Confusion surrounds Blaster-F worm investigation in Romania, Sophos Anti-Virus comments

September 05, 2003 Sophos Press Release

Police in Romania were reported earlier this week to have arrested a 24-year-old man in connection with the W32/Blaster-F internet worm.

According to media reports, Dan Dumitru Ciobanu, a graduate of the Technical University in Iasi, was traced through his online nickname "Enbiei" (used as a filename by the virus) and a section of Romanian language text contained inside the virus. The text, when translated into English, reads as follows:

"Don't go to the Hydrotechnics faculty!!! You are wasting your time... Birsan, your pension awaits!!! I urinate on the diploma!!!!!!"

This was said to have directed the authorities through a series of message boards to a website belonging to Ciobanu, containing his home address and telephone number.

According to reports from the media and a Romanian anti-virus company, police seized a number of computers from Ciobanu's home and workplace, which they say will be analysed for evidence.

However, the authorities in Romania are now saying that no arrest has taken place - and they are refusing to name any individuals who may be under investigation.

"Leaving a message in your virus about an old teacher you didn't like is a pretty dumb thing to do," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "This investigation comes less than a week after the FBI apprehended Jeffrey Lee Parson in Minnesota regarding an earlier variant of the Blaster worm. The message needs to go out loud and clear - writing and spreading a virus is unacceptable behaviour, and causes real harm to home users and businesses around the world."