
40Hex Issue 06 File 008


40Hex Number 6 Volume 2 Issue 2                                       File 008 

Take a look at this. I picked it up on fidonet, originally from Virus-L
digest. All the stuff in *< >*'s are my comments.
- Demogorgon

------------------------------
VIRUS-L Digest Wednesday, 26 Feb 1992 Volume 5 : Issue 44
------------------------------

Date: Tue, 25 Feb 92 10:10:14 -0500
From: mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: MBDF Suspects Arrested (Mac)

The Cornell Daily Sun reported in this morning's issue that two
Cornell University sophomores, David Blumenthal and Mark Pilgrim, were
arrested Monday evening and arraigned in Ithaca City Court on one
count each of second degree computer tampering, in connection with the
release of the MBDF virus that infected Macs worldwide over the last
several days. The two are being held in Tompkins County Jail.
*< huh? How does one get arrested for spreading a virus, you ask? read on >*
Further charges are pending.

---
** many lines of mail routing crap have been deleted **

Date: Tue, 25 Feb 1992 11:47:32 PST
From: lipa@camis.stanford.edu (Bill Lipa)
Subject: Alleged MBDF virus-creators arrested at Cornell

"Computer Virus Traced to Cornell Students"

by Jeff Carmona

[The Cornell Daily Sun, 25 February 1992]

Two Cornell students were arrested yesterday for allegedly creating and
launching *< launching ? Bon voyage, we launched you !>* a computer virus that
crippled computers around the world, according to M. Stuart Lynn, the
University's vice president for information technologies.
David Blumenthal '94 and Mark Pilgrim '94 were arrested by Department of
Public Safety officers and arraigned in Ithaca City Court on one count of
second-degree computer tampering, a misdemeanor, *< cool, it's only a
misdemeanor, how bad could it be ? >* Lynn said.
Both students were remanded to the Tompkins County Jail and remained in
custody early this morning. They are being held on $2,000 cash or $10,000
bail bond, officials said.
Cornell received national attention in Nov. 1988 when Robert T. Morris
Jr., a former graduate student, was accused of unleashing a computer virus
into thousands of government and university computers.
Morris, convicted under the 1986 Computer Fraud and Abuse Act, was fined
$10,000, given a three-year probation and ordered to do 400 hours of community
service by a federal judge in Syracuse, according to Linda Grace-Kobas,
*< What's a Koba?? >* director of the Cornell News Service.
Lynn would not compare the severity of the current case with Morris',
saying that "each case is different."
Lynn said the virus, called "MBDFA" was put into three Macintosh games --
Obnoxious Tetris, Tetriscycle and Ten Tile Puzzle.
On Feb. 14, the games were launched from Cornell to a public archive at
Stanford University in Palo Alto, Calif, Lynn said.
*< I guess these guys actually put it up on the archive under their own >*
*< accounts! Don't they know they can trace that stuff? duhhh... >*
From there, the virus spread to computers in Osaka, Japan and elsewhere around
the world *< the archive was a dumb idea if that's how they got caught, but it
spread like hell >* when users connected to computer networks via modems, he
added. It is not known how many computers the virus has affected worldwide, he
explained.
When computer users downloaded the infected games, the virus caused "a
modification of system software," *< oooh...let's not get too technical >* Lynn
said. "This resulted in unusual behavior and system crashes," he added.
Lynn said he was not aware of anyone at Cornell who reported finding the
virus on their computers.
The virus was traced to Cornell last Friday, authorities were quickly
notified and an investigation began, Lynn said.
"We absolutely deplore this kind of behavior," Lynn said. "We will pursue
this matter to the fullest."
Armed with search warrants, Public Safety investigators removed more than
a dozen crates full of evidence from the students' residences in Baker and
Founders halls on West Campus. *< sounds like a typical, over-kill bust to
me. If you don't know what it is, take it. >*
Public Safety officials refused to disclose the contents of the crates or
issue any comment about the incident when contacted repeatedly by phone last
night. *< that's because they don't know what the fuck the stuff is >*
"We believe this was dealt with very quickly and professionally," Lynn
said.
The suspects are scheduled to appear in Ithaca City Court at 1 p.m. today
and additional charges are pending, according to Grace-Kobas.
Because spreading a computer virus violates federal laws, "conceivably,
the FBI could be involved," she added. Officials with the FBI could not be
reached to confirm or deny this.
Blumenthal and Pilgrim, both 19-year-olds, were current student employees
at Cornell Information Technologies (CIT), Lynn said. He would not say
whether the students launched the virus from their residence hall rooms or
from a CIT office.
Henrik N. Dullea '61, vice president for University relations, said he
thinks "the act will immediately be associated with the University," not
only with the individual students charged.
Because a major virus originated from a Cornell student in the past, this
latest incident may again "bring a negative reaction to the entire
institution," Dullea said. *< "blah, blah, blah" >*
"These are very selfish acts," Lynn said, referring to the intentional
distribution of computer viruses, because innocent people are harmed.
Lynn said he was unaware of the students' motive for initiating the virus.
Lynn said CIT put out a notice yesterday to inform computer users about the
"very virulent" virus. A virus-protection program, such as the new version of
Disinfectant, can usually cure computers, but it may be necessary to "rebuild
the hard drive" *< egad! Not the dreaded "virus-that-makes-you-rebuild-your-
hard-drive" !>* in some cases, he added.
A former roommate of Blumenthal said he was not surprised by news of the
arrest. Computers were "more than a hobby" for Blumenthal, said Glen Fuller
'95, his roommate from last semester. "He was in front of the computer all
day," Fuller said.
Blumenthal, who had a modem, would "play around with viruses because they
were a challenge to him," Fuller said. He said that, to his knowledge,
Blumenthal had never released a virus before.

