Loveletter Worm (2000)

danooct1

New Member
Thread author
Apr 21, 2011
1
I made this writeup for another site, mainly just for fun, but I figured I'd go ahead and post it here as my first post.

On May 4th, 2000, a new and devastating worm surfaced and began terrorizing the world wide web - the Loveletter worm, also known as the ILOVEYOU worm. While not a new concept in and of itself, the worm's use of social engineering tricked people into allowing it to spread all over the world in a matter of hours.

The file would arrive in an email; in the first variant, this file was named LOVE-LETTER-FOR-YOU.TXT.vbs. However, there has been a major security "flaw" that has been neglected by Microsoft and always enabled by default.

hidezj.png


With the extensions for known file types hidden, the dangerous double extension of .txt.vbs became a seemingly innocent and simple .txt. Many people believed this could be trusted.

innocentv.png


However, upon disabling the file extension hiding feature, the danger soon becomes apparent. This is not something that you'd expect a friend to send you through email.

revealed.png


The Loveletter worm was best at spreading rapidly, but also carried dangerous payloads as well. It would find and destroy any and all .jpg, .jpeg, .hta, .js, and many other file types on all local and network drives. It accomplished this by overwriting the file with its own code, then deleting the original, as seen below.

sourcedt.png


These few lines of code, along with other similar lines, would easily corrupt many of your favorite files, and rather quickly too, as the files were lost mere seconds after execution. Desktops could go from this:

okayq.png


To this, in a matter of seconds:

overwrite.png


After damaging as many files as it could, Loveletter began to spread itself. To do this, it enumerated all of the Outlook contacts it could find. As long as the person had more than one contact in their list, Loveletter would begin its spreading routine.

email1.png


Every contact on the victim's Outlook contact list would be sent a copy of the worm, all with the same subject, message body, and attachment.

email2.png


Many users upon receiving this would simply open the file straight from the email, ignoring the dangers of the double extension (not widely known at that time), further spreading the worm and causing more and more damage globally.

At the time the worm was launched, it also changed the Microsoft Internet Explorer homepage with several registry keys, causing the worm to download and execute a keylogger hosted on a website. After this, the worm would set the homepage to about:blank, frustrating many users attempting to go to their homepage. The keylogger was taken down very quickly after the worm was released, leading to less damage than potentially could have been caused.

In addition to spreading through email, Loveletter also used several other methods that were not widely used by worms at the time. It exploited mIRC by sending users a link to its own file. It also displayed infected ActiveX pages that, when run, would transfer and execute the worm. Doing all of this allowed the worm to achieve a league of its own in terms of widespread distribution and total destructive damage.

The Loveletter worm and its many variants ended up causing over 5.5 billion dollars worth of damage in cleanup and lost productivity. Antivirus vendors were kept round the clock to produce definitions to catch this worm, and it set the precedent for many different worms to come. Since the source code was so easily viewable, many variants were made, each more destructive than the last. It was very easy to find the file overwriting payload and change .jpg or another extension to .exe, rendering an infected computer unusable until the Operating System is restored.
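The double-extension trick described in the post above can be caught at the mail gateway by looking at attachment names. This is an added example, not part of the original post and not code from the worm: the extension lists, function names and the sample message are constructed for illustration, and the displayed name assumes the final extension is a registered file type.

```python
import email
from email.message import EmailMessage

# Extensions Windows runs as code; an illustrative list, not exhaustive.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                   ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".lnk"}
# Extensions users tend to read as harmless documents or media.
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".jpeg", ".gif", ".png", ".mp3"}

def split_ext(name):
    """Split off the last extension, ignoring trailing dots/spaces that Windows strips."""
    name = name.rstrip(". ")
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return name, ""
    return stem, "." + ext.lower()

def displayed_name(name):
    """Name shown with 'hide extensions for known file types' on (assumes a registered type)."""
    stem, ext = split_ext(name)
    return stem if ext else name

def classify(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    stem, ext = split_ext(name)
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    _, inner = split_ext(stem)
    return "double-extension" if inner in DECOY_EXTS else "executable"

def scan_message(raw_bytes):
    """Return [(filename, displayed name, verdict)] for every attachment in a raw message."""
    names = [p.get_filename() for p in email.message_from_bytes(raw_bytes).walk()]
    return [(n, displayed_name(n), classify(n)) for n in names if n]

def sample_message():
    """Constructed sample: placeholder bytes carrying the attachment name from the writeup."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    for fname in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "notes.txt", "setup.exe"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for row in scan_message(sample_message()):
        print(row)
```

The middle column is what the recipient sees with extension hiding on, which is why the first attachment reads as a plain text file while the verdict column shows it is a script.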
 

iPanik

New Member
Feb 28, 2011
530
Nice post.
I remember this one, really nasty stuff. It was on every front page at the time.
Still sets the bar for how bad it can get.
 

McLovin

Level 76
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
Nice, I still remember this one... got really bad
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
Ah yes, who could forget this classic of a horror. Bad stuff...
 

LoftedAphid86

New Member
Feb 24, 2011
1,107
Good post and welcome to Malware Tips, danooct1.
Don't you just love old malware?
They were much more interesting than today's malware.
This one was deadly, though.
This one seems to have much better grammar than malware made nowadays aside from the missing capital letter. ☺
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Well, Loveletter/ILOVEYOU became prevalent in the Philippines due to that worm invasion before.
 

Tom172

Level 1
Feb 11, 2011
1,009
Great post. I'm also interested in this old stuff.

Another one I remember was the CIH virus, which had the ability to corrupt the BIOS.
 
