Jump to content

ILOVEYOU

Page semi-protected
From Wikipedia, the free encyclopedia

This article is about the computer virus. For other uses, see I Love You, Love Bug, and Love letter.

ILOVEYOU
Email with an infected attachment
AliasLove Bug, Loveletter
TypeComputer worm
OriginManila, Philippines
AuthorsOnel de Guzman
Technical details
PlatformWindows 9x, Windows NT 4.0, Windows 2000
Size10,307 bytes
Written inVBScript
Discontinued5 May 2000

ILOVEYOU, sometimes referred to as the Love Bug or Loveletter, was a computer worm that infected over ten million Windows personal computers on and after 5 May 2000. It started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs."[1] At the time, Windows computers often hid the latter file extension ("VBS," a type of interpreted file) by default because it is an extension for a file type that Windows knows, leading unwitting users to think it was a normal text file. Opening the attachment activates the Visual Basic script. First, the worm inflicts damage on the local machine, overwriting random files (including Office files and image files; however, it hides MP3 files instead of deleting them), then, it copies itself to all addresses in the Windows Address Book used by Microsoft Outlook, allowing it to spread much faster than any other previous email worm.[2][3]

Onel de Guzman,[4] a then-24-year-old computer science student at AMA Computer College[5] and resident of Manila, Philippines, created the malware. Because there were no laws in the Philippines against making malware at the time of its creation, the Philippine Congress enacted Republic Act No. 8792, otherwise known as the E-Commerce Law, in July 2000 to discourage future iterations of such activity. However, the Constitution of the Philippines prohibits ex post facto laws, and as such de Guzman could not be prosecuted.[6]

Creation

De Guzman, who was poor and struggling to pay for Internet access at the time, created the computer worm intending to steal other users' passwords, which he could use to log in to their Internet accounts without needing to pay for the service. He justified his actions on his belief that Internet access is a human right and that he was not actually stealing.[5]

The worm used the same principles that de Guzman had described in his undergraduate thesis at AMA Computer College. He stated that the worm was very easy to create, thanks to a bug in Windows 95 that would run code in email attachments when the user clicked on them. Originally designing the worm to only work in Manila, he removed this geographic restriction out of curiosity, which allowed the worm to spread worldwide. De Guzman did not expect this worldwide spread.[5]

Architecture

De Guzman wrote ILOVEYOU in VBScript, and the Windows Script Host is utilized to run the code. ILOVEYOU was distributed through malicious email attachments. The worm was found in emails with the subject "ILOVEYOU" and a message of "Kindly check the attached love letter from me!" The attachment "LOVE-LETTER-FOR-YOU.TXT.vbs" contained the worm.[7]

Upon opening the file, the worm copies itself into relevant directories so it will be run upon reboot of the computer. Two of the three copies masquerade as legitimate Microsoft Windows library files, named "MSKernel32.vbs" and "Win32DLL.vbs". The other copy retains the original "LOVE-LETTER-FOR-YOU.TXT.vbs" name.[8]

The worm attempts to download a trojan horse named "WIN-BUGSFIX.exe". To achieve this, the victim's Internet Explorer homepage is set to a URL that downloads the trojan upon opening the browser. If the download is successful, the trojan is set to run upon reboot and the Internet Explorer homepage is set to a blank page. The trojan fulfils Guzman's primary aim by stealing passwords.[8]

The worm sends its trademark email to all contacts in the victim's address book. To prevent multiple emails being sent to one person from each successive run of the worm, a registry key is generated for each address book entry once an email has been sent. The worm will only send an email if the registry key is not present. This also allows for emails to be sent to new contacts placed in the address book. ILOVEYOU also has the capability to spread via Internet Relay Chat channels.[8]

The worm searches connected drives for files to modify. All VBScript files it finds (.vbs, .vbe) are overwritten with the worm's code. Files with extensions .jpg, .jpeg, .js, .jse, .css, .wsh, .sct, .doc and .hta are replaced with copies of the worm that have the same base file name but appended with the .vbs extension. Copies for .mp2 and .mp3 files are similarly produced, but the original files are hidden instead of removed.[8]