-->-<------ Cut Here --------------------------

------------------------------
VIRUS-L Digest Friday, 28 Feb 1992 Volume 5 : Issue 46
------------------------------

Date: Wed, 26 Feb 92 11:08:45 -0800
From: karyn@cheetah.llnl.gov (Karyn Pichnarczyk)
Subject: CIAC Bulletin C-17: MBDF A on Macintosh (Mac)

NO RESTRICTIONS
_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________
INFORMATION BULLETIN

New Virus on Macintosh Computers: MBDF A

February 25, 1992, 1130 PST Number C-17

________________________________________________________________________
NAME:         MBDF A virus
PLATFORM:     Macintosh computers, except MacPlus and SE (see below)
DAMAGE:       May cause program crashes
SYMPTOMS:     Claris applications indicate they have been altered; some
              shareware may not work; unexplained system crashes
DETECTION &
ERADICATION:  Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6,
              VirusDetective 5.0.2, Rival 1.1.10, SAM 3.0
________________________________________________________________________
Critical Facts about MBDF A

A new Macintosh virus, MBDF A, (named for the resource it exploits)
has been discovered. This virus does not appear to maliciously cause
damage, but simply copies itself from one application to another.
MBDF A was discovered at two archive sites in newly posted game
applications, and has a high potential to be very widespread.

Infection Mechanism

This virus is an "implied loader" virus, and it works in a similar
manner to other implied loader viruses such as CDEF and MDEF. Once
the virus is active, clean application programs will become infected
as soon as they are executed. MBDF A infects only applications, and
does not affect data files. This virus replicates under both System 6
and System 7. While MBDF A may be present on ALL types of Macintosh
systems, it will not spread if the infected system is a MacPlus or a
Mac SE (although it does spread on an SE/30).

Potential Damage

The MBDF A virus has no malicious damaging characteristics, however,
it may cause programs to inexplicably crash when an item is selected
from the menu bar. Some programs, such as the shareware
"BeHierarchic" program, have been reported to not operate correctly
when infected. Applications written with self-checking code, such as
those written by the Claris corporation, will inform the user that
they have been altered.

When MBDF A infects the system file, it must re-write the entire
system file back to disk; this process may take two or three minutes.
If the user assumes the system has hung, and reboots the Macintosh
while this is occurring, the entire system file will be corrupted and
an entire reload of system software must then be performed.

This virus can be safely eradicated from most infected programs,
although CIAC recommends that you restore all infected files from an
uninfected backup.

Detection and Eradication

Because MBDF A has been recently discovered, only anti-viral packages
updated since February 20, 1992 will locate and eradicate this virus.
All the major Macintosh anti-viral product vendors are aware of this
virus and have scheduled updates for their products. These updates
have all been available since February 24, 1992. The updated versions
of some products are Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6,
SAM 3.0, VirusDetective 5.0.2, and Rival 1.1.10. Some Macintosh
applications (such as the Claris software mentioned above) may contain
self-verification procedures to ensure the program is valid before
each execution; these programs will note unexpected alterations to
their code and will inform the user.

MBDF A has been positively identified as present in two shareware
games distributed by reliable archive sites: "Obnoxious Tetris" and
"Ten Tile Puzzle". The program "Tetricycle" (sometimes named
"Tetris-rotating") is a Trojan Horse program which installs the virus.
If you have downloaded these or any other software since February 14,
1992 (the day these programs were loaded to the archive sites), CIAC
recommends that you acquire an updated version of an anti-viral
product and scan your system for the existence of MBDF A.

For additional information or assistance, please contact CIAC:

Karyn Pichnarczyk
(510) 422-1779 or (FTS) 532-1779
karyn@cheetah.llnl.gov

Call CIAC at (510)422-8193/(FTS)532-8193.
Send e-mail to ciac@llnl.gov

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your
agency's team will coordinate with CIAC.

