ILOVEYOU, sometimes referred to as Love Letter, was a computer worm that attacked tens of millions of Windows personal computers on and after 4 May 2000 local time in the Philippines when it started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.txt.vbs".
The latter file extension (in this case, VBS - a type of interpreted file) was most often hidden by default on Windows computers of the time, leading unwitting users to think it was a normal text file. Opening the attachment activated the Visual Basic script.
How the virus worked
The worm did damage on the local machine, overwriting random types of files (including Office files, image files, and audio files; however after overwriting MP3 files the virus would hide the file), and sent a copy of itself to all addresses in the Windows Address Book used by Microsoft Outlook. In contrast, the Melissa virus only sent copies to the first 50 contacts.
On the machine system level, ILOVEYOU relied on the scripting engine system setting (which runs scripting language files such as .vbs files) being enabled, and took advantage of a feature in Windows that hid file extensions by default, to which malware authors would use as an exploit; to do this, it parsed file names from right to left, stopping at the first period character. The attachment, which had two periods, could thus display the inner fake "txt" file extension.
Text files are considered to be innocuous, as they are normally incapable of running executable code. The worm also used social engineering to entice users to open the attachment (out of actual desire to connect or simple curiosity) to ensure continued propagation. Systemic weaknesses in the design of Microsoft Outlook and Microsoft Windows were exploited that allowed malicious code capable of complete access to the operating system, secondary storage, and system and user data simply by unwitting users clicking on an icon.
Spread
Messages generated in the Philippines began to spread westwards through corporate email systems. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and were therefore often regarded as "safe" by their victims, providing further incentive to open them. Only a few users at each site had to access the attachment to generate millions more messages that crippled mail systems and overwrote millions of files on computers in each successive network.
Damages & Impact
The malware originated in the Pandacan neighborhood of Manila in the Philippines on May 5, 2000, thereafter following daybreak westward across the world, moving first to Hong Kong, then to Europe, and finally the United States, as employees began their workday that Friday morning.
The outbreak was later estimated to have caused US $5.5-8.7 billion in damages worldwide, and estimated to cost the US $15 billion to remove the worm.
Within ten days, over fifty million infections had been reported,and it is estimated that 10% of internet-connected computers in the world had been affected. Damage cited was mostly the time and effort spent getting rid of the infection and recovering files from backups. To protect themselves, The Pentagon, CIA, the British Parliament and most large corporations decided to completely shut down their mail systems.This virus affected over 45 million computers and was one of the worlds most dangerous computer related disasters
How the worm worked
The ILOVEYOU Script (the attachment) was written in Microsoft Visual Basic Scripting (VBS) which runs in Microsoft Outlook and was enabled by default. The script added Windows Registry data for automatic startup on system boot.
The worm then searched connected drives and replaced files with extensions JPG, JPEG, VBS, VBE, JS, JSE, CSS, WSH, SCT, DOC, HTA, MP2, and MP3 with copies of itself, while appending the additional file extension VBS, making the users computer unbootable. However, the MP3 and sound related files are hidden and not overwritten.
The worm propagated itself by sending out one copy of the payload to each entry in the Microsoft Outlook address book (Windows Address Book). It also downloaded the Barok trojan renamed for the occasion as "WIN-BUGSFIX.EXE".
The fact that the virus was written in VBS provided users a way to modify the virus. A user could easily modify the virus to replace important files in the system, and destroy it. This allowed many variations of ILOVEYOU to spread across the internet, each one doing different kinds of damage.
Some mail messages sent by ILOVEYOU:
VIRUS ALERT!!
Important! Read Carefully!!
Investigations
On 5 May 2000, two young Filipino computer programmers named Reonel Ramones and Onel de Guzman became targets of a criminal investigation by agents of the Philippines National Bureau of Investigation (NBI)
Since there were no laws in the Philippines against writing malware at the time, both Ramones and de Guzman were released with all charges dropped by state prosecutors.
To address this legislative deficiency,the Philippine Congress enacted Republic Act No. 8792, otherwise known as the E-Commerce Law, in July 2000, just two months after the worm outbreak. In 2002, the ILOVEYOU virus obtained a world record for being the most virulent computer virus at the time.
References