The Mother’s Day virus is a variant of the original I Love You virus.

Computer bug troubles persist as tricky mutations make the rounds.

An article by Bob Sullivan, MSNBC

U.S. investigators have told NBC News’ Pete Williams they have identified a suspect they believe is responsible for the ILOVEYOU virus. “We’re convinced,” the virus attack originated in the Philippines, said one official, who added the suspect won’t be identified until a search warrant is executed. Meanwhile, there are now five known variants of the bug, including one that tries to trick victims into opening an attachment by claiming it’s a bill for diamonds purchased at a special Mother’s Day price.

U.S. FEDERAL AGENTS, working in cooperation with local authorities, were led to the suspect by electronic evidence, NBC’s Williams was told. The official, who requested anonymity, added the FBI is now seeking a search warrant and is waiting only for authority from Philippines judges before they serve the warrant.

Meanwhile, anti-virus experts say computer administrators around the world are continuing to fight the Love Bug, which now comes in five flavors, including the more dangerous “Mother’s Day” mutation.

“We’ve seen the situation just get worse in Asia and Europe during Friday,” said Mikko Hypponen, manager of anti-virus research at F-Secure Corp. “With four new variants out after the original one, it’s getting more and more difficult for end users to know which e-mail to avoid.”

Beginning of Mother’s day threat text:

The latest variant might cause the most trouble. It attempts to prey on consumer fears of erroneous credit card charges and arrives with the subject line “Mother’s Day Order Confirmation.” The body of the message then tells the potential victim: “We have proceeded to charge your credit card for the amount of $326.92 for the mothers day diamond special. We have attached a detailed invoice to this email. Please print out the attachment and keep it in a safe place. Thanks Again and Have a Happy Mothers Day! mothersday@subdimension.com.”

The attached file, mothersday.vbs, is very similar to the original ILOVEYOU virus but is considerably more destructive. It sets out to delete all .INI and .BAT files from all local and network drives. Removing such files could make it impossible to restart a victim’s computer.

“With only eight days to go until Mother’s Day, this attack is quite credible,” Hypponen said.

Carey Nachenberg, chief virus researcher at Symantec, makers of the highly popular Norton anti-virus product, tells CNBC that 'Love Bug' copycat viruses are beginning to spread, and that computer networks are extremely vulnerable to future worms.

End of Mother’s day threat text.

A Manila Internet services provider, Supernet, said it was assisting in the investigation, adding that the virus appeared to have first spread from two of its e-mail addresses.

“The author of the virus used two e-mail addresses through Supernet — spyder@super.net.ph and mailme@super.net.ph,” Jose Carlotta, chief operating officer of parent company Access Net Inc, a Manila Internet company, told Reuters.

Inside all versions of the “love” virus are the two Supernet e-mail addresses. Combined with information gleaned from Internet chat rooms, Carlotta said, the e-mails provided investigators with a solid lead, but no definitive information. The e-mails have been linked to prepaid Internet access accounts so it was not immediately possible to zero in on the owner, he added.

Toby Ayre, a technical consultant for SkyInternet, another Philippine ISP, told reporters it appeared the same hacker had tried to break into their systems. In response, the company blacklisted the local Manila telephone number the intruder was using.

“We banned this particular person from our servers on April 1,” Ayre said. He added that the hacker had used the same “signature” at SkyInternet as had been seen at Supernet.
“We have provided the NBI, the FBI, and Interpol with all of the audit trails for every transaction that involves this virus and they’re using that information,” he added.

STILL CIRCUMNAVIGATING THE GLOBE

While authorities tried to track down the culprit, the ILOVEYOU virus continued to infect computers around the globe on Friday, though not at the rate of Thursday’s rampage. The federally-funded CERT Coordination Center, a clearinghouse for U.S. computer crisis information, said it was still receiving reports of outbreaks.

New variations of the “worm” were also winging around the Internet, in some cases foiling anti-virus protection. A version of the virus named “Luck” started appearing Thursday afternoon, and other copycats have followed. One variant, called Susitikim (which in Lithuanian means: Let’s meet), has a subject line that reads “Susitikem shi vakara kavos puodukui.” In Lithuanian, the sentence translates into: “Let’s meet this evening for coffee.”

The virus shut down networks at corporations and government agencies all around the world. The U.S. Navy, Army, and NASA research centers all shut off e-mail access to protect their systems from the storm. Several government agencies were still infected; according to NBC’s Betsy Steuart, the U.S. State Department found about 120,000 versions of the I Love You virus and its various mutations on their servers.

HOW IT WORKS

ILOVEYOU arrives as an e-mail attachment in a message apparently sent by a colleague. The virus targets users of Microsoft Outlook and only works under the Windows operating system. (Microsoft is a partner in MSNBC.)

If a victim is tricked into opening the attached program, which is written in Microsoft’s Visual Basic script, the virus renames every jpg image file and mp3 music file it can find. The images are deleted, but the mp3 files are backed up elsewhere on the victim’s computer.
The program also deletes a host of other files with the following extensions: .VBS, .VBE, .JS, .JSE, .CSS, .WSH, .SCT and .HTA.

But before deleting image and music files, the virus e-mails itself to every person or destination in the victim’s various address books, including any corporate distribution lists. That’s why it spreads so fast.

But the virus also has another trick up its sleeve. After infection, it changes the victim’s Internet start page to one of four Web pages hosted at skyinet.net by SkyInternet. There, the victim’s computer is instructed to download a password-stealing program called WIN-BUGSFIX.EXE.

Ronald Elciario, a network administrator at SkyInternet, told MSNBC those Web pages have since been removed and the account holder’s services have been terminated.

In the virus’s source code, an individual named “spyder” takes credit for authoring the program. Mikko Hypponen, manager of antivirus research at F-Secure Corp., said the name is unknown on the virus scene.

In a bit of programming understatement, the code contains a comment, likely by the author, suggesting the virus is “simple but I think this is good.” The code also references Manila, but that doesn’t necessarily indicate the author lives there. Other than the e-mail addresses, there are no other hints as to who “spyder” might be other than this cryptic message within the code: “barok -loveletter(vbe) “I hate go to school”.”

It’s the love letter seen ’round the world, reports NBC’s Pete Williams.

Computer technicians around the globe held their breath Friday, hoping they had largely beat back the virus. Perhaps tens of millions of computers have been infected, experts said, and it is already being called the worst virus outbreak ever. But there is evidence that ILOVEYOU may yet do more damage before the worst is over.
Companies in New Zealand and Australia reported infection as daylight came to that part of the world Friday, and others resorted to shutting off all e-mail to protect themselves from infection.

“I don’t think it’s over,” said Joe Wells, a long-time antivirus industry observer. “Melissa came and went because it had limitations. This thing doesn’t turn itself off.”

That might be bad news for the thousands of businesses that were forced to shut down entire networks on Thursday in order to quarantine computers from infection. If even one copy of the virus remains on a network, restarting mail services could restart Thursday’s ordeal all over again. So many employees left work Thursday night with no guarantee things would be back to normal by Friday.

Where to get help

Several antivirus companies and computer pros are offering information and tools to help remove the ILOVEYOU virus from PCs. Many sites are working slowly because of high traffic.

• ZDNet ILOVEYOU Anti-Virus Center
• McAfee.com Anti-Virus
• F-Secure's info on how ILOVEYOU works
• Trend Micro's HouseCall online virus scanner
• Info from thePope.org on removing ILOVEYOU

The statistics Thursday were staggering. Nearly 30 percent of businesses in Great Britain, and nearly 80 percent in Sweden, have been infected by the virus, according to Network Associates. In fact, the company said, ATM cash machines in Belgium were knocked offline thanks to the deluge of e-mail traffic created by the virus.

The CERT Coordination Center has received reports that over 300,000 computers had been infected — and that only represents those systems where administrators registered the infections with CERT. Many companies — and even the Army and the Navy, NASA — resorted to simply shutting down their e-mail systems while the virus wormed its way around the Internet.

“This is the worst I’ve ever seen in my nine years in the business,” said Hypponen.

Internet users were advised to update their virus scanning software as soon as possible.
But throughout the day Thursday, antivirus Web pages were swamped with traffic and largely unreadable. But the standard advice held true — the best bet is to avoid opening attachments entirely.

“Only human nature to want to open a letter that leads off with ‘I love you,’ ” said David Perry, public education director at antivirus research firm Trend Micro. He said he also suspects that because it had been several months since the last virus scare, computer users are a bit more gullible than they were perhaps a year ago, in the wake of the Melissa virus.

The file attachment is called “LOVE LETTER FOR YOU.TXT.vbs,” which might also be adding to the confusion for consumers. It offers the appearance of being a harmless text file, and the “vbs” extension, which stands for Visual Basic Script, may also mislead users who are now trained to be skeptical of executable files with the extension .exe.

Computers aren’t the only victims. One doctor who e-mailed MSNBC said the virus had been arriving every five minutes to his pager, which receives incoming e-mails. Several readers also report having received the virus by fax, since both pagers and fax numbers can be listed in an Outlook address book.
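
The attachment names described above ("LOVE LETTER FOR YOU.TXT.vbs", mothersday.vbs) can be caught by a mail-gateway check that looks at the final extension rather than the one a reader notices first. The sketch below is an added example, not part of the original article; the extension lists, the function names `classify` and `scan_message`, and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Windows script and HTML-application file types (active content).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "sct", "hta"}
# Types users tend to treat as harmless data (illustrative, not exhaustive).
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "mp3"}

def classify(filename):
    """Return 'decoy-script', 'script' or 'ok' for one attachment name."""
    # Windows drops trailing dots and spaces, so normalise before splitting.
    name = filename.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "decoy-script"   # harmless-looking extension in front of the real one
    return "script"

def scan_message(raw):
    """List (filename, verdict) for every risky attachment in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return [(n, classify(n)) for n in names if classify(n) != "ok"]

# Constructed sample message; attachment bodies are inert placeholders.
SAMPLE = """\
Subject: Mother's Day Order Confirmation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

constructed body text
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="LOVE LETTER FOR YOU.TXT.vbs"

placeholder
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="mothersday.vbs"

placeholder
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A gateway would typically quarantine anything marked `script` and treat `decoy-script` as the higher-severity case, since the name itself is built to mislead.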