ILOVEYOU

ILOVEYOU
Common name Love Letter
Type Computer worm
Operating system(s) affected Microsoft Windows
Written in VBScript

ILOVEYOU, sometimes referred to as Love Letter, was a computer worm that attacked tens of millions of Windows personal computers on and after 5 May 2000 local time in the Philippines when it started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.txt.". The first file extension 'VBS' was most often hidden by default on Windows computers of the time, leading unwitting users to think it was a normal text file. Opening the attachment activated the Visual Basic script. The worm did damage on the local machine, overwriting image files, and sent a copy of itself to the first 50 addresses in the Windows Address Book used by Microsoft Outlook.

Four things led to the success of ILOVEYOU.

Contents

Spread

Messages generated in the Philippines began to spread westwards through corporate email systems. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and were therefore often regarded as considered "safe" by their victims, providing further incentive to open them. Only a few users at each site had to access the attachment in order to generate millions more messages that crippled mail systems and overwrote millions of files on computers in each successive network.

Impact

The worm is believed to have originated near Manila in the Philippines on 5 May 2000 local time and to thereafter have spread westward across the world, moving first to Hong Kong, then to Europe, and finally the US as people reported to their offices that Friday morning.[1] The outbreak was later estimated to have caused US $5.5 billion in damages worldwide.[2] Already ten days later 50 million infections had been reported.[3] Most of the damage cited was the time and effort spent getting rid of the infection and recovering damaged files from backup. In order to protect themselves, The Pentagon, CIA, the British Parliament, and most large corporations were forced to completely shut down their mail systems.[4]

Architecture of the Worm

The ILOVEYOU script (the attachment) was written in Microsoft Visual Basic Scripting (VBS) which ran in Microsoft Outlook and was enabled by default. The script added Registry data for automatic startup on system boot.

The worm then searched connected drives and replaced files with extensions JPG, JPEG, VBS, VBE, JS, JSE, CSS, WSH, SCT, DOC, HTA, MP2, and MP3 with copies of itself, whilst appending the additional file extension VBS.

The worm propagated itself by sending out copies of the payload to the first 50 entries in the Microsoft Outlook address book (Windows Address Book). It also downloaded the Barok trojan renamed for the occasion as "WIN-BUGSFIX.EXE".

Developments

On 5 May 2000 two young Filipino computer programming students named Reomel Ramores and Onel de Guzman became the target of a criminal investigation by the Philippines' National Bureau of Investigation (NBI) agents.[5] The NBI received a complaint from Sky Internet, a local Internet service provider (ISP). The ISP claimed that they have received numerous calls from European computer users, complaining that malware in the form of an "ILOVEYOU" worm was sent to their computers through the said ISP.

After several days of surveillance and investigation spearheaded by Darwin Bawasanta, systems development manager of Sky Internet, the NBI was able to trace a frequently appearing telephone number which turned out to be that of Ramores' apartment in Manila. His residence was searched by the NBI and Ramores was consequently arrested and placed on inquest investigation before the Department of Justice (DOJ). Onel de Guzman was likewise arrested in absentia. At that point, the NBI were at a loss as to what felony or crime to charge them with.[5] There were some agents who suggested they might be charged with violation of Republic Act 8484 or the Access Device Regulation Act, a law designed mainly to penalise credit card fraud, the reason supposedly being that both used, if not stole, pre-paid Internet cards which enabled them to use several ISPs. Another school of thought within the NBI suggested Ramores and de Guzman could be charged with malicious mischief, a felony involving damage to property under the Philippines Revised Penal Code enacted in 1932. But the drawback with a charge of malicious mischief is that one of its elements, aside from damage to property, was intent to damage, and de Guzman and Igi Gando claimed during custodial investigation that de Guzman may have merely unwittingly released the worm.[6]

To show intent, the NBI investigated AMA Computer College where de Guzman dropped out at the very end of his final year.[5] They found that de Guzman was not only quite familiar with computer viruses but had in fact proposed to use one. For his undergraduate thesis, de Guzman proposed the implementation of a trojan to steal Internet login passwords.[7] de Guzman proposed that users would finally be able to afford an Internet connection. The proposal was rejected by the College of Computer Studies board,[6] prompting de Guzman to cancel his studies the day before graduation.

Legislative aftermath

Since there were no laws in the Philippines against writing malware at the time, both Ramores and de Guzman and Igi Gando were released with all charges dropped by state prosecutors.[8] To address this legislative deficiency,[5] the Philippine Congress enacted Republic Act No. 8792,[9] otherwise known as the E-Commerce Law, in July 2000, just two months after the worm outbreak. In 2002, the ILOVEYOU virus obtained a world record for being the most virulent computer virus then.

See also

References

  1. ^ News.Zdnet.com "'ILOVEYOU' e-mail worm invades PCs". 4 May 2000. Archived from the original on 2008-12-27. http://replay.web.archive.org/20081227123742/http://news.zdnet.com/2100-9595_22-107318.html?legacy=zdnn News.Zdnet.com. 
  2. ^ "ILOVEYOU". WHoWhatWhereWhenWhy.com. http://www.catalogs.com/info/travel-vacations/top-10-worst-computer-viruses.html. Retrieved 2008-05-26. 
  3. ^ Gary Barker (14 May 2000). "Microsoft May Have Been Target of Lovebug". The Age. 
  4. ^ British parliament shut down their mail systems to prevent damage
  5. ^ a b c d "PROSECUTION OF CYBER CRIMES THROUGH APPROPRIATE CYBER LEGISLATION IN THE REPUBLIC OF THE PHILIPPINES". Archived from the original on 2008-02-06. http://web.archive.org/web/20080206114348/http://www.acpf.org/WC8th/AgendaItem2/I2%20Pp%20Gana,Phillipine.html. 
  6. ^ a b Landler, Mark (2000-10-21). "A Filipino Linked to 'Love Bug' Talks About His License to Hack". The New York Times. http://www.nytimes.com/2000/10/21/business/a-filipino-linked-to-love-bug-talks-about-his-license-to-hack.html. Retrieved 2010-05-05. 
  7. ^ "Computerbytesman.com". Computerbytesman.com. http://www.computerbytesman.com/lovebug/thesis.htm. Retrieved 2010-12-05. 
  8. ^ Arnold, Wayne (2000-08-22). "Technology; Philippines to Drop Charges on E-Mail Virus". The New York Times. http://www.nytimes.com/2000/08/22/business/technology-philippines-to-drop-charges-on-e-mail-virus.html. Retrieved 2010-05-05. 
  9. ^ Joselito Guianan Chan, Managing Partner, Chan Robles & Associates Law Firm (2001-08-01). "Chanrobles.com". Chanrobles.com. http://www.chanrobles.com/republicactno8792.htm. Retrieved 2010-12-05. 

External links