A renowned computer privacy expert in the United States has traced the authorship of the "ILOVEYOU" e-mail virus or "Love Bug" to a student at the AMA Computer College in Manila, the Washington Post reported yesterday.
Richard Smith, a Massachusetts computer expert who helped track down the author of last year's "Melissa" virus, told the Post that other programs created by the author of the "Love Bug" included a notation that the creator was a student of the computer school owned by former Philippine Y2K adviser Amable Aguiluz.
As this developed, Philippine National Police chief Director General Panfilo Lacson said the PNP has identified the Filipino hacker. But he refused to identify the suspect, saying more evidence was being gathered before making an arrest.
"We have already identified the perpetrator of this virus under a joint operation between the NBI (National Bureau of Investigation) and the police," said Lacson, who was accompanying President Estrada to Zamboanga City yesterday.
Lacson said he cannot reveal the name of the suspect because "it might preempt the arrest which we are planning to do."
NBI officials, who had indicated the other day that early evidence pointed to a female hacker, said they have the suspect under surveillance and have asked a lower court to issue an arrest warrant.
"We have a suspect," said Nelson Bartolome, chief of the NBI's anti-fraud and computer unit.
Since Friday, authorities have been desperately looking for a judge to authorize a search warrant to "permit the seizure of the computer" used in the attack.
An NBI source expressed concern that the suspect may have already destroyed all vital evidence linking him or her to the virus.
"We may not have enough evidence to file charges," the source lamented.
Some computer experts have already cautioned that the Philippine trail could be a deliberate smoke screen, hiding the true source of the bug.
For instance, Fredrik Bjorck, a computer security researcher in Sweden who worked with Smith last year in the hunt for Melissa's author, claimed he tracked the attacks to a German exchange student living in Australia.
The student used Philippine Internet service providers (ISPs) to launch his attacks, Bjorck suggested.
The virus first appeared Thursday and spread around the world in a matter of hours via an e-mail bearing the message "ILOVEYOU."
With the e-mail comes an attachment, which, when opened using Microsoft Outlook software, sends the virus to the e-mail addresses stored within the software, researchers said.
Once the virus infects a personal computer (PC), it can destroy certain files not only on the user's own hard drive, but also other files on networks to which the user is connected.
Up to nine copycat variants were then circulated with new messages, including "Joke," "Very Funny," and the especially destructive "Mother's Day Order Confirmation" e-mail, which overwrites the ".bat" and ".ini" files needed to start up a computer.
The perpetrator identified himself as "mailme," "spyder" and "ispyder," and left a message saying "I hate to go to school."
An estimated 10 million computers have been infected worldwide and $2.61 billion in damage caused.
Among those hit around the world were computer networks at the US Congress, the White House and Pentagon, and the British and Danish parliaments.
Authorities said many leads point to the Philippines as the birthplace of the virus.
For starters, a Philippine ISP called SuperNet said the virus appears to have first been sent from two of its e-mail addresses.
Some computer security experts also said a programming technique used in the creation of the virus is similar, if not identical, to one written by a man in the Philippines last year.
An even stronger clue, experts said, is that in addition to destroying data, the virus attempts to activate another program from a Philippine website that steals passwords from victims' computers and sends them back to an e-mail address in the Philippines.
According to earlier reports, a comparison of notes made by Philippine ISPs narrowed down the suspect to a 23-year-old man from Manila's Pandacan district.
Robbie Villabona, SKYiNet's technical operations director, said the virus was stored in their webspace in two parts -- one that deleted visual and audio files and one that attached itself to an e-mail.
SKYiNET was one of three local service providers used to spread the virus.
Villabona said their company's mail server has been blocking the virus from entering computers of their estimated 20,000 subscribers since it was detected Thursday.
"As a result of this virus, some other networks in the world blocked traffic from our server. It has affected us substantially," he said.
Villabona said they had helped NBI agents in tracking down the suspect by giving them "server logs."
"We have given the NBI appropriate information (so) that they can identify the suspect. The next step is to identify and apprehend," he said.
Jose Carlotta, chief operating officer of Access Net, said the creator of the computer virus could have been unaware of the damage he or she would cause worldwide and might not even be a Filipino as had initially been suspected.
"It's very difficult to say with any certainty that it is a Filipino. It could have come from somewhere else and 're-originated' from the Philippines," he said.
Access Net is one of three ISPs from which the virus was suspected to have been launched.
"There is a lot of speculation right now. Until they are actually able to establish an identity behind this person, it is very hard to say for certain," he said.
Carlotta, however, said the information is still "very, very sketchy." "Pandacan is a very big area. It's like finding a needle in a haystack," he said.
Carlotta said the virus maker may have only wanted to collect passwords to get free Internet access.
"If he has got graver intentions from what he's done, I am not aware of that and it's purely speculation. I might even say that he or she probably wasn't aware of the gravity of what he did," he said.