Cary Byman FBCS recalls being infected by and ultimately defeating a worm that went on to own over 10 million PCs worldwide. He considers the lessons learned and why we should never forget.
It was the first morning of my new contract at a UK government organisation in London — the body responsible at the time for overseeing the national curriculum and qualifications. I’d joined as a senior software developer through my UK-registered limited company, part of a highly capable team selected to design and build a new internal platform. It was an ambitious project, still early in its analysis and development phase.
I’d been living and working in the UK as a Canadian since 1999. The role was exciting — the kind of contract where the phrase ‘cream of the crop’ had been used during interviews to describe the team. That morning, I arrived early, found my new desk near the back corner of the IT floor, and started the usual process: setting up my development environment, logging into a fresh Outlook account, and sifting through the standard onboarding emails.
The offices were located at 83 Piccadilly, a building some said was once home to MI5 — we were never quite sure. But between the thick walls and the view of Buckingham Palace from upstairs, it was easy to imagine more secretive uses. We used to joke that its bulletproofing and bomb-proofing left us without much of a phone signal. You could make a call if you stood in the right spot, but barely. It all added to the sense that anything could happen there — and that morning, something did.
The fatal email
One email stood out. The sender was a name I recognized from the org chart — someone senior, though I hadn’t met him yet. The subject line: ILOVEYOU. The attachment: LOVE-LETTER-FOR-YOU.TXT. Windows, of course, hid the real file extension, so it appeared to be a simple text file. A little strange, but not impossible. First days are full of surprises.
I didn’t want to miss anything important. I opened it.
Nothing appeared. Just a moment of silence — then I noticed my CPU spiking. Outlook froze. The machine felt like it had hit a wall.
I quickly ended the Outlook process, then reopened it and saved the attachment to my local drive — revealing the hidden .vbs extension. I opened it in Notepad and scanned the code. Hundreds of lines — a VBScript file doing far more than displaying text. Within seconds I recognized that it was malicious. It was editing registry settings, manipulating files (including system files), and — most alarmingly — propagating itself by sending the same email to every contact in the user’s Windows Address Book.
This wasn’t just local damage. It was viral, and fast.
As I read and decoded, I heard others around me noticing issues. ‘My computer’s locked up’ … ‘Is anyone else having problems?’ The development area — and increasingly the rest of the office — was waking up to the same problem.
Across the room, a cluster of figures had gathered near the window. I recognized our project manager and team lead, and a few I didn’t know — likely IT managers or senior stakeholders. From where I sat, I could hear discussions: trying to understand what was happening, what to do next, and how serious it might be.
I realised I might be one of the few in the room who fully understood what was going on — and more importantly, how we might fix it. Some of them knew who I was, but being new, I hadn’t been properly introduced to most.
Still, I raised my hand.
They turned. The room quieted. I said, ‘I think we can fix this.’ I gave a brief explanation — that I had looked at the code, understood what it was doing, and could build a countermeasure. I asked for permission to start working on a solution. They listened, and to their credit, they quickly said: ‘Go for it.’
Developing a solution
Back at my desk, my thoughts focused on two goals: stop the virus from spreading, and repair the damage already done. I knew the fastest way to create a working fix was to reuse parts of the virus itself — to take the author’s own VBScript structure and repurpose it. The idea was simple: undo what had been done. Restore registry settings. Repair manipulated files. Neutralise the script’s propagation.
Almost immediately, other developers offered to help. It was a rare kind of adrenaline. We split up tasks, working in furious tandem. Coding, debugging, testing. Everyone pulled their weight. But as computers continued to lock up across departments, many staff were preparing to go home. The pressure to respond quickly wasn’t just technical, it was operational. Occasionally, a manager would check in with a tap on my shoulder: ‘How much longer?’ I’d glance up. ‘Not long.’
We tested the fix on my machine first. It worked. We copied it to a floppy disk — the fastest option we had, given the circumstances — and handed it off to the IT admins, who disappeared quickly down the hall to begin deploying it.
They never returned to report back, as we’d somewhat expected with all the anticipation. But it quickly became clear: it was working.
By late morning, the fix was being used across the organisation. I checked major antivirus vendors online. To my amazement, none had posted a solution yet. Somehow, in that quiet back corner, we’d gotten there first.
The aftermath
Soon after, we heard that the script was being shared with other government departments — and possibly beyond. In the following weeks, the response received informal recognition in internal circles.
One particularly memorable moment came when David Hargreaves, the organisation’s chief executive at the time, visited our department and warmly introduced himself to each member of the team. After our brief exchange, he asked me with a grin, ‘So, how do you know when you’ve cracked it?’ — punching the air with his fist as he said it. I wasn’t sure if he meant the virus specifically, but I answered honestly: ‘When I’ve met the requirements for whatever I’ve been given to do.’ The conversation was brief, but it stayed with me.
It reminded me that even modest, improvised efforts — made in the moment by developers responding under pressure — can ripple across systems far larger than we ever expect.
To our knowledge, this was the first working fix deployed in the UK, and quite possibly one of the first anywhere.
Globally, ILOVEYOU infected an estimated 45 million machines within days, causing billions in damages. It overwhelmed email servers, crippled government and corporate networks and prompted a widespread re-evaluation of email security. For attackers, it marked a shift toward socially engineered payloads. For defenders, it was a wake-up call — and a turning point in the urgency of real-time response, patch management and user awareness.
25 years later, the ILOVEYOU virus is remembered as one of the most widespread and destructive email attacks of its time. What’s often overlooked is how responses weren’t shaped by formal protocols or polished tools, but by individuals thinking on their feet — collaborating, improvising and acting fast.
It’s a rare thing to find yourself in exactly the right place, at exactly the wrong time — and to be able to do something about it.