How the 'love' virus works
- By IDG News Service
- May 04, 2000
The script worm arrives in an e-mail message with the subject "ILOVEYOU"
and carries an attached file titled LOVE-LETTER-FOR-YOU.TXT.vbs and the
text "kindly check the attached LOVELETTER coming from me."
Because it is based on Visual Basic script, the worm infects only computers
that have Visual Basic, which is included with Windows 2000.
If the attachment is opened, the worm inserts the following files: MSKernel32.vbs
and LOVE-LETTER-FOR-YOU.TXT.vbs in the Windows system directory; Win32DLL.vbs
in the Windows directory; WinFAT32.EXE and WIN-BUGSFIX.EXE in the Internet
download directory; and script.ini in the mIRC directory.
The file WIN-BUGSFIX.exe is a back door created in the Philippines that
collects the network passwords cached in Microsoft Corp.'s Windows operating
system and then sends them to an attacks Web site when the infected user
connects to the Internet.
When it first was detected, the worm also would go out to four different
Internet sites and pull software from those to download on infected computers,
allowing hackers to possibly break into those computers, said Narender Mangalam,
director of security at Computer Associates International Inc. The Internet
sites have been shut down.
Users are advised to immediately delete the message and the attached
file. Mangalam further advised that computer users immediately update antivirus
— Dan Verton contributed to this report.