Valentine will run whenever Windows is started, and spreads by attaching itself to every e-mail sent through Outlook. Valentine is a mass mailing worm that will attempt to send e-mail to every address listed in the Outlook address book. Valentine also changes Internet Explorer's default page to point to a Web site (now shut down) from which the worm can download a potentially destructive payload onto an infected computer. With the downloaded payload in place, Valentine will attempt to delete every file from the C:/ drive and rename every folder by adding the text happysanvalentine (for example, C:\Programs\MyDocuments\Excelhappysanvalentine) on the 8th, 14th, 23rd, or 29th day of any month. Even though the damaging component is no longer available, Valentine could still slow down e-mail servers.
How it spreads
Valentine.A arrives as an e-mail with the following:
Subject: blank
Body: anything
Attachment: none
Valentine spreads by imbedding itself to the HTML-format signature file of every outgoing Outlook e-mail and attempts to send itself to every address listed in the Outlook address book. Microsoft has issued a patch for the vulnerability in ActiveX that allows worms like Valentine to infect. Users should download the scriptlet.typelib/Eyedog patch, if they have not already done so.
Removal
At the moment, only Sophos and McAfee have posted updated signature files. Other anti-virus software vendors are expected to follow shortly.
