Police arrest 'ILOVEYOU' suspect

Police arrest 'ILOVEYOU' suspect

Summary: Philippine police took away a man in handcuffs following a search of the suspected 'ILOVEYOU' author's home.

SHARE:
MANILA -- The Philippine National Bureau of Investigation arrested a 27-year-old bank employee Monday in connection with the "ILOVEYOU" worm.

Police identified Romel Lamores of Pandacan, Manila, an employee of China Bank, as the suspected author of the virus that penetrated computers worldwide last week, including those of the Pentagon, CIA and British Parliament.

A young woman said to be his girlfriend will turn herself in later Monday, authorities said.

Ramon Abad, executive vice president of the local AMA Computer College, said the school is cooperating with the NBI's investigation into the virus' origin. The NBI reportedly gave the college a set of names to check against its student list, and two names were a match: One was a former student who dropped out, and the other was a graduate. Neither was female.

NBI Chief Federico Opinion said agents obtained a search warrant for Lamores' apartment after working three days to seize evidence that might point to the source of the virus.

Gil Alnas, chairman of the local residents' council, told reporters outside the home that criminal investigators had seized 17 items -- none of them a computer.

NBI officials said a search warrant was issued under the Access Device Act, which governs use of codes, account numbers and passwords giving access to different types of devices. The law provides for a maximum punishment of 20 years in jail.

A woman identified as Lamores' 23-year-old live-in girlfriend, also being sought by Philippine authorities, will turn herself in, police said Monday. "She will be coming," Opinion told reporters. He said she had sent a message through legal counsel that she would turn herself in either later on Monday or on Tuesday.

Historically, women have not been part of the virus-exchange scene. IBM researcher Sarah Gordon, whose has compiled profiles of virus writers, found hardly any women participating in virus creation or distribution.

"In conversations with dozens of individuals involved in the virus writing culture, we have found only two instances of 'direct' female involvement," Gordon wrote in a 1994 paper that profiled the "generic" virus writer.

The "Love Bug" is the most virulent computer virus ever created.

It was quickly traced back to the Philippines, and the NBI began surveillance of the suspect -- identified as a young computer student from a middle-class family -- on Saturday.

But authorities were unable to obtain a search warrant until Monday because under its laws computer hacking is not a crime.

Newspapers said it was the first time the NBI had investigated a case of computer crime and that a lack of experience may have hamstrung detectives.

Earlier, detectives said it was possible the female suspect might not be responsible for the computer attack but that her computer had been used.

"It was only (her) computer used to launch the virus that was traced, but anybody could use that computer," an official said. "The user here is invisible; it could be anybody. The difference is that the person we have identified is the registered owner of that computer."

The official also said that, given the massive international publicity over the case, the author of the virus could have erased any incriminating evidence by now.

The Washington Post reported that the FBI traced the virus to the Philippines through a fairly obvious electronic trail and was ready to seize computers used in the attack once it got permission.

FBI agents were assisting Philippine authorities in the investigation, said Nelson Bartolome, head of the NBI's anti-fraud and computer crimes division.

"They are providing us with technical expertise on computers. They will help analyze the seized evidence, if ever we get it," Bartolome told Reuters.

The evidence tracked by investigators most likely involve six pieces of information included in the ILOVEYOU worm and its downloadable component -- the password-sniffing Trojan, WIN-BUGSFIX.exe:

The apparent alias of the writer: "spyder."

An e-mail address in the worm: ispyder@mail.com.

An e-mail used by the Trojan as a destination for sniffed passwords: mailme@super.net.ph.

A name: "Barok."

A phrase: "i hate go to school."

A group's name: GRAMMERSoft.

Spyder is assumed to be the author of the worm. While little is known about him or her, a hacker known as Spyder released a program named Barok 2.1 on the Internet in January. The function of the Barok program resembles the downloadable component of the worm, known as WIN-BUGSFIX.exe. A look at the object code of that component reveals that it contains the phrase:

"barok... i hate to go to school suck - by spyder @Copyright (c) 2000 GRAMMERSoft Group-Manila, Phils"

The same phrase can be found in Barok 2.1 as well. In fact, the WIN-BUGSFIX.exe program and the remote component of Barok 2.1 -- known as the server -- differ by 4 bytes. That almost proves beyond a doubt that the author of Barok 2.1 and the ILOVEYOU virus are one and the same: spyder.

Barok 2.1 seems to have been created expressly for the virus. A previous version released in January, Barok 2.0, has another line within the "server" code:

"BAROK -- student of amacc mkt. phils - by: spyder @Copyright (c) 2000 GRAMMERSoft Group"

In Sweden, a computer expert said on Saturday he believed an 18-year-old German exchange student in Australia was responsible for the virus. Australian Federal Police said Sunday they had been given no firm evidence to back up the allegation.

Rob Lemos of ZDNet News and Reuters contributed to this report.

Topics: Malware, Banking, Security, Servers, Philippines

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion