Renamed Love Letter Worm Still Spreads

PC users should watch for two variants of the worm spreading rapidly through e-mail, as the Love Letter virus that has wreaked havoc Thursday is apparently renamed and still spreading.

Loveletter.B is a variant of the VBS/LoveLetter.A worm, according to antivirus experts at Computer Associates. The only differences are that instead of the subject line "ILOVE YOU," the variant's subject line is "fwd: Joke" and the trouble-causing attachment is named "Very Funny.vbs" instead of "LOVE-LETTER-FOR-YOU.TXT.vbs." Computer Associates has posted the updated information at its InoculateIT Virus Information Center.

Like the Love Letter virus, the variant spreads when the 10307-byte attachment is opened. In the original version, the message text reads, "kindly check the attached LOVELETTER coming from me." In both versions, the .vbs extension indicates a Visual Basic Script. If you open the attachment, the script inserts a number of files into Windows system directories. The virus then sends a copy of itself to all the addresses in a Microsoft Outlook or Outlook Express directory.

In addition, both versions invoke the Internet Relay Chat client called MIRC, and each attempts to replicate itself to all recipients of chat channels and everyone who joins afterwards. In IRC, the variation is called "Very Funny.HTM" instead of "LOVE-LETTER-FOR-YOU.HTM."

Industry sources report the worm was launched by a Filipino virus writer at 3 a.m. Eastern Time Thursday, and first appeared in Hong Kong, affecting banks and public relations firms. It quickly spread into Europe. As the day has progressed, it's become widespread in the United States as well.

Peter Tippett, president of the ICSA, a security organization that certifies antivirus software, says this worm is "the most virulent, expensive, and fast-spreading infection in virus history."

Who can resist opening an e-mail message with a subject line that reads, "ILOVE YOU"? Apparently, not too many people. ICSA expects the worm will cost companies up to $1 billion, and it is expected to infect as many as half of all U.S. corporations before it runs its course. By 9 a.m. Eastern Time Thursday morning, estimates were that it had already infected over a million PCs.

Besides affecting companies, the worm struck the British houses of parliament. Both the House of Commons and House of Lords were hit, leading to a shutdown of e-mail that lasted a couple of hours.

"The message was noticed before lunch. It was a message sending love to you, which is the sort of message a lot of us here don't expect to be receiving," says Muir Morton, the deputy sergeant at arms for the House of Commons.

You should immediately delete the message and the attached file, "even if it's from your spouse," says Narender Mangalam, Computer Associates' director of security.

Worm Trashes Music, Graphics

Despite initial reports that Loveletter didn't cause any additional damage, virus researchers soon found that the worm contains an even more destructive payload. It looks for 12 types of files, including popular .jpg graphics and .mp3 music files, and overwrites them with itself. It does not affect standard data files such as .doc files.

Worse, the worm doesn't just affect files on a local computer. If your PC is connected to a local-area network, the worm finds all of the 12 types of files on all accessible machines on the network and overwrites them, also infecting the other machines.

Most major antivirus software makers have already released updates of their virus signature files to detect and remove Loveletter. But if files have been overwritten, there remains the expensive and time-consuming job of restoring those files from backups, if backups exist.

If your antivirus software has an automatic update feature, you should use it as soon as possible to download the solution.

Meanwhile, if you haven't been infected, the best advice is to immediately delete any message that contains the "ILOVE YOU" subject line. (Note the lack of a space between the I and the L.) In any case, do not open the attachment, which is the only way the virus can spread.

ICSA also suggests that network administrators set filters on e-mail servers to reject all messages with "LOVE" in the subject, as well as block all messages with .vbs attachments and block Internet Relay Chat.

(IDG News Service contributed to this report.)

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Stan Miastkowski

PC World
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?