U.S. authorities said Saturday they are helping police in the Philippines search for the creator of the most damaging computer virus ever, the "Love Bug" that swept around the world this week.
The identity of the programmer was still unclear. Security experts in the United States said clues in the virus code pointed to a student at a computer college in the Philippines, while a Swedish researcher said traces on the Internet pointed to a bored German exchange student.
The virus caused a flood of e-mails with the alluring subject line "ILOVEYOU" to course through computer systems in more than 20 countries on Thursday, overwhelming computer networks. Several variations appeared soon after, one masquerading as an e-mail joke, another as a receipt for a Mother's Day gift.
Anti-virus software maker Symantec said the latest variant of the virus poses as a warning message from their technical support team. Infected e-mails have the subject line "Virus ALERT!" and should be deleted.
In Washington, U.S. officials said they had turned over to Philippine authorities evidence from the virus' code suggesting that it might have originated in the Philippines. The officials cautioned Saturday that the evidence may be a ruse employed by the virus' author to mislead investigators.
Computer security company ICSA.net in Reston, Va., said comparisons of the "ILOVEYOU" virus with a password-stealing program written earlier suggested the author is a student at Amable Mendoza Aguiluz Computer College in the Philippines.
The Philippines' National Bureau of Investigation was following leads that the virus maker was a 23-year-old man who lives in Manila's lower middle-class district of Pandacan.
Bureau officials refused to comment on the progress of the investigation Saturday, but sources said agents could not obtain search or arrest warrants because courts were closed for the weekend.
"It's very difficult to say with any certainty that it is a Filipino," said Jose Carlotta, chief operating officer of Access Net, one of the Internet service providers used to launch the virus. The virus could have originated elsewhere and been sent to their computers before it was activated, he said.
Carlotta said the virus maker may have spread the virus in order to steal passwords so he could get free Internet access.
"He probably wasn't aware of the gravity of what he did," Carlotta said.
Meanwhile, Swedish researcher Fredrik Bjoerck said Saturday that sleuthing on the Internet allowed him to identify the virus maker as a German exchange student in Australia named Michael, probably in his 20s.
Bjoerck, a postgraduate student at Stockholm University, said he found postings in Internet discussion communities made from Access Net, and linked these to other postings and e-mails where "Michael" asked for programming tips that could have helped create the virus.
David Perry, a virus expert at computer security company Trend Micro Inc., said Bjoerck's detective work was "pretty good, but I don't know if you can make a legal case of it."
"People go out onto the Internet and leave incriminating evidence everywhere, because they don't realize how well tracked Internet e-mail is," Perry said. "There really isn't any privacy on the Internet."
Bjoerck said he had relayed some information to a colleague with contacts at the FBI, but he had not yet had formal contact with the agency. Bjoerck helped the FBI track down David L. Smith, the New Jersey programmer who released the Melissa e-mail virus that infected millions of computers in March 1999.
E-mails infected with the "Love Bug" reached 45 million e-mail users Thursday, according to one estimate, but the plague subsided fast.
"Things were pretty much winding down Friday, and it was our expectation that this was just going to be a normal weekend," said spokesman Bill Pollack at CERT, the government-chartered computer security team at Carnegie Mellon University in Pittsburgh.
Estimates of the worldwide damage from the virus range from hundreds of millions of dollars to $10 billion, mostly in lost work time.
|On the Net:|
National Infrastructure Protection Center
CERT Coordination Center
Anti-virus companies, including: