
VBS.LoveLetter.A

HIGH
HIGH
HTML file: 16122 bytes, VBS File: 10307 bytes
(N/A)

Symptoms

-Instead of every vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3 and mp2 file there is a copy of the virus,
with the same name as the original file plus the .vbs extension.
-When Internet Explorer is opened, it tries to automatically download the WIN-BUGSFIX.exe file.
-The key
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32"
has the value
"%dirsystem%\MSKernel32.vbs"

and the key
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL"
has the value
"%dirwin%\Win32DLL.vbs"

where %dirsystem% is C:\Windows\System or C:\Winnt\System32 and
%dirwin% is C:\Windows or C:\Winnt.
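As an added example (not Bitdefender's tool or code from this page), the following Python script checks a directory tree for the first symptom above: it lists files named <name>.<ext>.vbs for the extensions given, records whether the original file is still beside its .vbs twin, and uses the 10307-byte VBS size from the header as a weak secondary signal for plain .vbs files that were overwritten in place. The sample tree it builds is constructed filler bytes, and the scan only reports; it deletes nothing.

```python
"""Report the file-system symptom described above: for each overwritten
vbs/vbe/js/jse/css/wsh/sct/hta/jpg/jpeg/mp3/mp2 file, a <name>.<ext>.vbs
copy of the worm is left in its place.

Added example for this page (not Bitdefender's tool).  It only reports and
deletes nothing; cleanup is left to the scanner as the removal steps say.
"""
import os
import shutil
import tempfile

# Extensions the description says are overwritten.
OVERWRITTEN_EXTENSIONS = {"vbs", "vbe", "js", "jse", "css", "wsh", "sct",
                          "hta", "jpg", "jpeg", "mp3", "mp2"}
# Size of the .vbs copy from the page header; used as a secondary signal only.
VBS_COPY_SIZE = 10307


def doubled_extension(filename):
    """Return the original extension if filename looks like <stem>.<ext>.vbs
    with <ext> in the overwritten set, otherwise None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[2] == "vbs" and parts[1] in OVERWRITTEN_EXTENSIONS:
        return parts[1]
    return None


def scan_tree(root):
    """Walk root and return one finding dict per suspicious file.

    signal "doubled-extension": name matches <stem>.<ext>.vbs (strong, from
    the symptom list).  signal "size-only": a plain .vbs file whose size equals
    the known copy size (weak; plain .vbs originals are overwritten in place,
    so the name alone cannot tell them apart).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue
            if doubled_extension(name) is not None:
                original = name[:-4]          # drop the trailing ".vbs"
                findings.append({
                    "name": name,
                    "path": path,
                    "signal": "doubled-extension",
                    "original_present": original.lower() in present,
                    "size_match": size == VBS_COPY_SIZE,
                })
            elif name.lower().endswith(".vbs") and size == VBS_COPY_SIZE:
                findings.append({
                    "name": name,
                    "path": path,
                    "signal": "size-only",
                    "original_present": None,
                    "size_match": True,
                })
    return findings


def build_sample_tree(root):
    """Create a constructed sample tree (filler bytes, not worm code)."""
    sample = {
        "photo.jpg.vbs": VBS_COPY_SIZE,   # original gone, size matches
        "song.mp3.vbs": 100,              # original gone, size differs
        "keep.jpeg": 2048,                # original still present ...
        "keep.jpeg.vbs": 300,             # ... next to its .vbs twin
        "login.vbs": VBS_COPY_SIZE,       # plain .vbs, size-only signal
        "readme.txt": VBS_COPY_SIZE,      # same size, wrong extension
        "normal.js": 50,                  # untouched script
        "archive.tar.gz": 10,             # two dots, but not .vbs
    }
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    for filename, size in sample.items():
        with open(os.path.join(root, "sub", filename), "wb") as fh:
            fh.write(b"'" * size)


def demo():
    """Build the sample tree in a temp dir, scan it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="loveletter-demo-")
    try:
        build_sample_tree(root)
        return sorted(scan_tree(root), key=lambda f: f["name"])
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['signal']:<18} {f['name']:<16} "
              f"original_present={f['original_present']} size_match={f['size_match']}")
```

Run it against a real tree with `scan_tree(r"C:\")` (or a mapped drive) and review the "doubled-extension" findings first; "size-only" hits need confirmation by the scanner, since any 10307-byte script would match.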

Removal instructions:

1. Make sure that you have the latest updates using BitDefender Live!;

2. Make the following changes in the Windows Registry:

Please make sure to modify only the values that are specified. It is also recommended to back up
the Windows Registry before proceeding with these changes.

a) Select Run... from the Start menu, then type regedit and press Enter;
b) Delete the following keys:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32"

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL"

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"


3. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt
user for action"). Choose to delete all the files infected with VBS.LoveLetter.A.

4. In addition, the file script.ini will also have to be deleted from the mIRC directory.

Note: If you encounter another version of the VBS.LoveLetter (there are more than 40 versions of this virus) please attach the scan log from BitDefender to an email and send to support@bitdefender.com in order to receive specific removal instructions.

Analyzed By

Bogdan Dumitru BitDefender Virus Researcher

Technical Description:

VBS.LoveLetter.A is an Internet worm that uses the Outlook Address Book to spread itself.
It is extremely aggressive when spreading across a network.

Once the attachment is executed, the virus copies itself into three files on the system:
"MSKernel32.vbs" and "LOVE-LETTER-FOR-YOU.TXT.vbs" in the system folder ("C:\Windows\System" or "C:\Winnt\System32")
and "Win32DLL.vbs" in the Windows folder ("C:\Windows" or "C:\Winnt").

At the same time, the system registry is modified so that two of these files are executed every time the system starts.
The key
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32"
has the value
"%dirsystem%\MSKernel32.vbs"

and the key
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL"
has the value
"%dirwin%\Win32DLL.vbs"

where %dirsystem% is C:\Windows\System or C:\Winnt\System32 and
%dirwin% is C:\Windows or C:\Winnt.

If there is no WinFAT32.exe file in the system directory, the virus automatically sets the key

"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"
(the home page of Internet Explorer)
to one of the following:

"http://www.skyinet.net/~young1s/.../WIN-BUGSFIX.exe"
"http://www.skyinet.net/~angelcat/.../WIN-BUGSFIX.exe"
"http://www.skyinet.net/~koichi/.../WIN-BUGSFIX.exe"
"http://www.skyinet.net/~chu/.../WIN-BUGSFIX.exe"

Thus, when Internet Explorer is opened, it will try to automatically download the WIN-BUGSFIX.exe file,
which will be executed when the system is restarted.

To do that it writes the registry key
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"

with the value "%downloaddirectory%\WIN-BUGSFIX.exe", where %downloaddirectory% is the folder stored in the registry entry
"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory".
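The registry entries described above, which are also the keys the removal steps say to delete, can be checked offline from a reg.exe export rather than by hand in regedit. The following Python script is an added example, not the page's own code or a Bitdefender tool. It assumes the export files were produced with `reg export` on the suspect machine, and it treats the value names (MSKernel32, Win32DLL, WIN-BUGSFIX), the file names they point at, and a Start Page ending in WIN-BUGSFIX.exe as the indicators. The sample export embedded in it is constructed, with placeholder paths and a placeholder URL host.

```python
r"""Offline triage of a Windows registry export for the persistence and
start-page indicators described above.

Assumed workflow (added example, not from the page): on the suspect machine
export the relevant keys with reg.exe, e.g.

    reg export HKLM\Software\Microsoft\Windows\CurrentVersion run.reg
    reg export "HKCU\Software\Microsoft\Internet Explorer\Main" ie.reg

then parse the files here.  reg.exe normally writes UTF-16 text, so read the
files with encoding="utf-16".  Nothing is modified; findings are for review.
"""
import re

# Value names and file names taken from the registry keys in the description.
AUTORUN_VALUE_NAMES = {"mskernel32", "win32dll", "win-bugsfix"}
AUTORUN_FILE_NAMES = {"mskernel32.vbs", "win32dll.vbs", "win-bugsfix.exe"}
AUTORUN_KEY_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices")
IE_MAIN_KEY = r"hkey_current_user\software\microsoft\internet explorer\main"
START_PAGE_PAYLOAD = "win-bugsfix.exe"

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data  or  @=data (default value); the name may contain \" escapes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(text):
    """Undo the two escapes .reg files use inside quoted strings."""
    return text.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse reg-export text into (key, value_name, data) tuples.

    REG_SZ data is unquoted and unescaped; dword:/hex: data is kept as the raw
    token.  Lines that continue a hex: value match neither pattern and are
    skipped, which is acceptable for a triage that only looks at strings.
    """
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key is not None:
            name = value_match.group(1)
            name = "" if name is None else _unescape(name)
            data = value_match.group(2).strip()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            entries.append((current_key, name, data))
    return entries


def find_loveletter_indicators(entries):
    """Return findings for autorun entries and an IE start page that match."""
    findings = []
    for key, name, data in entries:
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith(AUTORUN_KEY_SUFFIXES):
            # Compare on the file name so the drive or folder does not matter.
            basename = d.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
            if n in AUTORUN_VALUE_NAMES or basename in AUTORUN_FILE_NAMES:
                findings.append({"key": key, "value": name, "data": data,
                                 "reason": "autorun entry matches a LoveLetter indicator"})
        elif k == IE_MAIN_KEY and n == "start page" and START_PAGE_PAYLOAD in d:
            findings.append({"key": key, "value": name, "data": data,
                             "reason": "IE start page points at WIN-BUGSFIX.exe"})
    return findings


def triage_file(path):
    """Parse a reg.exe export from disk (UTF-16) and return its findings."""
    with open(path, encoding="utf-16") as fh:
        return find_loveletter_indicators(parse_reg_export(fh.read()))


# Constructed sample export: worm-style entries next to legitimate ones.
# Paths and the URL host are placeholders, not indicators from the page.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
"WIN-BUGSFIX"="C:\\WINDOWS\\Desktop\\WIN-BUGSFIX.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/WIN-BUGSFIX.exe"
"Search Page"="http://example.invalid/search"
'''


if __name__ == "__main__":
    for hit in find_loveletter_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{hit['reason']}: [{hit['key']}] {hit['value']!r} = {hit['data']!r}")
```

Matching on both the value name and the file name matters: the value names are what the removal steps delete, but a variant that keeps the file names under a different value name would still be caught by the second test, while a legitimate entry such as the "Updater" line in the sample is left alone.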

VBS.LoveLetter.A searches the system and the mapped drives inside the network for all files with the
vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3 and mp2
extensions and overwrites them with .vbs copies of itself.
At the same time, VBS.LoveLetter.A creates a file LOVE-LETTER-FOR-YOU.HTM in the system directory
and a file "script.ini" in the mIRC directory (if it exists), so that the HTML file, which includes the virus,
is sent through mIRC to the users who join the same chat room.

The LOVE-LETTER-FOR-YOU.HTM file includes the VBS form of the virus that infects the system if the user allows
ActiveX elements from HTML pages.

It also spreads itself to all the contacts in the Outlook Address Book. The mail format is:
Subject: "ILOVEYOU"
Body: "kindly check the attached LOVELETTER coming from me."
Attachment: a copy of the virus, the file "LOVE-LETTER-FOR-YOU.TXT.vbs"