also propagates using mIRC by modifying the "script.ini" file. After
connecting to a chat server using mIRC, the virus sends a copy of itself to all
users in the chat room in "LOVE-LETTER-FOR-YOU.HTM".
is a destructive virus. It updates and creates registry keys, overwrites
files with certain extensions with the virus code itself, and changes your
Internet Explorer starting page. Although compared to Melissa because of some
very general similarities in the way in which it is forwarded, it is far worse
because of its destructive nature and its ability to run every time you start
of the major anti-virus product vendors have information about LOVELETTER.A
(although some of the information is conflicting) and a synopsis of the actions
and counteractions from a variety of sources is below. The actual VB script file
is also included below.
infects Windows NT/98/95 systems with Windows Scripting Host (WSH) installed;
reportedly it will also affect Mac running Windows in Virtual PC mode. The virus
searches all local and network-mapped drives for files with
also copies itself into the following files:
modifies the registry so that the virus is run whenever Windows starts up by
creating the following keys:
virus searches for a file named "WinFAT32.exe" in the
<root>:\windows\system folder/directory. If the file exists, it modifies
Internet Explorerís startup page to one of several Web sites with the file
"WIN-BUGSFIX.exe" (it selects the site randomly from a list of four).
Norton AntiVirus detects the downloaded "WIN-BUGSFIX.exe" as
PWSteal.LoveLetter, another virus.
also searches for a file named "WIN-BUGSFIX.exe" in the
<root>:\windows\system folder/directory. If the file does not exist, it
modifies Internet Explorerís startup page to the "about:blank" page
and creates the registry key:
Return to Menu