How the 'love' virus works

The script worm arrives in an e-mail message with the subject "ILOVEYOU"

and carries an attached file titled LOVE-LETTER-FOR-YOU.TXT.vbs and the

text "kindly check the attached LOVELETTER coming from me."

Because it is based on Visual Basic script, the worm infects only computers

that have Visual Basic, which is included with Windows 2000.

If the attachment is opened, the worm inserts the following files: MSKernel32.vbs

and LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows system directory; Win32DLL.vbs

in the Windows directory; WinFAT32.EXE and WIN-BUGSFIX.EXE in the Internet

download directory; and script.ini in the mIRC directory.

The file WIN-BUGSFIX.exe is a back door created in the Philippines that

collects the network passwords cached in Microsoft Corp.'s Windows operating

system and then sends them to an attacks Web site when the infected user

connects to the Internet.

When it first was detected, the worm also would go out to four different

Internet sites and pull software from those to download on infected computers,

allowing hackers to possibly break into those computers, said Narender Mangalam,

director of security at Computer Associates International Inc. The Internet

sites have been shut down.

Users are advised to immediately delete the message and the attached

file. Mangalam further advised that computer users immediately update antivirus

software.

— Dan Verton contributed to this report.

Featured

  • People
    Federal 100 logo

    Announcing the 2021 Federal 100 Award winners

    Meet the women and men being honored for their exceptional contributions to federal IT.

  • Comment
    Diverse Workforce (Image: Shutterstock)

    Who cares if you wear a hoodie or a suit? It’s the mission that matters most

    Responding to Steve Kelman's recent blog post, Alan Thomas shares the inside story on 18F's evolution.

Stay Connected