ILOVEYOU
2000 computer worm written by Onel de Guzman
From Wikipedia, the free encyclopedia
ILOVEYOU, sometimes referred to as the Love Bug or Loveletter, was a computer worm that infected tens of millions of Windows computers following its release on 4 May 2000. The worm was mainly distributed through email attachments sent to contacts on an infected system's address book, and is an example of malware using social engineering to aid its spread. Once run, the worm overwrites files with its source code and attempts to spread to other computers.
| ILOVEYOU | |
|---|---|
| Email with an attachment containing the worm | |
| Malware details | |
| Aliases | Love Bug, Loveletter |
| Type | Computer worm |
| Origin | Manila, Philippines |
| Author | Onel de Guzman |
| Technical details | |
| Platforms | |
| Size | 10.31 kilobytes |
| Written in | VBScript |
The worm was created by Onel de Guzman, a dropout of AMA Computer College in the Philippines, because of his belief that internet access was a human right; the worm attempts to download a computer trojan that steals dial-up Internet access credentials to fulfil this aim. Philippine prosecutors ultimately dropped all charges against de Guzman because of a lack of laws against hacking in the country. In response, President Joseph Estrada signed an e-commerce law to cover similar activity.
Affecting an estimated 10% of internet-connected computers at the time, the ILOVEYOU worm is considered to be one of the most virulent examples in the history of malware. The worm caused an estimated US$10-15 billion worth of damages to numerous government agencies and corporations. It has inspired several creative works, including art installations, songs and films.
Background
The ILOVEYOU worm was coded by Onel de Guzman, a former student at AMA Computer College in the Philippines. At the time of its creation, de Guzman was poor[1][2] and struggling to pay for the country's dial-up internet access.[1] De Guzman believed that internet access was a human right,[1] and submitted an undergraduate thesis to the college which proposed the development of a trojan to steal internet login details.[3] He reasoned that this would allow users to afford an internet connection, arguing that those affected by it would experience no loss.[1] The proposal was rejected by the college, which remarked that his proposal was "illegal" and that "they did not produce burglars".[4][3] De Guzman later described his professors as close-minded,[5] and eventually dropped out of the college.[6]
Technical details
De Guzman wrote ILOVEYOU in the programming language VBScript. Windows runs its code through the Windows Script Host.[7][8] ILOVEYOU was distributed through malicious email attachments.[9] The worm was found in emails with the subject "ILOVEYOU" and a message of "kindly check the attached LOVELETTER coming from me." The attachment LOVE-LETTER-FOR-YOU.TXT.vbs contained the worm.[10]
Upon opening the file, the worm creates copies of itself that are run upon reboot of the computer. Two of the three copies masquerade as legitimate Microsoft Windows library files, named MSKernel32.vbs and Win32DLL.vbs. The other copy retains the original LOVE-LETTER-FOR-YOU.TXT.vbs name.[11] The worm also removes a 10-second timeout for scripts set in the Windows Registry, so it can continue to run without constraints.[8]
The worm attempts to download a trojan horse named WIN-BUGSFIX.exe. To achieve this, the victim's Internet Explorer homepage is set to a URL that downloads the trojan upon opening the browser. If the download is successful, the trojan is set to run upon reboot and the Internet Explorer homepage is set to a blank page. The trojan fulfils de Guzman's primary aim by stealing passwords.[11]
The worm sends its trademark email to all contacts in the victim's address book. The worm records which address book entries it has sent emails to, so only one email is sent to each contact even if the worm is run multiple times. This also allows for emails to be sent to new contacts placed in the address book. ILOVEYOU also has the capability to spread via Internet Relay Chat channels.[11]
The worm searches connected drives for files to modify. All VBScript files it finds, which have the file extensions .vbs and .vbe, are overwritten with the worm's code. Files with extensions .jpg, .jpeg, .js, .jse, .css, .wsh, .sct, and .hta are replaced with copies of the worm that have the same base file name but appended with the .vbs extension. Copies for .mp2 and .mp3 files are similarly produced, but the original files are hidden instead of removed.[11]
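The file-replacement pattern described above leaves a recognisable footprint that can be used for incident triage. The following Python sketch is an added example, not code from the worm or from any cited source; the function name `triage`, the report keys and the sample listing are constructed for illustration. It separates originals that must be restored from backup from .mp2/.mp3 originals that only need to be unhidden.

```python
from pathlib import PureWindowsPath

# Extensions the article lists as replaced by "<name>.<ext>.vbs" copies.
REPLACED = {".jpg", ".jpeg", ".js", ".jse", ".css", ".wsh", ".sct", ".hta"}
# Extensions whose originals are hidden rather than removed.
HIDDEN = {".mp2", ".mp3"}

# Constructed listing; it must include hidden files (e.g. from "dir /a /s /b").
SAMPLE = [
    r"C:\Users\ana\Pictures\beach.jpg.vbs",
    r"C:\Users\ana\Music\song.mp3",
    r"C:\Users\ana\Music\song.mp3.vbs",
    r"C:\Users\ana\Music\demo.mp2.vbs",
    r"C:\Users\ana\site\style.css",
    r"C:\Users\ana\site\style.css.vbs",
    r"C:\Users\ana\Documents\notes.txt",
    r"C:\Users\ana\scripts\backup.vbs",
]


def triage(listing):
    """Classify worm-style '<name>.<ext>.vbs' copies found in a file listing.

    Each report entry is the original path that the .vbs copy stands in for.
    Overwritten .vbs/.vbe files cannot be told apart by name and are not covered.
    """
    paths = [PureWindowsPath(p) for p in listing]
    present = {str(p).lower() for p in paths}
    report = {"restore_from_backup": [], "unhide_original": [], "review_manually": []}
    for p in paths:
        if p.suffix.lower() != ".vbs":
            continue
        original = p.with_suffix("")           # strip the trailing .vbs
        inner = original.suffix.lower()         # extension of the replaced file
        exists = str(original).lower() in present
        if inner in HIDDEN:
            # Original should still be on disk, only hidden.
            key = "unhide_original" if exists else "restore_from_backup"
        elif inner in REPLACED:
            # Original should be gone; if it is not, the pattern is incomplete.
            key = "review_manually" if exists else "restore_from_backup"
        else:
            continue
        report[key].append(str(original))
    return {k: sorted(v) for k, v in report.items()}
```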
Deceptive methods
ILOVEYOU used social engineering to aid its spread,[12] encouraging potential victims to open the infected attachment by playing on their romantic desires.[13] By using each victim’s address book, emails sent by the worm appeared to come from close contacts. This further encouraged recipients to run the worm.[14] The worm's subsequent success demonstrated the capability of social engineering, which continues to be used in many modern-day malware attacks.[12]
The attachment used a file name that took advantage of a feature of Microsoft Windows, "Hide extensions for known file types", where only the base file name would be displayed. As such, to victims the attachment could appear to be an inconspicuous .txt file incapable of holding malware,[8] and the worm's real .vbs extension would be hidden.[14]
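The double-extension trick can be checked for at a mail gateway. The following Python sketch is an added example, not part of the original article or of any product; the function names, the `SCRIPT_EXTS` list (taken from the script extensions named in this article) and the sample message are assumptions constructed for illustration. It parses a message, computes the name a recipient would see with extension hiding enabled, and flags script attachments whose displayed name still appears to end in another extension.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Assumption: script types treated as dangerous in this example.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}


def explorer_display_name(filename):
    """Name shown with 'Hide extensions for known file types' enabled,
    assuming the final extension is a registered file type."""
    return PureWindowsPath(filename).stem


def deceptive_attachments(raw_bytes):
    """Return (real_name, displayed_name) for each script attachment whose
    displayed name still carries a second, harmless-looking extension."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
        if len(suffixes) >= 2 and suffixes[-1] in SCRIPT_EXTS:
            hits.append((name, explorer_display_name(name)))
    return hits


def sample_message():
    """Constructed message using the subject, body and attachment name
    quoted in the article; the payload is a harmless placeholder."""
    msg = EmailMessage()
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    for fname in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "minutes.txt", "report.vbs"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for real, shown in deceptive_attachments(sample_message()):
        print(f"attachment {real!r} is displayed as {shown!r}")
```

A single-extension script such as `report.vbs` is not reported by this check because its displayed name does not imitate another file type; blocking script attachments outright is a separate policy decision.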
Variants
Since ILOVEYOU was coded in VBScript, it was relatively easy to modify the worm’s code and change its behaviour.[15][16] Over 25 variants of the ILOVEYOU worm have been recorded.[17] Variants of ILOVEYOU differed from the original worm in many aspects, such as changing which file extensions were affected,[18] and modifying the worm's email subject and body to target specific audiences.[11][19]
The computer worm NewLove, which spread in a similar fashion to ILOVEYOU, was especially destructive since it targeted every file on the victim's hard drive until their computer stopped working[20] and evaded antivirus software.[20][21][22] Despite widespread coverage of this worm by media outlets, it failed to cause significant damage.[21]
Spread
De Guzman designed ILOVEYOU to only work in Manila. He later removed this restriction, which allowed for the worldwide spread of the worm.[1] The worm's spread began on 4 May 2000,[23] moving westward through corporate email systems as employees began their workday – first to Hong Kong, then to Europe, and finally the United States.[10][24] One user opening an attachment was enough to compromise entire networks.[25]
ILOVEYOU disrupted the operations of many companies.[26] Email systems had to be shut down due to the volume of incoming mail sent by the worm.[10] Data was lost due to the worm overwriting files with its code.[27] The worm affected numerous financial institutions, including the banking system of Belgium.[26]
The worm disrupted government agencies in numerous countries. In the United Kingdom, the worm reached the email servers of the House of Commons on 4 May.[3] The servers were shut down for two hours in response.[10] In the United States, the worm affected most federal government agencies, including the Department of Justice, the Department of Labor and the Social Security Administration.[26] Operations of the Central Intelligence Agency[10] and the Department of Defense were affected,[26] with the United States Army having 2,258 infected workstations which cost the agency an estimated US$79,200.[28] The Veterans Health Administration received 7,000,000 ILOVEYOU emails during the outbreak, requiring 240 man-hours of work to resolve the problems created.[26] Files at the National Aeronautics and Space Administration were damaged, and in some cases unrecoverable from backups.[26]
Investigations
Local internet service provider Sky Internet took down web pages delivering the WIN-BUGSFIX.exe trojan.[29] ISPs also linked ILOVEYOU to a phone line registered to an apartment associated with de Guzman.[30][31] De Guzman's mother warned him of the worm's public attention and hid his computer,[1][32] but left behind floppy disks that unintentionally implicated other students from AMA Computer College.[33] A police raid on 8 May 2000 led to the seizure of these disks and the arrest of de Guzman's sister's boyfriend.[30] Authorities initially presented him and de Guzman’s sister as their main suspects; however, they later released him due to insufficient evidence.[34][35]
The Philippines' National Bureau of Investigation was unsure of what felonies could apply[36] since there were no specific laws against hacking in the Philippines at the time.[1] Ultimately, de Guzman was charged under the Access Device Regulation Act, a law designed mainly to penalize credit card fraud, and with malicious mischief, a felony involving damage to property.[37] All charges against de Guzman were later dropped by prosecutors, since the evidence collected did not support what had been filed.[38][39]
Later whereabouts and admission of de Guzman
De Guzman's last known public appearance was at a press conference on 11 May 2000, where he obscured his face and allowed his lawyer to answer most questions; his whereabouts remained mostly unknown afterward.[1] In April 2019, investigative journalist Geoff White visited the Quiapo Market in Manila to look for de Guzman, following a tip-off from an internet forum.[1][32] He discovered de Guzman working at a mobile phone repair stall elsewhere in Manila.[33] De Guzman admitted to creating and releasing the worm, and cleared all others who had been accused of co-authoring it.[1] White later published his findings in his cybercrime book, Crime Dot Com (2020).[1]
Aftermath
ILOVEYOU has repeatedly been named as one of the most destructive and virulent pieces of malware in history.[3][13][40] Within ten days of the first reported cases, tens of millions of infections had been reported, and it is estimated that 10% of Internet-connected computers in the world were eventually affected.[14] The damage caused by ILOVEYOU is difficult to quantify,[25] but estimates in the 2020s place it at approximately US$10 billion.[3][14][41]
To address legislative deficiencies against computer hacking, Philippine President Joseph Estrada signed an e-commerce law in June 2000.[42][43] Since this law was passed after the worm's release, de Guzman could not be prosecuted retroactively under it.[3][42] His actions received mixed reactions: some believed he had evaded justice, while others viewed him as a hero and he was offered (but ultimately turned down) jobs at computer companies.[3][44]
Cultural impact
ILOVEYOU has led to the creation of several creative works. The events inspired the song "E-mail" by the English pop duo Pet Shop Boys,[45] included in their top-ten[46] album Release.[47] The 2011 movie Subject: I Love You, starring Jericho Rosales and Briana Evigan,[48] was also based on the worm.[49] Multiple art installations reference the worm, including the 2006 exhibition "I love you [rev.eng]"[50] and a 2019 email exhibition entitled "How to Prevent Hair Loss".[51][52] The Persistence of Chaos, a laptop infected with notable malware including ILOVEYOU, was sold at auction in 2019 by Chinese artist Guo O Dong.[53]