ILOVEYOU

From Wikipedia, the free encyclopedia

Screenshot of the e-mail worm in Portuguese. Image credit: Sergio Savarese
Screenshot of the e-mail worm in Portuguese. Image credit: Sergio Savarese

The ILOVEYOU worm, also known as VBS/Loveletter and Love Bug worm, is a computer worm written in VBScript.

Contents

[edit] Description

The worm arrived in e-mail boxes on May 4, 2005, with the simple subject of "ILOVEYOU" and an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs".

Two aspects of the worm made it effective:

  • It relied on social engineering to entice users to open the e-mail and ensure its continued propagation.
  • It employed a mechanism — VBScripts — that, while not entirely novel, had not been exploited to such a degree previously to direct attention to their potential, reducing the layers of protection that would have to be navigated for success.

[edit] Spread

Its massive spread moved westward as workers arrived at their offices and encountered messages generated by people from the East. Because the virus used mailing lists as its source of targets, the messages often appeared to come from an acquaintance and so might be considered "safe", providing further incentive to open them. All it took was a few users at each site to access the VBS attachment to generate the thousands and thousands of e-mails that would cripple e-mail systems under their weight, not to mention overwrite thousands of files on workstations and accessible servers.

[edit] Effects

It began in the Philippines on May 4, 2005, and spread across the world in one day (traveling from Hong-Kong to Europe to the United States), infecting 10 percent of all computers connected to the Internet[1] and causing about $5.5 billion in damage.[2] Most of the "damage" was the labor of getting rid of the virus. The Pentagon, CIA, and the British Parliament had to shut down their e-mail systems to get rid of the worm, as did most large corporations.[3]

This particular malware caused widespread outrage, making it the most damaging worm ever. The worm overwrote important files, as well as music, multimedia and more, with a copy of itself. It also sent the worm to everyone on a user's contact list. This particular worm only affected computers running the Microsoft Windows operating system. While any computer accessing e-mail could receive an "ILOVEYOU" e-mail, only Microsoft Windows systems would be infected.

[edit] Authorship

The ILOVEYOU worm is believed to have been written by Burningice & Moon.[citation needed] The Barok trojan horse used by the worm is believed to have been written by Onel de Guzman, a Filipino student of AMA Computer University in Makati, Philippines.[citation needed]

An international manhunt for the perpetrator finally led to a young programming student. On May 11 (one week after the virus spread), he held a news conference and said that he did not mean to cause so much harm. He was unable to graduate because the university rejected his thesis on the basis of its illegality. Helped by a group of friends called the Grammersoft Group, he distributed his virus the day before the school held their graduation ceremony.[citation needed]

[edit] Detection

Narinnat Suksawat, a 25-year-old Thai software engineer, was the first person to write software that repaired the damage caused by the worm, releasing it to the public on May 5, 2005, 24 hours after the worm had spread. "Rational Killer", the program he created, removed virus files and restored the previously removed system files so they again functioned normally. Two months later, Narinnat was offered a senior consultant job at Sun Microsystems and worked there for two years. He resigned to start his own business. Today, Narinnat owns a software company named Moscii Systems, a system management software company in Thailand.[citation needed]

UK company MessageLabs shot to fame when their anti-virus software, Skeptic, proactively detected the attachment as malware, thus automatically protecting all of their customers. From a little known company, they gained widespread media coverage, appearing on BBC TV and in the mainstream UK press.

The first copy intercepted by them was stopped at 00:43:26 4 May 2000 UTC, and originated from an email address in the Philippines, going to an email address in the UK. It is likely that the email was from one of the first few rounds of replication of the virus.

[edit] Architecture of the worm

The worm is written using Microsoft Visual Basic Scripting (VBS), and requires that the end-user run the script in order to deliver its payload. It will add a set of registry keys to the Windows registry that will allow the malware to start up at every boot.

