ILOVEYOU Virus Screenshot in Windows 9x
|Aliases||Love Bug, Love Letter, fake love|
|Point of origin||Philippines|
|Author(s)||Reonel Ramones, Onel de Guzman|
|Operating system(s) affected||Windows 9x, Windows NT 4.0, Windows 2000|
ILOVEYOU, sometimes referred to as Love Bug or Love Letter for you or fake love/fake love letter, is a computer worm that infected over ten million Windows personal computers on and after 4 May 2000 when it started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.txt.vbs". The latter file extension ('vbs', a type of interpreted file) was most often hidden by default on Windows computers of the time (as it is an extension for a file type that is known by Windows), leading unwitting users to think it was a normal text file. Opening the attachment activates the Visual Basic script. The worm inflicts damage on the local machine, overwriting random types of files (including Office files, image files, and audio files; however after overwriting MP3 files the virus hides the file), and sends a copy of itself to all addresses in the Windows Address Book used by Microsoft Outlook. This made it spread much faster than any other previous email worm.
ILOVEYOU was created by Onel de Guzman, who was a college student in Manila, Philippines at the time. De Guzman created the worm alone and had no accomplices. De Guzman was poor and struggled to pay for internet access at the time. His purpose for creating the computer worm was to steal passwords that he could use to log in to other users' internet accounts without needing to pay for the service. He justified his actions on his belief that internet access is a human right, and his belief that he wasn't actually stealing.
The worm used the same principles that de Guzman had described in his undergraduate thesis at AMA Computer College. He stated that the worm was very easy to create, thanks to a bug in Windows 95 that would run code in email attachments when the user clicked on them. Originally designing the worm to only work in Manila, out of curiosity, he removed this geographic restriction, which allowed the worm to spread worldwide. De Guzman did not expect this worldwide spread.
On the machine system level, ILOVEYOU relied on the scripting engine system setting (which runs scripting language files such as .vbs files) being enabled, and took advantage of a feature in Windows that hid file extensions by default, which malware authors would use as an exploit. Windows would parse file names from right to left, stopping at the first period character, showing only those elements to the left of this. The attachment, which had two periods, could thus display the inner fake "txt" file extension. True text files are considered to be innocuous as they are incapable of running executable code. The worm used social engineering to entice users to open the attachment (out of actual desire to connect or simple curiosity) to ensure continued propagation. Systemic weaknesses in the design of Microsoft Outlook and Microsoft Windows were exploited that allowed malicious code capable of complete access to the operating system, secondary storage, and system and user data simply by unwitting users clicking on an icon.
Messages generated in the Philippines began to spread westwards through corporate email systems. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and were therefore often regarded as "safe" by their victims, providing further incentive to open them. Only a few users at each site had to access the attachment to generate millions more messages that crippled mail systems and overwrote millions of files on computers in each successive network.
The worm originated in the Pandacan neighborhood of Manila in the Philippines on May 4, 2000, thereafter following daybreak westward across the world as employees began their workday that Friday morning, moving first to Hong Kong, then to Europe, and finally the United States. The outbreak was later estimated to have caused US$5.5–8.7 billion in damages worldwide,[better source needed] and estimated to cost US$15 billion to remove the worm. Within ten days, over fifty million infections had been reported, and it is estimated that 10% of internet-connected computers in the world had been affected.[better source needed] Damage cited was mostly the time and effort spent getting rid of the infection and recovering files from backups. To protect themselves, The Pentagon, CIA, the British Parliament and most large corporations decided to completely shut down their mail systems. The ILOVEYOU worm infected computers all over the world. At the time it was one of the world's most destructive computer related disasters ever.
The events inspired the song "E-mail" on the Pet Shop Boys' UK top-ten album of 2002, Release, the lyrics of which play thematically on the human desires which enabled the mass destruction of this computer infection.
The ILOVEYOU Script (the attachment) was written in Microsoft Visual Basic Scripting (VBS) which runs in Microsoft Outlook and was enabled by default. The script adds Windows Registry data for automatic startup on system boot.
The worm searches connected drives and replaces files with extensions JPG, JPEG, VBS, VBE, JS, JSE, CSS, WSH, SCT, DOC, HTA, MP2, and MP3 with copies of itself, while appending the additional file extension VBS, making the user's computer unbootable. However, MP3s and other sound-related files would be hidden rather than overwritten.
The worm propagates itself by sending out one copy of the payload to each entry in the Microsoft Outlook address book (Windows Address Book). It also downloads the Barok trojan renamed for the occasion as "WIN-BUGSFIX.EXE".
The fact that the worm was written in VBS provided users a way to modify it. A user could easily modify the worm to replace important files in the system, and destroy it. This allowed more than twenty five variations of ILOVEYOU to spread across the internet, each one doing different kinds of damage. Most of the variations had to do with what file extensions were affected by the worm. Others simply modified the email subject in order to make it targeted towards a specific audience, like variant "Cartolina" in Italian, or variant "BabyPic" for adults. Some others only modified the credits to the author, which were originally included in the standard version of the virus, removing them completely or referencing false authors.
Some mail messages sent by ILOVEYOU:
On 5 May 2000, two young Filipino programmers named Reonel Ramones and Onel de Guzman became targets of a criminal investigation by agents of the Philippines' National Bureau of Investigation (NBI). Local Internet service provider Sky Internet had reported receiving numerous contacts from European computer users alleging that malware (in the form of the "ILOVEYOU" worm) had been sent via the ISP's servers.
