Philippine ISP cooperating with FBI in virus probe

U.S. and Philippine law enforcement officials are working together to track down the source of a potent virus unleashed today, according to an Internet service provider that temporarily hosted files used in the attacks.

Philippine ISP Sky Internet confirmed it had shut down access to virus files that had been placed on their systems earlier today. Network logs indicated that the files had come from another service provider in that country, the company said. Sky Internet is working with the FBI and authorities in the Philippines, said Darwin Bawasanta, a systems development manager at Sky Internet.

"We're trying to verify whether that's really a legitimate connection, or a way to divert attention away from a legitimate perpetrator," he said.

An FBI representative said that the agency "is currently assessing any impact this has had both nationally and internationally."

According to Elias Levy, a security analyst with Security Focus, the link to the Web pages--now removed--was a crucial aspect of the virus' defenses against antivirus measures.

"We've seen this at least once before, where virus has a dynamic component," he said, "That gives it the capability of changing its behavior in the future. It could have been changed to remove files, make it look for credit cards, or install a network sniffer."

In an analysis provided by Security Focus, Levy explained that the I Love You virus replicates in three different ways: through email attachments, Internet Relay Chat file transfers, and through shared drives on a computer network.

Once the virus has found its way in, it writes itself into three different locations: two under the Windows directory, one under the system directory.

Then it modifies the computer's registry keys, which normally contain configuration information that tells the computer what programs to launch on start-up. The worm modifies the registry so that it starts running when the computer is restarted.

In a step now rendered impotent, the worm modifies the registry key that determines the start page for Microsoft?s Internet Explorer browser, pointing to one of four Web pages hosted by Sky Internet.

Those four pages linked to an executable called "win-bugsfix.exe." Virus code made the executable run.

The executable then looked up the computer's dial-up connection passwords, and mailed them to an email address in the Philippines.

Next, the executable created an HTML file on the computer's hard drive to infect other computers connected on IRC. Giving it great and speedy virulence, it next spread to everyone listed in the victim's Windows address book.

In one of the most malicious aspects of the virus, it then went on to overwrite various music and graphics files and rename them .vbs files.

"You can't get those files back easily," said Levy. "You might be able to recover some. But the virus is not just renaming it. If you're a Web developer this will give you quite a few headaches."

In one curious exception, Levy noted that the virus goes after MP2 and MP3 files, but only hides them.

"Those files you can recover," he said.

Antivirus experts said they were amazed by the power of the virus. "I've been doing antivirus research for the past nine years, and it hasn't been this bad," said Mikko Hypponen, a research manager at computer security firm F-Secure, who noted that the first report received of the virus came in at around 9:00 a.m. GMT (2 a.m. PT) today from Norway. "It's...twice as widespread as the Melissa virus."

By 1 p.m. GMT (6 a.m. PT), F-Secure had reports from more than 20 countries, Hypponen said.

As corporate network administrators worked to neutralize the threat, a new version of the virus sprang up with the email header "Joke."

Hypponen, who called the Love virus "destructive," said the most damage could be to media houses--including radio stations, magazines and advertising agencies--that could potentially lose photo archives and music files.

"A large publishing house that got hit with the virus this morning lost their complete photo archives," Hypponen said. "The problem is it automatically deletes your (image and music) files. (Antivirus upgrades) can remove the virus but can't undo the damage. If you don't have backups to your files, you lose."

Several security sites have posted instructions for removing the virus, but many were not easily accessible, presumably because of heavy traffic. Those sites include:

• http://download.mcafee.com/

• http://www. datafellows.com/download-purchase/updates.html

• http://www.antivirus.co m/download/pattern.asp

• http://www.so phos.com/downloads/ide/index.html#loveleta

• http://www.thepope.org/in dex.pl?node_id=140

One mid-sized Web site reported that the worm wreaked havoc on its computers today, but that the public site was spared the Windows-specific worm because it is served off a Linux computer.

"It was taking any MP3 files and it was making duplicates of itself with a VBScript extension, and any '.jpg' files on our server were being transformed to VBScript," said the site's administrator, who did not want the site identified. "We've got an employee who got nailed heavily, and every '.jpg' graphic has been converted to a '.vbs' file."

One site heavily dependent on the integrity of its MP3 files--MP3.com--has apparently weathered the Love bug unscathed. A representative said the company's information systems administrators sent a warning to employees about the worm early in the day, and no damage had yet been reported.

Sources said that several government organizations in the Washington, D.C., area, including the Pentagon, the Federal Reserve, the Coast Guard and the Defense Department, were hit by the email virus.

"We certainly have seen scattered instances of it throughout the Defense Department, but I don't have any overall assessment at this time," said department spokeswoman Susan Hansen. "Our joint task force on computer network defense has this under consideration. I can confirm that, like many other organizations, we too...have seen this virus."

The National Infrastructure Protection Center, which has helped coordinate the investigation into denial-of-service attacks, today issued a warning about the virus.

Last year, the Melissa virus clogged corporate email servers across the country, causing more than $80 million in damage. A New Jersey resident, David Smith, was arrested and charged with disseminating the original Melissa virus.

News.com's Melanie Austria Farmer and Evan Hansen contributed to this report.