"To love or not to love?.."

03 May 2000
Virus News

Don't use the computer to find the answer.

Cambridge, UK, May 4, 2000 - Kaspersky Lab Int., a fast-growing international anti-virus software development company, warns about the discovery of the new dangerous worm named I-Worm.LoveLetter. The worm has been found "in-the-wild" and poses a real threat to the computer users. Unknown malefactors have spread an infected "declaration of love" all over the world. It took only a few hours on 4th of May for the worm to infect thousands of computers in many countries.

Detection and disinfection for this worm has been added to Kaspersky Lab's AntiViral Toolkit Pro (AVP).

Spreading and detection:

A user receives an emailwith the subject "ILOVEYOU" and the text message "kindly check the attached LOVELETTER coming from me.."

There is also an attachment called LOVE-LETTER-FOR-YOU.TXT.vbs.

Destructive actions:

After opening the attachment the worm scans all local and mapped network drives for files with extensions VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, JPG, JPEG, MP2, MP3 and writes its worm body over those files thus making them irrevocably lost.

The worm I-Worm.LoveLetter creates two copies of itself, naming them Win32.dll.vbs and MSKernel32.vbs and places them in Windows directory. The worm then registers itself in system registry so that it starts every time during windows boot. When the worm is active, it looks through an address book in order to send its body further - to all recipients found. Thus the worm requires only a few minutes to distribute itself to all of your friends and partners and to irretrievably destroy some possibly useful files. Methods of protection:

DO NOT OPEN THE EMAIL WITH THE SUBJECT "ILOVEYOU"

and more importantly

DO NOT RUN THE ATTACHED FILE LOVE-LETTER-FOR-YOU.TXT.vbs.

If however you have opened the attachment and received a long-awaited declaration of love, you should visit the Kaspersky Lab web site http://www.kasperskylabs.com, where you will find the antidote for this dangerous worm. To remove the worm from an infected computer update the AVP anti-virus database with the latest daily update and scan all drives. AVP will effectively detect and neutralise I-Worm.LoveLetter.

Technical description