Authorities may be zeroing in on ILOVEYOU suspect

Philippine Internet provider expects warrant to be served soon

May 5, 2000
Web posted at: 9:10 p.m. EDT (0110 GMT)

In this story: Getting in through the back door 'He just wasn't that smart' Lots of copycats expected Malicious 'love letters RELATED STORIES, SITES

By D. Ian Hopper, CNN Interactive Technology Editor

(CNN) -- An Internet service provider in the Philippines linked to the "ILOVEYOU" computer virus expects a search-and-seizure warrant to be served soon on the virus's suspected author, according to a company spokesman.

Toby Ayre, spokesman for Sky Internet in Manila, says authorities told him a warrant will be served imminently in the international investigation to find the creator of the virus.

ALSO Love bug costs billions 'Mother's Day' virus plays on heart strings but does more damage Experts say more legislation will not deter computer hackers 'I Love You' virus sweeps the U.S. 'Love Bug' apparently flew out of Asia

VIDEO San Francisco Bureau Chief Greg Lefevre speaks with Network Associates president Peter Watkins about the 'ILOVEYOU' virus. Real 28K 80K Windows Media 28K 80K Technology Correspondent Ann Kellan shows what to do if you find the 'ILOVEYOU' virus in your e-mail. QuickTime Play Real 28K 80K Windows Media 28K 80K San Francisco Bureau Chief Greg Lefevre explains what the 'ILOVEYOU' virus does once it has been executed. QuickTime Play Real 28K 80K Windows Media 28K 80K Hong Kong Bureau Chief Mike Chinoy explains why Asia is the epicenter of the 'ILOVEYOU' virus. QuickTime Play Real 28K 80K Windows Media 28K 80K Justice Correspondent Pierre Thomas explains what authorities are doing to find the author of the 'ILOVEYOU' virus. QuickTime Play Real 28K 80K Windows Media 28K 80K

MESSAGE BOARD Insurgency

QUICKVOTE How many 'ILOVEYOU' e-mails did you get? None 0-20 20-40 More than 40 View Results

A representative of another Manila Internet provider, Super.Net, tells CNN that his company believes the author is a 23-year-old man from the Pandacan neighborhood of Manila.

Although law enforcement sources in Washington also said investigators believe the virus may have originated with a young man in Manila, they cautioned that address codes can be faked.

Manila police said they are checking on a possible suspect but have made no arrests.

The two e-mail addresses, spyder@super.net.ph and mailme@super.net.ph were the source of the virus, according to Manuel Bong, a spokesman for Access Net, which owns Super.Net.

The beginning of the virus code states the alias "spyder," and contains an anonymous e-mail address and a company name. It is also signed "Manila, Philippines," with the poorly worded phrase "i hate go to school."

The virus attempts to change a user's Microsoft Internet Explorer start page to one of four accounts at Sky Internet.

Ayre said that three of those accounts were suspended "quite a while ago" for nonpayment, although defunct customer accounts are not deleted. The fourth account belonged to an active subscriber who did not use it, Ayre said. The suspected virus author uploaded an executable file, called "WIN-BUGSFIX.exe," onto Sky Internet servers on April 28.

The ILOVEYOU virus was first reported in Hong Kong and spread gradually west as Thursday dawned, infecting government and business computers. Anti-virus companies in the United States fielded thousands of calls from corporate customers reporting widespread infections.

Ayre told CNN.com that the person behind the virus had been trying to break directly into Sky Internet for some time, but his phone number was blocked from the provider's servers on April 1.

Then the author did an end run, breaking into the servers of Impact, another Manila Internet provider, in order to hop over to Sky Internet's network and place the file.

Ayre said that Impact is cooperating with authorities, as is Sky Internet. The Philippine National Bureau of Investigation, Interpol, the FBI and the National Infrastructure Protection Center are working on the case.

The executable file was a second part of ILOVEYOU's attack. Although the first part of the virus e-mailed itself out and damaged files, it also tried to send users to the Sky Internet Web pages in order to download and run the executable file. That executable searches a user's hard drive for user name and password combinations, then sends them off to the e-mail address mailme@super.net.ph.

Sky Internet was tipped off, however, by a European Internet provider and discovered the executable file early in the virus's outbreak, about 4:30 a.m. EDT Thursday.

"By 4:30 we had removed the (executable file). It only attacked a couple hundred people in Europe," Ayre said.

