Except that teekid had nothing to do with either the original Blaster worm (which is apparently what Stephen Clowater assumed) or Nachia/Welchia/Blaster.D, which is the worm Jeremiah Cornelius refers to.

Here's the whois for his domain:

    Domain: t33kid.com

    Registrant (JP397-IYD-REG)
      Jeff Parson
      [EMAIL PROTECTED]
      603 8th Ave S.
      Hopkins, Minnesota 55343 US
      +1.1111111111

    Administrative (JP421-IYD)
      TeeKid Rooted Networks
      [EMAIL PROTECTED]
      Information Not Given
      Information Not Given, Information Not Given 11111 US
      +1.1111111111

    Billing (JP421-IYD)
      TeeKid Rooted Networks
      [EMAIL PROTECTED]
      Information Not Given
      Information Not Given, Information Not Given 11111 US
      +1.1111111111

    Technical (JP421-IYD)
      TeeKid Rooted Networks
      [EMAIL PROTECTED]
      Information Not Given
      Information Not Given, Information Not Given 11111 US
      +1.1111111111

    Record created on November 30, 2001
    Record last updated on February 04, 2003
    Record expires on November 30, 2003

    Domain Name Servers:
      NS1.ZONEEDIT.COM
      NS2.ZONEEDIT.COM

Here's the Google cache of his web server:

http://216.239.41.104/search?q=cache:FEZleHDR3mcJ:t33kid.com/+teekid&hl=en&ie=UTF-8

What teekid did was take the original Blaster.A, decompress it, rename msblast.exe to penis32.exe, and use a hex-editor to change a few strings inside the executable. He didn't even recompress it. This "version" then became known as Blaster.B. Not very "l33t".

According to TrendMicro, Blaster.B infected all of 16 computers. If he hadn't released the variant, you wouldn't have noticed any difference, even assuming that Trend's stats may be low by two orders of magnitude.

The Nachia/Welchia/Blaster.D worm was written by someone who goes by the handle of Sowhat. He/she posted the source at https://www.xfocus.net/bbs/index.php?act=ST&f=1&t=26924. Quite a piece of work.

I'm not aware of any traces left by the original author of Blaster.A.

Sometimes it helps to have some facts before calling for blood.

Jerry

-----Original Message-----
From: Jeremiah Cornelius [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 11:33 AM
To: [EMAIL PROTECTED]
Cc: Florian Weimer; Larry Roberts; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Authorities eye MSBlaster suspect

Stephen Clowater wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Throw him in prison for a while...he caused a lot of headache, downtime, damage,
>and most importantly, the never ending msblaster thread on FD!
>
>Stupidity should be punished, this guy wrote a crappy worm, shot his mouth off
>about it, and then got caught. Make an example out of him so at least other
>virus writers will learn that if they write the virus, they should shut up
>about it.
>

I suspect that the poor boy's efforts greatly raised the full-time employment prospects of many on this list.

This lad had good intentions, if flawed in his reasoning and execution. He /did/ put to the test a theory that has choked this list and others for a few years. I suspect we won't be subjected to any more drivel about a "good worm" for some while now... ;-)

--
Jeremiah Cornelius, CISSP, CCNA, MCSE
farm9.com Security
<mailto:[EMAIL PROTECTED]>

"Administration for Windows networks is similar to maintaining a 12-year old GM Truck. Brand new, W2K+3 already has 190K miles of wear."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
