Generated by GPT-5-mini

| I Love You (computer worm) | |
|---|---|
| Name | I Love You |
| Released | May 2000 |
| Author | Onel de Guzman (attributed) |
| Genre | Computer worm, email worm |
| Operating system | Microsoft Windows |

I Love You was a destructive computer worm that emerged in May 2000 and rapidly infected millions of systems worldwide, causing significant disruption to Microsoft Corporation, News Corporation, BBC, CNN, and numerous financial institutions. Conceived during the late 1990s dot-com bubble era amid widespread use of Microsoft Outlook and Windows 98, the worm exploited social engineering and scripting capabilities to propagate through corporate and public networks, prompting emergency responses from entities such as the United States Department of Homeland Security, the European Commission, the Royal Canadian Mounted Police, Interpol and private cybersecurity firms like Symantec, McAfee, and Trend Micro.
The worm was developed in the Philippines and is commonly attributed to Onel de Guzman, whose alleged involvement led to investigations by the Philippine National Police, National Bureau of Investigation (Philippines), and attention from international bodies including FBI and MI5. Its creation occurred against a backdrop of prior outbreaks such as Melissa (computer virus), Concept (macro virus), and LoveLetter-era scripting experimentation by students and hobbyists associated with institutions like Ateneo de Manila University, University of the Philippines, and De La Salle University. Responses and academic analyses were published by researchers affiliated with Carnegie Mellon University, Massachusetts Institute of Technology, Stanford University and cybersecurity conferences including DEF CON and Black Hat.
The worm arrived as an email attachment titled "I Love You" with filenames using double extensions to mimic innocuous files, exploiting users of Microsoft Outlook and file association behaviors in Windows 98 and Windows ME. It leveraged the Visual Basic Scripting Edition runtime and sent itself to contacts by harvesting address books from Microsoft Exchange Server, Lotus Notes, and personal Outlook Express stores, while compromised machines attempted to copy the worm onto shared network drives, Internet Service Provider mail relays, and World Wide Web servers. Network operators at companies like AT&T, British Telecom, Deutsche Telekom and hosting providers coordinated blocklists and filters while academic centers such as University of Cambridge and University of Oxford documented propagation patterns.
Technically, the worm was a script written in VBScript that overwrote files with extensions such as .HTM, .HTML, .VBS, .JS and .JPE, replacing existing content and creating new executable copies; it exploited trust in attachments and weak default settings in Microsoft Windows and Outlook Express. Its payload included exfiltration routines that attempted to harvest password files, propagate via HyperText Transfer Protocol and Simple Mail Transfer Protocol actions, and drop blank copies of overwritten files while executing mass-mailing loops, causing mail servers at Yahoo!, AOL, Hotmail, America Online and enterprise systems to become overloaded. The worm's code exhibited techniques reminiscent of earlier threats like Melissa (computer virus) and later influenced defenses such as antivirus heuristics developed by Kaspersky Lab, ESET, and Cisco Systems.
Economically and operationally, the outbreak disrupted corporations including Ernst & Young, PricewaterhouseCoopers, JPMorgan Chase, and government agencies including United States Postal Service, Australian Taxation Office, and New Zealand Department of Corrections, prompting shutdowns of email systems, emergency patches, and lost productivity measured in the billions by analysts at Gartner, Forrester Research, and IDC. International coordination involved law enforcement and industry groups such as CERT Coordination Center, FIRST, European Union Agency for Cybersecurity, and private incident response teams from IBM and Microsoft. Media coverage by The New York Times, The Guardian, The Washington Post, Reuters, and Associated Press fueled public awareness while legal and policy debates were raised in forums including United Nations General Assembly panels and hearings before legislative bodies like the United States Congress and the Philippine Senate.
Attribution efforts centered on Onel de Guzman and involved evidence collection by the Philippine National Police and coordination with the FBI and Interpol; however, legal prosecution was complicated by the absence of specific anti-hacking statutes in the Philippines at the time, leading prosecutors to drop criminal charges and sparking legislative reform efforts. The incident catalyzed enactment and revision of laws such as proposed amendments to electronic crime statutes in the Philippines and influenced cybercrime legislation discussions in jurisdictions including the United States, United Kingdom, Australia, and members of the European Union.
In the aftermath, organizations adopted stricter email filtering, attachment blocking, macro and scripting restrictions in products like Microsoft Office and operating systems from Microsoft Corporation, deployment of intrusion detection systems from vendors such as Snort and Checkpoint Software Technologies, and wider use of security awareness training inspired by campaigns from SANS Institute, ISC2, and academic curricula at Harvard University and University of California, Berkeley. The worm's legacy includes acceleration of cybersecurity industries represented by firms like Palo Alto Networks, CrowdStrike, and FireEye, the establishment of incident response standards by ISO, and ongoing discourse in forums such as RSA Conference and ICANN about resilience, attribution, and international cooperation.
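
The double-extension attachment names and the attachment blocking described above can be combined into a mail-filter check. The following Python sketch is an added example, not part of the original article; the extension lists, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed policy lists for this example, not taken from the article.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".scr", ".pif"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".jpeg", ".gif", ".pdf", ".htm", ".html"}

def classify_filename(name):
    """Return 'double-extension', 'script' or 'ok' for an attachment name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so strip them before judging.
    cleaned = base.strip().rstrip(". ").lower()
    exts = ["." + part.strip() for part in cleaned.split(".")[1:]]
    if not exts or exts[-1] not in SCRIPT_EXTS:
        return "ok"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "double-extension"  # harmless-looking type in front of a script type
    return "script"

def scan_message(raw_bytes):
    """Return [(filename, verdict)] for each attachment a filter should hold."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # unquoted Content-Disposition filename
        if not name:
            continue
        verdict = classify_filename(name)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings

def build_sample():
    """Constructed test message: one decoy-named script, one ordinary image."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="note.txt.vbs")
    msg.add_attachment(b"placeholder", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict}: {name}")
```

A gateway would quarantine both verdicts; the separate "double-extension" label is useful for alerting because it indicates deliberate disguise rather than an ordinary script attachment.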