CIAC would like to thank Gene Spafford and John Norstad, who provided
some of the information used in this bulletin. This document was
prepared as an account of work sponsored by an agency of the United
States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or
favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or
the University of California, and shall not be used for advertising or
product endorsement purposes.

-->-<----- Cut Here -------------------------

---

------------------------------
VIRUS-L Digest Friday, 28 Feb 1992 Volume 5 : Issue 46
------------------------------

Date: Wed, 26 Feb 92 15:32:02 -0500
From: mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: Cornell MBDF Press Release (Mac)

_____________________________________________________
PRESS RELEASE ISSUED BY CORNELL NEWS SERVICE 2/25/91

Students charged
with releasing
computer virus

By Linda Grace-Kobas

Following a university investigation that tracked a computer virus and
its originators, two Cornell students were arrested and charged with
computer tampering for allegedly launching a computer virus embedded in
three games into national computer archives. Arraigned Feb. 24 in
Ithaca City Court were David S. Blumenthal, 19, a sophomore in the
College of Engineering, and Mark Andrew Pilgrim, 19, a sophomore in the
College of Arts and Sciences. They were charged with computer tampering
in the second degree, a Class A misdemeanor. The pair is being held in
Tompkins County Jail with bail set at $2,000 cash bond or $10,000
property bond. At a hearing Tuesday afternoon, Judge Sherman returned
the two to jail with the same bond and recommended that they remain in
jail until at least Friday pending the federal investigation. A
preliminary hearing is set for April 10.

Both students were employed by Cornell Information Technologies, which
runs the university's computer facilities. Pilgrim worked as a student
operator in an Apple Macintosh facility from which the virus is believed
to have been launched. The university's Department of Public Safety is
working with the Tompkins County district attorney's office, and
additional charges are expected to be filed. The Federal Bureau of
Investigation has contacted the university to look at possible violations
of federal laws, officials said. The Ithaca Police Department is also
assisting in the investigation.

"We absolutely abhor this type of behavior, which appears to violate the
university's computer abuse policy as well as applicable state and
federal law," commented M. Stuart Lynn, vice president for information
technologies, who headed the investigation to track the originators of
the virus. "Cornell will pursue all applicable remedies under our own
policies and will cooperate with law enforcement authorities."

Lynn said Cornell was alerted Feb. 21 that a Macintosh computer virus
embedded in versions of three computer games, Obnoxious Tetris,
Tetricycle and Ten Tile Puzzle, had possibly been launched through a
Cornell computer. A virus is normally embedded in a program and only
propagates to other programs on the host system, he explained.
Typically, when an infected application is run, the virus will attack the
system software and then other applications will become infected as they
are run.

The virus, MBDF-A, had been deposited on Feb. 14 directly and indirectly
into several computer archives in the U.S. and abroad, including
SUMEX-AIM at Stanford University and archives at the University of Texas,
the University of Michigan and another in Osaka, Japan. These archives
store thousands of computer programs available to users of Internet, the
worldwide computer network.

Macintosh users who downloaded the games to their computers were subject
to a variety of problems, notably the modification of system software and
application programs, resulting in unusual behavior and possible system
crashes. Apparently, there was no intent to destroy data, Lynn said, but
data could be destroyed in system crashes.

Reports of the virus have been received from across the United States and
around the world, including Wales, Britain, Lynn said, adding that he has
no estimate for the number of individuals who might have obtained the
games.

As soon as the virus was identified, individuals and groups across the
country involved with tracking viruses sent messages across computer
networks to alert users who might have been affected by the virus, Lynn
added. The virus has since been removed from all archives and
"disinfectant" software available to the Internet community has been
modified so that individual Macintosh users can purge their computers of
it.

"Our sense is that the virus was controlled very rapidly," he said. In
1988, Cornell received national attention when graduate student Robert T.
Morris Jr. launched a computer virus into important government and
university research networks. That virus, actually considered a "worm"
since it was self-perpetuating, caused major damage in high-level
systems. Morris was convicted under the 1986 Computer Fraud and Abuse
Act and fined $10,000, given three years probation and ordered to do 400
hours of community service by a federal judge in Syracuse, N.Y.

The new virus differs greatly from the Morris worm, Lynn said. "This
virus is not to be compared with the Morris worm, which independently
moved from machine to machine across the network," he explained. All
Macintosh users should take appropriate measures to be certain their
systems are not infected with the virus.

News Service science writer William Holder also contributed to
this report.

---
Mark H. Anbinder 607-257-2070 - FAX 607-257-2657
BAKA Computers, Inc. QuickMail QM-QM 607-257-2614
200 Pleasant Grove Road mha@baka.ithaca.ny.us
Ithaca, NY 14850

-->-<----- Cut Here -------------------------
