I-Worm.LoveLetter is an Internet worm written in the Visual Basic Script (VBS) scripting language. It works only on computers with Windows Scripting Host (WSH) installed. In Windows 98 and Windows 2000, WSH is installed by default. The worm performs destructive actions and sends copies of itself by e-mail.

The destructive actions

After being started from a VBS file, the worm searches all files on all local and network drives. Depending on the file name or extension, it does the following:

VBS, VBE: Overwrites the file with its own body.

JS, JSE, CSS, VSH, HST, HTA: Creates a new file with the original name and the extension VBS, and deletes the original file.

JPG, JPEG: Creates a new file with the extension .VBS added to the old file name and extension (e.g. PIC1.JPG.VBS), writes the worm body to it, and deletes the original file.

MP2, MP3: Creates a new file with the extension .VBS added to the old file name (see above for details), writes its body to it, and sets the "hidden" attribute on the original file.

MIRC32.EXE, MLINK32.EXE, SCRIPT.INI, MIRC.HLP, MIRC.INI: If one of these files is found, the worm creates the file SCRIPT.INI in that directory.

The worm also creates several files containing its body in the system directory:

MSKERNEL32.VBS
WIN32DLL.VBS
LOVE-LETTER-FOR-YOU.TXT.VBS

It registers the following files, with their full names, in the automatic run keys of the system registry:

MSKernel32.vbs
Win32DLL.vbs

It adds these system registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

Spreads by E-mail

The worm sends itself via e-mail. To do this, it takes all addresses from the address book and sends itself to them. This works only with the mail program Outlook 97/98/2000.

Letter's subject: ILOVEYOU
Message body: kindly check the attached LOVELETTER coming from me.
Attached file name: LOVE-LETTER-FOR-YOU.TXT.vbs

The virus creates an HTML dropper in the Windows system directory. The HTML dropper displays the message:

This HTML file need ActiveX Control
To Enable to read this HTML file
- Please press 'YES' button to Enable ActiveX

After that, the dropper creates MSKERNEL32.VBS with the worm body and opens it.
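
A triage sketch for the file-name and autorun indicators listed above, added here as an example and not part of the original description; the function names and the sample listing are constructed for illustration. It matches names only, so a hit is a candidate for review, not a verdict.

```python
import ntpath
from collections import defaultdict

# Names the description says are written to the system directory.
DROPPED = {"MSKERNEL32.VBS", "WIN32DLL.VBS", "LOVE-LETTER-FOR-YOU.TXT.VBS"}
# Extensions that get ".VBS" appended to the full original file name.
APPENDED = {".JPG", ".JPEG", ".MP2", ".MP3"}
# mIRC files whose presence triggers creation of SCRIPT.INI in that directory.
MIRC = {"MIRC32.EXE", "MLINK32.EXE", "MIRC.HLP", "MIRC.INI"}
# Tails of the two autorun registry paths given in the description.
RUN_TAILS = (r"\run\mskernel32", r"\runservices\win32dll")


def triage_files(paths):
    """Return sorted (path, reason) pairs for names matching the description."""
    by_dir = defaultdict(set)
    for p in paths:
        folder, name = ntpath.split(p)
        by_dir[folder.upper()].add(name.upper())
    hits = []
    for p in paths:
        folder, name = ntpath.split(p)
        upper = name.upper()
        stem, ext = ntpath.splitext(upper)
        if upper in DROPPED:
            hits.append((p, "dropped-copy name"))
        elif ext == ".VBS" and ntpath.splitext(stem)[1] in APPENDED:
            hits.append((p, "media name with .VBS appended"))
        elif upper == "SCRIPT.INI" and by_dir[folder.upper()] & MIRC:
            hits.append((p, "SCRIPT.INI beside mIRC files"))
    return sorted(hits)


def triage_run_keys(reg_paths):
    """Return registry paths that end in one of the autorun entries."""
    return [k for k in reg_paths if k.lower().endswith(RUN_TAILS)]


# Constructed sample listing, not taken from a real host.
SAMPLE = [
    r"C:\WINDOWS\SYSTEM\MSKernel32.vbs",
    r"C:\Photos\PIC1.JPG.VBS",
    r"C:\Music\song.mp3.vbs",
    r"C:\mirc\mirc32.exe",
    r"C:\mirc\script.ini",
    r"C:\Scripts\backup.vbs",
]
```

A SCRIPT.INI next to mIRC files can also belong to a normal mIRC installation, so that hit needs its contents checked before any conclusion is drawn.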