ILOVEYOU

An essay I've been meaning to publish on Valentine's for the last three years

Released on accident in 2000, The ILOVEYOU worm is one of the most famous pieces of malware in history. When opened, it scanned the computer, replaced files with copies of itself (but leaving their file names) and sent itself to the first 50 people in the address book. Often called “the love bug,” the worm is estimated to have infected 10% of the world’s computers at the time, thanks to exponential power: if all 50 people clicked on it for 6 rounds, the entire population of Earth would’ve been wormed almost three times over.

Onel de Guzman’s worm was a Virtual Basic Scripting file, which was a kind of code that ran in outlook. Most people would be reluctant to open a .vbs file without knowing what it was, but Windows hid filetypes by default. Guzman appended “.txt” to the end of the file’s name, so it looked like a harmless love note.

While the hidden file type allayed recipient’s suspicion, Guzman still needed a way to get them to click on it. His strategy was simple, as he later told journalist Geoff White, “I figured out that many people want a boyfriend, they want each other, they want love, so I called it that.” ILOVEYOU.txt was born. Two things struck me about this quote. The first is the loneliness he describes as a kind of universal desire. The second is the gendering of this desired companion as “him.”

Guzman had hacked in the past, largely as a way to acquire logins for internet service. Since access at the time was paid for by the hour, it could be prohibitively expensive. His strategy was to message with people in chat rooms and send them a file he claimed to be a picture of himself. When they opened the file, it would send their login information back to Guzman.

Between his chatroom heists and the worm in 2000, Guzman submitted a thesis proposal for his computer science degree at AMA University for a trojan horse program named “Email Password Sender Trojan.” It’s a similar design to his later worm but was lacking the exponential email propagation. His proposal includes a “reason for study,” and his answer is ignored in a lot of the secondary sources I’ve read about him. He wrote, “The researcher decided to develop this program because the researcher believes that it will be helpful to a lot of people specially Internet users to get Windows passwords such as Internet Accounts to spend more time on Internet without paying.” We see his desire for free internet access again here, for internet users writ large rather than just him self. Geoff White paraphrases Guzman’s view in his book: “the password holder would get no less access as a result of having their password unknowingly ‘shared.’”

Few of the sources I’ve read about the worm’s aftermath address the password-sharing aspect of the worm. Guzman’s ideal is an interesting one, however: that a piece of self-replicating malware could provide means to internet access for people who couldn’t otherwise afford it. White dismisses this with a blandly neoliberal point about the increased costs for service providers. He writes, “his logic conveniently ignored the fact that the internet access provider would have to serve two people for the price of one.” I don’t think Guzman was “ignoring” the additional cost to the service provider at all. It seems to be very much a part of his worldview that the denial of internet access to some is far more reprehensible than an ISP having to “serve two people for the price of one.”

It’s not clear what, if anything, Guzman did with the passwords that were logged by the love bug. Most sources focus on the costs of removing the virus and some don’t mention a password-stealing component of the worm at all. My guess is Guzman had far more passwords than he could ever meaningfully use, and I haven’t found anything in my research suggesting he shared them or gave them away.

The Philippine government eventually traced the trojan back to Guzman, but there were no laws at the time criminalizing malware. Prosecutors charged him with fraud, but the charge required prosecutors to prove ill-intent. Guzman’s defense successfully claimed that Guzman released the worm by accident. Most damage figures, ranging anywhere from 6-12 billion dollars globally. Those figures tend to include the work to remove the worm (costs set by corporations that provide those services) and lost productivity. Again, most of the reported harm done by the worm is to corporations and productivity rather than people, though individuals certainly would have lost important documents / data / photos etc. The US Army had over 2,000 computers infected, 12,000 “man-hours lost,” and meager estimated cost of $78,000.

There’s a strange poetry to some of the spam in my work email, and it rarely seems clear to me whether it’s a scam, annoying marketing, or something else. There’s Eliana trying to give away her “late husband’s Yamaha Baby Grand Piano GC1.” There’s my school’s dead founder claiming to be in a meeting and needing my phone number immediately (ma’am, I can’t help you). Someone trying, daily, to sell me pre-cut tennis balls in bulk to make sliding chairs less loud. I wonder how much of this now is just generated in a data center somewhere instead of crafted by some mad hacker rubbing their hands together, with dreams of a freer internet and an awareness of love.