RootsWeb.com Mailing Lists
Total: 1/1
    1. Another One... ... ...
    2. Ken Markham
    3. "The Mother's Day version of this worm is quite cunning", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. "The e-mail appears to be a confirmation of an order for 'Mother's Day diamond special', and the attached file mothersday.vbs is portrayed as if it were an invoice. When users get such e-mails they assume there is some mistake and will naturally open the attachment - infecting their computer. With only eight days to go until Mother's Day, this attack is quite credible."

The worm arrives in an e-mail message attachment called mothersday.vbs. On a default Windows system, the ".vbs" extension is not visible. If the recipient opens the attachment, the worm will use Microsoft Outlook (if installed) to send a message to everyone in any address books (including global access books of the organization; these typically contain hundreds or thousands of addresses). The message looks like this:

From: Name-of-the-infected-user
To: Random-name-from-the-address-book
Subject: Mothers Day Order Confirmation

We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place.Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com

Attachment: mothersday.vbs

As address books typically contain group addresses, the result of executing the VBS/LoveLetter worm inside an organization is that the first infected user sends the message to everybody in the organization. After this, other users open the message and send the message again to everyone else. This quickly overloads e-mail servers.

In addition, this worm deletes all INI and BAT files from all drives and directories. This may leave the system in an unbootable state and might do serious damage to network files.

This variant is detected as VBS/LoveLetter.E by F-Secure Anti-Virus. Like the original version of the worm, VBS/LoveLetter.E is written in the VBScript language. The other known variants of the worm are known as VBS/LoveLetter.A, B, C and D.

The A variant was the original LoveLetter worm.

The B variant has been modified in Lithuania, and the subject field of the sent e-mail messages is "Susitikim shi vakara kavos puodukui...", which in Lithuanian means "Let's meet this evening for a cup of coffee..."

The C variant has the subject field of "fwd: Joke" and the attachment is called "Very Funny.vbs".

The D variant is almost identical to the original LoveLetter worm. It has been modified slightly, probably to make it undetectable to some anti-virus programs.

A technical description of the worm is available in the F-Secure virus description database at: http://www.F-Secure.com/v-descs/love.htm

Sample pictures of e-mail messages generated by VBS/LoveLetter are available in the F-Secure virus screenshots center at: http://www.F-Secure.com/virus-info/v-pics/

    05/05/2000 02:34:53
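A mail-gateway style check for the indicators listed in the message above, as an added example that is not part of the original post or F-Secure's own code. It flags any .vbs attachment, shows the name a user sees when Windows hides extensions, and labels the variant when a subject or attachment name from the advisory matches; the function names and sample messages are constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text: subject line -> variant name.
# The page gives no subject for variants A and D, so they are not listed.
SUBJECTS = {
    "mothers day order confirmation": "VBS/LoveLetter.E",
    "susitikim shi vakara kavos puodukui...": "VBS/LoveLetter.B",
    "fwd: joke": "VBS/LoveLetter.C",
}
ATTACHMENTS = {"mothersday.vbs": "VBS/LoveLetter.E",
               "very funny.vbs": "VBS/LoveLetter.C"}


def inspect_message(raw: bytes) -> dict:
    """Flag .vbs attachments and name the variant when an indicator matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    variant = SUBJECTS.get(str(msg["Subject"] or "").strip().lower())
    scripts = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        if name.lower().endswith(".vbs"):
            # Second field: the name as shown when extensions are hidden.
            scripts.append((name, os.path.splitext(name)[0]))
            variant = variant or ATTACHMENTS.get(name.lower())
    return {"variant": variant, "scripts": scripts, "quarantine": bool(scripts)}


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message; the attachment body is inert placeholder text."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "recipient@example.org"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("Mothers Day Order Confirmation", "mothersday.vbs"),
                        ("fwd: Joke", "Very Funny.vbs"),
                        ("Family tree update", "tree.txt")]:
        print(inspect_message(build_sample(subj, fname)))
```

The quarantine decision depends only on the attachment extension, so a modified copy with a new subject line is still held even though no variant name is assigned.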