Science Fair Project Encyclopedia
The worm, first discovered in Hong Kong in May 2000, arrived in e-mail boxes on May 3, 2000 with the simple subject "ILOVEYOU" and an attachment, "LOVE-LETTER-FOR-YOU.TXT.vbs", that people were encouraged to open. The worm was written by Onel A. de Guzman, a student of AMA Computer University in Makati, Philippines. It caused widespread e-mail outages and an estimated $10 billion in economic damage, making it the most damaging worm ever in terms of cost to corporations. The worm was responsible for a Denial of Service attack on the official White House website. The worm overwrote important files, as well as music, multimedia and more, with a copy of itself. It also sent itself to everyone on a user's contacts list. This particular worm did not infect Macintosh computers.
Two aspects of the worm made it effective:
- It employed a mechanism, VBScript, that, while not entirely novel, had not previously been exploited to a degree that drew attention to its potential, reducing the layers of protection that would have to be navigated for success.
- It used the right psychological button to entice users to open the e-mail and ensure its continued propagation. The prospect of love is a powerful motivation.
It was the latter factor that no doubt contributed to its massive spread, moving westward with the sun as workers arrived at their offices and encountered messages generated by people to the east. Because the virus used mailing lists as its source of targets, the messages often appeared to come from an acquaintance and so might be considered "safe", providing further incentive to open them. All it took was a few users at each site to access the VBS attachment to generate the thousands and thousands of e-mails that would cripple e-mail systems under their weight, not to mention overwrite thousands of files on workstations and accessible servers.
Architecture of the Worm
The author of the worm had conceded that he may have released the malware by "accident." The worm is written using Microsoft Visual Basic Scripting (VBS) and requires that the end user run the script in order to deliver its payload. It will add a set of registry keys to the Windows registry that will allow the malware to start up at every boot.
The worm will then search all drives connected to the infected computer and replace *.JPG, *.JPEG, *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT and *.HTA files with copies of itself, appending a .VBS extension to the file name. The malware will also locate *.MP3 and *.MP2 files and, when it finds them, make the files hidden, copy itself under the same file name and append a .VBS extension.
The worm propagates by sending copies of itself to all entries in the Microsoft Outlook address book. It also downloads and executes an additional component on the infected system, "WIN-BUGSFIX.EXE", a password-stealing program that e-mails cached passwords.
1. Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs Subject Line: ILOVEYOU Message Body: kindly check the attached LOVELETTER coming from me.
2. Attachment: Very Funny.vbs Subject Line: fwd: Joke Message Body: empty
3. Attachment: mothersday.vbs Subject Line: Mothers Day Order Confirmation Message Body: We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place.Thanks Again and Have a Happy Mothers Day! email@example.com
4. Attachment: virus_warning.jpg.vbs Subject Line: Dangerous Virus Warning Message Body: There is a dangerous virus circulating. Please click attached picture to view it and learn to avoid it.
5. Attachment: protect.vbs Subject Line: Virus ALERT!!! Message Body: a long message regarding VBS.LoveLetter.A
6. Attachment: Important.TXT.vbs Subject Line: Important! Read carefully!! Message Body: Check the attached IMPORTANT coming from me!
7. Attachment: Virus-Protection-Instructions.vbs Subject Line: How to protect yourself from the IL0VEY0U bug! Message Body: Here's the easy way to fix the love virus.
8. Attachment: KillEmAll.TXT.VBS Subject Line: I Cant Believe This!!! Message Body: I Cant Believe I have Just Recieved[sic] This Hate Email .. Take A Look!
9. Attachment: ArabAir.TXT.vbs Subject Line: Thank You For Flying With Arab Airlines Message Body: Please check if the bill is correct, by opening the attached file
10. Attachment: IMPORTANT.TXT.vbs Subject Line: Variant Test Message Body: This is a variant to the vbs virus.
11. Attachment: Vir-Killer.vbs Subject Line: Yeah, Yeah another time to DEATH... Message Body: This is the Killer for VBS.LOVE-LETTER.WORM.
12. Attachment: LOOK.vbs Subject Line: LOOK! Message Body: hehe...check this out.
13. Attachment: BEWERBUNG.TXT.vbs Subject Line: Bewerbung Kreolina Message Body: Sehr geehrte Damen und Herren!
On August 21, 2000 the Philippines dropped all charges against Onel A. de Guzman in a resolution signed by Jovencito Zuno. The original charges brought against de Guzman dealt with the illegal use of passwords for credit card and bank transactions. New legislation dealing with cybercrime has since been passed, on June 14, 2000. Under the new law, hackers and those who spread computer viruses can be fined a minimum of $2,350 and a maximum commensurate with the damage caused, and can be imprisoned for up to three years.
The contents of this article are licensed from www.wikipedia.org under the GNU Free Documentation License.