A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behaviour will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on exploiting the advantages of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
ILOVEYOU, sometimes referred to as the Love Bug or Loveletter, was a computer worm that infected over ten million Windows personal computers on and after 5 May 2000. It started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs". At the time, Windows computers often hid the latter file extension ("VBS", a type of interpreted file) by default because it
A Latin letter "+o"/"o"). On most networks, an operator can: There are also users who maintain elevated rights on their local server, or the entire network; these are called IRC operators, sometimes shortened to IRCops or Opers (not to be confused with channel operators). As the implementation of the IRCd varies, so do the privileges of the IRC operator on the given IRCd. RFC 1459 claims that IRC operators are "a necessary evil" to keep
A clean state of the network, and as such they need to be able to disconnect and reconnect servers. Additionally, to prevent malicious users or even harmful automated programs from entering IRC, IRC operators are usually allowed to disconnect clients and completely ban IP addresses or complete subnets. Networks that carry services (NickServ et al.) usually allow their IRC operators also to handle basic "ownership" matters. Further privileged rights may include overriding channel bans (being able to join channels they would not be allowed to join, if they were not opered), being able to op themselves on channels where they would not be able without being opered, being auto-opped on channels always and so forth. A hostmask
A common solution is to use IRCv3 "multi-prefix" extension. Many daemons and networks have added extra modes or modified the behavior of modes in the above list. A channel operator is a client on an IRC channel that manages the channel. IRC channel operators can be easily seen by the symbol or icon next to their name (varies by client implementation, commonly a "@" symbol prefix, a green circle, or
A keyboard. It could take days to kill a worm like that, and sometimes weeks." The second ever computer worm was devised to be an anti-virus software. Named Reaper, it was created by Ray Tomlinson to replicate itself across the ARPANET and delete the experimental Creeper program (the first computer worm, 1971). On November 2, 1988, Robert Tappan Morris, a Cornell University computer science graduate student, unleashed what became known as
A large number of vulnerabilities in the network. Any code designed to do more than spread the worm is typically referred to as the "payload". Typical malicious payloads might delete files on a host system (e.g., the ExploreZip worm), encrypt files in a ransomware attack, or exfiltrate data such as confidential documents or passwords. Some worms may install a backdoor. This allows
A machine, then the majority of worms are unable to spread to it. If a vulnerability is disclosed before the security patch released by the vendor, a zero-day attack is possible. Users need to be wary of opening unexpected emails, and should not run attached files or programs, or visit web sites that are linked to such emails. However, as with the ILOVEYOU worm, and with the increased growth and efficiency of phishing attacks, it remains possible to trick
A mobile phone repair stall in Manila. De Guzman admitted to creating and releasing the virus. He claimed he had initially developed it to steal internet access passwords, since he could not afford to pay for access. He also stated that he created it alone, clearing the two others who had been accused of co-writing the worm. The events inspired the song "E-mail" on the Pet Shop Boys' UK top-ten album of 2002, Release,
A network of IRC servers is a tree. Messages are routed along only necessary branches of the tree but network state is sent to every server and there is generally a high degree of implicit trust between servers. However, this architecture has a number of problems. A misbehaving or malicious server can cause major damage to the network and any changes in structure, whether intentional or a result of conditions on
A server or the entire network), IRCop only communications: GlobOps, +H mode showing that an IRCop is a "helpop" etc. Much of DALnet's new functions were written in early 1995 by Brian "Morpher" Smith and allow users to own nicknames, control channels, send memos, and more. In July 1996, after months of flame wars and discussions on the mailing list, there was yet another split due to disagreement in how
A server use '&'. Other less common channel types include '+' channels—'modeless' channels without operators—and '!' channels, a form of timestamped channel on normally non-timestamped networks. Users and channels may have modes that are represented by individual case-sensitive letters and are set using the MODE command. User modes and channel modes are separate and can use the same letter to mean different things (e.g. user mode "i"
