On May 5th, 2000, nearly every new OS installation would be damaged beyond repair. Over 13,000 pieces of malware were detected in just one workplace environment. Within hours, over $20 billion in damage took place across the world. These catastrophic events resulted from a new computer worm circulating the internet at the time. Commonly known as “I Love You” This short article will explain the timeline of this destructive worm’s pattern, and what happened.
Origins & Basics.
An ironic name, ILOVEYOU would disguise itself as a sort of love letter coming from a secret admirer. Ultimately, this worm would enter the Guinness Book of World Records as the most “virulent computer virus of all time.” ILOVEYOU originated in the Philippines and was created by two programmers. Onel De Guzman and his friend, Reonel Ramones. It was allegedly developed by taking other pieces of malware found online, and putting them all together. The success of the virus relied on Visual Basic Scripting. Commonly seen as a “.vbs” file, and the objective of non-tech savvy computer users, who used Windows’ new feature of hiding file extensions by default. Windows 2000, released in February, was the first noticeable version of Windows that implemented this change. The option to hide file extensions dates back to Windows 95. However, users had to voluntarily enable this setting. Microsoft made this change to increase convenience for its users. But as a result, created an opportunity for malware developers. This is something that can greatly be taken advantage of. Recipients of the ILOVEYOU worm would receive an email from one of their Outlook contact list. The email would read “kindly check the attached LOVELETTER coming from me” The actual worm was listed as an attachment and the name of the file shows how the developers carried this out. Although the file ends in “.vbs”, the extension shows that it is a .txt extension. This is added to deceive the user who received the email. When average Windows 2000 end-users downloaded this file, it would only appear as “.txt” on the desktop. This gives the impression that it was a genuine text file. This alone is why the virus mostly affected PCs running Windows 2000, but earlier versions of Windows such as ‘95 and ‘98 could still get infected. As those who did not hide file extensions and saw the “.vbs” likely ignored it.
When Running ILOVEYOU…
The moment the file was actually opened, ILOVEYOU would duplicate itself, hiding some worms in the directory, overriding personal files. Such as images and audio files. The virus would also make changes to Registry Keys, which can be found when running the Registry Editor, send itself to everyone in the infected user’s email client contact list, and download a file titled “WIN-BUGS-FIX.exe” which was designed to steal the infected user’s passwords.
The worm’s ability to cause mass destruction was also attributed to its mass design. Being a Visual Basic Script, it was easy for a user to access the Source Code and manipulate it to their liking. While ILOVEYOU was not the first email worm, it made changes from previous ones that would cause it to be the most recognized. A similar virus from a year prior known as Melissa, would also mail itself to the first 50 people in your contact list. ILOVEYOU however would send it to everyone, allowing it to spread exponentially.
Guzman and Ramones were arrested by authorities and promptly investigated by the Philippines’ National Bureau of Investigation. It was revealed that Guzman had been working on a program to steal passwords for his college thesis. When it was rejected, he dropped out. ILOVEYOU was very similar to this program and was likely created as a pastime project. As Guzman claimed he may have unintentionally released the worm. Since no anti-malware laws were around at the time, the charges against Guzman and Ramones were dropped. Antivirus laws were immediately passed after, allowing the nefarious doings of ILOVEYOU to remain a part of history. To view a video of ILOVEYOU in action, Danoct1 showcased its capabilities. To view the sources that were used in this article, click here to open Google Docs.
