Vulnerability Development mailing list archives

Re: I love you Author evidence ?


From: jdimov () CIS CLARION EDU (Jordan Dimov)
Date: Sun, 7 May 2000 10:19:00 -0400


The following two lines are from the source of the .vbs script:

  rem barok -loveletter(vbe) <i hate go to school>
  rem by: spyder / ispyder () mail com / @GRAMMERSoft Group /Manila,Philippines

Looks like the same fella.  So it's your typical 'cracker' profile:
teenager in high-school, most likely male, anti-social, hates school;
he's from the Philippines and speaks broken English.  The bugfix.exe
collects local private information (passwords that it can find) and mails
it to mailme () super net ph.  Just super.net.ph is not resolvable, but at
www.super.net.ph  it says they're a 'prepaid internet card provider' (I
didn't know such things existed).  Their web server is on a Linux
2.0.something box.

But anyway...  How important is it really to know the author?  And now the
FBI is tracking the worm?  Come on, give me a break.  Someone on
securityfocus.com said it best - busting 15 year old script kiddies just
makes us all look stupid.

On Mon, 6 Mar 2000, Thierry wrote:

Hello,

On 10/01/2000
a guy going by the nick of spider submitted a program called barok to
TLSecurity. He also submitted (kindly) a screenshot of the results, in
which he always discloses the ISP he used etc...

http://www.tlsecurity.net/backdoor/barok.htm

This is the URL with the screenshot. If we look closer at the
*Bugfix.exe downloaded by the vbs script, and looking at the X-mail
fields it sends (source X-Force.)

To: mailme () super net ph
Subject: Barok... email.passwords.sender.trojan
X-Mailer: Barok... email.passwords.sender.trojan---by: spyder

We see that it has Barok in it so presumably *bugfix.exe is nothing more
than barok 1 or 2 (or a mod) from the same author.

Thierry Zoller
http://www.TLSecurity.net





