Back Orifice CDs infected with CIH virus

Summary: Cult of the Dead Cow confirms official CD-ROMs were infected with deadly virus, apologizes -- 'We screwed up.'

UPDATED 6:33 PM PT

Cult of the Dead Cow confirmed Thursday that official CD-ROM versions of its controversial Back Orifice 2000 program are infected with the CIH virus.

"There must have been a virus on the duplicating machine and we didn't know about it," cDc member DilDog said in a phone interview.

"This incident is unfortunate and we are doing what we can do to rectify it. We can't apologize enough.

"We screwed up," he said.

cDc, which distributed 32 official CD-ROM versions of BO2K at the DEF CON hacking convention last weekend, had previously denied that its CD-ROMs were infected with Win95.CIH, a virus that reformats hard drives and, on some machines, can erase the BIOS information that the computer needs to operate.

Web version clean
Although an embarrassing publicity snafu for the high-profile hacking group, the CIH incident doesn't affect cDc's method for mass distribution of BO2K -- the Web.

Like its predecessor, Back Orifice, BO2K was released on the Web on Wednesday, where it is available for free download.

PC Week Labs senior analyst Jim Rapoza, who downloaded and tested the Web version of BO2K, confirmed that the Web version is virus-free. DilDog said that the Web version of the program is "absolutely clean."

DilDog said cDc mistakenly believed that only pirated copies of BO2K -- burned and distributed at DEF CON within 45 minutes of the hacking tool's splashy debut -- were infected with CIH.

However, cDc changed its tune after several anti-virus firms and ZDNN reported finding CIH on official CD-ROMs -- confirming that the executable files on the CD-ROM were infected.

"We would like to thank various individuals profusely for pointing this out to us," DilDog said.

cDc member Count Zero, who gave ZDNN its CIH-infected BO2K CD-ROM with "Virus Free" written on the case, said the incident was not malicious.

"We are not perfect ... It was human error. Our error. We weren't trying to do anything malicious," he said.

'We do accept responsibility'
DilDog said he couldn't explain exactly how the CD-ROMs were infected with CIH; however, it appears the infection occurred before DEF CON, during the duplication of the official BO2K CD-ROMs.

"On my way to DEF CON I burned one CD with a series of stuff I needed (including the executable files for BO2K). All of this stuff was scanned ... nothing contained anything bad," he said. "As a last minute thing, we decided to make some duplicates to hand out at DEF CON."

DilDog said he handed the master CD-ROM to a "third party ... a very trusted friend of mine" who burned 25 copies of BO2K, using his PC. Those copies were identified with white cDc labels.

"It appears that the machine that we used in the duplicates had a virus on it," DilDog said. "We do accept responsibility for not having scanned the final copies of the CDs, but the master from which they were all duplicated was scanned and had nothing on it. So it must have been one of those flash in the pan kind of things where we had a virus apparently on the duplication machine and we didn't know about it."

By DilDog's count, 22 of those infected copies were handed out during BO2K's debut on Saturday. Within 45 minutes of the BO2K debut, cDc began hearing reports of infected BO2K copies from DEF CON attendees, who already had pirated copies of the official CD-ROMs.

Both Count Zero and DilDog said they mistakenly believed that the official CD-ROMs were virus free, and that only the pirated copies were infected. Count Zero said he then took one of the remaining official CD-ROMs and, without scanning, burned another 10 official copies of BO2K. "My error was I assumed that the original was virus free," Count Zero said.

Count Zero labeled those 10 new versions of BO2K with cDc stickers and wrote "Virus Free -- Count Zero" on the CD-ROMs' jewel cases. He then handed out those 10 CD-ROMs. ZDNN received one of those "Virus Free" copies of BO2K, which Norton's Anti-Virus found contained CIH.

Believing its BO2K copies were virus free, DilDog said cDc discounted initial reports of CIH infection. "It was only one or two days ago, I guess, that we got word from people that it was our CDs," he said.

Since then, DilDog said, cDc has run virus scans on all its PCs, but every machine has tested clean. "We are really at a loss as to how it got on there," he said. "There must have been a virus on the duplicating machine and we didn't know about it."
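The failure the story describes is a gap between what was checked and what was shipped: the master was scanned, the duplicates made on another machine were not, and a second batch was burned from an unscanned copy on the strength of a label. The usual defence is to record a manifest of the master's contents (size and cryptographic hash per file) and verify every copy against it before it leaves your hands, so any executable altered during duplication shows up as a mismatch regardless of whether a scanner knows the infector. The script below is an added example written for this page, not code from cDc or the ZDNN story; the directory layout, file names and the altered-byte "infection" it constructs are all made up for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to (size, sha256).

    Build this once from the scanned master and keep it with the master."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = (p.stat().st_size, hash_file(p))
    return manifest


def verify_copy(manifest: dict, copy_root: Path) -> dict:
    """Compare one duplicate against the master manifest.

    'modified' catches executables changed by a file infector on the duplicating
    machine; 'extra' catches files that were never on the master at all;
    'missing' catches incomplete burns. An empty result is the only pass."""
    copy_manifest = build_manifest(copy_root)
    return {
        "modified": sorted(k for k in manifest if k in copy_manifest and copy_manifest[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in copy_manifest),
        "extra": sorted(k for k in copy_manifest if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: a clean master tree and a duplicate whose executable was altered."""
    with tempfile.TemporaryDirectory() as tmp:
        master = Path(tmp) / "master"
        copy = Path(tmp) / "copy"
        (master / "bo2k").mkdir(parents=True)
        # constructed stand-ins for the shipped files; contents are arbitrary
        (master / "bo2k" / "bo2k.exe").write_bytes(b"MZ" + b"\x00" * 1000)
        (master / "README.TXT").write_bytes(b"constructed readme\n")
        manifest = build_manifest(master)          # taken from the scanned master

        shutil.copytree(master, copy)               # the duplication step
        with open(copy / "bo2k" / "bo2k.exe", "ab") as f:
            f.write(b"\x90\x90")                    # constructed: the copy's executable no longer matches
        return verify_copy(manifest, copy)


if __name__ == "__main__":
    print(demo())  # {'modified': ['bo2k/bo2k.exe'], 'missing': [], 'extra': []}
```

Run `build_manifest` on the master once, then `verify_copy` on each burned disc (mount it and pass the mount point); a copy that reports anything other than three empty lists should not be handed out, whatever the label on the case says.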

ZDNN's Robert Lemos contributed to this story.
