
When Love Came to Town: A Virus Investigation

Here's a chronology of the investigation of the Love Bug virus, the most prolific virus of 2000.

Looking for Love--The Investigation Begins

By the time Californians woke up to news of the virus, governmental and individual investigators around the world had determined two things about it: It was written by someone who goes by the handle "Spyder," and Spyder lives in the Philippines.

How do they know? Like most attention-seeking virus writers, the author conveniently leaves a "signature" in the source code; it states his name, e-mail address, and hometown--Manila. Furthermore, the text identifies Spyder as a member of a small programmer's group called GRAMMERSoft. Here's how it looks in the code:

rem barok -loveletter(vbe)

rem by:spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines

"He at least cut [the search] down to one city and 10 million people for us," laughs Richard Smith, who with five others conducted an investigation in parallel to that of the FBI's and notified Mail.com, the domain for Spyder's e-mail account. Smith is a privacy watchdog who last year uncovered attempts by RealPlayer to siphon information from users about the music they downloaded and who also helped investigators find David L. Smith (no relation), who was convicted of distributing the Melissa virus in 1999. (See "Melissa Creator Pleads Guilty.")

ISP Acts Swiftly

Within minutes after LoveLetter began infecting computers, the Philippine ISP Sky Internet noticed increased traffic to its servers. Thousands of computers across Asia and Europe had begun dialing into four Web pages hosted by the ISP, where they auto-downloaded a Trojan horse posted by the LoveLetter writer.

Acting swiftly, the company's staff took down the pages and began tracking the origin of the virus and Trojan horse by examining their log files. They traced the posting to a prepaid ISP account at Supernet, another provider in the Philippines, where the virus was launched from two e-mail accounts--spyder@super.net.ph and mailme@super.net.ph. The prepaid account allowed the virus writer to maintain anonymity, but it also indicated that he was probably local, confirming the Manila connection.

The next step was to glean more information about the author by looking for other references to the names Spyder and GRAMMERSoft on the Internet. Virus writers tend to be serial writers and use the same m.o. repeatedly, so researchers look for other postings by authors for clues to their identity.

International Sleuths Team Up

Smith and five other sleuths, including a 27-year-old grad student at Stockholm University named Frederik Bjorck, searched newsgroups using the keywords Spyder, GRAMMERSoft, and barok (another word found in the source code). Within a day, Bjorck found a virus called Barok, which Spyder had posted four months earlier. Except for four bytes of code, Barok and the Trojan horse portion of LoveLetter shared identical code--nearly a perfect fingerprint match. A second version of Barok posted around the same time further identified the author as a "student of amacc mkt. Phils" and a member of GRAMMERSoft.
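The two pieces of attribution work the story describes, pulling the author's "signature" out of the script's comment lines and checking how closely two samples match at the byte level, as an added Python example that is not part of the original article. The two rem lines are the ones quoted in the story; the rest of each sample script is constructed filler standing in for the real body, and the second sample is a constructed near-duplicate with four bytes changed.

```python
"""Added example (not from the PCWorld article).

1. Extract the author signature from VBScript comment lines (rem / ').
2. Compare two scripts byte for byte, the kind of check that showed the
   Barok Trojan and the LoveLetter Trojan differing in only four bytes.
"""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# The two signature lines quoted in the article, followed by constructed
# placeholder lines; the real script body is deliberately not reproduced.
SAMPLE_A = (
    "rem  barok -loveletter(vbe)\n"
    "rem by:spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines\n"
    "Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"
    "' constructed filler: stands in for the rest of the script\n"
    "x = 1234\n"
)

# Constructed near-duplicate: identical except for four bytes.
SAMPLE_B = SAMPLE_A.replace("x = 1234", "x = 9999")


@dataclass
class Signature:
    handle: Optional[str]
    email: Optional[str]
    group: Optional[str]
    location: Optional[str]


def extract_rem_comments(script: str) -> List[str]:
    """Return the text of every VBScript comment line (rem or ')."""
    out = []
    for line in script.splitlines():
        m = re.match(r"\s*(?:rem\b|')\s*(.*)", line, re.IGNORECASE)
        if m:
            out.append(m.group(1).strip())
    return out


def parse_signature(script: str) -> Optional[Signature]:
    """Parse the 'by: handle / email / @group / location' comment, if present."""
    for comment in extract_rem_comments(script):
        if not re.match(r"by:", comment, re.IGNORECASE):
            continue
        fields = [f.strip() for f in comment.split("/")]
        fields += [""] * (4 - len(fields))  # pad a shorter signature
        handle = re.sub(r"(?i)^by:\s*", "", fields[0]) or None
        email = fields[1] if "@" in fields[1] else None
        group = fields[2].lstrip("@") or None
        location = fields[3] or None
        return Signature(handle, email, group, location)
    return None


def byte_diff(a: bytes, b: bytes) -> Tuple[List[int], int]:
    """Offsets where two samples differ, plus the length difference.

    Works position by position, so it is only meaningful when the samples
    line up (no insertions); the length difference is reported separately.
    """
    n = min(len(a), len(b))
    offsets = [i for i in range(n) if a[i] != b[i]]
    return offsets, abs(len(a) - len(b))


def similarity(a: bytes, b: bytes) -> float:
    """Ratio in [0, 1] that tolerates insertions and deletions.

    autojunk is disabled so frequent bytes are not discarded as noise.
    """
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


if __name__ == "__main__":
    sig = parse_signature(SAMPLE_A)
    print("signature:", sig)
    offsets, extra = byte_diff(SAMPLE_A.encode(), SAMPLE_B.encode())
    print("differing bytes:", len(offsets), "at offsets", offsets,
          "length difference:", extra)
    print("similarity: %.3f" % similarity(SAMPLE_A.encode(), SAMPLE_B.encode()))
```

Both checks are starting points only: the signature parser gives an analyst the strings to search for (handle, e-mail, group), and the byte comparison says whether two samples are the same code base, not who wrote it.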

After a quick check, "amacc mkt." turned out to be the AMA Computer College in Makati City--a computer technician's college in a suburb of Manila. "So it went from 10 million people down to 10,000 people," says Smith, "and [then to] this computer college in Manila."

A little more sleuthing, adding the name of the college to the search terms, revealed a posting by another student from the school who also claimed membership in GRAMMERSoft. That student included his real name in the code, as well as the names of dozens of other people he knew.
