Site icon Sophos News

ILOVEYOU: The Love Bug virus 20 years on – could it happen again?

Five years ago to the day, we wrote up our reminiscence of an infamous and globally troublesome computer pandemic from the turn of the century.
That makes the Love Bug computer virus 20 years old today, depending on your timezone and how early in the infection chain you were.
With apologies to The Beatles:

    It was 20 years ago today
     That the Love Bug virus came to play.
   It was written with a heap of guile
     And was guaranteed to kill your smile
   So may I introduce to you,
     The trick we've known for all these years,
   Files with two extensions at the end.

(We doubt this version is one you want to sing along to the Beatles’ tune, but if you aren’t familiar with the 1960s original, you can check out the album cover and listen to it online.)
The Love Bug virus was also known ILOVEYOU because it spewed itself out in emails with those three words, jammed together as one, in the subject line.
Intriguingly, the author mis-spelled the variable names mail and mailad (short for mail address) in the code as male and malead.
Whether that was simply a typo or a Freudian slip we shall probably never know:

As shown above, the code used Visual Basic automation to get the Outlook program to do the email sending, retrieving every entry in your address book, both individuals and groups, and spamming out emails that looked like this:

Then, as today, Windows suppressed file extensions by default, so few users would have seen that the innocent-looking TXT file in fact ended in .vbs and was therefore a Visual Basic Script in disguise.
Worse still, back then Outlook would run attached scripts right way if you double-clicked on them, without warning you that you were actively launching a program that could take over your computer instead of passively opening a file to take a look at it.
The fact that the virus would only generate its deluge of infectious spam if you had the Outlook email client installed and configured correctly didn’t really hamper its spread much back then.
Webmail was in its infancy in 2000 and despite the popularity of Hotmail (which is now, of course, Outlook), many home users still used the Outlook program to send and receive mail via their ISP and very many companies used Outlook via a Microsoft Exchange server on their own network.
This really was one of history’s “fast burner” virus outbreaks.


ILOVEYOU also replicated itself across computers and networks, finding and infecting files including any existing Visual Basic files (.VBS and .VBE) as well as Javacript, various web-related files, JPEG images and MP3 files:

Sadly for victims, infected files were blindy replaced with the Love Bug code, rather than being parasitically infected by having the virus inserted at the start.
In other words, the original content could not be extracted from infected files, so the after effects of a Love Bug attack were a bit like a ransomware attack today, but with no way to restore the originals except to reload a recent backup.
For reasons we can only imagine, infected MP3 files were marked hidden after infection, thus vanishing both literally by being overwitten and figuratively by dropping out of sight.
The virus also tried to spread via IRC, short for Internet Relay Chat, which was far and away the most popular instant messaging system back in 2000.

Whodunnit?

There were numerous hints in the code that implied it came from Manila in the Philippines, but given that all malware is, by definition, untrustworthy, text strings in the virus can’t blindly be believed:

rem  barok -loveletter(vbe)
rem by: spyder  /  [REDACTED]@mail.com  /  @GRAMMERSoft Group  /  Manila,Philippines

Barok, by the way, is a well-known comic book character in the Philippines; it’s also the name of a password-stealing Trojan that the Love Bug malware tried to download onto infected computers, using the curious but innocent-sounding name WIN-BUGSFIX.exe.
In this case, the malware author seemed to have been telling the truth about his whereabouts, because a suspect was soon identified: a college student in Manila by the name of Onel de Guzman.
He never finished his studies, bailing out of college after turning in a password stealing Trojan as an independent study project which he promoted as follows:

The importance of this study is to help other people most especially Windows users. We all know that when we connect to the internet […] we spend a lots of money to pay the accounts for only using a couple of hours. So this program is the main solution, use it to steal and and retrieve Internet accounts of the victim’s computer.

His lecturer did not take kindly to this, commenting “this is illegal” and noting that “we do not produce BURGLARS.”

What happened next?

Apparently, de Guzman’s lecturer got one detail wrong in his reponse: de Guzman may have been a burglar as far as the spirit of the law was concerned…
…but when it came to the letter of the law, the police couldn’t find a way to charge him under what would now probably be anti-hacking regulations or computer misuse laws.
It seems that what he’d done wasn’t illegal on its own in the Philippines at the time – we’re assuming that prosecutors would have to have proved that he’d actually acquired passwords and abused them for financial gain, therefore establishing that he’d broken laws that didn’t relate only to what we now call cybercrime.
The Philippines legislature quickly moved to change that, presumably fearing that without more teeth in the legal code, malware disseminators could continue to shrug their shoulders and get off.
So de Guzman may have brought about a modernisation of cybercrime regulations in The Philippines, but he himself slipped the knot and got off scot free.

Where is he now?

Malware disseminators in other countries, including the UK and the US, had already been convicted by the year 2000, and had been (or soon would be) sent to prison.
So although de Guzman’s college career came to an early end, he wasn’t convicted of a crime and didn’t end up paying a fine or going to jail.
We’ve often wondered what became of de Guzman after the Love Bug outbreak, and now, thanks to a BBC reporter’s digging, published over the weekend, we’ve found out.
According to reporter Geoff White, de Guzman, now 44, runs a mobile phone kiosk in a Manila shopping mall where White tracked him down recently.
As White tells it:

[De Guzman] created a title for the email attachment that would have global appeal, tempting people across the world to open it.
“I figured out that many people want a boyfriend, they want each other, they want love, so I called it that,” [de Guzman] said.

How right he was.

What to do?

The good news is that a virus outbreak coded in the style of Love Bug probably wouldn’t get very far these days.
Firstly, Outlook and other mail client software is much more cautious about launching script files sent in as attachments, so crooks need to take extra steps to persuade you to run them.
Secondly, far fewer users have Outlook installed, so the trivial mass-mailing code shown above wouldn’t be as effective.
Thirdly, viruses like Love Bug spread in a complete and self-contained way so that once they reached a victim’s computer, they didn’t need always-on internet access to continue spreading.
They also typically spread with enormous aggression whenever they got the chance, assuming – as was the rule back in 2000 – that most users went online only intermittently.
As a result, even though they often caused short term “fast burning” global computer pandemics, they also become widely known quickly, could often be analysed with completeness and certainty once a sample was acquired, and attracted the sort of attention needed to get sysamins everywhere on the case rapidly.
That’s the good news.
The bad news, of course, is that today’s malware attacks don’t need to use Love Bug’s crude and aggressive spreading techniques – indeed, they don’t need to be attention-drawing worms or viruses at all.
So a Love Bug style attack is unlikely in 2020 not only because our defences have got stronger but also because the crooks have purposefully chosen to launch and sustain more subtle attacks that don’t set off the all alarm bells at once.
Oh, there’s more bad news.
Windows still doesn’t show you file extensions by default, so files called LOVE-LETTER-FOR-YOU.TXT could still be just about anything, from images and videos to documents, scripts and programs.
But you can fix that!
Type file explorer in the search bar and launch the Windows File Explorer app; go to the View menu and check the box labelled File Name Extensions.


Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

Exit mobile version