
PRESS RELEASE ISSUED BY CORNELL NEWS SERVICE 2/25/91

Students charged with releasing computer virus


By Linda Grace-Kobas

Following a university investigation that tracked a computer virus and
its originators, two Cornell students were arrested and charged with
computer tampering for allegedly launching a computer virus embedded in
three games into national computer archives.  Arraigned Feb. 24 in
Ithaca City Court were David S. Blumenthal, 19, a sophomore in the
College of Engineering, and Mark Andrew Pilgrim, 19, a sophomore in the
College of Arts and Sciences.  They were charged with computer tampering
in the second degree, a Class A misdemeanor.  The pair is being held in
Tompkins County Jail with bail set at $2,000 cash bond or $10,000
property bond.  At a hearing Tuesday afternoon, Judge Sherman returned
the two to jail with the same bond and recommended that they remain in
jail until at least Friday pending the federal investigation.  A
preliminary hearing is set for April 10.

Both students were employed by Cornell Information Technologies, which
runs the university's computer facilities.  Pilgrim worked as a student
operator in an Apple Macintosh facility from which the virus is believed
to have been launched.  The university's Department of Public Safety is
working with the Tompkins County district attorney's office, and
additional charges are expected to be filed.  The Federal Bureau of
Investigation has contacted the university to look at possible violations
of federal laws, officials said.  The Ithaca Police Department is also
assisting in the investigation.

"We absolutely abhor this type of behavior, which appears to violate the
university's computer abuse policy as well as applicable state and
federal law," commented M. Stuart Lynn, vice president for information
technologies, who headed the investigation to track the originators of
the virus.  "Cornell will pursue all applicable remedies under our own
policies and will cooperate with law enforcement authorities."

Lynn said Cornell was alerted Feb. 21 that a Macintosh computer virus
embedded in versions of three computer games, Obnoxious Tetris,
Tetricycle and Ten Tile Puzzle, had possibly been launched through a
Cornell computer.  A virus is normally embedded in a program and only
propagates to other programs on the host system, he explained.
Typically, when an infected application is run, the virus will attack the
system software and then other applications will become infected as they
are run.

The virus, MBDF-A, had been deposited on Feb. 14 directly and indirectly
into several computer archives in the U.S. and abroad, including
SUMEX-AIM at Stanford University and archives at the University of Texas,
the University of Michigan and another in Osaka, Japan.  These archives
store thousands of computer programs available to users of Internet, the
worldwide computer network.

Macintosh users who downloaded the games to their computers were subject
to a variety of problems, notably the modification of system software and
application programs, resulting in unusual behavior and possible system
crashes.  Apparently, there was no intent to destroy data, Lynn said, but
data could be destroyed in system crashes.

Reports of the virus have been received from across the United States and
around the world, including Wales, Britain, Lynn said, adding that he has
no estimate for the number of individuals who might have obtained the
games.

As soon as the virus was identified, individuals and groups across the
country involved with tracking viruses sent messages across computer
networks to alert users who might have been affected by the virus, Lynn
added.  The virus has since been removed from all archives and
"disinfectant" software available to the Internet community has been
modified so that individual Macintosh users can purge their computers of
it.

"Our sense is that the virus was controlled very rapidly," he said.

In 1988, Cornell received national attention when graduate student Robert T.
Morris Jr. launched a computer virus into important government and
university research networks.  That virus, actually considered a "worm"
since it was self-perpetuating, caused major damage in high-level
systems.  Morris was convicted under the 1986 Computer Fraud and Abuse
Act and fined $10,000, given three years probation and ordered to do 400
hours of community service by a federal judge in Syracuse, N.Y.

The new virus differs greatly from the Morris worm, Lynn said.  "This
virus is not to be compared with the Morris worm, which independently
moved from machine to machine across the network," he explained.  All
Macintosh users should take appropriate measures to be certain their
systems are not infected with the virus.

News Service science writer William Holder also contributed to
this report.

                                                                                                                                                                                        