ILOVEYOU

ILOVEYOU

Aliases	The Love Bug, Loveletter
Written in	VBScript

ILOVEYOU or LOVELETTER was a computer worm that successfully attacked tens of millions of Windows computers in 2000 when it was sent as an attachment to an email message with the text "ILOVEYOU" in the subject line. The worm arrived in e-mail boxes on and after 5 May 2000 with the simple subject of "ILOVEYOU" and an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs". The final 'vbs' extension was hidden by default, leading unsuspecting users to think it was a mere text file. Upon opening the attachment, the worm sent a copy of itself to everyone in the Windows Address Book and with the user's sender address. It also made a number of malicious changes to the user's system.

Such propagation mechanism had been known (though in IBM mainframe rather than in the MS Windows environment) and used already in the Christmas Tree EXEC of 1987 which brought down a number of the world's mainframes at the time.^{[citation needed]}

Four aspects of the worm made it effective:

• It relied on social engineering to entice users to open the attachment and ensure its continued propagation.
• It relied on a flawed Microsoft algorithm for hiding file extensions. Windows had begun hiding extensions by default; the algorithm parsed file names from right to left, stopping at the first 'period' ('dot'). In this way the exploit could insert the second file extension 'TXT' which to the user appeared to be the real extension; text files were presumed to be innocuous.
• It relied on the scripting engine being enabled. This was actually a system setting; the engine had not been known to have been ever used before this; Microsoft received scathing criticism for leaving such a powerful (and dangerous) tool enabled by default with no one the wiser for its existence.
• It exploited the weakness of the email system design that an attached program could be run easily by simply opening the attachment and gain complete access to the file system and the Registry.

Spread

Its massive spread moved westward as workers arrived at their offices and encountered messages generated in the Philippines. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and would therefore be considered "safe", providing further incentive to open the attachments. All it took was a few users at each site to access the attachment to generate the millions of messages that crippled POP systems under their weight, not to mention the fact the worm overwrote millions of files on workstations and accessible servers.

Effects

The worm began in the Philippines on 5 May 2000 and spread across the world in one day, moving inexorably on to Hong Kong and then to Europe and the US,^[1] causing an estimated $5.5 billion in damage.^[2] By 13 May 2000, 50 million infections had been reported.^[3] Most of the damage cited was the labour of getting rid of the worm. The Pentagon, CIA, and the British Parliament had to shut down their mail systems to get rid of it, as did most large corporations.^[4]

This particular malware caused widespread damage. The worm overwrote important files - music files, multimedia files, and more - with a copy of itself. It also sent the worm to everyone on a user's contact list. Because it was written in Visual Basic Script and interfaced with the Outlook Windows Address Book, this particular worm only affected computers running the Microsoft Windows operating system. While any other computer accessing e-mail could receive an "ILOVEYOU" e-mail, only Microsoft Windows systems would be infected.

Architecture of the Worm

The virus is written using Microsoft Visual Basic Scripting (VBS), and requires that the user run the script in order to deliver the payload. It adds a number of Registry keys so the worm is initialised on system boot.

The worm will then search all drives which are connected to the infected computer and replace files with the extensions *.JPG, *.JPEG, *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.DOC *.HTA with copies of itself, while appending to the file name a .VBS. extension. The worm will also locate *.MP3 and *.MP2 files, and when found, make the files hidden, copy itself with the same filename and append a .VBS extension.

The worm propagates by sending out copies of itself to all entries in the Microsoft Outlook address book. It also has an additional component, in which it will download and execute an infected program called variously "WIN-BUGSFIX.EXE" or "Microsoftv25.exe". This is a password-stealing program which will e-mail cached passwords.

Legislative aftermath

The alleged authors of the worm were reported to be Filipinos. Siblings Irene and Onel de Guzman of Manila^[5]; Irene's boyfriend, Reomel Lamores who was briefly held in May 2000 in connection with the worm outbreak; and Michael Buenafe, a fellow student of de Guzman at AMA Computer College.^[6] Onel finally came forward but denied writing the worm, although he admitted he may have inadvertently been responsible for its release. As there were no laws in the Philippines against writing malware at the time, he was released and in August the prosecutors dropped all charges against him.

In Popular Culture

In 2009, Upper Deck Entertainment commemorated the ILoveYou worm as part of a 20th anniversary retrospective set of trading cards. The set was intended to chronicle major events in sports, politics, pop culture, technology and world history in the 20 years since Upper Deck had commenced business. ^{[7] [8]}

See also

Computer security portal

Wikinews has related news: Users insert virus source code into Wikipedia pages

• Code red worm
• Nimda worm
• Timeline of notable computer viruses and worms

References

External links

• The Love Bug - A Retrospect
• ILOVEYOU Virus Lessons Learned Report, Army Forces Command
• Radsoft: The ILOVEYOU Roundup
• Description page
• "No 'sorry' from Love Bug author" at The Register
• CERT Advisory CA-2000-04 Love Letter Worm