I LOVE YOU VIRUS ATTACK

PRESENTED TO:
Dr. Vishal Gupta

PRESENTED BY:
Aditi Gupta BM-018009
Alpana Tyagi BM-018030
Aman Goel BM-018031
Archit Goel BM-018052
Megha Saxena BM-018378
A8 <The I LOVE YOU Worm- Matt Bishop> 1
WHAT HAPPENED?
• The virus arrived in email boxes on May 4, 2000, in the
Philippines with the simple subject of “ILOVEYOU” and an
attachment “LOVE-LETTER-FOR-YOU.TXT.vbs”.
• Upon opening the attachment, the virus sent a copy of itself to
everyone in the user’s address list, posing as the user. It also
made a number of malicious changes to the user’s system.
• The worm spread throughout the world very quickly, affecting
the British Parliament, the U.S. Congress, the U.S. Air Force
and innumerable businesses and organizations.
• Filters to block the mail were quickly developed and installed,
but a spate of copycat worms in the next few days evaded
the filters.
THE CREATOR
The supposed creator of the virus was a man by
the name of Onel A. de Guzman, a college
dropout who was 24 at the time of the virus’s
widespread destruction.
• Guzman did not face any charges for the
creation of the virus, for two reasons:
1. There was insufficient evidence against him.
2. There were no strong computer laws in the
Philippines, where he lived (there are laws
now because of this virus).


I LOVE YOU WORM


LOVE-LETTER-FOR-YOU.TXT.VBS
The “ILOVEYOU” virus was also known as the Love Letter
virus, because that is what it initially disguised itself as.
• The virus spread by taking advantage of a weakness in
many computers: file extensions were hidden by default,
so the trailing .vbs of the attachment name was not shown.
• When run, it would overwrite files on the hard drive, such as
pictures, music, documents, etc., and even copy itself into the
system.
• Running an infected file would cause the virus to run again,
causing even more damage.


LOVE-LETTER-FOR-YOU.TXT.VBS
• The bug would spread through your email once your computer
was infected.
• It would take your first 50 address book contacts and send this
message, along with the virus attached:
Subject:
ILOVEYOU
Body:
Kindly check the attached LOVELETTER coming from me.
Attachment:
LOVE-LETTER-FOR-YOU.TXT.VBS
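
The slides note that filters for this mail were evaded by copycat worms, and that the lure depended on the hidden final extension. The following is an added example, not part of the original presentation: it compares a filter keyed to the known subject line with one that inspects the attachment's real (last) extension. The function names, the extension sets and the three sample messages are constructed for illustration.

```python
from email.message import EmailMessage
from pathlib import PurePosixPath

# Script types Windows will execute on double-click (illustrative, not exhaustive).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
# Extensions a reader takes for a harmless document or media file.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".jpeg", ".mp3", ".pdf"}

def subject_filter(msg):
    """Signature-style filter: block only the known subject line."""
    return (msg["Subject"] or "").strip().upper() == "ILOVEYOU"

def attachment_filter(msg):
    """Return (filename, reason) for every attachment whose real extension is a script."""
    findings = []
    for part in msg.iter_attachments():
        # Windows ignores trailing dots and spaces, so strip them before parsing.
        name = (part.get_filename() or "").strip().rstrip(". ")
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
            continue
        # With extensions hidden, "X.TXT.vbs" is displayed as "X.TXT".
        if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
            findings.append((name, "script hidden behind decoy extension"))
        else:
            findings.append((name, "script attachment"))
    return findings

def build(subject, filename):
    """Construct a sample message; the payload is an inert placeholder."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "friend@example.com", "user@example.com", subject
    msg.set_content("Kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

# Constructed samples: the original lure, a hypothetical renamed copycat, a benign mail.
SAMPLES = {
    "original": build("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs"),
    "copycat": build("Meeting notes", "NOTES.DOC.vbs"),
    "benign": build("Meeting notes", "notes.txt"),
}

def evaluate():
    """Map each sample to (blocked by subject filter, blocked by attachment filter)."""
    return {k: (subject_filter(m), bool(attachment_filter(m))) for k, m in SAMPLES.items()}

if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(label, verdict)
```

The subject filter stops only the original message, while the attachment check also stops the renamed copy and lets the benign mail through.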

WHY IT SPREAD SO QUICKLY?
This virus is seen as the first “socially engineered” virus,
meaning it spread so quickly because it played on a common
human weakness, the desire to be loved, as well as curiosity. The
effect was even stronger because the message would have appeared
to come from somebody the recipient knew.


HOW IT WORKED AGAIN!
• Its massive spread happened because the virus used mailing
lists as its source of targets; the messages often came from an
acquaintance and so might be considered “safe”, providing
further incentive to open them.
• All it took was a few users at each site opening the VBS
attachment to generate the thousands and thousands of e-mails
that would cripple e-mail systems under their weight, not to
mention overwrite thousands of files on workstations and
accessible servers.
• The G-DANG spread across the world in one day, infecting
10% of all computers connected to the Internet. The virus
overwrote important files and it also sent itself to
everyone on the user’s contact list.


HOW IT WAS CURED
• Narinnat Suksawat, a 25-year-old Thai software engineer, was the
first person to write software that repaired the damage caused by
the worm, releasing it to the public on May 5, 2000, 24 hours after
the worm had spread.
• The virus searches all the drives connected to the infected
computer and replaces files with the extensions *.JPG, *.JPEG,
etc. with copies of itself, while appending a .VBS extension to
the file name.
SYSTEM REQUIREMENTS
• The worm makes certain assumptions about the system on which
it will run:
1. The user can write to the root and system folders.
2. The system supports registry keys.
3. The registry can hold at least m+n+4 more registry keys,
where n is the number of unique address list entries and m is the
number of address lists.
4. The worm can arrange to be executed at system boot time.
5. The system runs Internet Explorer.
6. The system runs Outlook.
7. The system runs mIRC.
8. The system runs Visual Basic.
CONCLUSION
• The virulence of the ILOVEYOU worm should not have been
surprising. It did not apply any new techniques, and could have
done far more damage. However, that it had such a damaging
effect and spread so rapidly indicates the vulnerability of systems
to attacks that depend upon naive users.
1) In the future, a tool or software can include the
significant findings obtained in our decision tree to classify the
malware.
2) Moreover, the tools may be linked to a knowledge base,
so that less skilled users can also use the toolkit for forensic
analysis.
3) Last but not least, the task of first detecting, analyzing, and
generating cures for unknown and malicious files is itself an
individual research topic.
THANK YOU
