How the 'love' virus works

The script worm arrives in an e-mail message with the subject "ILOVEYOU" and carries an attached file titled LOVE-LETTER-FOR-YOU.TXT.vbs and the text "kindly check the attached LOVELETTER coming from me."

Because it is based on Visual Basic script, the worm infects only computers that have Visual Basic, which is included with Windows 2000.

If the attachment is opened, the worm inserts the following files: MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows system directory; Win32DLL.vbs in the Windows directory; WinFAT32.EXE and WIN-BUGSFIX.EXE in the Internet download directory; and script.ini in the mIRC directory.
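An added example, not part of the original report: a Python check that walks a directory tree for the file names listed above and also flags the document-then-script double extension seen in LOVE-LETTER-FOR-YOU.TXT.vbs. The extension lists, the function names and the mIRC directory-name test are assumptions made for illustration.

```python
import os

# Names and locations as the article lists them (compared case-insensitively).
DROPPED = {
    "mskernel32.vbs": "Windows system directory",
    "love-letter-for-you.txt.vbs": "Windows system directory",
    "win32dll.vbs": "Windows directory",
    "winfat32.exe": "Internet download directory",
    "win-bugsfix.exe": "Internet download directory",
}
# Assumption: these extension lists are illustrative, not exhaustive.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf"}


def is_deceptive_name(filename):
    """True when a script extension hides behind a document-like one (x.TXT.vbs)."""
    stem, last = os.path.splitext(filename.lower())
    inner = os.path.splitext(stem)[1]
    return last in SCRIPT_EXTS and inner in DECOY_EXTS


def scan_tree(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(folder, name), root)
            key = name.lower()
            if key in DROPPED:
                findings.append((rel, "dropped file: " + DROPPED[key]))
            elif key == "script.ini" and "mirc" in os.path.basename(folder).lower():
                # script.ini is a normal mIRC file name, so this needs manual review.
                findings.append((rel, "review: script.ini in mIRC directory"))
            elif is_deceptive_name(name):
                findings.append((rel, "double extension"))
    return sorted(findings)


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree (empty files), not data from a real host.
    with tempfile.TemporaryDirectory() as root:
        for rel in ("WINDOWS/SYSTEM/MSKernel32.vbs", "mirc/script.ini", "docs/notes.txt"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        for finding in scan_tree(root):
            print(finding)
```

A name match alone is not proof of infection; script.ini in particular is reported only as an item to review.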

The file WIN-BUGSFIX.exe is a back door created in the Philippines that collects the network passwords cached in Microsoft Corp.'s Windows operating system and then sends them to an attacker's Web site when the infected user connects to the Internet.

When it first was detected, the worm also would go out to four different Internet sites and pull software from those to download on infected computers, allowing hackers to possibly break into those computers, said Narender Mangalam, director of security at Computer Associates International Inc. The Internet sites have been shut down.

Users are advised to immediately delete the message and the attached file. Mangalam further advised that computer users immediately update antivirus software.

— Dan Verton contributed to this report.
