40hex nº6:(40HEX-6.008):12/02/1993 << Back To 40hex nº 6
40Hex Number 6 Volume 2 Issue 2 File 008 Take a look at this. I picked it up on fidonet, originally from Virus-L digest. all the stuff in *< >*'s are my comments. - Demogorgon ------------------------------ VIRUS-L Digest Wednesday, 26 Feb 1992 Volume 5 : Issue 44 ------------------------------ Date: Tue, 25 Feb 92 10:10:14 -0500 >From: mha@baka.ithaca.ny.us (Mark Anbinder) Subject: MBDF Suspects Arrested (Mac) The Cornell Daily Sun reported in this morning's issue that two Cornell University sophomores, David Blumenthal and Mark Pilgrim, were arrested Monday evening and arraigned in Ithaca City Court on one count each of second degree computer tampering, in connection with the release of the MBDF virus that infected Macs worldwide over the last several days. The two are being held in Tompkins County Jail. *< huh? How does one get arrested for spreading a virus, you ask? read on >* Further charges are pending. --- ** many lines of mail routing crap have been deleted ** Date: Tue, 25 Feb 1992 11:47:32 PST >From: lipa@camis.stanford.edu (Bill Lipa) Subject: Alleged MBDF virus-creators arrested at Cornell "Computer Virus Traced to Cornell Students" by Jeff Carmona [The Cornell Daily Sun, 25 February 1992] Two Cornell students were arrested yesterday for allegedly creating and launching *< launching ? Bon voyage, we launched you !>* a computer virus that crippled computers around the world, according to M. Stuart Lynn, the University's vice president for information technologies. David Blumenthal '94 and Mark Pilgrim '94 were arrested by Department of Public Safety officers and arraigned in Ithaca City Court on one count of second-degree computer tampering, a misdemeanor, *< cool, its only a misdemeanor, how bad could it be ? >* Lynn said. Both students were remanded to the Tompkins County Jail and remained in custody early this morning. They are being held on $2,000 cash or $10,000 bail bond, officials said. Cornell received national attention in Nov. 1988 when Robert T. Morris Jr., a former graduate student, was accused of unleashing a computer virus into thousands of government and university computers. Morris, convicted under the 1986 Computer Fraud and Abuse Act, was fined $10,000, given a three-year probation and ordered to do 400 hours of community service by a federal judge in Syracuse, according to Linda Grace-Kobas, *< Whats a Koba?? >* director of the Cornell News Service. Lynn would not compare the severity of the current case with Morris', saying that "each case is different." Lynn said the virus, called "MBDFA" was put into three Macintosh games -- Obnoxious Tetris, Tetriscycle and Ten Tile Puzzle. On Feb. 14, the games were launched from Cornell to a public archive at Stanford University in Palo Alto, Calif, Lynn said. *< I guess these guys actually put it up on the archive under their own >* *< accounts! Don't they know they can trace that stuff? duhhh... >* From there, the virus spread to computers in Osaka, Japan and elsewhere around the world *< the archive was a dumb idea if thats how they got caught, but it spread like hell >* when users connected to computer networks via modems, he added. It is not known how many computers the virus has affected worldwide, he explained. When computer users downloaded the infected games, the virus caused "a modification of system software," *< oooh...lets not get too technical >* Lynn said. "This resulted in unusual behavior and system crashes," he added. Lynn said he was not aware of anyone at Cornell who reported finding the virus on their computers. The virus was traced to Cornell last Friday, authorities were quickly notified and an investigation began, Lynn said. "We absolutely deplore this kind of bahavior," Lynn said. "We will pursue this matter to the fullest." Armed with search warrants, Public Safety investigators removed more than a dozen crates full of evidence from the students' residences in Baker and Founders halls on West Campus. *< sounds like a typical, over-kill bust to me. If you don't know what it is, take it. >* Public Safety officials refused to disclose the contents of the crates or issue any comment about the incident when contacted repeatedly by phone last night. *< thats because they don't know what the fuck the stuff is >* "We believe this was dealt with very quickly and professionally," Lynn said. The suspects are scheduled to appear in Ithaca City Court at 1 p.m. today and additional charges are pending, according to Grace-Kobas. Because spreading a computer virus violates federal laws, "conceivably, the FBI could be involved," she added. Officials with the FBI could not be reached to confirm or deny this. Blumenthal and Pilgrim, both 19-year-olds, were current student employees at Cornell Information Technologies (CIT), Lynn said. He would not say whether the students launched the virus from their residence hall rooms or From a CIT office. Henrik N. Dullea '61, vice president for University relations, said he thinks "the act will immediately be associated with the University," not only with the individual students charged. Because a major virus originated from a Cornell student in the past, this latest incident may again "bring a negative reaction to the entire institution," Dullea said. *< "blah, blah, blah" >* "These are very selfish acts," Lynn said, referring to the intentional distribution of computer viruses, because innocent people are harmed. Lynn said he was unaware of the students' motive for initiating the virus. Lynn said CIT put out a notice yesterday to inform computer users about the "very virulent" virus. A virus-protection program, such as the new version of Disinfectant, can usually cure computers, but it may be necessary to "rebuild the hard drive" *< egad! Not the dreaded "virus-that-makes-you-rebuild-your- hard-drive" !