Jump to content

ILOVEYOU

This is a good article. Click here for more information.
From Wikipedia, the free encyclopedia

This article is about the computer worm. For other uses, see I Love You (disambiguation), Love Bug (disambiguation), and Love letter (disambiguation).
ILOVEYOU
Picture of an email sent by the ILOVEYOU worm. The email has the subject "ILOVEYOU," a message of "Kindly check the attached love letter from me," and has an attachment LOVE-LETTER-FOR-YOU.TXT.vbs
Email with an attachment containing the worm
Malware details
AliasesLove Bug, Loveletter
TypeComputer worm
OriginManila, Philippines
AuthorOnel de Guzman
Technical details
Platforms
Size10.31 kilobytes
Written inVBScript

ILOVEYOU, sometimes referred to as the Love Bug or Loveletter, was a computer worm that infected tens of millions of Windows computers following its release on 4 May 2000. The worm was mainly distributed through email attachments sent to contacts on an infected system's address book, and is an example of malware using social engineering to aid its spread. Once run, the worm overwrites files with its source code and attempts to spread to other computers.

The worm was created by Onel de Guzman, a dropout of AMA Computer College in the Philippines, because of his belief that internet access was a human right; the worm attempts to download a computer trojan that steals dial-up Internet access credentials to fulfil this aim. Philippine prosecutors ultimately dropped all charges against de Guzman because of a lack of laws against hacking in the country. In response, President Joseph Estrada signed an e-commerce law to cover against similar activity.

Affecting an estimated 10% of internet-connected computers at the time, the ILOVEYOU worm is considered to be one of the most virulent examples in the history of malware. The worm caused approximately US$10 billion worth of damages to numerous government agencies and corporations. It has inspired several creative works, including art installations, songs and films.

Background

[edit]

The ILOVEYOU worm was coded by Onel de Guzman, a former student at AMA Computer College in the Philippines. At the time of its creation, de Guzman was poor[1][2] and struggling to pay for the country's dial-up internet access.[1] De Guzman believed that internet access was a human right,[1] and submitted an undergraduate thesis to the college which proposed the development of a trojan to steal internet login details.[3] He reasoned that this would allow users to afford an internet connection, arguing that those affected by it would experience no loss.[1] The proposal was rejected by the college, which remarked that his proposal was "illegal" and that "they did not produce burglars".[3][4] De Guzman later described his professors as close-minded,[5] and eventually dropped out of the college.[6]

Technical details

[edit]

De Guzman wrote ILOVEYOU in the programming language VBScript. The Windows Script Host is used by Windows to run its code.[7][8] ILOVEYOU was distributed through malicious email attachments.[9] The worm was found in emails with the subject "ILOVEYOU" and a message of "kindly check the attached LOVELETTER coming from me." The attachment LOVE-LETTER-FOR-YOU.TXT.vbs contained the worm.[10]

Upon opening the file, the worm creates copies of itself that are run upon reboot of the computer. Two of the three copies masquerade as legitimate Microsoft Windows library files, named MSKernel32.vbs and Win32DLL.vbs. The other copy retains the original LOVE-LETTER-FOR-YOU.TXT.vbs name.[11] The worm also removes a 10-second timeout for scripts set in the Windows Registry, so it can continue to run without constraints.[8]

The worm attempts to download a trojan horse named WIN-BUGSFIX.exe. To achieve this, the victim's Internet Explorer homepage is set to a URL that downloads the trojan upon opening the browser. If the download is successful, the trojan is set to run upon reboot and the Internet Explorer homepage is set to a blank page. The trojan fulfils de Guzman's primary aim by stealing passwords.[11]

The worm sends its trademark email to all contacts in the victim's address book. The worm records which address book entries it has sent emails to, so only one email is sent to each contact even if the worm is run multiple times. This also allows for emails to be sent to new contacts placed in the address book. ILOVEYOU also has the capability to spread via Internet Relay Chat channels.[11]

The worm searches connected drives for files to modify. All VBScript files it finds, which have the file extensions .vbs and .vbe, are overwritten with the worm's code. Files with extensions .jpg, .jpeg, .js, .jse, .css, .wsh, .sct, and .hta are replaced with copies of the worm that have the same base file name but appended with the .vbs extension. Copies for .mp2 and .mp3 files are similarly produced, but the original files are hidden instead of removed.[11]

