This information was found at http://www.cai.com/
VBS/LoveLetter.A worm
Letter is a Visual Basic Script (VBS) VBS based e-mail worm. It arrives as an attachment of an e-mail with the subject line
ILOVEYOU
The e-mail body reads:
kindly check the attached LOVELETTER coming from me.
And the e-mail has a attachment called
LOVE-LETTER-FOR-YOU.TXT.vbs
Depending on the system configuration the extension .VBS might be displayed or not displayed.
If you receive an e-mail that fits the above description do not open the attachment. Delete the e-mail right away.
The worm spreads itself by generating an e-mail like described above, attaching itself and send that e-mail to all recipients in all Outlook address books. In big organizations the volume of e-mail generated has the potential to overload e-mail servers.
The worm will spread targeting Windows 98, Windows 2000 by default and Windows NT 4.0 and Windows 95 if the Windows Scripting Host (WSH) engine is installed. The worm will copy itself to multiple subdirectories using different names.
In the Windows directory the name is Win32DLL.vbs, in the Windows system directory the names are MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs.
The worm modifies the registry information to make itself run during next boot-up:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32=C:\WINDOWS\SYSTEM\MSKernel32.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL=C:\WINDOWS\Win32DLL.vbs
Also, it sets the default page of Internet Explorer to download a copy of WIN_BUGFIX.exe, which appears to be a backdoor server. The actual location of the files on the Web are currently shut down.
The executable will be renamed and installed to run on start-up as well:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=C:\WINDOWS\SYSTEM\WinFAT32
It searches through the all subdirectories and overwrites all files with the extensions JPG, VBS, JS, JSE, CSS, WSH, SCT, HTA, MP3, MP2 with its own copy and adding the extension VBS. A file called Satisfaction.MP3 would become Satisfaction.MP3.VBS. Next time the affected file is clicked or activated the worm will start.
If the Internet Relay Chat (IRC) client is present in the system the worm will generate an HTML file to send itself over the IRC channels. InoculateIT signature update 11.16 detects all components of the VBS/LoveLetter.A worm. To guarantee protection, that VBS files are included in the list of files to scan. To clean an infected system all detected files have to be deleted and the registry keys mentioned above has to be removed.
To remove the registry key,
The link is http://www.cai.com/virusinfo/encyclopedia/descriptions/reg/loveletter.reg
