Inside the 'ILOVEYOU' worm

It was simple, but very destructive. The 'Love' bug used a gimmick to get victims to open it -- and it worked.
Written by Robert Lemos, Contributor
In less than six hours Thursday, Love spread worldwide.

The ILOVEYOU worm struck hundreds of thousands of computers in Asia, Europe and the United States as workers clicked on an e-mail attachment called LOVE-LETTER-FOR-YOU.TXT.vbs.

Late Thursday, the worm had turned. Some users reported receiving the same nasty e-mail, but one that substituted "I love you" wording with "very funny joke."

But no one was laughing. The Computer Emergency Response Team at Carnegie-Mellon University reported 270,000 computers affected. Computer security firm Network Associates estimated that 1,500 clients -- potentially tens of thousands of computers -- were hit by the wildfire infection, topping by half the number of clients hit by the massive Melissa virus last year.

For all that, the worm amounted to not much more than a glorified Melissa virus with a sprinkling of several other virus "technologies" that have afflicted users in the past 12 months, said David Chess, staff research member of IBM Corp.'s (ibm) T.J. Watson Research Center.

"It's certainly not a tour-de-force of programming," he said. "It just sort of shows how simple it is to write these sorts of things."

Richard M. Smith, the programmer who helped nab the author of the 1999 Melissa virus, said he was amazed by how fast the ILOVEYOU e-mail worm was spreading.

"It's so enticing. You get a message that says, 'I love you' and you really want to open up that attachment to see what's going on."

Simple but effective. Free e-mailbox provider MailZone.net found more than 11,000 infected e-mails Thursday after it started scanning for the virus in messages entering its system.

Trend Micro's HouseCall Web-based virus scanner found more than one-fifth of all computers that used the service -- more than 1,000 machines -- had copies of the worm, with each PC having an average of 600 infected files.

With a year's worth of experience, the public should know better than to click on unknown attached files, said David Perry, spokesman for anti-virus software maker Trend Micro Inc. (tmic). "Why did people vote for Nixon twice? Or Clinton? They just don't learn," he said.

But clicking on such attachments is not always an unreasonable choice. Just ask Steven McGhie.

The director of Internet business development for Talk2.com of Salt Lake City, McGhie used Microsoft Outlook from a San Francisco hotel room on Thursday to get his morning e-mail. Among the handful of messages was one from his brother with "ILOVEYOU" in the subject line.

"He sends me a lot of humor, so I opened it and immediately my system started chugging," said McGhie.

Initially, the businessman wondered what was going on. Within moments, however, he received several duplicate messages from his brother. There was also a message from one of Talk2.com's system administrators about the virus.

By then, McGhie's computer was already generating messages to everyone in his contact list. He phoned the system administrator, who told him to immediately unplug his phone line.

Only three minutes had passed since he'd logged on, but the virus had generated close to 600 e-mails. Most of them were sitting in his outbox when McGhie pulled the plug, but roughly 50 had been sent.

McGhie said he had no idea how his brother had received the e-mail worm.

PCs infected with the worm receive a double whammy.

First, as soon as a user opens the worm file (usually by double-clicking), the malicious code accesses the Outlook address book and sends a copy of itself to every entry. As McGhie witnessed, generating an extreme number of messages takes almost no time.

Second, the worm copies itself into every script file and several multimedia files as well, essentially deleting their previous contents.

Images (jpg and jpeg), Visual Basic scripts (vbs and vbe) and Java (je and jse) will all be deleted by the file. Music files (mp3 and mp2) are hidden and a file of the same name -- containing the worm's script and a .vbs file extension -- put in its place.

The worm also infects files on networked and mapped drives as well as sending itself to people who join a chat room with an infected member.

Finally, the virus will attempt to contact one of four Web sites in the Philippines that have a file called WIN-BUGSFIX.exe prepared for download. Those sites have since been taken offline by the Internet service provider who inadvertently hosted them.
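For cleanup after an infection, the file replacement described above leaves a recognizable trace on disk. The following is an added example, not code from the original article: a small Python triage over a file inventory that flags a .vbs or .vbe file sitting beside a hidden music file of the same name, and any script whose name carries a second extension, as the attachment's did. It assumes the replacement is named as the original file name plus the script extension; the `triage` function and the sample listing are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Extensions taken from the article: the script types the worm writes itself
# as, and the music types it hides instead of overwriting.
SCRIPT_EXTS = {".vbs", ".vbe"}
MUSIC_EXTS = {".mp3", ".mp2"}

# Constructed sample inventory: (path, hidden attribute set?)
SAMPLE = [
    (r"C:\Music\track01.mp3", True),
    (r"C:\Music\track01.mp3.vbs", False),
    (r"C:\Music\track02.mp3", False),
    (r"C:\Mail\LOVE-LETTER-FOR-YOU.TXT.vbs", False),
    (r"C:\Scripts\backup.vbs", False),
]


def triage(listing):
    """Return sorted (path, reason) findings for an iterable of
    (path, is_hidden) pairs taken from a file inventory."""
    entries = [(PureWindowsPath(p), hidden) for p, hidden in listing]
    # Hidden music files, keyed by (folder, lower-cased file name).
    hidden_music = {
        (p.parent, p.name.lower())
        for p, hidden in entries
        if hidden and p.suffix.lower() in MUSIC_EXTS
    }
    findings = []
    for p, _hidden in entries:
        if p.suffix.lower() not in SCRIPT_EXTS:
            continue
        # File name with the script extension removed (assumed naming scheme).
        inner = PureWindowsPath(p.stem)
        if (p.parent, inner.name.lower()) in hidden_music:
            findings.append((str(p), "script replaces hidden music file"))
        elif inner.suffix:
            findings.append((str(p), "script behind a second extension"))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{path}: {reason}")
```

A hit of the first kind also identifies the hidden original, which the article says is hidden rather than overwritten.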

The key to ILOVEYOU is a macro language for the Windows operating system known as Visual Basic Script.

For computers that have the scripting language turned on -- the default Microsoft setting for Windows 98 -- VBS can allow access to almost any system function: Copying, deleting and changing files are all possible.

Rob Rosenberger, editor of the Computer Virus Myths Homepage, believes Microsoft (msft) should have taken the ability to run such scripts out of Outlook a long time ago. "Why should people need to run scripts in e-mail?" he asked, exasperated. "This should have been dealt with a long time ago."

Virus hunter Smith agreed with such simple changes to Microsoft software.

"I think we need to de-tune Windows and make it not so powerful," he said. "Most people don't need VB scripting and never use it. What it seems to be used for most is writing computer viruses."

Users who want to take matters into their own hands and disable the scripting host can do so by going to Control Panels > Add/Remove Programs > Windows Settings > Accessories and unchecking the selection of the same name.

Not that Smith blames Microsoft. "It's sort of a corporate culture issue. When you're making hammers, everything looks like a nail. Programmers think everything in the world needs to be programmable."

Microsoft has been reluctant to make any changes to its software, he added. "Macro viruses in Word were discovered in 1995. In Word 2000, there was finally a solution to eliminate the problem, but it took four years. I think that's too long when we're all connected on the Internet."

Marilynn Wheeler contributed to this report
