A Deep-Rooted Infestation: How the ILOVEYOU Bug Continues its Legacy in Modern Worms
A quarter century ago, a former computer science student from the Philippines accidentally unleashed one of the most destructive computer viruses in modern history.
With an email subject that’s hard to ignore — ILOVEYOU sans spaces — this piece of malware managed to affect millions of Microsoft Windows-powered machines worldwide, including those belonging to AT&T, Ford Motor Company, the Pentagon, the Central Intelligence Agency (CIA), and the National Aeronautics and Space Administration (NASA). The ILOVEYOU virus was so pervasive that it affected 10% of Internet-connected devices worldwide and inflicted damages that reportedly could have gone beyond a staggering $10 billion.
Now, with this malware thoroughly in our collective rear-view mirror, let’s conduct a technical analysis of the infamous ILOVEYOU worm and give a glimpse into how modern worms have evolved in the past 25 years. This article also provides tips on how organizations can stay protected against modern worms.
Under the Magnifying Glass: Comparing the Love Bug with Modern Worms
Motivation
The original motivation behind the ILOVEYOU bug, according to its creator, was to steal dial-up Internet credentials, which was how most people in the Philippines used to connect to the Internet in the 1990s and the early 2000s. In addition to dial-up details, it also stole email credentials. Interestingly, Onel de Guzman, the alleged person behind this notorious worm, didn’t get jail time. This was because cybercrime legislation was nonexistent in the Philippines at the time.
Although stealing Internet credentials is undeniably wrong and criminal, it’s less nefarious than newer worms’ intended use cases. For example, newer worms can be specially crafted to mine and steal cryptocurrency.
In February 2025, Red Canary reported on a threat actor’s use of a Visual Basic Script (VBScript)-based worm that deploys a cryptominer dubbed Tangerine Turkey. Tangerine Turkey uses a printui dynamic link library (DLL) hijacking technique to deliver cryptocurrency mining malware to infected devices. Some variants of Tangerine Turkey drop the XMRig miner, a popular open-source cryptocurrency miner, and the Zephyr Miner.
This sophisticated cryptoworm spreads to victims through an old yet still very effective method: USB devices. In 2024, researchers discovered that users based in Turkey who had used their USB devices at certain Internet cafes and physical shops appear to have had their own machines infected with the Tangerine Turkey worm.
Aside from cryptomining, worms can also be used for other, more sinister cybercriminal activities. Back then, the ILOVEYOU virus inadvertently affected and disrupted the operations of major companies and government bodies, including the Pentagon and the parliaments of Denmark and the UK.
Today’s worms are used to specifically target large organizations and countries to steal information, perform cyberespionage, and conduct remote access activities.
In 2023, Check Point shared that the Russia-linked Gamaredon advanced persistent threat (APT) group started distributing the LitterDrifter worm to steal sensitive information from Ukraine, including reports concerning the deaths of Ukrainian military service members and arsenal inventories. According to researchers, the LitterDrifter worm was capable of automatically spreading via USB devices and communicating with a broad set of command-and-control (C2) channels.
Early in 2025, the Federal Bureau of Investigation (FBI) deleted the PlugX malware from over 4,200 computers in the US. The operator of PlugX, Mustang Panda, is a China-based threat actor that focuses on cyberespionage activities. Mustang Panda’s victims include European governments and shipping companies, as well as Indo-Pacific governments such as Japan, South Korea, India, and Thailand.
According to authorities, the PlugX malware variant that was removed from thousands of machines had a wormable component that enabled it to spread via removable USB devices. Unit 42 researchers shared that Mustang Panda used a free and open-source Windows debugging tool called X64dbg (“x64dbg.dll”) and “x32bridge.dll” to load PlugX.
The ILOVEYOU Attack Vector
The ILOVEYOU virus is one of the first malware types to show the world how the winning combination of malicious code and an irresistible social engineering lure – a love letter – can cause billions of dollars in damages.
The subject line was partnered with a succinct yet potent body message: “Kindly check the attached LOVELETTER coming from me.” Curious individuals who opened the attachment, a file named “LOVE-LETTER-FOR-YOU.TXT.VBS”, were then exposed to the virus.
Back then, when email communications were still relatively new to most people, this lure was powerful enough to entice victims to do as they were instructed. However, by today’s standards, the ILOVEYOU virus’ simple email subject line and body message are relatively easy to flag as malicious by users and even built-in email security filters.
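As an added illustration (not code from the original article), the check below parses a constructed message resembling the lure and flags attachments whose real script extension hides behind a decoy one, the trick the “LOVE-LETTER-FOR-YOU.TXT.VBS” name relied on; the extension lists are assumptions to tune per gateway policy.

```python
"""Flag e-mail attachments that hide a script extension behind a decoy one,
the trick the ILOVEYOU lure used with LOVE-LETTER-FOR-YOU.TXT.VBS."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows Script Host / mshta execute on double-click
# (assumed list for this example; align it with your gateway policy).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "sct"}
# Extensions users read as "harmless"; a script hidden behind one is a lure.
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "jpeg", "mp3", "htm", "html"}

def classify_filename(name: str) -> str:
    """'script' for a bare script file, 'double-extension' for a script
    disguised behind a decoy extension, 'ok' otherwise."""
    parts = name.lower().rsplit(".", 2)  # ['love-letter-for-you', 'txt', 'vbs']
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return "ok"
    if len(parts) == 3 and parts[1] in DECOY_EXTS:
        return "double-extension"
    return "script"

def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return (filename, verdict) pairs for
    every attachment a gateway should quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        verdict = classify_filename(part.get_filename() or "")
        if verdict != "ok":
            findings.append((part.get_filename(), verdict))
    return findings

def build_sample() -> bytes:
    """Constructed sample resembling the 2000 lure; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(b"' placeholder text, no script body\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```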
To elevate their social engineering techniques, malicious actors are quick to abuse new technologies that become publicly available. Enter generative AI tools, which, in their proliferation and ease of use, have made social engineering lures quicker to whip up and even more efficacious.
Attack Chain
After the malicious email containing the VBScript-based worm is opened, the Love Bug behaves in this manner:
It writes itself to the Windows directory (two copies) and the system directory (one copy). Afterward, it modifies the impacted machine’s registry keys so that it starts automatically upon reboot and so that the Microsoft Internet Explorer start page points to one of four Sky Internet-hosted web pages. These web pages linked to a malicious executable that searched the infected device for dial-up connection passwords, which were then sent to a Philippine-based email address.
On top of automatically sending the malicious email to everyone in the victim’s address book, the ILOVEYOU bug also created an HTML file on the machine’s hard drive to spread to other computers connected via Internet Relay Chat (IRC). The bug was also responsible for overwriting different file types, such as:
- JPEG
- MP2
- MP3
- VPOS
- JS
- JSE
- CSS
- WSH
- SCT
- HTA
With the exception of MP2 and MP3 files, which were only hidden, the above-mentioned files were corrupted and became difficult, if not impossible, to recover.
When contrasting the ILOVEYOU virus’s attack chain with that of CMoon, a .NET-based worm that emerged in July 2024, we can see how modern worms have evolved to become more targeted and sophisticated.
For one, instead of propagating via email, the CMoon worm is hosted on a compromised website that provides gasification and gas supply services for a Russian city. Malicious actors replaced legitimate regulatory document links with malicious executables containing a self-extracting archive with the CMoon worm. This shows how the actors behind CMoon are narrowing their targeting to the high-value visitors of this compromised site rather than relying on spray-and-pray tactics.
Once it’s successfully downloaded onto a victim’s machine, CMoon creates a folder named after whichever antivirus software it detects on the machine and copies itself there. Otherwise, it creates a folder that resembles a system folder and copies itself into it. Like the ILOVEYOU worm, CMoon also runs automatically at system startup.
CMoon was specifically crafted to steal information, including cryptocurrency wallets as well as data in web browsers, messenger apps, FTP and SSH clients, and document files that contain words such as “secret”, “service”, or “password.” The worm also siphons off account credentials in files with the following extensions:
- .pfx
- .p12
- .kdb
- .lastpass
- .psafe3
- .key
- .private
- .asc
- .gpg
- .ovpn
- .log
Aside from stealing information, CMoon can also be used to download and deploy additional malware, take screenshots, gather information from network resources, and launch distributed denial-of-service (DDoS) attacks.
Platform
Back then, Windows was the primary operating system used by personal users and large organizations alike. It came bundled with Outlook, which ultimately became the most popular email client at the time. Today, aside from compromising high-value websites as in the case of CMoon, malware authors have also expanded their targets to include Internet of Things (IoT) devices, cloud environments, and generative AI platforms.
In 2023, Kaspersky published a report about the Mirai-powered RapperBot, a worm that was made to launch DDoS attacks by infecting IoT devices.
Upon analysis, researchers found that RapperBot exhibited a unique brute-forcing tactic: it doesn’t attempt to work through a huge list of credentials. Instead, it first inspects the device’s login prompt to determine which credentials are appropriate for the targeted IoT device, which is far more efficient than typical brute-force processes.
P2PInfect is a Rust-based, cross-platform worm that spreads via Redis and, to a limited extent, SSH. P2PInfect initially showed benign behaviors and only sniffed out cloud instances that were vulnerable to CVE-2022-0543. However, it evolved to drop cryptominer and ransomware payloads, as observed by Cado Security researchers last year.
Meanwhile, in 2024, researchers discovered a worm they called “Morris II” that targets generative AI apps by means of self-replicating prompts, enabling infected generative AI agents to drop malicious payloads onto others.
Upon infecting a GenAI app, Morris II is stored in the retrieval augmented generation (RAG) framework, allowing it to propagate to other apps without any user intervention. According to researchers, Morris II can be used to steal personal data and distribute malware.
Exfiltration
The ILOVEYOU virus sent stolen credentials to a server hosted by Sky Internet, a Philippine-based Internet service provider (ISP). This server was swiftly taken offline, and the malware creator wasn’t able to retrieve any of the exfiltrated data.
Modern worms have upped the ante when it comes to data exfiltration. This is what was observed in the Raspberry Robin worm, which previously did not exhibit signs of post-infection actions but later on became one of the largest malware distributors in the wild.
Raspberry Robin uses a C2 infrastructure composed of compromised QNAP network-attached storage (NAS) systems with hijacked DNS settings, and even other compromised IoT devices.
Obfuscation
The ILOVEYOU worm was poorly coded and, because it shipped as plain-text VBScript, gave each of its millions of victims a copy of its source code. Modern threat actors have become more sophisticated, understanding the importance of obfuscating their malware for greater stealth and effectiveness.
For example, researchers from Trend Micro found that the Raspberry Robin worm, which distributes malware to victims, heavily obfuscates its code to make analysis even more challenging and drops fake malware to throw off researchers. Upon detecting that it’s being run in a sandbox or debugger, this worm also drops a fake payload.
Meanwhile, SSH-Snake, an open-source network mapping tool that was being abused in malicious attacks, also exhibits unique obfuscation tactics. To evade detection, the SSH-Snake worm modifies itself by removing unnecessary functions and whitespace from its code, making itself smaller when running in a compromised system for the first time.
Security Recommendations
The ILOVEYOU virus was not the first, and it certainly wasn’t the last, worm to steal sensitive information and disrupt operations. Organizations can benefit from adopting the following security recommendations to stop worms from spreading in their environments:
- Conduct Effective Security Awareness Training Sessions: Organizations are responsible for making employees understand the vital part they play in keeping the organization secure. To keep employees informed of security risks and threats, companies must develop and regularly implement effective, relevant, and manageable security awareness training sessions.
- Implement Phishing Simulations: Email is still a popular attack vector that threat actors use to distribute worms and other malware types. Conducting phishing simulations can enhance employees’ security awareness with real-world examples and give organizations a better understanding of their employees’ ability to recognize security risks.
- Perform Regular Security Audits: Companies must identify and address vulnerabilities through frequent penetration testing and vulnerability assessments to keep their environments safe.
- Invest in AI-Powered, Multilayered Email Security Solutions: To keep employees from falling for malware-laden phishing emails, organizations need to invest in robust email security solutions. A secure email gateway is never a bad idea.
About the Author
Pauline Bolaños is a Security Content Researcher at Trustwave SpiderLabs. She has seven years of experience as a cybersecurity writer, covering diverse security topics including malware, vulnerabilities, AI, and the cloud.