>* in some cases, he added. A former roommate of Blumenthal said he was not surprised by news of the arrest. Computers were "more than a hobby" for Blumenthal, said Glen Fuller '95, his roommate from last semester. "He was in front of the computer all day," Fuller said. Blumenthal, who had a modem, would "play around with viruses because they were a challenge to him," Fuller said. He said that, to his knowledge, Blumenthal had never released a virus before. -->-<------ Cut Here -------------------------- ------------------------------ VIRUS-L Digest Friday, 28 Feb 1992 Volume 5 : Issue 46 ------------------------------ Date: Wed, 26 Feb 92 11:08:45 -0800 >From: karyn@cheetah.llnl.gov (Karyn Pichnarczyk) Subject: CIAC Bulletin C-17: MBDF A on Macintosh (Mac) NO RESTRICTIONS _____________________________________________________ The Computer Incident Advisory Capability ___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___ _____________________________________________________ INFORMATION BULLETIN New Virus on Macintosh Computers: MBDF A February 25, 1992, 1130 PST Number C-17 ________________________________________________________________________ NAME: MBDF A virus PLATFORM: Macintosh computers-except MacPlus and SE (see below) DAMAGE: May cause program crashes SYMPTOMS: Claris applications indicate they have been altered; some shareware may not work, unexplained system crashes DETECTION & ERADICATION: Disinfectant 2.6,Gatekeeper 1.2.4, Virex 3.6, VirusDetective 5.0.2, Rival 1.1.10, SAM 3.0 ________________________________________________________________________ Critical Facts about MBDF A A new Macintosh virus, MBDF A, (named for the resource it exploits) has been discovered. This virus does not appear to maliciously cause damage, but simply copies itself from one application to another. MBDF A was discovered at two archive sites in newly posted game applications, and has a high potential to be very widespread. Infection Mechanism This virus is an "implied loader" virus, and it works in a similar manner to other implied loader viruses such as CDEF and MDEF. Once the virus is active, clean appliacation programs will become infected as soon as they are executed. MBDF A infects only applications, and does not affect data files. This virus replicates under both System 6 and System 7. While MBDF A may be present on ALL types of Macintosh systems, it will not spread if the infected system is a MacPlus or a Mac SE (although it does spread on an SE/30). Potential Damage The MBDF A virus has no malicious damaging characteristics, however, it may cause programs to inexplicably crash when an item is selected from the menu bar. Some programs, such as the shareware "BeHierarchic" program, have been reported to not operate correctly when infected. Applications written with self-checking code, such as those written by the Claris corporation, will inform the user that they have been altered. When MBDF A infects the system file, it must re-write the entire system file back to disk; this process may take two or three minutes. If the user assumes the system has hung, and reboots the Macintosh while this is occuring, the entire system file will be corrupted and an entire reload of system software must then be performed. This virus can be safely eradicated from most infected programs, although CIAC recommends that you restore all infected files from an uninfected backup. Detection and Eradication Because MBDF A has been recently discovered, only anti-viral packages updated since February 20, 1992 will locate and eradicate this virus. All the major Macintosh anti-viral product vendors are aware of this virus and have scheduled updates for their products. These updates have all been available since February 24, 1992. The updated versions of some products are Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6, SAM 3.0, VirusDetective 5.0.2, and Rival 1.1.10. Some Macintosh applications (such as the Claris software mentioned above) may contain self-verification procedures to ensure the program is valid before each execution; these programs will note unexpected alterations to their code and will inform the user. MBDF A has been positively identified as present in two shareware games distributed by reliable archive sites: "Obnoxious Tetris" and "Ten Tile Puzzle". The program "Tetricycle" (sometimes named "Tetris-rotating") is a Trojan Horse program which installs the virus. If you have downloaded these or any other software since February 14, 1992 (the day these programs were loaded to the archive sites), CIAC recommends that you acquire an updated version of an anti-viral product and scan your system for the existence of MBDF A. For additional information or assistance, please contact CIAC: Karyn Pichnarczyk (510) 422-1779 or (FTS) 532-1779 karyn@cheetah.llnl.gov Call CIAC at (510)422-8193/(FTS)532-8193. Send e-mail to ciac@llnl.gov PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Some of the other teams include the NASA NSI response team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your agency's team will coordinate with CIAC. CIAC would like to thank Gene Spafford and John Norstad, who provided some of the information used in this bulletin. