VBS/LoveLetter is a family of mass-mailing worms that targets computers running certain versions of Microsoft Windows. The worm can spread as an e-mail attachment and through an IRC channel. The worm can download, overwrite, delete, infect, and run files on the infected computer.

Threat behavior

VBS/LoveLetter copies itself to multiple locations on the computer using various file names. It modifies the startup configuration so that the worm runs each time Windows starts. 
The worm can spread through an IRC channel. It can also spread by sending a copy of itself as an attachment to e-mail addresses that it finds in the Outlook address book. The sender appears as the Outlook address of the current user. The subject line, message body, and attachment name may resemble the following example:
Message body: kindly check the attached LOVELETTER coming from me.

Some VBS/LoveLetter variants may also perform actions such as:
  • Overwriting files.
  • Downloading and running files.
  • Infecting files so they are only recoverable from backups.
  • Deleting everything on the C drive.
  • Placing shortcuts with misleading icons on the desktop. 


There may be no readily apparent indications of infection by VBS/LoveLetter. However, the following symptoms may appear unexpectedly on a computer infected by this worm:
  • High outbound SMTP traffic.
  • A desktop shortcut that points to a Web site but has a misleading icon such as that of the Solitaire game.
  • Items in the Outlook "Sent Items" folder with an attachment name that has extension .vbs.


Alert level: Severe
First detected by definition:
Latest detected by definition: 1.117.2303.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Aug 10, 2005
This entry was updated on: Mar 23, 2007

This threat is also detected as:
  • VBS.LoveLetter (Symantec)
  • VBS/Loveletter (McAfee)
  • VBS_LOVELETTER (Trend Micro)
  • VBS.ILoveYou (CA)