'ILOVEYOU' has sinister side
- By Dan Verton, Diane Frank, Judi Hasson, Natasha Haubold
- May 04, 2000
The "ILOVEYOU" computer virus that has infected hundreds of thousands of
systems worldwide reportedly includes hidden code developed in the Philippines
that collects network passwords and transmits them to a World Wide Web site
maintained by an unknown attacker.
The virus code has been sent to the National Security Agency for evaluation.
However, some security and intelligence experts have warned that it is too
early to know whether the virus contains components that have intelligence
and national security implications.
According to security experts, the file WIN-BUGSFIX.exe is a backdoor created
in the Philippines that collects the network passwords cached in Microsoft
Corp.'s Windows operating system and then sends them to a Web site when
the infected user connects to the Internet.
Dave Jarrell, director of the Federal Computer Incident Response Capability,
said no one is 100 percent sure what the executable does. However, he added,
the virus attempts to hide the fact that it has downloaded the executable
file by masquerading it as a benign application file, like a JPEG picture
file. "It could feasibly go out and do this over and over again," he said.
According to moderators on the Bugtraq security listserv, "It seems the
WIN-BUGFIX.exe file will e-mail any cached passwords to MAILME@SUPER.NET.PH."
Narender Mangalam, director of security strategy for Computer Associates
International Inc., confirmed that there is a more malicious aspect to the
virus and that there could be national security implications because federal
agencies were infected. "All of it is a little hypothetical right now, but
that does not mean it can't happen," Mangalam said.
The company has posted a patch on its Web site that Mangalam said protects
systems against the entire virus. He added that officials may know more
about its origin as early as Friday.
FedCIRC has been working with the National Infrastructure Protection Center's
analysis and warning center, as well as the National Security Agency and
the Energy Department's Computer Incident Advisory Capability.
DOE, which has had its share of cybersecurity problems, ordered security
guards to meet employees at the agency's building entrances in Washington,
D.C., this morning and warn them about the ILOVEYOU virus. The guards told
employees not to open e-mail with it. Nevertheless, the virus apparently
entered the computer system.
"It is still spreading," said DOE spokeswoman Ruth Vass. "Some of the machines
However, it was unclear whether the virus had spread to DOE facilities outside
of Washington, D.C., she said.