ILOVEYOU: Wikis

  
  

Note: Many of our articles have direct quotes from sources you can cite, within the Wikipedia article! This article doesn't yet, but we're working on it! See more info or our list of citable articles.

Encyclopedia

From Wikipedia, the free encyclopedia

ILOVEYOU
LoveLetterVBS screenshot website 06-17-09.png
Aliases The Love Bug, Loveletter
Written in VBScript

ILOVEYOU or LOVELETTER is a computer worm that successfully attacked tens of millions of Windows computers in 2000 when it was sent as an attachment to an email message with the text "ILOVEYOU" in the subject line. The worm arrived in email inboxes on and after May 5, 2000 with the simple subject of "ILOVEYOU" and an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs". The final 'vbs' extension was hidden by default, leading unsuspecting users to think it was a mere text file. Upon opening the attachment, the worm sent a copy of itself to everyone in the Windows Address Book and with the user's sender address. It also made a number of malicious changes to the user's system.

Such propagation mechanism had been known (though in IBM mainframe rather than in the MS Windows environment) and used already in the Christmas Tree EXEC of 1987 which brought down a number of the world's mainframes at the time.[citation needed]

Four aspects of the worm made it effective:

  • It relied on social engineering to entice users to open the attachment and ensure its continued propagation.
  • It relied on a flawed Microsoft algorithm for hiding file extensions. Windows had begun hiding extensions by default; the algorithm parsed file names from right to left, stopping at the first 'period' ('dot'). In this way the exploit could insert the second file extension 'TXT' which to the user appeared to be the real extension; text files were presumed to be innocuous.
  • It relied on the scripting engine being enabled. This was actually a system setting; the engine had not been known to have been ever used before this; Microsoft received scathing criticism for leaving such a powerful (and dangerous) tool enabled by default with no one the wiser for its existence.
  • It exploited the weakness of the email system design that an attached program could be run easily by simply opening the attachment and gain complete access to the file system and the Registry.

Contents

Spread

Its massive spread moved westward as workers arrived at their offices and encountered messages generated in the Philippines. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and would therefore be considered "safe", providing further incentive to open the attachments. All it took was a few users at each site to access the attachment to generate the millions of messages that crippled POP systems under their weight, not to mention the fact the worm overwrote millions of files on workstations and accessible servers.

Impact

The worm began in the Philippines on 5 May 2000 and spread across the world in one day, moving inexorably on to Hong Kong and then to Europe and the US,[1] causing an estimated $5.5 billion in damage.[2] By 13 May 2000, 50 million infections had been reported.[3] Most of the damage cited was the labour of getting rid of the worm. The Pentagon, CIA, and the British Parliament had to shut down their mail systems to get rid of it, as did most large corporations.[4]

This particular malware caused widespread damage. The worm overwrote important files - music files, multimedia files, and more - with a copy of itself. It also sent the worm to everyone on a user's contact list. Because it was written in Visual Basic Script and interfaced with the Outlook Windows Address Book, this particular worm only affected computers running the Microsoft Windows operating system. While any other computer accessing e-mail could receive an "ILOVEYOU" e-mail, only Microsoft Windows systems would be infected.

Architecture of the Worm

The virus is written using Microsoft Visual Basic Scripting (VBS), and requires that the user run the script in order to deliver the payload. It adds a number of Registry keys so the worm is initialized on system boot.

The worm will then search all drives which are connected to the infected computer and replace files with the extensions *.JPG, *.JPEG, *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.DOC *.HTA with copies of itself, while appending to the file name a .VBS. extension. The worm will also locate *.MP3 and *.MP2 files, and when found, make the files hidden, copy itself with the same filename and append a .VBS extension.

The worm propagates by sending out copies of itself to all entries in the Microsoft Outlook address book. It also adds registry keys that direct the Windows operating system to download and execute a password-stealing program variously called "WIN-BUGSFIX.EXE" or "Microsoftv25.exe."

Origins

On May 5, 2000, two young Filipino computer programming students named Reomel Ramones and Onel de Guzman, became the target of a criminal investigation by the Philippines' National Bureau of Investigation (NBI) agents.[5] The NBI received a complaint from Sky Internet, a local Internet service provider (ISP). The ISP claimed that they have received numerous calls from European computer users, complaining that malware denominated as "ILOVEU" virus was sent to their computers through the said ISP.

After several days of surveillance and investigation of ISPs that the virus used, the NBI was able to trace a frequently appearing telephone number, which turned out to be that of Mr. Ramones' apartment in Manila, Philippines. His residence was searched by the NBI and Mr. Ramones was consequently arrested and placed on inquest investigation before the Department of Justice (DOJ). Mr. De Guzman was likewise arrested in Manila. At that point, the NBI was at a loss as to what felony or crime to charge the two with in court.[6] There were some agents who theorized that they may be charged with violation of Republic Act No. 8484 or the Access Device Regulation Act, a law designed mainly to penalize credit card fraud. The reason supposedly being that both used, if not stole, pre-paid Internet cards which enabled them to use several ISPs. Another school of thought within the NBI opined that Ramones and de Guzman could be charged with malicious mischief, a felony involving damage to property under the Philippines' Revised Penal Code, which was enacted in 1932. However, the problem with malicious mischief is that one of its elements, aside from damage to property, was intent to damage. In this case, Mr. De Guzman claimed during custodial investigation that he merely unwittingly released the virus.[7]

To show his intent, the NBI investigated the AMA Computer College, the programming school in Manila where Mr. De Guzman dropped out on his senior year.[8] There, it was found that not only was Mr. De Guzman quite familiar with computer viruses, he, in fact, proposed to create one. For his undergraduate thesis, he proposed the commercialization of a Trojan virus, one that innocently enters another computer but would later steal passwords, addresses, and files, much like the Trojan Horse.[9] He contended that through the Trojan virus, the user would be able to save on, if not totally make do without, prepaid Internet usage cards since passwords could be obtained by the virus. The thesis proposal was rejected by school administrators,[10] forcing him to drop out.

Legislative aftermath

Since there were no laws in the Philippines against writing malware at the time, both Ramones and de Guzman were released, with all charges dropped by state prosecutors.[11] To address this legislative deficiency[12] the Philippine Congress enacted Republic Act No. 8792,[13] otherwise known as the E-Commerce Law, in July 2000, just three months after the worm outbreak.

In Popular Culture

In 2009, Upper Deck Entertainment commemorated the ILoveYou worm as part of a 20th anniversary retrospective set of trading cards. The set was intended to chronicle major events in sports, politics, pop culture, technology and world history in the 20 years since Upper Deck had commenced business. [14] [15]

See also

References

External links








Got something to say? Make a comment.
Your name
Your email address
Message