Skip to main content
ad info

 
CNN.com technology > computing
    Editions | myCNN | Video | Audio | Headline News Brief | Feedback  

 

  Search
 
 

 
TECHNOLOGY
TOP STORIES

Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent

(MORE)

TOP STORIES

More than 11,000 killed in India quake

Mideast negotiators want to continue talks after Israeli elections

(MORE)

MARKETS
4:30pm ET, 4/16
144.70
8257.60
3.71
1394.72
10.90
879.91
 


WORLD

U.S.

POLITICS

LAW

ENTERTAINMENT

HEALTH

TRAVEL

FOOD

ARTS & STYLE



(MORE HEADLINES)
*
 
CNN Websites
Networks image


Internet provider in Philippines homes in on virus author

May 5, 2000
Web posted at: 10:15 a.m. EDT (1415 GMT)

Destructive 'ILOVEYOU' computer virus strikes worldwide
 

In this story:

Worldwide virus

FBI on trail of virus author

'LOVE' already costing much

Senate has no love for 'LOVE'

History nearly lost

How it works

'It's very clever'

RELATED STORIES, SITES icon



(CNN) -- An Internet service provider in Manila, Philippines, has confirmed to CNN.com that a 23-year-old male from the Pandacan area of Manila has two e-mail addresses through its service and is believed to be the author of the "ILOVEYOU" virus.

The two e-mail addresses, spyder@super.net.ph and mailme@super.net.ph were the source of the virus, according to Manuel Bong, a spokesperson for Access Net, which owns Super Net.

 VIDEO
VideoSan Francisco Bureau Chief Greg Lefevre speaks with Network Associates president Peter Watkins about the 'ILOVEYOU' virus.
QuickTime Play
Real 28K 80K
Windows Media 28K 80K

VideoTechnology Correspondent Ann Kellan shows what to do if you find the 'ILOVEYOU' virus in your e-mail.
QuickTime Play
Real 28K 80K
Windows Media 28K 80K

VideoSan Francisco Bureau Chief Greg Lefevre explains what the 'ILOVEYOU' virus does once it has been executed.
QuickTime Play
Real 28K 80K
Windows Media 28K 80K
 
  ALSO
 
  MESSAGE BOARD
 
  QUICKVOTE
How many 'ILOVEYOU' e-mails did you get?

None
0-20
20-40
More than 40
View Results
 

The beginning of the virus code states, in comments, the alias "spyder," and contains an anonymous e-mail address and a company name. It is also signed "Manila, Philippines," and with the comment, "i hate go to school."

Additionally, the virus tries to set the user's Internet Explorer start page to a Web site registered in Quezon, Philippines. It attempts to trigger a program called "WIN-BUGSFIX.exe" on one of four user accounts through the same site. The site belongs to one of the largest Internet Service Providers in the Philippines.

Bong could not give the name of man who owns the account, but logs could identify him quickly.

Comments in the code of the virus state that the virus is "By: spyder," and also mention the city of Manila.

The virus also attempts to set the infected computer's Internet Explorer start page to one of four Web sites at Sky Internet, another ISP in the Philippines.

Worldwide virus

Millions of computer systems around the world have been affected by a bug known as the "ILOVEYOU" virus, which has affected systems from the Pentagon to the British Parliament, and put Asian governments on alert.

As a protective measure, Britain's House of Commons shut down its e-mail system for about two hours to prevent infiltration by the virus.

Hours after the self-propagating and destructive "ILOVEYOU" virus destroyed critical files and jammed countless electronic mail systems, computer network administrators battled at least one copycat virus dubbed "very funny."

The new variants can elude anti-virus software designed to block the "ILOVEYOU" bug and could potentially cause the same damage.

"We predict at least a dozen copycats within the next 24 hours," said computer security expert Peter Tibbett, who works for ICSA.net of Reston, Virginia, which measures the frequency and cost of viruses on 1 million machines per year.

"There'll be hundreds of these" in the coming days, he said, "maybe thousands."

He said he didn't expect the copycats to cause the widespread damage that Thursday's "ILOVEYOU" virus did -- which is estimated at tens of millions of dollars in damage worldwide and could reach $1 billion by Monday.

However, Tibbett said the copycats should not be underestimated.

The latest copycat virus comes via e-mail with "fwd:joke" on the subject line and an attachment "very funny.vbs." The copycat first appeared Thursday afternoon.

It is believed to have been re-sent from the earlier "ILOVEYOU" virus, rather than that virus written to rename itself.

Tibbett urges computers users and companies to block all e-mails that have attachments as a precaution, or if they can, simply block attachments with .vbs files.

"Quarantine or block anything coming into your organization with an attachment," he said.

