Romanian authorities on Thursday denied reports that a man has been detained in connection with the computer-crippling “Blaster” Internet worm, but confirmed they were investigating a suspect. Authorities there are looking for the author of a variant of MSBlaster that was released on Monday. The variant infected very few computers.
Romanian-based antivirus firm Bitdefender said Wednesday that a 24-year-old suspect had been detained in connection with the variant, called MSBlaster.F.
But Romanian police spokesman Marius Tache denied that authorities had detained a suspect in the case. He said the local organized crime police were investigating a suspect, but he would not confirm if it was the 24-year-old cited by Bitdefender.
Bitdefender spokesman Mihai Radu said Thursday that the suspect was “detained” for questioning, but later released because of a lack of evidence. Police are still examining computers seized from the suspect, Radu said.
“They are waiting for the computer analysis to establish if he is or is not guilty,” Radu said.
Police appeared to be backing off the investigation, leaving the computer probe in the hands of local officers in Iasi to be aided by an inspector sent from Bucharest, the Romanian capital, according to Radu.
Word that a second MSBlaster suspect had been identified came only days after the arrest of 18-year-old Jeffrey Parson by U.S. authorities. Parson is also accused of writing an MSBlaster variant, MSBlaster.F, which the government alleges infected 7,000 computers.
The initial MSBlaster infected over 1 million computers.
The Romanian variant is a slightly altered version of the original worm. The author changed some of the text inside the worm to taunt a former teacher, Radu said. The worm had been designed to perform a denial of service attack on the school’s Web site, he added.
MSBlaster.F hardly spread at all; it infected only a few dozen computers, according to BitDefender.
Similar to the Parson case, the worm itself contained information that quickly narrowed investigators’ search for a suspect.
Mikko Hyppönen, a spokesperson for antivirus firm F-Secure, said it was clear from the worm’s code that the suspect was a Romanian.
“We analyzed the virus on Monday and it was obvious from the code, and the fact that it’s attacking this university, that it was a local person,” he said.
An English version of the message left inside the virus was posted earlier this week on F-Secure’s Web site. It read: “Don’t go to the Hydrotechnics faculty!!! You are wasting your time...Barsan, the retirement wants you!!!”
The Associated Press contributed to this report.