

The LoveLetter Worm and Its Variants
I Love You
Aliases:
The Love Bug
VBS/LoveLet-A
LOVE-LETTER-FOR-YOU.TXT
VBS/Loveletter

 


The original LoveLetter worm

This worm, which infects Windows systems, spread over the Internet yesterday and is no doubt still spreading today.

The message looked like this:

Subject:  ILOVEYOU
Message:  kindly check the attached LOVELETTER coming from me.
Attachment:  LOVE-LETTER-FOR-YOU.TXT.vbs

The message may appear to come from a friend or someone you know, but it was in fact sent by the worm using the Microsoft Outlook address book of an infected computer. It can also send itself via mIRC. After connecting to a chat server using mIRC, the virus initiates a DCC send to all the users in the current channel and sends a copy of itself, LOVE-LETTER-FOR-YOU.HTM.  If you receive this email message or the HTM file, DO NOT OPEN THE ATTACHMENT OR THE FILE.
Simply delete the email and inform the person the email was supposedly from that their computer is infected.

The new variants and mutations

There are three new variations on the original LoveLetter virus that have been discovered so far.  Again, as stated above, if you receive one of these variants, DO NOT OPEN THE ATTACHMENT OR THE FILE. Simply delete the email and inform the person the email was supposedly from that their computer is infected.

Variant 1:

Subject:   Susitikim shi vakara kavos puodukui...
Message:  kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs

Variant 2:

Subject:   fwd: Joke
Attachment: Very Funny.vbs

Variant 3 (the Mother's Day variant):

Subject:   Mothers Day Order Confirmation
Message:  We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special.
We have attached a detailed invoice to this email.
Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day!

mothersday@subdimension.com
Attachment: mothersday.vbs

NOTE:  This variant also deletes all files with the extension ".ini" and ".bat" which makes it all the more dangerous.
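
Every attachment listed above ends in .vbs, and the original hides that behind a .TXT decoy. The following is an added example, not part of the original page: a mail-filter check that flags such attachments. The extension set and the helper names (risky_attachments, build) are assumptions made for the illustration.

```python
# Added example: flag script attachments like the ones listed on this page.
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Assumption: extensions this filter treats as Windows Script Host content.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".hta"}

def risky_attachments(msg):
    """Return (filename, reason) for each attachment that would run as script."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
        if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
            continue
        # Windows hides known extensions by default, so X.TXT.vbs shows as X.TXT.
        reason = "double extension" if len(suffixes) > 1 else "script"
        findings.append((name, reason))
    return findings

def build(subject, body, filename):
    """Construct a sample message (constructed data, harmless placeholder payload)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

if __name__ == "__main__":
    sample = build("ILOVEYOU", "kindly check the attached LOVELETTER coming from me.",
                   "LOVE-LETTER-FOR-YOU.TXT.vbs")
    print(risky_attachments(sample))
```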

Basic Technical Details

The LoveLetter worm:

Once activated, the worm deletes files of these extensions: mp3, mp2, css, wsh, sct, hta, jpg, jpeg, jse, js, vbe, vbs. In their place, the virus creates new copies of itself with the file extension .vbs. For example, a file called Amazing.mp3 would be deleted and replaced by a file called Amazing.mp3.vbs. If you activate any of these files by double-clicking on them, your computer will be reinfected with LoveLetter.

It will send a copy of itself via email to every address in the Microsoft Outlook address book.

It will transmit itself as a webpage file (Love-letter-for-you.htm) over mIRC channels.

It will change the home page for Internet Explorer 5 so that when Internet Explorer is opened, it will visit a webpage where a Trojan horse program with the filename WIN-BUGSFIX.exe will download onto the system. This trojan will try to send any Windows passwords back to the hacker who created it. (This information has been verified since the last revision of this webpage).

It creates the following files:
C:\Windows\System\MSKernel32.vbs
C:\Windows\Win32DLL.vbs
C:\Windows\System\LOVE-LETTER-FOR-YOU.TXT.vbs
WinFAT32.EXE in the Internet download directory
WIN-BUGSFIX.EXE in the Internet download directory (only if the Trojan program was downloaded)
script.ini in the mIRC directory

The worm makes changes to the registry that loads the worm each time Windows is started.

It creates the following entries:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32",
set to ":\windows\system\MSKernel32.vbs"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL",
set to ":\windows\\Win32DLL.vbs"

If the Trojan horse is downloaded, and the file WIN-BUGSFIX.exe does not exist in the Windows system folder, then it will create the key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"

and set it to "\WIN-BUGSFIX.exe"

You must delete these registry keys as part of the removal process, otherwise you will experience errors when Windows tries to load these files.
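
The file and registry indicators above can be checked mechanically. The following is an added example, not a tool from this site or from any vendor named here: it matches a file listing and a Registry Editor export against the names given in this section. The function names, the sample paths, the sample export and the test for an mIRC directory are assumptions.

```python
# Added example, not the site's own tool. All sample data below is constructed.
import re
from pathlib import PureWindowsPath

DROPPED = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
           "love-letter-for-you.htm", "winfat32.exe", "win-bugsfix.exe"}
# Extensions the page lists as replaced by <name>.<ext>.vbs copies.
REPLACED = {".mp3", ".mp2", ".css", ".wsh", ".sct", ".hta",
            ".jpg", ".jpeg", ".jse", ".js", ".vbe", ".vbs"}
PREFIX = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\"
AUTOSTART = {"run": {"mskernel32", "win-bugsfix"}, "runservices": {"win32dll"}}

def scan_files(paths):
    """Return (path, reason) for every path matching a file indicator."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        name, ext = p.name.lower(), [s.lower() for s in p.suffixes]
        if name in DROPPED:
            hits.append((raw, "dropped file"))
        # Assumption: the mIRC install directory has "mirc" in its name.
        elif name == "script.ini" and "mirc" in p.parent.name.lower():
            hits.append((raw, "mIRC script.ini"))
        elif len(ext) >= 2 and ext[-1] == ".vbs" and ext[-2] in REPLACED:
            hits.append((raw, "replaced " + ext[-2] + " file"))
    return hits

def scan_reg_export(text):
    """Return (key, value name) for the worm's autostart values in a .reg export."""
    hits, key = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"=', line)
        leaf = key.lower()[len(PREFIX):] if key.lower().startswith(PREFIX) else ""
        if m and m.group(1).lower() in AUTOSTART.get(leaf, ()):
            hits.append((key, m.group(1)))
    return hits

# Constructed sample inputs: a file listing and a regedit export.
SAMPLE_FILES = [r"C:\Windows\System\MSKernel32.vbs", r"C:\My Music\Amazing.mp3.vbs",
                r"C:\mirc\script.ini", r"C:\Games\script.ini", r"C:\Docs\notes.txt"]
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"'''
```

Calling scan_files(SAMPLE_FILES) and scan_reg_export(SAMPLE_REG) returns the matching entries; a script.ini outside an mIRC directory and unrelated Run values are left alone.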

In-depth Technical Details

Removal of the Worm

Automated Removal

There are now some tools available that can help you to clean the virus from your system. These tools can help you accomplish the three steps to removing this virus:

1.  Fixing the Registry

Computer Associates has developed an executable program that will remove the registry changes made by the virus. It is available at:
http://www.ca.com/virusinfo/encyclopedia/descriptions/reg/love_letter_clean.exe

Once you download the file, double-click on it to run the program and remove the registry keys.

2.  Removing the Infected Files

Trend Micro has a website that will scan for the infected files online (we have ourselves not verified that it will remove the infected files as of yet). Their virus-cleaning website is http://housecall.antivirus.com/

3.  Resetting your Internet Explorer home page

The virus changes the home page for Internet Explorer so the next time you open up the browser, you will be taken to a web page where it is suspected that another virus or trojan program will be downloaded (if your IE has already visited this page, it may have transmitted your Windows passwords, so be sure to change them just to be safe).

To fix this:
Click on the Start button, choose Settings, and choose Control Panel.
In the Control Panel, double-click on Internet Options.
Click on the General tab. In the Home Page section, highlight the entry in the Address box and delete it. Then type in the Internet address of the home page you used to have (you cannot leave the address box blank, or it will return to the address put there by the worm).
Click the Apply button, and then the OK button. Close the Control Panel window.

Once you have gone through all three of the above steps, your system should be clean.

Step-by-Step Removal Instructions
NOTE:  These steps involve using the Registry Editor.  If you have local technical support available, you may want to notify them that you will be using the Registry Editor.

The virus changes the home page for Internet Explorer so the next time you open up the browser, you will be taken to a web page where it is suspected that another virus or trojan program will be downloaded (if your IE has already visited this page, it may have transmitted your Windows passwords, so be sure to change them just to be safe). To fix this, click on the Start button, choose Settings, and choose Control Panel.
In the Control Panel, double-click on Internet Options.
Click on the General tab. In the Home Page section, highlight the entry in the Address box and delete it. Then type in the Internet address of the home page you used to have (you cannot leave the address box blank, or it will return to the address put there by the worm).
Click the Apply button, and then the OK button. Close the Control Panel window.
Hit the Control-Alt-Delete keys simultaneously on your computer.
On Windows 95/98, this will display the Close Program box which lists the programs currently running on your system.
If Wscript is in the list, click on Wscript once and then click on the End Task button.  Close the Close Program window.
On Windows NT/2000, this will display a dialog box.
Click on Task Manager.  In the Task Manager window, click on the Applications tab.  If you see Wscript or Windows Scripting Host listed, click on it once and click on the End Task button. Close the Task Manager.
Click on the Start button and choose Run. In the Open box, type "regedit" (without the quotation marks). Hit the Enter/Return key.
The Registry Editor window will appear.
You can think of the list in the left column as a directory list, and by clicking on the "+" sign next to each folder you go deeper into the directory list.
In this left column, click on the "+" signs next to the following directories (each "+" sign you click will reveal a new list that will contain the next entry):
HKEY_Local_Machine
Software
Microsoft
Windows
CurrentVersion

In the Current Version directory list in the left column, click on directory labeled Run so that the Run folder opens.
In the right-hand column are the registry settings for this particular directory.  Find the entry named MSKernel32 and click on it once so that it is highlighted.

Hit the Delete key. When asked if you want to delete this registry key, click on the Yes button. The entry should then disappear.
In this same right-hand list, look for an entry with the name WIN-BUGSFIX. Highlight it by clicking on it once and then hit the Delete key. When asked if you want to delete this registry key, click on the Yes button. The entry should then disappear.
In the left-hand column, click on the directory labeled RunServices. In the right-hand column, look for an entry named Win32DLL. Highlight it by clicking on it once and then hit the Delete key. When asked if you want to delete this registry key, click on the Yes button. The entry should then disappear.
Close the Registry Editor window.
Click on the Start button and choose Find, then Files or Folders.
The Find window will appear. In the Named box, type "mskernel32.vbs" (without the quotation marks). In the Look in box, use the drop-down box to choose "My Computer" from the drop-down list. Then, make sure the checkbox labeled Include subfolders is checked.

Click the Find Now button to start the search. The search results will be listed in the window below. Click on the MSKernel32.vbs file once to highlight it (as shown above), and then hit the Shift key and the Delete key simultaneously. When asked if you want to really delete this file, click the Yes button.
Repeat the last two steps to search for and delete the following files:
win32dll.vbs
love-letter-for-you.txt.vbs (There may be more than one copy of this file. Delete them all)
love-letter-for-you.htm (There may be more than one copy of this file. Delete them all)
winfat32.exe (You may not have this file on your system, so do not be alarmed if you do not find it)
win-bugsfix.exe (You may not have this file on your system, so do not be alarmed if you do not find it)
script.ini (Only delete this file if it is located in your mIRC directory)
Having been infected with the virus, all of the .vbs files on your system are now copies of the LoveLetter virus, and activating them will reinfect your system. You have two options for protecting yourself from accidentally activating these files.
Deleting all of the .vbs files by searching for them via File Find (in the Named box, type "*.vbs" without the quotation marks to find all the .vbs files) and deleting them much like you did in the last three steps.
Turning off Windows Scripting Host so that the files cannot be activated.
To do this:
Click on the Start button, choose Settings and choose Control Panel.
In the Control Panel window, double-click on Add/Remove Programs.
Click on the tab for Windows Setup.
In the Components list box, click on Accessories, then click on the Details button.
Clicking on the Details button will change the list of components. In that list, uncheck Windows Scripting Host.
Then click the OK button.
Click the Apply button.  Windows will then process the change for several seconds.  Then click the OK button to close the Add/Remove Programs window.

Restart your computer.

 


 

http://www.poor-farm.com/
webmaster@poor-farm.com
McCann's PooR Farm
Aurora, Mo. 65605
© 2001