VBS, VBE:
Overwrites files with the worm body.
JS, JSE, CSS, VSH, HST, HTA:
Creates a new file with the original filename and extension .VBS and deletes the original
file.
JPG, JPEG:
Creates a new file with extension .VBS (adds this extension to the old file name and
extension), e.g. PIC1.JPG.VBS. Writes the worm body to it and deletes the original
file.
MP2, MP3:
Creates a new file with extension .VBS (added to the old file name, see above for
details). It writes its body to it and sets the file attribute "hidden" on
the original file.
MIRC32.EXE, MLINK32.EXE, SCRIPT.INI, MIRC.HLP, MIRC.INI:
If one of these files is found, the worm creates the file SCRIPT.INI in the
directory where the found file resides.
The worm also creates some files with its body in the system directory:
MSKERNEL32.VBS, WIN32DLL.VBS, LOVE-LETTER-FOR-YOU.TXT.VBS
It sets the appropriate keys in the system registry (automatic run keys) with the full names of the files:
MSKernel32.vbs, Win32DLL.vbs
It adds system registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
The letter's subject:
ILOVEYOU
Message body:
kindly check the attached LOVELETTER coming from me.
Attached file name:
LOVE-LETTER-FOR-YOU.TXT.vbs
The virus creates an HTML dropper in the Windows system directory. The HTML dropper displays the message:
This HTML file need ActiveX Control To Enable to read this HTML file - Please press 'YES' button to Enable ActiveX
After this, the dropper creates MSKERNEL32.VBS with the worm body and sets it for automatic execution from the system registry.
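
The file-system traces listed above can be checked for on a suspect volume. The following triage script is an added example, not part of the original description: it flags the dropped file names, the NAME.EXT.VBS copies left beside or in place of JPG/JPEG/MP2/MP3 files, and a SCRIPT.INI sitting next to mIRC files. The function names and reason labels are assumptions chosen for this example.

```python
import os

# File names and extensions below are taken from the description above.
MEDIA_EXTS = {".jpg", ".jpeg", ".mp2", ".mp3"}
DROPPED_NAMES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs"}
MIRC_FILES = {"mirc32.exe", "mlink32.exe", "mirc.hlp", "mirc.ini"}


def classify_dir(dirpath, filenames):
    """Return (path, reason) findings for the files of one directory."""
    findings = []
    present = {f.lower() for f in filenames}
    for name in filenames:
        low = name.lower()
        path = os.path.join(dirpath, name)
        if low in DROPPED_NAMES:
            findings.append((path, "dropped-copy-name"))
            continue
        stem, ext = os.path.splitext(low)
        if ext == ".vbs" and os.path.splitext(stem)[1] in MEDIA_EXTS:
            # JPG/JPEG originals are deleted; MP2/MP3 originals stay (hidden).
            state = "original-present" if stem in present else "original-missing"
            findings.append((path, "double-extension:" + state))
        elif low == "script.ini" and present & MIRC_FILES:
            # A legitimate mIRC script.ini can exist; flag it for manual review.
            findings.append((path, "script.ini-beside-mirc"))
    return findings


def scan(root):
    """Walk root and collect findings from every directory, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        findings.extend(classify_dir(dirpath, files))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(reason, path, sep="\t")
```

Files whose extension was replaced outright (the JS, JSE, CSS, VSH, HST, HTA case) leave no name-based trace and are not covered by this check.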
Virus analysis texts © Copyright 1996-2000 Eugene Kaspersky.