The ILOVEYOU virus, also known as VBS/Loveletter and Love Bug virus, is a computer virus written in VBScript.
The virus arrived in e-mail boxes on May 4, 2000, with the simple subject of "ILOVEYOU" and an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs". Upon opening the attachment, the virus sent a copy of itself to everyone in the user's address list, posing as the user. It also made a number of malicious changes to the user's system.
This propagation mechanism (though in an IBM mainframe rather than an MS Windows environment) was already well known, having been used in the Christmas Tree EXEC of 1987, which brought down a large fraction of the world's mainframes at the time.
Two aspects of the virus made it effective:
Its massive spread moved westward as workers arrived at their offices and encountered messages generated by people from the East. Because the virus used mailing lists as its source of targets, the messages often appeared to come from an acquaintance and so might be considered "safe", providing further incentive to open them. All it took was a few users at each site to access the VBS attachment to generate the thousands and thousands of e-mails that would cripple e-mail systems under their weight, not to mention overwrite thousands of files on workstations and accessible servers.
It began in the Philippines on May 4, 2000, and spread across the world in one day (traveling from Hong Kong to Europe to the United States), infecting 10 percent of all computers connected to the Internet[1] and causing about $5.5 billion in damage.[2] Most of the "damage" was the labor of getting rid of the virus. The Pentagon, CIA, and the British Parliament had to shut down their e-mail systems to get rid of the virus, as did most large corporations.[3]
This particular malware caused widespread outrage, making it the most damaging virus ever. The virus overwrote important files, as well as music, multimedia and more, with a copy of itself. It also sent the virus to everyone on a user's contact list. Because it is run using MS-DOS, this particular virus only affected computers running the Microsoft Windows operating system. While any computer accessing e-mail could receive an "ILOVEYOU" e-mail, only Microsoft Windows systems would be infected.
Narinnat Suksawat, a 25-year-old Thai software engineer, was the first person to write software that repaired the damage caused by the worm, releasing it to the public on May 5, 2000, 24 hours after the worm had spread. "Rational Killer", the program he created, removed virus files and restored the previously removed system files so they again functioned normally. Two months later, Narinnat was offered a senior consultant job at Sun Microsystems and worked there for two years. He resigned to start his own business. Today, Narinnat owns a software company named Moscii Systems, a system management software company in Thailand.[citation needed]
A Kenyan company opened the e-mail and got some explicit content when their anti-virus software, Skeptic, detected the attachment as malware, thus automatically protecting all of their customers. They gained widespread media coverage, appearing on BBC TV and in the mainstream UK press.
The first copy intercepted by them was stopped at 00:43:26 4 May 2000 UTC, and originated from an email address in the Philippines, going to an email address in the UK. It is likely that the email was from one of the first few rounds of replication of the virus.
The virus is written using Microsoft Visual Basic Scripting (VBS), and requires that the end-user run the script in order to deliver its payload. It will add a set of registry keys to the Windows registry that will allow the malware to start up at every boot.
The virus will then search all drives which are connected to the infected computer and replace files with the extensions *.JPG, *.JPEG, *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.DOC and *.HTA with copies of itself, while appending a .VBS extension to the file name. The malware will also locate *.MP3 and *.MP2 files and, when found, make the files hidden, copy itself with the same filename and append a .VBS extension.
The virus propagates by sending out copies of itself to all entries in the Microsoft Outlook address book. It also has an additional component, in which it will download and execute an infected program called variously "WIN-BUGSFIX.EXE" or "Microsoftv25.exe". This is a password-stealing program which will e-mail cached passwords.
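The file-system behaviour described above leaves a recognisable pattern that can be used for damage triage during cleanup. The following is an added example, not code from the article or from any removal tool it mentions; the `(path, is_hidden)` listing format, the function names and the sample paths are constructed assumptions, and a name match is a heuristic that should be confirmed by inspecting the file.

```python
from pathlib import PureWindowsPath

# Extensions the article lists as overwritten with a copy of the script.
OVERWRITTEN = {".jpg", ".jpeg", ".vbs", ".vbe", ".js", ".jse", ".css",
               ".wsh", ".sct", ".doc", ".hta"}
# Extensions the article lists as hidden, with a .VBS twin dropped beside them.
HIDDEN = {".mp3", ".mp2"}

# Constructed sample listing: (path, is_hidden)
SAMPLE = [
    (r"C:\Users\ana\Pictures\beach.jpg.vbs", False),
    (r"C:\Users\ana\Music\track01.mp3", True),
    (r"C:\Users\ana\Music\track01.mp3.vbs", False),
    (r"C:\Users\ana\Music\track02.mp3", False),
    (r"C:\Users\ana\Docs\report.doc.vbs", False),
    (r"C:\Users\ana\Docs\notes.txt", False),
]


def inner_ext(path):
    """Return the lower-cased extension just before a trailing .vbs, or None."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] == ".vbs":
        return suffixes[-2]
    return None


def triage(entries):
    """Sort a listing into lost originals, recoverable originals and
    script copies to remove, following the behaviour the article describes."""
    names = {p.lower() for p, _ in entries}
    report = {"lost": [], "recoverable": [], "remove": []}
    for path, hidden in entries:
        ext = inner_ext(path)
        if ext in OVERWRITTEN:            # original content was replaced
            report["lost"].append(path[:-4])
            report["remove"].append(path)
        elif ext in HIDDEN:               # script twin of a hidden audio file
            report["remove"].append(path)
        elif (hidden and PureWindowsPath(path).suffix.lower() in HIDDEN
              and path.lower() + ".vbs" in names):
            report["recoverable"].append(path)   # only hidden, not overwritten
    return report


if __name__ == "__main__":
    for kind, paths in triage(SAMPLE).items():
        print(kind, paths)
```

Files reported as `lost` need restoring from backup, while `recoverable` files only need their hidden attribute cleared once the `.vbs` twin is deleted.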
As there were no laws in the Philippines against virus-writing at the time, on August 21, 2000, the prosecutors dropped all charges against Irene De Guzman (the girlfriend of Reomel Lamores, who had actually created the virus)[4] in a resolution signed by Jovencito Zuno. The original charges brought against de Guzman dealt with the illegal use of passwords for credit card and bank transactions. The Philippines E-Commerce Law (Republic Act No. 8792), passed on June 14, 2000, laid out penalties for cybercrime. Under the law, those who spread computer viruses or otherwise engage in cybercrime (including copyright infringement and software cracking) can be fined a minimum of 100,000 pesos (about USD$2,000), and a maximum commensurate with the damage caused, and imprisoned for six months to three years.
All text is available under the terms of the GNU Free Documentation License
This page is a cache of Wikipedia.