|Home » News » Roundups » ILOVEYOU
May 9, 2000 4:10 PM UTC
Philippine authorities were forced to release Reomel Ramones for lack of evidence. Another hearing is scheduled for May 19. Irene de Guzman was never apprehended.
Despite having their home under surveillance since last Friday, the NBI could not find anything directly linking Ramones and the de Guzmans to the ILOVEYOU worm.
The judge gave the NBI ten days to come up with something more substantial before dismissing the case unconditionally. According to one source, Irene de Guzman was never brought in for questioning, but was warned off by Ramones. According to another source, both de Guzman sisters were questioned.
Björck Wins Favor Again?
The NBI are now giving faint credence to the theory of Fredrik Björck, saying they 'do not totally dismiss this claim'.
In Australia authorities were still skeptical that the culprit was a German residing in their country. 'We have nothing to work on other than someone's point of view from a Stockholm university. We have no information from a credible source,' a spokesman for the Australian Federal Police said.
'There's been no direct contact. I believe the Swedish police have been speaking to him. If we had inquiries to make we'd make them through our liaison network overseas to the Swedish Police.'
The AFP has not contacted the Swedish expert or the Swedish police, according to the spokesman.
The clues used by authorities in their search for the ILOVEYOU author are anemic at best:
- The password-sniffing Trojan WIN-BUGSFIX.exe.
- The ostensible alias used: 'spyder'.
- Two email addresses: firstname.lastname@example.org and email@example.com.
- The phrase 'i hate go to school'.
- The name 'GRAMMERSoft Group'.
At first glance, not much to go on. But then this is not really the first appearance of 'Spyder' or WIN-BUGSFIX.exe either.
'Spyder' was on the net back in January with a program called Barok 2.1, which differs from WIN-BUGSFIX.exe by only four bytes. Moreover, both executables contain the phrase:
barok... i hate to go to school suck ->
by spyder @Copyright (c) 2000 GRAMMERSoft Group>Manila, Phils
Authorities say this is enough to tie 'Spyder' to ILOVEYOU, and that Barok was expressly developed for use with the worm. The previous version of Barok, 2.0, contains the phrase:
BAROK -- student of amacc mkt. phils ->
by: spyder @Copyright (c) 2000 GRAMMERSoft Group
Which is why the NBI has been looking at AMACC, the AMA Computer College in Makati City. Irene's sister Jocelyn graduated recently from AMACC.
The authorities are also trying to track three email addresses - firstname.lastname@example.org, email@example.com and firstname.lastname@example.org - as well as four web accounts. But tracking like this is difficult in the Philippines, where much of the Internet access is paid for by prepaid cards. The users retain nearly total anonymity.
'Being a free account, the writer(s) obviously capitalized on the anonymity that he/she could maintain,' said Jose Carlotta of Access Net. 'We do not require any information from the card buyer to create his/her email account. Future access to the email account (can) be done by access through another card or through another service provider.'
And if a prepaid card was used to access the accounts, then the user would have been in the Philippines. Yet there is no evidence that a prepaid card was ever used. Says Carlotta, 'The culprit could have hacked the password - something he has done with impunity with accounts belonging to other post-paid service providers with whom the needed registration information is more stringent.'
The Philippines authorities are under a great deal of pressure to solve the case, despite there being no way of knowing the culprit is in the Philippines, according to David Kennedy at ICSA.
'If they can keep the focus on the virus and off the hostages, the better it is for their national esteem. Any arrest they can make, even if it is the wrong guy, will help them.'