A then-24-year-old computer science student at AMA Computer College and resident of Manila, Philippines, created the malware. Because there were no laws in the Philippines against making malware at the time of its creation, the Philippine Congress enacted Republic Act No. 8792, otherwise known as the E-Commerce Law, in July 2000 to discourage future iterations of such activity. However,
A virus, the virus automatically resides in memory and waits to be triggered. There are also some worms that are combined with backdoor programs or Trojan horses, such as "Code Red". Contagiousness Worms are more infectious than traditional viruses. They not only infect local computers, but also all servers and clients on the network based on the local computer. Worms can easily spread through shared folders, e-mails, malicious web pages, and servers with
A worm is not limited by the host program, worms can take advantage of various operating system vulnerabilities to carry out active attacks. For example, the "Nimda" virus exploits vulnerabilities to attack. Complexity Some worms are combined with web page scripts, and are hidden in HTML pages using VBScript, ActiveX and other technologies. When a user accesses a webpage containing
A worm with that tough a head or that long a tail!" "Then the answer dawned on him, and he almost laughed. Fluckner had resorted to one of the oldest tricks in the store and turned loose in the continental net a self-perpetuating tapeworm, probably headed by a denunciation group "borrowed" from a major corporation, which would shunt itself from one nexus to another every time his credit-code was punched into
Is a unique identifier of an IRC client connected to an IRC server. IRC servers, services, and other clients, including bots, can use it to identify a specific IRC session. The format of a hostmask is nick!user@host. The hostmask looks similar to, but should not be confused with an e-mail address. The nick part is the nickname chosen by the user and may be changed while connected. The user part
Is an extension for a file type that Windows knows, leading unwitting users to think it was a normal text file. Opening the attachment activates the Visual Basic script. First, the worm inflicts damage on the local machine, overwriting random files (including Office files and image files; however, it hides MP3 files instead of deleting them), then, it copies itself to all addresses in the Windows Address Book used by Microsoft Outlook, allowing it to spread much faster than any other previous email worm. Onel de Guzman,
Is delivered in a fashion similar to multicast, meaning each message travels a network link exactly once. This is a strength in comparison to non-multicasting protocols such as Simple Mail Transfer Protocol (SMTP) or Extensible Messaging and Presence Protocol (XMPP). An IRC daemon can be used on a local area network (LAN). IRC can thus be used to facilitate communication between people within
Is implemented as an application layer protocol to facilitate communication in the form of text. The chat process works on a client–server networking model. Users connect, using a client—which may be a web app, a standalone desktop program, or embedded into part of a larger program—to an IRC server, which may be part of a larger IRC network. Examples of programs used to connect include Mibbit, IRCCloud, KiwiIRC, and mIRC. IRC usage has been declining steadily since 2003, losing 60 percent of its users. In April 2011,
Is invisible mode while channel mode "i" is invite only.) Modes are usually set and unset using the mode command that takes a target (user or channel), a set of modes to set (+) or unset (-) and any parameters the modes need. Some channel modes take parameters and other channel modes apply to a user on a channel or add or remove a mask (e.g. a ban mask) from a list associated with the channel rather than applying to
Is possible" when asked whether he might have done so. To show intent, the NBI investigated AMA Computer College, where de Guzman had dropped out at the very end of his final year. Since there were no laws in the Philippines against writing malware at the time, both Ramones and de Guzman were released, with all charges dropped by state prosecutors. To address this legislative deficiency, the Philippine Congress enacted Republic Act No. 8792, otherwise known as
Is the username reported by ident on the client. If ident is not available on the client, the username specified when the client connected is used after being prefixed with a tilde. The host part is the hostname the client is connecting from. If the IP address of the client cannot be resolved to a valid hostname by the server, it is used instead of the hostname. Because of the privacy implications of exposing
The Constitution of the Philippines prohibits ex post facto laws, and as such de Guzman could not be prosecuted. The ILOVEYOU worm was coded by Onel de Guzman, then a student at AMA Computer College of the Philippines. At the time of its creation, de Guzman was poor and struggling to pay for the country's dial-up internet access. De Guzman believed that internet access was a human right, and submitted an undergraduate thesis to
