What is the VBS.Loveletter virus and its NewLove variant?

The ILOVEYOU virus is an email attachment written in Visual Basic Script and cleverly disguised as a love letter. Who wouldn't want to receive a love letter, after all? The attachment was called LOVE-LETTER-FOR-YOU.TXT.vbs; when opened, it wreaked havoc throughout the computer by overwriting files or hiding them, and, for people using Microsoft Outlook, it sent a copy of the virus to everyone in the computer's address book.

The Love Bug infects files with the following extensions: "vbs", "vbe", "js", "jse", "css", "wsh", "sct", "hta", "jpg", "jpeg", "mp3", or "mp2". Except for "mp3" and "mp2" files, the virus overwrites the whole file with its virus code and the original file is destroyed.

For "vbs" and "vbe" files, the virus overwrites the file and does not change the host filename.

For "js", "jse", "css", "wsh", "sct" or "hta" files, it overwrites the file and replaces the extension with ".vbs" (for example, MyStyleSheetFile.css is renamed MyStyleSheetFile.vbs).

For "jpg" and "jpeg" files, it overwrites the file and appends ".vbs" to the filename (for example, MyJPEGFile.jpg is renamed MyJPEGFile.jpg.vbs).

For "mp3" and "mp2" files, it sets the hidden and system attributes on the original audio file and creates a copy of itself with ".vbs" appended to the filename (for example, next to MyMP3File.mp3 the virus writes a copy of itself called MyMP3File.mp3.vbs). Because the original is only hidden, all "mp2" and "mp3" files can be recovered from an infected system.


Once executed, this virus drops the following files:

\windows\Win32DLL.vbs
\system\MSKernel32.vbs
\system\LOVE-LETTER-FOR-YOU.TXT.vbs
\system\LOVE-LETTER-FOR-YOU.HTM
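The per-extension rules and the dropped-file list above translate directly into a triage script for an infected disk: which files are worm copies, which originals are only hidden (and therefore recoverable), and which are gone. The following is an added example written for this page, not the article's own tool or any vendor's clean-up utility. It assumes the input is a plain list of file names as found on the infected disk (for example from `os.listdir`); the `SAMPLE` list is constructed for the demonstration, not data from a real infection.

```python
"""Triage of a disk hit by VBS.Loveletter, following the per-extension rules above.

Added example; not part of the original write-up or any vendor clean-up tool.
Assumption: input is a list of file names as found on the infected disk (for
example from os.listdir); the SAMPLE list below is constructed, not real data.
"""
from pathlib import PureWindowsPath

# Files the worm drops, by basename (case-insensitive), as listed above.
DROPPED = {"win32dll.vbs", "mskernel32.vbs",
           "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
# Audio: original is hidden (+system) and a worm copy <name>.mp3.vbs appears.
AUDIO = {".mp3", ".mp2"}
# Images: overwritten and renamed <name>.jpg.vbs; nothing is left to recover.
IMAGES = {".jpg", ".jpeg"}

def classify(name):
    """Return (verdict, original_name_or_None) for a single file name."""
    lower = name.lower()
    if PureWindowsPath(lower).name in DROPPED:
        return "dropped", None
    if not lower.endswith(".vbs"):
        return "clean", None          # not something the worm wrote
    stem = name[:-len(".vbs")]        # name before the appended/replaced ".vbs"
    inner = PureWindowsPath(stem).suffix.lower()
    if inner in AUDIO:
        return "audio_copy", stem     # recoverable if the hidden original is still there
    if inner in IMAGES:
        return "lost", stem           # overwritten image, original content gone
    # Either a genuine .vbs/.vbe host or a js/jse/css/wsh/sct/hta file renamed
    # to .vbs: in both cases the original content was overwritten.
    return "lost", None

def triage(filenames):
    """Group files by what the worm did to them.

    Audio worm copies count as 'recoverable' only when the (hidden) original
    file name is also present in the listing.
    """
    present = set(filenames)
    report = {"dropped": [], "recoverable": [], "original_missing": [],
              "lost": [], "clean": []}
    for name in filenames:
        verdict, original = classify(name)
        if verdict == "audio_copy":
            verdict = "recoverable" if original in present else "original_missing"
        report[verdict].append((name, original))
    return report

def recovery_commands(report):
    """Windows shell commands: un-hide each recoverable audio file, then delete
    the worm copy beside it and the dropped worm files. Review before running."""
    cmds = []
    for worm_copy, original in report["recoverable"]:
        cmds.append(f'attrib -h -s "{original}"')
        cmds.append(f'del "{worm_copy}"')
    for name, _ in report["dropped"]:
        cmds.append(f'del "{name}"')
    return cmds

# Constructed sample listing (not from a real infection).
SAMPLE = ["MyStyleSheetFile.vbs", "MyJPEGFile.jpg.vbs", "MyMP3File.mp3",
          "MyMP3File.mp3.vbs", "Report.doc",
          r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", "Other.mp2.vbs"]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for verdict, entries in result.items():
        print(verdict, entries)
    print("\n".join(recovery_commands(result)))
```

Note that a renamed stylesheet (MyStyleSheetFile.vbs) is indistinguishable by name from a script that was always a .vbs file, which is why both land in the "lost" bucket: the listing alone cannot tell you what the original was, only that its content is gone.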


It also modifies the following registry entries so that the virus is executed at each Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = :\windows\system\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = :\windows\Win32DLL.vbs

It searches for a file named WinFAT32.exe in the :\Windows\system folder. If the file does not exist, it sets Internet Explorer's startup page to one of the following URLs:

http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe

http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe

http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe

http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

It also searches your system for a file called WIN-BUGSFIX.exe (in the same way as for WinFAT32.exe). Before searching for the file, the virus first checks whether the Download Directory value under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ contains anything. If it does, the virus looks for WIN-BUGSFIX.EXE in the path given by Download Directory; if the value is empty, it looks for WIN-BUGSFIX.EXE at C:\. VBS_LOVELETTER then resets Internet Explorer's startup page to "about:blank".

It also sets the registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX to <Download Directory>\WIN-BUGSFIX.exe if Download Directory contains a value, or to C:\WIN-BUGSFIX.EXE if it does not.

The file WIN-BUGSFIX.EXE is actually a password stealing Trojan.

How Do I Remove the Virus?

Unfortunately, after the virus has struck there is not much that can be done to retrieve the destroyed data except to restore the destroyed files from a backup. However, once you have updated your anti-virus program (or bought one), follow these steps to correct the registry and get your computer working again.

Using the REGEDIT program, remove the following keys from your Windows registry.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = C:\WINDOWS\SYSTEM\MSKernel32.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = C:\WINDOWS\Win32DLL.vbs
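Rather than hunting through REGEDIT by hand, the two autorun entries (and the WIN-BUGSFIX one described earlier) can be picked out of a registry export and turned into removal commands. The example below is added for this page and is not a Computer Associates, McAfee, Norton or Trend Micro tool. It assumes the export is in the REGEDIT4 text format that REGEDIT's Export produces, that only string values matter, and that Internet Explorer keeps its start page in the "Start Page" value under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main (a well-known location, but not one the article itself names). It generalizes slightly beyond the article by also flagging any other .vbs or .vbe file launched from Run or RunServices. `SAMPLE_EXPORT` is constructed, not taken from a real machine.

```python
r"""Scan a REGEDIT4-style registry export for the Loveletter autorun entries.

Added example; not a Computer Associates or other vendor tool. Assumptions:
the export is REGEDIT4 text (as produced by REGEDIT's Export), only string
values matter, and Internet Explorer's start page is the "Start Page" value
under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main (well-known,
but not named in the write-up). SAMPLE_EXPORT is constructed, not real.
"""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # REGEDIT4 string values only

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a REGEDIT4 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # .reg files double every backslash inside string data
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
KNOWN_NAMES = {"mskernel32", "win32dll", "win-bugsfix"}   # value names from the write-up

def find_persistence(keys):
    """Return (key, value_name, data, reason) for each suspicious entry."""
    findings = []
    for key, values in keys.items():
        if key.lower() in AUTORUN_KEYS:
            for name, data in values.items():
                if name.lower() in KNOWN_NAMES:
                    findings.append((key, name, data, "value name used by Loveletter"))
                elif data.lower().endswith((".vbs", ".vbe")):
                    findings.append((key, name, data, "script file launched at startup"))
        elif key.lower().endswith(r"\internet explorer\main"):
            start = values.get("Start Page", "")
            if "skyinet.net" in start.lower():
                findings.append((key, "Start Page", start,
                                 "start page points at the worm's download site"))
    return findings

def removal_commands(findings):
    """reg.exe commands deleting the flagged autorun values. The start page is
    only reported: reset it through Internet Options as the write-up describes."""
    return [f'reg delete "{key}" /v "{name}" /f'
            for key, name, _, _ in findings if name != "Start Page"]

# Constructed export (not from a real machine); the URL is a shortened stand-in.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.skyinet.net/~young1s/EXAMPLE/WIN-BUGSFIX.exe"
"""

if __name__ == "__main__":
    found = find_persistence(parse_reg_export(SAMPLE_EXPORT))
    for key, name, data, reason in found:
        print(f"{reason}: [{key}] {name} = {data}")
    print("\n".join(removal_commands(found)))
```

The `reg delete` lines are for reg.exe on the Windows NT family; on Windows 9x, where the article's steps apply, remove the same values with REGEDIT as described above.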

Not comfortable with Regedit? You can download a small free program called Love_Letter_Clean.exe from Computer Associates, Inc. that removes the registry keys for you. When you click on the download link, select "Open this file from its current location" and click OK. Alternatively, visit any of the major anti-virus vendors' sites, such as McAfee, Norton, or Trend Micro, to download a similar program.

Finally, let's straighten out your IE home page, which the virus reset to www.skyinet.net. From IE's Tools menu, select Internet Options. Right at the top of the dialog you'll see the Home page setting. Type in the URL of the page you use as your home page, and click OK. That should be it. If you followed all the steps above, your system should be clean and free of this painful love letter.

Information on NewLove - a far more dangerous worm/virus

On May 19th a far more dangerous variation of the LoveLetter worm struck. Like its predecessor, it spreads via Microsoft Outlook and sends itself to everyone in the address book, but this version overwrites ALL files that are not in use at the time of infection, destroying most of what is on the hard drive. It is also more dangerous because it changes the wording of the subject line and the name of the attachment it sends, picking a random filename from the user's Start folder or making one up.
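Because NewLove randomises both the subject and the attachment name, a mail filter that blocks the literal string LOVE-LETTER-FOR-YOU.TXT.vbs gains nothing. What both variants share is that the attachment executes as a script, so the durable defence keys on the final extension and treats a double extension (a harmless-looking inner one in front of a script one) as a disguise. The following is an added example for this page, not part of the article or any gateway product; `build_sample()` constructs a test message and its attachment bodies are placeholder bytes, not worm code.

```python
"""Mail-gateway attachment check: decide by what the attachment executes as.

Added example; not part of the original article or any vendor product.
NewLove randomises the subject and attachment name, so blocking the literal
name LOVE-LETTER-FOR-YOU.TXT.vbs does not help; this policy keys on the final
extension and flags double extensions that hide a script behind a harmless
inner one. build_sample() constructs a test message; it is not a real sample.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script types Loveletter is written in or overwrites (from the write-up).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}

def attachment_verdict(filename):
    """Return ("block" | "allow", reason) for an attachment file name."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "allow", "no extension"
    final = "." + parts[-1]
    if final not in SCRIPT_EXTENSIONS:
        return "allow", "not a script type"
    if len(parts) >= 3:
        return "block", f"script {final} hidden behind inner extension .{parts[-2]}"
    return "block", f"script attachment {final}"

def scan_message(raw_bytes):
    """Apply attachment_verdict to every named part of an RFC 822 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            verdict, reason = attachment_verdict(fname)
            results.append((fname, verdict, reason))
    return results

def build_sample():
    """Constructed message: one disguised script, one harmless file, one plain script."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("Constructed body text for the example.")
    msg.add_attachment(b"' placeholder bytes, not script code\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"<html></html>", maintype="application",
                       subtype="octet-stream", filename="Agenda.hta")
    return msg.as_bytes()

if __name__ == "__main__":
    for fname, verdict, reason in scan_message(build_sample()):
        print(f"{verdict:5} {fname}: {reason}")
```

The check deliberately ignores the declared MIME type and the inner extension: a sender controls both, and Windows Scripting Host runs the file according to its last extension regardless of what comes before it.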