
When Love Came to Town: A Virus Investigation

Here's a chronology of the investigation of the Love Bug virus, the most prolific virus of 2000.

Kim Zetter, PCWorld.com


The swiftness with which the LoveLetter virus spread in May 2000 was a headache to system administrators scrambling to contain it, but its speed was actually a boon to investigators trying to track its source; it meant that the virus trail was still hot. In the early days of viruses, it would take months or years for malicious code to spread and make itself known, so by the time investigators attempted to trace the virus, its trail was gone. In the case of LoveLetter, timeliness and other factors led to the quick capture of a suspect. Here's a snapshot of the virus outbreak and the subsequent investigation. (All times and dates are EDT.)

Wednesday, May 3, 2000: An electronic virus appears in computers in Asia and Europe. Among those hit are the European offices of Lucent Technologies, Credit Suisse, and the German subsidiary of Microsoft.

Thursday, May 4, 4:12 a.m.: The European offices of antivirus companies receive the first calls from clients who have been infected by the bug. By 5 a.m., researchers have begun to analyze the virus code for clues about how it works. (See "Renamed Love Letter Worm Still Spreads.")

Initial analysis reveals that the virus is Visual Basic code that comes as an e-mail attachment named LOVE-LETTER-FOR-YOU.TXT.vbs. Because Windows' default settings hide file extensions, many users don't see the .vbs on their screen. (VBS stands for Visual Basic Script, the most common language in which viruses are written.) When recipients click on the attachment, the virus uses Microsoft Outlook to send itself to everyone in the user's address book, then contacts one of four Web pages hosted on Sky Internet, an Internet service provider in the Philippines. From these pages, the virus downloads a Trojan horse named WIN-BUGSFIX.exe, which collects usernames and passwords stored on the user's system and sends them to an e-mail address--mailme@super.net.ph--in the Philippines.
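The hidden-extension disguise described above is something a mail gateway can check for by attachment name alone. The following Python sketch is an added example, not part of the original article or any vendor's product; the extension lists and function names are assumptions chosen for illustration, and apart from the two file names taken from the article the sample names are constructed.

```python
import os

# Assumed policy lists for illustration; a real gateway maintains its own.
SCRIPT_OR_EXECUTABLE = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                        ".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
BENIGN_LOOKING = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".xls", ".mp3"}


def displayed_name(filename: str) -> str:
    """Name a user sees when the final extension is hidden."""
    name = filename.strip().rstrip(". ")
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def classify_attachment(filename: str) -> str:
    """Return 'deceptive', 'executable' or 'ok' for an attachment name."""
    # Trailing dots and spaces are ignored by Windows, so drop them first.
    name = filename.strip().rstrip(". ")
    stem, real_ext = os.path.splitext(name)
    if real_ext.lower() not in SCRIPT_OR_EXECUTABLE:
        return "ok"
    # Look at what remains once the real extension is hidden, including
    # names padded with spaces to push the real extension out of view.
    _, shown_ext = os.path.splitext(stem.rstrip(". "))
    if shown_ext.lower() in BENIGN_LOOKING:
        return "deceptive"   # runs as a script, looks like a document
    return "executable"      # runnable, but not disguised


if __name__ == "__main__":
    samples = [
        "LOVE-LETTER-FOR-YOU.TXT.vbs",  # from the article
        "WIN-BUGSFIX.exe",              # from the article
        "invoice.pdf   .exe",           # constructed
        "notes.txt",                    # constructed
    ]
    for s in samples:
        print(f"{s!r:32} shown as {displayed_name(s)!r:28} "
              f"-> {classify_attachment(s)}")
```

A gateway would typically quarantine the "deceptive" class outright and apply its normal policy to plain executables.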

7 a.m.: Antivirus vendors begin to distribute a definition for the virus to their clients, but it's already too late for companies on the U.S. East Coast, where love-starved workers are opening their e-mail. In Melbourne, Australia, at the office of travel guide publisher Lonely Planet, a worker clicks on the attachment and within minutes the virus mails itself to more than 100 guidebook authors spread throughout the world. One author later remarks, "I should have suspected something was wrong the minute I saw that it was a love letter from my editor." To avoid further infection, the company sends workers home while it cleans out the mail system. (See "I Was Bitten by the Love Bug.")

1 p.m.: Amorous words are on everyone's lips as the virus spreads from mailbox to mailbox in the United States, including those at the Pentagon and the CIA. The FBI's National Infrastructure Protection Center (NIPC) launches an investigation to track down the distributor of the virus. If caught on American soil, the perpetrator will be charged under the federal Computer Fraud and Abuse Act.

4 p.m.: The first LoveLetter variant appears, with "Very Funny Joke" replacing "I Love You" in the subject line.

6:40 p.m.: Antivirus companies begin posting definitions for LoveLetter to their Web sites for general users to download. By the end of the day, some 20 countries have reported infections. (See "Love Letter's Fallout Continues.")

Friday, May 5: Nine more variants of the virus appear, including the Mother's Day variant (timely, since Mother's Day is nine days away). It informs recipients that $326.92 has been charged to their credit card for a "mother's day diamond" order, and includes a note to see the attached invoice. When users click on the attachment, the virus destroys system files necessary for booting. Another variant comes disguised as a message from Symantec's tech support office. Click on the attachment, it says, and receive an I Love You update to your Norton antivirus software. (See "Virus Spreads to New Digital Envelopes.")

Tuesday, May 9: Reports of virus infections begin to subside. (See "Recovery From Love (Bug) Sickness.")

Wednesday, May 10: To date, 29 variants of the virus are reported, and first estimates place the number of infected machines at about half a million worldwide. (See "'Love Bug' Spawns a New Friend.")

Thursday, May 18: Just as the outbreak begins to subside, NewLove appears, which seems to be a variant of LoveLetter but is much more destructive. A polymorphic worm, NewLove alters its code each time it moves to another machine, making detection difficult. The virus, which appears to have originated in Israel, overwrites any files on the hard disk that are not in use at the time of infection. While NewLove's reach doesn't match LoveLetter's--a bug in the program causes it to kill the host computer before it can spread itself through e-mail--it does destroy the hard drives on thousands of computers, mostly in the United States. (See "Love Letter's Legacy.")