The email format is considered to be one of the first examples of malware using social engineering,[9] by encouraging victims to open the attached file under the pretext they had a lover who was attempting to contact them.[10] This was exacerbated by the fact that emails appeared to come from close contacts as a result of the worm's use of its previous victim's contact lists.[11] The worm's subsequent success has resulted in the use of social engineering in many modern–day malware attacks.[9] The attachment exploited a feature of Microsoft Outlook where only one file extension would be displayed. As the file name was parsed from left to right, which would be stopped after the first period, to victims the attachment would appear to be an inconspicuous .txt file incapable of holding malware. The worm's real .vbs extension was hidden.[11]

The fact that the worm was written in VBS allowed users to modify it. A user could easily change the worm to replace essential files and destroy the system, allowing more than 25 variations of ILOVEYOU to spread across the Internet, each doing different kinds of damage.[12] Most of the variations had to do with what file extensions were affected by the worm. Others modified the email subject to target a specific audience, like the variant "Cartolina" in Italian or "BabyPic" for adults. Some others only changed the credits to the author, which were initially included in the standard version of the virus, removing them entirely or referencing false authors.[12] Still, others overwrote "EXE" and "COM" files.[citation needed] The user's computer would then be unbootable upon restarting.

Some mail messages sent by ILOVEYOU include:

  • VIRUS ALERT!![13]
  • Important! Read Carefully!![13]

Spread

Messages generated in the Philippines began to spread westwards through corporate email systems. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and were therefore often regarded as "safe" by their victims, providing further incentive to open them. Only a few users at each site had to access the attachment to generate millions more messages that crippled mail systems and overwrote millions of files on computers in each successive network.[14]

Impact

The worm originated in the Pandacan neighborhood of Manila in the Philippines on 4 May 2000,[15] thereafter following daybreak westward across the world as employees began their workday that Friday morning, moving first to Hong Kong, then to Europe, and finally the United States.[16][17] The outbreak was later estimated to have caused US$5.5–8.7 billion in damages worldwide,[18][19][better source needed] and estimated to cost US$10–15 billion to remove the worm.[20][21] Within ten days, over fifty million infections had been reported,[22] and it is estimated that 10% of Internet-connected computers in the world had been affected.[20] Damage cited was mostly the time and effort spent getting rid of the infection and recovering files from backups. To protect themselves, The Pentagon, CIA, the British Parliament and most large corporations decided to completely shut down their mail systems.[23] At the time, it was one of the world's most destructive computer related disasters ever.[24][25][26]

The events inspired the song "E-mail" on the Pet Shop Boys' UK top-ten album of 2002, Release, the lyrics of which play thematically on the human desires which enabled the mass destruction of this computer infection.[citation needed]

Investigation

On 5 May 2000, de Guzman and another young Filipino programmer named Reonel Ramones became targets of a criminal investigation by agents of the Philippines' National Bureau of Investigation (NBI).[27] Local Internet service provider Sky Internet had reported receiving numerous contacts from European computer users alleging that malware (in the form of the "ILOVEYOU" worm) had been sent via the ISP's servers.[28]

De Guzman attempted to hide the evidence by removing his computer from his apartment, but he accidentally left some disks behind that contained the worm, as well as information that implicated a possible co-conspirator.[5]

After surveillance and investigation by Darwin Bawasanta of Sky Internet, the NBI traced a frequently appearing telephone number[clarification needed] to Ramones' apartment in Manila. His residence was searched and Ramones was arrested and placed under investigation by the Department of Justice (DOJ). De Guzman was also charged in absentia.[citation needed]

At that point, the NBI was unsure of what felony or crime would apply.[27] It was suggested they be charged with violating Republic Act 8484 (the Access Device Regulation Act), a law designed mainly to penalize credit card fraud, since both used pre-paid (if not stolen) Internet cards to purchase access to ISPs. Another idea was that they could be charged with malicious mischief, a felony (under the Philippines Revised Penal Code of 1932) involving damage to property. The drawback here was that one of its elements, aside from damage to property, was intent to damage, and de Guzman had claimed during custodial investigations that he might have unwittingly released the worm.[29] At a press conference organized by his lawyer on 11 May, he said "It is possible" when asked whether he might have done so.[5]

