When Love Came to Town: A Virus Investigation

Here's a chronology of the investigation of the Love Bug virus, the most prolific virus of 2000.

Kim Zetter, PCWorld.com

The swiftness with which the LoveLetter virus spread in May 2000 was a headache to system administrators scrambling to contain it, but its speed was actually a boon to investigators trying to track its source; it meant that the virus trail was still hot. In the early days of viruses, it would take months or years for malicious code to spread and make itself known, so by the time investigators attempted to trace the virus, its trail was gone. In the case of LoveLetter, timeliness and other factors led to the quick capture of a suspect. Here's a snapshot of the virus outbreak and the subsequent investigation. (All times and dates are EDT.)

Wednesday, May 3, 2000: An electronic virus appears in computers in Asia and Europe. Among those hit are the European offices of Lucent Technologies, Credit Suisse, and the German subsidiary of Microsoft.

Thursday, May 4, 4:12 a.m.: The European offices of antivirus companies receive the first calls from clients who have been infected by the bug. By 5 a.m., researchers have begun to analyze the virus code for clues about how it works. (See "Renamed Love Letter Worm Still Spreads.")

Initial analysis reveals that the virus is written in Visual Basic Script and arrives as an e-mail attachment named LOVE-LETTER-FOR-YOU.TXT.vbs. Because Windows' default settings hide file extensions, many users don't see the .vbs on their screen and take the attachment for a plain text file. (VBS stands for Visual Basic Script, the most common language in which viruses are written.) When recipients click on the attachment, the virus uses Microsoft Outlook to send itself to everyone in the user's address book, then contacts one of four Web pages hosted on Sky Internet, an Internet service provider in the Philippines. From these pages, the virus downloads a Trojan horse named WIN-BUGSFIX.exe, which collects usernames and passwords stored on the user's system and sends them to an e-mail address--mailme@super.net.ph--in the Philippines.
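The hidden-extension trick described above, as an added defender's example that is not from the original article: a small Python checker that reconstructs what Windows shows for an attachment name when extensions are hidden, and flags names whose real (last) extension is a script or executable type while the visible part looks like a harmless document. The extension lists and the sample attachment names are assumptions constructed for the example.

```python
"""Flag e-mail attachment names that rely on hidden file extensions.

Added example, not code from the original article. With Windows'
default "hide extensions for known file types" setting,
LOVE-LETTER-FOR-YOU.TXT.vbs is displayed as LOVE-LETTER-FOR-YOU.TXT,
so the user believes it is a text file while the .vbs actually runs.
"""

# Extensions that execute code when opened (assumed list for the example).
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh",
                     "exe", "scr", "pif", "bat", "cmd"}
# Extensions a user expects to be passive documents (assumed list).
BENIGN_EXTENSIONS = {"txt", "doc", "xls", "pdf", "jpg", "gif", "htm", "html"}


def displayed_name(filename: str) -> str:
    """Name as shown with extensions hidden: the final extension is
    stripped, everything before it (including earlier dots) is kept."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


def analyze_attachment(filename: str) -> dict:
    """Classify one attachment name; the true extension is the last one."""
    name = filename.strip()                 # ignore padding around the name
    parts = name.split(".")
    true_ext = parts[-1].lower() if len(parts) > 1 else ""
    shown = displayed_name(name)
    shown_ext = shown.rpartition(".")[2].lower() if "." in shown else ""
    executable = true_ext in SCRIPT_EXTENSIONS
    return {
        "filename": name,
        "displayed_as": shown,
        "true_extension": true_ext,
        "executable": executable,
        # the dangerous case: runs code but looks like a document
        "deceptive_double_extension": executable and shown_ext in BENIGN_EXTENSIONS,
    }


def flag_attachments(names) -> list:
    """Return the attachment names a mail filter should quarantine."""
    return [a["filename"] for a in map(analyze_attachment, names) if a["executable"]]


# Constructed sample names: the LoveLetter attachment, its Trojan,
# an ordinary text file and a name with no extension at all.
SAMPLE_ATTACHMENTS = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "WIN-BUGSFIX.exe",
                      "itinerary.txt", "README"]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        print(analyze_attachment(n))
    print("flagged:", flag_attachments(SAMPLE_ATTACHMENTS))
```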

7 a.m.: Antivirus vendors begin to distribute a definition for the virus to their clients, but it's already too late for companies on the U.S. East Coast, where love-starved workers are opening their e-mail. In Melbourne, Australia, at the office of travel guide publisher Lonely Planet, a worker clicks on the attachment and within minutes the virus mails itself to more than 100 guidebook authors spread throughout the world. One author later remarks, "I should have suspected something was wrong the minute I saw that it was a love letter from my editor." To avoid further infection, the company sends workers home while it cleans out the mail system. (See "I Was Bitten by the Love Bug.")

1 p.m.: Amorous words are on everyone's lips as the virus spreads from mailbox to mailbox in the United States, including those at the Pentagon and the CIA. The FBI's National Infrastructure Protection Center (NIPC) launches an investigation to track down the distributor of the virus. If caught on American soil, the perpetrator will be charged under the federal Computer Fraud and Abuse Act.

4 p.m.: The first LoveLetter variant appears, with "Very Funny Joke" replacing "I Love You" in the subject line.

6:40 p.m.: Antivirus companies begin posting definitions for LoveLetter to their Web sites for general users to download. By the end of the day, some 20 countries have reported infections. (See "Love Letter's Fallout Continues.")

Friday, May 5: Nine more variants of the virus appear, including the Mother's Day variant (timely, since Mother's Day is nine days away). It informs recipients that $326.92 has been charged to their credit card for a "mother's day diamond" order, and includes a note to see the attached invoice. When users click on the attachment, the virus destroys system files necessary for booting. Another variant comes disguised as a message from Symantec's tech support office. Click on the attachment, it says, and receive an I Love You update to your Norton antivirus software. (See "Virus Spreads to New Digital Envelopes.")

Tuesday, May 9: Reports of virus infections begin to subside. (See "Recovery From Love (Bug) Sickness.")

Wednesday, May 10: To date, 29 variants of the virus are reported, and first estimates place the number of infected machines at about half a million worldwide. (See "'Love Bug' Spawns a New Friend.")

Thursday, May 18: Just as the outbreak begins to subside, NewLove appears, which seems to be a variant of LoveLetter but is much more destructive. A polymorphic worm, NewLove alters its code each time it moves to another machine, making detection difficult. The virus, which appears to have originated in Israel, overwrites any files on the hard disk that are not in use at the time of infection. While NewLove's reach doesn't match LoveLetter's--a bug in the program causes it to kill the host computer before it can spread itself through e-mail--it does destroy the hard drives on thousands of computers, mostly in the United States. (See "Love Letter's Legacy.")

Looking for Love--The Investigation Begins

By the time Californians woke up to news of the virus, government and independent investigators around the world had determined two things about it: It was written by someone who goes by the handle "Spyder," and Spyder lives in the Philippines.

How did they know? Like most attention-seeking virus writers, the author conveniently left a "signature" in the source code; it states his handle, e-mail address, and hometown--Manila. Furthermore, the text identifies Spyder as a member of a small programmers' group called GRAMMERSoft. Here's how it looks in the code:

    rem barok-loveletter(vbe)

    rem by:spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines

"He at least cut [the search] down to one city and 10 million people for us," laughs Richard Smith, who with five others conducted an investigation in parallel with the FBI's and notified Mail.com, the domain for Spyder's e-mail account. Smith is a privacy watchdog who last year uncovered attempts by RealPlayer to siphon information from users about the music they downloaded and who also helped investigators find David L. Smith (no relation), who was convicted of distributing the Melissa virus in 1999. (See "Melissa Creator Pleads Guilty.")

ISP Acts Swiftly

Within minutes after LoveLetter began infecting computers, the Philippine ISP Sky Internet noticed increased traffic to its servers. Thousands of computers across Asia and Europe had begun dialing into four Web pages hosted by the ISP, where they auto-downloaded a Trojan horse posted by the LoveLetter writer.

Acting swiftly, the company's staff took down the pages and began tracking the origin of the virus and Trojan horse by examining their log files. They traced the posting to a prepaid ISP account at Supernet, another provider in the Philippines, where the virus was launched from two e-mail accounts--spyder@super.net.ph and mailme@super.net.ph. The prepaid account allowed the virus writer to maintain anonymity, but it also indicated that he was probably local, confirming the Manila connection.

The next step was to glean more information about the author by looking for other references to the names Spyder and GRAMMERSoft on the Internet. Virus writers tend to be serial writers who reuse the same modus operandi, so researchers look for other postings by the same author for clues to their identity.

International Sleuths Team Up

Smith and five other sleuths, including a 27-year-old grad student at Stockholm University named Frederik Bjorck, searched newsgroups using the keywords Spyder, GRAMMERSoft, and barok (another word found in the source code). Within a day, Bjorck found a virus called Barok, which Spyder had posted four months earlier. Except for four bytes of code, Barok and the Trojan horse portion of LoveLetter shared identical code--nearly a perfect fingerprint match. A second version of Barok posted around the same time further identified the author as a "student of amacc mkt. Phils" and a member of GRAMMERSoft.

After a quick check, "amacc mkt." turned out to be the AMA Computer College in Makati City--a computer technician's college in a suburb of Manila. "So it went from 10 million people down to 10,000 people," says Smith, "and [then to] this computer college in Manila."

A little more sleuthing, adding the name of the college to the search terms, revealed a posting by another student from the school who also claimed membership in GRAMMERSoft. That student included his real name in the code, as well as the names of dozens of other people he knew.

Investigation Draws Broad Cooperation

By that time, the LoveLetter investigation was being conducted on various fronts. While the press conducted its own search, the FBI, the Philippines National Bureau of Investigation (NBI), and the ISPs conducted theirs. All parties shared notes in what Smith described as a "morphic exchange of information."

Meanwhile, the ISP Supernet had examined its call-in log files and was able to determine the phone number and PC from which the virus was sent. Armed with this information, the NBI was able to pinpoint an apartment in the Pandacan district of Manila. On Saturday, May 6, Manila police set up surveillance on the apartment while waiting for a search warrant to come through on Monday. Among the suspects the police were focusing on was a female resident of the apartment, who police claimed was the registered owner of the computer used to launch the virus.

Smith's group gave the FBI the list of names they'd found in Barok, which the Manila police compared to the enrollment list at AMA Computer College. Two names on the list matched those of students.

Initial Arrest Raises Questions

On Monday, May 8, search warrant in hand, NBI agents raided the apartment of 27-year-old Reomel Lamores, an employee at China Bank, whom they believed to be Spyder. Lamores's 23-year-old live-in girlfriend, Irene de Guzman, was named as another suspect. Lamores claimed mistaken identity and said that neither he nor his girlfriend was responsible for the virus, but he wouldn't say who was. Police found no computer in the apartment where Lamores and de Guzman lived, but they did seize a computer disk that turned out to contain a virus similar to LoveLetter. In the absence of harder evidence, however, authorities released Lamores on May 9, pending further investigation. (See "'Love Bug' Suspect in Custody.")

Since Lamores was not a student at the AMA college, Smith believed authorities had the wrong person. Among the names that Smith's group turned over to the FBI was Onel de Guzman, who had been a student at the college and who shared the apartment with Lamores and Irene de Guzman. "[W]e assumed that Irene must be [his] sister," said Smith, "and [since] girls don't write viruses, we assumed [the writer] was him."

On May 10, the AMA Computer College revealed that Onel de Guzman had submitted a thesis proposal on a virus that would download a Trojan horse to capture network passwords (a mirror of what the LoveLetter did). The proposal was rejected by de Guzman's instructors because it advocated illegal activity.

The news of de Guzman's involvement elicited mixed local reactions. Fellow students at AMA lauded him as a hero, and an editorial in the Philippine Star acknowledged him for putting the Philippines on the map and proving "that the Filipino has the creativity and ingenuity to turn... the world upside down."

Accidental Attack Acknowledged

On May 11, faced with a list of circumstantial evidence, de Guzman admitted that he may have released the virus accidentally while fooling around with other members of the GRAMMERSoft group, but he sidestepped the issue of whether he wrote it. On June 7, charges against Lamores were dropped, and authorities warned that charges against de Guzman were pending.

Problems then arose over the lack of a Philippine law that could be used to charge de Guzman--one prohibiting hacking or the spreading of viruses. A bill covering virus activity was pending in the Philippine Congress, but until such a law existed the suspect also could not be extradited to the United States, since extradition requires that the act be a crime in both countries.

On June 14, under political and international pressure, Philippines President Joseph Estrada pushed through the E-commerce Act, which carries a maximum three-year jail term for convicted hackers, along with a fine starting at $2350. The law, however, could not be applied retroactively to de Guzman.

On June 29, lacking any other law with which to prosecute him, authorities charged de Guzman under the Access Devices Act of 1994, which outlaws the illegal use of account numbers and passwords--a law that generally applies only to credit-card theft. (See "'Love Bug' Suspect Charged.") They were ultimately forced to drop the charges, however, after concluding that the law could not be applied in this case.

©2009 About.com, a part of The New York Times Company.

All rights reserved.