Experts estimated that 60 percent to 80 percent of U.S. companies were infected by the "ILOVEYOU" virus. Additionally, several U.S. government agencies and the Senate were hit, as well as more than 100,000 servers in Europe.

FBI on trail of virus author

The "ILOVEYOU" virus was first reported in Hong Kong and spread gradually west as Thursday dawned, infecting government and business computers. Anti-virus companies in the United States fielded thousands of calls from corporate customers reporting widespread infections.

Several anti-virus companies have developed "virus definition" files for the "ILOVEYOU" virus, which is currently known to spread through the Microsoft Outlook e-mail program and through a popular Internet Relay Chat program. Those files have so-called "fingerprints" for the virus, allowing those programs to detect and eliminate it.

The malicious code is a hybrid virus and worm. Like the Melissa and Explore.Zip worms, it propagates itself through networks -- in this case, e-mail. But unlike those two, it also destroys and replicates itself by manipulating files, in this case JPEG and MP3 files on a user's hard drive, like a traditional virus.

"This is fairly big time," Tibbett said of the "ILOVEYOU" virus.

The FBI has begun investigating the "ILOVEYOU" virus. Officials at the National Infrastructure Protection Center were meeting Thursday to discuss the attack's impact. Clues within the virus code indicate that it may have originated in the Philippines.

A spokesman for Super.Net in Manila said, "We were taken by surprise, all this started on Tuesday when some of our workstations were infected by a virus and one of the virus that affected us was 'Michael learns to hack' and then there was the 'I love you virus', at that time we were not aware that the authors of the virus which is supposedly in the Philippines had used one of our e-mail cards to create an anonymous address. When we got reports that the virus had been traced to it on this we disabled the e-mail addresses, spyder@super.net.ph and mailme@super.net.ph."

Super.Net provides Internet access by selling pre-paid cards. Users buy a pre-paid card and then use the user name and password on the card to reach the Internet for a specified amount of time.

The Super.Net official said that because a pre-paid card was used, it will be extremely difficult to trace who bought the card.

'LOVE' already costing much

Tibbett estimated $100 million in software damage and lost commerce had been caused by 9 a.m. Thursday in North America alone and predicted the price tag would exceed $1 billion by Monday morning.

ICSA.net has 200,000 clients, among them financial institutions, government agencies and corporations, Tibbett said. The Department of Justice used the company's estimates for damage caused by last year's Melissa virus, he said.

"This beats Melissa hands down," Tibbett said.

According to ICSA.net, the Melissa virus infected 20 percent of North American companies' computer systems. "We anticipate this'll exceed 50 percent of North American companies by Monday," Tibbett said.

Senate has no love for 'LOVE'

The "ILOVEYOU" virus is "widespread" at the U.S. Senate computer system, according to Elizabeth McAlhany of the Senate Sergeant At Arms office. Every Senate office has been paged to alert them to the virus. The Senate's internal e-mail system was shut down.

Effects were minimal at the U.S. House of Representatives, although "hundreds of thousands" of copies of the virus were deleted, according to the Committee on House Administration, which is overseeing the defense efforts.

"By all looks, it doesn't appear to be too bad," committee spokesman Jason Poblete told CNN. "No one knew it was coming. But we won't know about permanent technical damage until it's over," he said. The House e-mail system is still operating, Poblete said.

The White House and federal agencies reported minimal effects.

Britain's House of Commons was also hobbled by the virus.

"I have to tell you that, sadly, this affectionate greeting contains a virus which has immobilized the House's internal communication system," said House leader Margaret Beckett.

In Hong Kong the "ILOVEYOU" virus appeared late in the afternoon, and is reported to have hit public relations firms and investment firms particularly hard. Dow Jones Newswires and the Asian Wall Street Journal were among the victims.

In Europe, the "ILOVEYOU" virus reached European parliaments, big companies and financial traders early Thursday. Officials at the Norwegian anti-virus company Norman said they first heard of the virus around 10 p.m. Central Europe Time (CET) Wednesday.

"The virus first showed up on my desk one hour ago", virus analyst Snorre Fagerland at Norman told CNN Norway. "Usually we get a few days notice until the virus reaches us, thus this virus seems to be very aggressive."

In Denmark, the TV2 channel, the telecom company Tele Danmark and the Danish Parliament were all victims.

"More than 100,000 mail servers in Europe have been taken down or stuck out by the virus," virus specialist Stein Mollerhaug in Compaq Norway told CNN Norway. "And the servers with anti-virus programs have huge problems. Millions of people are trying to get the latest anti-virus programs," he says.

Compaq first noticed the "ILOVEYOU" virus Thursday at 7:30 a.m. CET. "One of our employees then received the virus from one of our partners in Malaysia. We knew we had a problem when he received 200 more copies of the same mail within minutes," Mollerhaug said.