To show intent, the NBI investigated AMA Computer College, where de Guzman had dropped out at the very end of his final year.[27] They found that, for his undergraduate thesis, he had proposed the implementation of a trojan to steal Internet login passwords.[30] This, he claimed, would allow users to finally be able to afford an Internet connection. The proposal was rejected by the College of Computer Studies board, leading de Guzman to claim that his professors were closed-minded.[29]

Aftermath

Since there were no laws in the Philippines against writing malware at the time, both Ramones and de Guzman were released with all charges dropped by state prosecutors.[31] To address this legislative deficiency,[27] the Philippine Congress enacted Republic Act No. 8792,[32] otherwise known as the E-Commerce Law, in July 2000, months after the worm outbreak.[6]

In 2012, the Smithsonian Institution named ILOVEYOU one of the top ten most virulent computer viruses in history.[33]

De Guzman did not want public attention. His last known public appearance was at the 2000 press conference, where he obscured his face and allowed his lawyer to answer most questions; his whereabouts remained unknown for 20 years afterward. In May 2020, investigative journalist Geoff White revealed that while researching his cybercrime book Crime Dot Com, he had found Onel de Guzman working at a mobile phone repair stall in Manila. De Guzman admitted to creating and releasing the virus.[34] He claimed he had initially developed it to steal Internet access passwords, since he could not afford to pay for access. He also stated that he created it alone, clearing the two others who had been accused of co-writing the worm.[35][36]

