operating systems.

  • If this window is found (corresponding to a network connection), it makes the password originally used for the connection the default password. It does this by checking, every 150 milliseconds, the option that allows you to save the password used to connect.

  • The day after infection takes place, the Trojan gathers confidential system data every 48 seconds. It then sends all the data obtained to the e-mail address mailme@super.net.ph (in the Philippines). The message body of the e-mail sent to this address is:

    From: test@192.168.8.36
    To: mailme@super.net.ph
    Subject: Barok... email.passwords.sender.trojan
    X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
    Date: Fri, 5 May 2000 05:17:28 +0200
    Message-Id: 891900275@super.net.ph
    Host: "name of the infected computer"
    Username: "name of the infected user"
    IP Address: "IP address in format xxx.xxx.xxx.xxx"

    RAS Passwords:

    description of the connection
    U: "user"
    P: "password"
    N#: "telephone number of the RAS connection in format (cc)ac-nnnnnnn"

    Cache Passwords: "List of passwords in cache"

Visible Symptoms 

    

Once the worm is activated, it carries out certain actions with the files that meet the following conditions:

  • Those files with VBS, VBE, JS, JSE, CSS, WSH, SCT or HTA extensions are overwritten (thereby deleting the original file data). In addition, their size is truncated and their extension changed to VBS.

  • Files with JPG or JPEG extensions are also overwritten and truncated. The VBS extension is added to the original file name, thereby giving .JPG.VBS or .JPEG.VBS extensions.

  • If the worm finds files with MP3 or MP2 extensions, it creates a copy of itself. This copy has the same name as the original file (including the extension), to which the VBS extension is added. The worm then hides the original file.

The worm creates the file SCRIPT.INI in all the directories where the following files are found: MIRC32.EXE, MLINK32.EXE, MIRC.INI, SCRIPT.INI, or MIRC.HLP. This file is in charge of sending the file LOVE-LETTER-FOR-YOU.HTM via IRC to all users connected to the same IRC channel as the infected user.
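The file names and extension changes listed above can be turned into a triage pass over a disk or share that separates overwritten images from audio files whose originals were only hidden. This is an added example, not Panda's code; it assumes a worm-written SCRIPT.INI names LOVE-LETTER-FOR-YOU.HTM in its text, and the sample tree is constructed.

```python
import os
import tempfile

# File names this page says the worm drops or downloads (compared upper-cased).
DROPPED = {"MSKERNEL32.VBS", "WIN32DLL.VBS", "LOVE-LETTER-FOR-YOU.TXT.VBS",
           "LOVE-LETTER-FOR-YOU.HTM", "WIN-BUGSFIX.EXE", "WINFAT32.EXE"}
OVERWRITTEN = (".JPG.VBS", ".JPEG.VBS")  # image data replaced by the worm
SHADOWED = (".MP3.VBS", ".MP2.VBS")      # worm copy beside a hidden original

def mentions_lure(path):
    """True if a SCRIPT.INI names the .HTM file it is said to send (assumed)."""
    with open(path, "r", errors="ignore") as fh:
        return "LOVE-LETTER-FOR-YOU.HTM" in fh.read().upper()

def triage(root):
    """Walk root and return a sorted list of (relative_path, finding)."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        upper = {name.upper() for name in files}
        for name in files:
            up, path = name.upper(), os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if up in DROPPED:
                findings.append((rel, "known worm file"))
            elif up.endswith(OVERWRITTEN):
                findings.append((rel, "overwritten image: restore from backup"))
            elif up.endswith(SHADOWED):
                kept = up[:-len(".VBS")] in upper  # original still on disk?
                findings.append((rel, "audio decoy: " +
                                 ("unhide original" if kept else "original missing")))
            elif up == "SCRIPT.INI" and mentions_lure(path):
                findings.append((rel, "mIRC script sends lure: replace"))
    return sorted(findings)

# Constructed sample tree: relative path -> file content.
SAMPLE = {"system/MSKERNEL32.VBS": "", "pics/holiday.jpg.vbs": "",
          "music/song.mp3": "", "music/song.mp3.vbs": "", "music/lost.mp2.vbs": "",
          "mirc/script.ini": "; constructed line naming LOVE-LETTER-FOR-YOU.HTM",
          "chat/script.ini": "; unrelated script", "docs/notes.txt": "plain text"}

def demo():
    """Build SAMPLE in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        return triage(root)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:42} {rel}")
```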

The Trojan downloads the file WIN-BUGSFIX.EXE from a web site selected at random from among four possible web addresses. It then runs this file and renames it WINFAT32.EXE. This file performs the following operations:

  • Every 150 milliseconds it looks for a window entitled "Connect to." This only occurs in computers running under English-language operating systems.

  • If this window is found (corresponding to a network connection), it makes the password originally used for the connection the default password. It does this by checking, every 150 milliseconds, the option that allows you to save the password used to connect.

  • The day after infection takes place, the Trojan gathers confidential system data every 48 seconds. It then sends all the data obtained to the e-mail address mailme@super.net.ph (in the Philippines). The message body of the e-mail sent to this address is:

    From: test@192.168.8.36
    To: mailme@super.net.ph
    Subject: Barok... email.passwords.sender.trojan
    X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
    Date: Fri, 5 May 2000 05:17:28 +0200
    Message-Id: 891900275@super.net.ph
    Host: "name of the infected computer"
    Username: "name of the infected user"
    IP Address: "IP address in format xxx.xxx.xxx.xxx"

    RAS Passwords:

    description of the connection
    U: "user"
    P: "password"
    N#: "telephone number of the RAS connection in format (cc)ac-nnnnnnn"

    Cache Passwords: "List of passwords in cache"
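For incident response, a report message captured at a mail gateway can be parsed to list which connections and accounts were exposed and need their credentials changed, without copying the passwords themselves. This is an added example, not Panda's code; it assumes the report fields follow the mail headers as `Key: value` body lines laid out as in the template above, and `parse_report` and `SAMPLE` (all values made up) are names introduced here.

```python
from email import message_from_string

FIELDS = {"Host": "host", "Username": "username", "IP Address": "ip"}
RAS_KEYS = {"U": "user", "P": "password_exposed", "N#": "number"}

def parse_report(raw):
    """Return the exposure summary of a Barok report mail, or None."""
    msg = message_from_string(raw)
    tag = (msg.get("X-Mailer", "") + " " + msg.get("Subject", "")).lower()
    if "barok" not in tag or msg.is_multipart():
        return None
    out = {"sent_to": msg.get("To", ""), "host": None, "username": None,
           "ip": None, "ras": [], "cache_exposed": False}
    in_ras = False
    for line in filter(None, map(str.strip, msg.get_payload().splitlines())):
        key, _, value = line.partition(":")
        value = value.strip()
        if line == "RAS Passwords:":
            in_ras = True
        elif key == "Cache Passwords":
            in_ras, out["cache_exposed"] = False, bool(value)
        elif not in_ras and key in FIELDS:
            out[FIELDS[key]] = value
        elif in_ras and key in RAS_KEYS and out["ras"]:
            # Record that a password leaked, never the password itself.
            out["ras"][-1][RAS_KEYS[key]] = bool(value) if key == "P" else value
        elif in_ras:  # any other line in this section names a new connection
            out["ras"].append({"connection": line, "user": None,
                               "number": None, "password_exposed": False})
    return out

# Constructed capture following the page's template; every value is made up.
SAMPLE = """\
To: mailme@super.net.ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder

Host: FRONTDESK-PC
Username: jsmith
IP Address: 192.0.2.15

RAS Passwords:
Office ISP
U: jsmith@isp.example
P: not-a-real-password
N#: (00)00-5550100
Cache Passwords: (entries omitted)
"""
```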