Date: Tue, 25 Feb 1992 11:47:32 PST
From: lipa@camis.stanford.edu (Bill Lipa)
Subject: Alleged MBDF virus-creators arrested at Cornell

"Computer Virus Traced to Cornell Students"
by Jeff Carmona
[The Cornell Daily Sun, 25 February 1992]

Two Cornell students were arrested yesterday for allegedly creating and launching a computer virus that crippled computers around the world, according to M. Stuart Lynn, the University's vice president for information technologies.

David Blumenthal '94 and Mark Pilgrim '94 were arrested by Department of Public Safety officers and arraigned in Ithaca City Court on one count of second-degree computer tampering, a misdemeanor, Lynn said.

Both students were remanded to the Tompkins County Jail and remained in custody early this morning. They are being held on $2,000 cash or $10,000 bail bond, officials said.

Cornell received national attention in Nov. 1988 when Robert T. Morris Jr., a former graduate student, was accused of unleashing a computer virus into thousands of government and university computers.

Morris, convicted under the 1986 Computer Fraud and Abuse Act, was fined $10,000, given a three-year probation and ordered to do 400 hours of community service by a federal judge in Syracuse, according to Linda Grace-Kobas, director of the Cornell News Service.

Lynn would not compare the severity of the current case with Morris', saying that "each case is different."

Lynn said the virus, called "MBDFA," was put into three Macintosh games -- Obnoxious Tetris, Tetriscycle and Ten Tile Puzzle.

On Feb. 14, the games were launched from Cornell to a public archive at Stanford University in Palo Alto, Calif., Lynn said. From there, the virus spread to computers in Osaka, Japan and elsewhere around the world when users connected to computer networks via modems, he added. It is not known how many computers the virus has affected worldwide, he explained.

When computer users downloaded the infected games, the virus caused "a modification of system software," Lynn said. "This resulted in unusual behavior and system crashes," he added.

Lynn said he was not aware of anyone at Cornell who reported finding the virus on their computers.

The virus was traced to Cornell last Friday, authorities were quickly notified and an investigation began, Lynn said.

"We absolutely deplore this kind of behavior," Lynn said. "We will pursue this matter to the fullest."

Armed with search warrants, Public Safety investigators removed more than a dozen crates full of evidence from the students' residences in Baker and Founders halls on West Campus.

Public Safety officials refused to disclose the contents of the crates or issue any comment about the incident when contacted repeatedly by phone last night.

"We believe this was dealt with very quickly and professionally," Lynn said.

The suspects are scheduled to appear in Ithaca City Court at 1 p.m. today and additional charges are pending, according to Grace-Kobas.

Because spreading a computer virus violates federal laws, "conceivably, the FBI could be involved," she added. Officials with the FBI could not be reached to confirm or deny this.

Blumenthal and Pilgrim, both 19-year-olds, were current student employees at Cornell Information Technologies (CIT), Lynn said. He would not say whether the students launched the virus from their residence hall rooms or from a CIT office.

Henrik N. Dullea '61, vice president for University relations, said he thinks "the act will immediately be associated with the University," not only with the individual students charged.

Because a major virus originated from a Cornell student in the past, this latest incident may again "bring a negative reaction to the entire institution," Dullea said.

"These are very selfish acts," Lynn said, referring to the intentional distribution of computer viruses, because innocent people are harmed.

Lynn said he was unaware of the students' motive for initiating the virus.

Lynn said CIT put out a notice yesterday to inform computer users about the "very virulent" virus. A virus-protection program, such as the new version of Disinfectant, can usually cure computers, but it may be necessary to "rebuild the hard drive" in some cases, he added.

A former roommate of Blumenthal said he was not surprised by news of the arrest.

Computers were "more than a hobby" for Blumenthal, said Glen Fuller '95, his roommate from last semester. "He was in front of the computer all day," Fuller said.

Blumenthal, who had a modem, would "play around with viruses because they were a challenge to him," Fuller said. He said that, to his knowledge, Blumenthal had never released a virus before.

----------------

Date: Tue, 25 Feb 1992 16:12:14 PST
From: John Norstad
Subject: Virus Fighters

However, I must let everyone know that I'm more than a bit embarrassed. As the author of Disinfectant, I am in a way just the most visible tip of a very large iceberg. The rest of the iceberg deserves just as much credit and thanks as do I. The only problem is, you don't know who these people are!

I can't list the names of these people, or even the name of our Internet-based organization. This is not the same group as the Disinfectant Working Group I mention in my online manual, although there is quite a bit of overlap between the two groups.

Let me just tell you very briefly what has happened since last Wednesday morning concerning this new MBDF virus.

The virus was reported to me, and a copy was sent to me, last Wednesday morning by a Professor of Mathematics in Wales. I immediately forwarded his note and the virus to the group. By Wednesday evening, several members of the group had completely disassembled, analyzed, and tested the virus. I did NOT do any of this work!

On Thursday morning, the same professor in Wales sent me a note saying that he thought he had gotten the virus from sumex-aim.
I checked, and sure enough, the games he mentioned were infected at sumex. I again immediately notified our group, which includes the managers of sumex. The sumex managers started working furiously checking files, shutting down the archive temporarily, and tracing back the source of the infection. They quickly discovered a trail leading to Cornell University.

I began working on Disinfectant 2.6. Others in the group worked on their anti-viral programs, helped prepare public announcements, and continued to do technical research on the virus. Others in the group notified the authorities at Cornell and began cooperating on that front.

To make a long story short, the net result is that:

a) Within three days of the discovery of the virus, all of the major commercial, freeware, and shareware Mac anti-viral tools were updated to deal with the new virus.

b) Two Cornell sophomores have been arrested, arraigned, and are now in jail, less than six days after discovery of the virus.

This brief historical summary of the events of the past six days is a wonderful example of the power of the Internet, and is a wonderful example of the tremendous spirit of cooperation fostered by the Internet. At least a dozen people were directly involved in this process. I was just one of them. I was not even the "leader," just a participant.

So again, it's embarrassing. The credit should go to the group, not just to me.

----------------

------- End of forwarded message -------