provocativo_
back to archive
// post-mortem··WormGlobal

ILOVEYOU

A four-line subject changed how the world thought about email attachments.

Worm · 2000ILOVEYOU
Source code of the ILOVEYOU worm, written in Visual Basic Script.
Source code of the ILOVEYOU worm, written in Visual Basic Script.Image: Wikimedia Commons (public domain)

// overview

What happened

Just before dawn in Hong Kong on May 4, 2000, recipients began receiving an email with the subject 'ILOVEYOU' and a single attachment named LOVE-LETTER-FOR-YOU.TXT.vbs. Windows hid the .vbs extension by default, so the file appeared to be a harmless text file.

On open, the script harvested every contact from the user's Outlook address book and emailed itself to all of them, simultaneously overwriting local image, audio, and document files with copies of itself. Each new infection became a new spam source within seconds.

Within ten hours the worm had jumped from Asia to Europe to North America. Government agencies, news outlets, and Fortune 500 companies disconnected their internal mail servers to contain it. Estimates of total damage range from $5.5 billion to $15 billion, making it one of the most financially destructive single pieces of malware ever written.

Investigators traced the worm to two computer science students in Manila. Onel de Guzman admitted he wrote it as a thesis project to demonstrate password theft. At the time, the Philippines had no law against creating malware, so all charges were dropped — but the country's parliament passed the E-Commerce Act of 2000 (RA 8792) within months in direct response.

// timeline

How it unfolded

  1. May 4, 2000 — early AM (HKT)

    First wave of ILOVEYOU emails sent from a Philippine ISP.

  2. May 4, 2000 — by midday GMT

    European corporate and government mail systems overwhelmed.

  3. May 4, 2000 — afternoon ET

    Pentagon, CIA, and major US media outlets pull mail servers offline.

  4. May 5, 2000

    Antivirus signatures distributed; Filipino police identify suspects.

  5. Aug 2000

    Charges dropped — no applicable law in the Philippines at the time.

  6. Sep 2000

    Philippines enacts the Electronic Commerce Act (RA 8792).

// damage

Impact and scale

The worm hit roughly 10 percent of all internet-connected computers within a single day. The Pentagon, CIA, and UK Parliament shut down their mail systems. Onel de Guzman could not be prosecuted because the Philippines had no laws against writing malware at the time, which prompted the country to pass its E-Commerce Act within weeks.

// affected

Who was hit

  • US Department of Defense and CIA mail systems
  • UK House of Commons
  • Ford Motor Company, AT&T, and Microsoft internally
  • An estimated 45 million end users worldwide

// lessons

Key takeaways

  • Hidden file extensions are a security boundary, not a UX nicety — Windows hiding .vbs made the attack work.
  • Address books are weapons: any client-side scripting with mail access can weaponise an entire user base in minutes.
  • Jurisdictional gaps in cybercrime law leave attackers untouchable; international harmonisation matters.
  • Macro and script execution from email attachments should be opt-in and scoped, not the default.

// references

// continue reading

Worm · 1988The Morris Worm
Floppy disk containing the source code of the Morris Worm, on display at the Computer History Museum.
·WormGlobal

The Morris Worm

The first internet worm — and the wake-up call that birthed the security industry.

read post-mortem →
Nation-state · 2010Stuxnet
Diagram showing how Stuxnet intercepts Step7 communications to modify Siemens PLC code while reporting normal status to operators.
·Nation-stateCatastrophic

Stuxnet

The malware that crossed the line from data theft into physical sabotage.

read post-mortem →
Wiper · 2014Sony Pictures Hack
Sony Pictures Plaza building in Culver City, California — the corporate headquarters of Sony Pictures Entertainment.
·WiperNational

Sony Pictures Hack

A hermit-kingdom intelligence agency took down a Hollywood studio over a comedy film.

read post-mortem →