Information Security News mailing list archives

FBI investigates e-mails sent to virus author


From: William Knowles <wk () C4I ORG>
Date: Sun, 7 May 2000 15:20:43 -0500

http://www.techserver.com/noframes/story/0,2294,500201388-500278198-501478088-0,00.html

By OLIVER TEVES, Associated Press

MANILA, Philippines (May 7, 2000 12:21 p.m. EDT
http://www.nandotimes.com) - U.S. government agents are going over
logs of angry e-mails sent by victims of the "ILOVEYOU" computer virus
to its creator, who used Philippine e-mail addresses, a Philippine
Internet service provider said Sunday.

Jose Carlotta, chief operating officer at Access Net, said he gave six
to seven pages of e-mail logs to FBI agents Saturday.

"A lot of these messages were from irate victims," Carlotta said.
"They were either insulting him, or ironically, some were praising him
for writing such a brilliant virus. From all over the world this guy
was getting both curses and praises."

In Washington, the FBI's Michael Vatis, the agency's lead investigator
on computer viruses, confirmed Sunday that the two countries are
jointly investigating a single suspect but said no arrests had been
made.

"We'll have to wait and see how their investigation progresses before
we can say anything," Vatis said.

He did express concern about a weekend delay in obtaining a search
warrant from a Philippines court.

"One of the concerns we often have in computer crimes is getting to
the target computer before evidence is erased, before a hard drive is
discarded or the trail is covered up by the suspect," Vatis said.
"Time is a critical factor in all of these cases because the evidence
is fleeting."

The "ILOVEYOU" virus unleashed a flood of e-mail that hit at least 45
million users in at least 20 countries on Thursday, according to one
estimate. The virus started with "ILOVEYOU" in the subject line, but
several variations appeared soon afterward, including one masquerading
as an e-mail joke and another as a receipt for a Mother's Day gift.

He said the virus both replicates itself and steals the user names and
passwords of unsuspecting victims.

The e-mail replies from angry virus recipients to the creator passed
through a U.S. e-mail address, isp-adm () mail com, which then forwarded
them to the two Access Net e-mail accounts used by the virus creator -
spyder () super net ph and mailme () super net ph, Carlotta said.

The two Access Net accounts were used only as a "catch basin" to store
hacked information, Carlotta said. They had received about 2,500
messages each before they were disabled before dawn Friday.

Carlotta said he believes the virus was launched from other Internet
service providers but the virus programmer used Access Net as his
e-mail return address. Net Access offers prepaid e-mail accounts
activated with the purchase of a plastic card, much like a phone card,
without the buyer needing to give personal information.

Authorities are still unable to identify the programmer, but several
possible suspects have emerged.

The Philippines' National Bureau of Investigation was following leads
that the virus maker was a 23-year-old man who lives in Manila's lower
middle-class district of Pandacan. Calls to the officer in charge of
the investigation were unanswered Sunday.

Computer security company ICSA.net in Reston, Va., said comparisons of
the "ILOVEYOU" virus with a password-stealing program written earlier
suggested the author is a student at AMA Computer College in the
Philippines.

Computer colleges in the Philippines sometimes teach students how to
cope with viruses by having them first write their own. AMA officials
could not be reached Sunday for comment.

A Swedish researcher said Saturday that he had found postings on the
Internet pointing to a German exchange student in Australia as the
virus creator. He reported the information to the FBI, but Vatis said
he couldn't comment on the allegation.

"I would caution people to understand, though, that in these types of
cases where there is immense attention to it and it's worldwide, there
are a lot of allegations that come up, many of which turn out to be
baseless," Vatis said.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
