TECHNOLOGY
TOP STORIES

Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent

(MORE)

BUSINESS
Playing for Iraq's jackpot

Coke & smoke bite Dow

Sun Microsystems posts tiny profit

(MORE)

MARKETS	4:30pm ET, 4/16
DJIA	144.70	8257.60
NAS	3.71	1394.72
S&P	10.90	879.91

SPORTS
Jordan says farewell for the third time

Shaq could miss playoff game for child's birth

Ex-USOC official says athletes bent drug rules

(MORE)

All Scoreboards

WORLD

Quake help not fast enough, says Indian PM

U.S.

Bush: No help from Washington for California power crunch

POLITICS

Bush signs order opening 'faith-based' charity office for business

LAW

Prosecutor says witnesses saw rap star shoot gun in club

ENTERTAINMENT

Can the second 'Survivor' live up to the first?

HEALTH

Heart doctors debate ethics of testing super-aspirin

TRAVEL

Nurses to aid ailing airline passengers

FOOD

Texas cattle quarantined after violation of mad-cow feed ban

ARTS & STYLE

Ceramist Adler adds furniture to his creations

(MORE HEADLINES)

MAINPAGE WORLD U.S. WEATHER BUSINESS SPORTS

TECHNOLOGY

computing personal technology

SPACE HEALTH ENTERTAINMENT POLITICS LAW CAREER TRAVEL FOOD ARTS & STYLE BOOKS NATURE IN-DEPTH ANALYSIS LOCAL
EDITIONS:
CNN.com Europe change default edition
MULTIMEDIA:
video video archive audio multimedia showcase more services

E-MAIL:

Subscribe to one of our news e-mail lists.
Enter your address:

DISCUSSION:

chat
feedback

CNN WEB SITES:

CNNfyi.com
CNN.com Europe
AsiaNow
Spanish
Portuguese
German
Italian
Danish
Japanese
Chinese Headlines
Korean Headlines

TIME INC. SITES:

CNN NETWORKS:

CNN anchors
transcripts
Turner distribution

SITE INFO:

help
contents
search
ad info
jobs

WEB SERVICES:

Expert: Link in ILOVEYOU virus refers to Philippine university

May 6, 2000
Web posted at: 2:56 p.m. EDT (1856 GMT)

In this story:

Computer catastrophe avoided

Some suspect man in Manila

RELATED STORIES, SITES

By D. Ian Hopper, CNN Interactive Technology Editor

(CNN)-- According to a noted computer security investigator, another piece of malicious software linked to the "ILOVEYOU" computer virus, written by the same author, pinpoints a college in the Philippines.

When the ILOVEYOU virus runs, it attempts to change the user's start page to one of four pages, all located on one Internet provider in the Philippines -- Sky Internet. That page downloads and runs an executable file called WIN-BUGSFIX.exe.

It is that executable file program that scans a user's hard drive for username and password combinations, e-mailing them off to another e-mail address in the Philippines -- mailme@super.net.ph.

Sky Internet was tipped off to its involvement in the virus early in its infection by a European Internet provider, and only a few users downloaded the more dangerous part of the virus, according to Toby Ayre, a spokesman for Sky Internet.

"By 4:30 we had removed the (executable file). It only attacked a couple hundred people in Europe," Ayre said.

Computer catastrophe avoided

If that portion of the attack had reached more people, the results could have been catastrophic for computer users around the globe.

"I'm just happy the second part didn't hit the world," Ayre said. "It would have been extremely pathetic with 40 million people trying to change their passwords. Every password from every infected computer would have to be changed."

Computer security investigator Richard M. Smith, the man who identified the author of the infamous "Melissa" virus last year, says he has gone through the secondary payload's code and has found the same sort of signatures in the original ILOVEYOU virus text.

Both are signed by "spyder," Smith says, and make reference to a company in the Philippines called GrammerSoft Group. But the executable file also refers to "AMA Computer College," which is based in the Philippines.

Amable Mendoza Aguiluz Computer College has seven campuses in the Philippines, according to the college's Web site, and over 10,000 students. It offers four-year degrees in Computer Science and Computer Engineering.

The file specifically identifies the Quezon City campus of AMA Computer College. Sky Internet is also based in Quezon City.

Ayre told CNN.com that the person behind the virus had been trying to break directly into Sky Internet for some time, but his phone number was blocked from the provider's servers on April 1.

Then the author did an end run, breaking into the servers of Impact, another Manila Internet provider, in order to hop over to Sky Internet's network and place the file.

Some suspect man in Manila

Ayre said that Impact is cooperating with authorities, as is Sky Internet. The Philippine National Bureau of Investigation, Interpol, the FBI and the National Infrastructure Protection Center are working on the case.

Ayre says authorities told him a warrant will be served soon in the international investigation to find the creator of the virus.

Besides mailme@super.net.ph," the same person has a second e-mail address at the same Internet provider -- spyder@super.net.ph," according to Manuel Bong, a spokesman for Access Net, which owns Super.Net. Both viruses contain the text,"by: spyder."

Bong told CNN.com that his company believes the author is a 23-year-old man from the Pandacan neighborhood of Manila.

Although law enforcement sources in Washington also said investigators believe the virus may have originated with a young man in Manila, they caution that address codes can be faked.

Manila police said they are checking on a possible suspect but have made no arrests.