Attack Of The Love Bug

• Share

(3 of 6)

Fiendishly created, the Love Bug strikes with a one-two punch. Once you've clicked open that fatal attachment and activated its deadly code, the virus either erases or moves a wide range of data files. It singles out in particular so-called jpgs and MP3s--digital pictures and music--and, like a natural virus, replaces them with identical copies of itself. Then, if it finds the Microsoft Outlook Express e-mail program on your computer, it raids the program's address book and sends copies of itself to everyone on that list. (The more innocent Melissa grabbed only the first 50 names.) Technically, this two-pronged approach makes the Love Bug both a virus and a worm; it's a virus because it breeds on a host computer's hard drive and a worm because it also reproduces over a network.

As these replicated messages spread, they created monumental jams, slowing Internet traffic to a crawl. And they quickly attracted the attention of virus hunters. At the F-Secure headquarters just outside Helsinki, Hypponen's team first got word of the virus at 9:41 a.m. local time, seven hours ahead of the Eastern U.S. That was when Bulgarian-born Katrin Tocheva, one of the few women in the tight-knit antiviral community, opened an e-mail containing a sample of the ILOVEYOU attachment and a warning from their Norwegian field office; a U.S. client's European network had been hit and needed help. She alerted the rest of the staff, who went immediately into emergency mode.

At ICSA.net a Pennsylvania computer-security company, chief scientist Peter Tippett was also getting warnings from his European offices. By 4 a.m., he began rounding up his 15-person antivirus SWAT team. Because of the stiff competition among antivirus-software makers, others were mobilizing too. "Our Leyden team in Holland was up and awake and began the initial research," says Ron Moritz, chief technology officer of Symantec, one of the antiviral Big Three (the other two are McAfee and Computer Associates).

Their first challenge: nailing the bug's digital fingerprint. "Every virus, every attack has a unique pattern, a unique set of bits," says Moritz. "Once you know what that is, you can then identify it each and every time it comes in." The second challenge: identifying the perpetrator. Clues weren't hard to find. Embedded in the virus' code--or blueprint--were the alias "spyder," an e-mail address and the words "Manila,Philippines." The code also yielded a short sentence in broken English that provided at least the shadow of a motive: "i hate go to school." Was the world facing a cyber-Columbine? By 4:30 a.m. Eastern time, the virus fighters had linked the Love Bug to a website hosted by Sky Internet, an Internet service provider based in Quezon, the Philippines. They persuaded the ISP to close down the site, but the Love Bug kept on spreading.

The feds were moving as well. By 11 a.m., the National Infrastructure Protection Center, an FBI-based group created to defend against cyberattacks on crucial public and private networks, posted a virus alert on its Web page. Meanwhile, nipc was assessing the extent of the damage at home, and the FBI launched a massive criminal investigation. Under the Computer Fraud and Abuse Act of 1986, the Love Bug's author could face a penalty of as much as five years behind bars and a $250,000 fine.