Deceptive methods

[edit]

ILOVEYOU used social engineering to aid its spread,[12] encouraging potential victims to open the infected attachment by playing on their romantic desires.[13] By using each victim’s address book, emails sent by the worm appeared to come from close contacts. This further encouraged recipients to run the worm.[14] The worm's subsequent success demonstrated the capability of social engineering, which continues to be used in many modern-day malware attacks.[12]

The attachment used a file name that took advantage of a feature of Microsoft Windows, "Hide extensions for known file types", where only the base file name would be displayed. As such, to victims the attachment could appear to be an inconspicuous .txt file incapable of holding malware,[8] and the worm's real .vbs extension would be hidden.[14]

Variants

[edit]

Since ILOVEYOU was coded in VBScript, it was relatively easy to modify the worm’s code and change its behaviour.[15][16] Over 25 variants of the ILOVEYOU worm have been recorded.[17] Variants of ILOVEYOU differed from the original worm in many aspects, such as changing which file extensions were affected,[18] and modifying the worm's email subject and body to target specific audiences.[11][19]

Computer worm NewLove, which spread in a similar fashion to ILOVEYOU, was especially destructive since it targeted every file on the victim's hard drive until their computer stopped working[20] and evaded antivirus software.[20][21][22] Despite widespread coverage of this worm by media outlets, it failed to cause significant damage.[21]

Spread

[edit]

De Guzman designed ILOVEYOU to only work in Manila. He later removed this restriction, which allowed for the worldwide spread of the worm.[1] The worm's spread began on 4 May 2000,[23] moving westward through corporate email systems as employees began their workday – first to Hong Kong, then to Europe, and finally the United States.[10][24] One user opening an attachment was enough to compromise entire networks.[25]

ILOVEYOU disrupted the operations of many companies.[26] Email systems had to be shut down due to the volume of incoming mail sent by the worm.[10] Data was lost due to the worm overwriting files with its code.[27] The worm affected numerous financial institutions, including the banking system of Belgium.[26]

The worm disrupted government agencies in numerous countries. In the United Kingdom, the worm reached the email servers of the House of Commons on 4 May.[3] The servers were shut down for two hours in response.[10] In the United States, the worm affected most federal government agencies, including the Department of Justice, the Department of Labor and the Social Security Administration.[26] Operations of the Central Intelligence Agency[10] and the Department of Defense were affected,[26] with the United States Army having 2,258 infected workstations which cost the agency an estimated US$79,200.[28] The Veterans Health Administration received 7,000,000 ILOVEYOU emails during the outbreak, requiring 240 man-hours of work to resolve the problems created.[26] Files at the National Aeronautics and Space Administration were damaged, and in some cases unrecoverable from backups.[26]

Investigations

[edit]

Local internet service provider Sky Internet took down web pages delivering the WIN-BUGSFIX.exe trojan.[29] ISPs also linked ILOVEYOU to a phone line registered to an apartment associated with de Guzman.[30][31] De Guzman's mother warned him of the worm's public attention and hid his computer,[1][32] but left behind floppy disks that unintentionally implicated other students from AMA Computer College.[33] A police raid on 8 May 2000 led to the seizure of these disks and the arrest of de Guzman's sister's boyfriend.[30] Authorities initially presented him and de Guzman’s sister as their main suspects; however, they later released him due to insufficient evidence.[34][35]

The Philippines' National Bureau of Investigation was unsure of what felonies could apply[36] since there were no specific laws against hacking in the Philippines at the time.[1] Ultimately, de Guzman was charged under the Access Device Regulation Act, a law designed mainly to penalise credit card fraud, and malicious mischief, a felony involving damage to property.[37] All charges against de Guzman were later dropped by prosecutors, since the evidence collected did not support what had been filed.[38][39]

Later whereabouts and admission of de Guzman

[edit]