De Guzman attempted to hide the evidence by removing his computer from his apartment, but he accidentally left some disks behind that contained the worm, as well as information that implicated Michael Buen as a possible co-conspirator.
After surveillance and investigation by Darwin Bawasanta of Sky Internet, the NBI traced a frequently appearing telephone number[clarification needed] to Ramones' apartment in Manila. His residence was searched and Ramones was arrested and placed under investigation by the Department of Justice (DOJ). Onel de Guzman was also charged in absentia.
At that point, the NBI were unsure what felony or crime would apply. It was suggested they be charged with violating Republic Act 8484 (the Access Device Regulation Act), a law designed mainly to penalise credit card fraud, since both used pre-paid (if not stolen) Internet cards to purchase access to ISPs. Another idea was that they be charged with malicious mischief, a felony (under the Philippines Revised Penal Code of 1932) involving damage to property. The drawback here was that one of its elements, aside from damage to property, was intent to damage, and de Guzman had claimed during custodial investigations that he might have unwittingly released the worm. At a press conference organised by his lawyer on 11 May, he said "It is possible" when asked whether he might have done so.
To show intent, the NBI investigated AMA Computer College, where de Guzman had dropped out at the very end of his final year. They found that, for his undergraduate thesis, de Guzman had proposed the implementation of a trojan to steal Internet login passwords. This way, he proposed, users would finally be able to afford an Internet connection. The proposal was rejected by the College of Computer Studies board, prompting de Guzman to cancel his studies the day before graduation.
Since there were no laws in the Philippines against writing malware at the time, both Ramones and de Guzman were released with all charges dropped by state prosecutors. To address this legislative deficiency, the Philippine Congress enacted Republic Act No. 8792, otherwise known as the E-Commerce Law, in July 2000, just two months after the worm outbreak.
De Guzman did not want public attention. His last known public appearance was at the 2000 press conference, where he obscured his face and allowed his lawyer to answer most questions, and his whereabouts remained unknown for 20 years afterward. In May 2020, it was revealed that while researching his cybercrime book Crime Dot Com, investigative journalist Geoff White had found Onel de Guzman working at a mobile phone repair stall in Manila. De Guzman admitted creating and releasing the virus. He claimed he had initially developed it to steal Internet access passwords, since he could not afford to pay for access. He also stated that he created it alone, clearing the two others who had been accused of co-writing the worm.
- Michael Buen
- Christmas Tree EXEC
- Code Red worm
- Computer virus
- Nimda (computer worm)
- Timeline of notable computer viruses and worms
- Kane, Margaret (4 May 2000). "'ILOVEYOU' e-mail worm invades PCs". ZDNet News. Archived from the original on 2008-12-27.
- "The 20-Year Hunt for the Man Behind the Love Bug Virus". Wired. ISSN 1059-1028. Retrieved 2020-09-15.
- "Top Ten Most-Destructive Computer Viruses". The Smithsonian. 2012-03-20. Retrieved 2013-10-25.
- "No excuse for virus toll, warns MessageLabs". MessageLabs. 10 May 2000. Archived from the original on 2000-12-14.
- "'Love bug' hacker is Pandacan man, 23". The Philippine Star.
- Garza, George. "Top 10 worst computer viruses". Catalogs.com. Retrieved 2008-05-26.
- Buckland, Jason. "The 'love' bug — 10 worst cybercrimes of the decade". tech.ca.msn.com. Archived from the original on 2011-10-27.
- Barker, Gary (14 May 2000). "Microsoft May Have Been Target of Lovebug". The Age.
- Kane, Margaret (May 4, 2000). "British parliament shut down their mail systems to prevent damage". ZDNet News. Archived from the original on September 23, 2007.
- "I LOVE YOU Virus Help". Computer Hope. Retrieved 11 February 2013.
- "Symantec detects all known new variants of VBS.LoveLetter.A worm". Symantec. Retrieved 8 February 2013.
- Gana, Severino H. Jr. "Prosecution Of Cyber Crimes Through Appropriate Cyber Legislation In The Republic Of The Philippines". Archived from the original on 2008-02-06.
- Landler, Mark (2000-10-21). "A Filipino Linked to 'Love Bug' Talks About His License to Hack". The New York Times. Retrieved 2010-05-05.
- "Onel de Guzman's rejected thesis proposal at AMA Computer College". ComputerBytesMan.com. Archived from the original on 2010-04-26. Retrieved 2010-12-05.
- Arnold, Wayne (2000-08-22). "Technology; Philippines to Drop Charges on E-Mail Virus". The New York Times. Retrieved 2010-05-05.
- "Republic Act No. 8792 — An Act Providing For The Recognition And Use Of Electronic Commercial And Non-Commercial Transactions And Documents, Penalties For Unlawful Use Thereof And For Other Purposes". 2001-08-01. Retrieved 2010-12-05 – via ChanRobles.com.
- White, Geoff (2 May 2020). "Love Bug's creator tracked down to repair shop in Manila". BBC News.
- White, Geoff (21 April 2020). "Revealed: The man behind the first major computer virus pandemic". Computer Weekly.