Vulnerability Development mailing list archives
Re: I love you Author evidence ?
From: thierry () WAATLEEFT LU (Thierry)
Date: Fri, 7 Apr 2000 16:27:07 +0200
Jordan Dimov wrote:
The following two lines are from the source of the .vbs script:
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder () mail com / @GRAMMERSoft Group /Manila,Philippines
Looks like the same fella. So it's your typical 'cracker' profile: teenager in high-school, most likely male, anti-social, hates school; he's from the Philippines and speaks broken English.
What if people hadn't stereotypes branded into their mind ?
The bugfix.exe collects local private information (passwords that it can find) and mails it to mailme () super net ph. Just super.net.ph is not resolvable, but at www.super.net.ph it says they're a 'prepaid internet card provider' (I didn't know such things existed). Their web server is on a Linux 2.0.something box.
I actually heard on the radio the culprit would be female; anyway, the bugfix.exe, as pointed out, is called Barok and was created by spyder him/herself.
But anyway... How important is it really to know the author? And now the FBI is tracking the worm? Come on, give me a break. Someone on securityfocus.com said it best - busting 15 year old script kiddies just makes us all look stupid.
My comments were for those who feel concerned and/or interested in them. As soon as there is money or business loss coming into play (I wonder if shutting down mailservers creates millions of $ losses?) some people feel like having to bust the guilty. I wonder why? Also I want to apologize for the bad English in the previous mail, but hey, it was very late over here :)
Thierry
On Mon, 6 Mar 2000, Thierry wrote:
Hello,
On 10/01/2000 a guy going by the nick of spider submitted a program called barok to TLSecurity. He also submitted (kindly) a screenshot of the results, in which he always discloses the ISP he used etc...
http://www.tlsecurity.net/backdoor/barok.htm
This is the URL with the screenshot.
If we look closer at the *Bugfix.exe downloaded by the vbs script, and look at the X-mail fields it sends (source: X-Force):
To: mailme () super net ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder
We see that it has Barok in it, so presumably *bugfix.exe is nothing more than barok 1 or 2 (or a mod) from the same author.
Thierry Zoller
http://www.TLSecurity.net