ISP confirms bug's Filipino connection

Sky Internet Inc. of Quezon City says it traced downloads to another provider -- and user of its hosting service.
Written by Robert Lemos, Contributor
Sky Internet Inc., the Quezon City, Philippines, Internet service provider that inadvertently hosted some of the "ILOVEYOU" worm code, said late Thursday that the company has tracked the bug to another hosting service, but its efforts have apparently stopped there.

"Our service was used as a gateway," said Ronald Eociario, a system administrator for the ISP. "We already have pinpointed the (suspected source)."

Eociario said he used log files to track the account's users to another ISP in the Philippines, but "we're not sure whether they're the (originating) host."

Instead, the worm writer could have obfuscated his identity by passing through several accounts before creating the four accounts that contained the code. That's a common practice among traditional network attackers.

The worm, which is officially called W95.ILOVEYOU.bin.worm and VBS_Loveletter-o, contacts one of four Web pages hosted on Sky Internet to download malicious code, in addition to its e-mail-spamming and infection components. Researchers have determined that the code copies system passwords and forwards them on to an e-mail address based in the Philippines. Sky Internet has since taken the file -- called WIN-BUGSFIX.exe -- offline.

The four Web pages that acted as remote download sites for the worm have been shut down, Eociario said.

Sky Internet first noticed the effects of the worm when traffic spiked at 4 p.m. local time (1 a.m. PST) on Thursday, signaling that a large number of computers had been infected and were dialing in to be "updated."

The ILOVEYOU worm first hit companies in Asia early Thursday morning and moved through Europe and then the United States as workers opened their early morning e-mail. The worm activates when users click on an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs," replacing files with its code, mass mailing itself out and then attempting to connect to the servers in the Philippines.

Researchers confirmed that WIN-BUGSFIX.exe installs itself and then attempts to copy passwords. The passwords are then e-mailed to another account in the Philippines.

The National Infrastructure Protection Center, an agency jointly run by the FBI and the Department of Justice, said it was investigating the issue, but would not give details.