The Department of Labor and the Social Security Administration. Operations of the Department of Defence were significantly obstructed, with the Central Intelligence Agency additionally affected and the United States Army having 2258 infected workstations which cost approximately US$79,200 to recover. The Veterans Health Administration received 7,000,000 ILOVEYOU emails during the outbreak, requiring 240 man-hours of work to resolve
The Ethernet principles on their network of Xerox Alto computers. Similarly, the Nachi family of worms tried to download and install patches from Microsoft's website to fix vulnerabilities in the host system by exploiting those same vulnerabilities. In practice, although this may have made these systems more secure, it generated considerable network traffic, rebooted the machine in the course of patching it, and did its work without
The Morris worm, disrupting many computers then on the Internet, guessed at the time to be one tenth of all those connected. During the Morris appeal process, the U.S. Court of Appeals estimated the cost of removing the worm from each installation at between $200 and $53,000; this work prompted the formation of the CERT Coordination Center and Phage mailing list. Morris himself became the first person tried and convicted under
The United States. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and were therefore often regarded as "safe" by their victims, providing further incentive to open them. Only a few users at each site had to access the attachment to generate millions more messages that crippled mail systems and overwrote millions of files on computers in each successive network. The outbreak
The 1986 Computer Fraud and Abuse Act. Conficker, a computer worm discovered in 2008 that primarily targeted Microsoft Windows operating systems, is a worm that employs three different spreading strategies: local probing, neighborhood probing, and global probing. This worm was considered a hybrid epidemic and affected millions of computers. The term "hybrid epidemic" is used because of the three separate methods it employed to spread, which
The E-Commerce Law, in July 2000, months after the worm outbreak. In 2012, the Smithsonian Institution named ILOVEYOU one of the top ten most virulent computer viruses in history. De Guzman did not want public attention. His last known public appearance was at the 2000 press conference, where he obscured his face and allowed his lawyer to answer most questions; his whereabouts remained unknown for 20 years afterward. In May 2020, investigative journalist Geoff White revealed that while researching his cybercrime book Crime Dot Com, he had found de Guzman working at
The EFnet ircd version 2.8.10). It was meant to be just a test network to develop bots on but it quickly grew to a network "for friends and their friends". In Europe and Canada a separate new network was being worked on and in December the French servers connected to the Canadian ones, and by the end of the month, the French and Canadian network was connected to the US one, forming the network that later came to be called "The Undernet". The "undernetters" wanted to take ircd further in an attempt to make it use less bandwidth and to try to sort out
The Finnish network. They had obtained the program from one of Oikarinen's friends, Vijay Subramaniam—the first non-Finnish person to use IRC. IRC then grew larger and got used on the entire Finnish national network—FUNET—and then connected to Nordunet, the Scandinavian branch of the Internet. In November 1988, IRC had spread across the Internet and in the middle of 1989, there were some 40 servers worldwide. In August 1990,
ILOVEYOU - Misplaced Pages Continue
The IP address or hostname of a client, some IRC daemons also provide privacy features, such as InspIRCd or UnrealIRCd's "+x" mode. This hashes a client IP address or masks part of a client's hostname, making it unreadable to users other than IRCops. Users may also have the option of requesting a "virtual host" (or "vhost"), to be displayed in the hostmask to allow further anonymity. Some IRC networks, such as Libera Chat or Freenode, use these as "cloaks" to indicate that
The IRC command LIST, which lists all currently available channels that do not have the modes +s or +p set, on that particular network. Users can join a channel using the JOIN command, in most clients available as /join #channelname. Messages sent to the joined channels are then relayed to all other users. Channels that are available across an entire IRC network are prefixed with a '#', while those local to
The IRC network. Users access IRC networks by connecting a client to a server. There are many client implementations, such as mIRC, HexChat and irssi, and server implementations, e.g. the original IRCd. Most IRC servers do not require users to register an account but a nickname is required before being connected. IRC was originally a plain text protocol (although later extended), which on request
