NEWS FROM THE LAB - Tuesday, May 4, 2010

Loveletter 2000-2010
Posted by Mikko @ 12:56 GMT

One of the most important worm outbreaks in history happened ten years ago to the day.

Loveletter (aka ILOVEYOU or Lovebug) spread around the world in a matter of minutes. When you got infected, the worm would send this e-mail from your system — posing as you — to all of your contacts:

   From: (your e-mail address)
   To: (one of your contacts)
   Subject: ILOVEYOU
   Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
   Message: kindly check the attached LOVELETTER coming from me.

This turned out to be very effective. People would be surprised by the message, open the attachment and spam all of their friends with the same message. In a couple of hours, millions of users around the world were infected.
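A mail-filter check for the indicators in the message above, as an added example that is not part of the original post or any F-Secure code: it matches the subject and body text and flags a script attachment whose name carries a document-looking extension in front of the real one, as `LOVE-LETTER-FOR-YOU.TXT.vbs` does. The extension lists, finding names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Indicators taken from the message quoted on this page.
SUBJECT = "ILOVEYOU"
BODY_MARKER = "kindly check the attached"
# Assumptions: non-exhaustive extension lists chosen for this example.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "gif"}

# Constructed sample message; the attachment body is a harmless placeholder.
SAMPLE = """\
From: alice@example.com
Subject: ILOVEYOU
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

kindly check the attached LOVELETTER coming from me.
--b1
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

placeholder, not a script
--b1--
"""

def attachment_findings(filename):
    """Flag script attachments, and script names behind a decoy extension."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.lower().rstrip(". ").split(".")
    findings = []
    if len(parts) >= 2 and parts[-1] in SCRIPT_EXTS:
        findings.append("script-attachment")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            findings.append("decoy-extension")
    return findings

def inspect_message(raw):
    """Parse a raw message and return the sorted findings for it."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = set()
    if (msg["Subject"] or "").strip().upper() == SUBJECT:
        findings.add("subject-match")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content().lower():
        findings.add("body-match")
    for part in msg.iter_attachments():
        findings.update(attachment_findings(part.get_filename() or ""))
    return sorted(findings)
```

The attachment findings are the ones that generalize: the subject and body strings identify only this particular message, while the decoy-extension check does not depend on them.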

And we were in the middle of this. As far as I know, we were the first ones to discover this worm.

I remember working with the case with Katrin Tocheva (nowadays at Microsoft), Sami Rautiainen (nowadays at Stonesoft) and Alexey Podrezov (still here at F-Secure).

Here's the e-mail that we believe to be "patient zero", i.e. the first infected party that contacted an antivirus company for help. The e-mail is from John Schr�der who worked for our Norwegian partner at the time:


   Date: Thu, 4 May 2000 09:41:08 +0200
   From: John Schr�der
   To: samples@F-Secure.com
   Subject: Can you check this out
   Importance: high

   I got the attached vbs script from client here in Norway. They say that this
   'Love Letter' has spread to 100.000 machines in the client network in Europe.
   ASAP please
   Attachment: pd000504.pgp


Katrin was the analyst in charge of the shift when Loveletter struck, and she's the one that entered our company into emergency mode:


   Date: Thu, 04 May 2000 10:21:13 +0300
   To: all-employees
   From: Katrin Tocheva
   Subject: IMPORTANT: New worm extremely in the wild

   Hi all,
   There is a new Script worm that is extremely in the wild since this
   morning. Many big companies in Europe are already infected. I already
   spoke with our IT guys and all Outlook users are now protected internally
   but just in case Do Not open any attachments.
   The worm spreads via Outlook in a message with a
    subject: ILOVEYOU
    Body: 'kindly check the attached LOVELETTER coming from me'
   We will be entering EMERGENCY MODE, effective *NOW*
   Please be careful!


Emergency Mode meant various things, including canceling all in-house meetings, calling in extra people to answer phones at the switchboard and so on. It also meant that lab staff would not be allowed to leave for lunch. Instead, the company would bring in pizzas for them automatically. We even had an intranet system where you would select your "emergency pizza" flavor.

Here's another example from my e-mail archives: the first sample of the worm via industry sample exchange — in this case, from MessageLabs ("this is a big one guys...").


   Date: Thu, 4 May 2000 10:23:38 +0100
   From: Alex at MessageLabs
   To: samples@f-secure.com
   Subject: URGENT HEADS UP - LoveBug virus sample

   This is a big one guys. 600 copies in the last hour.
   Call me for details
   Alex Shipp


I remember working on the case all day from 07:41 GMT when it started until midnight, then going to bed only to be woken up at 3am by calls from the USA.

I also remember exiting a phone conference with CERTs and other security vendors. When I hung up my phone and looked at the screen, it showed that I had received and missed 40+ phone calls during that 30-minute conference call. All those calls were coming in from partners, vendors & media. Everybody wanted to know what was happening and how to fight the outbreak.

10 years ago, virus outbreaks were mainstream news. Here's the front page of CNN from the time. This screenshot also nicely illustrates how hard it is to try to predict how bad a particular outbreak might become.

[Image: CNN Loveletter]

Signing off,