, SecurityFocus 2000-05-08
Search leads to one arrest with another on the way. No computer is found.
The Philippine National Bureau of Investigation arrested a 27-year-old man Monday in connection with the "LoveLetter" Internet virus that tore through computers all around the world last week.The NBI reportedly made the arrest while searching the Pandacan, Manila home of a 23-year-old woman whom they've identified as their chief suspect in the case. The woman has reportedly made arrangements to self-surrender to authorities today or tomorrow.
The LoveLetter virus spreads through email messages with the subject "ILOVEYOU," and the body "kindly check the attached LOVELETTER coming from me." The "love letter" attachment is a Visual Basic script, which, if executed, sends a single copy of itself to every email address in the victim's Microsoft Outlook address book -- the same tactic used with devastating success by the Melissa virus in March, 1999.
The program also attempts to propagate over Internet Relay Chat, and it writes itself over other programs on a victim's hard drive, while replacing files with common point-and-click extension like .mp3 with deceptively named decoy copies of itself.
Within the virus code the author identifies his or herself as "spyder" from Manila, Philippines, with an email address of ispyder@mail.com. The author dates the code March, 2000. Another comment in the program reads, "i hate go to school."
In addition to spreading virulently, the worm also sets the victim's Internet Explorer home page to another program at any one of four web accounts hosted by Sky Internet, a Philippine ISP. Sky Internet has since closed those accounts and blocked access to the program, which obtained victim's passwords for shared file systems, and emailed them to an account at another Philippine ISP owned by Access Net Inc.
Jose O. Carlotta, Chief Operating Officer of Access Net Inc., indicated in an email interview Monday shortly before the search and arrest that the account, and another used by the same person, may have provided a lead in the case. "[W]e furnished logs of public chat transmissions related to the use of the suspect accounts wherein the user of the said accounts revealed himself (sex deduced) as 23 years of age and living in Pandacan," wrote Carlotta, who was not aware that a specific suspect had been identified.
Investigators reportedly seized seventeen items in the search, but no computer.