If that portion of the attack had reached more people, the results could have been catastrophic for computer users around the globe.

"I'm just happy the second part didn't hit the world," Ayre said. "It would have been extremely pathetic with 40 million people trying to change their passwords. Every password from every infected computer would have to be changed."

The simplicity of the e-mailed virus, written in plain code, made detection and removal easier.

"By making the virus more adaptable, he could have made it much more difficult to stop," Ayre said. "He wasn't being nice to us, he just wasn't that smart."

The remaining active Sky Internet Web site referenced in the e-mail virus has been changed to display a page warning users that their computers have been infected.

Michael Vatis, head of the federal National Infrastructure Protection Center based in Washington, told CNN why it is more difficult to track down the culprit in computer virus cases than in cases of computer hacking or Web page invasions.

"Typically in an intrusion case where somebody's broken into a system, we trace it back, we go from the victim's site to an Internet provider, or another site that it came from ,and we go there and get logs and keep tracing it backwards," Vitas said.

Millions of computer systems around the world have been infected by the ILOVEYOU virus, which hit systems from the Pentagon to the British Parliament, and put Asian governments on alert.

The virus is activated by opening the 'LOVELETTER' attachment

Hours after the self-propagating and destructive virus destroyed critical files and jammed countless electronic mail systems Thursday, computer network administrators battled at least one copycat virus dubbed "Very Funny."

The new variants can elude anti-virus software designed to block the ILOVEYOU bug and could potentially cause the same damage.

Computer security expert Peter Tibbett said that in the coming days "there'll be hundreds of these (viruses), maybe thousands."

Tibbett said he didn't expect the copycats to cause the widespread damage that Thursday's ILOVEYOU virus did -- which is estimated at tens of millions of dollars in damage worldwide and could reach $1 billion by Monday.

However, Tibbett said the copycats should not be underestimated.

The latest copycat virus comes via e-mail with "fwd:joke" on the subject line and an attachment "Very Funny.vbs." The copycat first appeared Thursday afternoon.

Tibbett urges computer users and companies to block all e-mails that have attachments as a precaution, or if they can, simply block attachments with .vbs files.

Experts estimated that 60 percent to 80 percent of U.S. companies were infected by ILOVEYOU. Additionally, several U.S. government agencies and the Senate were hit, as well as more than 100,000 servers in Europe.

Several anti-virus companies have developed "virus definition" files for ILOVEYOU, which spreads through the Microsoft Outlook e-mail program and through a popular Internet Relay Chat program. Those files have so-called "fingerprints" for the virus, allowing those programs to detect and eliminate it.

Security experts at F-Secure have analyzed the ILOVEYOU virus thoroughly. Users usually get an e-mail, sometimes from someone they know, asking them to check the attached "Love Letter."

That file is a VisualBasic script, which contains the virus payload. As long as the user deletes the e-mail without opening the attachment, his or her computer is safe from harm. Once a computer is infected, the virus transmits itself through e-mail using Outlook's address book.

The virus can also travel through the Internet Relay Chat client mIRC, according to F-Secure, which has analyzed the malicious code.

Unlike the Melissa virus, which traveled in a similar fashion, ILOVEYOU, also known as the Love Letter worm, is more destructive. First, it copies itself to two critical system directories and adds triggers in the Windows registry. This ensures that it's running every time the computer reboots.

The virus then starts affecting data files. Files associated with Web development, including ".js" and ".css" files, will be overwritten with a file in the VisualBasic programming language. The original file is deleted. It also goes after multimedia files, affecting JPEGs and MP3s. Again, it deletes the original file and overwrites it with a VisualBasic file with a similar name.

Since it affects popular file types, there is a chance that re-infection could occur by overlooking those replaced files.

Morton Overbye of CNN Norway, Justice Correspondent Pierre Thomas, and correspondent Maria Ressa contributed to this report.

Government computers: The ultimate hackers' proving ground
March 23, 2000
'Melting Worm' slithers into the wild
March 17, 2000
Viruses boom on the Net
January 18, 2000
Protect against Trojan Horses
January 17, 2000
Viruses anew pop up post-Y2K
January 5, 2000

F-Secure Web - Main index
   •F-Secure Virus Info Center
Symantec Worldwide Homepage
   •Symantec AntiVirus Research Center
Norman

Note: Pages will open in a new browser window

External sites are not endorsed by CNN Interactive.