March 3, 2011

Love Worm!

ILOVEYOU, also known as LoveLetter, is a computer worm that successfully attacked tens of millions of Windows computers in 2000, when it was sent as an attachment to an email with the text "ILOVEYOU" in the subject line.
The worm arrived in email inboxes on and after May 4, 2000 with the simple subject of "ILOVEYOU" and an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs". The final 'vbs' extension was hidden by default, leading unsuspecting users to think it was just a text file. Upon opening the attachment, the worm sent a copy of itself to everyone in the Windows Address Book, using the user's own address as the sender. It also made a number of malicious changes to the user's system.

This worm originated in Manila, Philippines. It was widely distributed and infected millions of computers.
This worm sends itself to email addresses in the Microsoft Outlook address book and also spreads to Internet chatrooms using mIRC. This worm overwrites files on local and remote drives, including files with the extensions .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav, .txt, .gif, .doc, .htm, .html, .xls, .ini, .bat, .com, .avi, .qt, .mpg, .mpeg, .cpp, .c, .h, .swd, .psd, .wri, .mp3, and .mp2. 

The contents of most of these files are replaced with the source code of the worm, destroying the original contents. The worm also appends the .vbs extension to each of these files. For example, image.jpg becomes image.jpg.vbs. However, files with .mp2 and .mp3 extensions are merely hidden and not destroyed.

LoveLetter also tries to download a password-stealing Trojan horse program from a Web site.

When executed, the worm copies itself to the \Windows\System folder as both Mskernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs, and to the \Windows folder as Win32dll.vbs. The worm then checks for the presence of Winfat32.exe in the \Windows\System folder.
If the file does not exist, then the worm sets the Internet Explorer start page to a Web site with the Win-bugsfix.exe file. This Web site has been shut down.
If the file does exist, the worm creates the following registry key:


and executes the file during system startup. The Internet Explorer start page is then replaced with a blank page.
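The hidden final extension, the image.jpg.vbs renaming and the dropped file names described above all leave the same trace: a harmless-looking data extension followed by a script extension. The following check for attachment names or file paths is an added example, not code from the original post; the function names and the sample list are constructed for illustration, and the handling of padding spaces and trailing dots goes slightly beyond the cases the post mentions.

```python
import re

# Script-capable extensions, taken from the worm's target list on this page.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta", "bat", "com"}
# Data extensions from the same list that look harmless to a user.
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "doc", "htm", "html", "xls",
              "wav", "avi", "mpg", "mpeg", "mp3", "mp2", "css", "ini"}
# File names the page says the worm mails or drops.
KNOWN_NAMES = {"love-letter-for-you.txt.vbs", "mskernel32.vbs", "win32dll.vbs"}


def normalize(name):
    """Reduce a path or attachment name to the name Windows would act on."""
    base = re.split(r"[\\/]", name)[-1]
    # Windows ignores trailing dots and spaces when it resolves a file name.
    return base.rstrip(". ").lower()


def classify(name):
    """Return a reason string for a suspicious name, or None."""
    base = normalize(name)
    if base in KNOWN_NAMES:
        return "known-loveletter-name"
    # Strip padding around each component: spaces before the real extension
    # are another way to push it out of view in a narrow column.
    parts = [p.strip() for p in base.split(".")]
    if len(parts) >= 3 and parts[-1] in SCRIPT_EXTS and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return None


def scan(names):
    """Map each suspicious name to the reason it was flagged."""
    return {n: r for n in names if (r := classify(n)) is not None}


# Constructed sample: attachment names and file paths, not real telemetry.
SAMPLE = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    r"C:\Windows\System\MSKernel32.vbs",
    "image.jpg.vbs",
    "notes.doc   .VBS. ",
    "report.txt",
    "logon.vbs",
]

if __name__ == "__main__":
    for name, reason in scan(SAMPLE).items():
        print(f"{reason:24} {name}")
```

A plain script such as logon.vbs is not flagged, because the check looks for the disguise (data extension plus script extension) and the specific names from this post, not for scripts in general.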


Removal of this infection can permanently damage your system if any mistakes are made in the process. Thus, manual removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend malware and spyware removal applications.

