Symantec United States
global sites
products and services
purchase
support
security response
downloads
about symantec
search
feedback



© 1995-2004 Symantec Corporation.
All rights reserved.
Legal Notices
Privacy Policy

 security response

VBS.LoveLetter Fix

The VBS.LoveLetter Fix tool removes the changes that were made to a computer by all known versions of the VBS.LoveLetter worm except VBS.LoveLetter.CA, VBS.LoveLetter.BJ, VBS.LoveLetter.BM and VBS.LoveLetter.AS.

CAUTION: Before you run the tool, you must update to the most recent virus definitions and run a full system scan, making sure that Norton AntiVirus (NAV) is set to scan all files. If you run the tool before scanning your system, you may see warnings that indicate that files have been infected with LoveLetter. If you see any such warning, choose to delete the files.

NOTES:

  • This tool will have limited effectiveness if you have been infected with VBS.NewLove.A. This variant of LoveLetter destroys all files on the system that are not in use. Therefore an infected system will most likely be unstable.
  • If you are running this tool on Windows NT or Windows 2000, you must have Administrator-level privileges.
  • When the tool has finished running, you will see a message indicating whether or not the computer was infected by VBS.LoveLetter.
  • If you are an administrator, and you want to run the tool without displaying the information dialog box, run the tool with the /auto command line switch; for example, C:\Windows\Desktop\fixlove.exe /auto

To obtain and run the tool:
  1. Go to http://www.symantec.com/avcenter/fixlove.exe.
  2. Download the file to your Windows Desktop.
  3. Double-click the Fixlove.exe file to start the repair tool.
  4. Click Remove! to begin the process, and allow the tool to run.

The digital signature
Fixlove.exe is digitally signed. Symantec recommends that you only use copies of Fixlove.exe that have been downloaded directly from the SARC download site. To check the authenticity of the digital signature, follow these steps:
  1. Go to http://www.wmsoftware.com/free.htm
  2. Download and save the chktrust.exe file to the same folder where you saved Fixlove.exe.
  3. Click Start, point to Programs, and click MS-DOS Prompt.
  4. Change to the folder where Fixlove.exe and Chktrust.exe are stored, and then type:

    chktrust -i fixlove.exe

    For example:

    cd\
    cd download
    chktrust -i fixlove.exe

    Press Enter after typing each command.
  5. If the digital signature is valid, you will see the following:

    Do you want to install and run "fixlove.exe" signed on 5/11/2000 3:19 PM and distributed by Symantec Corporation.

    NOTES:
    • The date and time that are displayed in this dialog will be adjusted to your time zone if your computer is not set to the Pacific time zone.
    • If you are using Daylight Saving time, the time that is displayed will be exactly one hour earlier.
    • If this dialog does not appear or the date and time are not correctly adjusted for your time zone, do not use your copy of Fixlove.exe. It is not from Symantec.
  6. Click Yes to close the dialog box.
  7. Type exit and then press Enter. This will close the MS-DOS session.

What the tool does
The VBS.LoveLetter tool does the following:
  • Deletes the Win32DLL.vbs file from the \Windows folder.
  • Deletes the following files from the \Windows\System folder:
    • MSKernel32.vbs
    • LOVE-LETTER-FOR-YOU.TXT.vbs
    • LOVE-LETTER-FOR-YOU.HTM
    • WINFAT32.EXE
    • WIN-BUGSFIX.EXE
    • Funny Love.vbs
    • Funny Love.htm
  • Removes Winfat32.exe, Win-bugsfix.exe, and all .vbs entries from the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows\CurrentVersion\Run

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows\CurrentVersion\RunServices

    HKEY_USERS\username\Software\Microsoft\
    Windows\CurrentVersion\Run     (This is done for all users.)
  • Restores the Timeout value for the Windows Scripting Host key for all users, if present:

    HKEY_USERS\username\SOFTWARE\Microsoft\Windows Scripting Host\Settings
  • Sets the starting page for Internet Explorer in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page

    to http:/ /www.symantec.com/avcenter/repair_instruct.html.
  • Removes all DWORD values from the registry key:

    HKEY_USERS\username\SOFTWARE\Microsoft\WAB

    except for LDAP Connection Timeout and Server ID. (This is done for all users.)
  • Searches all local hard drives for hidden .mp3 and .mp2 files, and removes the hidden attribute.
  • Searches all local hard drives for LoveLetter Script.ini files. If found, the Script.ini file will be overwritten with a blank file that contains just one line:

    [script]