Manila Couple Identified as ‘ILoveYou’ Suspects

Following a digital trail that experts said was strewn with clues, authorities in the Philippines on Monday arrested one man and named his girlfriend as the suspected authors of the “ILoveYou” computer virus.

The swiftness with which the FBI and other authorities identified suspects reflects the ease with which some computer crimes can be traced despite--and partly because of--the complexity of the systems on which they are committed.

The couple, both bank employees, were identified by the Philippine National Bureau of Investigation as Reomel Ramones, 27, and Irene de Guzman, his 23-year-old girlfriend. Ramones was arrested after the couple’s home was raided early Monday, and de Guzman was expected to turn herself in by today, authorities said.

There was also speculation that de Guzman’s unemployed sister, who lives with the couple, may have been the author of the program because she is a recent graduate of a computer school linked by U.S. security experts to the “Love Bug” virus.

Law enforcement officials were led to the couple largely by evidence in the code of the virus itself, which spread around the world with unprecedented speed last week, infecting millions of machines and disrupting businesses and government agencies in at least 20 countries.

Philippine authorities said they seized computer disks, telephones and other equipment in their raid of the apartment in a lower-middle-class neighborhood of Manila, but that there was no computer in the dwelling. They also reported that Ramones had “opted to remain silent” when he was taken into custody. Manila radio stations reported that he denied involvement in the crimes.

Two FBI agents participated in the raid. But officials at the Justice Department in Washington said they were only beginning to get details on the suspects and the evidence against them.

“Everything is in flux right now,” said Chris Painter, deputy chief of the criminal crimes section of the Justice Department. “I wouldn’t say with any certainty that the person who committed the crime has been caught yet. The FBI worked closely with [Philippine officials] and continues to work closely with them.”

The apparent break in the case raised a number of legal issues because Philippine authorities said their laws do not clearly address computer crimes, and U.S. officials said that if they sought extradition of the couple it would be the first such attempt in connection with a computer crime.

Federico Opinion, chief of the National Bureau of Investigation, said authorities planned to employ a law against improper use of “access devices” to pursue a case against the suspects. He said the maximum penalty under that law is 20 years in prison. No charges had been filed Monday, but authorities had 36 hours to do so.

U.S. Atty. Gen. Janet Reno said in a news conference Monday that the case underscores the need for universalizing laws on computer crime.

“It is important for countries all over the world to join together in developing common legislation that will enable us to work together in matters such as this,” she said. “Crime is becoming international in its origins and in its consequences, and it is going to be very important that we have the same sheet of music, if you will, to play from.”

Security experts estimate that the virus has spread to millions of computers around the globe, showing up in Internet users’ e-mail accounts as messages with the intriguing subject line that gave the virus its name: “ILOVEYOU.”

The virus remains dormant until the e-mail and an accompanying attachment are opened, prompting the program to prey on the popular Microsoft Outlook Express e-mail program by sending copies of the contagion to every address listed in the program’s address book. The virus also damages certain files on the computer’s hard drive.

Hundreds of major corporations were affected, including Ford Motor Co. and Time Warner Inc. The virus also swept through government offices from the White House to the British Parliament.

Speculation has centered on the Philippines since late last week because of a number of clues embedded in the virus. The second line of the virus’ source code includes the words “Spyder,” apparently the online name of the author, and “Manila, Philippines.”

The line also listed an e-mail address, ispyder@mail.com, an account with a free e-mail service based in New York that some believe was used to bounce messages back to the Philippines.

Security experts said those markings on the source code could have been a ruse or the work of an unsophisticated hacker.

“It’s possible someone wrote this not knowing it was going to spread so fast and get them in so much trouble,” said David Chess, an anti-virus researcher at IBM. “They may not have realized their malice was going to be so successful, and so didn’t go to as much care to hide themselves.”

There were other clues. The virus also attempts to fetch from a Web site based in the Philippines a program that steals passwords from the host computer and sends them to an e-mail address in the Philippines, Chess said.

Philippine authorities placed the Manila couple under surveillance Saturday, apparently after the FBI provided them with computer logs and other records that connected the virus to the suspects.

*

Times staff writer Eric Lichtblau and wire services contributed to this report.