Home & Office

ISP confirms bug's Filipino connection

Sky Internet of Quezon City says it traced downloads to another provider -- and user of its hosting service
Written by Robert Lemos, Contributor

Sky Internet, the Quezon City, Philippines, Internet service provider that inadvertently hosted some of the "ILOVEYOU" worm code, said late Thursday that the company has tracked the bug to another hosting service, but its efforts have apparently stopped there.

"Our service was used as a gateway," said Ronald Eociario, a system administrator for the ISP. "We already have pinpointed the (suspected source)."

Eociario said he used log files to track the account's users to another ISP in the Philippines, but "we're not sure whether they're the (originating) host."

Instead, the worm writer could have obfuscated his identity by passing through several accounts before creating the four accounts that contained the code. That's a common practice among traditional network attackers.

The worm, which is officially called W95.ILOVEYOU.bin.worm and VBS_Loveletter-o, contacts one of four Web pages hosted on Sky Internet to download malicious code, in addition to its e-mail-spamming and infection components. Researchers have determined that the code copies system passwords and forwards them on to an email address based in the Philippines. Sky Internet has since taken the file -- called WIN-BUGSFIX.exe -- offline.

The four Web pages that acted as remote download sites for the worm have been shut down, Eociario said.

Early worm catches the user?

Sky Internet first noticed the effects of the worm when traffic spiked at 4 p.m. local time (1 a.m. PST) on Thursday, signalling that a large number of computers had been infected and were dialing in to be "updated."

The ILOVEYOU worm first hit companies in Asia early Thursday morning and moved through Europe and then the United States as workers opened their early morning email. The worm activates when users click on an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs," replacing files with its code, mass mailing itself out and then attempting to connect to the servers in the Philippines.

Researchers confirmed that WIN-BUGSFIX.exe installs itself and then attempts to copy passwords. The passwords are then e-mailed to another account in the Philippines.

The National Infrastructure Protection Centre, an agency jointly run by the FBI and the Department of Justice, said they were investigating the issue, but would not give details.

What do you think? Tell the Mailroom. And read what others have said.

Go to our ILOVEYOU Special Report

Editorial standards