ayim's malware blog

Loveletter: ILOVEYOU

May 4th, 2000

Happy anniversary, lovebug!

25 years ago, on this day, the worm known as 'Loveletter', 'Lovebug' or 'ILOVEYOU' was first released into the wild. One of the fastest spreading pieces of infectious code ever (not quite as fast as worms like the SQL Slammer, however the Slammer never saved itself into long-term storage), it would spread itself through E-mail and IRC channels. Had you been on any internet-connected computer at all on the following days, you would likely have received something similar to this in your mail inbox:

Collection of emails from the original ILOVEYOU strain. Variants included other titles, such as "VIRUS ALERT!!" or offers of nude pictures.

By default, many versions of Windows at the time would hide the ".vbs" part of the file extension, making the attachment appear as a plain text file. Because the sender would likely be someone in your contacts list (maybe even someone you have a crush on?), you would probably not think long before curiosity got the better of you and you clicked the file. Once opened, it would seem that nothing had happened; in the background, however, the virus would execute an intricate set of instructions, embedding itself deep in your system and mass-mailing itself to all your Outlook contacts.

The infection and Payload

ILOVEYOU had an intricate infection method involving many steps. I won't be going into every technical detail of the infection, but I will do my best to give a quick overview - even then, this segment will still end up quite long.

Once executed, Loveletter would make copies of itself as "WIN32DLL.vbs" and "MSKERNEL32.vbs" in the /Windows_system and /Windows folders, disguising itself as legitimate system files. It would also make a third copy under the original "LOVE-LETTER-FOR-YOU.TXT.vbs" name, perhaps as a decoy to make you think you could purge the infection by simply deleting the obviously-named file. It would then create a key named "MSKernel32" under the Local Machine key used to run programs on your system, so it would run again every time you opened any program. It also created another key named "Win32DLL" that ran at computer startup, executing the virus on boot.

That was only the first step in the worm's infection. Next, it would attempt to download a trojan named "WIN-BUGSFIX.exe". It did this by changing your Internet Explorer homepage to a blank page that automatically downloaded the trojan, and by setting another registry key that executed the trojan on system boot. Once the system restarted and WIN-BUGSFIX.exe ran successfully, it would copy itself to /Windows as "WinFAT32.exe", switch your Internet Explorer homepage back to the default, and create a registry key to execute WinFAT32.exe on startup. This file would harvest your personal information, such as usernames, passwords, IP address, computer name and system information, and send it back to "mailme@super.net.ph", an email address created by Onel de Guzman, the malware's creator. More on him later.

Then, the worm would search the system for files to "infect". Instead of appending itself to the end of files as most viruses did, it would simply overwrite files with the targeted extensions with its own code, while keeping the original file name. Although the original strain avoided targeting system-critical filetypes, this led to loss of data in file types such as mp3, jpg, js, css and others, which is where most of the damage caused by ILOVEYOU came from.

Additionally, the worm searched for mIRC-related files and generated a script that sent the LOVE-LETTER-FOR-YOU.TXT.HTM file privately to all users on an IRC channel, along with a comment saying to not edit the script because it would corrupt mIRC.

Finally, Lovebug would access your Outlook contact list and mail itself to every contact in it in the typical loveletter format. To avoid re-sending itself on every execution, it kept a set of registry keys recording the addresses it had already mailed and skipped those, a method that also let it mail any newly added contacts.
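As an added defender's example (not code from the original post), here is a small Python checker for two of the indicators described above: an attachment name that hides a script extension behind a benign-looking one, and Run-key entries that use the persistence names the worm used or launch a dropped .vbs file. The registry snapshot is a constructed dict, not read from a real system, and the extension sets are my own assumptions.

```python
from pathlib import PureWindowsPath

# Extensions that execute when double-clicked (assumed list) and extensions that
# look harmless to a user when Explorer hides the real one (assumed list).
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr", ".pif", ".bat", ".cmd"}
BENIGN_EXTS = {".txt", ".jpg", ".mp3", ".doc", ".htm"}

# Value names the write-up reports the worm and its trojan used for persistence.
KNOWN_PERSISTENCE_NAMES = {"mskernel32", "win32dll", "winfat32"}


def hidden_double_extension(filename: str) -> bool:
    """True when an executable extension follows a benign one, e.g. LOVE-LETTER-FOR-YOU.TXT.vbs."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in BENIGN_EXTS


def suspicious_run_entries(run_values: dict) -> list:
    """Given a {value_name: command} snapshot of a Run-style key, return (name, reason)
    pairs for entries that reuse a known Loveletter name or start a VBScript."""
    hits = []
    for name, command in run_values.items():
        cmd = command.lower()
        if name.lower() in KNOWN_PERSISTENCE_NAMES:
            hits.append((name, "known Loveletter persistence name"))
        elif cmd.endswith(".vbs") or ("wscript" in cmd and ".vbs" in cmd):
            hits.append((name, "Run entry launches a VBScript"))
    return hits


# Constructed snapshot for demonstration; paths are illustrative, not from a real host.
SAMPLE_RUN_VALUES = {
    "MSKernel32": r"C:\WINDOWS\SYSTEM\MSKERNEL32.vbs",
    "SystemTray": r"C:\WINDOWS\SYSTEM\systray.exe",
    "Updater": r"wscript.exe C:\WINDOWS\update.vbs",
}

if __name__ == "__main__":
    for attachment in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "report.txt"):
        print(attachment, "hides an executable extension:", hidden_double_extension(attachment))
    for name, reason in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(f"suspicious Run entry {name!r}: {reason}")
```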

Consequences, Damage report

Loveletter was one of the most damaging viruses in the history of malware, causing $750 million USD in damages in the 24 hours after its initial appearance. The social engineering aspect, while simple, was novel at the time, leading to the infection of about 10% of all internet-connected computers within 10 days of its appearance on May 4th, a total of more than 45 million computers worldwide. The volume of e-mails going around was so large that most mailing services stopped working. Millions of files had their data overwritten by ILOVEYOU. And because the virus copied itself as unencrypted plaintext, the full source code was readily available, and anyone who knew a bit of VBS could make their own variant of it.

Variants of Lovebug with interesting differences range from different e-mail titles and bodies, such as an e-mail warning you against loveletter that was ironically infected with loveletter, to incredibly dangerous changes, such as widening the file types the malware targets for overwriting to every extension, which leads to complete loss of the system. One particularly interesting variant promised a naked picture of Jennifer Lopez, and carried a copy of the notorious CIH virus within it.

Damage estimates range between $5 billion and $10 billion USD over the worm's lifetime. The worm found its way into critical systems of many of the world's governments, including the US government, infecting computers at the Department of Defense, the Pentagon, the CIA, and NASA. It was also responsible for taking down the White House website and temporarily rendering several US Military bases inoperable. Everywhere the virus spread, it cost technicians hours per computer to recover overwritten data from backups, if backups were even available.

Origins

Lovebug was created by Onel de Guzman, an ex-student at AMA Computer University in the Philippines. de Guzman believed access to the Internet should be free, and for his thesis he proposed the creation of a program that stole internet access credentials and distributed them freely - in his eyes, a crime with no victims. He left the university after his proposal was rejected as unethical, and subsequently created the malware on his own.

In an interview with the BBC in 2020, de Guzman said he had actually created the virus earlier than 2000, but before then it was used only for stealing internet service login information for personal use, since he could not afford to pay for the service. In 2000, he updated the worm to use a bug in Windows 95 to mail itself to Outlook contacts, and came up with a message he thought would draw people's attention - the Loveletter.

Originally, it was going to be restricted to only spread inside Manila - since he only wanted to steal credentials he could actually use - but he removed the restriction out of curiosity. He said he sent it to an email in Singapore and went out drinking with his friends - and only learned of the chaos he had caused the next day, when he heard police were looking for a hacker in Manila.

Since there were no laws about cyber-crime in the Philippines at the time, de Guzman did not face prosecution, although new laws were created as a result of the event. de Guzman also says he regrets having created the virus, and does not like the infamy it brings him. Nowadays, he works in a phone repair shop in downtown Manila, running a small business with one other employee.

Onel de Guzman appearing in court after being identified as the creator of Lovebug.

Personal thoughts, Closing statement

This ended up being a longer article than I anticipated, and even then, I've only talked about a fraction of the event that was the Loveletter. Consequences reached far beyond a couple of weeks of destruction: de Guzman had exposed how vulnerable the whole internet was in general, an act which would change the face of the internet and cybersecurity forever. If you are interested, I heavily recommend you search more about it on your own. And if you think I missed something cool, tell me about it and I'll update this article!

About de Guzman's 'manifesto' - Personally, I think he was right about some things. While he was a bit ahead of his time coming up with this in the year 2000, nowadays I think more and more people would agree the Internet is a resource that should be freely available to everyone, regardless of financial status. Of course, stealing access credentials and mass redistributing them isn't exactly the way to achieve that - and neither was unleashing a worm that shuts down half the world's governments.

All in all, the internet was so vulnerable back then that if he hadn't caused the Lovebug disaster, sooner or later some script kiddie trying to top malware leaderboards would have caused something similar anyways - so I can't really blame him for the whole thing.

If you've read this far, thank you! ILOVEYOU - Ayim