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. -->-<----- Cut Here ------------------------- --- ------------------------------ VIRUS-L Digest Friday, 28 Feb 1992 Volume 5 : Issue 46 ------------------------------ Date: Wed, 26 Feb 92 15:32:02 -0500 >From: mha@baka.ithaca.ny.us (Mark Anbinder) Subject: Cornell MBDF Press Release (Mac) _____________________________________________________ PRESS RELEASE ISSUED BY CORNELL NEWS SERVICE 2/25/91 Students charged with releasing computer virus By Linda Grace-Kobas Following a university investigation that tracked a computer virus and its originators, two Cornell students were arrested and charged with computer tampering for allegedly launching a computer virus embedded in three games into national computer archives. Arraigned Feb. 24 in Ithaca City Court were David S. Blumenthal, 19, a sophomore in the College of Engineering, and Mark Andrew Pilgrim, 19, a sophomore in the College of Arts and Sciences. They were charged with computer tampering in the second degree, a Class A misdemeanor. The pair is being held in Tompkins County Jail with bail set at $2,000 cash bond or $10,000 property bond. At a hearing Tuesday afternoon, Judge Sherman returned the two to jail with the same bond and recommended that they remain in jail until at least Friday pending the federal investigation. A preliminary hearing is set for April 10. Both students were employed by Cornell Information Technologies, which runs the university's computer facilities. Pilgrim worked as a student operator in an Apple Macintosh facility from which the virus is believed to have been launched. The university's Department of Public Safety is working with the Tompkins County district attorney's office, and additional charges are expected to be filed. The Federal Bureau of Investigation has contacted the university to look at possible violations of federal laws, officials said. The Ithaca Police Department is also assisting in the investigation. "We absolutely abhor this type of behavior, which appears to violate the university's computer abuse policy as well as applicable state and federal law," commented M. Stuart Lynn, vice president for information technologies, who headed the investigation to track the originators of the virus. "Cornell will pursue all applicable remedies under our own policies and will cooperate with law enforcement authorities." Lynn said Cornell was alerted Feb. 21 that a Macintosh computer virus embedded in versions of three computer games, Obnoxious Tetris, Tetricycle and Ten Tile Puzzle, had possibly been launched through a Cornell computer. A virus is normally embedded in a program and only propagates to other programs on the host system, he explained. Typically, when an infected application is run, the virus will attack the system software and then other applications will become infected as they are run. The virus, MBDF-A, had been deposited on Feb. 14 directly and indirectly into several computer archives in the U.S. and abroad, including SUMEX-AIM at Stanford University and archives at the University of Texas, the University of Michigan and another in Osaka, Japan. These archives store thousands of computer programs available to users of Internet, the worldwide computer network. Macintosh users who downloaded the games to their computers were subject to a variety of problems, notably the modification of system software and application programs, resulting in unusual behavior and possible system crashes. Apparently, there was no intent to destroy data, Lynn said, but data could be destroyed in system crashes. Reports of the virus have been received from across the United States and around the world, including Wales, Britain, Lynn said, adding that he has no estimate for the number of individuals who might have obtained the games. As soon as the virus was identified, individuals and groups across the country involved with tracking viruses sent messages across computer networks to alert users who might have been affected by the virus, Lynn added. The virus has since been removed from all archives and "disinfectant" software available to the Internet community has been modified so that individual Macintosh users can purge their computers of it. "Our sense is that the virus was controlled very rapidly," he said. In 1988, Cornell received national attention when graduate student Robert T. Morris Jr. launched a computer virus into important government and university research networks. That virus, actually considered a "worm" since it was self-perpetuating, caused major damage in high-level systems. Morris was convicted under the 1986 Computer Fraud and Abuse Act and fined $10,000, given three years probation and ordered to do 400 hours of community service by a federal judge in Syracuse, N.Y. The new virus differs greatly from the Morris worm, Lynn said. "This virus is not to be compared with the Morris worm, which independently moved from machine to machine across the network," he explained. All Macintosh users should take appropriate measures to be certain their systems are not infected with the virus. News Service science writer William Holder also contributed to this report. --- Mark H. Anbinder 607-257-2070 - FAX 607-257-2657 BAKA Computers, Inc. QuickMail QM-QM 607-257-2614 200 Pleasant Grove Road mha@baka.ithaca.ny.us Ithaca, NY 14850 -->-<----- Cut Here -------------------------