|Home » News » Roundups » ILOVEYOU
How it works, what it does
May 4, 2000 3:00 PM UTC
We now have more details on this 'destructor'. It would seem that the company representing the 'affected' email client has been trying to keep its name out of the news. But it was only a matter of time. As it always is with their Internet software.
- It's a Visual Basic script (like we weren't prepared for that).
- It only works with Microsoft email clients (like we weren't prepared for that either).
- Once you open it, it will mail itself to everyone in your MS Outlook address book.
How it works, what it does:
It's an attachment with the VBS extension. According to CERT, the letter simply says:
kindly check the attached LOVELETTER coming from me.and the attachment is:
If you open the attachment, it will immediately copy itself to your system directory as:
And then copy itself to your Windows directory as:
And thereafter sneak into your Registry at:
And then look for a shortcut to the Internet Explorer home page (see a trend here?) with a download URL for 'WIN-BUGSFIX.exe'. This file, if downloaded, goes into the 'Run' keys as well.
And then create the HTML file 'LOVE-LETTER-FOR-YOU.HTM' in your system directory, to be sent through mIRC whenever you join an IRC chat channel.
The fun is only beginning. Now comes the online propagation: it goes through your entire Outlook address book and mails itself, just as you received it, to everyone.
Now comes the local propagation: it's going to sneak in everywhere on your system or any system you're connected to, systematically overwrite files everywhere, and then wait until you or someone else tries to open them. And then the whole cycle of disaster will start up all over again.
Files with the extensions CSS, HTA, JS, JSE, SCT, VBE, VBS, WSH, found either locally or remote, get overwritten, and the extension changed to VBS; files with the extensions JPEG, JPG, MP2, MP3 get overwritten, and the VBS extension is added. All of these files now contain the ILOVEYOU worm. As soon as any of these files are activated, the worm starts up all over again.
- It was first sighted in Hong Kong this morning (May 4).
- It probably originated in the Philippines.
- Somebody called 'Spyder' probably wrote it.
- It's not only the local destruction - it's the intensity of the propagation which makes it lethal.
- The header looks something like this:
rem barok -loveletter(vbe) <i hate go to school>So we would seem to have Spyder's email address and if we're lucky and he's dumb (not likely) his identity. But that's one of the reasons it's suspected to originate Manila way.
rem by: spyder / email@example.com / @GRAMMERSoft Group / Manila,Philippines
Companies hit so far:
Asian Wall Street Journal Hong Kong, AT&T, Central Intelligence Agency, Civil Air Patrol, Danish parliament, Danish TV2 TV Corporation, Dow Jones Newswires Hong Kong, Ford Motor Co., General Accounting Office, House of Commons London England, Investment banks in Singapore and Hong Kong, Jet Propulsion Laboratory, Johnson Space Center, Ordina Beheer NV IT Consultants Holland, Philips Customer Call Centers, Swedish Aviation Authority, Swedish parliament, Swedish TV4 TV Corporation, Swiss govt., Ticketmaster Citysearch, Time Warner, Trend Micro, US Coast Guard, US DoD, US FBI, US Federal Reserve, US House of Representatives, US Pentagon, US Senate, US State Dept., US White House, Vodafone AirTouch UK, Walt Disney