ILOVEYOU

Common name: ILOVEYOU
Aliases: Love Bug, Loveletter
Type: Computer worm
Point of origin: Manila, Philippines
Author(s): Onel de Guzman
Operating system(s) affected: Windows 9x, Windows NT 4.0, Windows 2000
Filesize: 10,307 bytes
Written in: VBScript
Discontinued: 5 May 2000

ILOVEYOU, sometimes referred to as the Love Bug or Loveletter, was a computer worm that infected over ten million Windows personal computers on and after May 5, 2000. It started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs". [1] At the time, Windows computers often hid the final file extension ("VBS", a type of interpreted file) by default because it is an extension for a file type that Windows knows, leading unwitting users to think the attachment was a normal text file. Opening the attachment activates the Visual Basic script. First, the worm inflicts damage on the local machine, overwriting random files (including Office files and image files; however, it hides MP3 files instead of deleting them). Then it sends a copy of itself to all addresses in the Windows Address Book used by Microsoft Outlook, allowing it to spread much faster than any previous email worm. [2] [3]

Onel de Guzman, [4] a then-24-year-old resident of Manila, Philippines, created the malware. Because there were no laws in the Philippines against making malware at the time of its creation, the Philippine Congress enacted Republic Act No. 8792, otherwise known as the E-Commerce Law, in July 2000 to discourage future iterations of such activity. However, the Constitution of the Philippines prohibits ex post facto laws, and as such de Guzman could not be prosecuted. [5]

Creation

De Guzman, who was poor and struggling to pay for Internet access at the time, created the computer worm intending to steal other users' passwords, which he could use to log in to their Internet accounts without needing to pay for the service. He justified his actions on his belief that Internet access is a human right and that he was not actually stealing. [6]

The worm used the same principles that de Guzman had described in his undergraduate thesis at AMA Computer College. He stated that the worm was very easy to create, thanks to a bug in Windows 95 that would run code in email attachments when the user clicked on them. Originally designing the worm to only work in Manila, he removed this geographic restriction out of curiosity, which allowed the worm to spread worldwide. De Guzman did not expect this worldwide spread. [6]

Description

At the system level, ILOVEYOU relied on the scripting engine system setting (which runs scripting language files such as .vbs files) being enabled, and it took advantage of a feature in Windows that hid file extensions by default, which malware authors would use as an exploit. Windows would parse file names from right to left, stopping at the first period character and showing only the elements to the left of it. The attachment, which had two periods, could thus display the inner fake "TXT" file extension. True text files are considered innocuous because they are incapable of running arbitrary code. The worm used social engineering to entice users to open the attachment (out of actual desire to connect or simple curiosity) to ensure continued propagation. [7] Systemic weaknesses in the design of Microsoft Outlook and Microsoft Windows were exploited to let in malicious code capable of gaining complete access to the operating system, secondary storage, and system and user data, simply through unwitting users clicking on an icon. [8]
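A mail-gateway style check for the filename trick described above, as an added example that is not part of the original article. The extension lists, function names and the sample message are assumptions constructed for illustration; the attachment body is placeholder text.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Final extensions that Windows hands to a script host or program loader.
# Assumed, partial list chosen for this example.
RUNNABLE = {"vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta",
            "exe", "com", "scr", "pif", "bat", "cmd"}
# Inner extensions a reader takes for passive content (assumed list).
PASSIVE_LOOKING = {"txt", "doc", "jpg", "jpeg", "gif", "pdf", "mp3"}


def displayed_name(filename, hide_known_extensions=True):
    """Name a file listing shows when the final, registered extension is hidden."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if (hide_known_extensions and dot and stem) else filename


def classify(filename):
    """Return 'deceptive-double-extension', 'runnable-type' or 'ok'."""
    # Win32 drops trailing dots and spaces, so they must not hide the real type.
    parts = filename.rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in RUNNABLE:
        return "ok"
    if len(parts) >= 3 and parts[-2] in PASSIVE_LOOKING:
        return "deceptive-double-extension"
    return "runnable-type"


def scan_message(raw_bytes):
    """List (filename, name shown with extensions hidden, verdict) per named part."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            findings.append((name, displayed_name(name), classify(name)))
    return findings


def build_sample():
    """Constructed message; the attachment body is placeholder text, not a script."""
    msg = EmailMessage()
    msg["Subject"] = "ILOVEYOU"
    msg["From"] = "colleague@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("constructed sample body")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, shown, verdict in scan_message(build_sample()):
        print(f"{verdict:28} shown as {shown!r:28} real name {name!r}")
```

The verdict is computed from the real final extension, while `displayed_name` shows what the recipient would have seen with extension hiding switched on.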

Spread

Messages generated in the Philippines began to spread westwards through corporate email systems. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and were therefore often regarded as "safe" by their victims, providing further incentive to open them. Only a few users at each site had to access the attachment to generate millions more messages that crippled mail systems and overwrote millions of files on computers in each successive network. [9]

Impact

The worm originated in the Pandacan neighborhood of Manila in the Philippines on 4 May 2000, [10] thereafter following daybreak westward across the world as employees began their workday that Friday morning, moving first to Hong Kong, then to Europe, and finally the United States. [11] [12] The outbreak was later estimated to have caused US$5.5–8.7 billion in damages worldwide, [13] [14] [better source needed] and estimated to cost US$10–15 billion to remove the worm. [15] [16] Within ten days, over fifty million infections had been reported, [17] and it is estimated that 10% of Internet-connected computers in the world had been affected. [15] Damage cited was mostly the time and effort spent getting rid of the infection and recovering files from backups. To protect themselves, the Pentagon, CIA, the British Parliament and most large corporations decided to completely shut down their mail systems. [18] At the time, it was one of the world's most destructive computer-related disasters ever. [19] [20] [21]

The events inspired the song "E-mail" on the Pet Shop Boys' UK top-ten album of 2002, Release, the lyrics of which play thematically on the human desires which enabled the mass destruction of this computer infection. [citation needed]

Architecture

De Guzman wrote the ILOVEYOU script (the attachment) in Microsoft Visual Basic Scripting (VBS), which ran in Microsoft Outlook and was enabled by default. The script adds Windows Registry data for automatic startup on system boot.

The worm searches connected drives and replaces files with extensions JPG, JPEG, VBS, VBE, JS, JSE, CSS, WSH, SCT, DOC, HTA, MP2, and MP3 with copies of itself, while appending the additional file extension VBS. However, MP3s and other sound-related files would be hidden rather than overwritten. [22]
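A triage sketch for the file-replacement behaviour described above, as an added example that is not part of the original article. It looks for many files named `<name>.<targeted extension>.vbs` that share one SHA-256 digest; the function names, the `min_files` threshold and the sample tree are assumptions constructed for illustration, and the file bodies are placeholder text.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions the article lists as replaced by the worm.
TARGETED = {"jpg", "jpeg", "vbs", "vbe", "js", "jse", "css", "wsh",
            "sct", "doc", "hta", "mp2", "mp3"}


def find_overwrite_clusters(root, min_files=3):
    """Group '<name>.<targeted ext>.vbs' files by SHA-256; keep large groups.

    One script body repeated under many unrelated names is the trace the
    replacement behaviour leaves. min_files is an assumed threshold.
    """
    by_digest = defaultdict(list)
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        exts = [s.lstrip(".").lower() for s in path.suffixes]
        if len(exts) >= 2 and exts[-1] == "vbs" and exts[-2] in TARGETED:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            by_digest[digest].append(path)
    return {d: sorted(p) for d, p in by_digest.items() if len(p) >= min_files}


def restore_candidates(cluster, root):
    """Original relative names (appended .vbs removed) to pull from backup."""
    return sorted(p.with_suffix("").relative_to(root).as_posix() for p in cluster)


def build_sample_tree(root):
    """Constructed tree: three identical replaced files, one unrelated script."""
    same = b"' constructed placeholder body, not worm code\n"
    files = {
        "photos/holiday.jpg.vbs": same,
        "docs/report.doc.vbs": same,
        "web/site.css.vbs": same,
        "scripts/build.js.vbs": b"' a different, unrelated script\n",
        "docs/notes.txt": b"plain text\n",
    }
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def triage_sample():
    """Run the scan over the constructed tree and list names to restore."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        clusters = find_overwrite_clusters(tmp)
        return [restore_candidates(c, tmp) for c in clusters.values()]


if __name__ == "__main__":
    for names in triage_sample():
        print("identical replaced files; restore from backup:", names)
```

The single `build.js.vbs` file is not reported because it shares its digest with no other file, which keeps one-off scripts with similar names out of the result.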

The worm propagates itself by sending one copy of the payload to each entry in the Microsoft Outlook address book (Windows Address Book). It also downloads the Barok trojan, renamed for the occasion as "WIN-BUGSFIX.EXE". [23]

The fact that the worm was written in VBS allowed users to modify it. A user could easily change the worm to replace essential files and destroy the system, allowing more than 25 variations of ILOVEYOU to spread across the Internet, each doing different kinds of damage. [24] Most of the variations had to do with what file extensions were affected by the worm. Others modified the email subject to target a specific audience, like the variant "Cartolina" in Italian or "BabyPic" for adults. Some others only changed the credits to the author, which were initially included in the standard version of the virus, removing them entirely or referencing false authors. [24] Still others overwrote "EXE" and "COM" files. [citation needed] The user's computer would then be unbootable upon restarting.

Some mail messages sent by ILOVEYOU include:

Investigation

On 5 May 2000, de Guzman and another young Filipino programmer named Reonel Ramones became targets of a criminal investigation by agents of the Philippines' National Bureau of Investigation (NBI). [26] Local Internet service provider Sky Internet had reported receiving numerous contacts from European computer users alleging that malware (in the form of the "ILOVEYOU" worm) had been sent via the ISP's servers. [27]

De Guzman attempted to hide the evidence by removing his computer from his apartment, but he accidentally left some disks behind that contained the worm, as well as information that implicated a possible co-conspirator. [6]

After surveillance and investigation by Darwin Bawasanta of Sky Internet, the NBI traced a frequently appearing telephone number [clarification needed] to Ramones' apartment in Manila. His residence was searched and Ramones was arrested and placed under investigation by the Department of Justice (DOJ). De Guzman was also charged in absentia. [citation needed]

At that point, the NBI was unsure of what felony or crime would apply. [26] It was suggested they be charged with violating Republic Act 8484 (the Access Device Regulation Act), a law designed mainly to penalize credit card fraud, since both used pre-paid (if not stolen) Internet cards to purchase access to ISPs. Another idea was that they could be charged with malicious mischief, a felony (under the Philippines Revised Penal Code of 1932) involving damage to property. The drawback here was that one of its elements, aside from damage to property, was intent to damage, and de Guzman had claimed during custodial investigations that he might have unwittingly released the worm. [28] At a press conference organized by his lawyer on 11 May, he said "It is possible" when asked whether he might have done so. [6]

To show intent, the NBI investigated AMA Computer College, where de Guzman had dropped out at the very end of his final year. [26] They found that, for his undergraduate thesis, he had proposed the implementation of a trojan to steal Internet login passwords. [29] This, he claimed, would allow users to finally be able to afford an Internet connection. The proposal was rejected by the College of Computer Studies board, leading de Guzman to claim that his professors were closed-minded. [28]

Aftermath

Since there were no laws in the Philippines against writing malware at the time, both Ramones and de Guzman were released with all charges dropped by state prosecutors. [30] To address this legislative deficiency, [26] the Philippine Congress enacted Republic Act No. 8792, [31] otherwise known as the E-Commerce Law, in July 2000, months after the worm outbreak. [5]

In 2012, the Smithsonian Institution named ILOVEYOU one of the top ten most virulent computer viruses in history. [7]

De Guzman did not want public attention. His last known public appearance was at the 2000 press conference, where he obscured his face and allowed his lawyer to answer most questions; his whereabouts remained unknown for 20 years afterward. In May 2020, investigative journalist Geoff White revealed that while researching his cybercrime book Crime Dot Com, he had found Onel de Guzman working at a mobile phone repair stall in Manila. De Guzman admitted to creating and releasing the virus. [32] He claimed he had initially developed it to steal Internet access passwords, since he could not afford to pay for access. He also stated that he created it alone, clearing the two others who had been accused of co-writing the worm. [33] [34]

References

  1. Poulsen, Kevin (May 3, 2010). "May 4, 2000: Tainted 'Love' Infects Computers". Wired. ISSN 1059-1028. Retrieved 2021-07-28.
  2. "What is the ILOVEYOU worm, what does it do, and how do I detect and remove it?". University Information Technology Services. 2018-01-18. Retrieved 2021-07-28.
  3. Mezquita, Ty (2020-02-03). "ILOVEYOU Virus". CyberHoot. Retrieved 2021-07-28.
  4. Landler, Mark (2000-10-21). "A Filipino Linked to 'Love Bug' Talks About His License to Hack". The New York Times. ISSN 0362-4331. Retrieved 2022-12-31.
  5. Caña, Paul John (4 May 2020). "Filipino Creator of the 'I Love You' Virus Just Did It So He Could Get Free Internet". Esquire Philippines. Archived from the original on 7 June 2020. Retrieved 19 January 2021.
  6. White, Geoff (September 12, 2020). "The 20-Year Hunt for the Man Behind the Love Bug Virus". Wired. ISSN 1059-1028. Retrieved 2020-09-15.
  7. "Top Ten Most-Destructive Computer Viruses". Smithsonian Magazine. 19 March 2012. Retrieved 20 December 2021.
  8. Parker, Rob (2018-12-13). "ILOVEYOU!". Medium. Retrieved 2021-07-28.
  9. Mersch, Amy; Nealis, Ellen. "6 Common Types of Malware". blog.totalprosource.com. Retrieved 2021-07-28.
  10. "No excuse for virus toll, warns MessageLabs". MessageLabs. 10 May 2000. Archived from the original on 2000-12-14.
  11. Kane, Margaret (4 May 2000). "'ILOVEYOU' e-mail worm invades PCs". ZDNet News. Archived from the original on 2008-12-27.
  12. "'Love bug' hacker is Pandacan man, 23". The Philippine Star.
  13. Garza, George. "Top 10 worst computer viruses". Catalogs.com. Retrieved 2008-05-26.
  14. "Język angielski i niemiecki" (PDF). Gazeta Edukacja (in Polish). April 2008. Archived from the original (PDF) on December 9, 2008.
  15. Winder, Davey (4 May 2020). "This 20-Year-Old Virus Infected 50 Million Windows Computers In 10 Days: Why The ILOVEYOU Pandemic Matters In 2020". Forbes. Retrieved 22 February 2021.
  16. Buckland, Jason. "The 'love' bug — 10 worst cybercrimes of the decade". tech.ca.msn.com. Archived from the original on 2011-10-27.
  17. Barker, Gary (14 May 2000). "Microsoft May Have Been Target of Lovebug". The Age.
  18. Kane, Margaret (May 4, 2000). "British parliament shut down their mail systems to prevent damage". ZDNet News. Archived from the original on September 23, 2007.
  19. "5 most dangerous computer viruses of all time". in.news.yahoo.com. Retrieved 2021-07-28.
  20. "10 Deadliest Computer Viruses of All Time". Hongkiat. 2021-07-10. Retrieved 2021-07-28.
  21. "Top 10 Most Destructive Computer Viruses of All Time | Advanced Computer Consulting". www.advancedcpc.com. Retrieved 2021-07-28.
  22. "[Review] What Is the ILOVEYOU Virus & Tips to Avoid Virus". MiniTool. 2021-02-25. Retrieved 2021-07-28.
  23. United States. Congress. Senate. Committee on Banking, Housing, and Urban Affairs. Subcommittee on Financial Institutions (2000). The "ILOVEYOU" virus and its impact on the U.S. financial services industry : hearing before the Subcommittee on Financial Institutions of the Committee on Banking, Housing, and Urban Affairs, United States Senate, One Hundred Sixth Congress, second session ... May 18, 2000. U.S. G.P.O. ISBN 0-16-061219-5. OCLC 1008551280.
  24. "I LOVE YOU Virus Help". Computer Hope. Retrieved 11 February 2013.
  25. "Symantec detects all known new variants of VBS.LoveLetter.A worm". Symantec. May 6, 2000. Archived from the original on March 16, 2014. Retrieved 8 February 2013.
  26. Gana, Severino H. Jr. "Prosecution Of Cyber Crimes Through Appropriate Cyber Legislation In The Republic Of The Philippines". www.acpf.org. Archived from the original on 2008-02-06.
  27. "ILOVEYOU: The wrong kind of LoveLetter". WeLiveSecurity. 2017-02-14. Retrieved 2021-07-28.
  28. Landler, Mark (2000-10-21). "A Filipino Linked to 'Love Bug' Talks About His License to Hack". The New York Times. Retrieved 2010-05-05.
  29. "Onel de Guzman's rejected thesis proposal at AMA Computer College". ComputerBytesMan.com. Archived from the original on 2010-04-26. Retrieved 2010-12-05.
  30. Arnold, Wayne (2000-08-22). "Technology; Philippines to Drop Charges on E-Mail Virus". The New York Times. Retrieved 2010-05-05.
  31. "Republic Act No. 8792 — An Act Providing For The Recognition And Use Of Electronic Commercial And Non-Commercial Transactions And Documents, Penalties For Unlawful Use Thereof And For Other Purposes". 2001-08-01. Retrieved 2010-12-05 via ChanRobles.com.
  32. Tyagi, Sachin (2022-08-06). "What is The First Computer Virus in The Philippines? (2022)". Retrieved 2022-08-16.
  33. White, Geoff (2 May 2020). "Love Bug's creator tracked down to repair shop in Manila". BBC News.
  34. White, Geoff (21 April 2020). "Revealed: The man behind the first major computer virus pandemic". Computer Weekly.