See also

References

  1. ^ Poulsen, Kevin (3 May 2010). "May 4, 2000: Tainted 'Love' Infects Computers". Wired. ISSN 1059-1028. Retrieved 28 July 2021.
  2. ^ "What is the ILOVEYOU worm, what does it do, and how do I detect and remove it?". University Information Technology Services. 18 January 2018. Retrieved 28 July 2021.
  3. ^ Mezquita, Ty (3 February 2020). "ILOVEYOU Virus". CyberHoot. Retrieved 28 July 2021.
  4. ^ Landler, Mark (21 October 2000). "A Filipino Linked to 'Love Bug' Talks About His License to Hack". The New York Times. ISSN 0362-4331. Retrieved 31 December 2022.
  5. ^ a b c d e White, Geoff (12 September 2020). "The 20-Year Hunt for the Man Behind the Love Bug Virus". Wired. ISSN 1059-1028. Retrieved 15 September 2020.
  6. ^ a b Caña, Paul John (4 May 2020). "Filipino Creator of the 'I Love You' Virus Just Did It So He Could Get Free Internet". Esquire Philippines. Archived from the original on 7 June 2020. Retrieved 19 January 2021.
  7. ^ Meek, James (5 May 2000). "Love bug virus creates worldwide chaos". The Guardian. ISSN 0261-3077. Retrieved 10 June 2024.
  8. ^ a b c d Bishop, Matt. (2000). Analysis of the ILOVEYOU Worm.
  9. ^ a b Speed, Richard (5 May 2020). "It has been 20 years since cybercrims woke up to social engineering with an intriguing little email titled 'ILOVEYOU'". The Register. Retrieved 10 June 2024.
  10. ^ Poulsen, Kevin (3 May 2010). "Top Ten Most-Destructive Computer Viruses". Smithsonian Magazine. Retrieved 10 June 2024.
  11. ^ a b Winder, Davey (4 May 2020). "This 20-Year-Old Virus Infected 50 Million Windows Computers In 10 Days: Why The ILOVEYOU Pandemic Matters In 2020". Forbes. Retrieved 10 June 2024.
  12. ^ a b "I LOVE YOU Virus Help". Computer Hope. Retrieved 11 February 2013.
  13. ^ a b "Symantec detects all known new variants of VBS.LoveLetter.A worm". Symantec. 6 May 2000. Archived from the original on 16 March 2014. Retrieved 8 February 2013.
  14. ^ Mersch, Amy; Nealis, Ellen. "6 Common Types of Malware". blog.totalprosource.com. Retrieved 28 July 2021.
  15. ^ "No excuse for virus toll, warns MessageLabs". MessageLabs. 10 May 2000. Archived from the original on 14 December 2000.
  16. ^ Kane, Margaret (4 May 2000). "'ILOVEYOU' e-mail worm invades PCs". ZDNet News. Archived from the original on 27 December 2008.
  17. ^ "'Love bug' hacker is Pandacan man, 23". The Philippine Star.
  18. ^ Garza, George. "Top 10 worst computer viruses". Catalogs.com. Retrieved 26 May 2008.
  19. ^ "Język angielski i niemiecki" (PDF). Gazeta Edukacja (in Polish). April 2008. Archived from the original (PDF) on 9 December 2008.
  20. ^ a b Winder, Davey (4 May 2020). "This 20-Year-Old Virus Infected 50 Million Windows Computers In 10 Days: Why The ILOVEYOU Pandemic Matters In 2020". Forbes. Retrieved 22 February 2021.
  21. ^ Buckland, Jason. "The 'love' bug — 10 worst cybercrimes of the decade". tech.ca.msn.com. Archived from the original on 27 October 2011.
  22. ^ Barker, Gary (14 May 2000). "Microsoft May Have Been Target of Lovebug". The Age.
  23. ^ Kane, Margaret (4 May 2000). "British parliament shut down their mail systems to prevent damage". ZDNet News. Archived from the original on 23 September 2007.
  24. ^ "5 most dangerous computer viruses of all time". in.news.yahoo.com. Retrieved 28 July 2021.
  25. ^ "10 Deadliest Computer Viruses of All Time". Hongkiat. 10 July 2021. Retrieved 28 July 2021.
  26. ^ "Top 10 Most Destructive Computer Viruses of All Time | Advanced Computer Consulting". www.advancedcpc.com. 24 September 2018. Retrieved 28 July 2021.
  27. ^ a b c d Gana, Severino H. Jr. "Prosecution Of Cyber Crimes Through Appropriate Cyber Legislation In The Republic Of The Philippines". www.acpf.org. Archived from the original on 6 February 2008.
  28. ^ "ILOVEYOU: The wrong kind of LoveLetter". WeLiveSecurity. 14 February 2017. Retrieved 28 July 2021.
  29. ^ a b Landler, Mark (21 October 2000). "A Filipino Linked to 'Love Bug' Talks About His License to Hack". The New York Times. Retrieved 5 May 2010.
  30. ^ "Onel de Guzman's rejected thesis proposal at AMA Computer College". ComputerBytesMan.com. Archived from the original on 26 April 2010. Retrieved 5 December 2010.
  31. ^ Arnold, Wayne (22 August 2000). "Technology; Philippines to Drop Charges on E-Mail Virus". The New York Times. Retrieved 5 May 2010.
  32. ^ "Republic Act No. 8792 — An Act Providing For The Recognition And Use Of Electronic Commercial And Non-Commercial Transactions And Documents, Penalties For Unlawful Use Thereof And For Other Purposes". 1 August 2001. Retrieved 5 December 2010 – via ChanRobles.com.
  33. ^ "Top Ten Most-Destructive Computer Viruses". Smithsonian Magazine. 19 March 2012. Retrieved 20 December 2021.
  34. ^ Tyagi, Sachin (6 August 2022). "What is The First Computer Virus in The Philippines? (2022)". Retrieved 16 August 2022.
  35. ^ White, Geoff (2 May 2020). "Love Bug's creator tracked down to repair shop in Manila". BBC News.
  36. ^ White, Geoff (21 April 2020). "Revealed: The man behind the first major computer virus pandemic". Computer Weekly.

External links

Retrieved from "https://en.wikipedia.org/w/index.php?title=ILOVEYOU&oldid=1228344935"