Internet provider says Caller ID foiled 'Love Bug' author
MANILA, Philippines (CNN) -- Philippine investigators on Monday were questioning a man whose apartment in Manila's lower middle-class Pandacan neighborhood they suspect to be the source of the "ILOVEYOU" virus.
The investigators searched the apartment after linking it to the virus through a rather basic invention: Caller ID.
Agents of the Philippines' National Bureau of Investigation said Reomel Ramones, 27, was "invited" to answer questions Monday; officers did not have arrest warrants for him.
The NBI's head of the computer crimes unit, Nelson Bartolome, said Ramones "opted to remain silent."
The person convicted of releasing the virus could face between six and 20 years in prison.
Girlfriend to be questioned
Ramones' girlfriend and owner of the apartment, Irene de Guzman, 23, also was making arrangements to make herself available for questioning.
NBI officers raided the couple's apartment after obtaining a search warrant to look for the machine they believed was used to create the virus -- a self-replicating "worm" that invaded millions of computers worldwide and caused uncounted millions in damage.
Toby Ayre, a spokesman for Sky Internet, the Philippines Internet provider that unknowingly carried a password-stealing second phase of the virus, said investigators didn't find a computer in the apartment but did find significant paper documentation.
Gil Alnas, the elected leader of the neighborhood, said the investigators took away a box with 17 items, including computer magazines, telephones, diskettes, wires and cassette tapes.
Officials said the woman who lived at the apartment was the owner of the computer, but that anyone using the machine could have created and released the virus.
At least three people had accounts on the machine, they said, also cautioning that evidence could have been removed from the machine.
A free-Internet scam
Investigators now theorize the virus, which has also come to be known as the "Love Bug," was actually a scam designed to get the originator free Internet access.
When the virus was activated, in addition to destroying files and replicating itself, it accessed a program that would search out login names and passwords, then mail them back to the Love Bug's author. Armed with that information, the perpetrator could use any victim's Internet account to surf for free.
That part of the virus had been uploaded onto the servers of Internet Service Provider Sky Internet, according to Ayre, a technical consultant to the company, and ultimately led to the suspects in the Philippines.
"Within 12 hours of the virus release, we knew whodunit," Ayre told CNN.com.
Trapped by Caller ID
Ayre said the virus was uploaded to Sky Internet's servers via another ISP, Impact, in two parts beginning April 28, and that the phone numbers used to upload the virus matched a number banned from Sky Internet on April 1 for hacking into their servers. The phone numbers were traced back to the apartment using Caller ID.
"We can conclusively trace (the break-ins) to that number," Ayre said. He also says that phone records at Sky Internet and Impact "matched up perfectly" to point to the raided apartment.
Ayre said a European ISP notified Sky Internet of the virus, and it was quickly disabled. That portion of the virus affected only about 2,000 people worldwide, mostly in Europe and Asia, he said, and the company is in the process of notifying all of those victims.
"If he was smart," Ayre said, "he could have used one of the smaller ISPs that didn't have Caller ID."
Lack of computer-crimes law
The Love Bug, which replicated itself and forwarded copies to addresses in computer users' e-mail address books, swept around the world with surprising speed last week. Millions of unsuspecting victims opened the e-mail, which bore the subject line "ILOVEYOU" and often came from someone known to the user.
The virus also corrupted some files stored on hard drives, particularly picture .jpg files and sound .mp3 files. But a second part of the virus, disabled before it could do widespread damage, would have been far more damaging.
The first two lines of computer code for the virus indicated that the author was called "Spyder" and was in Manila. That part of the code also revealed that Spyder belongs to the GRAMMERSoft Group, a virus-writing club.
The "Spyder" nickname is used in an ICQ (an Internet messaging service) account associated with the e-mail address firstname.lastname@example.org. The owner of Philippines ISP Super.Net confirmed it belonged to a resident of the Pandacan neighborhood of the capital. The same person owns another e-mail account on the same system, email@example.com. The password-stealing second part of the virus attempts to e-mail a user's passwords to this e-mail address. Both of the "Spyder" addresses have now been frozen.
Investigators were hampered by the lack of a Philippine law that specifically addresses computer crimes. The warrant was finally sought under the "Access Device Act."
The Access Devices Regulation Act of 1998 is written chiefly to target credit card fraud but also covers the use of any unauthorized access device in order to obtain goods or services, according to the Chan Robles Virtual Law Library. With stolen user names and passwords, the virus author could have gained access to a multitude of computers. The penalties could range between fines of 10,000 Filipino pesos or twice the value obtained by the offense, and anywhere from six to 20 years in prison, dependent upon the portion of the act under which a suspect is charged.
A new regulation, known as the "Electronic Commerce Act," would prohibit hacking and other computer crimes but has not yet been passed by the Filipino congress.
Provider tries to regain subscribers
Now that Ayre is confident that authorities have found the source of the virus, he is focused on more practical concerns.
"We're relieved," he said, "but now the big challenge is not to let our business go under."
When system administrators around the world found that the virus was trying to get to Sky Internet in order to download a password-stealing program, their first response was to block the ISP. As a result, the many customers of one of the largest ISPs in the Philippines are finding themselves banned from every other computer on the Internet.
"Now we're trying to get them to change their minds," Ayre said.
Manila Correspondent Maria Ressa and Interactive Writer K.C. Wildmoon contributed to this report.
© 2001 Cable News Network. All Rights Reserved.