(Worm/LovLorn.6, WORM_LOVELORN.A, W32/Lovelorn.C@mm, Email-Worm.Win32.Lovelorn.f, System error, VBS.Lovelorn.A, W32/Lovelorn@MM, I-Worm/Lovelorn.dropper, Generic.PWStealer.82B4027D, W32/Lovelorn.dr, Parser error, I-Worm/Lovelorn.B, Email-Worm.Win32.Charches.a, VirTool.Win32.Hex2Vbs.a, Win32.Petuk.DR@mm, I-Worm/Lovelorn.CA, VBS/Lovelorn!dropper!Worm, Worm/c.A, VBS_LOVELORN.A, Email-Worm.Win32.Petuk.dr)

Added to the Dr.Web virus database: 2003-04-29

Virus description added:


Win32.HLLM.LoveLorn is a mass-mailing worm written in Borland C++. It affects computers running under Windows 95/98/Me/NT/2000/XP. The worm's size is 102,400 bytes.


To ensure that it launches automatically at every Windows startup, the worm adds the value
"explorer = "%\SYSTEM%\explorer.exe"
to the registry entry


The worm propagates to all the addresses found in the local Windows address book (WAB). It generates mail messages sent from the infected computer using its own SMTP engine.

The worm inserts the - based sender's address, for example,, or to the From: field.
The subjects of the messages formed by the worm vary and may be the following:

Read this file 
Re:baby!your friend send this file to you !
Read File attach .
Re:Get Password  mail...
There're some Passwords here
The Sexy story and 4 sexy picture of BINLADEN !
Souvenir for you from file attach...
See the Greeting-card .
Re:I Love You...OKE!
A Greeting-card for you .
Read file attach 
I like Sexy with you.
Re:Kiss you..
Guide to fuck ...
Play the game from file attach
Re:Baby! 2000USD,Win this game...

The texts accompanying messages may be the following:

Read this file 
Read File attach .
run File Attach to extract:BinladenSexy.jpg...
Souvenir for you from file attach...
See the Greeting-card .
I like Sexy with you.
Play the game from file attach

Attachments to all message types are named %%%.KISS.OK.EXE or %%%.HTM, where %%% is a variable that may be, for example, lovelorn, love_lorn or thuyguyen.
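
A mail-gateway style check built from the indicators above, as an added example that is not Dr.Web's code: it flags a message whose subject matches one of the listed subjects (a subset is included) or whose attachment name follows the %%%.KISS.OK.EXE / %%%.HTM pattern. The function names, the hit labels and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

def _norm(s):
    """Lowercase and drop all whitespace so spacing variants still match."""
    return re.sub(r"\s+", "", s or "").lower()

# Subset of the subjects listed above, normalised.
KNOWN_SUBJECTS = {_norm(s) for s in (
    "Read this file", "Read File attach .", "Re:Get Password  mail...",
    "Souvenir for you from file attach...", "See the Greeting-card .",
    "A Greeting-card for you .", "Play the game from file attach",
)}
# Example stems named above; the variable part may take other values.
KNOWN_STEMS = {"lovelorn", "love_lorn", "thuyguyen"}

def score_message(raw_bytes):
    """Return the list of indicators matched by one raw mail message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if _norm(msg["Subject"]) in KNOWN_SUBJECTS:
        hits.append("subject")
    # walk() visits every MIME part, so nested or inline parts are covered.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".kiss.ok.exe"):
            hits.append("attachment:kiss.ok.exe")  # strong: fixed suffix
        elif name.endswith(".htm") and name.split(".", 1)[0] in KNOWN_STEMS:
            hits.append("attachment:known-stem.htm")  # weaker: example stems
    return hits

def build_sample(subject, filename):
    """Constructed test message; addresses and payload are placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "rcpt@example.com"
    m["Subject"] = subject
    m.set_content("Read File attach .")
    m.add_attachment(b"constructed-bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(score_message(build_sample("Read this file ", "lovelorn.KISS.OK.EXE")))
    print(score_message(build_sample("Minutes", "notes.pdf")))
```

The fixed `.KISS.OK.EXE` suffix is the more reliable of the two attachment signals; the `.HTM` match only covers the example stems the description names.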


Once released on a computer, the worm drops several files to the %System% folder (in Windows 9x and Windows ME it is C:\Windows\System, in Windows NT/2000 it is C:\WINNT\System32, in Windows XP it is C:\Windows\System32):

  • explorer.exe, kernel32.exe, netdll.dll, serscg.dll are copies of the worm
  • setup.htm is a web page with an embedded script written in Visual Basic. The DrWeb® anti-virus program detects this file as Win32.HLLM.LoveLorn. After this file is run, the worm places one more file, named temp.exe, in the Windows temporary folder.
  • netsn.dll is a base64-encoded copy of the worm (base64 being a MIME-compatible mail encoding)
  • bsbk.dll is a base64-encoded copy of the worm's HTML dropper.