ILOVEYOU

ILOVEYOU

Common name	Love Letter
Type	Computer worm
Operating system(s) affected	Microsoft Windows
Written in	VBScript

ILOVEYOU, also known as Love Letter, is a computer worm that successfully attacked tens of millions of computers in 2000 when it was sent as an attachment to a user with the text "ILOVEYOU" in the subject line. The worm arrived e-mail on and after May 4, 2000 with the simple subject of "ILOVEYOU" and an attachment "LOVE-LETTER-FOR-YOU.". The file extension was hidden by default, leading unsuspecting users to think it was a normal text file. Upon opening the attachment, the worm sent a copy of itself to everyone in the Windows Address Book and with the user's sender address. It also made a number of malicious changes to the user's system.

Such propagation mechanism had been known (though in IBM mainframe rather than in the MS Windows environment) and used already in the Christmas Tree EXEC of 1987 which brought down a number of the world's mainframes at the time.

Four aspects of the worm made it effective:

• It relied on the scripting engine system setting being enabled. The engine had not been known to have ever been used previously and Microsoft received scathing criticism for leaving such a powerful (and dangerous) tool enabled by default with no one aware of its existence.
• It took advantage of a Microsoft algorithm for hiding file extensions. Windows had begun hiding extensions by default; the algorithm parsed file names from right to left, stopping at the first 'period' ('dot'). In this way the exploit could display the inner file extension 'TXT' as the real extension; text files are considered to be innocuous as they can't contain executable code.
• It utilized social engineering to entice users to open the attachment and ensure its continued propagation.
• It exploited the weakness of the email system design that an attached program could be run easily by simply opening the attachment to gain complete access to the file system and the Registry.

Spread

Messages generated in the Philippines began to spread westwards through corporate email systems. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and would therefore be considered "safe", providing further incentive to open the attachments. Only a few users at each site had to access the attachment in order to generate the millions of messages that crippled POP systems under their weight and release the worm that overwrote millions of files on workstations and accessible servers.

Impact

The worm originated in Manila, Philippines on 4 May 2000 and spread across the world in one day, moving on to Hong Kong and then to Europe and the US,^[1] causing an estimated $5.5 billion in damage.^[2] By 13 May 2000, 50 million infections had been reported.^[3] Most of the damage cited was the time and effort spent getting rid of the worm. In order to free themselves, The Pentagon, CIA, and the British Parliament had to shut down their mail systems; as did most large corporations.^[4]

This particular malware caused widespread damage. The worm overwrote important files — music files, multimedia files, and more — with a copy of itself. It also sent the worm to the first fifty people in the Windows Address Book, the system contact list. Because it was written in Visual Basic Script and interfaced with the Outlook Windows Address Book, this particular worm only affected computers running the Microsoft Windows operating system. While any computer could receive the "ILOVEYOU" message, only Microsoft Windows systems were vulnerable.

Architecture of the Worm

The worm is written using Microsoft Visual Basic Scripting (VBS), and requires that the user run the script in order to deliver the payload. It adds a number of registry keys so the worm is initialized on system boot.

The worm will then search all drives which are connected to the infected computer and replace files with the extensions *.JPG, *.JPEG, *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.DOC *.HTA with copies of itself, while appending to the file name a .VBS. extension. The worm will also locate *.MP3 and *.MP2 files, and when found, make the files hidden, copy itself with the same filename and append a .VBS extension.

The worm propagates by sending out copies of itself to all entries in the Microsoft Outlook address book. It also adds registry keys that direct the Windows operating system to download and execute a password-stealing trojan variously called "WIN-BUGSFIX.EXE" or "Microsoftv25.exe".

Origins

On May 5, 2000, two young Filipino computer programming students named Reomel Lamores^{[dubious – discuss]} and Onel de Guzman became the target of a criminal investigation by the Philippines' National Bureau of Investigation (NBI) agents.^[5] The NBI received a complaint from Sky Internet, a local Internet service provider (ISP). The ISP claimed that they have received numerous calls from European computer users, complaining that malware in the form of an "ILOVEYOU" worm was sent to their computers through the said ISP.