The IRC protocol have been published, there is no official specification, as the protocol remains dynamic. Virtually no clients and very few servers rely strictly on the above RFCs as a reference. Microsoft made an extension for IRC in 1998 via the proprietary IRCX. They later stopped distributing software supporting IRCX, instead developing the proprietary MSNP. The standard structure of
The Internet randomly, looking for vulnerable hosts to infect. In addition, machine learning techniques can be used to detect new worms, by analyzing the behavior of the suspected computer. A helpful worm or anti-worm is a worm designed to do something that its author feels is helpful, though not necessarily with the permission of the executing computer's owner. Beginning with the first research into worms at Xerox PARC, there have been attempts to create useful worms. Those worms allowed John Shoch and Jon Hupp to test
The Internet. New server software has added a multitude of new features. As of 2016, a new standardization effort is under way under a working group called IRCv3, which focuses on more advanced client features such as instant notifications, better history support and improved security. As of 2019, no major IRC networks have fully adopted the proposed standard. As of June 2021, there are 481 different IRC networks known to be operating, of which
The US side. Most (not all) of the IRCnet servers were in Europe, while most of the EFnet servers were in the US. This event is also known as "The Great Split" in many IRC societies. EFnet has since (as of August 1998) grown and passed the number of users it had then. In the (northern) autumn of the year 2000, EFnet had some 50,000 users and IRCnet 70,000. IRC has changed much over its life on
The attached file under the pretext they had a lover who was attempting to contact them. This was exacerbated by the fact that emails appeared to come from close contacts as a result of the worm's use of its previous victim's contact lists. The worm's subsequent success has resulted in the use of social engineering in many modern-day malware attacks. The attachment exploited a feature of Microsoft Outlook where only one file extension would be displayed. As
The channel as a whole. Modes that apply to users on a channel have an associated symbol that is used to represent the mode in names replies (sent to clients on first joining a channel and use of the names command) and in many clients also used to represent it in the client's displayed list of users in a channel or to display an own indicator for a user's modes. In order to correctly parse incoming mode messages and track channel state
The channel chaos (netsplits and takeovers) that EFnet started to suffer from. For the latter purpose, the Undernet implemented timestamps, new routing and offered the CService—a program that allowed users to register channels and then attempted to protect them from troublemakers. The first server list presented, from 15 February 1993, includes servers from the U.S., Canada, France, Croatia and Japan. On 15 August,
The client does not recognize) passed directly to the server, possibly with some modification. Due to the nature of the protocol, automated systems cannot always correctly pair a sent command with its reply with full reliability and are subject to guessing. The basic means of communicating to a group of users in an established IRC session is through a channel. Channels on a network can be displayed using
The client must know which mode is of which type and for the modes that apply to a user on a channel which symbol goes with which letter. In early implementations of IRC this had to be hard-coded in the client but there is now a de facto standard extension to the protocol called ISUPPORT that sends this information to the client at connect time using numeric 005. There is a small design fault in IRC regarding modes that apply to users on channels:
The college and began development of the worm. De Guzman wrote ILOVEYOU in VBScript, and the Windows Script Host is utilized to run the code. ILOVEYOU was distributed through malicious email attachments. The worm was found in emails with the subject "ILOVEYOU" and a message of "Kindly check the attached love letter from me!" The attachment LOVE-LETTER-FOR-YOU.TXT.vbs contained the worm. Upon opening
The college which proposed the development of a trojan to steal internet login details. He claimed that this would allow users to be able to afford an internet connection, arguing that those affected by it would experience no loss. The proposal was rejected by the college, which remarked that his proposal was "illegal" and that "they did not produce burglars". This led de Guzman to claim that his professors were closed-minded, and he ultimately dropped out of
