
ILOVEYOU

ILOVEYOU, also known as VBS/Loveletter and the Love Bug worm, was a mass-mailing worm active in 2000 that infected millions of Windows computers worldwide within hours of release; one source states it infected more than 10 million systems. It spread by email as a purported love-letter file and, when opened, sent itself to the victim’s contacts, which made it self-propagating and one of the defining early-2000s email worms. Sources consistently place it among the major “great worms” that drove widespread cybersecurity disruption between 1998 and 2005, alongside Melissa, Nimda, Slammer, Sobig, Code Red, Mydoom, and Conficker. It is cited as a historical example of insecure email-driven malware propagation and user-execution-based infection. The sources also note reporting that the worm originated in the Philippines and that it was created by a Filipino student for a thesis. Aliases directly mentioned in the sources are VBS/Loveletter and Love Bug worm.


MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1587.001 Malware (Evidence: 1)

Viruses and Worms: Since most hackers have programming skills, they can create viruses and worms themselves to serve their purposes.

Initial Access

1 technique
T1566 Phishing (Evidence: 2)

The ability to send email, download programs, and run coded scripts gave hackers the chance to infect and steal data from anywhere in the world without needing physical access to systems.

Execution

1 technique
T1203 Exploitation for Client Execution (Evidence: 1)

If the target opened it, it would overwrite and corrupt some files on the person’s computer...

Collection

1 technique
T1114 Email Collection (Evidence: 1)

...and then send itself to all their contacts.

Command and Control

1 technique
T1105 Ingress Tool Transfer (Evidence: 3)

And cybersecurity from 1998 to 2005 was driven by the “great worms” like ILOVEYOU, Melissa, Nimda, Slammer, and Sobig, which caused astounding levels of disruption.

Impact

1 technique
T1485 Data Destruction (Evidence: 1)

If the target opened it, it would overwrite and corrupt some files on the person’s computer...
