Computer Security Wiki
  • Email-Worm.VBS.LoveLetter (Kaspersky Lab)
  • VBS/Generic@MM (McAfee)
  • IRC.Worm.gen (Symantec)
  • VBS/Lovelet-AY (Sophos)
  • VBS/MassMail.gen* (RAV)
  • VBS_GENERIC.001 (Trend Micro)
  • MIRC/LoveLetter (Avira)
  • VBS/Loveletter (FRISK)
  • VBS/Iloveyou (AVG)
  • VBS.Mailtest.A (SOFTWIN)
  • Worm.LoveLetter.AX (ClamAV)
  • VBS/Loveletter.AQ (Panda)
  • mIRC/LoveLetter.A (Eset)


Type Worm
Affected platform/s Microsoft Windows

Onel de Guzman

Smallwikipedialogo.png Most of this page uses content from Wikipedia. The original article was at ILOVEYOU.
The list of authors can be seen in the page history. As with Computer Security Wiki, the text of Wikipedia is available under the GNU Free Documentation License.
Remove this template when most of the Wikipedia content has been removed or the Wikipedia information is outnumbered by non-Wikipedia information.

ILOVEYOU is a worm that arrived in e-mail boxes on May 4, 2000. Upon opening the attachment, the virus sent a copy of itself to everyone in the user's address list, posing as the user. It also made a number of malicious changes to the user's system. The worm originated in Manila, Philippines. It had wide-spread distribution, and infected millions of computers.[1]

Two aspects of the virus made it effective:

  • It relied on social engineering to entice users to open the attachment and ensure its continued propagation.
  • It exploited the weakness of the email system design that an attached program could be run easily by simply opening the attachment; the underlying mechanism – VBScript – had not been exploited to such a degree previously to direct attention to its potential, thus the necessary layers of protection were not in place yet.


Because the virus used mailing lists as its source of targets, the messages often appeared to come from an acquaintance and so might it be considered "safe", providing further incentive to open them. All it took was a few users at each site to access the VBS attachment to generate the thousands and thousands of e-mails that would cripple e-mail systems under their weight, not to mention overwrite thousands of files on workstations and accessible servers.


The virus began in the Philippines on May 4, 2000, and spread across the world in one day (traveling from Hong Kong to Europe to the United States), infecting 10 percent of all computers connected to the Internet[2] and causing about $5.5 billion in damage. [3] Most of the "damage" was the labor of getting rid of the virus. The Pentagon, CIA, and the British Parliament had to shut down their e-mail systems to get rid of the virus, as did most large corporations.[4]

The virus overwrote important files, except .mp2 and .mp3 files (which were hidden instead, see Architecture below), with a copy of itself.[1] It also sent the virus to everyone on a user's contact list. Because it was written in Visual Basic Script, this particular virus only affected computers running the Microsoft Windows operating system. While any computer accessing e-mail could receive an "ILOVEYOU" e-mail, only Microsoft Windows systems would be infected.


Narinnat Suksawat, a 25-year-old Thai software engineer, was the first person to write software that repaired the damage caused by the worm, releasing it to the public on May 5, 2000, 24 hours after the worm had spread. "Rational Killer", the program he created, removed virus files and restored the previously removed system files so they again functioned normally. Two months later, Narinnat was offered a senior consultant job at Sun Microsystems and worked there for two years.


The virus is written using Microsoft Visual Basic Scripting (VBS), and requires that the end-user run the script in order to deliver its payload. It will add a set of registry keys to the Windows registry that will allow the malware to start up at every boot.

The virus will then search all drives which are connected to the infected computer and replace files with the extensions *.JPG, *.JPEG, *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.DOC *.HTA with copies of itself, while appending to the file name a .VBS. extension. The malware will also locate *.MP3 and *.MP2 files, and when found, make the files hidden, copy itself with the same filename and append a .VBS extension.

The virus propagates by sending out copies of itself to all entries in the Microsoft Outlook address book. It also has an additional component, in which it will download and execute an infected program called variously "WIN-BUGSFIX.EXE" or "Microsoftv25.exe". This is a password-stealing program which will e-mail cached passwords.


The alleged authors of the virus, include Irene de Guzman from Manila, Philippines, her brother Onel de Guzman[5] and her boyfriend Reomel Lamores who was briefly held in May 2000 in connection with the virus outbreak.[6] He denied writing the virus, later he claimed the release of the code had been accidental. As there were no laws in the Philippines against virus-writing at the time, he was released and in August the prosecutors dropped all charges against Irene De Guzman, her boyfriend and owner of the PC which was the source of the infection. The original charges brought up against her dealt with the illegal use of passwords for credit card and bank transactions.


External links[]