
F-Secure Virus Descriptions : LoveLetter.AJ





NAME: LoveLetter.AJ

Information about the original VBS/LoveLetter.A is available at: http://www.F-Secure.com/v-descs/love.shtml

This LoveLetter variant simulates a hoax message. It shows a combination of three common hoaxes that are circulating on the Internet.

LoveLetter.AJ spreads in a message that looks as follows:

    Subject:    Virus Warnings !!!
    Body:       VERY IMPORTANT PLEASE READ THIS TEXT.
                TEXT ATTACHMENT.
    Attachment: very-important-txt.vbs

This variant is similar to LoveLetter.A. Comments at the beginning of the code have been changed to:

    rem VERY IMPORTANT PLEASE READ THIS TEXT. Autor ( burtai@crosswinds.net)
    rem Begin Joke                                   (Lithuanian)

This worm copies itself to the Windows directory as "win.vbs" and to the Windows System directory as "very-important-txt.vbs".

It also adds the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\burtai

This will cause the worm to be executed when the system is restarted.

After that, the worm creates an HTML file, "very.htm", in the Windows directory and uses the default web browser to show it. This HTML file contains the worm and a text that is a combination of three common hoaxes. These hoaxes are circulating on the Internet, and they are: http://www.F-Secure.com/hoaxes/sellsav.shtml , http://www.F-Secure.com/hoaxes/sandman.shtml and http://www.F-Secure.com/hoaxes/holiday.shtml .

The text in the file looks as follows:

    VERY IMPORTANT PLEASE READ.

    This was sent to me so am sending to my complete address book.Some
    of us have supposed virus protection while others may
    not......hope this saves someone some grief tho.......thanks

    WARNING No. 1

    If you receive any CELCOM Screen Saver. Pls. do not install it
    This screensaver is very cool. It shows a NOKIA with time
    messages.After it is activated, the PC cannot boot up at all. It
    goes very slow.It destroys your hard disk. The filename is
    CELLSAVER.EXE

    WARNING No. 2

    Bewore! if someone named asks you to check out his page. DO NOT!
    It is at  www.geocities.com/vienna/6318. This page hacks into your
    C:\drive.DO NOT GO THERE... FOWARD THIS MAIL TO EVERYONE YOU KNOW.

    WARNING No. 3

    SEND THIS TO EVERYONE IN YOUR CONTACT LIST! THIS IS NO JOKE,OK?

    WARNING: If you get an E-mail titled : "Win A Holiday" DO NOT open
    it.Delete it immediately.Microsoft just announced yesterday. It is
    a malicious virus that WILL ERASE YOUR HARD DRIVE. At this time
    there is no remedy.

    Forward this to everyone IMMEDIATELY!!

F-Secure very often receives hoax messages that look like the worm's message and contain hoaxes in an attached text file.

The worm mass mails itself to every recipient in each Outlook address book.

This variant looks for files with extensions ".js", ".txt", ".doc" and ".hta". It replaces those files with new files that have the same name and extension, and an additional extension ".vbs". These ".vbs" files contain the worm itself, which means that the original files are overwritten.

It also replaces all ".vbs" and ".vbe" files and hides all ".mp3" and ".mp2" files, creating a copy of itself with an additional extension ".vbs" - just like LoveLetter.A does.

Finally, the worm attempts to shut down the system.

VBS/LoveLetter.AJ does not spread via mIRC.
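
The file-system traces described above can be checked for during cleanup. The following Python sketch is an added example, not part of the original F-Secure description: it walks a directory tree and reports the dropped file names and the double-extension ".vbs" copies, and for ".mp3"/".mp2" it tells whether the hidden original is still next to the worm copy. The function names and the sample tree are constructed for illustration; matching is by file name only, and the registry value and the overwritten ".vbs"/".vbe" files (which keep their names) are not covered.

```python
import os
import tempfile

# Names and extensions taken from the description above.
DROPPED = {"win.vbs", "very-important-txt.vbs", "very.htm"}
OVERWRITTEN = {".js", ".txt", ".doc", ".hta"}  # original content replaced by the worm
HIDDEN = {".mp3", ".mp2"}                      # original hidden, worm copy placed beside it

def classify(path):
    """Return a finding label for one file path, or None if nothing matches."""
    name = os.path.basename(path).lower()
    if name in DROPPED:
        return "dropped-file"
    stem, ext = os.path.splitext(name)
    if ext != ".vbs":
        return None
    inner = os.path.splitext(stem)[1]
    if inner in OVERWRITTEN:
        return "overwritten-original"
    if inner in HIDDEN:
        # Media files are hidden rather than replaced, so look for the original.
        original = path[: -len(".vbs")]
        return "hidden-original-present" if os.path.exists(original) else "hidden-original-missing"
    return None

def scan(root):
    """Walk root and return sorted (relative path, label) pairs for every match."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            label = classify(full)
            if label:
                findings.append((os.path.relpath(full, root).replace(os.sep, "/"), label))
    return sorted(findings)

def demo():
    """Build a constructed (empty-file) directory tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("windows/win.vbs", "windows/very.htm", "docs/report.doc.vbs",
                    "docs/notes.txt", "music/song.mp3", "music/song.mp3.vbs",
                    "scripts/backup.vbs"):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return scan(root)

if __name__ == "__main__":
    for path, label in demo():
        print(f"{label:26} {path}")
```

Files reported as "overwritten-original" have to be restored from backup, while a "hidden-original-present" result means the media file only needs its hidden attribute cleared once the ".vbs" copy is removed.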

[Analysis: Katrin Tocheva, Mikko Hypponen, Alexey Podrezov and Sami Rautiainen, F-Secure]