Full Disclosure mailing list archives
RE: Authorities eye MSBlaster suspect
From: "Jerry Heidtke" <jheidtke () fmlh edu>
Date: Fri, 29 Aug 2003 13:48:13 -0500
Except that teekid had nothing to do with either the original Blaster worm (which is apparently what Stephen Clowater assumed) or Nachia/Welchia/Blaster.D, which is the worm Jeremiah Cornelius refers to.

Here's the whois for his domain:

Domain: t33kid.com

Registrant (JP397-IYD-REG)
  Jeff Parson
  root () t33kid com
  603 8th Ave S.
  Hopkins, Minnesota 55343
  US
  +1.1111111111

Administrative (JP421-IYD)
  TeeKid Rooted Networks
  root () t33kid com
  Information Not Given
  Information Not Given, Information Not Given 11111
  US
  +1.1111111111

Billing (JP421-IYD)
  TeeKid Rooted Networks
  root () t33kid com
  Information Not Given
  Information Not Given, Information Not Given 11111
  US
  +1.1111111111

Technical (JP421-IYD)
  TeeKid Rooted Networks
  root () t33kid com
  Information Not Given
  Information Not Given, Information Not Given 11111
  US
  +1.1111111111

Record created on November 30, 2001
Record last updated on February 04, 2003
Record expires on November 30, 2003

Domain Name Servers:
  NS1.ZONEEDIT.COM
  NS2.ZONEEDIT.COM

Here's the Google cache of his web server:

http://216.239.41.104/search?q=cache:FEZleHDR3mcJ:t33kid.com/+teekid&hl=en&ie=UTF-8

What teekid did was take the original Blaster.A, decompress it, rename msblast.exe to penis32.exe, and use a hex-editor to change a few strings inside the executable. He didn't even recompress it. This "version" then became known as Blaster.B. Not very "l33t".

According to TrendMicro, Blaster.B infected all of 16 computers. If he hadn't released the variant, you wouldn't have noticed any difference, even assuming that Trend's stats may be low by two orders of magnitude.

The Nachia/Welchia/Blaster.D worm was written by someone who goes by the handle of Sowhat. He/she posted the source at https://www.xfocus.net/bbs/index.php?act=ST&f=1&t=26924. Quite a piece of work.

I'm not aware of any traces left by the original author of Blaster.A.

Sometimes it helps to have some facts before calling for blood.
Jerry

-----Original Message-----
From: Jeremiah Cornelius [mailto:jeremiah () nur net]
Sent: Friday, August 29, 2003 11:33 AM
To: steve () stevesworld hopto org
Cc: Florian Weimer; Larry Roberts; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Authorities eye MSBlaster suspect

Stephen Clowater wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Throw him in prison for a while...he caused a lot of headache, downtime, damage, and most importantly, the never ending msblaster thread on FD!

Stupidity should be punished, this guy wrote a crappy worm, shot his mouth off about it, and then got caught. Make an example out of him so at least other virus writers will learn that if they write the virus, they should shut up about it.
I suspect that the poor boy's efforts greatly raised the full-time employment prospects of many on this list.

This lad had good intentions, if flawed in his reasoning and execution. He /did/ put to the test a theory that has choked this list and others for a few years.

I suspect we won't be subjected to any more drivel about a "good worm" for some while now... ;-)

--
Jeremiah Cornelius, CISSP, CCNA, MCSE
farm9.com Security <mailto:jc () farm9 com>

"Administration for Windows networks is similar to maintaining a 12-year old GM Truck. Brand new, W2K+3 already has 190K miles of wear."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.