Loveletter

from Wikipedia, the free encyclopedia
Name: Loveletter
Aliases: Ich liebe dich
Known since: 2000
Origin: Philippines
Type: Email worm
Other classes: Network worm, script worm
Authors: Onel de Guzman
File size: 10 KByte
Memory resident: No
Distribution: Email, network services, IRC
System: Windows 9x, NT, 2000
Programming language: Visual Basic

Loveletter is a computer worm that spread explosively by e-mail on 4 May 2000 and in the days that followed. The subject line was "ILOVEYOU". It was the first computer worm to be reported in the mass media around the world.

The worm caused damage estimated at $10 billion worldwide. This makes Loveletter the third most costly piece of malware of all time, after MyDoom and Sobig.F (as of August 2020).


Aliases

Loveletter was often referred to as I-love-you in the press and by the general public. The worm was also often called the I-Love-You virus.

Versions and derivatives

Since the worm consists of a script file that can be edited with any common editor, there are more than 100 variants. Often these contain only small changes, such as a different e-mail or IRC text or different file names. Some of these copycats were found and arrested.

Function

Distribution

[Figure: Screenshot of the first variant of the Loveletter worm]

In addition to the curiosity-arousing subject line, "ILOVEYOU" specifically tried to lull the recipient into a false sense of security: it sent itself to the entries in the victim's personal address book, so the advice "Do not open any e-mail attachments from strangers" did not help. The attachment was also named LOVE-LETTER-FOR-YOU.TXT.vbs. Because a standard Windows installation does not display the real .vbs extension, many recipients saw a name ending in .TXT and relied on the rule that ".txt files are harmless".
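As an added example (not part of the original article and not taken from the worm), the following Python sketch shows a mail-gateway style check that flags the double-extension trick described above. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Script types named in this article; a real gateway list would be longer.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}
# Extensions users tend to read as harmless (assumed list).
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".mp2", ".mp3", ".doc", ".pdf"}


def classify_filename(name):
    """Return 'double-extension', 'script' or 'ok' for an attachment name."""
    # Windows drops trailing dots and spaces, so normalise them first.
    clean = name.strip().rstrip(". ").lower()
    exts = ["." + p.strip() for p in clean.split(".")[1:]]
    if not exts or exts[-1] not in SCRIPT_EXTS:
        return "ok"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "double-extension"
    return "script"


def scan_message(raw):
    """Return (filename, verdict) for each flagged attachment in a raw mail."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # also decodes RFC 2231 encoded names
        if name and classify_filename(name) != "ok":
            findings.append((name, classify_filename(name)))
    return findings


def build_sample():
    """Constructed sample mail; attachment bodies are inert placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "ILOVEYOU"
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg.set_content("constructed sample body")
    for fname in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "notes.txt", "report.hta"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_string()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {name}")
```

The check looks only at the last two extensions, so a plain script attachment is still reported as "script" and can be handled by a separate policy.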

While Loveletter can be received and executed with any e-mail program, to send e-mails it needs Microsoft Outlook, which it controls remotely via OLE automation. As a result, personal firewalls could not detect it for a long time, because they only registered the communication between Outlook and the mail server.

Furthermore, it replaces files of certain types on the hard drive of the infected computer and in the Microsoft network environment with a copy of itself. If this file was then executed from another computer, this PC was also infected.

Finally, it was able to spread over the IRC network via DCC. To do this, it searched the hard drive for the IRC client mIRC and overwrote the script.ini file. The new file contains a script that sends Loveletter to everyone who joins a channel in which the already infected user is present.

Due to its exponential distribution, it overloaded many mail servers in the first few hours. The following calculation illustrates this: Assuming that every infected user has 20 entries in his address book and half of the recipients open the attachment:

Level   Newly infected   Newly sent mails
1       1                20
2       10               200
3       100              2,000
4       1,000            20,000
5       10,000           200,000

Payload

The worm deleted all files with the extensions .jpg, .jpeg, .vbs, .vbe, .js, .jse, .css, .wsh, .sct and .hta on infected computers and created a copy of itself under the same name with the .vbs file extension. In addition, all files with the extensions .mp2 and .mp3 were marked as hidden, and a copy of the worm with the same name and the extension .vbs was created.

Author

The author, Onel Guzman, was not convicted.

There was a "unique" comment on the first two lines of the script:

rem barok -loveletter(vbe) <i hate go to school> 
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila, Philippines

Guzman could not be brought to trial under the Philippine law of 2000. Cybercrime laws did not yet exist, and property damage was punishable only if intent could be shown. Guzman stated in court that he had released the worm accidentally, and all charges were dropped. Just two months later, a law against programming malware was passed. In 2019, Guzman admitted that at the time he had indeed intended to steal passwords.

Public reaction

Due to its rapid and widespread distribution and the amount of damage caused, the topic was picked up by the mass media and brought into public awareness. In this way, many computer users in Europe were warned long before the antivirus manufacturers updated their signatures.