De Guzman's last known public appearance was at a press conference on 11 May 2000, where he obscured his face and allowed his lawyer to answer most questions; his whereabouts remained mostly unknown afterward.[1] In April 2019, investigative journalist Geoff White visited the Quiapo Market in Manila to look for de Guzman, following a tip-off from an internet forum.[1][32] He discovered de Guzman working at a mobile phone repair stall elsewhere in Manila.[33] De Guzman admitted to creating and releasing the worm, and cleared all others who had been accused of co-authoring it.[1] White later published his findings in his cybercrime book, Crime Dot Com (2020).[1]

Aftermath

[edit]

ILOVEYOU has repeatedly been named as one of the most destructive and virulent pieces of malware in history.[3][13][40] Within ten days of the first reported cases, tens of millions of infections had been reported, and it is estimated that 10% of Internet-connected computers in the world were eventually affected.[14] The damage caused by ILOVEYOU is difficult to quantify,[25] but estimates in the 2020s place it at approximately US$10 billion.[3][14][41]

To address legislative deficiencies against computer hacking, Philippine President Joseph Estrada signed an e-commerce law in June 2000.[42][43] Since this law was passed after the worm's release, de Guzman could not be prosecuted retroactively under it.[3][42] His actions received mixed reactions: some believed he had evaded justice, while others viewed him as a hero and he was offered (but ultimately turned down) jobs at computer companies.[3][44]

Cultural impact

[edit]

ILOVEYOU has led to the creation of several creative works. It inspired the song "E-mail" by the English pop duo Pet Shop Boys,[45] included in their top-ten[46] album Release.[47] The 2011 movie Subject: I Love You, starring Jericho Rosales and Briana Evigan,[48] was also based off the worm.[49] Multiple art installations reference the worm, including the 2006 exhibition "I love you [rev.eng]"[50] and a 2019 email exhibition entitled "How to Prevent Hair Loss".[51][52] The Persistence of Chaos, a laptop infected with notable malware including ILOVEYOU, was sold at auction in 2019 by Chinese artist Guo O Dong.[53]

See also

[edit]

