I-Worm.LoveLetter is Internet worm written in the scripting language "Visual Basic Script" (VBS). It works only on computers on which the Windows Scripting Host (WSH) is installed. In Windows 98 and Windows 2000, WHS is installed by default. The worm performs destructive actions and sends its copy bye E-mail.
After starting from the VBS file the worm searches all files on all local and mapped network drivers. For some extensions of filenames the worm does the following:
The worm also creates some files with its body in system directory.
MSKERNEL32.VBS, WIN32DLL.VBS, LOVE-LETTER-FOR-YOU.TXT.VBS
It sets appropriates keys in the system registry (Automatic run keys) with full names of files:
MSKernel32.vbs, Win32DLL.vbs
It adds system registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
The worm sends itself via E-mail. To achieve this the worm sends itself to each address from address book. It works only when the email program Outlook 97/98/2000 is installed.
The letter's subject:
ILOVEYOU
Message body:
kindly check the attached LOVELETTER coming from me.
Attached file name:
LOVE-LETTER-FOR-YOU.TXT.vbs
The virus creates a HTML dropper in Windows system directory. The HTML dropper displays the message:
This HTML file need ActiveX Control To Enable to read this HTML file - Please press 'YES' button to Enable ActiveX
After this the dropper creates the MSKERNEL32.VBS with the worm body and sets it for auto execution from system registry.
Virus analysis texts © Copyright 1996-2000 Eugene Kaspersky.