Sophos

VBS/LoveLet-AE


Summary

 
How it spreads
  • Email attachments
Affected operating systems
  • Windows
Characteristics
  • Installs itself in the registry
Included in our products from
  • March 2008 (4.27)
Detected by
  • All Sophos products

More Information

VBS/LoveLet-AE is a virus that attempts to send itself by email to all contacts in the Windows Address Book, as well as to users on mIRC.

VBS/LoveLet-AE attempts to send itself as an attachment LOVE-LETTER-FOR-YOU.TXT.vbs in emails with the subject "ILOVEYOU" and message text "kindly check the attached DreamTeam coming from me.".

When first run, VBS/LoveLet-AE attempts to copy itself to the following locations:

<System>\LOVE-LETTER-FOR-YOU.TXT.vbs
<System>\MSKernel32.vbs
<Windows>\Win32DLL.vbs

VBS/LoveLet-AE also attempts to drop the file <System>\LOVE-LETTER-FOR-YOU.HTM.

VBS/LoveLet-AE creates the following registry entries to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSKernel32
<System>\MSKernel32.vbs

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Win32DLL
<Windows>\Win32DLL.vbs

VBS/LoveLet-AE searches for files on the infected computer. It overwrites files with VBE and VBS extensions with a copy of itself; overwrites files with JS, JSE, CSS, WSH, SCT, HTA, JPG and JPEG extensions before copying them with an extra VBS extension; and hides files with MP2 and MP3 extensions while copying itself to the same filename with an extra VBS extension.

VBS/LoveLet-AE sets the following registry entry to change the start page of Microsoft Internet Explorer, pointing the user at an executable file called WIN-BUGSFIX.exe:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

If the file WIN-BUGSFIX.exe is downloaded, VBS/LoveLet-AE attempts to set the following registry entry to run it on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WIN-BUGSFIX

VBS/LoveLet-AE attempts to set the following registry entry:

HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
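
A host check built from the file and registry indicators listed above, as an added example that is not Sophos code. It assumes <Windows> maps to %SystemRoot% and <System> to its System32 subfolder; the function name and its parameters are hypothetical.

```powershell
# Added example, not Sophos code. Assumption: <Windows> is $env:SystemRoot and
# <System> is its System32 subfolder; override the parameters if that differs.
function Find-LoveLetAEArtifact {
    param(
        [string]$WindowsDir = $env:SystemRoot,
        [string]$SystemDir  = (Join-Path $env:SystemRoot 'System32'),
        [string[]]$ScanRoot = @()   # optional folders to search for renamed copies
    )
    $hit = { param($Type, $Item, $Detail)
             [pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail } }

    # Files the description says are copied or dropped on first run.
    $files = @(
        (Join-Path $SystemDir  'LOVE-LETTER-FOR-YOU.TXT.vbs'),
        (Join-Path $SystemDir  'MSKernel32.vbs'),
        (Join-Path $WindowsDir 'Win32DLL.vbs'),
        (Join-Path $SystemDir  'LOVE-LETTER-FOR-YOU.HTM')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { & $hit 'File' $f '' }
    }

    # Registry values named in the description. Match = '' reports on presence alone.
    $values = @(
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'MSKernel32';  Match = '' },
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'Win32DLL';    Match = '' },
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'WIN-BUGSFIX'; Match = '' },
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';             Name = 'Start Page';  Match = 'WIN-BUGSFIX' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows Scripting Host\Settings';    Name = 'Timeout';     Match = '' }
    )
    foreach ($v in $values) {
        $p = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($null -eq $p) { continue }          # key or value absent
        $data = [string]$p.($v.Name)
        if (-not $v.Match -or $data -match $v.Match) { & $hit 'Registry' "$($v.Key)\$($v.Name)" $data }
    }

    # Copies left beside overwritten or hidden files carry an extra .vbs extension.
    $pattern = '\.(js|jse|css|wsh|sct|hta|jpe?g|mp2|mp3)\.vbs$'
    foreach ($root in $ScanRoot) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.vbs' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $pattern } |
            ForEach-Object { & $hit 'DoubleExtension' $_.FullName '' }
    }
}

# Usage: Find-LoveLetAEArtifact -ScanRoot "$env:USERPROFILE\Documents" | Format-Table -AutoSize
```

A Timeout value under the Windows Scripting Host settings key can also be set by an administrator, so treat that finding as a prompt for review rather than proof of infection.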
