ILOVEYOU | |
---|---|
![]() | |
Email with an infected attachment | |
Alias | Love Bug, Loveletter |
Type | Computer worm |
Origin | Manila, Philippines |
Authors | Onel de Guzman |
Technical details | |
Platform | Windows 9x, Windows NT 4.0, Windows 2000 |
Size | 10.31 kilobytes |
Written in | VBScript |
ILOVEYOU, sometimes referred to as the Love Bug or Loveletter, was a computer worm that infected over ten million Windows personal computers on and after 5 May 2000. It started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs". [1] At the time, Windows computers often hid the latter file extension ("VBS", a type of interpreted file) by default because it is an extension for a file type that Windows knows, leading unwitting users to think it was a normal text file. Opening the attachment activates the Visual Basic script. First, the worm inflicts damage on the local machine, overwriting random files (including Office files and image files; however, it hides MP3 files instead of deleting them), then, it copies itself to all addresses in the Windows Address Book used by Microsoft Outlook, allowing it to spread much faster than any other previous email worm. [2] [3]
Onel de Guzman, [4] a then-24-year-old computer science student at AMA Computer College [5] and resident of Manila, Philippines, created the malware. Because there were no laws in the Philippines against making malware at the time of its creation, the Philippine Congress enacted Republic Act No. 8792, otherwise known as the E-Commerce Law, in July 2000 to discourage future iterations of such activity. However, the Constitution of the Philippines prohibits ex post facto laws, and as such de Guzman could not be prosecuted. [6]
The ILOVEYOU worm was coded by Onel de Guzman, then a student at AMA Computer College of the Philippines. At the time of its creation, de Guzman was poor and struggling to pay for the country's dial-up internet access. [5] De Guzman believed that internet access was a human right, [5] and submitted an undergraduate thesis to the college which proposed the development of a trojan to steal internet login details. [7] He claimed that this would allow users to be able to afford an internet connection, arguing that those affected by it would experience no loss. [5] The proposal was rejected by the college, which remarked that his proposal was "illegal" and that "they did not produce burglars". [7] This led de Guzman to claim that his professors were closed-minded, [4] and he ultimately dropped out of the college and began development of the worm. [8]
De Guzman wrote ILOVEYOU in VBScript, and the Windows Script Host is utilized to run the code. ILOVEYOU was distributed through malicious email attachments. The worm was found in emails with the subject "ILOVEYOU" and a message of "Kindly check the attached love letter from me!" The attachment LOVE-LETTER-FOR-YOU.TXT.vbs
contained the worm. [9]
Upon opening the file, the worm copies itself into relevant directories so it will be run upon reboot of the computer. Two of the three copies masquerade as legitimate Microsoft Windows library files, named MSKernel32.vbs
and Win32DLL.vbs
. The other copy retains the original LOVE-LETTER-FOR-YOU.TXT.vbs
name. [10]
The worm attempts to download a trojan horse named WIN-BUGSFIX.exe
. To achieve this, the victim's Internet Explorer homepage is set to a URL that downloads the trojan upon opening the browser. If the download is successful, the trojan is set to run upon reboot and the Internet Explorer homepage is set to a blank page. The trojan fulfils Guzman's primary aim by stealing passwords. [10]
The worm sends its trademark email to all contacts in the victim's address book. To prevent multiple emails being sent to one person from each successive run of the worm, a registry key is generated for each address book entry once an email has been sent. The worm will only send an email if the registry key is not present. This also allows for emails to be sent to new contacts placed in the address book. ILOVEYOU also has the capability to spread via Internet Relay Chat channels. [10]
The worm searches connected drives for files to modify. All VBScript files it finds (.vbs, .vbe) are overwritten with the worm's code. Files with extensions .jpg, .jpeg, .js, .jse, .css, .wsh, .sct, .doc and .hta are replaced with copies of the worm that have the same base file name but appended with the .vbs extension. Copies for .mp2 and .mp3 files are similarly produced, but the original files are hidden instead of removed. [10]
The email format is considered to be one of the first examples of malware using social engineering, [11] by encouraging victims to open the attached file under the pretext they had a lover who was attempting to contact them. [12] This was exacerbated by the fact that emails appeared to come from close contacts as a result of the worm's use of its previous victim's contact lists. [13] The worm's subsequent success has resulted in the use of social engineering in many modern-day malware attacks. [11] The attachment exploited a feature of Microsoft Outlook where only one file extension would be displayed. As the file name was parsed from left to right, which would be stopped after the first period, to victims the attachment would appear to be an inconspicuous .txt file incapable of holding malware. The worm's real .vbs extension was hidden. [13] De Guzman also claimed that a bug in Windows 95, where code in email attachments was automatically run upon being clicked, contributed to the worm's success. [5]
The fact that the worm was written in VBScript allowed users to modify it. A user could easily change the worm to replace essential files and destroy the system, allowing more than 25 variations of ILOVEYOU to spread across the Internet, each doing different kinds of damage. [14] Most of the variations had to do with what file extensions were affected by the worm. Others modified the email subject to target a specific audience, like the variant "Cartolina" ("postcard") in Italian or "BabyPic" for adults. Some others only changed the credits to the author, which were initially included in the standard version of the virus, removing them entirely or referencing false authors. [14] Others overwrote "EXE" and "COM" files, and the user's computer would then be unbootable upon restarting.[ citation needed ]
Some mail messages sent by ILOVEYOU include:
Originally designing the worm to only work in Manila, De Guzman removed this geographic restriction out of curiosity, which allowed the worm to spread worldwide. De Guzman did not expect this worldwide spread. [5]
