Very similar to the Melissa virus from 1999. This virus appears to have started on May 4, 2000. It sends itself to 100% of the people in a person's Outlook address book. It is extremely widespread and has gone worldwide in a matter of hours. Initial reports are that it originated from Asia, maybe the Middle East.

Just another example of why Outlook sucks. It also makes every person who has been using e-mail since pre-Outlook days wonder why Microsoft had to force this vile program onto the masses.

If you haven't heard of it yet, you soon will. I'm sure The Media will have a field day with this. It will probably be all we hear about for the next 48 hours. Oh Boy, I can hardly wait.

More info: it apparently has a nasty payload too. It messes with mIRC to replicate itself further. It traverses your drives and copies itself over any JPEGs, MP3s, JavaScript files, and more.

Even more: it copies itself to your system directory and to your Windows (or WinNT) directory. It then adds entries to the registry to start these up when you reboot. It then attempts to download the file WIN-BUGSFIX.exe from one of 4 random places if you have the file WinFAT32.exe. It copies itself over any vbs, vbe, js, jse, css, wsh, sct, or hta files and changes the extension to vbs if it wasn't already. It also overwrites any jpg or jpeg files and renames them to the same thing, appending the extension vbs. If it finds any mp3 files it creates a new file by the same name with a vbs extension; this new file is a copy of itself. If you have mIRC it modifies the script.ini file to send itself to people. It appears that when you join a channel it will send itself to anybody in that channel. It also does some other things with the registry that I'm not too sure about. Kurt "The Pope" has a writeup on it, but his website was /.ed before I could read it. Also, the source code is now widely available since the programmer didn't do anything to try to hide it. According to the first 2 lines of it, this virus came from Manila, Philippines by somebody going by the nick spyder.

I know this is an incomplete description; I do not know VBScript or mIRC very well.
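A triage scanner for the file-system artifacts the writeup above describes (media files renamed with ".vbs" appended, mp3s left beside a ".vbs" companion copy, and a mIRC script.ini edited to auto-send on channel join). This is an added example, not code from the node or from the worm; the JOIN/dcc-send heuristic for script.ini and the sample tree are assumptions constructed here.

```python
import os
import re
import tempfile

# Artifact patterns from the node's description of the worm (added example,
# not code from the node or the worm): media files overwritten and renamed
# with ".vbs" appended, mp3s kept with a ".vbs" companion beside them, and a
# mIRC script.ini edited to auto-send on channel join.
DOUBLE_EXT = re.compile(r"\.(jpe?g|mp3)\.vbs$", re.IGNORECASE)
# Heuristic (assumption): a JOIN event that issues a DCC send.
MIRC_AUTOSEND = re.compile(r"JOIN.*dcc\s+send", re.IGNORECASE | re.DOTALL)

def scan_tree(root):
    """Walk root; return sorted (kind, path) findings for triage."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            path = os.path.join(dirpath, name)
            if DOUBLE_EXT.search(name):
                base = name[:-4]  # strip the appended ".vbs"
                # original still present beside the copy => mp3 companion
                kind = "companion" if base in present else "overwritten"
                findings.append((kind, path))
            elif name.lower() == "script.ini":
                with open(path, errors="replace") as fh:
                    if MIRC_AUTOSEND.search(fh.read()):
                        findings.append(("mirc-script", path))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree, not real captures."""
    samples = {
        "pics/beach.jpg.vbs": "' viral copy where beach.jpg used to be\n",
        "pics/clean.jpg": "not really a jpeg\n",
        "music/song.mp3": "not really an mp3\n",
        "music/song.mp3.vbs": "' companion copy beside the untouched mp3\n",
        "mirc/script.ini": "[script]\non 1:JOIN:#:{ /.dcc send $nick copy.vbs }\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

def demo():
    """Scan the sample tree; report paths relative to its root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return [(k, os.path.relpath(p, root)) for k, p in scan_tree(root)]
```

Run `demo()` to see the three findings; on a real machine point `scan_tree` at each drive root and review the "overwritten" entries, since those originals are gone.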

DoN'T rEAD +H15 N0d3!!!

Here's what nate told me (he hacked into my computer, connected a sound card and speakers, and spoke aloud (square brackets and all!), much like God did for Cecil B. DeMille): "The ILOVEYOU node contains a deadly virus that is so frighteningly dangerous that it makes the Good Times virus live up to its name. It will rip the Pentium out of your live computer and smash it to bits under a freight train. I beg you: don't visit this node!"; with that, he emailed me a $3 bill and returned control of my computer.

Then dem bones dialed #91 and spoke to me through the dial of my phone. "Please," he begged me (ever notice how small the noding vocabulary really is?), "add a writeup to that node; then people will be able to save themselves from certain immediate irrefutable irreversible indelible extinction by voting it up and cooling it."

I have but complied with the wishes of the Everything Gods.

I bring a quote from the BBC website:

"I have no idea how it got through the firewall," Ms Ghesquiere said. "It's supposed to be protected."

I don't see how a firewall can protect from something it's not been told about. Are there any firewalls or virus detectors around that would guess that this payload was a virus by its activity?

This worm sounds very pernicious (from what I've read). However, any scripting language could have been used on any platform to much the same effect. (Convince the user to launch you, find out what platform you're running on, find a nearby LDAP server, send out copies, install in startup (user login under *nix - no need to mess with inaccessible system files). I can certainly visualise how I'd do it on Linux...) M$' dominant position has, again, cost a large number of companies a large amount of money.

  • User sees attached wibble.doc and opens it in StarOffice/WordPerfect/??
  • Virus is lucky and has a compatible payload - DocOpen event is triggered and the script runs.
  • Virus is lucky and the script environment actually supports the ability to run other programs.
  • Virus checks out the platform it's running on (OS, desktop environment, word processor, network access, etc.) and decides on the best way of replicating.
  • Virus constructs new virus based on this information.
  • Virus searches for regexes that look like mail addresses in files under $HOME and mails the new virus out.
  • Virus dumps some nice, quiet startup scripts in the user's rc files. These start very quiet background processes that poll for access to the internet and open an IRC connection if possible. Ideally the virus can use PERL for this...
  • Virus forks and does whatever else it fancies to the user's files...

Evidence exists that the virus actually started on Everything..!

I gotta hand it to whoever wrote this, he came up with a good subject. If you got an e-mail that said "I love you" in the subject line, you'd probably be interested, right? Spammers could learn from him.

Although, the guy's obviously a dumbass script kiddie (see my comment in the ILOVEYOU script node, which also has the source code). I should also note that he gives his e-mail address within the code and states that he lives in Manila, Philippines. Someone should teach this kiddie a thing or two about case statements and indentation.

When I got the first email, I asked my cubemate who the sender was. She looked over at the subject and said "he's cute... open it!"

I know vbs worms from IRC; traditionally they're sent out as HOTSEX.vbs.jpg and MYDICK.jpg.vbs, and I knew better than to open the attachment.

I really am disappointed in how it was dealt with. I got over 300 ILOVEYOU emails from people I don't know this afternoon and that fucking Microsoft DING that nobody thinks about shutting off DINGED 300 times on every PC on our floor. I was becoming quite irritated until a genius sysadmin remembered he could make a kill file on the subject lines going through the mail server so they could work on a remedy for the problem instead of worrying about the server crashing.

Yay, MCSE!

Ya know, once upon a time, viruses and worms and other forms of life had to be written in nice, tight, assembler code. They exploited strange holes in security. They were difficult stuff.

This thing here, it just walks through the totally open front door, and fucks the system every which way.
This tells you two things:

  1. Users are fucking stupid creatures
  2. Microsoft's design is even more fucking stupid
Or, more seriously (let me wear my RISKS hat):
  1. The first mistake in design is that a mail client allows you to execute a random piece of code that you got from the net.
    The designers should have asked themselves: Is this really a typical user activity? or Is this a security hole that someone will exploit? which basically means "Should this be made convenient like renaming a file or inconvenient like formatting a hard disk?" - my take would obviously be "inconvenient as hell, and maybe more".
  2. The second mistake is in user interface design: the interface should make forcefully clear that what you are going to do is FUCKING DANGEROUS. The mild mannered Windows warning dialog, with its lengthy chat, just does not cut it.
  3. The third mistake lies in user training. It is assumed that users will understand what they do, but in reality they do not. I see it all the time: the project I work in has some fairly large mailing lists, used by absolute beginners.
    They get a Word document from someone who has just graduated from chalk+blackboard to a keyboard, and cheerfully open and run the macros. And then forward the infected documents to the rest of the list.
This combination of bad design, bad UI and bad training is the niche where the virus thrives.

Consider a virus that is a Linux x86 executable: I could uuencode it, and mail it to my buddies. And it would never survive, because my buddies have the training not to run an executable coming from an unknown source (point 3), and because many typical Unix mail clients (pine, mutt, ...) do not give you any facility for one-touch uudecoding and running of random crap of unknown origin (point 1).

To answer asqui: The problem is one of expectations. An end user does not usually expect actions taken in his mail user agent to be dangerous, and thus is not expecting his 'Preview mail' to actually result in mail bombing everybody in his contact list, replacement of all his mp3s and JPEGs with viral code, or all of his data being stolen.

Making this happen by default in order to support an operation that should be uncommon (executing non-authenticated code received through e-mail, the equivalent of lending your machine to a stranger for a day, without supervision) is in my opinion bad user interface design.

Guns are commonly designed with safety catches; if we were selecting a gun to give to everybody, I assume we would pick one with a safety catch, even though the catches aren't strictly necessary if the user is careful. We should go to at least the same level of protection for MUAs; though the consequences usually are less severe with a mailer mishap, guns are, after all, designed to kill, while this is (hopefully) not a common design goal for MUAs. Thus, we can expect people to be somewhat more careful around guns than they would be around MUAs.

If I was to support executing content directly from the MUA at all, I would have done the following things to restrict damage:

  • Default to not running executable content on double-click, instead displaying a requester telling about the dangers of executing code on your machine, about the ease of forging e-mail, that firewalls will not protect you against this, and of where the user can change the preferences to allow execution.
  • Allow execution with or without a warning each time execution is attempted (after the above option has been changed to allow it at all.) I'd probably do this by allowing execution of the executable that triggered the last warning before enabling of execution, but coming up with a warning (with a disable button) each time afterwards (until the user disables the requester.)
  • Allow execution in a sandbox, where the executing program does not get write access or access to create outbound network connections, and the output from the program is displayed in a controlled fashion, avoiding spoofing for passwords and similar.
  • (If possible) Allow execution with other types of lowered access, e.g. popping up a requester before allowing writes to proceed.

This isn't enough to give perfect security, but it creates a much safer environment, and one where users are automatically taught about the dangers of their actions. The cost is at two levels - the user who actually knows what she is doing loses 30 seconds disabling the protection, and the implementor of the program loses time implementing the security features.

I think this is a reasonable cost, and that not taking it is irresponsible.

Folks, this is going to be my stock response to ILOVEYOU's I'm still receiving. It's kind of funny to watch them fall on the deaf ears of my non-sucky OS and my not-so-sucky email client. The only thing I've changed are the email addresses, to protect the guilty.
Date: Wed, 10 May 2000 19:07:34 -0400 (EDT)
From: XXXX XXXXXX XXXXX 
To: XXXXXX X XXXXX 
Cc: geekhumor@umich.edu
Subject: Re: ILOVEYOU

Sorry, the user of this machine is infected by the IMNOTREADYFORACOMMITMENT
virus, and is therefore incapable of responding appropriately to your
thoughtful message. Unlike software viruses, IMNOTREADYFORACOMMITMENT is a
wetware virus, transmitted by the Y chromosome. Those stricken by the dreaded
IMNOTREADYFORACOMMITMENT virus cannot be helped by standard interventions such
as anti-virus software. Completely reformatting these hapless individuals
might work, but unfortunately there are no safe, reliable methods for doing so
at this time. There is some evidence that the IMNOTREADYFORACOMMINTMENT virus
might go into remission after 10 to 60 years of torturing its host. Good bye,
good luck disinfecting your computer, and be thankful that you do not carry
the dreadful Y chromosome!

On Wed, 10 May 2000, XXXXXX X XXXXXX wrote:

>
> kindly check the attached LOVELETTER coming from me.

Update: some of the virus specialists at my site read the copy of this I cc-ed to geekhumor@umich.edu and wanted my permission to reproduce it on the Virus Humor webpage... though they were a little worried some m0r0n would read it and write in asking how to protect themselves against IMNOTREADYFORACOMMITMENT. My advice with respect to protection against this sort of thing is to scan a guy carefully before you insert him.

this "virus" is very simple to counteract, assuming you are running a pattern matching capable MTA (Mail Transmission Authority). in your mail delivery program like sendmail, postfix or whatever you need to point it to use procmail by default to filter all messages. once you have done that, add this line to /etc/procmailrc:
:0
* ^Subject: ILOVEYOU$
{
  # EX_NOUSER from sysexits.h: the MTA bounces the message
  EXITCODE=67
  :0
  /dev/null
}

this will bounce anything sent through that mail server, both incoming and outgoing messages.
hasta la vista, stupid macro virus!
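An emulation of the procmail subject rule from the writeup above, so you can check what it will and will not stop before putting it on a mail server: procmail header regexes are case-insensitive by default and anchor ^ and $ at line boundaries, so the worm mail is bounced whatever its case, while a human "Re: ILOVEYOU" reply or a body that merely mentions the worm is delivered. This is an added example, not the writeup's own code; the sample messages are constructed.

```python
import re

# Emulation of the procmail recipe above (added example, not the writeup's
# own code). procmail header regexes are case-insensitive by default and
# anchor ^ and $ at line boundaries inside the header block, so the same
# rule is expressed here with IGNORECASE | MULTILINE over the header only.
RULE = re.compile(r"^Subject: ILOVEYOU$", re.IGNORECASE | re.MULTILINE)
EX_NOUSER = 67  # sysexits.h code the recipe returns so the MTA bounces the mail

def filter_message(raw):
    """Return the exit code procmail hands the MTA: 67 to bounce, 0 to deliver."""
    header, _sep, _body = raw.partition("\n\n")
    return EX_NOUSER if RULE.search(header) else 0

# Constructed messages, not real captures.
SAMPLES = {
    "worm": "From: a@example.org\nSubject: ILOVEYOU\n\n"
            "kindly check the attached LOVELETTER coming from me.\n",
    "lowercase": "Subject: iloveyou\n\nsame worm, different case\n",
    "human reply": "Subject: Re: ILOVEYOU\n\n"
                   "Sorry, the user of this machine is infected by ...\n",
    "body only": "Subject: status\n\nWe got hit by ILOVEYOU today.\n",
}

def run_samples():
    """Map each sample label to the exit code the rule produces."""
    return {label: filter_message(raw) for label, raw in SAMPLES.items()}
```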
