E-mail in 'ILOVEYOU' worm a dead end

Philippine-based Access Net aiding hunt for author but has little hope of success.
Written by Robert Lemos on
Philippine-based Internet provider Access Net Inc. has turned over all information regarding the owner of an e-mail account contained in the ILOVEYOU worm to a joint task force of Philippine law enforcement officers and U.S. embassy officials, a company executive said Thursday.

The Internet service provider (ISP) is connected to the worm through an e-mail address: mailme@super.net.ph. That's the address to which the worm sends passwords it captures from infected PCs and that corresponds to a free account provided by Super.Net, a subsidiary of Access Net, which sells Internet service through prepaid cards.

"Being a free account, the writer(s) obviously capitalized on the anonymity that he/she could maintain," said Jose O. Carlotta, chief operating officer for the Pasig City, Philippines, company, in an e-mail interview. "We do not require any information from the card buyer to create his/her e-mail account. Future access to the e-mail account (can) be done by access through another card or through another service provider."

Yet, the fact that a prepaid card had to be bought to establish the account ties the virus's author much more strongly to the Philippines. "Our cards are very popular and widely distributed in Metro Manila," said Carlotta.

However, Carlotta added a caveat. "The culprit could have ... hacked the password of this account," he said. "(That's) something he has done with impunity with accounts belonging to other post-paid service providers with whom the needed registration information is more stringent."

The author of the Melissa virus, David L. Smith, employed just that tactic, co-opting one user's America Online account and using it to initially spread the virus.

Sky Internet Inc., the Quezon City, Philippines, ISP that inadvertently hosted some of the ILOVEYOU worm code, said late Thursday that the company had tracked the user's account to another hosting service, but its efforts have apparently stopped there.

Ronald Eociario, a system administrator for the ISP, said he used log files to track the account's users to another ISP in the Philippines, but "we're not sure whether they're the (originating) host." Eociario could not confirm whether Super.Net hosted the suspected source account.

The worm, which is officially called W95.ILOVEYOU.bin.worm and VBS_Loveletter-o, contacts one of four Web pages hosted on Sky Internet to download malicious code, in addition to its e-mail-spamming and infection components. Researchers have determined that the code copies system passwords and forwards them on to an e-mail address based in the Philippines. Sky Internet has since taken the file -- called WIN-BUGSFIX.exe -- offline.

While the worm writer could have obfuscated his identity by passing through several accounts before creating the four accounts that contained the code -- a common practice among traditional network attackers -- the new information from Super.Net means that the worm's creator more than likely resides in the Philippines.

Beyond that, however, his -- or her -- identity remains a mystery. "We have done as much as we can from our end, and we are no closer to identifying a person or group of persons," said Access Net's Carlotta. "What we have learned is that quite a number of other accounts -- belonging to ISPs -- have been used as well for this purpose."

The ILOVEYOU worm first hit companies in Asia early Thursday morning and moved through Europe and then the United States as workers opened their early-morning e-mail. The worm activates when users click on an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs," replacing files with its code, mass-mailing itself out and then attempting to connect to the servers in the Philippines.

Researchers confirmed that WIN-BUGSFIX.exe installs itself and then attempts to copy passwords. The passwords are then e-mailed to the mailme@super.net.ph address at Access Net.
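The attachment name in the paragraphs above is the technique that made the worm spread: "LOVE-LETTER-FOR-YOU.TXT.vbs" reads as a text file when a mail client or Windows hides the final extension, but the part that runs is the trailing ".vbs". A mail gateway check that looks at every suffix of an attachment name rather than only the last one catches this class of disguise. The code below is an added example written for this article, not code from the original report or from any of the companies named in it; the extension lists and the sample message are constructed for the example.

```python
import email
from email.message import EmailMessage
from email.policy import default
from pathlib import PurePosixPath

# Script and executable extensions that a mail gateway would typically quarantine
# (assumption: a short list chosen for this example, not an exhaustive policy).
RISKY_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".exe",
              ".scr", ".pif", ".bat", ".cmd", ".hta"}

# Harmless-looking extensions used as a decoy in front of the real one,
# as in "LOVE-LETTER-FOR-YOU.TXT.vbs" (assumption: example list).
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".htm", ".html", ".mp3"}


def classify_attachment(filename):
    """Return 'ok', 'risky' or 'disguised' for an attachment filename.

    'disguised' means the executable extension is hidden behind a decoy
    extension, which is the double-extension trick the worm relied on.
    """
    # PurePosixPath.suffixes gives every dotted suffix, e.g. ['.TXT', '.vbs'].
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return "ok"
    real_ext = suffixes[-1]          # the extension the OS actually executes
    if real_ext not in RISKY_EXTS:
        return "ok"
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "disguised"
    return "risky"


def scan_message(raw_message):
    """Parse an RFC 822 message and return (filename, verdict) for each
    attachment that is not 'ok'. Inline text bodies are not attachments."""
    msg = email.message_from_string(raw_message, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        verdict = classify_attachment(name)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings


def build_sample_message():
    """Construct a sample message (not a real worm mail) with one disguised
    script attachment and one ordinary PDF, so the scanner can be run offline."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("Constructed message body for the example.")
    msg.add_attachment(b"' constructed placeholder, contains no script\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment(b"%PDF-1.4 placeholder",
                       maintype="application", subtype="pdf",
                       filename="agenda.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{verdict}: {name}")
```

The check is deliberately based on the last suffix, because that is what the operating system uses to pick an interpreter; the decoy list only upgrades the verdict from "risky" to "disguised" so an operator can see that the sender tried to hide the extension. A file named WIN-BUGSFIX.exe, the downloaded component the article mentions, is flagged as plain "risky" by the same function.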

Dow Jones reported that the Philippine National Bureau of Investigation has begun a search for the hacker after receiving a request from the U.S. Federal Bureau of Investigation.

The National Infrastructure Protection Center, an agency jointly run by the FBI and the Department of Justice, said it was investigating the issue but would not give details.
