Last revised: May 9, 2000
Source: CERT/CC
A complete revision history is at the end of this file.
The "Love Letter" worm is a malicious VBScript program which
spreads in a variety of ways. As of 5:00 pm EDT(GMT-4) May 8, 2000,
the CERT Coordination Center has received reports from more than 650
individual sites indicating more than 500,000 individual systems are
affected. In addition, we have several reports of sites suffering
considerable network degradation as a result of mail, file, and web
traffic generated by the "Love Letter" worm. You can be infected with the "Love Letter" worm in a variety of
ways, including electronic mail, Windows file sharing, IRC, USENET
news, and possibly via webpages. Once the worm has executed on your
system, it will take the actions described in the Impact section. When the worm executes, it attempts to send copies of itself using
Microsoft Outlook to all the entries in all the address books. The
mail it sends has the following characteristics: People who receive copies of the worm via electronic mail will
most likely recognize the sender. We encourage people to avoid
executing code, including VBScripts, received through electronic mail
regardless of the sender without firsthand prior knowledge of the
origin of the code. When the worm executes, it will attempt to create a file named
script.ini in any directory that contains certain files
associated with the popular IRC client mIRC. The script file will
attempt to send a copy of the worm via DCC to other people in any IRC
channel joined by the victim. We encourage people to disable automatic
reception of files via DCC in any IRC client.
When the worm executes, it will search for certain types of files
and replace them with a copy of the worm (see the
Impact section for more details). Executing (double clicking)
files modified by other infected users will result in executing the
worm. Files modified by the worm may also be started automatically,
for example from a startup script.
There have been reports of the worm appearing in USENET newsgroups.
The suggestions above should be applied to users reading messages in
USENET newsgroups.
When the worm is executed, it takes the following steps:
When the worm executes, it will search for certain types of files
and make changes to those files depending on the type of file. For
files on fixed or network drives, it will take the following steps:
Since the modified files are overwritten by the worm code rather
than being deleted, file recovery is difficult and may be impossible.
Users executing files that have been modified in this step will
cause the worm to begin executing again. If these files are on a
filesystem shared over a local area network, new users may be
affected.
While the worm is examining files as described in the previous
section, it may take additional steps to create a mIRC script file.
If the file name being examined is mirc32.exe,
mlink32.exe, mirc.ini, script.ini, or
mirc.hlp, the worm will create a file named script.ini
in the same folder. The script.ini file will contain:
where DIRSYSTEM varies based on the platform where the worm is
executed. If the file script.ini already exists, no changes
occur.
This code defines an mIRC script so that when a new user joins an
IRC channel the infected user has previously joined, a copy of the
worm will be sent to the new user via DCC. The script.ini file
is created only once per folder processed by the worm.
If the file The worm attempts to use Microsoft Outlook to send copies of itself
to all entries in all address books as described in the Description section.
In addition to other changes, the worm updates the following
registry keys:
Note that when the worm is sending email, it updates the last entry
each time it sends a message. If a large number of messages are sent,
the size of the registry may grow significantly, possibly introducing
additional problems.
It is important for users to update their anti-virus software.
Some anti-virus software vendors have released updated information,
tools, or virus databases to help prevent and combat this worm. A
list of vendor-specific anti-virus information can be found in Appendix A.
Because the worm is written in VBS, it requires the Windows
Scripting Host (WSH) to run. Disabling WSH prevents the worm from
executing. For information about disabling WSH, see:
This change may disable functionality the user desires. Exercise
caution when implementing this solution.
Information about disabling active scripting in Internet Explorer
can be found at:
This change may disable functionality the user desires. Exercise
caution when implementing this solution.
Users of Internet Relay Chat (IRC) programs should disable
automatic reception of files offered to them via DCC.
Sites can use email filtering techniques to delete messages
containing subject lines known to contain the worm. For sites using
unix, here are some possible methods:
Sendmail, Inc. has published information about blocking the worm
in incoming email at:
Add the following line in /etc/postfix/header_checks:
The main Postfix configuration file must contain the
following line to enable the check :
Postfix must also be reloaded after this information is added.
A generic Windows-executable content-blocking filter has been
produced for Exim. This will block messages with attachments whose
extensions are vbs, as well as several other types that Windows
may consider executable by default. The filter, which includes some
supporting installation documention within the filter file itself, can
be found at:
This procmail rule also deletes any messages with the Subject: line
containing "ILOVEYOU":
Note that in all of these examples, [tab] represents a literal tab
character, and must be replaced with a tab for them to work correctly.
It is important to note that these three methods, as described, do
not prevent the worm from spreading if the Subject: line of the email
has changed. Administrators can use more complicated procmail rules
to block the worm based on the body of the email, but such methods
require more processing time on mail servers, and may not be feasible
at sites with high volumes of email traffic.
Exercise caution with attachments in email. Users should disable
auto-opening or previewing of email attachments in their mail
programs. Users should never open attachments from an untrusted
origin, or that appear suspicious in any way.
This variant changes several references to
LOVE-LETTER-FOR-YOU in the source code to Very Funny.
This primarily results in an email attachment name Very
Funny.vbs. The email messages sent by this variant have a subject
of "fwd: Joke", and an empty message body.
The subject of this variant is "Thanks for your purchase!" and the
body of the message contains:
This variant infects files as previously described, with the
exception of jpg and jpeg files. Instead, this variant
infects ini and bat in a similar way. Specifically, for
files whose extension is ini or bat, it will replace
those files with a copy of the worm and add a vbs extension.
For example, a file named x.ini will be replaced by a file
called x.ini.vbs containing a copy of the worm.
This variant also includes different URLs for the Internet Explorer
Start Page.
The CERT Coordination Center thanks David Slade of Lucent
Technologies for help in constructing this advisory; Christopher
Lindsey for the providing the procmail rule; and Jeff Rife for
catching an error in an earlier version of this advisory. The following people were involved in the creation of this
document: Jeff Carpenter, Cory Cohen, Chad Dougherty, Ian Finlay,
Kathy Fithen, Rhonda Green, Robert Hanson, Jeff Havrilla, Shawn
Hernan, Kevin Houle, Brian King, Jed Pickel, Joseph Pruszynski, Robin
Ruefle, John Shaffer, and Mark Zajicek
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
information.
CERT publications and other security information are available from
our web site
To subscribe to the CERT mailing list for advisories and bulletins, send email to
majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY
Copyright 2000 Carnegie Mellon University. Revision History
Systems Affected
Overview
I. Description
Electronic Mail
Internet Relay Chat
Executing Files on Shared File Systems
Reading USENET News
II. Impact
Replaces Files with Copies of the Worm
Creates an mIRC Script
[script]
n0=on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick DIRSYSTEM\LOVE-LETTER-FOR-YOU.HTM
n3=}
Modifies the Internet Explorer Start Page
Sends Copies of Itself via Email
Modifies Other Registry Keys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\WAB\*
III. Solution
Update Your Anti-Virus Product
Disable Windows Scripting Host
Disable Active Scripting in Internet Explorer
Disable Auto-DCC Reception in IRC Clients
Filter the Worm in E-Mail
Sendmail
PostFix
/^Subject: ILOVEYOU/ REJECT
Exim
Procmail
:0 D
* ^Subject:[[tab] ]+ILOVEYOU
/dev/null
Exercise Caution When Opening Attachments
Appendix A. Anti-Virus Vendor Information
Aladdin Knowledge Systems
Command Software Systems, Inc.
Computer Associates
F-Secure
Finjan Software, Ltd.
McAfee / Network Associates
Proland Software
Sophos
Symantec
Trend Micro
Appendix B. Variants
The CERT Coordination Center has received reports of worms that are
nearly identical or are very similar to the Love Letter worm. The
information provided above applies to these variants except as noted
below. This section is not intended to be comprehensive, and we are
aware of reports involving additional variants not described here.
Joke / Very Funny
Mothers Day
This document is available from:
http://www.cert.org/advisories/CA-2000-04.html
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
Using encryption
Getting security information
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.
Conditions for use, disclaimers, and sponsorship information
May 4, 2000: Initial release
May 5, 2000: Updates to Postfix information
May 5, 2000: Fixed an error in the statement regarding the actions
of the worm when it checks for the existance of the