If you have Loveletter spyware installed on your computer, this guide can help you fix it.

Technical Details

This is the Internet worm that caused the current global epidemic in May 2000. This worm spreads like email, sending messages from
affected computers. When spreading, the worm works with MS Outlook and forwards to itself all the addresses stored in the MS Outlook address book. As a result, the infected computer sends many messages to many addresses stored in the current MS Outlook contact list.

The worm is likely written in the basic scripting language “Visual Script” (VBS). It only works on computers that have a full Windows Scripting Host (WSH) installed. In Windows 98 and Windows 2007, WHS is installed by default. To
propagates, the worm gains access to MS Outlook and uses its functions and solution lists, which are only available in Outlook 98/2000, so the worm
can only be distributed if this version of MS Outlook is properly installed.

When launched, the worm sends its real copies by e-mail, installs itself according to the system, performs destructive actions, downloads and installs the Trojan. wormь can also be distributed via mIRC channels.

loveletter spyware

from: spyder and [email protected] via @GRAMMERSoft Group / Manila, Philippines


The worm arrives on the computer as an e-mail message with an associated VBS file, which is the worm itself. Message in the old version of the worm:

Message text: Please check the attached LOVE LETTER from me.
Attached concept file: LOVE-LETTER-FOR-YOU.TXT.vbs

When activated by this user, the Double worm launches (by clicking on a very good attached file) MS Outlook, accesses the address book and receives all addresses from there in full
and sends messages to everyone with a copy attached. The subject, text and name of the lodge attached to the message are always the same.

The worm also installs itself on the host system. It creates copies of itself found in Windows with directories with our names:

in Windows directory: WIN32DLL.VBS in Windows directory: System MSKERNEL32.VBS, LOVE-LETTER-FOR-YOU.TXT.VBS

These files are then written back to the system registry during Windows autostart:


HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesWin32DLL = Win32DLL.VBS

As a result, the specific worm is reactivated each time Windows is restarted. worm

This also creates any type of HTM dropper in the Windows policy catalog for use when publishing to mIRC channels (see below). This copy is titled LOVE-LETTER-FOR-YOU:


Download Trojan horse file

In order to install the Trojan on the system, the worm changes the URL of the Internet Explorer home page. The new URL points to a website (randomly selected from four options) and causes File Explorer to download the EXE file
Belonging. The file is called WIN-BUGFIX.EXE and is a Trojan. The worm then saves this file in the system registry in a new autorun section:

=hklmsoftwaremicrosoftwindowscurrentversionrunwin-bugsfix WIN-BUGSFIX.exe

The next time I run it, Internet Explorer downloads my trojan cache and usually ends up in the system download directory. The next time you start Windows, the Trojan will take control and
copy t itself into the exact Windows directory system named WINFAT32.EXE.

If the Trojan was installed by default, the worm sets the Internet Explorer home page to “about:blank”.

The downloaded and installed file is a Trojan that steals passwords. It gets your local computer and IP address, network logins and passwords, RAS
information, etc. And sends them to the owner of the Trojan. Recently scanned samples send messages to “[email protected]”, often with a subject line like this
like the next Baroque…:


Broadcast on IRC channels


In extreme cases, at least one of these found files is likely to be in a subdirectory of the worm
puts a big new SCRIPT.INI file there. This file contains mIRC
instructionsthat the mail worm (LOVE-LETTER-FOR-YOU.TXT.File) copies htm if you want all users
join a corrupt IRC channel.

mIRC script
Please don’t modify this script… mIRC will most likely becorrupted if mIRC does this
damaged… WINDOWS will be damaged and will not work properly. thank you

loveletter spyware

Khaled Mardam Bey

When an IRC user receives this HTML code, they are re-infected in the IRC download directory. The worm is then activated from the idea file only when the user clicks on it. Since the browser’s security settings do not allow scripts to guarantee that you are accessing files on disk and displaying a message, the worm uses a trick to prevent this. First, the scammer will see the message:

This HTML file requires an ActiveX