The worm originated in the Pandacan neighborhood of Manila in the Philippines on 4 May 2000, [16] thereafter moving westward through corporate email systems as employees began their workday that Friday morning – moving first to Hong Kong, then to Europe, and finally the United States. [17] [18] Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and were therefore often regarded as "safe" by their victims, providing further incentive to open them. Only a few users at each site had to access the attachment to generate millions more messages that crippled mail systems and overwrote millions of files on computers in each successive network. [19]
The outbreak was estimated to have caused US$5.5–8.7 billion in damages worldwide, [20] [21] [ better source needed ] and estimated to cost US$10–15 billion to remove the worm. [22] [23] Within ten days, over fifty million infections had been reported, [24] and it is estimated that 10% of Internet-connected computers in the world had been affected. [22] Damage cited was mostly the time and effort spent getting rid of the infection and recovering files from backups. At the time, it was one of the world's most destructive computer related disasters ever. [25] [26] [27]
In the United Kingdom, the worm reached the email servers of the House of Commons on 4 May. [7] The servers were shut down for two hours in response. [17] The worm affected the banking system of Belgium. [28]
The worm affected most federal government agencies and caused disruption to multiple, including the Department of Justice, the Department of Labor and the Social Security Administration. [28] Operations of the Department of Defence were significantly obstructed, [28] with the Central Intelligence Agency additionally affected [17] and the United States Army having 2258 infected workstations which cost approximately US$79,200 to recover. [29] The Veterans Health Administration received 7,000,000 ILOVEYOU emails during the outbreak, requiring 240 man-hours of work to resolve the problems created. [28] Files at the National Aeronautics and Space Administration were damaged, and in some cases unrecoverable from backups. [28]
The events inspired the song "E-mail" on the Pet Shop Boys' UK top-ten album of 2002, Release , the lyrics of which play thematically on the human desires which enabled the mass destruction of this computer infection.[ citation needed ]
"I love you [rev.eng]" exhibited in July 2006 is a revamped and expanded version of an exhibition shown in June 2002 in the Museum for Applied Art in Frankfurt, in February 2003 at transmediale in Berlin, in August 2004 at the Watson Institute of the Brown University USA and in October 2004 at the Museum for Communication Copenhagen, Denmark. [30] In 2009, Kiat Kiat Projects curated an email exhibition entitled "How to Prevent Hair Loss" inspired by ILOVEYOU. [31] [32]
The worm inspired the 2011 movie Subject: I Love You starring Jericho Rosales and Briana Evigan. [33] In 2019, The Persistence of Chaos, a laptop infected with six viruses including ILOVEYOU was sold at auction by Chinese artist Guo O Dong. [34] In November 2024, The Museum of Malware Art in Helsinki, Finland included a sculpture about ILOVEYOU. [35]
On 5 May 2000, de Guzman and another young Filipino programmer named Reonel Ramones became targets of a criminal investigation by agents of the Philippines' National Bureau of Investigation (NBI). [36] Local Internet service provider Sky Internet had reported receiving numerous contacts from European computer users alleging that malware (in the form of the "ILOVEYOU" worm) had been sent via the ISP's servers. [37]
De Guzman attempted to hide the evidence by removing his computer from his apartment, but he accidentally left some disks behind that contained the worm, as well as information that implicated a possible co-conspirator. [5]
After surveillance and investigation by Darwin Bawasanta of Sky Internet, the NBI traced a frequently appearing telephone number[ clarification needed ] to Ramones' apartment in Manila. His residence was searched and Ramones was arrested and placed under investigation by the Department of Justice (DOJ). De Guzman was also charged in absentia .[ citation needed ]
At that point, the NBI was unsure of what felony or crime would apply. [36] It was suggested they be charged with violating Republic Act 8484 (the Access Device Regulation Act), a law designed mainly to penalize credit card fraud, since both used pre-paid (if not stolen) Internet cards to purchase access to ISPs. Another idea was that they could be charged with malicious mischief, a felony (under the Philippines Revised Penal Code of 1932) involving damage to property. The drawback here was that one of its elements, aside from damage to property, was intent to damage, and de Guzman had claimed during custodial investigations that he might have unwittingly released the worm. [4] At a press conference organized by his lawyer on 11 May, he said "It is possible" when asked whether he might have done so. [5]
To show intent, the NBI investigated AMA Computer College, where de Guzman had dropped out at the very end of his final year. [36]
Since there were no laws in the Philippines against writing malware at the time, both Ramones and de Guzman were released, with all charges dropped by state prosecutors. [38] To address this legislative deficiency, [36] the Philippine Congress enacted Republic Act No. 8792, [39] otherwise known as the E-Commerce Law, in July 2000, months after the worm outbreak. [6]
In 2012, the Smithsonian Institution named ILOVEYOU one of the top ten most virulent computer viruses in history. [12]
De Guzman did not want public attention. His last known public appearance was at the 2000 press conference, where he obscured his face and allowed his lawyer to answer most questions; his whereabouts remained unknown for 20 years afterward. In May 2020, investigative journalist Geoff White revealed that while researching his cybercrime book Crime Dot Com, he had found de Guzman working at a mobile phone repair stall in Manila. De Guzman admitted to creating and releasing the virus. [40] He claimed he had initially developed it to steal internet access passwords, since he could not afford to pay for access. He also stated that he created it alone, clearing the two others who had been accused of co-writing the worm. [41] [42]
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behaviour will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on exploiting the advantages of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.
