<The I LOVE YOU Worm- Matt Bishop> A8


WHAT HAPPENED?
• The virus arrived in email boxes on May 4, 2000, in the Philippines with the simple subject of “ILOVEYOU” and an attachment “LOVE-LETTER-FOR-YOU.TXT.vbs”.
• Upon opening the attachment, the virus sent a copy of itself to everyone in the user’s address list, posing as the user. It also made a number of malicious changes to the user’s system.
• The worm spread throughout the world very quickly, affecting the British Parliament, the U.S. Congress, the U.S. Air Force and innumerable businesses and organizations.
• Filters to block the mail were quickly developed and installed, but the spate of copycat worms in the next few days evaded the filters.

THE CREATOR
• The supposed creator of the virus was a man by the name of Onel A. de Guzman, a college dropout who was 24 at the time of the virus’s widespread destruction.
• Guzman did not face any charges for the creation of the virus, for two reasons:
1. There was insufficient evidence against him.
2. There were no strong computer laws in the Philippines, where he lived (there are laws now because of this virus).

I LOVE YOU WORM

LOVE-LETTER-FOR-YOU.TXT.VBS
• The “ILOVEYOU” virus was also known as the Love Letter virus, since that is what it initially disguised itself as.
• The virus spread by taking advantage of a weakness in many computers: file extensions were hidden by default, so the attachment looked like a harmless text file.
• When run, it would overwrite files on the hard drive, such as pictures, music, documents, etc., and even copy itself into the system.
• Running an infected file would cause the worm to run again, causing even more damage.

LOVE-LETTER-FOR-YOU.TXT.VBS
• The bug would spread through your email once your computer was infected.
• It would take your first 50 address book contacts and send this message, along with the virus attached:
Subject:
ILOVEYOU
Body:
Kindly check the attached LOVELETTER coming from me.
Attachment:
LOVE-LETTER-FOR-YOU.TXT.VBS
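
The slides say that mail filters were evaded by copycat worms and that the attachment relied on a hidden final extension. The following added example (not part of the original slides) compares a subject-line filter with a check on the attachment's real extension. The extension lists, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed policy lists (not from the slides): script types Windows will execute,
# and harmless-looking types that serve as the visible decoy extension.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".doc", ".pdf"}

def make_message(subject, filename):
    """Build a constructed test message; the payload is an inert placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("Kindly check the attached LOVELETTER coming from me.")
    m.add_attachment(b"inert placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

def subject_filter(raw, blocked=("ILOVEYOU",)):
    """The brittle approach: match the subject line of the known sample."""
    subject = message_from_string(raw)["Subject"] or ""
    return subject.strip().upper() in blocked

def extension_filter(raw):
    """Flag attachments whose real (last) extension is an executable script."""
    hits = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if not name:
            continue
        # Normalise the way Windows does: trailing dots and spaces are ignored.
        suffixes = [s.lower() for s in PurePosixPath(name.rstrip(". ")).suffixes]
        if suffixes and suffixes[-1] in SCRIPT_EXTS:
            decoy = len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS
            hits.append((name, "decoy+script" if decoy else "script"))
    return hits

# Constructed samples: the message described above, a renamed copycat, a benign mail.
ORIGINAL = make_message("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs")
COPYCAT = make_message("Constructed copycat subject", "CONSTRUCTED-NAME.JPG.vbs")
BENIGN = make_message("Meeting notes", "notes.txt")

if __name__ == "__main__":
    for label, raw in (("original", ORIGINAL), ("copycat", COPYCAT), ("benign", BENIGN)):
        print(label, subject_filter(raw), extension_filter(raw))
```

The subject filter matches only the original message, while the extension check flags both the original and the renamed copy and leaves the benign mail alone.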

WHY DID IT SPREAD SO QUICKLY?
This virus is seen as the first “socially engineered” virus, meaning it spread so quickly because it played on a common human weakness, the desire to be loved, as well as curiosity. The effect was even stronger because the message appeared to come from somebody the recipient knew.

HOW IT WORKED AGAIN!
• Its massive spread happened because the virus used mailing lists as its source of targets; the messages often came from an acquaintance and so might be considered “safe”, providing further incentive to open them.
• All it took was a few users at each site opening the VBS attachment to generate the thousands and thousands of e-mails that would cripple e-mail systems under their weight, not to mention overwrite thousands of files on workstations and accessible servers.
• The G-DANG spread across the world in one day, infecting 10% of all computers connected to the Internet. The virus overwrote important files and also sent itself to everyone on the user’s contact list.

HOW IT WAS CURED
• Narinnat Suksawat, a 25-year-old Thai software engineer, was the first person to write software that repaired the damage caused by the worm, releasing it to the public on May 5, 2000, 24 hours after the worm had spread.
• The virus searches all the drives connected to the infected computer and replaces files with the extensions *.JPG, *.JPEG etc. with copies of itself, appending a .VBS extension to the file name.
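
Because each replaced file is a copy of the same script with .VBS appended to the original name, the damage can be inventoried by looking for that naming pattern and grouping the matches by content hash. The following is an added example, not part of the original slides and not the repair tool mentioned above; the function names and the sample directory are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

TARGET_EXTS = (".jpg", ".jpeg")  # the two extensions the slide names

def find_overwritten(root, target_exts=TARGET_EXTS):
    """Return {sha256: [paths]} for files named <original>.<target ext>.vbs."""
    clusters = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            if ext != ".vbs" or not stem.endswith(target_exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                clusters[hashlib.sha256(fh.read()).hexdigest()].append(path)
    return dict(clusters)

def restore_list(clusters, min_copies=2):
    """Original file names to restore from backup, taken from clusters of
    byte-identical replacements (identical copies indicate one script)."""
    names = []
    for paths in clusters.values():
        if len(paths) >= min_copies:
            names += [p[:-len(".vbs")] for p in paths]
    return sorted(names)

def build_sample_tree(root):
    """Constructed sample directory with inert placeholder contents."""
    photos = os.path.join(root, "photos")
    os.makedirs(photos)
    samples = {
        "beach.jpg.vbs": b"inert placeholder\n",     # replaced picture
        "party.JPEG.VBS": b"inert placeholder\n",    # replaced picture
        "macro.vbs": b"inert placeholder\n",         # script without a picture name
        "intact.jpg": b"constructed image bytes\n",  # untouched file
    }
    for name, data in samples.items():
        with open(os.path.join(photos, name), "wb") as fh:
            fh.write(data)
    return photos

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name in restore_list(find_overwritten(tmp)):
            print("restore from backup:", name)
```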
SYSTEM REQUIREMENTS
• The worm makes certain assumptions about the system on which it will run:
1. The user can write to the root and system folders.
2. The system supports registry keys.
3. The registry can hold at least m+n+4 more registry keys, where n is the number of unique address list entries and m is the number of address lists.
4. The worm can arrange to be executed at system boot time.
5. The system runs Internet Explorer.
6. The system runs Outlook.
7. The system runs mIRC.
8. The system runs Visual Basic.
CONCLUSION
The virulence of the ILOVEYOU worm should not have been surprising. It did not apply any new techniques, and could have done far more damage. However, that it had such a damaging effect and spread so rapidly indicates the vulnerability of systems to attacks that depend upon naive users.
1) In future, a tool or software package could include the significant findings obtained in our decision tree to classify the malware.
2) Moreover, the tools may be attached to a knowledge base, so that less skilled users can also use the toolkit for forensic analysis.
3) Last but not least, the task of first detecting, analyzing and generating cures for unknown and malicious files is itself an individual research topic.