References

[edit]
  1. ^ a b c d e f g h i j k White, Geoff (12 September 2020). "The 20-Year Hunt for the Man Behind the Love Bug Virus". Wired. ISSN 1059-1028. Archived from the original on 15 September 2020. Retrieved 15 September 2020.
  2. ^ Frank, Robert; Hookway, James (15 May 2000). "'Love Bug' Virus Investigation Highlights Filipino Hackers". The Wall Street Journal. ISSN 0099-9660. Retrieved 6 May 2026.
  3. ^ a b c d e f g Griffiths, James (3 May 2020). "How a badly-coded computer virus caused billions in damage | CNN Business". CNN. Archived from the original on 27 July 2024. Retrieved 29 June 2024.
  4. ^ Cohen, Adam (22 May 2000). "School for Hackers". TIME. Retrieved 6 May 2026.
  5. ^ Landler, Mark (21 October 2000). "A Filipino Linked to 'Love Bug' Talks About His License to Hack". The New York Times. Archived from the original on 23 March 2010. Retrieved 5 May 2010.
  6. ^ "Virus Charges Dropped". The New York Times. 6 September 2000. Archived from the original on 20 January 2025. Retrieved 4 January 2025.
  7. ^ Lambert, John (September 2002). SOFTWARE RESTRICTION POLICIES IN WINDOWS XP (PDF). Virus Bulletin. p. 5.
  8. ^ a b c Gleick, James (10 May 2000). "Love, Microsoft". Slate. ISSN 1091-2339. Retrieved 29 April 2026.
  9. ^ Meek, James (5 May 2000). "Love bug virus creates worldwide chaos". The Guardian. ISSN 0261-3077. Retrieved 10 June 2024.
  10. ^ a b c d e Kane, Margaret (3 May 2000). "'ILOVEYOU' e-mail worm invades PCs". ZDNET. Archived from the original on 30 June 2024. Retrieved 29 June 2024.
  11. ^ a b c d e Bishop, Matt. (2000). Analysis of the ILOVEYOU Worm.
  12. ^ a b Speed, Richard (5 May 2020). "It has been 20 years since cybercrims woke up to social engineering with an intriguing little email titled 'ILOVEYOU'". The Register. Archived from the original on 10 June 2024. Retrieved 10 June 2024.
  13. ^ a b Poulsen, Kevin (3 May 2010). "Top Ten Most-Destructive Computer Viruses". Smithsonian Magazine. Archived from the original on 17 May 2014. Retrieved 10 June 2024.
  14. ^ a b c d Winder, Davey (4 May 2020). "This 20-Year-Old Virus Infected 50 Million Windows Computers In 10 Days: Why The ILOVEYOU Pandemic Matters In 2020". Forbes. Archived from the original on 24 October 2020. Retrieved 10 June 2024.
  15. ^ Hopper, D. Ian (5 May 2000). "'Mother's Day' virus plays on heart strings but does more damage". CNN. Retrieved 29 April 2026.
  16. ^ Kennedy, Mark (September 2000). SCRIPT-BASED MOBILE THREATS (PDF). Virus Bulletin. pp. 2–3 – via Portland State University.
  17. ^ Bentley, Peter (20 December 2020). "Could computers get a virus that's as contagious and difficult to eliminate as the coronavirus?". BBC Science Focus Magazine. Retrieved 1 May 2026.
  18. ^ Vamosi, Robert (10 May 2000). "More ILOVEYOU variants surface". ZDNET. Retrieved 3 May 2026.
  19. ^ Bain, Charles; Faatz, Donald; Fayad, Amgad; Williams, Douglas (2002), Gertz, Michael; Guldentops, Erik; Strous, Leon (eds.), "Diversity as a Defense Strategy in Information Systems", Integrity, Internal Control and Security in Information Systems: Connecting Governance and Technology, Boston, MA: Springer US, pp. 77–93, doi:10.1007/978-0-387-35583-2_5, ISBN 978-0-387-35583-2, retrieved 3 May 2026{{citation}}: CS1 maint: work parameter with ISBN (link)
  20. ^ a b Hopper, Ian; Lockridge, Rick; Young, Steve (19 May 2000). "New computer virus more destructive, but appears less infectious". CNN. Archived from the original on 3 June 2004. Retrieved 17 March 2026.
  21. ^ a b ""NewLove" warnings spread faster than virus itself". CNET. 19 May 2000. Retrieved 10 April 2026.{{cite web}}: CS1 maint: url-status (link)
  22. ^ Markoff, John (20 May 2000). "Experts Warn Of New Virus Hitting PC's". The New York Times. ISSN 0362-4331. Retrieved 11 May 2026.
  23. ^ "No excuse for virus toll, warns MessageLabs". MessageLabs. 10 May 2000. Archived from the original on 14 December 2000.
  24. ^ "'Love bug' hacker is Pandacan man, 23". The Philippine Star. 6 May 2000. Archived from the original on 3 February 2014. Retrieved 23 August 2013.
  25. ^ a b Heiney, James (2023). "ILOVEYOU Virus Attacks Computers | Computer Science | Research Starters | EBSCO Research". EBSCO. Retrieved 14 March 2026.
  26. ^ a b c d e f Brock Jr., Jack (18 May 2000). Critical Infrastructure Protection: "ILOVEYOU" Computer Virus Highlights Need for Improved Alert and Coordination Capabilities (PDF) (Report). United States General Accounting Office. Retrieved 30 June 2024.