The community nature of IRC there are a large number of other networks for users to choose from. Historically the "Big Four" were: IRC reached 6 million simultaneous users in 2001 and 10 million users in 2004–2005, dropping to around 350k in 2021. The top 100 IRC networks have around 230k users connected at peak hours. Timeline of major servers: IRC is an open protocol that uses TCP and, optionally, TLS. An IRC server can connect to other IRC servers to expand
The computer to be remotely controlled by the worm author as a "zombie". Networks of such machines are often referred to as botnets and are very commonly used for a range of malicious purposes, including sending spam or performing DoS attacks. Some special worms attack industrial systems in a targeted manner. Stuxnet was primarily transmitted through LANs and infected thumb-drives, as its targets were never connected to untrusted networks, like
The consent of the computer's owner or user. Regardless of their payload or their writers' intentions, security experts regard all worms as malware. Another example of this approach is Roku OS patching a bug allowing for Roku OS to be rooted via an update to their screensaver channels, which the screensaver would attempt to connect to the telnet and patch the device. One study proposed the first computer worm that operates on
The development of the ircd should evolve. Most notably, the "European" (most of those servers were in Europe) side that later named itself IRCnet argued for nick and channel delays whereas the EFnet side argued for timestamps. There were also disagreements about policies: the European side had started to establish a set of rules directing what IRCops could and could not do, a point of view opposed by
The embedded programmable logic controllers of industrial machines. Although these systems operate independently from the network, if the operator inserts a virus-infected drive into the system's USB interface, the virus will be able to gain control of the system without any other operational requirements or prompts. Worms spread by exploiting vulnerabilities in operating systems. Vendors with security problems supply regular security updates (see "Patch Tuesday"), and if these are installed to
The end-user into running malicious code. Anti-virus and anti-spyware software are helpful, but must be kept up-to-date with new pattern files at least every few days. The use of a firewall is also recommended. Users can minimize the threat posed by worms by keeping their computers' operating system and other software up to date, avoiding opening unrecognized or unexpected emails and running firewall and antivirus software. Mitigation techniques include: Infections can sometimes be detected by their behavior - typically scanning
The file name was parsed from left to right, which would be stopped after the first period, to victims the attachment would appear to be an inconspicuous .txt file incapable of holding malware. The worm's real .vbs extension was hidden. De Guzman also claimed that a bug in Windows 95, where code in email attachments was automatically run upon being clicked, contributed to the worm's success. The fact that
The file, the worm copies itself into relevant directories so it will be run upon reboot of the computer. Two of the three copies masquerade as legitimate Microsoft Windows library files, named MSKernel32.vbs and Win32DLL.vbs. The other copy retains the original LOVE-LETTER-FOR-YOU.TXT.vbs name. The worm attempts to download a trojan horse named WIN-BUGSFIX.exe. To achieve this,
The first major disagreement took place in the IRC world. The "A-net" (Anarchy net) included a server named eris.berkeley.edu. It was all open, required no passwords and had no limit on the number of connects. As Greg "wumpus" Lindahl explains: "it had a wildcard server line, so people were hooking up servers and nick-colliding everyone". The "Eris Free Network", EFnet, made the eris machine
The first to be Q-lined (Q for quarantine) from IRC. In wumpus' words again: "Eris refused to remove that line, so I formed EFnet. It wasn't much of a fight; I got all the hubs to join, and almost everyone else got carried along." A-net was formed with the eris servers, while EFnet was formed with the non-eris servers. History showed most servers and users went with EFnet. Once A-net disbanded, the name EFnet became meaningless, and once again it
The form of the "ILOVEYOU" worm) had been sent via the ISP's servers. De Guzman attempted to hide the evidence by removing his computer from his apartment, but he accidentally left some disks behind that contained the worm, as well as information that implicated a possible co-conspirator. After surveillance and investigation by Darwin Bawasanta of Sky Internet, the NBI traced a frequently appearing telephone number to Ramones' apartment in Manila. His residence
The internet. This virus can destroy the core production control computer software used by chemical, power generation and power transmission companies in various countries around the world - in Stuxnet's case, Iran, Indonesia and India were hardest hit - it was used to "issue orders" to other equipment in the factory, and to hide those commands from being detected. Stuxnet used multiple vulnerabilities and four different zero-day exploits (e.g.: [1]) in Windows systems and Siemens SIMATICWinCC systems to attack
