Threat description




VBS/Valentine is a mass mailing worm written in Visual Basic Script.

On February 19th 2001, this worm has been posted to several Usenet newsgroups. F-Secure Anti-Virus detects this worm with updates released February 13rd, 2001 or later.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details


The worm arrives in an infected message sent with Microsoft Outlook. When it is openend, it first drops "loveday14-b.hta" to the Windows Startup directory in both Spanish and English versions of Windows.

When the system is restarted, "loveday14-b.hta" will be executed and the following message box is shown.

The worm creates an infected "main.html" file to the Windows System directory and sets the Internet Explorer start page to point to a web page that contains another worm, VBS/San.A@m. Further information about VBS/San.A@m is available at:

VBS/Valentine.A sends itself to every recipient in each address book. The infected message has the following content:



 Que cosa mas tonta

Message does not have an attachment. The worm code is embedded into the HTML message itself on a similar way as VBS/BubbleBoy.

Like VBS/Timofon.A, this worm attempts to send messages to cellular phones using a SMS gateway at These messages contain the following text:

Feliz san valentin.

These messages are visible in Outlook Sent Items folder. They look as follows:


Feliz san valentin


 Feliz san valentin. Por favor visita (link to a web page)

where (link to a web page) is a link to the worm itself.

Next VBS/Valentine.A searcs all network and local drives for a mIRC installation, and if such is found, it replaces the "script.ini" file with its own causing that the "mail.html" from the Windows System directory will be sent when an user joins the same channel where an infected user is.

At 8th, 14th, 23rd and 29th of any month the worm activates its payload deleting all files from all drives, replacing deleted files with text files that has the same name but an additional ".txt" extension. These text files have the following content:

Hola, me llamo Onel2 y voy a utilizar tus archivos para declararle mi amor

 a Davinia, la chica mas guapa del mundo.

 Feliz san Valentin Davinia. Eres la mas bonita y la mas simpatica.

 Todos los dias a todas horas pienso en ti y cada segundo que no te veo

 es un infierno.

 Quieres salir conmigo?

 En cuanto a ti usuario, debo decirte @ue tus ficheros

 no han sido contaminados por un virus,

 sino sacralizados por el amor que siento por Davinia.

This worm has been available on a public web page in the Internet and it has been posted to several Usenet newsgroups. Even after the infected web page has been removed from the Internet, the worm is able to spread via Outlook Express.

This worm uses the same security vulnerability as JS/Kak.A@m. A fix and futher information about this vulnerability is available from Microsoft:

Further information about JS/Kak.A@m is available at:

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info