  27. ^ Grossman, Lev (14 May 2000). "Attack Of The Love Bug". TIME. Retrieved 28 April 2026.
  28. ^ "ILOVEYOU" Virus: Lessons Learned Report (Report). United States Army. 29 April 2003. Archived from the original on 13 June 2025. Retrieved 30 June 2024.
  29. ^ Festa, Paul (4 May 2000). "Philippine ISP cooperating with FBI in virus probe". CNET. Retrieved 28 April 2026.
  30. ^ a b "Love Bug Suspect Off The Hook". CBS News. 21 August 2000. Retrieved 14 March 2026.
  31. ^ Hopper, Ian (8 May 2000). "Internet provider says Caller ID foiled 'Love Bug' author". CNN. Retrieved 15 May 2026.
  32. ^ a b White, Geoff (2 May 2020). "Love Bug's creator tracked down to repair shop in Manila". BBC News. Archived from the original on 3 May 2020. Retrieved 3 May 2020.
  33. ^ a b White, Geoff (21 April 2020). "Revealed: The man behind the first major computer virus pandemic". Computer Weekly. Archived from the original on 19 November 2024. Retrieved 3 May 2020.
  34. ^ "Suspect Freed; Lack of Evidence". WIRED. 9 May 2000. ISSN 1059-1028. Retrieved 28 April 2026.
  35. ^ Burke, Lynn (9 May 2000). "Still Searching for Worm Culprit". WIRED. ISSN 1059-1028. Retrieved 28 April 2026.
  36. ^ Gana Jr., Severino. "Prosecution Of Cyber Crimes Through Appropriate Cyber Legislation In The Republic Of The Philippines". Asia Crime Prevention Foundation. Archived from the original on 6 February 2008.
  37. ^ "Virus Suspect to Be Charged". Reuters. 15 June 2000. Retrieved 28 April 2026 – via The New York Times.
  38. ^ Arnold, Wayne (22 August 2000). "Technology; Philippines to Drop Charges on E-Mail Virus". The New York Times. Archived from the original on 9 February 2011. Retrieved 5 May 2010.
  39. ^ "Charges dropped against Love Bug suspect". CBC News. 21 August 2000. Retrieved 28 April 2026.
  40. ^ Byman, Cary (25 June 2025). "25 years ago: The ILOVEYOU worm". ITNOW. Vol. 67, no. 3. pp. 36–37. doi:10.1093/itnow/bwaf084. Archived from the original on 8 April 2026. Retrieved 7 April 2026.
  41. ^ Kelly, Ross (5 May 2025). "'ILOVEYOU': The virus that rocked the world, 25 years on". TechRadar. Archived from the original on 5 January 2026. Retrieved 15 March 2026.
  42. ^ a b "Philippine Dropout to Be Charged for 'Love Bug'". Reuters. 15 June 2000. Retrieved 8 April 2026 – via The New York Times.
  43. ^ "Philippine President Signs Law to Punish Computer Crimes". The New York Times. 15 June 2000. ISSN 0362-4331. Retrieved 28 April 2026.
  44. ^ Wayne, Arnold (22 August 2000). "Philippines to Drop Charges on E-Mail Virus". The New York Times. Retrieved 8 April 2026.
  45. ^ Kuhn, Thomas (24 April 2020). "Iloveyou: Ein Liebesschwur mit Langzeitwirkung". Wirtschaftswoche (in German). Archived from the original on 23 February 2024. Retrieved 10 March 2026.
  46. ^ Jones, Alan (13 April 2002). "Chart Commentary" (PDF). Music Week. London. p. 17. Retrieved 15 May 2026 – via World Radio History.
  47. ^ Paoletta, Michael (27 April 2002). "Pet Shop Boys Find 'Release' on Sanctuary" (PDF). Billboard. New York. p. 80. Retrieved 15 May 2026 – via World Radio History.
  48. ^ "Premiere of Jericho Rosales' international film Subject: I Love You at Newport Beach Film Festival sold out". SPOT.PH. 3 May 2011. Archived from the original on 26 January 2025. Retrieved 15 December 2024.
  49. ^ Cluley, Graham (26 April 2011). "I LOVE YOU - Virus-inspired movie trailer and world premiere". grahamcluley.com. Retrieved 19 May 2026.
  50. ^ "I Love You [Rev.Eng] • Digicult | Digital Art, Design and Culture". Digicult | Digital Art, Design and Culture. 20 July 2006. Archived from the original on 15 December 2024. Retrieved 15 December 2024.
  51. ^ "How to Prevent Hair Loss, Kiat Kiat Projects - NECSUS". necsus-ejms.org. 11 December 2023. Archived from the original on 15 December 2024. Retrieved 15 December 2024.
  52. ^ "ArtAsiaPacific: Alternative Toolkits: Interview with Kiat Kiat Projects". ArtAsiaPacific. Archived from the original on 15 December 2024. Retrieved 15 December 2024.
  53. ^ Solly, Meilan (30 May 2019). "A Laptop Infected With the World's Most Dangerous Viruses Sold for $1.3 Million". Smithsonian Magazine. Retrieved 15 December 2024.
[edit]
Retrieved from "https://en.wikipedia.org/w/index.php?title=ILOVEYOU&oldid=1356009109"