The local area network (internal communication). IRC has a line-based structure. Clients send single-line messages to the server, receive replies to those messages and receive copies of some messages sent by other clients. In most clients, users can enter commands by prefixing them with a '/'. Depending on the command, these may either be handled entirely by the client, or (generally for commands
The lyrics of which play thematically on the human desires which enabled the mass destruction of this computer infection. Computer worm Many worms are designed only to spread, and do not attempt to change the systems they pass through. However, as the Morris worm and Mydoom showed, even these "payload-free" worms can cause major disruption by increasing network traffic and other unintended effects. The term "worm"
The names message used to establish initial channel state can only send one such mode per user on the channel, but multiple such modes can be set on a single user. For example, if a user holds both operator status (+o) and voice status (+v) on a channel, a new client will be unable to see the mode with less priority (i.e. voice). Workarounds for this are possible on both the client and server side;
The new user count record was set to 57 users. In May 1993, RFC 1459 was published and details a simple protocol for client/server operation, channels, one-to-one and one-to-many conversations. A significant number of extensions like CTCP, colors and formats are not included in the protocol specifications, nor is character encoding, which led various implementations of servers and clients to diverge. Software implementation varied significantly from one network to
#17327796296095456-577: The open source Libera Chat , founded in May 2021, has the most users, with 20,374 channels on 26 servers; between them, the top 100 IRC networks share over 100 thousand channels operating on about one thousand servers. After its golden era during the 1990s and early 2000s (240,000 users on QuakeNet in 2004), IRC has seen a significant decline, losing around 60% of users between 2003 and 2012, with users moving to social media platforms such as Facebook or Twitter , but also to open platforms such as XMPP which
5544-538: The other, each network implementing their own policies and standards in their own code bases. During the summer of 1994, the Undernet was itself forked. The new network was called DALnet (named after its founder: dalvenjah), formed for better user service and more user and channel protections. One of the more significant changes in DALnet was use of longer nicknames (the original ircd limit being 9 letters). DALnet ircd modifications were made by Alexei "Lefler" Kosut. DALnet
5632-488: The performance of massive scale ephemeral artworks. It turns the infected computers into nodes that contribute to the artwork. Internet Relay Chat IRC ( Internet Relay Chat ) is a text-based chat system for instant messaging . IRC is designed for group communication in discussion forums, called channels , but also allows one-on-one communication via private messages as well as chat and data transfer , including file sharing . Internet Relay Chat
5720-561: The problems created. Files at the National Aeronautics and Space Administration were damaged, and in some cases unrecoverable from backups . On 5 May 2000, de Guzman and another young Filipino programmer named Reonel Ramones became targets of a criminal investigation by agents of the Philippines' National Bureau of Investigation (NBI). Local Internet service provider Sky Internet had reported receiving numerous contacts from European computer users alleging that malware (in
5808-504: The protocol implemented in the irc2.4.0 version of the IRC2 server, and documented in RFC 1459. Since RFC 1459 was published, the new features in the irc2.10 implementation led to the publication of several revised protocol documents (RFC 2810, RFC 2811, RFC 2812 and RFC 2813); however, these protocol changes have not been widely adopted among other implementations. Although many specifications on
5896-509: The same deficiencies exploited by the Blaster worm , Welchia infected computers and automatically began downloading Microsoft security updates for Windows without the users' consent. Welchia automatically reboots the computers it infects after installing the updates. One of these updates was the patch that fixed the exploit. Other examples of helpful worms are "Den_Zuko", "Cheeze", "CodeGreen", and "Millenium". Art worms support artists in
5984-527: The second layer of the OSI model (Data link Layer), utilizing topology information such as Content-addressable memory (CAM) tables and Spanning Tree information stored in switches to propagate and probe for vulnerable nodes until the enterprise network is covered. Anti-worms have been used to combat the effects of the Code Red , Blaster , and Santy worms. Welchia is an example of a helpful worm. Utilizing
