VBS_LoveLetter Copycats (Variants)
VBS_LOVELETTER has generated many variants (copycats), and the descriptions below show how each one differs from the original. Trend urges all users not to open any attachments during this high-risk VBS virus period. Any attachment with a ".vbs" extension should be deleted immediately. If you receive an attachment you are not sure about, please scan the file before you open it, or send it to virus_doctor@trendmicro.com for scanning. This is a free service.
However, because Windows Explorer hides known file extensions by default, a file named nameoffile.jpg.vbs will appear in Windows as nameoffile.jpg only, with the .vbs hidden from view. If you click on this attachment, Windows will execute the script instead of opening the default .jpg viewer.
Note: Trend's latest pattern file detects all the variants described below. Trend suspects more variants of this virus will be seen in the wild, since the viral code is very easy to modify.
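The following is an added example, not code from Trend's page: a small mail-gateway style check for the two attachment tricks described above (an executable ".vbs" attachment and the hidden double extension such as "nameoffile.jpg.vbs"), with a lookup table built from the subject lines and attachment names listed for the variants below. The table, the extension set and the sample messages are the example's own assumptions.

```python
# Added example, not code from Trend's page: flags attachments that end in a
# script extension, flags the hidden double extension ("picture.jpg.vbs"),
# and matches subject/attachment pairs taken from the variant list below.

# Subject line -> attachment name, as given in the variant descriptions.
KNOWN_VARIANTS = {
    "ILOVEYOU": "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "fwd: Joke": "Very Funny.vbs",
    "Mothers Day Order Confirmation": "mothersday.vbs",
    "Important ! Read carefully !!": "IMPORTANT.TXT.vbs",
    "Virus ALERT!!!": "protect.vbs",
    "Dangerous Virus Warning": "virus_warning.jpg.vbs",
    "Thank You For Flying With Arab Airlines": "ArabAir.TXT.vbs",
    "LOOK!": "LOOK.vbs",
    "Recent Virus Attacks-Fix": "BAND-AID.DOC.vbs",
}

# Extensions the Windows Script Host executes on double-click (assumed set).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "sct", "hta"}

def attachment_findings(filename):
    """Return the reasons an attachment name is suspicious (possibly none).

    Case-insensitive, as Windows file names are. A script extension is flagged
    on its own; a second extension in front of it is also flagged, because
    Explorer's "hide known extensions" default shows only "nameoffile.jpg".
    """
    parts = filename.lower().split(".")
    findings = []
    if len(parts) >= 2 and parts[-1] in SCRIPT_EXTS:
        findings.append("script-extension:" + parts[-1])
        if len(parts) >= 3 and parts[-2]:
            findings.append("double-extension:" + parts[-2] + "." + parts[-1])
    return findings

def classify(subject, filename):
    """Generic findings plus a match against the variant table above."""
    findings = attachment_findings(filename)
    subj = subject.strip().lower()
    for known_subject, known_file in KNOWN_VARIANTS.items():
        if subj == known_subject.lower() or filename.lower() == known_file.lower():
            findings.append("known-variant:" + known_file)
            break
    return findings

if __name__ == "__main__":
    # Constructed sample messages: two matching variants on this page, one benign.
    for subject, name in [("Dangerous Virus Warning", "virus_warning.jpg.vbs"),
                          ("LOOK!", "LOOK.vbs"), ("Q2 report", "report.pdf")]:
        print(subject, "|", name, "|", classify(subject, name) or ["clean"])
```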
Variant B (Susitikim variant)
1. Contains one additional comment at the beginning of the code:
"rem Modified Lameris Tamoshius / Lithuania (Tovi systems)"
2. Uses a different email subject. Instead of the subject "ILOVEYOU", it uses the subject:
"Susitikim shi vakara kavos puodukui..."
Variant C (Very Funny variant)
This variant has the following characteristics:
Subject: fwd: Joke
Message: (blank message body)
Attachment: Very Funny.vbs
- Creates a file called "Very Funny.HTM".
Variant D (No Manila Header variant)
This one does not contain the following two commented lines:
"rem barok -loveletter(vbe) <i hate go to school>"
"rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines"
Variant E (Mothersday variant)
This one is a bigger rewrite, with the name changed to Mothersday.
Subject: Mothers Day Order Confirmation
Message: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com
Attachment: mothersday.vbs
1. The first two lines have been changed from
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
to
rem hackers.com
rem by: hackers.com
2. The four Explorer links the virus directs the browser to are changed to:
http://www.hackers.com
http://www.l0pht.com
http://www.2600.com
http://www.hackers.com
3. The line
elseif(ext="jpg") or (ext="jpeg") then
has been changed to
elseif(ext="ini") or (ext="bat") then
4. The mIRC component tries to mail out mothersday.HTM instead of LOVE-LETTER-FOR-YOU.HTM.
Variant F (Brainstorm variant)
Subject: Important ! Read carefully !!
Message: Check the attached IMPORTANT coming from me !
Attachment: IMPORTANT.TXT.vbs
1. The first two commented lines have been changed to:
rem brain -Important(vbe) <What da fuck ?!>
rem by: BrainStorm / @ElectronicSouls Crew /
2. Instead of using the files "MSKernel32.vbs", "Win32DLL.vbs" and "LOVE-LETTER-FOR-YOU.TXT.vbs", it uses the following file names: "ESKernel32.vbs", "ES32DLL.vbs" and "Important.TXT.vbs". Registry changes were made accordingly to point to the new filenames.
3. The script.ini file has been changed from:
";Khaled Mardam-Bey"
";http://www.mirc.com"
to
"BrainStorm"
";http://www.ElectronicSouls.8m.com"
4. Instead of using the file "LOVE-LETTER-FOR-YOU.HTM", it uses the file "Important.HTM".
Variant G (Symantec Protect variant)
Subject: Virus ALERT!!!
Message:
Dear Symantec customer,
Symantec's AntiVirus Research Center began receiving reports regarding VBS.LoveLetter.A virus early morning on May 4, 2000 GMT. This worm appears to originate from the Asia Pacific region. Distribution of the virus is widespread and hundreds of thousands of machines are reported infected. The VBS.LoveLetter.A is an Internet worm that uses Microsoft Outlook to e-mail itself as an attachment. The subject line of the e-mail reads ILOVEYOU, with the attachment titled LOVE-LETTER-FOR-YOU.TXT.VBS. Once the attachment is opened, the virus replicates and sends an e-mail to all e-mail addresses listed in the address book. The virus also spreads itself via Internet relay chat and infects files on local and remote drives including files with extensions vbs, vbe, js, sje, css, wsh, sct, hta, jpg, jpeg, mp3, mp2. Users should exercise caution when opening e-mails with this subject line, even if the e-mail is from someone they know, as that is how the virus is spread. Symantec Corp. today announced availability of the virus definition to detect, repair and protect users against the VBS.LoveLetter.A virus. This definition is available now via Symantec's LiveUpdate and can also be downloaded from the following web sites:
http://www.symantecstore.com/AF74211/promo/loveletter
http://www.digitalriver.com/symantec
Also as a quick solution Symantec Corp. offers Visual Basic Script to protect your PC against this worm. (See attached.)
Note! When executed, this script will protect Your PC from being INFECTED by VBS.LoveLetter.A virus. To cure already infected PC's download Norton Antivirus Updates mentioned above. Symantec Corporation - a world leader in internet security technology.
Attachment: protect.vbs
1. The comment has been changed to:
"rewritten by OmmenŠ / directly from HELL!!! / <Fuck teachers, burn schools"
2. The virus uses the filename "protect.htm" instead of "LOVE-LETTER-FOR-YOU.HTM".
3. The Internet Explorer links have been changed. The virus does not try to download "WIN-BUGSFIX.exe".
4. .com and .bat files have been added to the payload list of file extensions to be infected.
5. The mIRC script has been changed.
Variant H (Virus Warning variant)
This variant is attached to an email that pretends to be a virus fix and has the following characteristics. The attachment appears to be a graphic (.jpg) file because Windows hides the .vbs extension.
Subject: Dangerous Virus Warning
Message: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.
Attachment: virus_warning.jpg.vbs
1. The comment on the top section of the code has been removed.
2. The Internet Explorer links have been changed and now try to download "setup24.exe".
3. .wav, .txt, .gif, .doc, .htm, .html and .xls files have been added to the payload list of file extensions.
4. The mIRC script has been changed.
5. The virus uses "Urgent_virus_warning.htm" instead of "LOVE-LETTER-FOR-YOU.HTM".
Variant I (Corrupted variant)
This is a corrupted variant with additional code on the top section of the code.
Variant J (Packet Storm variant)
Subject: Thank You For Flying With Arab Airlines
Message: Please check if the bill is correct, by opening the attached file.
Attachment: ArabAir.TXT.vbs
1. The virus comment has been changed to:
"Originally submitted to Packet Storm as Win32DLL.txt"
"barok -loveletter(vbe) <i hate go to school>"
"by: *.* / *.*@internet.com / @*.* / Microsoft, RedMond"
2. The payload for .mp2 and .mp3 files now refers to .sys and .dll files.
3. The payload for .jpg and .jpeg files now refers to .exe and .dll files.
4. The virus uses the file "no-hate-FOR-YOU.HTM" instead of "LOVE-LETTER-FOR-YOU.HTM".
Variant K (Virus Protection Instructions variant)
Subject: How to protect yourself from the IL0VEY0U bug!
Message: Here's the easy way to fix the love virus.
Attachment: Virus-Protection-Instructions.vbs
1. The virus comment has one additional line:
"Barok writes fucked code. And he can't spell for crap, either."
2. The mIRC script has been changed.
3. The virus uses the file "Virus-Protection-Page.HTM" instead of "LOVE-LETTER-FOR-YOU.HTM".
Variant L (Lucky variant)
This variant is another attempt to rewrite the virus. It fails to execute.
Variant M (Bla Bla Bla variant)
This variant is very similar to variant D. However, some of the text in the mIRC script has been changed from "Khaled Mardam-Bey" to "Bla Bla Bla".
Variant N (Software Testing variant)
Subject: Variant Test
Message: This is a variant to the vbs virus.
Attachment: IMPORTANT.TXT.vbs
1. The virus comment has been changed to:
"Loveletter virus variant"
"for testing Anti-Virus software"
2. The virus uses the files "sndvol32.vbs", "IEAKDLL.vbs" and "IMPORTANT.TXT.vbs" instead of "MSKernel32.vbs", "Win32DLL.vbs" and "LOVE-LETTER-FOR-YOU.TXT.vbs".
3. The registry has been changed accordingly.
4. The payload file extensions have been changed to "mpeg" and "avi".
5. The payload for .jpg and .jpeg now refers to .qt and .qtm.
6. The payload for .mp3 and .mp2 now refers to .mpeg and .mpg.
7. The virus uses the file "IMPORTANT.HTM" instead of "LOVE-LETTER-FOR-YOU.HTM".
Variant O (The Hidden variant)
1. The virus comment has one additional line:
"Comments begining with ' added by The Hidden May 4 2000"
2. The viral code contains several more comments by the virus author.
Variant P (Unix variant)
This variant is an attempt to convert VBS_LOVELETTER to the Unix platform. It is not in the wild and we don't expect to see it on customer systems.
It contains the following comment:
"This is a demonstration how easy a virus like the LoveLetter virus"
"can be portet to a unix systems"
Variant Q: (LOOK variant)
Subject: LOOK!
Message: hehe...check this out.
Attachment: LOOK.vbs
1. The comment has been removed (similar to variant D).
2. The virus uses the files "MSUser32.vbs", "User32DLL.vbs" and "LOOK.vbs".
3. The payload for .jpg and .jpeg files now refers to .xls and .mdb files.
4. The payload for .mp2 and .mp3 files now refers to .lnk and .exe files.
5. The mIRC script has been changed.
6. The virus uses the file "LOOK.HTM" instead of "LOVE-LETTER-FOR-YOU.HTM".
Variant R: (Additional "-" character variant)
This variant contains an additional "-" character in one of the registry entries (WIN- -BUGSFIX.exe).
Variant S: (Additional "<" character variant)
This variant is very similar to variant G. It contains an additional "<" character in the commented code.
Variant T: (mePhIsToN variant)
Subject: I Cant Believe This!!!
Message: I Cant Believe I Have Just Recieved This Hate Email .. Take A Look!
Attachment: KillEmAll.TXT.vbs
1. The virus comment has been changed to:
"barok -Killer(vbe) <killer H8letter virus>"
"by: MePhIsToN / dfgdfghd@gdgf.com / @INFERNOSoft Group / gggz.HK"
2. The virus uses the files "killer1.vbs", "killer2.vbs" and "KillEmAll.TXT.vbs" instead of the files "MSKernel32.vbs", "Win32DLL.vbs" and "LOVE-LETTER-FOR-YOU.TXT.vbs".
3. The payload for .jpg and .jpeg files now refers to .gif and .bmp files.
4. The payload for .mp3 and .mp2 files now refers to .wav and .mid files.
5. Does not try to propagate through mIRC (the code is missing).
6. The virus uses the file "killer.HTM" instead of "LOVE-LETTER-FOR-YOU.HTM".
Variant U: (BEWERBUNG variant)
Subject: Bewerbung Kreolina (German: "Bewerbung" means job application)
Message: Sehr geehrte Damen und Herren! (German: "Dear Sir or Madam!")
Attachment: BEWERBUNG.TXT.vbs
1. The virus comment has been removed (similar to variant D).
2. The virus uses the file "BEWERBUNG.TXT.vbs" instead of "LOVE-LETTER-FOR-YOU.TXT.vbs".
3. The mIRC script has been changed.
4. The virus uses the file "BEWERBUNG.HTM" instead of "LOVE-LETTER-FOR-YOU.HTM".
Variant V: (BAND-AID variant)
Subject: Recent Virus Attacks-Fix
Message: Attached is a copy of a script that will reverse the effects of the LOVE-LETTER-TO-YOU.TXT.vbs as well as the FW:JOKE, Mother's Day and Lithuanian Siblings.
Attachment: BAND-AID.DOC.vbs
1. The virus comment has been changed to:
"Band-Aid"
"<i hate listen to wine> Seattle, WA candystore@mail.com"
2. The virus uses the file "BAND-AID.DOC.vbs" instead of "LOVE-LETTER-FOR-YOU.TXT.vbs".
3. The Internet Explorer URL has been changed to "http://www.2600.com".
4. The virus does not attempt to download "WIN-BUGSFIX.exe".
5. The payload also includes files with the following extensions:
.bat, .gif, .tif, .tiff, .wav, .mp2, .mp3, .lnk, .bak, .doc, .xls, .rtf, .txt, .htm, .html, .xml, .mny, .zip, .bmp, .cab, .inf.
6. The mIRC script has been changed.
7. The virus code that created the "LOVE-LETTER-FOR-YOU.HTM" file has been removed.
Variant Y: (Image of the Millenium variant)
Subject: Image of the Millenium
Message: Hi, my name is Nelma Marisa, and I'm here to present the Image of the Millenium. Just unzip Nelma.zip and read the readme file included first. Then open the image called Millenium.gif. Thanks...
Attachment: nelma.zip
1. The comment on the top section of the code has been removed.
2. The payload file extension has been changed from mp2 or mp3 to jpg.
3. Files with the extension jpg or jpeg keep their original filename.