VBS.LoveLetter.A
First posted on 21 November 2011.
Source: BitDefender
Aliases :
VBS.LoveLetter.A is also known as N/A.
Explanation :
VBS.LoveLetter.A is an Internet worm that uses the Outlook Address Book to spread itself.
It is extremely aggressive when spreading in the network.
Once the attachment is executed, the virus copies itself to three files on the system:
"MSKernel32.vbs" and "LOVE-LETTER-FOR-YOU.TXT.vbs" in the system folder ("C:\Windows\System" or "C:\Winnt\System32")
and "Win32DLL.vbs" in the Windows folder ("C:\Windows" or "C:\Winnt").
At the same time, the system registry is modified so that two of these files are executed every time the system starts:
The key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32" with the value
"%dirsystem%\MSKernel32.vbs"
and the key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL" with the value
"%dirwin%\Win32DLL.vbs"
where %dirsystem% is C:\Windows\System or C:\Winnt\System32 and
%dirwin% is C:\Windows or C:\Winnt.
If there is no WinFAT32.exe file in the system directory, the virus automatically sets the key
"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page" (the homepage for Internet Explorer)
to be one of the following:
"http://www.skyinet.net/~young1s/.../WIN-BUGSFIX.exe"
"http://www.skyinet.net/~angelcat/.../WIN-BUGSFIX.exe"
"http://www.skyinet.net/~koichi/.../WIN-BUGSFIX.exe"
"http://www.skyinet.net/~chu/.../WIN-BUGSFIX.exe"
Thus, when Internet Explorer is opened, it will try to automatically download the WIN-BUGSFIX.exe file,
which will be executed when the system is restarted.
To do that, it writes the registry key
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"
with the value "%downloaddirectory%\WIN-BUGSFIX.exe", where %downloaddirectory% is the folder found in the registry key
"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory".
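The registry changes described above can be checked for in a registry export. The following is an added example, not code from BitDefender or from the original page: it assumes the input is the text of a regedit ".reg" export, and the function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the description above: (key, value name, substring of the data).
RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
INDICATORS = [
    (RUN, "MSKernel32", "mskernel32.vbs"),
    (RUN + "Services", "Win32DLL", "win32dll.vbs"),
    (RUN, "WIN-BUGSFIX", "win-bugsfix.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
     "Start Page", "win-bugsfix.exe"),
]
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg escaping, where backslash and quote are backslash-escaped."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            key = m.group(1)
        elif (m := VALUE.match(line)) and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_loveletter(text):
    """Return the (key, name, data) entries that match an indicator."""
    return [
        (key, name, data)
        for key, name, data in parse_reg(text)
        for ikey, iname, needle in INDICATORS
        if (key.lower(), name.lower()) == (ikey.lower(), iname.lower())
        and needle in data.lower()
    ]

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.com/"
'''
```

Calling find_loveletter(SAMPLE) returns the MSKernel32 and Win32DLL entries and ignores the unrelated SystemTray value and the unmodified start page.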
VBS.LoveLetter.A searches the system and the mapped network drives for all files with the
vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2 extensions and overwrites them, turning them into .vbs files.
At the same time, VBS.LoveLetter.A creates a file LOVE-LETTER-FOR-YOU.HTM in the system directory
and a file "script.ini" in the mIRC directory (if it exists) in order to send the html file, which includes the virus,
through mIRC to mIRC users who entered the same chat room.
The LOVE-LETTER-FOR-YOU.HTM file includes the VBS form of the virus that infects the system if the user allows
ActiveX elements from HTML pages.
It also spreads itself to all the contacts in the Outlook Address Book. The mail format is:
Subject: "ILOVEYOU"
Body: "kindly check the attached LOVELETTER coming from me."
Attachment: a copy of the virus, the file "LOVE-LETTER-FOR-YOU.TXT.vbs"
Last update 21 November 2011