Authorities in the Philippines are investigating a bank employee and his alleged live-in partner as well as 10 students of the AMA Computer College (AMACC) for possibly spreading the devastating ILOVEYOU worm that caused billions of dollars in damage to computer systems worldwide.

The subject of the e-mail seemed harmless enough – the simple words “I Love You” – but in its attachment lurked code that has spread around the world, resulting in security supplier Web sites becoming overloaded by companies clamouring for a cure.

Reomel Ramones, an employee of the Equitable Bank’s computer division, and his live-in partner Irene De Guzman, were charged with violating Republic Act 8484 or the Access Devices Regulation Act of 1998. The National Bureau of Investigation (NBI) had earlier arrested Ramones at his house in Pandacan, Manila, but the DOJ decided to release him after 24 hours in custody.

At press time, the NBI had not been able to catch De Guzman, who did not surrender to the NBI despite promising through her counsel that she would show up at the NBI office shortly after Ramones was arrested.

The NBI is also gathering evidence against 10 students of the AMACC. The students were picked out based on information provided by Internet service provider Sky Internet, which was used by the worm author to store and send out the malicious files.

The Royal Canadian Mounted Police (RCMP), at the request of the Federal Government, investigated and analysed the virus, which ripped through business and personal systems beginning on May 4th.

Similar to Melissa

Paul Teeple, officer in charge of the RCMP’s Technical Security Branch in Gloucester, Ont., said the outbreak could be compared to the Melissa virus, which had caused extensive damage to business systems last year.

“It has that kind of look, and we’ve all been through that,” Teeple said.

Jim Hurley, managing director of security practice with the Aberdeen Group in Boston, agreed LoveLetter is similar to Melissa in that the virus is more a combination of a Trojan horse and worm.

He cautioned that even users who do not use Microsoft Outlook would be affected, as the virus targets Windows operating systems. “You’re going to get croaked if your mail system is on.”

Islandia, N.Y.-based Computer Associates (CA) warned that Windows 98 and Windows 2000 are targets, along with Windows NT 4 and 95 if a VBS host engine is installed.

The LoveLetter virus appears as an e-mail with the subject “ILOVEYOU” and a message that says, “kindly check the attached LOVELETTER coming from me.” The attachment is named “LOVE-LETTER-FOR-YOU.TXT.vbs.”

Worm Mutations

Several worm variants have cropped up. In one, the virus appeared as a confirmation of an apparent order for a “Mothers Day diamond special.” The message arrives with a subject line reading “Mothers Day Order Confirmation,” and once opened it offers an attached file, called mothersday.vbs, that appears to be an invoice. Another has the subject line, “Susitikim shi vakara kavos puoduki,” and yet another variant has a subject field of “fwd: Joke,” with an accompanying attachment called “Very Funny.vbs.” The final variant is identical to the original worm but has been slightly modified in an effort to make it undetectable to some antivirus programs.

The Worm sends itself to all recipients found in a Microsoft Outlook address book. According to officials at CA, the Worm has the potential to overload e-mail servers due to the volume of mail sent out automatically, the company said in a release.

“I think we’re all starved for affection,” Michael Foulkes, executive vice-president for TD Financial Group in Toronto, said, referring to how the virus spread so quickly and easily. Foulkes admitted the virus hit the TD Bank, residing in the mail systems and networks.

“We’re not alone in that by any stretch of the imagination. It doesn’t affect customers at all and we’re whacking it down with the usual antivirus software,” Foulkes said.

The Worm also sets the default page of Internet Explorer to get a copy of WIN_BUGFIX.exe, warned CA. The Worm searches through the all subdirectories and overwrites all files with the extensions .JPG, .VBS, .JS, .JSE, .CSS, .WSH, .SCT, .HTA, .MP3, and .MP2 with its own copy. The next time the affected file is clicked or activated, the Worm will execute. If the Internet Relay Chat (IRC) client is present in the system the Worm will generate an HTML file to send itself over the IRC channels.

Although there are suspects now in custody, others have also been identified by computer experts around the world. Swedish security specialist Fredrik Bjorck, who helped track down the author of the Melissa virus, said that a German exchange student living in Australia was the author of the worm. Another report surmised that the real culprit was a 23-year-old male in Pandacan who is or was a student of AMACC.

– With files from Stewart Brown,