Feds nab second suspect in worm attacks

The U.S. Department of Justice announces that a juvenile had been arrested in connection with the release of a computer worm that spread in the same way as the MSBlast worm.

Robert Lemos Staff Writer, CNET News.com

Robert Lemos

covers viruses, worms and other security threats.

See full bio

Robert Lemos

Oct. 2, 2003 7:01 p.m. PT

2 min read

The U.S. Department of Justice announced on Friday that a juvenile had been arrested in connection with the release of a computer worm that spread in the same way as the MSBlast worm.

The suspect is thought to have created and released a worm that exploits a security flaw in Microsoft operating systems, according to a statement released by the Justice Department. The worm--known as Spybot.worm.lz, Randex.E and RPCSdbot--infects systems by taking advantage of a security flaw Microsoft revealed in mid-July.

The Justice Department said the arrest puts Internet scofflaws on notice.



		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

"Computer hackers need to understand that they will be pursued and held accountable for malicious activity, whether they be adults or juveniles," John McKay, U.S. Attorney for the Western District of Washington, said in the statement.

Because the suspect is a minor, the Justice Department declined to reveal his or her name or gender. A department representative was unavailable for immediate comment.

The arrest is the second stemming from viruses spread by online vandals exploiting the flaw. The original MSBlast worm (also known as Blaster and Lovsan), along with a flawed copycat known as Welchia and Nachi that was intended to protect vulnerable systems from the original worm, likely infected more than a million computers.

The Justice Department called the worm a "variant of the Blaster computer worm." However, the statement describes a different worm--the Randex.E worm, which uses the same flaw as the MSBlast worm to install a Trojan horse program known as SDBot. The program connects to the Internet relay chat (IRC) system and awaits commands from the attacker.

"The attacker can control it through IRC to cause denial-of-service attacks and install programs that the attacker specifies," said Oliver Friedrichs, senior manager for Symantec's security response team.

The original Blaster worm and its variants did not install a Trojan horse.

A suspect in the earlier case, Jeffrey Lee Parson of Minneapolis, was arrested and charged in late August with one count of intentionally damaging a protected computer. Parson allegedly created MSBlast.B, a variation that differed from the original worm mainly in that two files had been renamed--one with Parson's screen name, "teekid"--and a couple of profane messages aimed at Microsoft and Bill Gates had been added. The MSBlast.B variant achieved only modest distribution, infecting some 7,000 computers, according to Justice Department estimates.