Mbdf
Type: File virus
Creator: David Blumenthal, Mark Pilgrim
Date Discovered: 1992.02.14
Place of Origin: Ithaca, New York, USA
Source Language:
Platform: Mac OS
File Type(s): MBDF resource
Infection Length: 638 bytes
Reported Costs:

Mbdf is a benign file virus that appeared in early 1992. It was coded at Cornell University and was uploaded to archives in a few places in the US and one in Japan, and ended up pretty widespread. The virus itself was benign with no intended damage, though under certain circumstances it could cause major problems.

Behavior

When the user runs an application with an infected resource, Mbdf is loaded into memory. Every clean application loaded while Mbdf is in memory will be infected. The virus is unable to spread on a MacPlus or a Mac SE, though it may spread on the Mac SE 30.

Though non-malicious, the virus has the unintended problem of damaging the system file if the system is restarted while it is infecting it. This is probably quite likely to happen: infecting the system file can take a long time, since the virus needs to rewrite the whole file, and during that time the system appears to be hung. Other accounts say it may damage other directories if it is infecting them during a system restart. It may also cause some applications to not work properly.
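An added example (not from the original page or from any tool it mentions): a resource-level integrity check that compares an application's resource fork against a known-good copy and reports resources that were added, removed or changed. It assumes the standard classic Mac OS resource fork layout and, per the infobox, that the infection appears as an MBDF resource; `build_fork`, the sample resources, the MBDF ID 0 and the 638-byte zero filler are constructed for illustration.

```python
import hashlib
import struct

def build_fork(resources):
    """Pack [(type, id, data)] into a minimal resource fork (constructed test fixture)."""
    data, refs, by_type = b"", b"", {}
    for rtype, rid, body in resources:
        by_type.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(body)) + body          # 4-byte length prefix
    type_list = struct.pack(">H", len(by_type) - 1)          # counts are stored minus one
    ref_base = 2 + 8 * len(by_type)                          # ref lists follow type entries
    for rtype, items in by_type.items():
        type_list += struct.pack(">4sHH", rtype, len(items) - 1, ref_base + len(refs))
        for rid, off in items:
            refs += struct.pack(">hHII", rid, 0xFFFF, off, 0)  # no name, attributes 0
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(type_list) + len(refs)) + type_list + refs
    return struct.pack(">4I", 256, 256 + len(data), len(data), len(rmap)) + bytes(240) + data + rmap

def inventory(fork):
    """Return {(type, id): sha256 hex digest of the resource data} for a resource fork."""
    data_off, map_off = struct.unpack_from(">II", fork, 0)
    tl = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]   # start of type list
    n_types = (struct.unpack_from(">H", fork, tl)[0] + 1) & 0xFFFF   # 0xFFFF means empty
    found = {}
    for i in range(n_types):
        rtype, last, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * i)
        for j in range(last + 1):
            rid, _name, packed = struct.unpack_from(">hHI", fork, tl + ref_off + 12 * j)
            start = data_off + (packed & 0xFFFFFF)           # top byte holds attributes
            size = struct.unpack_from(">I", fork, start)[0]
            body = fork[start + 4:start + 4 + size]
            if len(body) != size:
                raise ValueError("truncated resource data")
            found[(rtype.decode("mac_roman"), rid)] = hashlib.sha256(body).hexdigest()
    return found

def diff_forks(baseline, current):
    """Compare two forks; return (added, removed, changed) lists of (type, id)."""
    old, new = inventory(baseline), inventory(current)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted(k for k in new if k in old and new[k] != old[k])
    return added, removed, changed

# Constructed sample: a clean application fork and the same fork with an extra MBDF resource.
CLEAN = [(b"CODE", 0, b"\x00" * 16), (b"CODE", 1, b"\x4e\x75" * 8), (b"MENU", 128, b"File")]
BASELINE = build_fork(CLEAN)
ALTERED = build_fork(CLEAN + [(b"MBDF", 0, b"\x00" * 638)])  # ID and filler are placeholders
if __name__ == "__main__":
    print(diff_forks(BASELINE, ALTERED))
```

The baseline has to come from a copy known to be clean, such as the original distribution media, since a check that trusts the installed copy only detects later changes.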

Origin and Discovery

Mbdf was eventually traced to Cornell, leading to the arrest of David Blumenthal and Mark Pilgrim, who uploaded the trojans containing the virus to an archive at Stanford University. It was also found at the universities of Michigan, Texas and Osaka. The two were held in jail. Blumenthal was known to play with viruses as a technical challenge. They were charged with second-degree computer tampering, a misdemeanor.

Mbdf was discovered in Wales in February 1992. It was discovered when developers at Claris software, then makers of database software FileMaker, were running an integrity check on their software. The Tetricycle trojan that drops the virus was found uploaded on two archive sites hosting games on 14 February 1992, which is the earliest documented date of Mbdf's existence.

Cornell was the point of origin of two very similar viruses, Cdef and Mdef, as well as the Unix Morris worm. Another Macintosh virus, Zuc, passed through here, though it is believed to have originated in Italy.

Variants

Mbdf.B appeared in November of 1993. It is relatively similar to the original. As with the original, infected Claris applications will inform the user they have been altered. It will cause problems in the functionality of the BeHierarchic program and some applications may crash when the menu bar is selected with the mouse.

Effects

Mbdf was never believed to be very virulent, certainly not to the levels of nVir or Wdef, though it did at least cross an ocean. Also, since it lacked any deliberately malicious payload, it was extremely unlikely to have caused any real damage. There is the remote possibility of transient damage, though there are few reports of this.

The virus did come accidentally bundled with software, sometimes even in official releases. It was quite commonly found in infected games and a trojan horse. It notably came on a CD of FileMaker distributed at a World Wide Developers Conference, though this version did not come from Claris Software. In October of 1994, Apple itself released a sample System 7.5 upgrade kit containing the virus. In July of 1997, a copy of Vellum 3D modelling software was released with the virus.

