While the world today is fighting the COVID-19 virus, twenty years ago, it was staggering under the weight of an entirely different pandemic – that of a computer worm called ‘ILOVEYOU’, or ‘The Love Bug’. This bug, however, was aimed at Microsoft Windows systems, and while it caused no deaths, it caused untold damage. It started on May 4, 2000, when an email turned up in the Philippines with the subject line of ILOVEYOU. These were the days when email spam was not as prevalent as now, and users not as careful. So, a subject heading like that was sure to tempt anyone into opening the email. Inside was a message which directed the user to read the love letter in the attached document file. Of course, human curiosity being what it is, the person receiving the mail, couldn’t help but open it. And so began a disastrous global chain of infection that led to millions of files being damaged and costs of several billion dollars.
What ILOVEYOU Did
Most malware exploits a weakness in an operating system, such as Windows, and the ILOVEYOU bug was no exception. It took advantage of a Windows feature, still used today, that conceals file extensions by default. It works by reading the file name from right to left and hiding anything before the first dot. ILOVEYOU had the filename LOVE-LETTER-FOR-YOU.TXT.vbs, but once it passed through the Windows parsing system, it came out as LOVE-LETTER-FOR-YOU.TXT. In other words, to the casual observer, it looked just like a simple text file.1
Once the attachment was opened, it executed the Visual Basic script (vbs), and the ‘ILOVEYOU’ worm was set free to do its work. This consisted of stealing passwords and adding a registry entry so that it would start up again if the computer was rebooted. Files, such as Office files, image files, and audio files were overwritten. Strangely, as well as overwriting MP3 files, it also hid them. And, most damaging of all, it used the user’s Microsoft Outlook address book to send copies of itself to all of the victim’s contacts, with the same subject line. Of course, any recipients would see the mail as coming from someone they knew, and with a subject line so intriguing… well, you know how the rest of it goes! And it didn’t just spread via email – it would also infect any computer linked to the victim’s computer.
The worm spread like wildfire across the world, and within ten days had infected over 50 million computers.2 In the US, the Pentagon and CIA were forced to protectively close down their systems, as was the British Parliament. Security experts have since calculated that the cost of removing the worm and recovering deleted files was as much as $10 billion.3 And on top of this figure, you have to add the financial losses of lost business while computers were unable to operate.
Finding the Perpetrator
Despite its seeming sophistication (for the time, that is), the makers of ILOVEYOU made it fairly simple for the authorities to find them. The Philippine National Bureau of Investigation and the FBI’s investigations were able to trace the phone number connected to the virus (from the old dial-up internet connection) and also tracked the stolen passwords to an email address in Manila. In addition, the virus code mentioned GRAMMERsoft, which turned out to be an underground hacking group at Manila’s AMA Computer college. Within days, the authorities had enough evidence to arrest Onel de Guzman and fellow students Reonel Ramones and Michael Buen.
The Man behind ILOVEYOU
The whole idea seems to have started when de Guzman, a computer science student at the college, handed in his thesis proposal to his tutor. In it, he proposed a program that would steal passwords from other peoples’ internet accounts as it would be ‘helpful to a lot of people specially Internet users to get Windows passwords such as Internet Accounts to spend more time on Internet without paying.’4 Needless to say, his professor rejected the proposal, adding notes that said, ‘This is illegal,’ and ‘We do not produce burglars.’5 De Guzman dropped out of college, but this did not stop him from going ahead with his project.
Despite de Guzman and the others being arrested, the police were frustrated from pursuing the case further as there lacked sufficient legal rules governing computer crimes under Philippine law to bring charges. At that point, the country did not have any anti-hacking or computer misuse laws. Subsequently, the men were released without being prosecuted. On May 11, de Guzman stood before the world’s press, communicating through his lawyer. When asked whether he might have released the virus accidentally, he replied, ‘It is possible.’6
Aftermath
A day after the worm appeared, a solution to fix it was also released at no cost to the public. Narinnat Suksawat, a 25-year-old computer engineer from Thailand, successfully developed software, called ‘Rational Killer’ that wiped the worm from affected systems. Unfortunately though, it was unable to repair any damaged files.7 And in the Philippines, the law was quickly changed so that bad actors like de Guzman wouldn’t escape prosecution in the future.
In an interview with Forbes, Greg Day, the CSO at Palo Alto Networks, concluded that the ILOVEYOU email was a catalyst for changing the cyber threat landscape.8 It made education about social engineering techniques and phishing a crucial element of cybersecurity -both for corporate and private users of email. It also prompted Microsoft to fix the vulnerability by stopping any suspicious scripts (such as vbs) from being launched automatically.
