One part of the worm is contained in the following website: http://www.terra.es/personal2/sereson. When users connect to this web page, a file called LOVEDAY14-A.HTA is downloaded to the hard disk. The other part of the worm is contained in the following web page: http://www.terra.es/personal/acaymo. When users connect to this web page, a file called LOVEDAY14-B.HTA is downloaded.
The virus checks to see if the language of the Internet browser is Spanish in order to identify the path of the start menu.
Then, it creates a file called INDEX.HTML in the C:\Windows\System directory. This file contains the virus code as well as the following text:
Loveday14 by One12 Melilla, España
Feliz san valentin davinia
Once this file has been created, the worm displays a window that looks as follows:
Next, it copies the INDEX.HTML file into the automatic signature of Outlook Express (version 5). This way, the worm manages to send itself in all outgoing messages.
In addition, the worm changes the browser's home page to http://www.terra.es/personal/acaymo. In this way, when the Internet browser is started up, it connects directly to this page. When this occurs, a file called LOVEDAY14-B.HTA will be placed in the system directory.
If the day of the month is 8, 14, 23 or 29, the virus creates folders in the C: drive with the same names as the existing ones, adding the text "happysavalentin", and deletes the content of the subfolders contained in the different directories of the C: drive, with the exception of those that are currently in use.
The file LOVEDAY14-B.HTA creates a file called MAIN.HTML in the C:\Windows\System directory. This file contains the virus code. In this file, there is also the same text referring to the author as in the file INDEX.HTML mentioned above.
The worm then goes on to send itself to all addresses in the user's address book. The person receiving this message will not see anything in either the subject field or the message body. The message does, however, contain the virus code in HTML format. The worm also generates random six-figure numbers so as to send messages to mobile phones at the address @correo.movistar.net, using the prefixes 609, 619, 629, 630, 639, 646, 649 or 696. The message subject is "Feliz san valentin" and the message consists of the following text: "Feliz san valentin. Por favor visita (Please visit) http://www.terra.es/personal/acaymo". If the person who receives the message visits this page, the process described above begins.
The worm then searches drive C: for the following files: MIRC32.EXE and MLINK32.EXE. If either of these files is found, it creates a file called SCRIPT.INI in the corresponding folder. This is the file that sends the worm via IRC. When users join the same channel as the affected user, they will receive a message containing the INDEX.HTML file that the worm created previously. If the worm does not find either of these files, it finds all the shortcuts to Internet web pages on the system and modifies them so that they point to the following address:
If the day of the month is 8, 14, 23 or 29, the worm triggers its payload, which consists of replacing the contents of all the files in drive C: with the following text:
Hola, me llamo Onel2 y voy a utilizar tus archivos para declararle mi amor
a Davinia, la chica mas guapa del mundo.
Feliz san Valentin Davinia. Eres la mas bonita y la mas simpatica.
Todos los dias a todas horas pienso en ti y cada segundo que no te veo
es un infierno.
Quieres salir conmigo?
En cuanto a ti usuario, debo decirte que tus ficheros
no han sido contaminados por un virus,
sino sacralizados por el amor que siento por Davinia.
Once this action has been carried out, a window is displayed that looks as follows:
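Added example, not part of the original description: a read-only Python scan for the file-system artifacts named above (the two .HTA file names, INDEX.HTML or MAIN.HTML carrying the author text, SCRIPT.INI beside an IRC client, "happysavalentin" folders, and files holding the overwrite text). The function names, indicator labels, the 1 MiB read limit and the sample tree are assumptions made for this example; the sample contains constructed marker strings only.

```python
import os
import tempfile

DROPPERS = {"loveday14-a.hta", "loveday14-b.hta"}  # file names given on the page
CARRIERS = {"index.html", "main.html"}             # flagged only with the author text
IRC_CLIENTS = {"mirc32.exe", "mlink32.exe"}
AUTHOR_MARK = b"loveday14 by"                      # author line quoted on the page
PAYLOAD_MARK = b"sacralizados por el amor"         # from the quoted overwrite text
FOLDER_MARK = "happysavalentin"                    # text added to created folder names


def scan_loveday14(root):
    """Return sorted (indicator, relative_path) pairs found under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        def rel(n):
            return os.path.relpath(os.path.join(dirpath, n), root).replace(os.sep, "/")
        hits += [("payload-folder", rel(d)) for d in dirnames if FOLDER_MARK in d.lower()]
        for f in filenames:
            name = f.lower()
            if name in DROPPERS:
                hits.append(("dropper", rel(f)))
            if name == "script.ini" and IRC_CLIENTS & {x.lower() for x in filenames}:
                hits.append(("irc-script-review", rel(f)))  # a lead to review, not proof
            try:
                with open(os.path.join(dirpath, f), "rb") as fh:
                    data = fh.read(1 << 20).lower()  # assumption: markers in first 1 MiB
            except OSError:
                continue  # locked or unreadable file
            if name in CARRIERS and AUTHOR_MARK in data:
                hits.append(("carrier", rel(f)))
            if PAYLOAD_MARK in data:
                hits.append(("overwritten", rel(f)))
    return sorted(hits)


def scan_constructed_sample():
    """Scan a constructed tree that holds marker strings only, no worm code."""
    files = {"Windows/System/INDEX.HTML": b"<p>Loveday14 by (constructed)</p>",
             "Windows/System/LOVEDAY14-B.HTA": b"constructed", "mirc/MIRC32.EXE": b"",
             "mirc/SCRIPT.INI": b"[script]", "web/index.html": b"<p>benign</p>",
             "docshappysavalentin/x.txt": b"", "docs/a.txt": b"sino sacralizados por el amor"}
    with tempfile.TemporaryDirectory() as root:
        for path, data in files.items():
            full = os.path.join(root, *path.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan_loveday14(root)
```

Call `scan_loveday14` on a mounted copy of the suspect drive; a SCRIPT.INI hit only marks a file to inspect by hand, and an INDEX.HTML without the author text is not reported.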