Mollerhaug fears copycats will start a new wave of the virus in Asia and Europe.

History nearly lost

The Norwegian photo agency ScanPix lost some 4,500 photos. Had the "ILOVEYOU" virus struck three days earlier, photos from the Norwegian war archives would have been lost.

"Between 6,000 and 6,500 photos was deleted by the virus, and we only managed to rescue 1,500 of them. The rest seem to be lost," ScanPix managing editor Tore Sannum told CNN Norway.

The agency has between 700,000 and 800,000 photos in their archives, but good backup routines saved most of the photos. The deleted photos were in a transit database for the latest incoming photos to the agency.

The war archive was gathered by Norway's exile government in London during World War II. ScanPix has been working on the archive -- which is a part of the Norwegian national archives -- for more than two years.

"Just a few days ago, we burnt the latest photos from this archive on CD's. Otherwise, they would have been lost forever", Sannum said.

Among the deleted photos, Sannum feared wedding photos from Norway's native Lapp population might be lost. One of the agency's photographers had been working with the photos for several weeks.

"She took some fantastic photos," Sannum said. "Now I fear they might be gone. We are trying to reach her to see if she had any copies."

LOVELETTER virus
The virus is activated by opening the 'LOVELETTER' attachment  

How it works

Security experts at F-Secure have analyzed the "ILOVEYOU" virus thoroughly. Users usually get an e-mail, sometimes from someone they know, asking them to check the attached "Love Letter." That file is a VisualBasic script, which contains the virus payload. As long as the user deletes the e-mail without opening the attachment, their computer is safe from harm. Once a computer is infected, the virus transmit itself through e-mail using Outlook's address book.

"What makes this virus so much more aggressive than Melissa is that this virus sends copies to all the addresses, whilst Melissa only sent copies to the first 50 addresses," Fagerland said.

The virus can also travel through the Internet Relay Chat client mIRC, according to F-Secure, which has analyzed the malicious code.

Unlike the "Melissa" virus, which traveled in a similar fashion, "ILOVEYOU," also known as the Love Letter worm, is more destructive. First, it copies itself to two critical system directories and adds triggers in the Windows registry. This ensures that it's running every time the computer reboots.

The virus then starts affecting data files. Files associated with Web development, including ".js" and ".css" files, will be overwritten with a file in the VisualBasic programming language. The original file is deleted. It also goes after multimedia files, affecting JPEGs and MP3s. Again, it deletes the original file and overwrites it with a VisualBasic file with a similar name.

'It's very clever'

Since it affects popular file types, there is a chance that re-infection could occur by overlooking those replaced files.

"If you don't do a full scan," said Carey Nachenberg, chief researcher at the Symantec Anti-Virus Research Center, "you'll click on one of those things, and whammo! You'll infect everybody again. It's very clever."

Nachenberg called the "ILOVEYOU" virus a "corporate-flavored" worm, because it affects scripting files common to company networks. It also only affects Windows 98 and NT operating systems. Windows 95 users are susceptible if Windows Scripting Host is installed. Researchers are also checking whether it affects Outlook Express, the consumer version of Microsoft Outlook, to see how vulnerable end users could be.

Richard M. Smith, the Internet consultant who tracked down the author of the "Melissa" virus, said the best hope in tracking down the "ILOVEYOU" author is through the e-mail address left on the virus code.

"Even if the person gave false information, if (the free, Web-based mail company) recorded the IP address, then they'd know if it came from the Philippines," he said. Smith also predicts some copycats, since the virus code is so easily found and manipulated.

A spokesperson for the mail company, Mail.com, refused to divulge account information, or even whether the account ever existed.

"We have investigated the matter thoroughly, and we have determined that there's no evidence that the virus originated from any of Mail.com's e-mail accounts," company spokesperson Kathy Holms Robb said. Robb would not comment on if the company was working with the FBI.

Taking a lighter view of the "ILOVEYOU" virus, British Commons leader Beckett said she did not know whether to be "sorry or pleased that as far as I'm aware, I have not received an e-mail saying 'I love you.'"

Technology Editor D. Ian Hopper, Morton Overbye of CNN Norway, CNN producer Ted Barrett and Congressional Correspondent Frank Black contributed to this report.



RELATED STORIES:
Government computers: The ultimate hackers' proving ground
March 23, 2000
'Melting Worm' slithers into the wild
March 17, 2000
Viruses boom on the Net
January 18, 2000
Protect against Trojan Horses
January 17, 2000
Viruses anew pop up post-Y2K
January 5, 2000

RELATED SITES:
F-Secure Web - Main index
   •F-Secure Virus Info Center
Symantec Worldwide Homepage
   •Symantec AntiVirus Research Center
Norman

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

 Search   

Back to the top  © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.