ILOVEYOU: Difference between revisions

ILOVEYOU, also known as LoveLetter, is a computer worm that successfully attacked tens of millions of Windows computers in 2000 when it was sent as an attachment to an email message with the text "ILOVEYOU" in the subject line. The worm arrived in email inboxes on and after May 4, 2000 with the simple subject of "ILOVEYOU" and an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs". The final 'vbs' extension was hidden by default, leading unsuspecting users to think it was a mere text file. Upon opening the attachment, the worm sent a copy of itself to everyone in the Windows Address Book and with the user's sender address. It also made a number of malicious changes to the user's system.

Such propagation mechanism had been known (though in IBM mainframe rather than in the MS Windows environment) and used already in the Christmas Tree EXEC of 1987 which brought down a number of the world's mainframes at the time.^{[citation needed]}

Four aspects of the worm made it effective:

• It relied on social engineering to entice users to open the attachment and ensure its continued propagation.
• It relied on a flawed Microsoft algorithm for hiding file extensions. Windows had begun hiding extensions by default; the algorithm parsed file names from right to left, stopping at the first 'period' ('dot'). In this way the exploit could display the inner file extension 'TXT' as the real extension; text files are considered to be innocuous as they can't contain executable code.
• It relied on the scripting engine being enabled. This was actually a system setting; the engine had not been known to have been ever used previously; Microsoft received scathing criticism for leaving such a powerful (and dangerous) tool enabled by default with no one the wiser for its existence.
• It exploited the weakness of the email system design that an attached program could be run easily by simply opening the attachment to gain complete access to the file system and the Registry.

Messages generated in the Philippines began to spread westwards through corporate email systems. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and would therefore be considered "safe", providing further incentive to open the attachments. Only a few users at each site had to access the attachment in order to generate the millions of messages that crippled POP systems under their weight and release the worm that overwrote millions of files on workstations and accessible servers.

The worm originated in the Philippines on 4 May 2000 and spread across the world in one day, moving on to Hong Kong and then to Europe and the US,^[1] causing an estimated $5.5 billion in damage.^[2] By 13 May 2000, 50 million infections had been reported.^[3] Most of the damage cited was the time and effort spent getting rid of the worm. In order to free themselves, The Pentagon, CIA, and the British Parliament had to shut down their mail systems; as did most large corporations.^[4]

This particular malware caused widespread damage. The worm overwrote important files — music files, multimedia files, and more — with a copy of itself. It also sent the worm to the first fifty people in the Windows Address Book, the system contact list. Because it was written in Visual Basic Script and interfaced with the Outlook Windows Address Book, this particular worm only affected computers running the Microsoft Windows operating system. While any computer could receive the "ILOVEYOU" message, only Microsoft Windows systems were vulnerable.

The worm is written using Microsoft Visual Basic Scripting (VBS), and requires that the user run the script in order to deliver the payload. It adds a number of registry keys so the worm is initialized on system boot.

The worm will then search all drives which are connected to the infected computer and replace files with the extensions *.JPG, *.JPEG, *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.DOC *.HTA with copies of itself, while appending to the file name a .VBS. extension. The worm will also locate *.MP3 and *.MP2 files, and when found, make the files hidden, copy itself with the same filename and append a .VBS extension.

The worm propagates by sending out copies of itself to all entries in the Microsoft Outlook address book. It also adds registry keys that direct the Windows operating system to download and execute a password-stealing program variously called "WIN-BUGSFIX.EXE" or "Microsoftv25.exe."

This article may need to be rewritten to comply with Wikipedia's quality standards. You can help. The talk page may contain suggestions. (May 2010)

On May 5, 2000, two young Filipino computer programming students became the target of a criminal investigation by the Philippines' National Bureau of Investigation (NBI) agents.^[5] The NBI received a complaint from Sky Internet, a local Internet service provider (ISP). The ISP claimed that they have received numerous calls from European computer users, complaining that malware in the form of an "ILOVEYOU" worm was sent to their computers through the said ISP.

After several days of surveillance and investigation of ISPs that the virus used, the NBI was able to trace a frequently appearing telephone number, which turned out to be that of Mr. Ramones' apartment in Manila, Philippines. His residence was searched by the NBI and Mr. Ramones was consequently arrested and placed on inquest investigation before the Department of Justice (DOJ). Mr. de Guzman was likewise arrested in Manila. At that point, the NBI was at a loss as to what felony or crime to charge the two with in court.^[5] There were some agents who theorized that they may be charged with violation of Republic Act No. 8484 or the Access Device Regulation Act, a law designed mainly to penalize credit card fraud. The reason supposedly being that both used, if not stole, pre-paid Internet cards which enabled them to use several ISPs. Another school of thought within the NBI opened that Ramones and de Guzman could be charged with malicious mischief, a felony involving damage to property under the Philippines' Revised Penal Code, which was enacted in 1932. However, the problem with malicious mischief is that one of its elements, aside from damage to property, was intent to damage. In this case, Mr. de Guzman claimed during custodial investigation that he merely unwittingly released the virus.^[6]

To show his intent, the NBI investigated AMA Computer University where de Guzman dropped out on his senior year.^[5] There, it was found that de Guzman was not only quite familiar with computer viruses, he had in fact, proposed to create one. For his undergraduate thesis, he proposed the commercialization of a Trojan virus, one that innocently enters another computer but would later steal passwords, addresses, and files, much like the Trojan Horse.^[7] He contended that through the Trojan virus, the user would be able to save on, if not totally make do without, prepaid Internet usage cards since passwords could be obtained by the virus. The thesis proposal was rejected by the College of Computer Studies board,^[6] forcing him to drop out.

Since there were no laws in the Philippines against writing malware at the time, both Ramones and de Guzman were released with all charges dropped by state prosecutors.^[8] To address this legislative deficiency^[5] the Philippine Congress enacted Republic Act No. 8792,^[9] otherwise known as the E-Commerce Law, in July 2000, just three months after the worm outbreak.

Wikinews has related news:

• Users insert virus source code into Wikipedia pages

• Code Red worm
• Nimda worm
• Timeline of notable computer viruses and worms

• The Love Bug - A Retrospect
• ILOVEYOU Virus Lessons Learned Report, Army Forces Command
• Radsoft: The ILOVEYOU Roundup
• Description page
• "No 'sorry' from Love Bug author" at The Register
• CERT Advisory CA-2000-04 Love Letter Worm