ARCHIVED: What is the ILOVEYOU worm, what does it do, and how do I detect and remove it?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

What is the ILOVEYOU worm?

VBS/LoveLetter is a VBScript worm. It spreads through email as a chain letter, using the Outlook email application. ILOVEYOU is also an overwriting VBS virus, and it spreads itself using the mIRC (Internet Relay Chat) client as well.

What does ILOVEYOU do?

  1. When it is executed, ILOVEYOU first copies itself to the Windows system directory as MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs. It also copies itself to the Windows directory as Win32DLL.vbs.
  2. Then it adds itself to the registry, so it will be executed when the system is restarted. The registry keys that it adds are:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
  3. Next, the worm replaces the Microsoft Internet Explorer home page with a link that points to an executable program called WIN-BUGSFIX.exe. If the file is downloaded, the worm adds this to the registry as well, causing the program to execute when you restart your system.

    The executable part that the ILOVEYOU worm downloads from the web is a password-stealing Trojan horse. On startup, the Trojan tries to find a hidden window named BAROK.... If it is present, the Trojan exits immediately; if not, the main routine takes control. The Trojan checks for the "WinFAT32" subkey in the following registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    If the "WinFAT32" subkey is not found, the Trojan creates it, copies itself to the \Windows\System\ directory as WINFAT32.EXE, and then runs the file from that location. The above registry key modification makes the Trojan become active every time Windows starts.

  4. Next, the Trojan sets the Internet Explorer startup page to "about:blank". After that, the Trojan tries to find and delete the following keys:
      Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
      Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
      .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
      .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
  5. Then the Trojan registers a new window class, creates a hidden window titled BAROK..., and remains resident in Windows memory as a hidden application.

    Immediately after startup and when timer counters reach certain values, the Trojan loads the MPR.DLL library, calls the WNetEnumCachedPasswords function, and sends stolen RAS passwords and all cached Windows passwords to mailme@super.net.ph, an email address that most likely belongs to the Trojan's author. The Trojan uses the smtp.super.net.ph mail server to send email messages. The email message's subject line is "Barok... email.passwords.sender.trojan".

    The author's copyright message appears inside the Trojan's body:

    "barok ...i hate go to school suck ->by:spyder @Copyright (c) 2000 GRAMMERSoft Group >Manila,Phils"

    There are also some encrypted text messages in the Trojan's body used for its internal purposes.

  6. After that, the worm creates an HTML file called LOVE-LETTER-FOR-YOU.HTM in the Windows system directory. This file contains the worm, and it will be sent using mIRC whenever the user joins an IRC channel.
  7. Then the worm will use Outlook to mass mail itself to everyone in each address book. The message that it sends will have a "Subject:" line of "ILOVEYOU", a body that says "kindly check the attached LOVELETTER coming from me.", and an attachment called LOVE-LETTER-FOR-YOU.TXT.vbs. ILOVEYOU sends the message once to each recipient. After a message has been sent, it adds a marker to the registry and does not mass mail itself any more.
  8. The virus then searches for certain file types on all folders on all local and remote drives and overwrites them with its own code. The files that are overwritten have either .vbs or .vbe extensions. The virus will create a new file with the same name but using a .vbs extension and delete the original for all files with the following extensions: .js, .jse, .css, .wsh, .sct, and .hta.
  9. Next, the virus adds a new file next to, and deletes the original of, all files with the following extensions: .jpg, .jpeg, .mp3, and .mp2. As an example, for a picture named pic.jpg, the virus will create a new file called pic.jpg.vbs and delete the original.

ILOVEYOU was found globally in the wild on May 4, 2000, and appears to be of Philippine origin. At the beginning of the code, the virus contains the following text:

  rem  barok -loveletter(vbe) <i hate go to school>
  rem       by: spyder  /  ispyder@mail.com  /  @GRAMMERSoft Group  /  Manila,Philippines

You can find this information on the F-Secure Corporation web site at:

  http://www.f-secure.com/v-descs/love.shtml
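
The file-system traces listed in the steps above can be checked without opening or running any of the files. The following Python script is an added example, not part of the original Knowledge Base document or of any vendor tool; the function names and reason labels are illustrative, and the file names and header text it looks for are the ones quoted on this page.

```python
import os

# Names the worm and its Trojan drop, per the description above (case-insensitive).
DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
           "love-letter-for-you.htm", "win-bugsfix.exe", "winfat32.exe"}
# Media types replaced by "<name>.<ext>.vbs" copies (step 9).
MEDIA_EXT = (".jpg", ".jpeg", ".mp3", ".mp2")
# Comment text at the beginning of the worm's code, as quoted on this page.
MARKER = b"barok -loveletter(vbe)"

def classify(path):
    """Return the reasons why `path` looks like a LoveLetter artifact."""
    name = os.path.basename(path).lower()
    reasons = []
    if name in DROPPED:
        reasons.append("dropped-name")
    stem, ext = os.path.splitext(name)
    if ext == ".vbs" and stem.endswith(MEDIA_EXT):
        reasons.append("media-double-extension")
    if ext in (".vbs", ".vbe"):
        try:
            with open(path, "rb") as fh:
                head = fh.read(512)  # read only; the script is never executed
        except OSError:
            head = b""
        if MARKER in head.lower():
            reasons.append("worm-header")
    return reasons

def scan(root):
    """Walk `root` and return {relative_path: reasons} for suspicious files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = classify(full)
            if reasons:
                hits[os.path.relpath(full, root)] = reasons
    return hits

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, why in sorted(scan(root).items()):
        print(f"{rel}: {', '.join(why)}")
```

Variants change the file names and header text, so a clean result from this scan does not replace current antivirus definitions.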

Detecting ILOVEYOU

Current Norton/Symantec AntiVirus definitions will protect your system from all of the known variants (82 as of May 31, 2001) of the ILOVEYOU worm.

How do I remove the ILOVEYOU virus?

UITS recommends that you disinfect your computer using the fix developed by Symantec, which is the first option listed below. Only manually remove the virus if you are computer savvy, or do not have access to the Symantec tool.

Symantec's tool

You may access a tool provided by Symantec that will detect and remove this worm and most of its variants at:

  http://service1.symantec.com/SARC/sarc.nsf/info/html/fix.vbs.loveletter.html

Follow the instructions on the page. Note that this tool will have limited effectiveness if you have been infected with the variant VBS.NewLove.A.

Manual removal

To manually remove the ILOVEYOU virus, follow these directions:

Warning:
This contains instructions for editing the registry. If you make any error while editing the registry, you can potentially cause Windows to fail or be unable to boot, requiring you to reinstall Windows. Edit the registry at your own risk. Always back up the registry before making any changes. If you do not feel comfortable editing the registry, do not attempt these instructions. Instead, seek the help of a computing support provider.
  1. Delete these registry entries:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL 
  2. If your Windows system directory contains the file WinFAT32.exe, delete the following registry entries:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX 
      HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page 
  3. Delete LOVE-LETTER-FOR-YOU.HTM and LOVE-LETTER-FOR-YOU.TXT.

    Note: Search all non-removable drives (hard disks and network drives) for the files LOVE-LETTER-FOR-YOU.HTM and LOVE-LETTER-FOR-YOU.TXT, and delete all occurrences. Do not open these files.

  4. Look for the following files:
      mirc32.exe  mlink32.exe  mirc.ini  script.ini  mirc.hlp 
    If your computer contains any of the above files, the virus will create a file called script.ini in the folder of that file. Delete all occurrences of script.ini in these folders.
  5. The virus will overwrite all files with the following extensions so that they contain the virus file's content:
      .vbs  .vbe   .js  .jse   .css  .wsh  
      .sct  .hta  .jpg  .jpeg  .mp3  .mp2
    The MS-DOS name of the files has been changed so that the file is associated with the Windows scripting host. This means that if you double-click or in any other way activate these files, the virus will run again. You will not be able to recreate the original contents of the files (at least not through Windows). You could try to contact a disk rescue company to help you before proceeding.

    If you do not choose disk rescuing measures, this leaves you with little choice but to delete all of the files of the type listed above. Possibly, you may be able to reinstall the affected applications; however, the effect on your computer could be severe.

    Note: In addition to your hard disk, remember to check the network drives to which your computer has access. Check files before you delete them. Affected files will have extension .vbs and be 11K in size. You can also use the file date as an indication, comparing it to when you received the virus.

  6. The virus changes the Internet Explorer start page to:
      http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
    You must change the following Internet Explorer registry key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
    Note: If you go to that site, the virus will be launched again. You must reset this key back to your original starting page.
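
The registry entries named in the steps above can be reviewed from a registry export before anything is deleted. The following Python script is an added example, not part of the original document or of Symantec's tool; it assumes the export has been saved as text in regedit's "name"="data" format, and the function name, sample export and placeholder URL are constructed for illustration.

```python
import re

# Persistence values named on this page: (key suffix, value name), lower-cased.
RUN = r"software\microsoft\windows\currentversion\run"
BAD_VALUES = {(RUN, "mskernel32"), (RUN + "services", "win32dll"),
              (RUN, "win-bugsfix"), (RUN, "winfat32")}
IE_MAIN = r"software\microsoft\internet explorer\main"
# One string value line of a regedit export: "name"="data"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_loveletter_entries(reg_text):
    """Return sorted (key, value name) pairs in export text that match the page."""
    hits, key = set(), None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]            # current registry key, hive included
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name, data, k = m.group(1), m.group(2), key.lower()
        # Suffix match so HKLM, HKCU and .DEFAULT copies are all covered.
        if any(k.endswith("\\" + s) and name.lower() == v for s, v in BAD_VALUES):
            hits.add((key, name))
        # Start page still pointing at the downloaded executable.
        if (k.endswith("\\" + IE_MAIN) and name.lower() == "start page"
                and "win-bugsfix.exe" in data.lower()):
            hits.add((key, name))
    return sorted(hits)

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://placeholder.invalid/WIN-BUGSFIX.exe"
'''

if __name__ == "__main__":
    for key, name in find_loveletter_entries(SAMPLE):
        print(f"{key}\\{name}")
```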

More information about ILOVEYOU

You can find more information about the ILOVEYOU worm at the following sites:

  http://service1.symantec.com/SARC/sarc.nsf/html/VBS.LoveLetter.A.html

  http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=98617

  http://www.itso.iu.edu/bulletins/iloveyou.epl

This is document aioe in the Knowledge Base.
Last modified on 2018-01-18 12:51:11.