The worm will then search all drives which are connected to the infected computer and replace files with the extensions *.JPG, *.JPEG, *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.DOC *.HTA with copies of itself, while appending to the file name a .VBS. extension. The malware will also locate *.MP3 and *.MP2 files, and when found, make the files hidden, copy itself with the same filename and append a .VBS extension.

The worm propagates by sending out copies of itself to all entries in the Microsoft Outlook address book. It also has an additional component, in which it will download and execute an infected program called variously "WIN-BUGSFIX.EXE" or "Microsoftv25.exe". This is a password-stealing program which will e-mail cached passwords.

[edit] Variants

  1. Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    Subject Line: I LOVEYOU
    Message Body: kindly check the attached LOVE LETTER coming from me.
  2. Attachment: Very Funny.vbs
    Subject Line: fwd: Joke
    Message Body: empty
  3. Attachment: mothers day.vbs
    Subject Line: Mothers Day Order Confirmation
    Message Body: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place.Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com
  4. Attachment: virus_warning.jpg.vbs
    Subject Line: Dangerous Virus Warning
    Message Body: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.
  5. Attachment: protect.vbs
    Subject Line: Virus ALERT!!!
    Message Body: a long message regarding VBS.love letter.A
  6. Attachment: Important.TXT.vbs
    Subject Line: Important! Read carefully!!
    Message Body: Check the attached IMPORTANT coming from me!
  7. Attachment: Virus-Protection-Instructions.vbs
    Subject Line: How to protect yourself from the IL0VEYOU bug!
    Message Body: Here's the easy way to fix the love virus.
  8. Attachment: Kill EmAll.TXT.VBS
    Subject Line: I Cant Believe This!!!
    Message Body: I Cant Believe I have Just received This Hate Email .. Take A Look!
  9. Attachment: Arabian.TXT.vbs
    Subject Line: Thank You For Flying With Arab Airlines
    Message Body: Please check if the bill is correct, by opening the attached file
  10. Attachment: IMPORTANT.TXT.vbs
    Subject Line: Variant Test
    Message Body: This is a variant to the vbs virus.
  11. Attachment: Vir-Killer.vbs
    Subject Line: Yeah, Yeah another time to DEATH...
    Message Body: This is the Killer for VBS.LOVE-LETTER.WORM.
  12. Attachment: LOOK.vbs
    Subject Line: LOOK!
    Message Body: hehe...check this out.
  13. Attachment: BEWERBUNG.TXT.vbs
    Subject Line: Bewerbung Kreolina
    Message Body: Sehr geehrte Damien und Herr en!

  14. Subject Line: Is this you in this picture?
    Message Body: Is this you in this picture?

[edit] Legislative aftermath

As there were no laws in the Philippines against virus-writing at the time, on August 21, 2005, the prosecutors dropped all charges against Onel A. de Guzman in a resolution signed by Jovencito Zuno. The original charges brought up against de Guzman dealt with the illegal use of passwords for credit card and bank transactions. The Philippines E-Commerce Law (Republic Act No. 8792), passed on June 14, 2005, laid out penalties for cybercrime. Under the law, those who spread computer viruses or otherwise engage in cybercrime (including copyright infringement and software cracking) can be fined a minimum of 100,000 pesos (about USD$2,000), and a maximum commensurate with the damage caused, and imprisoned for six months to three years.

[edit] References

  1. ^ http://news.zdnet.com/2100-9595_22-520463.html TrendMicro HouseCall online web scanner found out that one-fifths of all HouseCall users infected
  2. ^ cite web | url = http://www.catalogs.com/info/travel-vacations/top-10-worst-computer-viruses.html | publisher = WHoWhatWhereWhenWhy.com | title = ILOVEYOU | access date = 5-26-2008
  3. ^ http://news.zdnet.com/2100-9595_22-520435.html?legacy=zdnn British parliament shut down e-mail systems to prevent damage

[edit] See also

[edit] External links