How to Recover from the ILOVEYOU (VBS/Loveletter) Virus

The VBS/Loveletter (aka ILOVEYOU or LoveBug) virus is quite destructive because it adds files, changes Windows registry entries, deletes some files and makes others hidden. This page provides information on how to clean an infected system of the original version of this virus. Be aware, though, that many variations exist that may require additional or different recovery procedures. The pages listed at ILOVEYOU Virus Links should give you an idea of what damage any particular variant may have done to your system. 

Many thanks to Chris Waters and Siegfried Weber for their contributions to this report, via the Outlook-users mailing list.


Stop the Virus

Press Ctrl+Alt+Del to invoke the Close Program dialog or Task Manager, depending on your operating system. Select any instance of Wscript.exe that is running, and choose End Task to kill it. Do the same with WINS-BUGFIX.exe and WinFat32.exe.

Delete Messages and Files

In Outlook, use Tools | Advanced Find to locate any items with one of these subjects and a file attachment. Delete them:

  • ILOVEYOU
  • Susitikim shi vakara kavos puodukui
  • fwd: Joke
  • Mothers Day Order Confirmation
  • Dangerous Virus Warning
  • Virus ALERT!!!
  • Important ! Read carefully !!
  • How to protect yourself from the IL0VEY0U bug!

Delete the following files, adjusting the paths as needed to match your system. Start | Find is probably the best way to locate all of these:

  • C:\Temp\LOVE-LETTER-FOR-YOU.TXT.vbs
  • C:\Temp\LOVE-LETTER-FOR-YOU.TXT1.vbs
  • <Windows>\WIN32DLL.vbs 
  • <Windows>\<System32>\LOVE-LETTER-FOR-YOU.TXT.vbs
  • <Windows>\<System32>\MSKERNEL32.vbs
  • Any instances of WINS-BUGFIX.exe anywhere on the system 
  • Any instances of Very Funny.vbs 
  • Any instances of Mothersday.vbs
  • Any instances of virus_warning.jpg.vbs
  • Any instances of protect.vbs
  • Any instances of IMPORTANT.TXT.vbs
  • Virus-Protection-Instructions.vbs

Delete or examine all VBS and VBE files on your system. The virus will have overwritten these types of files with copies of itself.

The virus also deletes JS, JSE, CSS, WSH, SCT, HTA, JPG, and JPEG files. It then saves another copy of the payload virus script using the original file's name, with the VBS extension added, e.g. image.jpg.vbs. The files will all have the same size and the date and time that the virus ran. You should delete these files as well.

If you use Internet Relay Chat, look for a file named Script.ini. If it contains a reference to LOVE-LETTER-FOR-YOU.HTM, you'll need to delete it or replace it with your original Script.ini, if you have a backup.

Don't forget that there are variants with other subject lines and attachment names that may affect other files. See ILOVEYOU Virus Links for sites with the latest information on these variants.


Fix Windows Registry

Remember to back up the Registry before making any changes!

Remove the following Windows Registry entries:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKERNEL32
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\WIN32DLL
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinFAT32
  • In the HKEY_CURRENT_USER\Software\Microsoft\WAB\ key, remove all the individual STRING and DWORD entries, but not the (default) entry or any subkeys. 

Set the value of the following registry entry to your desired Internet Explorer home page:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

You may need to restore these registry entries to HKEY_CURRENT_USER, HKEY_USERS and HKEY_LOCAL_MACHINE. A system policy file that loads at network logon should take care of that automatically:

  • Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
  • Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
  • .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
  • .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
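
The registry backup recommended above can double as a checklist. The following is an added example, not part of the original page: it reads the text of a regedit export and lists the values this section says to remove or reset, without changing anything. The sample export and its data values are constructed; newer Windows versions write exports as UTF-16, so decode the file before passing its text in.

```python
import re

RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# (key, value name) pairs the page says to remove, compared case-insensitively.
REMOVE = {(k.lower(), v.lower()) for k, v in (
    (RUN, "MSKERNEL32"), (RUN + "Services", "WIN32DLL"),
    (RUN, "WIN-BUGSFIX"), (RUN, "WinFAT32"))}
WAB = r"HKEY_CURRENT_USER\Software\Microsoft\WAB".lower()
START = (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main".lower(),
         "start page")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample export; the data values are invented for illustration.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKERNEL32"="C:\\WINDOWS\\SYSTEM\\MSKERNEL32.vbs"
[HKEY_CURRENT_USER\Software\Microsoft\WAB]
@=""
"ExampleFlag"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4]
"KeepMe"="subkey value"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://unknown.example/"
'''

def parse_reg(text):
    """Yield (key, value_name, raw_data) from regedit export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            name = m.group(1)
            yield key, "(default)" if name == "@" else name[1:-1], m.group(2)

def audit(text):
    """Return (action, key, value_name) findings; nothing is modified."""
    out = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        if (k, n) in REMOVE:
            out.append(("remove", key, name))
        elif k == WAB and n != "(default)" and data.startswith(('"', "dword:")):
            out.append(("remove", key, name))      # subkeys never match k == WAB
        elif (k, n) == START:
            out.append(("review", key, name))      # set to your own home page
    return out
```
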

Recover Files

If you find files with the pattern *.mp3.vbs or *.mp2.vbs, the original MP3 and MP2 files should still be available, only hidden. Make sure that Windows Explorer is set on the View | Options dialog to show all hidden files.

As noted above, the virus deletes many web-related and script files, replacing them with copies of itself. The only way to recover those files yourself is from a backup copy or by reinstalling the program that provided the files in the first place.
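
The file checks from "Delete Messages and Files" and the hidden-file check from this section can be run together over a drive or a mounted copy of it. The following is an added example, not part of the original page: it only reports and deletes nothing. The result keys (known, replaced, recoverable, missing, same_size) are names chosen for this example.

```python
import os
from collections import defaultdict

# File names the page lists (compared case-insensitively). WIN-BUGSFIX.exe is
# included because the page's registry list spells the name that way.
KNOWN = {n.lower() for n in (
    "LOVE-LETTER-FOR-YOU.TXT.vbs", "LOVE-LETTER-FOR-YOU.TXT1.vbs",
    "WIN32DLL.vbs", "MSKERNEL32.vbs", "WINS-BUGFIX.exe", "WIN-BUGSFIX.exe",
    "Very Funny.vbs", "Mothersday.vbs", "virus_warning.jpg.vbs",
    "protect.vbs", "IMPORTANT.TXT.vbs", "Virus-Protection-Instructions.vbs")}
# Types the page says are deleted and replaced by <name>.<ext>.vbs copies.
REPLACED = {".js", ".jse", ".css", ".wsh", ".sct", ".hta", ".jpg", ".jpeg"}
HIDDEN = {".mp3", ".mp2"}      # originals are hidden, not deleted

def scan(root):
    """Walk root and classify files; read-only, nothing is deleted."""
    r = {"known": [], "replaced": [], "recoverable": [], "missing": []}
    by_size = defaultdict(list)            # size -> .vbs/.vbe paths
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if name.lower() in KNOWN:
                r["known"].append(path)
            if ext in (".vbs", ".vbe"):
                by_size[os.path.getsize(path)].append(path)
            if ext != ".vbs":
                continue
            inner = os.path.splitext(stem)[1].lower()   # ".jpg" for a.jpg.vbs
            if inner in REPLACED:
                r["replaced"].append(path)
            elif inner in HIDDEN:
                original = os.path.join(dirpath, stem)  # e.g. song.mp3
                found = os.path.exists(original)        # true for hidden files too
                r["recoverable" if found else "missing"].append(original)
    # Copies of one script share one size: the largest group deserves review.
    r["same_size"] = sorted(max(by_size.values(), key=len, default=[]))
    return r

if __name__ == "__main__":
    import sys
    for kind, paths in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(kind, *paths, sep="\n  ")
```

Entries under "missing" are MP3 or MP2 files whose hidden original was not found next to the .vbs copy, so they fall back to the backup route described above.
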


More Information

  • ILOVEYOU Virus Links
  • Protecting Microsoft Outlook against Viruses
  • Anti-virus Tools
  • Content Control Tools
  • Loveletter updated virus definitions and recovery tools (CNET)

Updated Jul 16 2008

Copyright Slipstick Systems. All rights reserved.