How ILOVEYOU worm became the first global computer virus pandemic

Jan 31, 2022

On May 5, 2000, almost two months after the dot-com bubble burst, many Windows users received an email with the subject “ILOVEYOU”.

The email contained a malicious attachment, and ten days later, around 50 million infections were reported. The number of infections represented 10% of the global internet-connected computers in the world at the time.

Just like the ongoing Covid-19 pandemic, the infection spread rapidly for a simple reason: the victims were initially not suspicious of the threat it posed, and were neither aware of nor prepared to face such a threat.

Most internet users had ignored the experts’ warnings in the years before “ILOVEYOU” dominated news headlines around the world.

How ILOVEYOU became the first global computer virus pandemic

ILOVEYOU payload

“ILOVEYOU”, also called the “Love Bug” at the time, is a computer worm. Unlike common viruses, which require a “host file” to be activated for the infection to take place, worms are stand-alone malicious programs that can self-replicate and propagate independently as soon as they are present on a computer system. They do not require activation or any human intervention to execute or spread their code.

Worms can propagate by spreading multiple copies of themselves across the network or through an internet connection. These copies will infect any inadequately protected computer system on the network or internet.

The infection started on May 5, 2000, and was first discovered in Hong Kong and the Philippines.

Messages originating in the Philippines began spreading to the West through corporate email systems.

The subject line of the email was ILOVEYOU, and the body text (“kindly check the attached LOVELETTER coming from me.”) encouraged users to open the attachment “LOVE-LETTER-FOR-YOU.TXT.vbs”, supposedly a love letter from the sender.

The Subject:          ILOVEYOU

Message body:         kindly check the attached LOVELETTER coming from me.

Attached file name:   LOVE-LETTER-FOR-YOU.TXT.vbs

The .vbs suffix was not visible to users by default on Windows machines, so in this case the attachment appeared to be a normal text file because the last file extension was not displayed.

Spreading

The attachment was a Visual Basic script file, and opening it activated the worm. The worm then accessed the user’s Microsoft Outlook Windows address book, sent a copy of itself to every contact listed in the infected victim’s address book, and also overwrote a random set of files, from documents to image and music files.

Replaces Files with Copies of the Worm

When executed, the worm copies itself into the Windows directory as WIN32DLL.VBS, and into the Windows system directory as LOVE-LETTER-FOR-YOU.TXT.VBS and MSKERNEL32.VBS.

These files are then registered in the auto-run section of the system registry:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = MSKERNEL32.VBS
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = Win32DLL.VBS

As a result, the worm is re-activated each time the system boots up.

HTM dropper – Downloading a Trojan

The worm also creates an HTM dropper in the Windows system directory to use while spreading to mIRC channels.

To install the Trojan, the worm changes the URL of the Internet Explorer start page to a website that forces Internet Explorer to download a .exe file. That .exe file is the Trojan, named WIN-BUGSFIX.EXE.

The Trojan file eventually gets control of the system and copies itself to the Windows system directory as WINFAT32.exe.

The installed Trojan is a password stealer: it collects the local machine name, network logins, passwords, etc., and sends them to the Trojan host.

IRC channels spread

Another feature of the malware was spreading through IRC channels. The worm also scans the local drives for files such as MIRC32.EXE, MLINK32.EXE, MIRC.INI, SCRIPT.INI, etc.

If it finds any of these files, it drops a new SCRIPT.INI file containing mIRC instructions that send a copy of the worm to every user who joins the infected IRC channel.

When an IRC user receives the infected HTML file, it is copied to the IRC download directory and is activated if the user clicks on it.

The worm was even able to work around the Internet Explorer security setting that blocked scripts from accessing disk files, displaying a warning when they tried to. The workaround involved a fake message which prompted the user to grant ActiveX control to the .htm file.

If the user clicks “Yes”, the worm infects the system; if the user clicks “No”, the message is reloaded in an infinite loop until the user clicks “Yes”, allowing the infection to take place.

Destructive actions

The worm also scans the subdirectories on all available local and mapped drives on the infected system and lists all the files there.

It then performs an action that depends on the filename extension:

Mp2, Mp3: The worm creates a new file with a .vbs extension and writes its code there, while setting the hidden attribute on the original file.

Vbs, Vbe: It overwrites all files with its .vbs body.

Css, Wsh, Sct, Hta, Js, Jse: It deletes the original file and creates a new file with the original filename plus the .vbs extension, e.g. hello.css becomes hello.vbs.

Jpg, Jpeg: It also deletes the original file, but appends the .vbs extension to the full file name, e.g. hello.jpg becomes hello.jpg.vbs.
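As an added example (not code from the article), the Python script below triages a directory for the traces these four patterns leave behind: .vbs files whose name still carries an image extension, .vbs files sitting beside a same-named audio file, and clusters of .vbs files sharing an identical body, which is the only way the css/js-style renames can be recognised once the original is gone. The sample tree and the "worm body" it contains are constructed placeholders.

```python
"""Added example (not code from the article): file-system triage for the traces
the worm's destructive phase leaves. All sample files are constructed."""
import hashlib
import os
import tempfile
from collections import defaultdict

AUDIO_EXTS = (".mp2", ".mp3")
IMAGE_EXTS = (".jpg", ".jpeg")


def triage(root):
    """Walk root and return a sorted list of (path, finding) tuples."""
    by_hash = defaultdict(list)  # sha256 of body -> [.vbs paths]
    findings = []
    for dirpath, _, names in os.walk(root):
        present = {n.lower() for n in names}
        for name in names:
            if not name.lower().endswith(".vbs"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                by_hash[hashlib.sha256(fh.read()).hexdigest()].append(path)
            stem = name[:-4].lower()  # drop the ".vbs"
            if stem.endswith(IMAGE_EXTS):
                # hello.jpg -> hello.jpg.vbs, original deleted
                findings.append((path, "image replaced: original extension kept"))
            elif any(stem + ext in present for ext in AUDIO_EXTS):
                # hello.mp3 kept (hidden) with hello.vbs written beside it
                findings.append((path, "audio target: original hidden alongside"))
    # css/wsh/sct/hta/js/jse become <name>.vbs, so only the identical body
    # shared by every dropped copy gives them away: flag clusters of it.
    for paths in by_hash.values():
        if len(paths) >= 3:
            findings += [(p, f"identical body in {len(paths)} .vbs files") for p in paths]
    return sorted(findings)


def demo():
    """Build a constructed tree imitating the article's patterns, then triage it."""
    body = b"PLACEHOLDER WORM BODY (constructed)\r\n"
    files = [("photo.jpg.vbs", body), ("song.mp3", b"ID3 fake audio"),
             ("song.vbs", body), ("hello.vbs", body),  # hello.css renamed
             ("legit.vbs", b'WScript.Echo "ok"\r\n')]  # unrelated script
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in files:
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), f) for p, f in triage(tmp)]
```

demo() returns five findings for the constructed tree and leaves the unrelated legit.vbs unflagged; triage() takes any directory root.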

Who was behind ILOVEYOU

The worm was written by two computer programmers, Reonel Ramones and Onel de Guzman, students at AMA Computer University in Makati, Philippines.

On May 5, 2000, the authors of the worm became targets of a criminal investigation by the Philippines National Bureau of Investigation (NBI) after the local ISP, Sky Internet, reported receiving complaints from European computer users alleging that the worm had been sent via the ISP’s servers.

The NBI traced a telephone number to Ramones’ apartment in Manila, and he was arrested for further investigation, along with Onel de Guzman.

The authors of the worm told the authorities that the malware may have been released by “accident”. De Guzman had dropped out at the very end of the final year at AMA Computer College, and it emerged that for his undergraduate thesis he had proposed a Trojan to steal internet login passwords so that a user could afford an internet connection; the Trojan he proposed became part of the ILOVEYOU worm.

Since the Philippines had no laws against writing malware at the time, both Ramones and de Guzman were released and all charges were dropped by the state prosecutors. To address this legislative gap, the Philippine authorities enacted the E-Commerce Law in July of the same year.

Twenty years later, in 2020, de Guzman admitted to the investigative journalist Geoff White, who was researching his cybercrime book Crime Dot Com, that he had created and released the virus.

Impact

The ILOVEYOU worm caused global email outages and affected more than 50 million computers around the world.

Many industries were affected including media, stock brokerages, food companies, auto, and technology giants, as well as government agencies, medical institutions, and universities.

CNET News published a partial list of the affected companies and organizations, including the Pentagon, the Motion Picture Association of America and the Federal Reserve, and it was also reported that the White House website suffered a DoS attack as a result of the worm.

The damages were estimated to be 5.5-8.7 billion dollars worldwide.

The shift in the cyber security landscape

The shift in the cyber security landscape was as enormous as the damage the ILOVEYOU worm caused: it was the first wake-up call for the cybersecurity field.

After the attack, educating users on how to defend against social engineering attacks and avoid being tricked became the number one priority for all major corporations and government agencies around the world.

Twenty years on, the simple step of dropping emails that carry a .vbs attachment is still optional on many systems, even though the business case for allowing .vbs attachments is rare to non-existent.
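The check this paragraph calls for, and the hidden ".TXT.vbs" trick described in the attachment section above, as an added example that is not code from the article: a mail-gateway filter that parses a message with Python's standard email library and blocks script attachments, including those disguised behind a decoy inner extension. The sample message is constructed from the headers the article quotes; its attachment body is a placeholder.

```python
"""Added example (not code from the article): mail-gateway check for a Windows
script attachment hidden behind a decoy extension, e.g. FOO.TXT.vbs."""
import email
from email import policy

# Script-host extensions the article names among the worm's artefacts/targets.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta"}
# Inner extensions that read as a document/media file once Explorer hides the last one.
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "jpeg", "mp3", "htm", "html"}


def classify_attachment(filename):
    """Return (verdict, reason); case-insensitive, as Windows ignores case."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return ("allow", "no extension")
    real_ext = parts[-1]
    if real_ext in SCRIPT_EXTS:
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            return ("block", f"script .{real_ext} disguised as .{parts[-2]}")
        return ("block", f"script attachment .{real_ext}")
    return ("allow", f".{real_ext} attachment")


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and classify each attachment by its name."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return [(n,) + classify_attachment(n) for n in names]


# Constructed sample, modelled on the headers the article quotes.
SAMPLE = b"""From: friend@example.com
Subject: ILOVEYOU
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

(placeholder attachment body; constructed, not the worm)
--b1--
"""
if __name__ == "__main__":
    for name, verdict, reason in scan_message(SAMPLE):
        print(f"{verdict}: {name} ({reason})")
```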

Today, user training is still the key to defending against these kinds of attacks, as cybercriminals’ abilities and methods have evolved. Just by looking into the history, we can learn from it and be prepared for the next computer virus pandemic.
