ILOVEYOU Virus Attacks Computers

At the time of its outbreak, the ILOVEYOU virus was the fastest-spreading, most-damaging computer virus ever seen, and the damage it did prompted changes in government response to such viruses. It also raised awareness about the need to educate casual computer users about malware and pushed organizations to retool their strategies for dealing with such outbreaks in the future.


Summary of Event

The concept of a self-replicating computer program first arose in 1949. The first actual computer virus did not appear until 1981, on the Apple platform. Since then, many computer viruses have been created. Some have been relatively harmless, whereas others have carried destructive payloads that destroyed data and made computers unusable until the viruses were removed. One of the first incidents of widespread so-called malware (a fusion of the words “malicious” and “software”) was the Morris worm, which appeared in 1988 and infected more than six thousand UNIX computers—roughly 15 percent of the computers connected to the Internet at the time. Later years brought increased bandwidth and more advanced virus techniques that allowed for more pervasive viruses.

On May 4, 2000, the ILOVEYOU virus started spreading in the Far East during business hours. It spread through Asia and Europe with remarkable speed. By mid-morning in Western Europe, the impact of the virus was becoming drastically evident. Morning in the United States saw major carriers closing their e-mail gateways in an attempt to combat the spread of the virus. The Computer Emergency Response Team (CERT), created in response to the Morris worm, sent an alert to media sources, but by that time the virus had done a great deal of its damage. Asian Wall Street, the Central Intelligence Agency, the Federal Bureau of Investigation, the Federal Reserve, AT&T, the U.S. Department of Defense, and England’s House of Commons were some, but by no means all, of the entities affected by the ILOVEYOU virus. Many of the agencies were inundated with millions of e-mail messages, and their mail servers crashed because of the load.

ILOVEYOU was initially transmitted via e-mail and originated in the Philippines. It required Microsoft Outlook and a Microsoft Windows operating system for infection to occur. ILOVEYOU spread rapidly for many reasons, one of which is that it was both a virus and a worm. A virus requires a host such as a file, program, or boot sector to spread. A worm can spread over a network by searching for open connections and copying itself to another machine. It took only a single user on a network opening the e-mail to which ILOVEYOU was attached to infect the entire network. Once a machine was infected, the virus sent itself to all the addresses in the user’s address book. Each infected message appeared to be from a valid sender and contained the attachment LOVE-LETTER-FOR-YOU.TXT.vbs; spread of the virus relied on the probability that most recipients would want to read a “love letter.” The “vbs” extension signified that the attachment was a Microsoft Visual Basic Script file, but the default installation of Windows was configured so that most users did not see the extension. Many users who did see the extension opened the attachment anyway, as few knew what a Visual Basic Script was at the time.

Microsoft Outlook relied heavily on Visual Basic. The company had opted to choose functionality over security. Once the attachment was run, it easily accessed the user’s address book and sent copies of itself without any interaction from the victim. The virus then made three copies of itself on the host machine and made the appropriate entries on the computer to ensure that the virus ran every time the machine was restarted or reset. It then tried to connect to the Internet to download a separate Trojan horse, or Trojan (a program that is not self-replicating and has a function other than what the user thinks it will perform), that attempted to steal passwords from a person’s computer and e-mail them to the virus creator. The sites that unknowingly hosted the Trojan removed the file from their servers soon after ILOVEYOU was released.

The virus also found other scripts on a computer and overwrote them with copies of itself. This tactic was highly effective on Web servers, which would then push the virus to visitors to the infected Web site. Picture files with “jpg” and “jpeg” extensions were overwritten and replaced with the virus. Music files with the extension “mp2” or “mp3” were marked hidden, and a copy of the virus was put in the original file’s place. The final action of the virus was that it searched for Internet Relay Chat (IRC) files on the computer and, if found, altered them so that when someone joined a chat channel with an infected user, that person was sent a LOVE-LETTER-FOR-YOU.HTM message that would further spread the virus if opened.

A computer screen shows an e-mail inbox to which the ILOVEYOU virus has been sent.

(AP/Wide World Photos)

Methods of containment in the early stages of the outbreak consisted of shutting down mail gateways to try to contain the virus and having mail administrators filter e-mail based on the subject line. The latter method inhibited warnings about the viruses and did not address the issue of later versions that had differing subject lines. Virus patterns were created quickly by the major antivirus companies, but the Internet was so congested from the volume of e-mail and the demand was so high for the updated patterns that it was often days before a person could obtain the needed patch that would fix the problem. Microsoft released a patch for Outlook eighteen days after the outbreak.
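The two filtering approaches can be compared directly. The following is an added example, not part of the original article: it contrasts subject-line filtering, as described above, with a check on the attachment's final extension, which catches the disguised-extension trick regardless of subject. The extension lists, the helper names, and the "variant" and "warning" messages are constructed for illustration.

```python
from email.message import EmailMessage

# Assumption: illustrative lists, not a complete policy.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}   # run by Windows Script Host
DECOY_EXTS = {".txt", ".doc", ".jpg", ".jpeg", ".mp3", ".htm"}  # look harmless to a user

def subject_filter(msg, blocked=("ILOVEYOU",)):
    """Early containment approach: block when the subject contains a known string."""
    subject = (msg["Subject"] or "").lower()
    return any(term.lower() in subject for term in blocked)

def attachment_filter(msg):
    """Flag attachments whose final extension is a script type, noting decoy extensions."""
    hits = []
    for part in msg.iter_attachments():
        # Windows ignores trailing dots and spaces, so strip them before judging.
        name = (part.get_filename() or "").strip().rstrip(". ")
        exts = ["." + p for p in name.lower().split(".")[1:]]
        if exts and exts[-1] in SCRIPT_EXTS:
            disguised = len(exts) > 1 and exts[-2] in DECOY_EXTS
            hits.append((name, "double-extension" if disguised else "script"))
    return hits

def make_msg(subject, filename=None):
    """Build a constructed sample message; the attachment body is inert placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("sample body")
    if filename:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg

# Constructed samples: the original mail, a variant with a new subject, and a warning.
SAMPLES = {
    "original": make_msg("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    "variant": make_msg("Quarterly report (constructed)", "REPORT.DOC.vbs"),
    "warning": make_msg("Warning: do not open ILOVEYOU messages"),
}

def compare():
    """Return {sample: (blocked_by_subject, attachment_hits)} for each sample."""
    return {k: (subject_filter(m), attachment_filter(m)) for k, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The subject filter misses the variant and blocks the warning, while the attachment check flags both script attachments and lets the warning through.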

The estimates for the damage that the virus caused range from three to fifteen billion dollars. Most of the damage estimate was for labor cost for virus removal—which is one of the reasons it is so difficult to assess the precise amount. It took days for infected organizations to recover from the virus. Some of the files damaged by the virus were recovered but many were lost.

The hunt for the originator of the virus led to the Philippines, where the Trojan was hosted. Investigators examining the virus’s code discovered an e-mail account. Reomel Lamores, believed to have been the owner of the account, was taken in for questioning when a disk containing a virus similar to ILOVEYOU was found in his apartment. His girlfriend, Irene de Guzman, was also questioned. Both were released, and eventually Irene’s brother, Onel de Guzman, was questioned. He admitted that he may have accidentally released the virus, but no charges were ever pressed since at the time there was no law in the Philippines against hacking.



Significance

Although the ILOVEYOU attachment file was relatively small in size, its effects were far-ranging and hit hard around the world. It became the first virus to receive widespread media coverage, from drive-time radio announcements to the lead story on major news networks. It was the fastest-spreading virus to date and also the most expensive, with the average estimate of damage somewhere around seven billion dollars. Most of the loss was due to intangible labor costs, but some of the data that were lost were irreplaceable.

In response to the failure to prosecute anyone for the case, the Philippine government passed a law against hacking so that future cases could be successfully brought to trial. A movement was made by employers to educate all users about malicious code threats from e-mail and the Internet so that at the very least, an organization’s own employees would not contribute to the spread of viruses. Antivirus vendors made changes to their virus pattern distribution. Centralizing the patches on their own servers created too much congestion, so they moved to allow organizations to download the updates to one of their own servers and distribute it internally. Also, the virus prompted congressional investigations into why the virus caused so much damage and spread so quickly through government agencies. The investigation created a more streamlined, coordinated response for future malware attacks.




