Threat Description



Category: Malware
Type: Worm
Platform: VBS
Aliases: Valentine


VBS/Valentine is a mass mailing worm written in Visual Basic Script.

On February 19th 2001, this worm has been posted to several Usenet newsgroups. F-Secure Anti-Virus detects this worm with updates released February 13rd, 2001 or later.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details


The worm arrives in an infected message sent with Microsoft Outlook. When it is openend, it first drops "loveday14-b.hta" to the Windows Startup directory in both Spanish and English versions of Windows.

When the system is restarted, "loveday14-b.hta" will be executed and the following message box is shown.

The worm creates an infected "main.html" file to the Windows System directory and sets the Internet Explorer start page to point to a web page that contains another worm, VBS/San.A@m. Further information about VBS/San.A@m is available at:

VBS/Valentine.A sends itself to every recipient in each address book. The infected message has the following content:

  Subject:     Body:       Que cosa mas tonta   

Message does not have an attachment. The worm code is embedded into the HTML message itself on a similar way as VBS/BubbleBoy.

Like VBS/Timofon.A, this worm attempts to send messages to cellular phones using a SMS gateway at These messages contain the following text:

  Feliz san valentin.   

These messages are visible in Outlook Sent Items folder. They look as follows:

  Subject:    Feliz san valentin     Body:       Feliz san valentin. Por favor visita (link to a web page)   

where (link to a web page) is a link to the worm itself.

Next VBS/Valentine.A searcs all network and local drives for a mIRC installation, and if such is found, it replaces the "script.ini" file with its own causing that the "mail.html" from the Windows System directory will be sent when an user joins the same channel where an infected user is.

At 8th, 14th, 23rd and 29th of any month the worm activates its payload deleting all files from all drives, replacing deleted files with text files that has the same name but an additional ".txt" extension. These text files have the following content:

  Hola, me llamo Onel2 y voy a utilizar tus archivos para declararle mi amor     a Davinia, la chica mas guapa del mundo.     Feliz san Valentin Davinia. Eres la mas bonita y la mas simpatica.     Todos los dias a todas horas pienso en ti y cada segundo que no te veo     es un infierno.     Quieres salir conmigo?     En cuanto a ti usuario, debo decirte @ue tus ficheros     no han sido contaminados por un virus,     sino sacralizados por el amor que siento por Davinia.   

This worm has been available on a public web page in the Internet and it has been posted to several Usenet newsgroups. Even after the infected web page has been removed from the Internet, the worm is able to spread via Outlook Express.

This worm uses the same security vulnerability as JS/Kak.A@m. A fix and futher information about this vulnerability is available from Microsoft:

Further information about JS/Kak.A@m is available at:

Technical Details:Katrin Tocheva and Sami Rautiainen, F-Secure; February 2000


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More