The "LoveLetter" Never Dies

26 Feb 2001
Virus News

Kaspersky Lab sends out a warning about the new modification of the LoveLetter worm

Cambridge, United Kingdom, February 27, 2001 - Kaspersky Lab, an international data-security, software-development company, warns computer users about the possible recurrence of the epidemic of the LoveLetter worm caused by its new modification - "Myba"! Kaspersky Lab has already received several reports of the worm "in-the-wild".

"Myba" arrives as an EXE file written in Visual Basic programming language, afterwards compiled into an EXE application. Portions of the worm's code are very clearly based on the infamously-known "LoveLetter" worm as some of their routines are nearly identical.

"Myba" spreads via e-mail messages containing the infected attached file MYBABYPIC.EXE. The message appears as follows:

The Subject: My baby pic !!!
Message body: Its my animated baby picture !!
Attached file name: mybabypic.exe

When the attached file is run, the worm registers itself in the system and distributes its copies, unbeknownst to the user, to all e-mail addresses found in the MS Outlook address book. The subject, message-body and name of the attached file are the same as aforementioned.

When installing into the system, "Myba" creates a set of files in the Windows system folder containing the worm's copies, and registers them in the startup section of the Windows system registry. This allows the worm to be executed each time the computer is started.

"Myba" carries a very dangerous payload that can easily destroy important data on your computer. Depending on the current time and date, "Myba":

  • switches on/off NumLock, CapLock and ScrollLock keys
  • sends to keyboard buffer the message: ".IM_BESIDES_YOU_"
  • connects the http://www.youvebeenhack.com site and sends there one of the following texts messages:
    FROM BUGGER
    HAPPY VALENTINES DAY FROM BUGGER
    HAPPY HALLOWEEN FROM BUGGER

"Myba" also enumerates all the available disk drives, and corrupts files having the following extensions: VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, PBL, CPP, PAS, C, H, JPG, JPEG, MP2, and MP3.

Protection against "Myba" has already been added to the KasperskyTM Anti-Virus daily anti-virus database update. More details about the worm are available at Kaspersky's Virus Encylopedia.

Kaspersky Anti-Virus can be purchased in the Kaspersky Lab online store or from a worldwide network of Kaspersky Anti-Virus distributors and resellers.