After several days of surveillance and investigation spearheaded by Darwin Bawasanta, systems development manager of Sky Internet, the NBI was able to trace a frequently appearing telephone number, which turned out to be that of Mr. Lamores' apartment in Manila, Philippines. His residence was searched by the NBI and Mr. Lamores was consequently arrested and placed on inquest investigation before the Department of Justice (DOJ). Onel de Guzman was likewise arrested in Manila. At that point, the NBI was at a loss as to what felony or crime to charge the two with in court.^[5] There were some agents who theorized that they may be charged with violation of Republic Act No. 8484 or the Access Device Regulation Act, a law designed mainly to penalize credit card fraud. The reason supposedly being that both used, if not stole, pre-paid Internet cards which enabled them to use several ISPs. Another school of thought within the NBI opened that Lamores and de Guzman could be charged with malicious mischief, a felony involving damage to property under the Philippines' Revised Penal Code, which was enacted in 1932. However, the problem with malicious mischief is that one of its elements, aside from damage to property, was intent to damage. In this case, Mr. de Guzman claimed during custodial investigation that he merely unwittingly released the virus.^[6]

To show his intent, the NBI investigated AMA Computer University where de Guzman dropped out on his senior year.^[5] There, it was found that de Guzman was not only quite familiar with computer viruses, he had in fact, proposed to create one. For his undergraduate thesis, he proposed the commercialization of a Trojan virus, one that innocently enters another computer but would later steal passwords, addresses, and files, much like the Trojan Horse.^[7] He contended that through the Trojan virus, the user would be able to save on, if not totally make do without, prepaid Internet usage cards since passwords could be obtained by the virus. The thesis proposal was rejected by the College of Computer Studies board,^[6] forcing him to drop out.

Legislative aftermath

Since there were no laws in the Philippines against writing malware at the time, both Lamores and de Guzman were released with all charges dropped by state prosecutors.^[8] To address this legislative deficiency,^[5] the Philippine Congress enacted Republic Act No. 8792,^[9] otherwise known as the E-Commerce Law, in July 2000, just two months after the worm outbreak. In 2002, the ILOVEYOU virus obtained a world record for being the most virulent computer virus then.

• Code Red worm
• Nimda worm
• Timeline of notable computer viruses and worms

References

1. ^ News.Zdnet.com
2. ^ "ILOVEYOU". WHoWhatWhereWhenWhy.com. http://www.catalogs.com/info/travel-vacations/top-10-worst-computer-viruses.html. Retrieved 2008-05-26. 
3. ^ Gary Barker (May 13, 2000). "Microsoft May Have Been Target of Lovebug". The Age. 
4. ^ British parliament shut down their mail systems to prevent damage^{[dead link]}
5. ^ ^{a b c d} ACPF.org^{[dead link]}
6. ^ ^{a b} Landler, Mark (2000-10-21). "A Filipino Linked to 'Love Bug' Talks About His License to Hack". The New York Times. http://www.nytimes.com/2000/10/21/business/a-filipino-linked-to-love-bug-talks-about-his-license-to-hack.html. Retrieved 2010-05-05. 
7. ^ "Computerbytesman.com". Computerbytesman.com. http://www.computerbytesman.com/lovebug/thesis.htm. Retrieved 2010-12-05. 
8. ^ Arnold, Wayne (2000-08-22). "Technology; Philippines to Drop Charges on E-Mail Virus". The New York Times. http://www.nytimes.com/2000/08/22/business/technology-philippines-to-drop-charges-on-e-mail-virus.html. Retrieved 2010-05-05. 
9. ^ Joselito Guianan Chan, Managing Partner, Chan Robles & Associates Law Firm (2001-08-01). "Chanrobles.com". Chanrobles.com. http://www.chanrobles.com/republicactno8792.htm. Retrieved 2010-12-05. 

External links

• The Love Bug - A Retrospect
• ILOVEYOU Virus Lessons Learned Report, Army Forces Command
• Radsoft: The ILOVEYOU Roundup
• Description page
• "No 'sorry' from Love Bug author" at The Register
• CERT Advisory CA-2000-04 Love Letter Worm
• Subject "I Love You"