
RE: [Full-Disclosure] Authorities eye MSBlaster suspect

Except that teekid had nothing to do with either the original Blaster
worm (which is apparently what Stephen Clowater assumed) or
Nachia/Welchia/Blaster.D, which is the worm Jeremiah Cornelius refers
to.

Here's the whois for his domain:
Domain: t33kid.com

 Registrant (JP397-IYD-REG)
   Jeff Parson
   root@t33kid.com
   603 8th Ave S.
   Hopkins, Minnesota 55343 US 
   +1.1111111111

 Administrative (JP421-IYD)
   TeeKid
   Rooted Networks
   root@t33kid.com
   Information Not Given
   Information Not Given, Information Not Given 11111 US 
   +1.1111111111

 Billing (JP421-IYD)
   TeeKid
   Rooted Networks
   root@t33kid.com
   Information Not Given
   Information Not Given, Information Not Given 11111 US 
   +1.1111111111

 Technical (JP421-IYD)
   TeeKid
   Rooted Networks
   root@t33kid.com
   Information Not Given
   Information Not Given, Information Not Given 11111 US 
   +1.1111111111

 Record created on November 30, 2001
 Record last updated on February 04, 2003
 Record expires on November 30, 2003

 Domain Name Servers:
   NS1.ZONEEDIT.COM
   NS2.ZONEEDIT.COM

Here's the Google cache of his web server:

http://216.239.41.104/search?q=cache:FEZleHDR3mcJ:t33kid.com/+teekid&hl=en&ie=UTF-8

What teekid did was take the original Blaster.A, decompress it, rename
msblast.exe to penis32.exe, and use a hex-editor to change a few strings
inside the executable. He didn't even recompress it. This "version" then
became known as Blaster.B. Not very "l33t". According to TrendMicro,
Blaster.B infected all of 16 computers. If he hadn't released the
variant, you wouldn't have noticed any difference, even assuming that
Trend's stats may be low by two orders of magnitude.

The Nachia/Welchia/Blaster.D worm was written by someone who goes by the
handle of Sowhat. He/she posted the source at
https://www.xfocus.net/bbs/index.php?act=ST&f=1&t=26924. Quite a piece
of work. I'm not aware of any traces left by the original author of
Blaster.A.

Sometimes it helps to have some facts before calling for blood.

Jerry

-----Original Message-----
From: Jeremiah Cornelius [mailto:jeremiah@nur.net] 
Sent: Friday, August 29, 2003 11:33 AM
To: steve@stevesworld.hopto.org
Cc: Florian Weimer; Larry Roberts; full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Authorities eye MSBlaster suspect


Stephen Clowater wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Throw him in prison for a while...he caused a lot of headache, downtime, damage,
>and most importantly, the never-ending msblaster thread on FD!
>
>Stupidity should be punished, this guy wrote a crappy worm, shot his mouth off
>about it, and then got caught. Make an example out of him so at least other
>virus writers will learn that if they write the virus, they should shut up
>about it.
>
I suspect that the poor boy's efforts greatly raised the full-time
employment prospects of many on this list.  This lad had good
intentions, if flawed in his reasoning and execution.

He /did/ put to the test a theory that has choked this list and others 
for a few years.  I suspect we won't be subjected to any more drivel 
about a "good worm" for some while now... ;-)

-- 
Jeremiah Cornelius, CISSP, CCNA, MCSE
farm9.com Security
<mailto:jc@farm9.com>
"Administration for Windows networks is similar to maintaining a 12-year
old GM Truck.  Brand new, W2K+3 already has 190K miles of wear."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
