The worm arrives in an infected message sent with Microsoft Outlook.
When it is opened, it first drops "loveday14-b.hta" to the Windows
Startup directory in both Spanish and English versions of Windows.
When the system is restarted, "loveday14-b.hta" will be executed and
the following message box is shown.
The worm creates an infected "main.html" file in the Windows System
directory and sets the Internet Explorer start page to point to a web
page that contains another worm, VBS/San.A@m. Further information
about VBS/San.A@m is available at:
VBS/Valentine.A sends itself to every recipient in each address book.
The infected message has the following content:
Body: Que cosa mas tonta
The message does not have an attachment. The worm code is embedded into
the HTML message itself in a similar way to VBS/BubbleBoy.
Like VBS/Timofon.A, this worm attempts to send messages to cellular
phones using a SMS gateway at Movistar.net. These messages contain the
Feliz san valentin.
These messages are visible in the Outlook Sent Items folder. They look as
Subject: Feliz san valentin
Body: Feliz san valentin. Por favor visita (link to a web page)
where (link to a web page) is a link to the worm itself.
Next, VBS/Valentine.A searches all network and local drives for a mIRC
installation. If one is found, it replaces the "script.ini" file with
its own, so that "mail.html" from the Windows System directory is sent
whenever a user joins a channel where an infected user is present.
On the 8th, 14th, 23rd and 29th of any month the worm activates its
payload, deleting all files from all drives and replacing the deleted
files with text files that have the same name plus an additional ".txt"
extension. These text files have the following content:
Hola, me llamo Onel2 y voy a utilizar tus archivos para declararle mi amor
a Davinia, la chica mas guapa del mundo.
Feliz san Valentin Davinia. Eres la mas bonita y la mas simpatica.
Todos los dias a todas horas pienso en ti y cada segundo que no te veo
es un infierno.
Quieres salir conmigo?
En cuanto a ti usuario, debo decirte @ue tus ficheros
no han sido contaminados por un virus,
sino sacralizados por el amor que siento por Davinia.
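
A triage check for the artifacts described above, as an added example that is not part of the original analysis: it walks a directory tree and reports the dropped "loveday14-b.hta" file and any ".txt" file carrying the payload text. It assumes the dropped text matches the wording quoted on this page; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Indicators taken from the description on this page.
DROPPER_NAME = "loveday14-b.hta"
# Assumption: the replacement files contain this phrase exactly as quoted here.
PAYLOAD_MARKER = "sacralizados por el amor que siento por Davinia"


def scan_tree(root):
    """Return sorted (kind, relative_path) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() == DROPPER_NAME:
                findings.append(("dropper", rel))
                continue
            # Payload residue is "<original file name>.txt" with the marker text.
            if not name.lower().endswith(".txt"):
                continue
            try:
                # latin-1 never fails to decode, so odd bytes cannot abort the scan.
                with open(path, "r", encoding="latin-1") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if PAYLOAD_MARKER in head:
                findings.append(("payload_residue", rel))
    return sorted(findings)


def demo():
    """Build a constructed sample tree (no worm code) and scan it."""
    samples = {
        "Startup/loveday14-b.hta": "constructed placeholder, not worm code",
        "docs/report.doc.txt": "no han sido contaminados, sino " + PAYLOAD_MARKER + ".",
        "docs/notes.txt": "ordinary text file",
        "docs/readme.md.txt": "benign file that merely has a double extension",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="latin-1") as fh:
                fh.write(text)
        return scan_tree(root)
```

A "payload_residue" hit means the file of the same name without ".txt" was deleted and has to come from backup.
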
This worm has been available on a public web page on the Internet and
it has been posted to several Usenet newsgroups. Even after the
infected web page has been removed from the Internet, the worm is able
to spread via Outlook Express.
This worm uses the same security vulnerability as JS/Kak.A@m. A fix
and further information about this vulnerability are available from
Further information about JS/Kak.A@m is available at:
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure; February 2000]