Fast Forward 20 Years…
Investigative journalist, Geoff White, decided to try to locate de Guzman and see what he had to say about the incident twenty years later. In April 2019, he finally discovered him in a small phone repair booth in a market in Manila.9 Guzman admitted that he had created the ‘Love Bug’ in order to drop the Barok trojan to steal passwords – initially only from users in the Philippines. However, he later recoded it so that it could spread by itself. Ironically, he did this by reusing some code from the damaging Melissa virus of the year before.10 Speaking to Geoff White in an interview, he explained how he picked the subject line: ‘I figured out that many people want a boyfriend, they want each other, they want love, so I called it that.’11 He went on to say that he never intended it to cause the chaos that it did and that the first he knew of it was when his mother called him to tell him that police were looking for a hacker in the city.
It seems that, unlike many cybercriminals today, he never profited from his crime. In fact, he says that he now regrets writing the ILOVEYOU code. As for his accomplices, de Guzman insists that he was the only one responsible for the development and release of the worm. It seems that now he is content to lie low and try to forget his past.
What’s Love Got to Do with it?
So, could ILOVEYOU happen again today? Strictly speaking, no. But are people still clicking, opening attachments and not exercising good security awareness hygiene? Yes, in a major way. The sheer number of attacks that succeed due to human error and social engineering is staggering. What ILOVEYOU teaches is fundamental to the human condition: people are curious, trusting, habitual and respond to certain triggering emotions. What’s ironic is that there’s nothing actually wrong with these characteristics; it’s just malicious actors prey on these human elements to accomplish their goals.
While technically the coding used in the Love Bug was rather crude, and today’s mail clients tend not to automatically launch scripts included in attachments, attackers have become more versatile and sophisticated. Users, therefore, must be imbued with deep security awareness when using the internet. In a corporate environment you need the c-suite and boards to invest in cybersecurity-based awareness training. There needs to be a culture of security awareness. This entails regular and engaging video-based awareness training that is measurable and behavior altering. It is not solved by technology alone. Cybercriminals are sophisticated in detecting vulnerabilities and use social engineering to fool people. This is particularly evident during emotionally charged environments such as during a pandemic, where Covid-19 themed attacks have increased 30,000%.12 What we need is a global movement where investment dollars are put into awareness training for every man, woman and child.
- Paul Ducklin, ‘ILOVEYOU: The Love Bug Virus 20 Years On – Could It Happen Again?’ Naked Security, 05/04/2020, accessed at https://nakedsecurity.sophos.com/2020/05/04/iloveyou-the-love-bug-virus-20-years-on-could-it-happen-again/
- Davey Winder, ‘’This 20-Year-Old Virus Infected 50 Million Windows Computers In 10 Days: Why The ILOVEYOU Pandemic Matters in 2020,’ Forbes, 05/04/2020, accessed at https://www.forbes.com/sites/daveywinder/2020/05/04/this-20-year-old-virus-infected-50-million-windows-computers-in-10-days-why-the-iloveyou-pandemic-matters-in-2020/#4d6dd6bf3c7c
- Ibid.
- Paul Ducklin, ‘ILOVEYOU: The Love Bug Virus 20 Years On – Could It Happen Again?’ Naked Security, 05/04/2020, accessed at https://nakedsecurity.sophos.com/2020/05/04/iloveyou-the-love-bug-virus-20-years-on-could-it-happen-again/
- Ibid.
- Geoff White, ‘Revealed: The Man Behind the First Major Computer Virus Pandemic,’ Computer Weekly, 04/21/2020, accessed at https://www.computerweekly.com/news/252481937/Revealed-The-man-behind-the-first-major-computer-virus-pandemic
- Sandra Gyles, ‘The ILOVEYOU Computer, 20 Years On – What happened to Onle de Guzman?’ VPN Overview, 05/04/2020, accessed at https://vpnoverview.com/news/the-iloveyou-computer-virus-20-years-on-what-happened-to-onel-de-guzman/
- Davey Winder, ‘’This 20-Year-Old Virus Infected 50 Million Windows Computers In 10 Days: Why The ILOVEYOU Pandemic Matters in 2020,’ Forbes, 05/04/2020, accessed at https://www.forbes.com/sites/daveywinder/2020/05/04/this-20-year-old-virus-infected-50-million-windows-computers-in-10-days-why-the-iloveyou-pandemic-matters-in-2020/#4d6dd6bf3c7c
- Geoff White, ‘Revealed: The Man Behind the First Major Computer Virus Pandemic,’ Computer Weekly, 04/21/2020, accessed at https://www.computerweekly.com/news/252481937/Revealed-The-man-behind-the-first-major-computer-virus-pandemic
- Eugene Kaspersky, ‘ILOVEYOU – 20 Years Ago – to the Day!’ Eugene.Kaspersky, 05/05/2020, accessed at https://eugene.kaspersky.com/2020/05/05/iloveyou-20-years-ago-to-the-day/
- Geoff White, ‘Revealed: The Man Behind the First Major Computer Virus Pandemic,’ Computer Weekly, 04/21/2020, accessed at https://www.computerweekly.com/news/252481937/Revealed-The-man-behind-the-first-major-computer-virus-pandemic
- Deepen Desai, VP of Security Research, Zscaler, “30,000 Percent Increase in COVID-19-Themed Attacks”