Skip to main content
ad info

 
CNN.com technology > computing
    Editions | myCNN | Video | Audio | Headline News Brief | Feedback  

 

  Search
 
 

 
TECHNOLOGY
TOP STORIES

Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent

(MORE)

TOP STORIES

More than 11,000 killed in India quake

Mideast negotiators want to continue talks after Israeli elections

(MORE)

MARKETS
4:30pm ET, 4/16
144.70
8257.60
3.71
1394.72
10.90
879.91
 


WORLD

U.S.

POLITICS

LAW

ENTERTAINMENT

HEALTH

TRAVEL

FOOD

ARTS & STYLE



(MORE HEADLINES)
*
 
CNN Websites
Networks image


Internet provider says Caller ID foiled 'Love Bug' author

i love you
 

May 8, 2000
Web posted at: 8:22 p.m. EDT (0022 GMT)


In this story:

Girlfriend to be questioned

A free-Internet scam

Trapped by Caller ID

Lack of computer-crimes law

Provider tries to regain subscribers

RELATED STORIES, SITES icon



MANILA, Philippines (CNN) -- Philippine investigators on Monday were questioning a man whose apartment in Manila's lower middle-class Pandacan neighborhood they suspect to be the source of the "ILOVEYOU" virus.

The investigators searched the apartment after linking it to the virus through a rather basic invention: Caller ID.

 VIDEO
VideoJakarta Bureau Chief Maria Ressa reports on the detention of a man suspected of creating the 'ILOVEYOU' virus.
Real 28K 80K
Windows Media 28K 80K
 
  ALSO
 
  QUICKVOTE
How many 'ILOVEYOU' e-mails did you get?

None
0-20
20-40
More than 40
View Results
 
MESSAGE BOARDS
 

Agents of the Philippines' National Bureau of Investigation said Reomel Ramones , 27, was "invited" to answer questions Monday; officers did not have arrest warrants for him.

The NBI's head of the computer crimes unit, Nelson Bartolome, said Ramones "opted to remain silent."

The person convicted of releasing the virus could face between six and 20 years in prison.

Girlfriend to be questioned

Ramones' girlfriend and owner of the apartment, Irene de Guzman, 23, also was making arrangements to make herself available for questioning.

NBI officers raided the couple's apartment after obtaining a search warrant to look for the machine they believed was used to create the virus -- a self-replicating "worm" that invaded millions of computers worldwide and caused uncounted millions in damage.

Toby Ayre, a spokesman for Sky Internet, the Philippines Internet provider that unknowingly carried a password-stealing second phase of the virus, said investigators didn't find a computer in the apartment but did find significant paper documentation.

Gil Alnas, the elected leader of the neighborhood, said the investigators took away a box with 17 items, including computer magazines, telephones, diskettes, wires and cassette tapes.

Officials said the woman who lived at the apartment was the owner of the computer, but that anyone using the machine could have created and released the virus.

At least three people had accounts on the machine, they said, also cautioning that evidence could have been removed from the machine.

Reomel Ramores
Authorities can detain Reomel Ramones, pictured above, for up to 36 hours  

A free-Internet scam

Investigators now theorize the virus, which has also come to be known as the "Love Bug," was actually a scam designed to get the originator free Internet access.

When the virus was activated, in addition to destroying files and replicating itself, it accessed a program that would search out login names and passwords, then mail them back to the Love Bug's author. Armed with that information, the perpetrator could use any victim's Internet account to surf for free.

That part of the virus had been uploaded onto the servers of Internet Service Provider Sky Internet, according to Ayre, a technical consultant to the company, and ultimately led to the suspects in the Philippines.

"Within 12 hours of the virus release, we knew whodunit," Ayre told CNN.com.

Trapped by Caller ID

Ayre said the virus was uploaded to Sky Internet's servers via another ISP, Impact, in two parts beginning April 28, and that the phone numbers used to upload the virus matched a number banned from Sky Internet on April 1 for hacking into their servers. The phone numbers were traced back to the apartment using Caller ID.

"We can conclusively trace (the break-ins) to that number," Ayre said. He also says that phone records at Sky Internet and Impact "matched up perfectly" to point to raided apartment.

Ayre said a European ISP notified Sky Internet of the virus, and it was quickly disabled. That portion of the virus affected only about 2,000 people worldwide, mostly in Europe and Asia, he said, and the company is in the process of notifying all of those victims.

"If he was smart," Ayre said, "he could have used one of the smaller ISPs that didn't have Caller ID."

Lack of computer-crimes law

The Love Bug, which replicated itself and forwarded copies to addresses in computer users' e-mail address books, swept around the world with surprising speed last week. Millions of unsuspecting victims opened the e-mail, which bore the subject line "ILOVEYOU" and often came from someone known to the user.

The virus also corrupted some files stored on hard drives, particular picture .jpg files and sound .mp3 files. But a second part of the virus, disabled before it could do widespread damage, would have been far more damaging.

The first two lines of computer code for the virus indicated that the author was called "Spyder" and was in Manila. That part of the code also revealed that Spyder belongs to the GRAMMERSoft Group, a virus-writing club.

The "Spyder" nickname is used in an ICQ (an Internet messaging service) account associated with the e-mail address spyder@super.net.ph. The owner of Philippines ISP Super.Net confirmed it belonged to a resident of the Pandacan neighborhood of the capital. The same person owns another e-mail account on the same system, mailme@super.net.ph. The password-stealing second part of the virus attempts to e-mail a user's passwords to this e-mail address. Both of the "Spyder" addresses have now been frozen.

Investigators were hampered by the lack of a Philippine law that specifically addresses computer crimes. The warrant was finally sought under the "Access Device Act."

The Access Devices Regulation Act of 1998 is written chiefly to target credit card fraud but also covers the use of any unauthorized access device in order to obtain goods or services, according to the Chan Robles Virtual Law Library. With stolen user names and passwords, the virus author could have gained access to a multitude of computers. The penalties could range between fines of 10,000 Filipino pesos or twice the value obtained by the offense, and anywhere from six to 20 years in prison, dependent upon the portion of the act under which a suspect is charged.

A new regulation, known as the "Electronic Commerce Act," would prohibit hacking and other computer crimes but has not yet been passed by the Filipino congress.

Provider tries to regain subscribers

Now that Ayre is confident that authorities have found the source of the virus, he is focused on more practical concerns.

"We're relieved," he said, "but now the big challenge is not to let our business go under."

When system administrators around the world found that the virus was trying to get to Sky Internet in order to download a password-stealing program, their first response was to block the ISP. As a result, the many customers of one of the largest ISPs in the Philippines are finding themselves banned from every other computer on the Internet.

"Now we're trying to get them to change their minds," Ayre said.

Manila Correspondent Maria Ressa and Interactive Writer K.C. Wildmoon contributed to this report.



RELATED STORIES:
Clues lead to ILOVEYOU writer's older, cruder work
May 6, 2000
Authorities may be zeroing in on ILOVEYOU suspect
May 5, 2000
Copycat viruses following 'ILOVEYOU' computer bug are no joke
May 4, 2000
Government computers: The ultimate hackers' proving ground
March 23, 2000
'Melting Worm' slithers into the wild
March 17, 2000
Viruses boom on the Net
January 18, 2000

RELATED SITES:
Federal Bureau of Investigation
F-Secure Web - Main index
   • F-Secure Virus Info Center
Symantec Worldwide Homepage
   • Symantec AntiVirus Research Center
Norman
National Infrastructure Protection Center
CERT Coordination Center
Trend Micro
Symantec
Network Associates

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

 Search   

Back to the top  © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.