Early in the morning of Friday, May 5th, 2000, we were starting yet another day of work at our office in the neighborhood of Olivos, north of Buenos Aires, Argentina.
Priorities are different for everyone. In my case, it was catching up with the tech news of the day. For others, it was opening their e-mail.
As I perused some news websites (I wasn’t using RSS feeds yet), I read the news of a virulent trojan with catastrophic consequences, making the headlines in Asia and Europe, and as we were waking up, in the Americas too. I learned that it targeted Windows machines (what else?) and that it was written in VBScript. That was the language we were using every day at work.
How did this worm work? The thing would automatically execute when you opened an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs (see the double extension?) and it would immediately overwrite some files in your home directory with copies of itself (those with extensions like JPG, CSS, or MP3), and finally send itself as an attachment to all of the contacts in your address book. Outlook Express and Active Scripting FTW.
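The double extension is the part a mail filter can check for. As an added example (not part of the original post), this Python code parses a raw message and flags attachments whose last extension is script-executable while the one before it looks harmless; the extension lists and the sample message are assumptions constructed for illustration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed, non-exhaustive lists chosen for this example.
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
                   "scr", "pif", "bat", "cmd", "com", "exe", "lnk"}
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "png", "pdf", "doc",
              "xls", "mp3", "htm", "html", "css"}

def deceptive_extension(filename):
    """Return (decoy, real) for names like X.TXT.vbs, else None."""
    # Windows drops trailing dots and spaces, so ignore them here too.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 3:
        return None
    # Tolerate padding spaces around each extension.
    decoy, real = parts[-2].strip(), parts[-1].strip()
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None

def flag_attachments(raw_message):
    """Parse a raw message and list attachments that carry a decoy extension."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # handles RFC 2231 encoded names
        hit = deceptive_extension(name) if name else None
        if hit:
            findings.append((name, hit[0], hit[1]))
    return findings

def build_sample():
    """Constructed message: placeholder payloads, only the names matter."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "me@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    for name in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "report.final.pdf", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, decoy, real in flag_attachments(build_sample()):
        print(f"{name}: shown as .{decoy}, runs as .{real}")
```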
Precisely as I was reading that article (I swear the timing couldn’t have been better) I heard one of my colleagues complain that her computer was not working properly and that all she saw was (and I quote, as I remember it vividly) “it says I love you everywhere!”
Seconds later the coin dropped in my head; I jumped to her computer and unplugged its network cable. We then sent an e-mail to all our colleagues worldwide advising them not to open an e-mail with such a title and such an attachment. Thankfully nobody else (that we know of) had an issue with the worm, even though almost all of us received it in our inboxes.
I kept a copy of the file (which would trigger antivirus alerts for years to come) on some forgotten backup disk. It was so mind-bogglingly simple: start, overwrite the files, open the address book, and send itself to all contacts. That’s it. The whole power of ActiveX and COM components, the same programming language we were using in our Windows 2000 server-side ASP applications, was used in a completely different, horrendous way.
Update, 2023-12-29: Here’s a video showing this worm in action.