National Infrastructure Protection Center Information System Alert (Alert 00-041F) (LOVE-LETTER-FOR-YOU) Also known as the LOVE BUG VIRUS and variants; UPDATE as of 1900 (EDT) 9 May 2000 As of 9 May 2000, thirteen new variants of the LOVE BUG worm have been identified. Preliminary information is provided here for six of the new variants, N through S. As soon as analysis is complete on the next seven variants T through Z, the NIPC will release further updates. These variants may behave differently than the original worm and may impact different files. Refer to Alert series 41a-e for information on variants A through M. N. VBS.LoveLetter.N (also known as Virus Warning) Attachment: IMPORTANT.TXTvbs Subject: Variant Test Message Body: This is a variant to the vbs virus. Notes: This variant copies itself as sndvol32.vbs and IEAKDLL.vbs. The Internet Explorer start page was modified to http://altalavista.box.sk. It also does not download the password stealing Trojan. However the virus still overwrites *.mpg, *.mpeg, *.avi, *.qt, *.qtm files. This variant also sends the file important.htm into Internet chat rooms via IRC. O. VBS.LoveLetter.O (Same as the original) Attachment: LOVE-LETTER-FOR-YOU.TXT Subject: ILOVEYOU Message Body: kindly check the attached LOVELETTER coming from me. Misc Notes: The file script.ini, which it sends into Internet chat rooms, has a modified comment line. P. VBS.LoveLetter.P ( also known as Yeah Yeah) Attachment: Vir-Killer.vbs Subject: Yeah, Yeah another time to DEATH... Message Body: This is the Killer for VBS.LOVE-LETTER.WORM Notes: This variant sets the Internet Explorer start page to http://www.yahoo.com/Vir-Killer.exe. It does not download the password stealing Trojan. This variants also overwrites *.ZIP and *.RAR files instead of *.JPG and *.JPEG files. It hides *.PAS and *.ASM files instead of *.MP3 and *.MP2 files. Q. VBS.LoveLetter.Q (also known as LOOK!) Attachment: LOOK.vbs Subject: LOOK! Message Body: hehe...check this out. Notes: Copies itself as MSUser32.vbs and User32DLL.vbs. The variant also overwrites *.XLS and *.MDB files instead of *.JPG and *.JPEG files. The variant hides *.EXE and *.LNK files instead of *.MP3 and *.MP2 files. The variant changes the HTM file to LOOK.HTM R. VBS.LoveLetter.R (also known as Bewerbung) Attachment: BEWERBUNG.TXT.vbs Subject: Bewerbung Kreolina Message Body: Sehr geehrte Damen und Herren! Note: This variant sends a copy of BEWERBUNG.HTM into a connected Internet chat room. S. VBS.LoveLetter.S (Same as the Original version) Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs Subject: ILOVEYOU Message Body: kindly check the attached LOVELETTER coming from me Note: Several comment lines have been added. The FBI has opened an investigation into this activity. NIPC alerts and additional information on this worm, as they become available, will be posted to the NIPC's webpage. Please report any evidence of infection to your local FBI office, NIPC, military, or civilian computer incident response group, as appropriate. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/5/6. _________________________________________________________________ [ [1]Back to Advisories, Alerts and Warnings ] References 1. http://www.fbi.gov/nipc/nipcaaw.htm