The time, it was one of the world's most destructive computer related disasters ever. In the United Kingdom, the worm reached the email servers of the House of Commons on 4 May. The servers were shut down for two hours in response. The worm affected the banking system of Belgium. The worm affected most federal government agencies and caused disruption to multiple, including the Department of Justice,
The top 100 IRC networks served more than 200,000 users at a time. IRC was created by Jarkko Oikarinen in August 1988 to replace a program called MUT (MultiUser Talk) on a BBS called OuluBox at the University of Oulu in Finland, where he was working at the Department of Information Processing Science. Jarkko intended to extend the BBS software he administered, to allow news in the Usenet style, real time discussions and similar BBS features. The first part he implemented
The underlying network, require a net-split and net-join. This results in a lot of network traffic and spurious quit/join messages to users and temporary loss of communication to users on the splitting servers. Adding a server to a large network means a large background bandwidth load on the network and a large memory load on the server. Once established, however, each message to multiple recipients
The variant "Cartolina" ("postcard") in Italian or "BabyPic" for adults. Some others only changed the credits to the author, which were initially included in the standard version of the virus, removing them entirely or referencing false authors. Others overwrote "EXE" and "COM" files, and the user's computer would then be unbootable upon restarting. Some mail messages sent by ILOVEYOU include: Originally designing
The victim's Internet Explorer homepage is set to a URL that downloads the trojan upon opening the browser. If the download is successful, the trojan is set to run upon reboot and the Internet Explorer homepage is set to a blank page. The trojan fulfils Guzman's primary aim by stealing passwords. The worm sends its trademark email to all contacts in the victim's address book. To prevent multiple emails being sent to one person from each successive run of
The worm to only work in Manila, De Guzman removed this geographic restriction out of curiosity, which allowed the worm to spread worldwide. De Guzman did not expect this worldwide spread. The worm originated in the Pandacan neighborhood of Manila in the Philippines on 4 May 2000, thereafter moving westward through corporate email systems as employees began their workday that Friday morning – moving first to Hong Kong, then to Europe, and finally
The worm was written in VBScript allowed users to modify it. A user could easily change the worm to replace essential files and destroy the system, allowing more than 25 variations of ILOVEYOU to spread across the Internet, each doing different kinds of damage. Most of the variations had to do with what file extensions were affected by the worm. Others modified the email subject to target a specific audience, like
The worm's code. Files with extensions .jpg, .jpeg, .js, .jse, .css, .wsh, .sct, .doc and .hta are replaced with copies of the worm that have the same base file name but appended with the .vbs extension. Copies for .mp2 and .mp3 files are similarly produced, but the original files are hidden instead of removed. The email format is considered to be one of the first examples of malware using social engineering, by encouraging victims to open
The worm, a registry key is generated for each address book entry once an email has been sent. The worm will only send an email if the registry key is not present. This also allows for emails to be sent to new contacts placed in the address book. ILOVEYOU also has the capability to spread via Internet Relay Chat channels. The worm searches connected drives for files to modify. All VBScript files it finds (.vbs, .vbe) are overwritten with
Was assigned port 194/TCP by IANA. However, the de facto standard has always been to run IRC on 6667/TCP and nearby port numbers (for example TCP ports 6660–6669, 7000) to avoid having to run the IRCd software with root privileges. The protocol specified that characters were 8-bit but did not specify the character encoding the text was supposed to use. This can cause problems when users using different clients and/or different platforms want to converse. All client-to-server IRC protocols in use today are descended from
Was developed in 1999. Certain networks such as Freenode have not followed the overall trend and have more than quadrupled in size during the same period. However, Freenode, which in 2016 had around 90,000 users, has since declined to about 9,300 users. The largest IRC networks have traditionally been grouped as the "Big Four"—a designation for networks that top the statistics. The Big Four networks change periodically, but due to
Was discovered through code analysis.

