Affected Programs

LOVELETTER.A also propagates using mIRC by modifying the "script.ini" file. After connecting to a chat server using mIRC, the virus sends a copy of itself to all users in the chat room in "LOVE-LETTER-FOR-YOU.HTM".

 LOVELETTER.A is a destructive virus. It updates and creates registry keys, overwrites files with certain extensions with the virus code itself, and changes your Internet Explorer starting page. Although compared to Melissa because of some very general similarities in the way in which it is forwarded, it is far worse because of its destructive nature and its ability to run every time you start Windows.

All of the major anti-virus product vendors have information about LOVELETTER.A (although some of the information is conflicting) and a synopsis of the actions and counteractions from a variety of sources is below. The actual VB script file is also included below.

LOVELETTER.A infects Windows NT/98/95 systems with Windows Scripting Host (WSH) installed; reportedly it will also affect Mac running Windows in Virtual PC mode. The virus searches all local and network-mapped drives for files with a .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp3, or .mp2 extension; when it finds such a file, it overwrites the file with the virus code and renames the file with a ".vbs" extension, subsequently destroying the original file.

It also copies itself into the following files:

      <root>:\windows\Win32DLL.vbs
      <root>:\windows\system\MSKernel32.vbs
      <root>:\windows\system\LOVE-LETTER-FOR-YOU.TXT.vbs

and modifies the registry so that the virus is run whenever Windows starts up by creating the following keys:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
            MSKernel32, <root>:\windows\system\MSKernel32.vbs
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
            Win32DLL, <root>:\windows\Win32DLL.vbs

The virus searches for a file named "WinFAT32.exe" in the <root>:\windows\system folder/directory. If the file exists, it modifies Internet Explorer’s startup page to one of several Web sites with the file "WIN-BUGSFIX.exe" (it selects the site randomly from a list of four). Norton AntiVirus detects the downloaded "WIN-BUGSFIX.exe" as PWSteal.LoveLetter, another virus.

LOVELETTER.A also searches for a file named "WIN-BUGSFIX.exe" in the <root>:\windows\system folder/directory. If the file does not exist, it modifies Internet Explorer’s startup page to the "about:blank" page and creates the registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
            CurrentVersion\Run\WIN-BUGSFIX, \WIN-BUGSFIX.exe

Return to Menu