In computing terminology, a macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application. Some applications, such as Microsoft Office, Excel, PowerPoint allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. This is one reason it can be dangerous to open unexpected attachments in e-mails. Many antivirus programs can detect macro viruses; however, the macro virus' behavior can still be difficult to detect.
This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.
The Sobig Worm was a computer worm that infected millions of Internet-connected, Microsoft Windows computers in August 2003.
Mydoom was a computer worm that targeted computers running Microsoft Windows. It was first sighted on January 26, 2004. It became the fastest-spreading e-mail worm ever, exceeding previous records set by the Sobig worm and ILOVEYOU, a record which as of 2024 has yet to be surpassed.
Bagle was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.
An email attachment is a computer file sent along with an email message. One or more files can be attached to any email message, and be sent along with it to the recipient. This is typically used as a simple method to share documents and images.
The Nimda virus is a malicious file-infecting computer worm.
CTX is a computer virus created in Spain in 1999. CTX was initially discovered as part of the Cholera worm, with which the author intentionally infected with CTX. Although the Cholera worm had the capability to send itself via email, the CTX worm quickly surpassed it in prevalence. Cholera is now considered obsolete, while CTX remains in the field, albeit with only rare discoveries.
Defensive computing is a form of practice for computer users to help reduce the risk of computing problems, by avoiding dangerous computing practices. The primary goal of this method of computing is to be able to anticipate and prepare for potentially problematic situations prior to their occurrence, despite any adverse conditions of a computer system or any mistakes made by other users. This can be achieved through adherence to a variety of general guidelines, as well as the practice of specific computing techniques.
W32.Navidad is a mass-mailing worm program or virus, discovered in December 2000 that ran on Windows 95, Windows 98, Windows NT, and Windows 2000 systems. It was designed to spread through email clients such as Microsoft Outlook while masquerading as an executable electronic Christmas card. Depending on the variant, infected computers can be identified by blue eye icons or ICQ logos which appear in the Windows system tray.
The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:
A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.
Happy99 is a computer worm for Microsoft Windows. It first appeared in mid-January 1999, spreading through email and usenet. The worm installs itself and runs in the background of a victim's machine, without their knowledge. It is generally considered the first virus to propagate by email, and has served as a template for the creation of other self-propagating viruses. Happy99 has spread on multiple continents, including North America, Europe, and Asia.
Anna Kournikova was a computer virus that spread worldwide on the Internet in February 2001. The virus program was contained in an email attachment, purportedly an image of tennis player Anna Kournikova.
NewLove is a computer virus that infects Windows 95, Windows 98, and Windows 2000 users running Internet Explorer 5.0. The virus spreads by e-mail and takes the name of a recently accessed file on a user's computer and uses that name. NewLove targets every single file on a user's hard drive until the computer stops working. The virus causes more damage than ILOVEYOU because it eludes virus scanners. In 2000, many media outlets updated Americans on the virus, but the virus did not cause as much damage as people expected.
The Pikachu virus, also referred to as Pokey or the Pokémon virus, was a computer worm believed to be the first malware geared at children, due to its incorporation of Pikachu, the mascot species of the Pokémon media franchise. It was considered similar to the Love Bug, albeit slower in its spread and less dangerous.
Swen is a mass mailing computer worm written in C++. It sends an email which contains the installer for the virus, disguised as a Microsoft Windows update, although it also works on P2P filesharing networks, IRC and newsgroups' websites. It was first analyzed on September 18, 2003, however, it might have infected computers before then. It disables firewalls and antivirus programs.
The Persistence of Chaos is a work of art consisting of a laptop that contains six computer viruses, worms, and pieces of malware that have caused major damage. The artwork was created in 2019 by artist Guo O Dong and the collective MSCHF, and sold at auction for $1,345,000 in May 2019. Guo O Dong described it as a bestiary for historical malware, and expressed concern about the high price for which it sold, stating that he would either spend the money on another project or burn it.