ILOVEYOU
ILOVEYOU, also known as Love Letter, is a computer worm that successfully attacked tens of millions of computers in 2000 when it was sent as an e-mail attachment with the text "ILOVEYOU" in the subject line. The worm arrived by e-mail on and after May 4, 2000 with the simple subject "ILOVEYOU" and an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". Windows hid the final file extension by default, so unsuspecting users took the attachment for a normal text file. Upon opening the attachment, the worm sent a copy of itself to everyone in the Windows Address Book, with the victim's address as the sender. It also made a number of malicious changes to the victim's system.

This propagation mechanism had been known (though in the IBM mainframe rather than the MS Windows environment) and had already been used by the Christmas Tree EXEC of 1987, which brought down a number of the world's mainframes at the time.

Four aspects of the worm made it effective:
  • It relied on the Windows Script Host, the scripting engine that runs .VBS files, being enabled. Few users had ever knowingly used the engine, and Microsoft received scathing criticism for leaving such a powerful (and dangerous) tool enabled by default when hardly anyone was aware of its existence.
  • It took advantage of the way Windows hides file extensions. Windows had begun hiding extensions by default; Explorer treats everything after the last dot as the extension and drops it from the displayed name. A file named LOVE-LETTER-FOR-YOU.TXT.vbs was therefore shown as LOVE-LETTER-FOR-YOU.TXT, so the inner 'TXT' looked like the real extension, and text files are considered innocuous because they cannot contain executable code.
  • It used social engineering, the art of manipulating people into performing actions or divulging confidential information, to entice users to open the attachment and so ensure its continued propagation.
  • It exploited a weakness in the design of the e-mail client: an attached program ran with the user's full privileges as soon as the attachment was opened, giving it complete access to the file system and the Registry.
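The extension-hiding trick from the second point above, worked through in code. This is an added example, not code from the original article or from the worm: it models Explorer's behaviour of dropping everything after the last dot and applies the check a mail gateway could run on attachment names. The extension sets, the function names and every file name used are assumptions constructed for the demo.

```python
"""
Added example (not the worm's code or the article's): how a double extension
defeats the 'hide extensions' display rule, and a gateway-side check for it.
The extension sets and sample names are constructed for this demo.
"""
import os

# Extensions the shell or Windows Script Host will execute directly.
# Assumed list for the demo; it includes the script types the worm targeted.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta",
                   ".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Extensions a user reads as "just data".
BENIGN_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".mp3", ".pdf",
               ".htm", ".html"}


def displayed_name(filename):
    """Name as Explorer shows it with 'Hide extensions for known file types'
    on: everything after the last dot is dropped. Names without an
    extension are returned unchanged."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def real_extension(filename):
    """The extension the OS actually acts on (lower-cased)."""
    return os.path.splitext(filename)[1].lower()


def classify_attachment(filename):
    """'double-extension' when the real extension is executable and the
    displayed name still ends in a benign-looking extension; 'executable'
    when it is executable without the disguise; otherwise 'ok'."""
    real = real_extension(filename)
    if real not in EXECUTABLE_EXTS:
        return "ok"
    if real_extension(displayed_name(filename)) in BENIGN_EXTS:
        return "double-extension"
    return "executable"


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "photo.JPG.VBS",
                 "setup.exe", "notes.txt", "README"):
        print(f"{name:32} shown as {displayed_name(name):28} "
              f"-> {classify_attachment(name)}")
```

The check keys on the real extension first: a plain `.vbs` attachment is still flagged as executable even without the inner extension, and a name with no dot at all is displayed unchanged and passes.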

Spread

Messages generated in the Philippines began to spread westwards through corporate e-mail systems. Because the worm drew its targets from the victim's own address book, the messages appeared to come from acquaintances and were therefore considered "safe", giving recipients further incentive to open the attachment. Only a few users at each site had to open the attachment to generate the millions of messages that crippled mail (POP) servers under their weight and to release the worm that overwrote millions of files on workstations and accessible servers.

Impact

The worm originated in Manila, Philippines on 4 May 2000 and spread across the world in one day, moving on to Hong Kong and then to Europe and the US, causing an estimated $5.5 billion in damage. By 13 May 2000, 50 million infections had been reported. Most of the damage cited was the time and effort spent getting rid of the worm. To free themselves, the Pentagon, the CIA, and the British Parliament had to shut down their mail systems, as did most large corporations.

This particular malware caused widespread damage. The worm overwrote important files, including music and other multimedia files, with a copy of itself. It also sent itself to every entry in the Windows Address Book, the system contact list. Because it was written in Visual Basic Script and interfaced with the Outlook Windows Address Book, this worm only affected computers running the Microsoft Windows operating system. While any computer could receive the "ILOVEYOU" message, only Microsoft Windows systems were vulnerable.

Architecture of the Worm

The worm is written in Microsoft Visual Basic Scripting (VBS), and requires that the user run the script in order to deliver the payload. It adds a number of registry keys so that the worm is started on system boot.

The worm then searches all drives connected to the infected computer and replaces files with the extensions *.JPG, *.JPEG, *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.DOC and *.HTA with copies of itself, renaming each so that the file name ends in a .VBS extension. The worm also locates *.MP3 and *.MP2 files and, when found, sets them hidden and writes a copy of itself beside each with the same file name plus a .VBS extension.

The worm propagates by sending copies of itself to all entries in the Microsoft Outlook address book. It also adds registry keys that direct the Windows operating system to download and execute a password-stealing trojan variously called "WIN-BUGSFIX.EXE" or "Microsoftv25.exe".
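A read-only triage scan for the on-disk artifacts just described, added here as an example; it is not code from the article or from the worm. It looks for files whose name ends in one of the original extensions listed above followed by .vbs, for media files that have a .vbs companion of the same name, and then hashes the flagged files, since every copy the worm wrote should be byte-identical. The directory layout, file contents and helper names are constructed for the demo. The registry keys and the downloaded trojan are not covered because the article does not name the keys.

```python
"""
Added example (not the worm's code or the article's): read-only triage scan
for the file-system artifacts the worm leaves behind. The sample tree, its
contents and the helper names are constructed for this demo.
"""
import hashlib
import os
import tempfile

# Originals the article lists as overwritten and renamed to carry .VBS.
OVERWRITTEN_EXTS = {".jpg", ".jpeg", ".vbs", ".vbe", ".js", ".jse",
                    ".css", ".wsh", ".sct", ".doc", ".hta"}
# Media files are left in place (hidden) with a .VBS copy beside them.
MEDIA_EXTS = {".mp3", ".mp2"}


def inner_extension(name):
    """For 'photo.jpg.vbs' return '.jpg'; '' for a plain 'x.vbs';
    None if the name does not end in .vbs at all."""
    stem, last = os.path.splitext(name)
    if last.lower() != ".vbs":
        return None
    return os.path.splitext(stem)[1].lower()


def scan_tree(root):
    """Walk root and return sorted (finding, path) pairs.
    'overwritten'     : X.<ext>.vbs where <ext> is in OVERWRITTEN_EXTS
    'media-companion' : X.mp3.vbs sitting next to the original X.mp3
    On Windows the original media file would also carry the hidden
    attribute; this cross-platform demo keys only on the name pair."""
    findings = []
    for dirpath, _, files in os.walk(root):
        present = set(files)
        for name in files:
            inner = inner_extension(name)
            if inner is None:
                continue
            path = os.path.join(dirpath, name)
            original = name[:-len(".vbs")]
            if inner in MEDIA_EXTS and original in present:
                findings.append(("media-companion", path))
            elif inner in OVERWRITTEN_EXTS:
                findings.append(("overwritten", path))
    return sorted(findings)


def group_by_hash(paths):
    """Map SHA-256 digest -> list of paths; worm copies should all collide."""
    groups = {}
    for path in paths:
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        groups.setdefault(digest, []).append(path)
    return groups


WORM_BODY = b"' constructed stand-in for the worm's VBScript body\r\n"


def build_sample_tree(root):
    """Lay out a constructed victim directory: three worm copies, one media
    original left in place, and two files the worm would not touch."""
    os.makedirs(os.path.join(root, "music"))
    files = {
        "photo.jpg.vbs": WORM_BODY,                  # overwritten JPEG
        "report.doc.vbs": WORM_BODY,                 # overwritten document
        "music/song.mp3": b"ID3 fake audio",         # original left in place
        "music/song.mp3.vbs": WORM_BODY,             # companion copy
        "notes.txt": b"untouched",                   # not a targeted type
        "legit.vbs": b"WScript.Echo \"hello\"\r\n",  # single-extension script
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the sample tree, scan it, and return a summary dict."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
        groups = group_by_hash([p for _, p in findings])
        return {
            "kinds": [kind for kind, _ in findings],
            "largest_group": max((len(v) for v in groups.values()), default=0),
        }


if __name__ == "__main__":
    print(run_demo())
```

A legitimate single-extension script such as `legit.vbs` is deliberately not flagged: the worm's signature on disk is the stacked extension, not the .vbs type by itself. In a real response the hash groups would be compared across hosts, since one digest recurring on every machine is what distinguishes a self-copying worm from unrelated scripts.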

Origins

On May 5, 2000, two young Filipino computer programming students named Reomel Ramores and Onel de Guzman became the target of a criminal investigation by agents of the Philippines' National Bureau of Investigation (NBI). The NBI had received a complaint from Sky Internet, a local Internet service provider (ISP). The ISP claimed that it had received numerous calls from European computer users complaining that malware in the form of the "ILOVEYOU" worm had been sent to their computers through the ISP.

After several days of surveillance and investigation spearheaded by Darwin Bawasanta, systems development manager of Sky Internet, the NBI was able to trace a frequently appearing telephone number, which turned out to be that of Mr. Ramores' apartment in Manila, Philippines. His residence was searched by the NBI and Mr. Ramores was consequently arrested and placed under inquest investigation before the Department of Justice (DOJ). Onel de Guzman was likewise arrested in Manila. At that point, the NBI was at a loss as to what felony or crime to charge the two with in court. Some agents theorized that they could be charged with violation of Republic Act No. 8484, the Access Device Regulation Act, a law designed mainly to penalize credit card fraud, the reasoning being that both had used, if not stolen, pre-paid Internet cards that enabled them to use several ISPs. Another school of thought within the NBI held that Ramores and de Guzman could be charged with malicious mischief, a felony involving damage to property under the Philippines' Revised Penal Code, enacted in 1932. The problem with malicious mischief, however, is that one of its elements, aside from damage to property, is intent to damage. In this case, Mr. de Guzman claimed during custodial investigation that he had merely released the virus unwittingly.

To establish intent, the NBI investigated AMA Computer University, where de Guzman had dropped out in his senior year. There it was found that de Guzman was not only quite familiar with computer viruses but had in fact proposed to create one. For his undergraduate thesis he proposed the commercialization of a Trojan virus, one that innocently enters another computer but later steals passwords, addresses, and files, much like the Trojan Horse. He contended that through the Trojan the user would be able to save on, if not entirely do without, prepaid Internet usage cards, since passwords could be obtained by the virus. The thesis proposal was rejected by the College of Computer Studies board, forcing him to drop out.

Legislative aftermath

Since there were no laws in the Philippines against writing malware at the time, both Ramores and de Guzman were released with all charges dropped by state prosecutors. To address this legislative deficiency, the Philippine Congress enacted Republic Act No. 8792, otherwise known as the E-Commerce Law, in July 2000, just two months after the worm outbreak. In 2002, ILOVEYOU was recognized with a world record as the most virulent computer virus up to that time.

See also

  • Code Red worm
  • Nimda worm
  • Timeline of notable computer viruses and worms


The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 