A new virus is spreading rapidly through email as a file attachment targeted at Outlook and Internet Explorer users. The newly discovered virus is a Visual Basic (VB) script that arrives attached to a message with a subject line that reads "ILOVEYOU." Vendors have dubbed the new virus "Love Letter."
The email, shown in Screen 1, contains one line of text and the virus file attachment. The text reads "kindly check the attached LOVELETTER coming from me" and the attached file, named "LOVE-LETTER-FOR-YOU.TXT.VBS," is a VB script designed to replicate the virus and destroy particular files on the infected system.
The virus spreads by opening the built-in address book and sending copies of itself to all listed email addresses. In addition, the virus searches the computer for the mIRC chat client; if it detects this software, it creates a script.ini file for mIRC that attempts to spread the virus via HTML to other chat users over direct chat channels (dcc).
The virus makes copies of itself in several files under the main Windows directory (Win32dll.vbs, mskernel32.vbs, and love-letter-for-you.txt.vbs) and modifies Registry keys so that the virus triggers when you boot the system. The keys are Run and RunServices, which are located under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion in the Registry. In addition, if an infected system contains the file winfat32.exe, the virus resets the default home page of Internet Explorer (IE) so that it points to one of four randomly selected Web sites that contain a Trojan backdoor in the form of a file named win-bugsfix.exe. If users open IE and let the browser download the Trojan to disk, the virus will install the backdoor by causing the executable to run during system startup. Once you download the Trojan, IE's default home page resets to display a blank page. Once the Trojan executes, it overwrites the original winfat32.exe file. The Web sites that contained the Trojan were inactive at the time of this writing, but were located on the www.skyinet.net Web server.
Furthermore, the virus searches the computer for all files with certain extensions and overwrites those files with copies of the virus. Extensions searched for include VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, JPG, JPEG, MP3, and MP2.
If you receive a copy of this virus via email, you should delete it to prevent accidental execution. However, if you'd like to learn more about how the virus actually works, you can save the email attachment to a text file and open it with Notepad to inspect the actual VB code.
To help prevent infection from script- or HTML-based viruses in the future, be sure to adjust the properties of your Outlook client so that all email is processed under the Restricted Sites zone. Also, be sure to set Attachment Security to High and disable all forms of Active Scripting in the normal Internet Zone.
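The attachment described above hides its .VBS script extension behind a .TXT decoy, which a mail filter can catch from the filename alone. The following check is an added example, not code from the original article or from any vendor; the decoy-extension list, the function names, and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Script types taken from the extension list above.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}
# Harmless-looking decoy extensions (assumed list, extend as needed).
DECOY_EXTS = {"txt", "doc", "jpg", "jpeg", "gif", "mp3"}

def classify(filename):
    """Return 'disguised-script', 'script', or None for an attachment name."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "disguised-script"
    return "script"

def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and list (filename, verdict) findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # None for bodies and containers
        verdict = classify(name) if name else None
        if verdict:
            findings.append((name, verdict))
    return findings

# Constructed sample message; the attachment body is a placeholder.
SAMPLE = (
    b"From: alice@example.com\r\n"
    b"Subject: ILOVEYOU\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\n"
    b"kindly check the attached LOVELETTER coming from me\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.VBS"\r\n\r\n'
    b"placeholder\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n"
    b'Content-Disposition: attachment; filename="notes.txt"\r\n\r\n'
    b"hello\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE):
        print(f"{verdict}: {name}")
```

A gateway would typically quarantine both verdicts and raise the priority of "disguised-script", since a decoy extension indicates an attempt to mislead the recipient.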