FRISK Software International

Virus Info > Virus Threats > LoveLetter.AS


Summary of VBS/LoveLetter.AS
Alias:Plan, Colombia
Discovered: 1 May 2000
Distribution:High
Infection Method:Infected e-mail attachments
 
Jump to:
Brief description
Technical description

Brief Description
Information about the original VBS/LoveLetter.A is available at:
http://www.f-prot.com/virusinfo/descriptions/loveletter.html


Technical Description
VBS/LoveLetter.AS spreads in messages with the following characteristics: 


 Subject:    US PRESIDENT AND FBI SECRETS
               =PLEASE VISIT =>(http://WWW.2600.COM)<=


 Body:       VERY JOKE..! SEE PRESIDENT AND FBI TOP
               SECRET PICTURES..


 Attachment: (random_name.ext).vbs
Subject or body - or both - might contain only a string of random upper case characters. The length of the random subject is 6 characters, and the length of the random body is 10 characters.

The attachment name is also random and the length is from 4 to 8 characters. The extension is chosen from one of the following: 

    .GIF.vbs
    .BMP.vbs
    .JPG.vbs
When the worm is executed, it replaces all files from every drive in the same way the VBS/LoveLetter.A virus does. The worm also copies itself to Windows System directory as "linux32.vbs". This file is added to the registry and executed in every system startup.

This variant has an additional payload. It activates in September 17th, when the worm shows a message box with the following text: 

    Dedicated to my best brother=>Christiam Julian(C.J.G.S.)
    Att.  (random_string)   (M.H.M. TEAM)
After the message box has been shown, the worm disconnects all network drives from E: to Z:.


[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]
 
Virus Info by Platform

Virus Info by Letter:

F-PROT Antivirus Alerts
Stay up to date with important developments via e-mail.
more...
Life cyle policy
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
more...
RSS News Feeds
Virus news and information directly to your desktop.
more...
Glossary of Terms
Definitions of common antivirus terminology.
more...
More Virus Info
For further virus information, please try our partners' websites:

Authentium

perComp Verlag
(in German)
 

agoat@klaki.net argentina@f-prot.com argentina@frisk.is argentina@complex.is argentina@f-prot.is argentina@frisk-software.com argentina@f-prot.net argentina@f-prot.co.uk brazil@f-prot.com brazil@frisk.is brazil@complex.is brazil@f-prot.is brazil@frisk-software.com brazil@f-prot.net brazil@f-prot.co.uk malta@f-prot.com malta@frisk.is malta@complex.is malta@f-prot.is malta@frisk-software.com malta@f-prot.net malta@f-prot.co.uk a.bjani@f-prot.com a.bjani@frisk.is a.bjani@complex.is a.bjani@f-prot.is a.bjani@f-prot.co.uk a.bjani@frisk-software.com a.bjani@f-prot.net z.fifl@f-prot.com z.fifl@frisk.is z.fifl@complex.is z.fifl@f-prot.is z.fifl@f-prot.co.uk z.fifl@frisk-software.com z.fifl@f-prot.net strumpuri@complex.is strumpure@complex.is strumpuru@complex.is 00a@eircom.net 0maaahonyy@eircom.net 950@eircom.net af@eircom.net am@eircom.net ar@eircom.net as@eircom.net b1@eircom.net boss3@eircom.net ceih@eircom.net cera@eircom.net chxe@eircom.net cs@eircom.net cydw@eircom.net d71@eircom.net dpfy@eircom.net dzuv@eircom.net ehpa@eircom.net epin@eircom.net f1@eircom.net fa@eircom.net fdld@eircom.net fdnv@eircom.net gacg@eircom.net gafj@eircom.net gc@eircom.net gz@eircom.net ha@eircom.net he@eircom.net ia@eircom.net ja@eircom.net k2@eircom.net lleahy6@eircom.net m1@eircom.net no@eircom.net pb@eircom.net qq@eircom.net r6oo@eircom.net ra@eircom.net s2@eircom.net t2@eircom.net ua@eircom.net va@eircom.net vb@eircom.net w2@eircom.net ww2@eircom.net xxxkiss@eircom.net y1@eircom.net ya@eircom.net zz@eircom.net