Skip to content

Latest commit

 

History

History
46 lines (27 loc) · 2.68 KB

2000_ILOUVEYOU.md

File metadata and controls

46 lines (27 loc) · 2.68 KB

ILOVEYOU

Malware profile by Marzell Arwed Wittmaack

Classification

Virus Worm Trojan Ransomware Botnet Other
✔️

Facts & Figures

  • Year: 2000 [1, 2]
  • Author: Onel A. De Guzman [3]
  • Language: VBS [1, 2, 3]
  • Infections: 500.000 [3]
  • Damage: 15.000.000.000$ [3]

Description

[...]

Messages which were generated in the Philippines began to spread westwards through corporate email systems. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and were therefore often regarded as "safe" by their victims, providing further incentive to open them. [...]

The virus arrives in an email with the subject line of "ILOVEYOU" with an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs" that people were encouraged to open, since the ".vbs" suffix was not visible, thus seeing the ".TXT" suffix. The message body is "kindly check the attached LOVELETTER coming from me." The sender line will be the address it was sent from. The user must download and execute the worm by clicking on it.

[...]

Internet Explorer security settings do not allow scripts to access disk files and will display a warning when they try to. To work around this, the worm displays a fake message telling the user to give ActiveX control to the .htm file. If the user clicks on "Yes", the worm will infect the system. If the user clicks on "No", the worm reloads the message in an infinite loop until the user clicks on "Yes" to allow it to infect the system.

[...]

When the worm is executed, it copies itself as the files LOVE-LETTER-FOR-YOU.TXT.VBS and MSKERNEL32.VBS in the Windows_system_folder and WIN32DLL.VBS in the Windows directory. It creates its own key named MSKernel32 under the Local machine registry key that causes programs to run and adds the value MSKERNEL32.VBS to it. It also creates a new Local Machine RunServices key named Win32DLL and adds WIN32DLL.VBS as a value to it, so it will run when the system boots, before the user even logs on.

[...]

Loveletter searches for files to modify, mostly by replacing those files with a copy of itself.

[...]

[3]

Footnotes

  1. https://www.heise.de/security/meldung/l-f-Liebesbrief-Wurm-ILOVEYOU-feiert-15-Geburtstag-2632341.html 2

  2. https://searchsecurity.techtarget.com/definition/ILOVEYOU-virus 2

  3. http://malware.wikia.com/wiki/ILoveYou 2 3 4 5