Authorities may be zeroing in on ILOVEYOU suspect
Philippine Internet provider expects warrant to be served soon
(CNN) -- An Internet service provider in the Philippines linked to the "ILOVEYOU" computer virus expects a search-and-seizure warrant to be served soon on the virus's suspected author, according to a company spokesman.
Toby Ayre, spokesman for Sky Internet in Manila, says authorities told him a warrant will be served imminently in the international investigation to find the creator of the virus.
A representative of another Manila Internet provider, Super.Net, tells CNN that his company believes the author is a 23-year-old man from the Pandacan neighborhood of Manila.
Although law enforcement sources in Washington also said investigators believe the virus may have originated with a young man in Manila, they cautioned that address codes can be faked.
Manila police said they are checking on a possible suspect but have made no arrests.
The two e-mail addresses, email@example.com and firstname.lastname@example.org, were the source of the virus, according to Manuel Bong, a spokesman for Access Net, which owns Super.Net.
The beginning of the virus code states the alias "spyder," and contains an anonymous e-mail address and a company name. It is also signed "Manila, Philippines," with the poorly worded phrase "i hate go to school."
The virus attempts to change a user's Microsoft Internet Explorer start page to one of four accounts at Sky Internet.
Ayre said that three of those accounts were suspended "quite a while ago" for nonpayment, although defunct customer accounts are not deleted. The fourth account belonged to an active subscriber who did not use it, Ayre said. The suspected virus author uploaded an executable file, called "WIN-BUGSFIX.exe," onto Sky Internet servers on April 28.
The ILOVEYOU virus was first reported in Hong Kong and spread gradually west as Thursday dawned, infecting government and business computers. Anti-virus companies in the United States fielded thousands of calls from corporate customers reporting widespread infections.
Getting in through the back door
Ayre told CNN.com that the person behind the virus had been trying to break directly into Sky Internet for some time, but his phone number was blocked from the provider's servers on April 1.
Then the author did an end run, breaking into the servers of Impact, another Manila Internet provider, in order to hop over to Sky Internet's network and place the file.
Ayre said that Impact is cooperating with authorities, as is Sky Internet. The Philippine National Bureau of Investigation, Interpol, the FBI and the National Infrastructure Protection Center are working on the case.
The executable file was a second part of ILOVEYOU's attack. Although the first part of the virus e-mailed itself out and damaged files, it also tried to send users to the Sky Internet Web pages in order to download and run the executable file. That executable searches a user's hard drive for user name and password combinations, then sends them off to the e-mail address email@example.com.
Sky Internet was tipped off, however, by a European Internet provider and discovered the executable file early in the virus's outbreak, about 4:30 a.m. EDT Thursday.
"By 4:30 we had removed the (executable file). It only attacked a couple hundred people in Europe," Ayre said.
If that portion of the attack had reached more people, the results could have been catastrophic for computer users around the globe.
"I'm just happy the second part didn't hit the world," Ayre said. "It would have been extremely pathetic with 40 million people trying to change their passwords. Every password from every infected computer would have to be changed."
'He just wasn't that smart'
The simplicity of the e-mailed virus, written in plain code, made detection and removal easier.
"By making the virus more adaptable, he could have made it much more difficult to stop," Ayre said. "He wasn't being nice to us, he just wasn't that smart."
The remaining active Sky Internet Web site referenced in the e-mail virus has been changed to display a page warning users that their computers have been infected.
Michael Vatis, head of the federal National Infrastructure Protection Center based in Washington, told CNN why it is more difficult to track down the culprit in computer virus cases than in cases of computer hacking or Web page invasions.
"Typically in an intrusion case where somebody's broken into a system, we trace it back, we go from the victim's site to an Internet provider, or another site that it came from, and we go there and get logs and keep tracing it backwards," Vatis said.
Millions of computer systems around the world have been infected by the ILOVEYOU virus, which hit systems from the Pentagon to the British Parliament, and put Asian governments on alert.
As a protective measure, Britain's House of Commons shut down its e-mail system for about two hours to prevent infiltration.
Lots of copycats expected
Hours after the self-propagating and destructive virus destroyed critical files and jammed countless electronic mail systems Thursday, computer network administrators battled at least one copycat virus dubbed "Very Funny."
The new variants can elude anti-virus software designed to block the ILOVEYOU bug and could potentially cause the same damage.
Computer security expert Peter Tibbett said that in the coming days "there'll be hundreds of these (viruses), maybe thousands."
Tibbett said he didn't expect the copycats to cause the widespread damage that Thursday's ILOVEYOU virus did -- which is estimated at tens of millions of dollars in damage worldwide and could reach $1 billion by Monday.
However, Tibbett said the copycats should not be underestimated.
The latest copycat virus comes via e-mail with "fwd:joke" on the subject line and an attachment "Very Funny.vbs." The copycat first appeared Thursday afternoon.
Tibbett urges computer users and companies to block all e-mails that have attachments as a precaution, or, if they can, to block only attachments that are .vbs files.
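The attachment policy Tibbett recommends, written out as a small mail-gateway check. This is an added illustration, not code from CNN, F-Secure or any of the providers named in the article; the sample messages, addresses and payload bytes are constructed, and the "fwd:joke" / "Very Funny.vbs" message is modelled on the copycat described above.

```python
import email
from email import policy
from email.message import EmailMessage

# The article's advice: block .vbs attachments (the worm and the "Very Funny.vbs"
# copycat both arrive as VBScript), or block every attachment as a precaution.
BLOCKED_EXTENSIONS = (".vbs",)


def attachment_names(raw_message):
    """Filenames of every attachment part in an RFC 822 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def policy_decision(raw_message, block_all=False):
    """Return 'quarantine' if the message violates the attachment policy,
    otherwise 'deliver'. The suffix check is case-insensitive and looks at the
    final extension, so double-extension names like photo.jpg.vbs are caught."""
    names = attachment_names(raw_message)
    if block_all and names:
        return "quarantine"
    if any(name.lower().endswith(BLOCKED_EXTENSIONS) for name in names):
        return "quarantine"
    return "deliver"


def build_sample(subject, attachment=None):
    """Constructed test message; addresses, body and payload bytes are invented."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("kindly check the attached file")
    if attachment:
        msg.add_attachment(b"' constructed stand-in for a script body\r\n",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_string()
```

In the default mode only .vbs attachments are quarantined; `block_all=True` applies the stricter "no attachments at all" precaution from the same paragraph.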
Experts estimated that 60 percent to 80 percent of U.S. companies were infected by ILOVEYOU. Additionally, several U.S. government agencies and the Senate were hit, as well as more than 100,000 servers in Europe.
Several anti-virus companies have developed "virus definition" files for ILOVEYOU, which spreads through the Microsoft Outlook e-mail program and through a popular Internet Relay Chat program. Those files have so-called "fingerprints" for the virus, allowing those programs to detect and eliminate it.
The malicious code is a hybrid virus and worm. Like the Melissa and Explore.Zip worms, it propagates itself through networks -- in this case, e-mail. But unlike those two, it also destroys and replicates itself by manipulating files, in this case JPEG and MP3 files on a user's hard drive, like a traditional virus.
Malicious 'love letters'
Security experts at F-Secure have analyzed the ILOVEYOU virus thoroughly. Users usually get an e-mail, sometimes from someone they know, asking them to check the attached "Love Letter."
That file is a VisualBasic script, which contains the virus payload. As long as the user deletes the e-mail without opening the attachment, his or her computer is safe from harm. Once a computer is infected, the virus transmits itself through e-mail using Outlook's address book.
The virus can also travel through the Internet Relay Chat client mIRC, according to F-Secure, which has analyzed the malicious code.
Unlike the Melissa virus, which traveled in a similar fashion, ILOVEYOU, also known as the Love Letter worm, is more destructive. First, it copies itself to two critical system directories and adds triggers in the Windows registry. This ensures that it's running every time the computer reboots.
The virus then starts affecting data files. Files associated with Web development, including ".js" and ".css" files, will be overwritten with a file in the VisualBasic programming language. The original file is deleted. It also goes after multimedia files, affecting JPEGs and MP3s. Again, it deletes the original file and overwrites it with a VisualBasic file with a similar name.
Since it affects popular file types, there is a chance of re-infection if the replaced files are overlooked and later opened.
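A post-infection sweep for the replaced files the last three paragraphs describe, added here as an example and not taken from F-Secure's analysis or any published tool. It assumes the "similar name" is the original filename with .vbs appended (so holiday.jpg becomes holiday.jpg.vbs), and it builds a constructed directory tree to run against.

```python
import os
import tempfile

# Data file types the article says the worm overwrites with a VBScript copy.
TARGET_EXTENSIONS = (".js", ".css", ".jpg", ".jpeg", ".mp3")


def is_replacement_artifact(filename):
    """True for names like 'song.mp3.vbs': a .vbs suffix stacked on a targeted
    extension. Assumes the 'similar name' is the original name plus '.vbs'."""
    lower = filename.lower()
    if not lower.endswith(".vbs"):
        return False
    return lower[:-len(".vbs")].endswith(TARGET_EXTENSIONS)


def sweep(root):
    """Walk root and report artifacts in two buckets: replaced originals whose
    data is gone, and .vbs copies that still have the original beside them."""
    findings = {"original_missing": [], "original_present": []}
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            if not is_replacement_artifact(name):
                continue
            original = name[:-len(".vbs")]
            bucket = "original_present" if original in present else "original_missing"
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            findings[bucket].append(rel.replace(os.sep, "/"))
    for bucket in findings:
        findings[bucket].sort()
    return findings


def build_sample_tree():
    """Constructed directory mimicking an infected user profile (temp dir)."""
    root = tempfile.mkdtemp(prefix="loveletter-sweep-")
    samples = {
        "pics/holiday.jpg.vbs": "' constructed stand-in for the worm body\n",
        "pics/notes.txt": "harmless text file\n",
        "music/track.mp3.vbs": "' constructed stand-in for the worm body\n",
        "site/main.css.vbs": "' constructed stand-in for the worm body\n",
        "site/main.css": "body { color: black }\n",
        "site/app.js": "console.log('untouched');\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root
```

Files in the `original_missing` bucket are the ones a user is most likely to double-click while looking for lost pictures or music, which is the re-infection path the paragraph above warns about.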
Morton Overbye of CNN Norway, Justice Correspondent Pierre Thomas, and correspondent Maria Ressa contributed to this report.
© 2001 Cable News Network. All Rights Reserved.