
Focus of 'ILOVEYOU' investigation turns to owner of apartment

May 10, 2000
Web posted at: 11:17 AM EDT (1517 GMT)


In this story:

Program displays resumé, threat

Thesis program was similar to virus

Was virus a prank that went haywire?



(CNN) - A relative of one of the people named in the "ILOVEYOU" virus investigation is linked to another, similar virus, according to the virus text and investigators. The same man, Onel de Guzman, also owns the apartment that was raided by Philippine authorities earlier this week.


The "ILOVEYOU" virus, in its first line, mentioned "GRAMMERSoft Group," based in Manila, Philippines. An official at AMA Computer College in the Philippines said the group wrote programs for small- and medium-sized businesses and also wrote thesis projects for computer students.

Nineteen-year-old Jonathan James of Sweden, one of the investigators who helped identify the author of last year's "Melissa" virus, has found a Trojan horse program released in January this year that steals usernames and passwords. He notes that it's very similar to "WIN-BUGFIX.exe," the password-stealing program that was unknowingly housed by Internet provider Sky Internet. The "ILOVEYOU" virus tried to make infected computers download and run "WIN-BUGFIX.exe," but system administrators at Sky Internet took it off their servers very early in the virus outbreak.

The January program, called "Barok," also contained a reference to "GRAMMERSoft Group." The word "Barok" was used, too, in the "ILOVEYOU" virus. CNN.com has seen each of the virus' texts and confirmed investigators' findings.

Program displays resumé, threat

Another program, a Microsoft Word macro virus previously released in the Philippines, occasionally displays a resumé in addition to its main purpose. James also found this threat:

"Warning: If I don't get a stable job by the end of the month I will release a third virus that will remove all folders in the Primary Hard Disk ..."

The resumé in the virus is that of "Michael I. Buen." Another "Melissa" researcher, Fredrik Bjorck of the University of Stockholm, had previously suggested that the "ILOVEYOU" virus may be named "Michael."

Buen and Onel de Guzman both attended AMA Computer College in the Philippines.

Further, the Michael Buen virus contains this acknowledgement:

"I'm thanking Byron for sharing his computer and ideas, book and time, I'm using his computer every Saturday and Sunday just to write this program. And to all GRAMMERSoft especially LIENQ, I know what the hell of hacking we are all doing but nevertheless it is still legitimate learning."

"Byron" is mentioned in the resumé portion, under "Character references." The next character reference is "Onel de Guzman."

This is the second time that that surname has come up in the investigation. Investigators have issued a subpoena for Irene de Guzman, who lived in the Manila apartment that was searched this week. Caller ID records from Sky Internet showed, "without a doubt," according to company spokesman Toby Ayre, that the perpetrator made the attack from that apartment.

Onel de Guzman is Irene de Guzman's brother, and the man also owns the apartment that was raided by police.

Authorities know where Onel de Guzman is, according to Toby Ayre, a spokesman for Sky Internet in the Philippines. Sky Internet was the Internet provider that unknowingly housed the "WIN-BUGFIX.exe" program. It is expected that he will be questioned soon.

Thesis program was similar to virus

Officials at AMA Computer College said Onel de Guzman proposed a thesis program while at the college that was very similar to the "ILOVEYOU" virus. That program, school officials said, was combined with Buen's program.

Manuel Abad, executive vice president at the AMA Computer College, said a program written by Onel de Guzman was apparently combined with a program written by Buen which duplicates files and is similar to "add-ons" found in the "love bug" virus.

Abad said the program was proposed by De Guzman, 23, as his thesis program, a requirement for his graduation from the college. "The program as described in the proposal is very similar to the workings of the 'I love you' bug -- so we disapproved it," Abad said.

The thesis proposal said the goal of the program was "to get Windows passwords" ... "to steal and retrieve Internet accounts of the victim's computer."

Faculty members of the college wrote on the proposal, "This is illegal" and "We don't produce burglars."

Abad confirmed that both Buen and Onel de Guzman are members of GRAMMERSoft. Abad said the group wrote programs for small- and medium-sized businesses and also wrote thesis projects for computer students.

Was virus a prank that went haywire?

NBI agents told CNN that the virus may have started as a prank by students who did not anticipate the damage it would cause.

AMA Computer College in the Philippines appears in both the "ILOVEYOU"-related Trojan horse program and the Buen macro virus. In the resumé, Buen lists his college experience at AMA. In "WIN-BUGFIX.exe," Massachusetts-based investigator Richard M. Smith found this signature:

"BAROK... student of amacc mkt. phils"

Smith believes that "mkt" refers to the city of Makati, where AMA Computer College has a campus.

Smith, Jones and Bjorck have been working together on the investigation, as they did in order to find convicted "Melissa" virus author David L. Smith last year. Richard Smith's exploits include the discovery that the music program RealJukebox was passing CD information to RealNetworks without the user's knowledge. That resulted in RealJukebox issuing an apology and a patch to the program. He was also instrumental in showing how Web banner ads maintained by advertising company DoubleClick grab personal information and send it off to that company.


