Presumptive Romanian author of Msblast.F detained today

September 2003


The alleged author of MsBlast.F has been detained by police forces after a short quest involving

BitDefender, an award-winning provider of security software and services, announces today that the Romanian presumed creator of MsBlast.F has been detained by police forces after a short quest involving the propagation and effects of new virus variant.

Dan Dumitru Ciobanu, 24 years old, from Iasi - Romania is the alleged author of this MsBlast.F version, which he seems to have implemented within the computer network of the Iasi Technical University. Story appears to be repeating, as in the Parson case (the Minnesota teenager, author of Msblast.B): excellent academic results, scholarships during 4 of his 5 years of graduate studies.

Ciobanu was apprehended while he was working in a photo developing lab. Authorities have removed two computers from Ciobanu's home and work place. The equipment was sealed and remains to be analyzed in presence of the defendant, of the district attorney and the defendant lawyer. More information will be provided after data analysis, as the BitDefender experts are involved in further investigations.

"We were delighted with the technical details supplied by BitDefender antivirus experts, that helped us enormously in correctly identifying the suspect", stated Mr. Plai Gheorghi, Chief Inspector of the Iasi Centre for Combat Against the Organized Crime and Drug Enforcement. "The Strategic Economical Investigation Division from the Internal Affairs Ministry expresses its gratitude for the prompt support granted by SOFTWIN's professionals", Mr. Plai Gheorghi concluded.

September 1st brought a new MsBlast version, with low spreading and risk attributes. This malware was easily tracked to a Romanian issuer, as it enclosed a few strings in native language, all dedicated to undermine Hydrotechnical University based in Iasi, Romania, and specifically one of its professors. This variant shares the same functionality and active mechanisms as original MsBlast.A, the only differences being a change of the virus filename into enbiei.exe and the aforementioned strings remaining unused by the virus.

The quest for an author was short and rapidly undertaken by BitDefender antivirus specialists and local authorities, the first supplying the technical information that conducted to the author identification. The main point helping to the author discovery was his nickname, used as a copyright ("copywrong") name in all materials written by Dan Ciobanu.

The amazing side of this peculiar situation is that two people are to stand trial for having modified original code of MsBlast.A, but the creator of the worm is still out there. Antivirus specialists concur in saying that such altered versions are not as difficult to create as original, new ones. Still, Dan Dumitru Ciobanu could now face 15 years in a state prison, accordingly to the Romanian newly adopted law.

In the particular circumstances entailed by the last Msblast outbreak, BitDefender experts have developed a specific feature in their antivirus scanning engines, to detect any attempt to use the Microsoft Windows DCOM-RPC vulnerability for system intrusion, successfully identifying any possible virus replication.

BitDefender antidote is available for download for all infected users.
All Windows 2000 and XP users are urged to patch their systems from http://www.microsoft.com/downloads/search.aspx?displaylang=en.

For more details, please contact us or see the technical description.

For a permanent protection, BitDefender Antivirus commercial solutions are available for sale on the Internet or at local distributors and start from USD 29.95.


Share This ON: