Virus Threat Found on Love Bug Suspect's Disks

Confiscated diskettes from the house of Onel De Guzman, the 23-year-old suspect in the "Love Bug" computer virus case, uncovered an earlier virus allegedly written by his college buddy, Michael Buen.

The virus, which works with Microsoft Word, prints out Buen's resume, with a warning that he will release a more destructive virus that will delete all folders on a victim's hard disk "if I don't find a stable job by the end of the month."

Investigators said, however, they found no evidence directly linking De Guzman to the Love Bug virus that caused havoc worldwide.

"No incriminating data was found on the diskettes other than on diskette 17 (numbered by the investigating National Bureau of Investigation, or NBI), which contained a strain of a virus supposedly authored by Michael Buen with acknowledgement to Onel De Guzman and a certain group, Grammersoft," said Elfren Meneses Jr., chief of the Anti-fraud and Computer Crimes Division of the NBI.

Meneses said the NBI's technical team scanned each of the diskettes sector by sector to identify any file, name or executable file saved or deleted from the disk.

Although no evidence was discovered, the diskettes revealed 40 names, about 30 of which have been identified as students of AMA Computer College (AMACC), where De Guzman and Buen studied.

Meneses said the NBI will invite for questioning, either by telephone or through a subpoena, all of the persons whose names were found in the diskettes.

Except for the case already filed against Reomel Ramones, the bank worker earlier arrested and released by the NBI for lack of evidence, the NBI has not filed any formal charges in the case.

"We will start from the information that we have found from diskette 17. This is just part of the investigation. As of now, we don't have any evidence to say that (the author of the virus) came from the Philippines," said Meneses.

Virus found

The Word Macro virus discovered on diskette 17 is the same virus earlier identified by US experts and traced back to Buen, who recently graduated from AMACC in Makati City. The virus infects all Microsoft Word 97 document files.

Once a user tries to print an infected file, the virus saves a copy of Buen's resume and prints it. If a user tries to save an infected file, a message appears on the screen that says: "Michael learns to hack." The virus also mismatches keyboard strokes.

In the attached resume, Buen also gives out a warning: "If I don't find a stable job by the end of next month, I will release a third virus that will delete all folders in the primary disk or para na rin finormat and hard disk mo (so that your hard disk will be formatted)."

Nelson Bartolome, assistant director of the NBI's Anti-fraud and Computer Crimes Division, said they found no significant similarity between the virus allegedly authored by Buen and the "Love Bug" virus, except that both were written in the same Visual Basic programming language.

Meneses said the NBI technical team concluded that Buen was "an above-average programmer with proficiency in Word macros and in the Visual Basic programming language."

Investigators, however, refused to confirm or deny that Buen was now the primary suspect in the case because of this new finding. Meneses said they will continue their investigation and question all the persons identified through the diskettes.

Also being examined are the data -- network logs, e-mail messages and passwords -- submitted by three Internet service providers, namely Sky Internet, ImpactNet and Access Net, that were used by the virus author to launch the "Love Bug" virus.

Meneses said they would also look into the diskettes further for other possible clues. The diskettes were seized on May 8 from the house of De Guzman. Also found in the house were five telephone sets, a plastic bag containing cables and "paraphernalia," two Zip cases, seven computer books and various computer magazines, including 14 issues of Computerworld Philippines.

Existing law sufficient

Bartolome said the existing law on access devices is enough to proceed with the case. He explained that the virus author had illegally used other people's Internet accounts, which is covered by Republic Act 8484.

"There's unauthorized access involved that denies the ISPs a way to properly bill their subscribers, which means loss of revenue for them," he said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Access Net AustraliaAMA GroupMicrosoft

Show Comments