ARCHIVED: What is the ILOVEYOU worm, what does it do, and how do I detect and remove it?
This Knowledge Base document is divided into the following sections:
- What is the ILOVEYOU worm?
- What does ILOVEYOU do?
- Detecting ILOVEYOU
- How do I remove ILOVEYOU?
- More information about ILOVEYOU
What is the ILOVEYOU worm?
VBS/LoveLetter is a VBScript worm. It spreads through email as a chain letter, using the Outlook email application. ILOVEYOU is also an overwriting VBS virus, and it spreads itself using the mIRC (Internet Relay Chat) client as well.
What does ILOVEYOU do?
- When it is executed, ILOVEYOU first copies itself to the Windows system directory as MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs. It also copies itself to the Windows directory as Win32DLL.vbs.
- Then it adds itself to the registry, so it will be executed when the system is restarted. The registry keys that it adds are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
- Next, the worm replaces the Microsoft Internet Explorer home page with a link that points to an executable program called WIN-BUGSFIX.exe. If the file is downloaded, the worm adds this to the registry as well, causing the program to execute when you restart your system. The executable that the ILOVEYOU worm downloads from the web is a password-stealing Trojan horse. On startup, the Trojan tries to find a hidden window named BAROK... . If it is present, the Trojan exits immediately; if not, the main routine takes control. The Trojan checks for the "WinFAT32" subkey in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
If the "WinFAT32" subkey is not found, the Trojan creates it, copies itself to the \Windows\System\ directory as WINFAT32.EXE, and then runs the file from that location. This registry modification makes the Trojan active every time Windows starts.
- Next, the Trojan sets the Internet Explorer startup page to "about:blank". After that, the Trojan tries to find and delete the following keys:
Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
- Then the Trojan registers a new window class, creates a hidden window titled BAROK..., and remains resident in Windows memory as a hidden application. Immediately after startup, and when timer counters reach certain values, the Trojan loads the MPR.DLL library, calls the WNetEnumCachedPasswords function, and sends stolen RAS passwords and all cached Windows passwords to mailme@super.net.ph, an email address that most likely belongs to the Trojan's author. The Trojan uses the smtp.super.net.ph mail server to send email messages. The email message's subject line is "Barok... email.passwords.sender.trojan". The author's copyright message appears inside the Trojan's body:
"barok ...i hate go to school suck ->by:spyder @Copyright (c) 2000 GRAMMERSoft Group >Manila,Phils"
There are also some encrypted text messages in the Trojan's body used for its internal purposes.
- After that, the worm creates an HTML file called LOVE-LETTER-FOR-YOU.HTM in the Windows system directory. This file contains the worm, and it will be sent using mIRC whenever the user joins an IRC channel.
- Then the worm will use Outlook to mass mail itself to everyone in each address book. The message that it sends will have a "Subject:" line of "ILOVEYOU", a body that says "kindly check the attached LOVELETTER coming from me.", and an attachment called LOVE-LETTER-FOR-YOU.TXT.vbs. ILOVEYOU sends the message once to each recipient. After a message has been sent, it adds a marker to the registry and does not mass mail itself any more.
- The virus then searches for certain file types in all folders on all local and remote drives and overwrites them with its own code. The files that are overwritten have either .vbs or .vbe extensions. For all files with the following extensions, the virus will create a new file with the same name but using a .vbs extension and delete the original: .js, .jse, .css, .wsh, .sct, and .hta.
- Next, the virus adds a new file next to, and deletes the original of, all files with the following extensions: .jpg, .jpeg, .mp3, and .mp2. As an example, for a picture named pic.jpg, the virus will create a new file called pic.jpg.vbs and delete the original.
ILOVEYOU was found globally in the wild on May 4, 2000, and appears to be of Philippine origin. At the beginning of the code, the virus contains the following text:
rem barok -loveletter(vbe) <i hate go to school> rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
You can find this information on the F-Secure Corporation web site at:
http://www.f-secure.com/v-descs/love.shtml
Detecting ILOVEYOU
Current Norton/Symantec AntiVirus definitions will protect your system from all of the known variants (82 as of May 31, 2001) of the ILOVEYOU worm. For more information, see the following Knowledge Base documents:
- ARCHIVED: What is Symantec/Norton AntiVirus software, and where can I get it?
- ARCHIVED: At IU, how can I obtain Symantec/Norton AntiVirus?
- ARCHIVED: For Symantec virus protection software, what are my options for updating the virus definitions?
- ARCHIVED: Using Symantec/Norton AntiVirus Corporate Edition, how do I immediately scan a file, folder, or drive for viruses?
- ARCHIVED: In Symantec/Norton AntiVirus for Windows, how do I schedule automatic LiveUpdates and virus scans?
How do I remove the ILOVEYOU virus?
UITS recommends that you disinfect your computer using the fix developed by Symantec, which is the first option listed below. Only manually remove the virus if you are computer savvy, or do not have access to the Symantec tool.
Symantec's tool
You may access a tool provided by Symantec that will detect and remove this worm and most of its variants at:
http://service1.symantec.com/SARC/sarc.nsf/info/html/fix.vbs.loveletter.html
Follow the instructions on the page. Note that this tool will have limited effectiveness if you have been infected with the variant VBS.NewLove.A.
Manual removal
To manually remove the ILOVEYOU virus, follow these directions:
- Delete these registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
- If your Windows system directory contains the file WinFAT32.exe, delete the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
- Delete LOVE-LETTER-FOR-YOU.HTM and LOVE-LETTER-FOR-YOU.TXT.
Note: Search all non-removable drives (hard disks and network drives) for the files LOVE-LETTER-FOR-YOU.HTM and LOVE-LETTER-FOR-YOU.TXT, and delete all occurrences. Do not open these files.
- Look for the following files:
mirc32.exe mlink32.exe mirc.ini script.ini mirc.hlp
If your computer contains any of the above files, the virus will create a file called script.ini in the folder of that file. Delete all occurrences of script.ini in these folders.
- The virus will overwrite all files with the following extensions so that they contain the virus file's content:
.vbs .vbe .js .jse .css .wsh .sct .hta .jpg .jpeg .mp3 .mp2
The MS-DOS name of the files has been changed so that the file is associated with the Windows Scripting Host. This means that if you double-click or in any other way activate these files, the virus will run again. You will not be able to recreate the original contents of the files (at least not through Windows). You could try to contact a disk rescue company to help you before proceeding. If you do not choose disk rescuing measures, this leaves you with little choice but to delete all of the files of the types listed above. Possibly, you may be able to reinstall the affected applications; however, the effect on your computer could be severe.
Note: In addition to your hard disk, remember to check the network drives to which your computer has access. Check files before you delete them. Affected files will have the extension .vbs and be 11K in size. You can also use the file date as an indication, comparing it to when you received the virus.
- The virus changes the Internet Explorer start page to:
http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
You must change the Internet Explorer start page registry key back to your original start page:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
Note: If you go to that site, the virus will be launched again. You must reset this back to your original starting page.
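The behaviour description and the manual removal steps above list the same indicators: the autostart registry values, the dropped files, a script.ini placed beside mIRC files, double-extension .vbs copies such as pic.jpg.vbs, and overwritten scripts of about 11K. The following Python triage script is an added example, not part of this document or of Symantec's tool; it checks a file and registry inventory you supply (the embedded sample inventory is constructed), and it assumes a 10,000 to 12,000 byte range for the "11K" worm body.

```python
from pathlib import PureWindowsPath

# Indicators are the registry values, filenames and extensions the text above lists;
# the inventories fed in are constructed sample data, not output from a real system.
RUN_VALUES = {"MSKernel32", "Win32DLL", "WinFAT32", "WIN-BUGSFIX"}
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
           "love-letter-for-you.htm", "winfat32.exe", "win-bugsfix.exe"}
OVERWRITTEN = {".vbs", ".vbe", ".js", ".jse", ".css", ".wsh", ".sct", ".hta",
               ".jpg", ".jpeg", ".mp3", ".mp2"}
MIRC = {"mirc32.exe", "mlink32.exe", "mirc.ini", "mirc.hlp"}
WORM_SIZE = (10_000, 12_000)   # "11K" per the text, applied as an assumed heuristic range

def check_registry(entries):
    """entries: (key, value_name, data). Flags autostart values and the hijacked start page."""
    hits = []
    for key, name, data in entries:
        k = key.lower()
        if name in RUN_VALUES and (k.endswith("\\run") or k.endswith("\\runservices")):
            hits.append(f"autostart value: {key}\\{name} = {data}")
        elif name == "Start Page" and "win-bugsfix" in data.lower():
            hits.append(f"hijacked IE start page: {data}")
    return hits

def check_files(inventory):
    """inventory: (path, size_bytes). Returns one finding per suspicious file."""
    mirc_dirs = {PureWindowsPath(p).parent for p, _ in inventory
                 if PureWindowsPath(p).name.lower() in MIRC}
    hits = []
    for path, size in inventory:
        p = PureWindowsPath(path)
        name = p.name.lower()
        if name in DROPPED:
            hits.append(f"dropped worm file: {path}")
        elif name == "script.ini" and p.parent in mirc_dirs:
            hits.append(f"mIRC script.ini beside client files: {path}")
        elif name.endswith(".vbs") and PureWindowsPath(name[:-4]).suffix in OVERWRITTEN:
            hits.append(f"double extension, original deleted: {path}")
        elif p.suffix.lower() in (".vbs", ".vbe") and WORM_SIZE[0] <= size <= WORM_SIZE[1]:
            hits.append(f"script of worm-body size ({size} bytes): {path}")
    return hits

# Constructed sample inventory: dropped worm, overwritten picture, clean document, mIRC folder.
SAMPLE_FILES = [(r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", 10307), (r"C:\My Documents\pic.jpg.vbs", 10307),
                (r"C:\My Documents\report.doc", 40960), (r"C:\mirc\mirc32.exe", 900000),
                (r"C:\mirc\script.ini", 300)]
SAMPLE_REG = [(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
               "MSKernel32", r"C:\WINDOWS\SYSTEM\MSKernel32.vbs")]
if __name__ == "__main__":
    for finding in check_registry(SAMPLE_REG) + check_files(SAMPLE_FILES):
        print(finding)
```

On a real machine the inventory would come from a directory walk and a registry export; the checks themselves only read names, sizes and values, so they never execute any flagged file.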
More information about ILOVEYOU
You can find more information about the ILOVEYOU worm at the following sites:
http://service1.symantec.com/SARC/sarc.nsf/html/VBS.LoveLetter.A.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=98617
http://www.itso.iu.edu/bulletins/iloveyou.epl
This is document aioe in the Knowledge Base.
Last modified on 2018-01-18 12:51:11.