ILOVEYOU: The wrong kind of LoveLetter

It was partly through taking advantage of our emotional rather than technical vulnerabilities that VBS/LoveLetter – also known as the Love Bug virus – caused such a trail of destruction when it hit the inboxes of its first victims on the morning of May 5th, 2000.

“Kindly check the attached LOVELETTER coming from me.”

Displaying the title I LOVE YOU in the subject line, the email was immediately effective. It included the following body message: “Kindly check the attached LOVELETTER coming from me.” The attachment was a file, titled: LOVE-LETTER-FOR-YOU.TXT.VBS, which contained the virus’s code.

According to David Harley, Senior Research Fellow at ESET, much of the virus’s success was a result of “unusually successful social engineering”. He explains: “It was unusual enough to persuade a victim to open it out of curiosity or in the expectation of reading some kind of joke.”

As its victims would find out, there was very little to laugh about.

Write me a letter

Originating in the Philippines, the Love Bug was the brainchild of two computer programmers, Reonel Ramones and Onel de Guzman. Although they were arrested, they were never prosecuted due to a lack of anti-malware legislation in the country at the time.

From there, the virus spread to Hong Kong, to Europe and finally arrived reached the US just as offices were opening up in the morning, as Lysa Myers, Security Researcher at ESET, remembers:

“My day of the outbreak started at 5AM, when I was called in to help with the unprecedented number of reports we got from people who’d been affected. A huge variety of people wrote in with tales of woe; everyone from government offices whose email servers had been kneecapped by the load of virus-laden messages, to grandparents who were heartbroken to find that pictures of grandchildren had been irreparably destroyed by the virus.”

“Much of the virus’s success was a result of ‘unusually successful social engineering’.”

Adding to its seemingly innocent façade, the email appeared to come from a known contact – the worm would infiltrate a victim’s address book, sending replicas of itself to personal and business contacts.

In this way, LoveLetter was more harmful than its predecessor Melissa, which also took advantage of mass-mailing on its release in 1999.


One (double) click on the attachment was all it took. Once released, the virus began its attack by overwriting files within the computer system (as well as mailing itself to contacts).

And its damage was widespread: it is estimated to have infected over 55 million computers around the world, causing billions of dollars of damage, estimated between US $5 billion and $10 billion.

“Many of the same vulnerabilities are [exploited] by today’s ransomware, as those used by LoveLetter.”

To counter its spread, Chey Cobb, chief technical security officer for one of the first US government facilities to encounter the virus advised all US government agencies to “disconnect from the internet until the thing was contained”.

Many large corporations followed suit, with the British Parliament, the Pentagon and the CIA shutting down their internet connections to avoid damage to their systems.

Reach out

So, what came of this? For one, it did lead businesses to explore alternative ways of alerting users to potential inbox viruses. Some companies reverted to old fashioned methods and stuck paper notices on people’s doors; others left urgent voicemails; and, around the world, bosses did everything they could to ensure the first email in their employees’ inbox was a warning about LoveLetter.

Bruce P. Burrell, yet another Security Researcher at ESET, explains the importance of establishing contact via any medium available, in the instance of an inbox virus: “When one medium is bogged down [we need to] use whatever other channels available to reach people …  Today that would include using social media, putting up a blurb on the company home page, on the internal network, etc.”

Additionally, as Myers explains, it helped security professionals “refine policies and procedures that were put in place to help us respond quickly and consistently even in the most overwhelming emergencies”.

Finally, whilst both computer security and methods of infiltration have evolved, security systems are often only as effective as their human users – many of us still fail to protect our systems with security software or to back up our data.

This Valentine’s … back up your data

Rather than letting our emotions sway our decisions, as a general rule, the advisable precaution would be to always double-check attachments before opening them by (a) never opening attachments or clicking on links in unsolicited email (or in Facebook, IMs, etc), even when they appear to be from those you know and trust and (b) before opening, contact the purported sender to see if s/he actually did send you something, and if so, exactly what it is.

No matter how enticing the subject matter may seem, the risk is never worth it.

Source: WeLiveSecurity