May 04, 2015 | published by Yiyi Miao
Where were you when the ILOVEYOU bug started spreading on May 4th, 2000? Was your computer one of the tens of millions of PCs the Love Letter attacked?
Exactly fifteen years ago to the day, email messages with the subject line 'ILoveYou' and the message 'Kindly check the attached LOVELETTER coming from me' started propagating to millions of inboxes. The malware-laced attachment was named LOVE-LETTER-FOR-YOU.txt.vbs. Since the vbs extension was hidden by default, it seemed to recipients that the attachment was a harmless txt file. Once the attachment was opened, a VBS script would overwrite image files and send the LoveLetter email to all contacts in the victim's Outlook address book. The computer worm also tried to download and install a Trojan horse designed to intercept passwords and send them back to the perpetrators in the Philippines and then rendered the machine unbootable.
ILOVEYOU Bug Email - Image Source: SOPHOS
Because the email was spread by infected machines and sent to known contacts in address books, recipients thought the email was sent by people they knew. Within ten days, over fifty million infections had been reported, and it is estimated that 10% of internet-connected computers in the world had been affected. The outbreak is said to have caused $10 billion in damages worldwide.
ILoveYou Bug — Then and Now
Fifteen years ago, the ILoveYou bug was very successful in terms of number of infections and inflicted damage. Would it have been as successful now? What has changed in the malware threat landscape in the last fifteen years?
1. Malware Awareness Has Come a Long Way
People are no longer as easily fooled. By now, most consumers know that malware can look like it is being sent from someone you know. Even though the attachment can look innocuous, it can still be malware. Attackers now need to put more effort into social engineering in order to make potential victims fall into the trap.
2. End of the Prank Malware Era
The ILoveYou bug was designed to steal passwords and was part of a new variation of malware that was not sent simply as a prank but to provide financial gain for the attackers. Today's malware attacks are often executed by sophisticated criminals who are after financial gains, or by state sponsored actors with political motives.
3. Attacks Have Become More Targeted
The ILoveYou bug was spread to anyone who was unfortunate enough to be listed as a contact in an infected computer's Outlook Address Book. In short, the attack was not very targeted. Attackers have since changed their strategy: they now go for quality rather than quantity. They stake out their victims carefully, with a clear intent toward the data they want to get their hands on. Since most corporations have valuable data, attackers are targeting specific individuals within companies and are using social engineering, such as gleaning personal information from the internet, to make their victims take the bait.
4. Email Filters Can Intercept Spoofed Attachments
Part of the success of the ILoveYou bug was because the email attachment's real extension was hidden, making it look like a harmless txt file. Email filters can now block dangerous files such as executables and .vbs files. Advanced email filters can also perform file type verification to ensure that email attachment extensions that have been spoofed, such as an exe file that is disguised as a txt file, will not be allowed through.
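The file type verification described above can be sketched as follows. This is an added example, not code from the original post or from any OPSWAT product; the extension lists, the small magic-byte table and the finding names are assumptions chosen for illustration.

```python
import os

# Extensions Windows runs through a script host or loader (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta",
                   ".exe", ".scr", ".bat", ".cmd"}
# Extensions a recipient reads as a harmless document or media file.
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".mp3", ".pdf", ".doc"}

# Leading "magic" bytes for a few formats, and the extensions allowed to carry them.
MAGIC = [(b"MZ", "exe"), (b"\xff\xd8\xff", "jpeg"), (b"%PDF-", "pdf")]
EXPECTED = {".exe": "exe", ".scr": "exe", ".jpg": "jpeg", ".jpeg": "jpeg", ".pdf": "pdf"}


def sniff(data):
    """Return the format implied by the leading bytes, or None if unrecognised."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return None


def check_attachment(filename, data):
    """Return the list of policy findings for one attachment (empty list = allow)."""
    findings = []
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    name = filename.strip().rstrip(". ").lower()
    stem, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        # "x.txt.vbs" displays as "x.txt" when known extensions are hidden.
        if os.path.splitext(stem)[1] in DECOY_EXTS:
            findings.append("double-extension")
    # The content must match what the final extension claims, in both directions:
    # an MZ header under ".txt", or script text under ".jpg", are both mismatches.
    if sniff(data) != EXPECTED.get(ext):
        findings.append("content-mismatch")
    return findings


# Constructed sample attachments (harmless placeholder bytes, not real malware).
SAMPLES = [
    ("LOVE-LETTER-FOR-YOU.TXT.vbs", b"rem constructed placeholder\r\n"),
    ("notes.txt", b"MZ\x90\x00constructed"),
    ("photo.jpg", b"\xff\xd8\xff\xe0constructed"),
    ("meeting-notes.txt", b"Agenda for Monday\r\n"),
]

if __name__ == "__main__":
    for fname, payload in SAMPLES:
        result = check_attachment(fname, payload)
        print(f"{fname}: {'BLOCK ' + ','.join(result) if result else 'allow'}")
```
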
5. Malware Now Tries to Avoid Detection
In the ILoveYou bug era, attackers did not attempt to hide the infection on your machine. As soon as the computer became infected, files would be overwritten, pop-up messages would appear, and browsers or applications would be blocked from use, making the infection obvious. In recent years we have seen the rise of more sophisticated Advanced Persistent Threats (APTs) that operate in stealth and try to avoid detection, in order to siphon off as much data as possible before being detected.
Fifteen years after the ILoveYou bug, malware is still a major problem and is not going anywhere anytime soon. How can businesses protect themselves against malware attacks? Even though malware threats are increasingly sophisticated, there is still a lot that companies can do to protect themselves. By maintaining proper security practices, such as centrally monitoring devices to ensure that they are safe and patched, deploying multi-scanning with multiple antivirus engines on servers, web proxies, clients and email servers, and educating employees in cyber security, organizations can greatly decrease their exposure.
This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.
This Knowledge Base document is divided into the following sections:
What is the ILOVEYOU worm?
VBS/LoveLetter is a VBScript worm. It spreads through email as a chain letter, using the Outlook email application. ILOVEYOU is also an overwriting VBS virus, and it spreads itself using the mIRC (Internet Relay Chat) client as well.
What does ILOVEYOU do?
- When it is executed, ILOVEYOU first copies itself to the Windows system directory as MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs. It also copies itself to the windows directory as Win32DLL.vbs.
- Then it adds itself to the registry, so it will be executed when the system is restarted. The registry keys that it adds are:
- Next, the worm replaces the Microsoft Internet Explorer home page with a link that points to an executable program called WIN-BUGSFIX.exe. If the file is downloaded, the worm adds this to the registry as well, causing the program to execute when you restart your system.
  The executable part that the ILOVEYOU worm downloads from the web is a password-stealing Trojan horse. On startup, the Trojan tries to find a hidden window named BAROK... If it is present, the Trojan exits immediately; if not, the main routine takes control. The Trojan checks for the 'WinFAT32' subkey in the following registry key:
  If the 'WinFAT32' subkey is not found, the Trojan creates it, copies itself to the Windows System directory as WINFAT32.EXE, and then runs the file from that location. The above registry key modification makes the Trojan become active every time Windows starts.
- Next, the Trojan sets the Internet Explorer startup page to 'about:blank'. After that, the Trojan tries to find and delete the following keys:
- Then the Trojan registers a new window class, creates a hidden window titled BAROK.., and remains resident in Windows memory as a hidden application.
  Immediately after startup and when timer counters reach certain values, the Trojan loads the MPR.DLL library, calls the WNetEnumCachedPasswords function and sends stolen RAS passwords and all cached Windows passwords to [email protected], an email address that most likely belongs to the Trojan's author. The Trojan uses the smtp.super.net.ph mail server to send email messages. The email message's subject line is 'Barok.. email.passwords.sender.trojan'.
  The author's copyright message appears inside the Trojan's body: 'barok ..i hate go to school suck ->by:spyder @Copyright (c) 2000 GRAMMERSoft Group >Manila,Phils'
  There are also some encrypted text messages in the Trojan's body used for its internal purposes.
- After that, the worm creates an HTML file called LOVE-LETTER-FOR-YOU.HTM in the Windows system directory. This file contains the worm, and it will be sent using mIRC whenever the user joins an IRC channel.
- Then the worm will use Outlook to mass mail itself to everyone in each address book. The message that it sends will have a 'Subject:' line of 'ILOVEYOU', the body will say 'kindly check the attached LOVELETTER coming from me.', and an attachment called LOVE-LETTER-FOR-YOU.TXT.vbs. ILOVEYOU sends the message once to each recipient. After a message has been sent, it adds a marker to the registry and does not mass mail itself any more.
- The virus then searches for certain file types on all folders on all local and remote drives and overwrites them with its own code. The files that are overwritten have either .vbs or .vbe extensions. The virus will create a new file with the same name but using a .vbs extension and delete the original for all files with the following extensions: .js, .jse, .css, .wsh, .sct, and .hta.
- Next, the virus adds a new file next to, and deletes the original of, all files with the following extensions: .jpg, .jpeg, .mp3, and .mp2. As an example, for a picture named pic.jpg, the virus will create a new file called pic.jpg.vbs and delete the original.
ILOVEYOU was found globally in the wild on May 4, 2000, and appears to be of Philippine origin. At the beginning of the code, the virus contains the following text:
You can find this information on the F-Secure Corporation web site at:
Detecting ILOVEYOU
Current Norton/Symantec AntiVirus definitions will protect your system from all of the known variants (82 as of May 31, 2001) of the ILOVEYOU worm. For more information, see the following Knowledge Base documents:
How do I remove the ILOVEYOU virus?
UITS recommends that you disinfect your computer using the fix developed by Symantec, which is the first option listed below. Only manually remove the virus if you are computer savvy, or do not have access to the Symantec tool.
Symantec's tool
You may access a tool provided by Symantec that will detect and remove this worm and most of its variants at:
Follow the instructions on the page. Note that this tool will have limited effectiveness if you have been infected with the variant VBS.NewLove.A.
Manual removal
To manually remove the ILOVEYOU virus, follow these directions:
This contains instructions for editing the registry. If you make any error while editing the registry, you can potentially cause Windows to fail or be unable to boot, requiring you to reinstall Windows. Edit the registry at your own risk. Always back up the registry before making any changes. If you do not feel comfortable editing the registry, do not attempt these instructions. Instead, seek the help of a computing support provider.
- Delete these registry entries:
- If your Windows system directory contains the file WinFAT32.exe, delete the following registry entries:
- Delete LOVE-LETTER-FOR-YOU.HTM and LOVE-LETTER-FOR-YOU.TXT.
  Note: Search all non-removable drives (hard disks and network drives) for the files LOVE-LETTER-FOR-YOU.HTM and LOVE-LETTER-FOR-YOU.TXT, and delete all occurrences. Do not open these files.
- Look for the following files:
  If your computer contains any of the above files, the virus will create a file called script.ini in the folder of that file. Delete all occurrences of script.ini in these folders.
- The virus will overwrite all files with the following extensions so that they contain the virus file's content:
  The MS-DOS name of the files has been changed so that the file is associated with the Windows scripting host. This means that if you double-click or in any other way activate these files, the virus will run again. You will not be able to recreate the original contents of the files (at least not through Windows). You could try to contact a disk rescue company to help you before proceeding.
  If you do not choose disk rescuing measures, this leaves you with little choice but to delete all of the files of the type listed above. Possibly, you may be able to reinstall the affected applications; however, the effect on your computer could be severe.
  Note: In addition to your hard disk, remember to check the network drives to which your computer has access. Check files before you delete them. Affected files will have extension .vbs and be 11K in size. You can also use the file date as an indication, comparing it to when you received the virus.
- The virus changes the Internet Explorer start page to:
  You must change the Internet Explorer registry key to:
  Note: If you go to that site, the virus will be launched again. You must reset this back to your original starting page.
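The file checks in the manual removal steps can be run as a read-only sweep before anything is deleted. This is an added example, not part of the Knowledge Base document or of Symantec's tool; it matches on file names and size only, and it assumes that "11K" means a 10 to 12 KiB window and that every script.ini is worth reviewing, since the list of companion files is not given on this page.

```python
import os
import tempfile

# File names this page lists as dropped by the worm or its Trojan (case-insensitive).
DROPPED_NAMES = {
    "mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs",
    "love-letter-for-you.htm", "winfat32.exe", "win-bugsfix.exe",
}
# Media types the page says are deleted and replaced by "<name>.<ext>.vbs".
MEDIA_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}
# Assumption: "11K in size" is treated as a 10-12 KiB window.
SIZE_WINDOW = range(10 * 1024, 12 * 1024)


def classify(name):
    """Return a reason string for a suspicious file name, or None."""
    low = name.lower()
    if low in DROPPED_NAMES:
        return "dropped-file-name"
    if low == "script.ini":
        return "script-ini-review"  # a clean mIRC install may also have one
    stem, ext = os.path.splitext(low)
    if ext == ".vbs" and os.path.splitext(stem)[1] in MEDIA_EXTS:
        return "media-replaced-by-vbs"
    return None


def triage(root):
    """Walk root without modifying it; return sorted (relative_path, reason, size_matches)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reason = classify(name)
            if reason is None:
                continue
            path = os.path.join(dirpath, name)
            size_matches = os.path.getsize(path) in SIZE_WINDOW
            findings.append((os.path.relpath(path, root), reason, size_matches))
    return sorted(findings)


def build_constructed_tree(root):
    """Create harmless placeholder files (constructed sample, contains no worm code)."""
    os.makedirs(os.path.join(root, "photos"))
    samples = {"photos/pic.jpg.vbs": 11000, "photos/keep.jpg": 2048,
               "MSKernel32.vbs": 11000, "notes.vbs": 300}
    for rel, size in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"x" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for finding in triage(tmp):
            print(finding)
```

Existing .vbs and .vbe files that the worm overwrote in place keep their names, so a name-based sweep like this one does not find them; the size and file date checks described above still apply to those.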
More information about ILOVEYOU
You can find more information about the ILOVEYOU worm at the following sites: