On the trail of the ILOVEYOU author

Investigators on the hunt for the ILOVEYOU author believe they are close to nabbing their man. Or is it their woman?
Written by Robert Lemos, Contributor

Digital detectives are closing in on their man. Or is it their woman? As the computing world recovers from the debilitating effects of the ILOVEYOU virus late last week, investigators in the Philippines seem to have a bead on a woman who they believe could be the author.

Yet even at this late stage of the investigation, some cyber sleuths believe that investigators should turn their attention elsewhere. In this hunt for the perpetrator of the nasty virus that erupted with a vengeance Wednesday night, the portrait of the author has morphed almost as many times as the virus itself.

On Sunday, investigators reportedly believed the writer to be a Philippines-based female student at a local Makati City college, known as the AMA Computer College. Makati City is a suburb of Manila that is home to much of the foreign community residing in the Philippines and boasts a distinctive technological bent.

The evidence the investigators are following most likely revolves around six pieces of information included in the ILOVEYOU worm and its downloadable component -- the password-sniffing Trojan, WIN-BUGSFIX.exe:

  • the apparent alias of the writer: spyder;
  • an e-mail address in the worm: ispyder@mail.com
  • an e-mail used by the Trojan as a destination for sniffed passwords: mailme@super.net.ph
  • a name: Barok;
  • a phrase: 'i hate go to school'; and
  • a group's name: GRAMMERSoft.

    Spyder's history

    Spyder is assumed to be the author of the worm. While little is known about him/her, a hacker known as Spyder released a program, named Barok 2.1, on the Net in January. The function of the Barok program resembles the downloadable component of the worm, known as WIN-BUGSFIX.exe. A look at the object code of that component reveals that it contains the phrase:

    "barok... i hate to go to school suck -- by spyder @Copyright (c) 2000 GRAMMERSoft Group-Manila, Phils"

    The same phrase can be found in Barok 2.1 as well. In fact, the WIN-BUGSFIX.exe program and the remote component of Barok 2.1 -- known as the server -- differ by only 4 bytes. That leaves little doubt that the worm's Trojan was built from Spyder's Barok 2.1 code, and it is the basis for treating the author of Barok 2.1 and the author of the ILOVEYOU virus as one and the same: Spyder. One caveat applies: two near-identical binaries show that they share the same code, not by themselves that the person who packaged that code into the worm is the person who wrote it.
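    The two checks the article relies on at this point -- pulling the copyright phrase and drop address out of the object code, and counting the bytes by which WIN-BUGSFIX.exe and the Barok 2.1 server differ -- are routine malware triage. The script below is an added example, not code from the article or from the investigators; the two "binaries" it works on are constructed stand-ins built around the strings the article quotes, not the real WIN-BUGSFIX.exe or Barok 2.1 files, and the second is simply the first with four bytes altered to mimic the reported difference.

```python
"""Triage helpers: extract printable strings from a suspect binary,
count the bytes at which two binaries differ, and check for a list of
indicator strings. Added example with constructed sample data."""
import re
from typing import Dict, List, Tuple

# Constructed sample "binary": a few bytes of fake header and code wrapped
# around the kind of strings the article quotes. A stand-in for illustration
# only, not the real Barok 2.1 server.
BAROK_SERVER = (
    b"MZ\x90\x00\x03\x00\x00\x00"                  # fake DOS header stub
    b"\x55\x8b\xec\x83\xec\x10"                    # fake function prologue
    b"barok... i hate to go to school suck -- by spyder "
    b"@Copyright (c) 2000 GRAMMERSoft Group-Manila, Phils\x00"
    b"mailme@super.net.ph\x00"                     # drop address for sniffed passwords
    b"\xc9\xc3"                                    # fake function epilogue
)


def _patch(blob: bytes, offsets) -> bytes:
    """Flip every bit of the bytes at the given offsets (used only to build
    the constructed second sample)."""
    out = bytearray(blob)
    for off in offsets:
        out[off] ^= 0xFF
    return bytes(out)


# Constructed stand-in for WIN-BUGSFIX.exe: the first sample with four bytes
# altered, mimicking the "differ by 4 bytes" observation in the article.
WIN_BUGSFIX = _patch(BAROK_SERVER, (8, 9, 10, 11))


def strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def byte_diff(a: bytes, b: bytes) -> List[Tuple[int, int, int]]:
    """Offsets where a and b differ, as (offset, byte_in_a, byte_in_b).
    -1 stands for 'no byte here' when the two lengths differ."""
    diffs = [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
    for i in range(min(len(a), len(b)), max(len(a), len(b))):
        diffs.append((i, a[i] if i < len(a) else -1, b[i] if i < len(b) else -1))
    return diffs


# The six indicators the article lists, as a triage script would search for
# them. The worm-script address is included deliberately: it lives in the
# VBScript worm, not in the Trojan binary, so it should NOT match here.
INDICATORS: Dict[str, bytes] = {
    "alias": b"spyder",
    "worm e-mail": b"ispyder@mail.com",
    "trojan drop e-mail": b"mailme@super.net.ph",
    "name": b"barok",
    "phrase": b"i hate to go to school",
    "group": b"grammersoft",
}


def match_indicators(blob: bytes,
                     indicators: Dict[str, bytes] = INDICATORS) -> Dict[str, bool]:
    """Case-insensitive substring check for each indicator."""
    lowered = blob.lower()
    return {name: needle.lower() in lowered for name, needle in indicators.items()}


if __name__ == "__main__":
    diffs = byte_diff(BAROK_SERVER, WIN_BUGSFIX)
    print(f"{len(diffs)} differing byte(s) at offsets {[d[0] for d in diffs]}")
    for s in strings(WIN_BUGSFIX):
        print("string:", s)
    for name, hit in match_indicators(WIN_BUGSFIX).items():
        print(f"{name:20s} {'present' if hit else 'absent'}")
```

    Run against real samples, the same three functions give the raw facts an investigator would then have to interpret: a handful of differing bytes between two files says they were built from the same code, the recovered strings say what the author chose to leave in the binary, and the indicator table keeps straight which artifact each clue came from (the worm script versus the Trojan).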

    Barok 2.1 seems to have been created expressly for the virus. A previous version, Barok 2.0, released in January, has a different line within the 'server' code:

    "BAROK -- student of amacc mkt. phils -- by: spyder @Copyright (c) 2000 GRAMMERSoft Group"

    The abbreviation "amacc mkt. phils" reads naturally as AMA Computer College, Makati, Philippines, and a look at schools in the Manila area turns up exactly that: the AMA Computer College in Makati City. That's the school which investigators have now homed in on.

    Follow the email

    A separate line of inquiry in the Philippines is currently investigating the owners of three email accounts -- ispyder@mail.com, mailme@super.net.ph and spyder@super.net.ph -- and the source of four Web pages.

    Access Net, the Internet service provider (ISP) that owns Super.Net, stated on Friday that tracking the user through its servers is difficult. That's due to the fact that it provides service through prepaid cards. "Being a free account, the writer(s) obviously capitalized on the anonymity that he/she could maintain," said Jose O. Carlotta, chief operating officer for the Pasig City, Philippines, company, in a Friday email interview.

    "We do not require any information from the card buyer to create his/her email account. Future access to the email account (can) be done by access through another card or through another service provider."

    Yet, the fact that a prepaid card had to be bought to establish the account ties the virus's author much more strongly to the Philippines. "Our cards are very popular and widely distributed in Metro Manila," said Carlotta.

    However, Carlotta added a caveat. "The culprit could have ... hacked the password of this account," he said. "(That's) something he has done with impunity with accounts belonging to other post-paid service providers with whom the needed registration information is more stringent." With records of the phone calls used to access the service, the police believe they have found their man, er, woman.
