I Love You Virus

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

What is the ILOVEYOU worm?

The attack came from the Philippines on May 4, 2000; the virus spread so quickly that e-mail had to be shut down in a number of major enterprises, such as the Ford Motor Company. The Love Letter Virus, also known as the Iloveyou virus, ILOVEYOU, and Love Letter, was a computer worm originating in the Philippines, which began infecting computers on May 5, 2000. It spread by e-mail, arriving with the subject line 'ILOVEYOU' and an attachment, 'LOVE-LETTER-FOR-YOU.txt.vbs'.

VBS/LoveLetter is a VBScript worm. It spreads through email as a chain letter, using the Outlook email application. ILOVEYOU is also an overwriting VBS virus, and it spreads itself using the mIRC (Internet Relay Chat) client as well.

What does ILOVEYOU do?

  1. When it is executed, ILOVEYOU first copies itself to the Windows system directory as MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs. It also copies itself to the Windows directory as Win32DLL.vbs.
  2. Then it adds itself to the registry, so it will be executed when the system is restarted. The registry keys that it adds are:
  3. Next, the worm replaces the Microsoft Internet Explorer home page with a link that points to an executable program called WIN-BUGSFIX.exe. If the file is downloaded, the worm adds this to the registry as well, causing the program to execute when you restart your system.

    The executable part that the ILOVEYOU worm downloads from the web is a password-stealing Trojan horse. On startup, the Trojan tries to find a hidden window named BAROK.... If it is present, the Trojan exits immediately; if not, the main routine takes control. The Trojan checks for the 'WinFAT32' subkey in the following registry key:

    If the 'WinFAT32' subkey is not found, the Trojan creates it, copies itself to the Windows\System directory as WINFAT32.EXE, and then runs the file from that location. The above registry key modification makes the Trojan become active every time Windows starts.

  4. Next, the Trojan sets the Internet Explorer startup page to 'about:blank'. After that, the Trojan tries to find and delete the following keys:
  5. Then the Trojan registers a new window class, creates a hidden window titled BAROK..., and remains resident in Windows memory as a hidden application.

    Immediately after startup and when timer counters reach certain values, the Trojan loads the MPR.DLL library, calls the WNetEnumCachedPasswords function, and sends stolen RAS passwords and all cached Windows passwords to mailme@super.net.ph, an email address that most likely belongs to the Trojan's author. The Trojan uses the smtp.super.net.ph mail server to send email messages. The email message's subject line is 'Barok... email.passwords.sender.trojan'.

    The author's copyright message appears inside the Trojan's body:

    'barok ...i hate go to school suck ->by:spyder @Copyright (c) 2000GRAMMERSoft Group >Manila,Phils'

    There are also some encrypted text messages in the Trojan's body used for its internal purposes.

  6. After that, the worm creates an HTML file called LOVE-LETTER-FOR-YOU.HTM in the Windows system directory. This file contains the worm, and it will be sent using mIRC whenever the user joins an IRC channel.
  7. Then the worm will use Outlook to mass mail itself to everyone in each address book. The message that it sends will have a 'Subject:' line of 'ILOVEYOU', the body will say 'kindly check the attached LOVELETTER coming from me.', and an attachment called LOVE-LETTER-FOR-YOU.TXT.vbs. ILOVEYOU sends the message once to each recipient. After a message has been sent, it adds a marker to the registry and does not mass mail itself any more.
  8. The virus then searches for certain file types on all folders on all local and remote drives and overwrites them with its own code. The files that are overwritten have either .vbs or .vbe extensions. The virus will create a new file with the same name but using a .vbs extension and delete the original for all files with the following extensions: .js, .jse, .css, .wsh, .sct, and .hta.
  9. Next, the virus adds a new file next to, and deletes the original of, all files with the following extensions: .jpg, .jpeg, .mp3, and .mp2. As an example, for a picture named pic.jpg, the virus will create a new file called pic.jpg.vbs and delete the original.

ILOVEYOU was found globally in the wild on May 4, 2000, and appears to be of Philippine origin. At the beginning of the code, the virus contains the following text:

You can find this information on the F-Secure Corporation web site at:

Detecting ILOVEYOU

Current Norton/Symantec AntiVirus definitions will protect your system from all of the known variants (82 as of May 31, 2001) of the ILOVEYOU worm. For more information, see the following Knowledge Base documents:

How do I remove the ILOVEYOU virus?

UITS recommends that you disinfect your computer using the fix developed by Symantec, which is the first option listed below. Only manually remove the virus if you are computer savvy, or do not have access to the Symantec tool.

Symantec's tool

You may access a tool provided by Symantec that will detect and remove this worm and most of its variants at:

Follow the instructions on the page. Note that this tool will have limited effectiveness if you have been infected with the variant VBS.NewLove.A.

Manual removal

To manually remove the ILOVEYOU virus, follow these directions:

This contains instructions for editing the registry. If you make any error while editing the registry, you can potentially cause Windows to fail or be unable to boot, requiring you to reinstall Windows. Edit the registry at your own risk. Always back up the registry before making any changes. If you do not feel comfortable editing the registry, do not attempt these instructions. Instead, seek the help of a computing support provider.
  1. Delete these registry entries:
  2. If your Windows system directory contains the file WinFAT32.exe, delete the following registry entries:
  3. Delete LOVE-LETTER-FOR-YOU.HTM and LOVE-LETTER-FOR-YOU.TXT.

    Note: Search all non-removable drives (hard disks and network drives) for the files LOVE-LETTER-FOR-YOU.HTM and LOVE-LETTER-FOR-YOU.TXT, and delete all occurrences. Do not open these files.

  4. Look for the following files:

    If your computer contains any of the above files, the virus will create a file called script.ini in the folder of that file. Delete all occurrences of script.ini in these folders.

  5. The virus will overwrite all files with the following extensions so that they contain the virus file's content:

    The MS-DOS name of the files has been changed so that the file is associated with the Windows scripting host. This means that if you double-click or in any other way activate these files, the virus will run again. You will not be able to recreate the original contents of the files (at least not through Windows). You could try to contact a disk rescue company to help you before proceeding.

    If you do not choose disk rescuing measures, this leaves you with little choice but to delete all of the files of the type listed above. Possibly, you may be able to reinstall the affected applications; however, the effect on your computer could be severe.

    Note: In addition to your hard disk, remember to check the network drives to which your computer has access. Check files before you delete them. Affected files will have extension .vbs and be 11K in size. You can also use the file date as an indication, comparing it to when you received the virus.

  6. The virus changes the Internet Explorer start page to:

    You must change the Internet Explorer registry key to:

    Note: If you go to that site, the virus will be launched again. You must reset this back to your original starting page.
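
As an added example (not part of the original Knowledge Base document or of Symantec's tool), the name-based checks from steps 3 to 5 can be run as a read-only triage pass in Python. It matches only file names given on this page and never opens the files; the directory tree built in `demo` is constructed, and the reason labels are this example's own.

```python
import os
import tempfile

# File names the page lists as dropped by the worm or its Trojan (compared case-insensitively).
DROPPED_NAMES = {
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm", "win-bugsfix.exe", "winfat32.exe",
}
# Media extensions the page says receive a ".vbs" companion while the original is deleted.
COMPANION_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}


def classify(filename):
    """Return a reason label if the name matches an artifact described on the page, else None."""
    lower = filename.lower()
    if lower in DROPPED_NAMES:
        return "dropped-file"
    if lower == "script.ini":
        return "script-ini"  # step 4: created next to certain files; review before deleting
    stem, last = os.path.splitext(lower)
    if last == ".vbs" and os.path.splitext(stem)[1] in COMPANION_EXTS:
        return "media-companion"  # e.g. pic.jpg.vbs left in place of pic.jpg
    return None


def scan(root):
    """Walk root without opening any file; return sorted (relative path, reason) pairs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reason = classify(name)
            if reason:
                hits.append((os.path.relpath(os.path.join(dirpath, name), root), reason))
    return sorted(hits)


def demo():
    """Build a constructed tree of empty files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "pics"))
        for rel in ("pics/pic.jpg.vbs", "pics/holiday.jpg", "MSKernel32.vbs",
                    "notes.vbs", "song.MP3.VBS"):
            open(os.path.join(root, *rel.split("/")), "w").close()
        return scan(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:16} {path}")
```

Ordinary .vbs files that the worm overwrote keep their own names, so they do not show up here; the size and file-date check from the note under step 5 still applies to them.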

More information about ILOVEYOU

You can find more information about the ILOVEYOU worm at the following sites:

Gosh! There are so many viruses, with so many different names, that virus creators seem to be running short of names. “I Love You virus” is a strange name used by its creator. Requested by one of our viewers, here are the steps to remove the virus.

But before discussing the solution, let’s look at the details of this virus. The “I Love You” virus, also known as the “Love” virus, spreads mainly via email. The name is believed to originate from the subject of the mails, but there have been some other variations of the name, such as the “Mother’s Day” and “Joke” virus.

This is the format of the e-mail that contains this virus.

Sender: Someone the user knows
Subject: ILOVEYOU
Body: Kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

The default settings of Windows don’t display the last extension, which is why a user mistakes the attachment for a normal text document.
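
The check below is an added example, not part of the original post: it parses a mail message and reports attachments whose real extension is executable while the name Windows displays still ends in a harmless-looking one. The sample message is constructed from the format shown above, and the `ACTIVE_EXTS` set and function names are assumptions of this example.

```python
from email import message_from_string
from email.policy import default
import os

# Extensions treated as executable or script types here (an assumption of this
# example, built from the file types named on this page).
ACTIVE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta", ".exe"}

# Constructed sample message modelled on the format shown above; not a captured mail.
SAMPLE = """\
From: colleague@example.com
To: user@example.com
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: text/plain; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

' constructed placeholder, no script content
--b1--
"""


def shown_name(filename):
    """Name as displayed when Windows hides known extensions: the last extension is dropped."""
    return os.path.splitext(filename)[0]


def risky_attachments(raw_message):
    """Return (real name, displayed name, masquerades) for attachments with an active extension."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in ACTIVE_EXTS:
            display = shown_name(name)
            # A second extension left visible makes the file look like a document.
            findings.append((name, display, os.path.splitext(display)[1] != ""))
    return findings


if __name__ == "__main__":
    print(risky_attachments(SAMPLE))
```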

Steps to remove Love Virus:

1. Kill any process containing “love” from the Task Manager; also remove it from the computer’s startup list (run msconfig in the Run box).

2. Search your hard disk for the following entries:

LOVE-LETTER-FOR-YOU.TXT.vbs
LOVE-LETTER-FOR-YOU.HTM
MSKernel32.vbs
Win32DLL.vbs
WIN-BUGSFIX.exe

Permanently delete the files found in the above search results.

3. Run regedit in the Run box and delete the following entries, if any:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32=WinFAT32.EXE

This will restore the settings back to the original after rebooting the computer.

4. You may also want to change the default URL in the registry to:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page “http://www.msn.com” or any of your choice.