Independence

Computer viruses generally require a host program. The virus writes its own code into the host program. When the program runs, the written virus program is executed first, causing infection and damage. A worm does not need a host program, as it is an independent program or code chunk. Therefore, it is not restricted by the host program, but can run independently and actively carry out attacks.

Exploit attacks

Because
Was estimated to have caused US$5.5–8.7 billion in damages worldwide, and estimated to cost US$10–15 billion to remove the worm. Within ten days, over fifty million infections had been reported, and it is estimated that 10% of Internet-connected computers in the world had been affected. Damage cited was mostly the time and effort spent getting rid of the infection and recovering files from backups. At
Was first used in this sense in John Brunner's 1975 novel, The Shockwave Rider. In the novel, Nichlas Haflinger designs and sets off a data-gathering worm in an act of revenge against the powerful men who run a national electronic information web that induces mass conformity. "You have the biggest-ever worm loose in the net, and it automatically sabotages any attempt to monitor it. There's never been
Was searched and Ramones was arrested and placed under investigation by the Department of Justice (DOJ). De Guzman was also charged in absentia. At that point, the NBI was unsure of what felony or crime would apply. It was suggested they be charged with violating Republic Act 8484 (the Access Device Regulation Act), a law designed mainly to penalize credit card fraud, since both used pre-paid (if not stolen) Internet cards to purchase access to ISPs. Another idea
Was that they could be charged with malicious mischief, a felony (under the Philippines Revised Penal Code of 1932) involving damage to property. The drawback here was that one of its elements, aside from damage to property, was intent to damage, and de Guzman had claimed during custodial investigations that he might have unwittingly released the worm. At a press conference organized by his lawyer on 11 May, he said "It
Was the chat part, which he did with borrowed parts written by his friends Jyrki Kuoppala and Jukka Pihl. The first IRC network was running on a single server named tolsun.oulu.fi. Oikarinen found inspiration in a chat system known as Bitnet Relay, which operated on the BITNET. Jyrki Kuoppala pushed Oikarinen to ask Oulu University to free the IRC code so that it also could be run outside of Oulu, and after they finally got it released, Jyrki Kuoppala immediately installed another server. This
Was the first "IRC network". Oikarinen got some friends at the Helsinki University of Technology and Tampere University of Technology to start running IRC servers when his number of users increased and other universities soon followed. At this time Oikarinen realized that the rest of the BBS features probably would not fit in his program. Oikarinen contacted people at the University of Denver and Oregon State University. They had their own IRC network running and wanted to connect to
Was the one and only IRC network. Around that time IRC was used to report on the 1991 Soviet coup d'état attempt throughout a media blackout. It was previously used in a similar fashion during the Gulf War. Chat logs of these and other events are kept in the ibiblio archive. Another fork effort, the first that made a lasting difference, was initiated by "Wildthang" in the United States in October 1992. (It forked off
Was thus based on the Undernet ircd server, although the DALnet pioneers were EFnet abandoners. According to James Ng, the initial DALnet people were "ops in #StarTrek sick from the constant splits/lags/takeovers/etc". DALnet quickly offered global WallOps (IRCop messages that can be seen by users who are +w (/mode NickName +w)), longer nicknames, Q:Lined nicknames (nicknames that cannot be used i.e. ChanServ, IRCop, NickServ, etc.), global K:Lines (ban of one person or an entire domain from