CIAC Bulletins and Advisories

U.S. Department of Energy Computer Incident Advisory Capability

The following virus-related information is excerpted from CIAC Bulletins and Advisories:

Columbus Day Virus

CIAC Bulletin Number 02: September 8, 1989

Notice of Columbus Day Virus Affecting IBM PCs and PC Clones

The DOE Computer Incident Advisory Capability (CIAC) has learned that there is a Columbus Day Virus which may attack MS-DOS (PC-DOS) personal computers on or after October 12 or October 13, 1989. Note that October 13 is a Friday the thirteenth. You should make the information in this notice available to appropriate personnel at your site so that the virus can be detected and eradicated.

The Columbus Day Virus has been isolated and may actually be one of a series of related viruses. It most closely resembles the DataCrime Virus. Contrary to speculation in a recent Federal Computing Weekly article, however, the Columbus Day Virus does not appear to be closely related to the Icelandic or West German virus. The Columbus Day Virus searches through the DOS directory for .COM files other than COMMAND.COM. It attaches to the end of a .COM file, which increases the size of the file by 1168 bytes. The virus infects any given .COM file only once. However, it will infect any uninfected .COM file that it encounters. If the virus executes, it will display the message:

    DATACRIME VIRUS

    RELEASED: 1 MARCH 1989

and then do a low-level format on track zero. Since this is the boot area of the disk, the hard disk will be unbootable.

Detection of this virus is difficult because ASCII strings in the virus code are encrypted. Therefore, utilities that search files for particular ASCII strings are useless. There are two methods you can use to detect this virus. The first method is to check for a size increase of 1168 bytes in .COM files. Another possible method is to use VIRUSCAN* (see below), which should report the existence of this virus as well as several other viruses. If a machine is infected, users must copy over all infected .COM files using their original .COM files. This must be accomplished at one sitting to prevent re-infection. You should also examine backups to see if they are infected. You should repeat whatever detection method you decide to use every time you load a new .COM file or database into your PC or PC clone.

If the boot sector is destroyed, it can be restored with Disk Doctor, a utility in Norton Utilities Version 4.5 (Advanced Edition). Note that a restoration is possible only if the Disk Doctor utility had been previously run.

The DOE Center for Computer Security at Los Alamos has recently published a pamphlet, Computer Viruses and the Personal Computer User (CCS-89-03). CIAC recommends that you read and follow the excellent guidelines contained in this pamphlet.

Because VIRUSCAN is produced and distributed by a commercial developer, CIAC cannot at this time send copies of this software directly to you. To obtain a copy of VIRUSCAN, you need to send $15 with your name, address and phone number to:

* The University of California neither endorses VIRUSCAN nor guarantees the effectiveness of this software package. CIAC will test this package in the near future to determine whether it provides adequate detection of the Columbus Day virus.


Jerusalem/Israeli/Friday the 13th Virus

CIAC Information Bulletin 04: June 5, 1989

The Computer Incident Advisory Capability (CIAC) has been helping several sites deal with a new strain of the Jerusalem/Israeli/Friday the 13th virus which infects IBM PC's and PC clones. This new strain, the "Little Black Box" virus, causes a small black box to appear in the lower left quadrant of the screen. The virus adds 1808 bytes to an .exe file every time an application is executed until the executable image is too large to fit into memory or disk space is exhausted. This causes poor system performance. This virus will also add 1813 bytes to .com files, one at a time. This causes parity errors which disrupt EGA and CGA screens.

This "Little Black Box" virus does not destroy files. It does, however, spread quickly. The most common way viruses are spread is through exchanging removable media. Please advise personnel at your site to follow your procedures which prevent virus infections.


Macintosh nVIR Virus

CIAC Advisory Notice Number 09

The nVIR virus has recently infected significant numbers of Macintosh systems at several DOE sites. There are different strains of this virus. Each strain causes somewhat different symptoms such as printing errors on laser printers, slow system response time, or unpredictable system crashes.

The exact mechanisms by which nVIR spreads have recently been determined. Removable media (e.g., disks) are the primary means by which nVIR spreads. Thus, if a disk used in an infected Macintosh is removed and inserted in a second Macintosh, the other machine will become infected if any application on that disk is executed in the second machine. In addition, any method used to transfer programs between Macintoshes will spread the nVIR virus. This includes transfer via shareware over a network. However, nVIR cannot spread via a print network's hardware.

nVIR is initially difficult to detect. It spreads quickly and frequently affects backups before eradication procedures can be initiated.

Disks brought in from off-site are the most common source of nVIR infections. Unauthorized copies of commercial software brought from off-site or exchanged within a site also present a substantial risk of nVIR infection. Vendor demonstration programs are another suspected source of the nVIR virus.

We urge you first of all to review your site's policy on sharing disks and using and distributing non-licensed software. Another essential damage prevention measure is to have good anti-viral software available at your site. CIAC recommends that you test any suspect disk with Disinfectant 1.2, a freeware package which also eradicates viruses. Virus Detective, a shareware package, also tests disks to see if they are clean of nVIR and several other viruses. Although it is tedious to use, Gatekeeper, another shareware program, will provide several protection mechanisms. It is important to educate users about the importance of using only software from trusted sources to reduce the possibility of virus infections. Finally, CIAC recommends that your site use dedicated machines for on-site vendor demonstrations.


IBM PC Columbus Day (Datacrime) Virus

CIAC Information Bulletin Number 10: September 22, 1989

I. Executive Summary

On September 8, 1989 the DOE Computer Incident Advisory Capability (CIAC) issued a notice about the Columbus Day Virus, also known as the DATACRIME virus, which may attack MS-DOS (PC-DOS) personal computers. Since that time CIAC has gathered considerable information and has obtained and analyzed two versions of this virus.

The Columbus Day family of viruses will infect applications on IBM Personal Computers (PCs) and Compatibles. Execution of an infected program will cause the virus to replicate to other applications. When the system date is between October 13th and December 31st of any year and the computer has a hard disk, the virus strikes and displays the message:

    DATACRIME VIRUS

    RELEASED: 1 March 1989

Simultaneously, the virus makes the hard disk unreadable. Recovery after the virus has altered the disk is extremely difficult. The enclosed procedures will help to assure non-interrupted use of affected computers.

This memo contains recommendations that users of an IBM personal computer or compatible computers (PC) may follow to prevent loss of information due to this virus. Also included are technical procedures on how to detect, protect, eradicate and recover from the Columbus Day family of viruses. A survey form is provided to aid the CIAC team in collecting data concerning the spread of this virus. It is requested that this form be completed at each site and returned to CIAC as soon as possible.

II. Detailed Information on the Columbus Day (DATACRIME) Virus

DATACRIME-V1 (also known as the 1168 Virus, named for its length) and DATACRIME-V2 (also known as the 1280 virus) are both closely related Columbus Day Viruses with only minor changes. A related virus, DATACRIME II, is currently being examined. This bulletin gives details about what to expect from this family of viruses and makes further recommendations for protecting your systems.

You may have seen a report about this topic on CNN or read about it in your local newspaper. However, all indications at this time are that these viruses are not as widespread as other viruses affecting IBM PCs and PC compatibles. The Computer Virus Industry Association (CVIA) reports that infections have been minimal. This data is collected from reports by programs like VIRUSCAN, and represents a very large sampling of the community. However, as with all viruses we should be prepared. If the DATACRIME virus attacks your machine it could do serious damage. Good backups are essential.

The DATACRIME (V1 and V2) family of viruses will infect one .COM file each time an infected program is executed. DATACRIME II will infect both .COM and .EXE files. It does this by searching the current directory and all sub-directories on the "C:" drive for a file to infect. If it fails to find a file, it will search other drives on your machine for a candidate file. The virus will not infect any file with "D" as the seventh letter of its name; thus, COMMAND.COM will not be infected. Each time the virus is run it checks the current date. If the date is between October 13th and December 31st of any year and the computer has a hard disk it displays the message:

    DATACRIME VIRUS

    RELEASED: 1 March 1989

Simultaneously, the virus formats the first 8 tracks of cylinder 0 of the hard disk. This will effectively destroy the partition table, master boot track, the boot record, the File Allocation Table (FAT), and a portion of the root directory. Recovery at this point will be very difficult and will require a low level format. Due to the way the virus executes, its behavior ranges from no action to complete loss of the data on the hard disk. We stated in the previous memo on the Columbus Day Virus that you may be able to do a partial recovery with, for example, Disk Doctor in Norton Utilities Version 4.5. As we examined the virus we determined that there is only a very small chance of recovery by this method. Prevention and backups are the best course.

The CIAC recommends that each PC user follow the procedures below:

First, back up your hard disk, most importantly the data. These viruses can't propagate through data files and you can always restore your applications from the distribution disks, but if your data is important to you, you should back it up now.

Now that you've backed up your data you can try to detect the virus. Utilities that search files for particular ASCII strings are ineffective, since the ASCII strings in the virus code are encrypted. There are several methods you can use to detect this virus. The first method, while labor intensive, doesn't require any special software. Check for any increase in the size of your .COM or .EXE files. The virus will not infect COMMAND.COM so examine other executable files, for example, FORMAT.COM, CHKDSK.COM, FIND.EXE and PRINT.COM.

Note that there are other reasons why the file size may not match. For example, you may have updated to a newer version of a program, or you are running Data Physician which changes the size of the file. However, a size change should signal that you need to investigate further.

Another possible method is to use a commercial product that will detect these viruses. This includes products like Flu-Shot+, VIRUSCAN, or Data Physician, which should report the existence of these viruses as well as certain other viruses.
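The size-check method described above (and in the September 8 notice earlier on this page) can be scripted: record a baseline of executable sizes while the machine is known clean, then compare against it after every new program is loaded. The following is an added example, not code from CIAC or from the bulletin. The facts it encodes come from the bulletin: V1 appends 1168 bytes, V2 appends 1280 bytes, and a file whose seventh letter is "D" (such as COMMAND.COM) is never infected. The directory layout, file names and sizes used in `demo()` are constructed sample data, not real DOS file sizes.

```python
"""Baseline-and-compare detector for unexplained growth of DOS executables.

Added example, not code from CIAC or from the bulletin: it implements the
size-check detection method the bulletin recommends for the Columbus Day
(DATACRIME) family, which is needed because string scanning cannot see the
virus's encrypted text.  Facts from the bulletin: V1 appends 1168 bytes, V2
appends 1280 bytes, and a name whose seventh letter is 'D' (COMMAND.COM) is
never infected.  Names and sizes in demo() are constructed sample data.
"""
import json
import tempfile
from pathlib import Path

# Appended lengths named in the bulletin, keyed by delta in bytes.
KNOWN_DELTAS = {1168: "DATACRIME-V1 (1168)", 1280: "DATACRIME-V2 (1280)"}
EXECUTABLE_SUFFIXES = {".COM", ".EXE"}


def is_infectable(name: str) -> bool:
    """True unless the 8.3 base name has 'D' as its seventh letter."""
    stem = Path(name).stem.upper()
    return not (len(stem) >= 7 and stem[6] == "D")


def snapshot(root: Path) -> dict:
    """Map every .COM/.EXE below root (upper-cased relative path) to its size."""
    sizes = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.upper() in EXECUTABLE_SUFFIXES:
            sizes[path.relative_to(root).as_posix().upper()] = path.stat().st_size
    return sizes


def compare(baseline: dict, current: dict) -> list:
    """Return (name, old_size, new_size, verdict) for each executable that changed.

    Growth of exactly 1168 or 1280 bytes on an infectable name is reported as
    a DATACRIME match; any other change is reported for investigation, since
    the bulletin notes that upgrades or Data Physician also alter file sizes.
    """
    findings = []
    for name, new in sorted(current.items()):
        old = baseline.get(name)
        if old is None or old == new:
            continue
        delta = new - old
        if delta in KNOWN_DELTAS and is_infectable(name):
            verdict = "matches " + KNOWN_DELTAS[delta]
        else:
            verdict = "size changed by %+d bytes; investigate" % delta
        findings.append((name, old, new, verdict))
    return findings


def demo() -> list:
    """Constructed scenario: take a baseline, then simulate one infection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "DOS").mkdir()
        samples = {"COMMAND.COM": 25307, "DOS/FORMAT.COM": 11616,
                   "DOS/CHKDSK.COM": 9819, "DOS/FIND.EXE": 5983}
        for name, size in samples.items():
            (root / name).write_bytes(b"\x90" * size)
        baseline_file = root / "baseline.json"  # in practice keep this on a locked floppy
        baseline_file.write_text(json.dumps(snapshot(root)))
        # Simulate DATACRIME-V1 appending 1168 bytes to FORMAT.COM and an
        # unrelated 40-byte update to FIND.EXE.
        with (root / "DOS/FORMAT.COM").open("ab") as f:
            f.write(b"\x00" * 1168)
        with (root / "DOS/FIND.EXE").open("ab") as f:
            f.write(b"\x00" * 40)
        return compare(json.loads(baseline_file.read_text()), snapshot(root))


if __name__ == "__main__":
    for name, old, new, verdict in demo():
        print("%-16s %6d -> %6d  %s" % (name, old, new, verdict))
```

The baseline must be taken while the machine is known clean and stored where the virus cannot reach it (a write-protected floppy); a baseline taken from an already infected disk would simply hide the infection.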

If you find you are infected but DATACRIME hasn't struck yet, DON'T PANIC. Do the following: Copy the infected files to a diskette, clearly label it as a virus and protect this disk. We need copies of all DATACRIME viruses that infect DOE machines, so please call the CIAC for instructions on how to handle this sample. You must completely rid your machine of this virus. The procedure below is believed to be necessary because current eradication programs cannot guarantee 100% recovery.

Again, make sure that you have backed up all your data. Ensure that there are no system or application files (any file that ends in .COM or .EXE) on your backup floppies. The next step will destroy all information on the hard disk, so ensure that your backups and distribution disks are safe. Follow the necessary procedures to format your hard-drive. Seek expert assistance if you are not familiar with how to carry out this procedure.

Now take out your original disks and write protect each one of them. If you have a virus detection program that works, run it on the application disks to ensure they are virus-free. Reinstall all of your applications from the original virus-free distribution disks. You should examine all of your floppies and backups that contain applications or system files to prevent reinfection. Remember, one infected file will reinfect your system.


Trojan horse in Norton Utilities for IBM PCs and clones

CIAC Information Bulletin Number A-6: November 7, 1989, 1730 PST

Information about a trojan horse in Norton Utilities for IBM PCs and clones

CIAC has been informed that a trojan horse has been found in a number of IBM PCs and PC clones which run Norton Computing utilities. This trojan horse appears superficially to be a legitimate file within Norton Utilities named either NORTSTOP.ZIP or NORTSHOT.ZIP. (The file contents are the same, regardless of the name used.) The trojan horse program must be run (i.e., the EXE file for the program must be executed) for any damage to occur to your system. If run, the program lists the directory and displays a message that one's machine is free of viruses. Damage resulting from running this program occurs only if the trojan horse program is executed between December 24 and December 31 inclusive. In this case, the program will erase files with selected file extensions.

Detection

You can detect this trojan horse by using Norton Utilities to examine the .EXE file for either of the .ZIP files listed above. The EXE file will contain the following message:

    The Norton Public Domain Virus Utility,  PD Edition 5.50,   (C) 1989
    Peter Norton

    Your System has been infected with a Christmas virus! Selected
    files were just eliminated!  Without these files, you might as well
    use your computer as a damn, boat anchor!  If you do NOT own a
    boat, you may want to replace the files which were just erased.
    Try to determine which files they were.  HARDY   HA!  HA!  HA!  HOW
    DO YOU FEEL NOW; YOU IDIOT?  MERRY CHRISTMAS AND HAPPY NEW YEAR!

If your system has the trojan horse, you will obtain a report similar to the following when using PKUNZIP (a utility which separates and decompresses files):

     1065  Implode    650   39%  10-04-89  12:26  9778978d  --w  READ-ME.NOW
    38907  Implode  30156   23%  10-02-89  11:57  c333dec0  --w  NORTSHOT.EXE
    -----          ------ -----                                  ------------
    39972          30806   23%                                         2
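Both detection steps above can be done without ever executing the archive's program: parse the PKUNZIP report and compare each member's size and CRC with the figures the bulletin printed, and scan the extracted file's bytes for the banner text. The following is an added example, not CIAC's code. The listing text is the one reproduced in the bulletin; the file images in `demo()` are constructed.

```python
"""Indicator checks for the NORTSTOP.ZIP / NORTSHOT.ZIP trojan horse.

Added example, not CIAC's code: parse_listing() reads a PKUNZIP report,
flag_members() compares each member's uncompressed length, compressed size
and CRC with the values the bulletin printed for READ-ME.NOW and
NORTSHOT.EXE, and has_banner() looks for the banner text the bulletin
quotes from the EXE.  LISTING is the bulletin's report; the file bytes in
demo() are constructed.
"""
import re

# (name, uncompressed length, compressed size, CRC) as printed in the bulletin.
KNOWN_MEMBERS = {
    ("READ-ME.NOW", 1065, 650, "9778978d"),
    ("NORTSHOT.EXE", 38907, 30156, "c333dec0"),
}
# Opening words of the message the bulletin says the EXE contains.
BANNER = b"The Norton Public Domain Virus Utility"

# One PKUNZIP row: length, method, size, ratio, date, time, crc, attr, name.
ROW_RE = re.compile(
    r"^\s*(?P<length>\d+)\s+(?P<method>\S+)\s+(?P<size>\d+)\s+(?P<ratio>\d+)%\s+"
    r"(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<crc>[0-9a-fA-F]{8})\s+(?P<attr>\S+)\s+(?P<name>\S+)\s*$"
)

LISTING = """\
 1065  Implode    650   39%  10-04-89  12:26  9778978d  --w  READ-ME.NOW
38907  Implode  30156   23%  10-02-89  11:57  c333dec0  --w  NORTSHOT.EXE
-----          ------ -----                                  ------------
39972          30806   23%                                         2
"""


def parse_listing(text: str) -> list:
    """Return one dict per member row; separator and total lines do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"name": m["name"].upper(), "length": int(m["length"]),
                         "size": int(m["size"]), "crc": m["crc"].lower()})
    return rows


def flag_members(rows: list) -> list:
    """Return (name, strength) for suspicious members.

    'exact' means length, size and CRC all match the bulletin; 'name only'
    means a member called NORTSHOT.EXE whose figures differ (a repacked or
    modified copy, still worth isolating and reporting to CIAC).
    """
    flagged = []
    for r in rows:
        key = (r["name"], r["length"], r["size"], r["crc"])
        if key in KNOWN_MEMBERS:
            flagged.append((r["name"], "exact"))
        elif r["name"] == "NORTSHOT.EXE":
            flagged.append((r["name"], "name only"))
    return flagged


def has_banner(data: bytes) -> bool:
    """True if the quoted banner text appears anywhere in the file image."""
    return BANNER in data


def demo() -> dict:
    """Run both checks on the bulletin's listing and on constructed file images."""
    suspect_exe = b"MZ" + b"\x00" * 64 + BANNER + b", PD Edition 5.50" + b"\x00" * 16
    clean_exe = b"MZ" + b"\x00" * 96
    return {"flagged": flag_members(parse_listing(LISTING)),
            "suspect_has_banner": has_banner(suspect_exe),
            "clean_has_banner": has_banner(clean_exe)}


if __name__ == "__main__":
    print(demo())
```

The CRC in a PKUNZIP listing is the archive's own CRC-32 of the stored member, so a match on name, both sizes and CRC identifies the exact file the bulletin describes; a renamed archive (NORTSTOP.ZIP versus NORTSHOT.ZIP) still yields the same member rows, which is why the check works on the listing rather than on the archive name.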

Eradication

If you should discover this trojan horse, do not execute the file NORTSHOT.EXE. Please make a copy of the bogus .EXE and .ZIP files on a diskette before you do anything else. Eradicating the NORTSTOP.ZIP and NORTSHOT.ZIP trojan horse is straightforward; simply use your disk operating system to delete all files named NORTSHOT.EXE and the .ZIP file that created it. Please then send the diskette to CIAC at the address below as soon as possible.

Note

According to information provided to CIAC, this trojan horse is not found in the version of Norton Utilities sold in commercial software outlets. It is only found in versions of Norton Utilities available from public sources (e.g., bulletin boards).

NORTSTOP.ZIP and NORTSHOT.ZIP are not viruses. They will not replicate themselves and spread from machine to machine. Once you have removed this trojan horse, it can only be reintroduced by copying the files once again from public sources.


Information about the WDEF virus

CIAC Information Bulletin Number A-9: December 18, 1989, 1400 PST

Summary

A new Macintosh virus called WDEF is spreading rapidly. It is not necessary to run a program for the virus to spread. The WDEF virus is not programmed to damage a system, but due to software errors in this virus, it can cause serious problems such as system crashes, poor performance, and damage to disks. Disinfectant 1.5, VirusDetective and GateKeeper Aid V1.0 can be used to detect and eradicate this virus.

Critical WDEF Facts

Name: WDEF

Types: WDEF A, WDEF B

Platform: Apple Macintosh

Damage: No intentional damage, see symptoms.

Symptoms: The virus can cause:

Detection/Eradication: GateKeeper Aid, Disinfectant 1.5; others should be available in the next few weeks.

Introduction

A new form of computer virus called WDEF has been released into the Macintosh world. WDEF only infects the invisible "Desktop" files used by the Macintosh operating system's "Finder." WDEF does not infect applications, document files, or other system files. Unlike the other viruses, it does not at this time appear to spread through the sharing of applications, but rather through the sharing of diskettes. WDEF spreads from disk to disk very rapidly. It is not necessary to run a program for the virus to spread. WDEF has been in existence since mid-October of this year and has been found at many locations throughout the United States.

At this time there appear to be two strains of WDEF, WDEF A and WDEF B. These strains are similar except that WDEF B beeps every time it infects a new Desktop file.

Symptoms

The WDEF virus is not programmed to damage a system. However, due to errors in the virus code itself, it can cause serious problems. Below is a list of known symptoms:

Prevention

With AppleShare servers you do not need a Desktop. If you are comfortable using a software developers' package called ResEdit, you should remove the Desktop. You should also not allow the "make changes" privilege to the root directory on the server. This should eliminate any possibility of this virus spreading to an AppleShare server.

Detection

Packages which claim to detect WDEF are Disinfectant 1.5 and GateKeeper Aid V1.0 (to be used in conjunction with GateKeeper 1.11). Virus Detective 3.1 can also be used to find the WDEF virus. You will, however, have to add the search string: Creator=ERIK & Resource WDEF & Any

Disinfectant 1.3, Vaccine 1.0.1, GateKeeper 1.1.1, Symantec's SAM Intercept 1.10, and HJC's Virex INIT 1.12 do not detect WDEF, although new versions of many of these products which claim to be able to detect WDEF are rapidly being developed. Please also note that Disinfectant 1.4 detects only one strain of the WDEF virus.

Eradication

Disinfectant 1.5 should be used to eradicate WDEF. When using Disinfectant to repair WDEF infections, you must use Finder instead of MultiFinder. Otherwise Disinfectant cannot write to the normally 'Busy' Desktop file. If you prefer not to use Disinfectant 1.5, CIAC can advise you of alternate eradication procedures using ResEdit.


Information about the PC CYBORG (AIDS) trojan horse

CIAC Information Bulletin Number A-10: December 19, 1989, 1600 PST

There recently has been considerable attention in the news media about a new trojan horse which advertises that it provides information on the AIDS virus to users of IBM PC computers and PC clones. Once it enters a system, the trojan horse replaces AUTOEXEC.BAT, and may count the number of times the infected system has booted until a criterion number (90) is reached. At this point PC CYBORG hides directories and scrambles (encrypts) the names of all files on drive C:. There exists more than one version of this trojan horse, and at least one version does not wait to damage drive C:, but will hide directories and scramble file names upon the first boot after the trojan horse is installed.

At first PC CYBORG was distributed only in Europe, although several PC CYBORG infections have recently been reported in the U.S. No DOE site has been affected yet, and the probability of a widespread infection of this trojan horse throughout DOE is extremely small. This trojan horse is introduced into systems through a disk called the AIDS Information Introductory Diskette, which has been mailed to a mailing list which the author(s) of this trojan horse obtained. PC CYBORG is a trojan horse, not a virus, and thus is limited in ability to spread. This information bulletin is being distributed in response to questions raised because of the considerable media attention the trojan horse has received, more than because of a genuine threat to systems.

If you receive a disk in the mail which purports to provide information on AIDS, do not load the disk into your computer. Please save the disk, and contact CIAC immediately. If you have already run this disk, please also call CIAC as soon as possible. It is important to leave your PC on if it is currently on, or leave it off if it is currently off. Failure to do so may result in loss of your data, or make recovery more difficult. CIAC has developed recovery procedures, which are too lengthy to publish in this bulletin.


Virus Information Update

CIAC Information Bulletin Number A-15

CIAC information bulletin A-15 describes vulnerabilities within Apple MACs. Please contact CIAC for further information.

Note: This bulletin has been superseded by CIAC Bulletin B-16.


Eradicating WDEF using Disinfectant 1.5 or 1.6

CIAC Information Bulletin Number A-17: February 2, 1990, 1400 PST

CIAC Information Bulletin A-9 reported the existence of the WDEF virus on Macintosh computers. The purpose of this bulletin is to provide additional information about eradicating this virus.

Disinfectant 1.5 and the most recent version, Disinfectant 1.6, are capable of detecting and eradicating WDEF, but are not designed to prevent the spread of WDEF during its execution. If an infected disk is inserted into the Macintosh while Disinfectant is running (for the purposes of eradicating WDEF), WDEF will infect ANY OTHER UNLOCKED MOUNTED VOLUMES. If Disinfectant is to be used to eradicate a WDEF infection, CIAC recommends the following procedure:

  1. Prepare a system disk using LOCKED originals. Use the instructions provided with the Macintosh documentation if you require assistance in preparing this system disk. If possible, you should not use your hard disk to prepare this system disk. Copy Disinfectant version 1.5 or version 1.6 to this disk. Lock the disk and shut down the system.
  2. Reboot the Macintosh using the prepared system disk. Launch Disinfectant off the floppy and use the SCAN function to check your hard disk for the WDEF virus. If found, use the DISINFECT function to remove WDEF from your hard disk. Quit Disinfectant.
  3. Reboot the Macintosh using this prepared system disk. You should drag any hard disks that automatically appear on the desktop to trash to unmount them. Launch the copy of Disinfectant on the system disk. Use the SCAN facility of Disinfectant to verify that WDEF has not infected the system disk. If it has, you will have to eject the system disk, unlock it, and insert it again. Use the DISINFECT function of Disinfectant to eradicate WDEF. Next, you should eject the system disk and lock it again. Reinsert the system disk.
  4. Use Disinfectant to scan ALL of your floppy disks. WDEF will infect both system and non-system disks; to completely eradicate WDEF you will have to disinfect all of your disks (including backup disks). DO NOT USE YOUR HARD DRIVE DURING THIS PROCEDURE.
  5. Once all of your floppy disks are disinfected, reboot your system using the locked system disk. Now run Disinfectant and disinfect your hard disk. Once WDEF has been eradicated from all floppies and your hard disk, the eradication procedure is complete.

The most recent versions of other tools such as SAM, VIREX, GATEKEEPER, and GATEKEEPER AID may also be used to eradicate or prevent the spread of the WDEF virus. If you have questions concerning these tools, contact CIAC for assistance.


The Twelve Tricks Trojan Horse

CIAC Information Bulletin Number A-20: March 8, 1990, 1300 PST

Summary

CIAC has been informed of a possible new trojan horse called the Twelve Tricks Trojan Horse. The intention of this bulletin is to rapidly inform the DOE community about this possible threat and to help eliminate confusion and false rumors. However, CIAC has been able neither to obtain a copy of this trojan horse, nor to confirm the information received to date. This trojan horse affects computers running the MS DOS operating system or common variants (IBM PC-DOS etc.). It can produce a variety of disruptions and/or damage as described below.

Critical Facts about Twelve Tricks Trojan Horse

Name: Twelve Tricks Trojan

Types: Only one known variant: CORETEST.COM VERSION 2.6, 32469 bytes, timestamp 6-6-86 9:44

Platform: IBM PC and PC clones running MS DOS or IBM-PC DOS

Damage: Varies from slow program execution to low level formatting of disk

Symptoms: A variety of disruptions and/or damage, based on a random number between one and twelve. Affects system performance, writing to screen, clock, printer and/or keyboard malfunctions, random disk writes, garbled printer output, boot sector, File Allocation Table (FAT) or directory overwrites, and a low level format of select tracks on the hard disk. Other symptoms include the floppy disk motor continuously running, FAT, directory and/or boot sector damaged diskettes.

Detection: Examine the Master Boot Record (MBR) for the message:

    SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC

    2840 St. Thomas Expwy, Suite 201

    Santa Clara, CA 95051

(see important note below) or search the MBR and memory for the following hex string:

    e4 61 8a e0 0c 80 e6 61

If you suspect a program, you can use the search string:

    64 02 31 94 42 01 d1 c2 4e 79 f7

Caution: These search strings are based on the trojan program examined by the discoverer. If there are modifications to this program, the above search strings may not work.

Eradication: Remove the trojan program by deleting it. To recover from a corrupt MBR, back up current data files and programs, perform a low level format and restore data files and programs from a recent backup.

CIAC has been alerted that there may be a new trojan horse called the Twelve Tricks Trojan Horse. CIAC has not been able to obtain a copy of this program, and cannot at this time confirm the information contained in this bulletin. This trojan program affects computers running the MS DOS operating system or common variants (IBM PC-DOS etc.). It can produce a variety of disruptions and/or damage, including a slowdown of system performance, blanking or jerky motion in the scrolling window, clock, printer and/or keyboard malfunctions, random disk writes, garbled printer output, boot sector, File Allocation Table (FAT) or directory overwrites, and a low level format of select tracks on the hard disk. Other symptoms include the floppy disk motor continuously running, FAT, directory and/or boot sector damaged diskettes. The particular damage which occurs depends on a random number between 1 and 12 that the trojan program generates.

Detection

Detecting this trojan horse is straightforward. Using Debug or a similar utility, inspect your machine's hard disk at cylinder zero, head zero, sector one. If this trojan horse has infected your machine, the following will be displayed near the start of the master boot record:

    SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC
    2840 St. Thomas Expwy, Suite 201
    Santa Clara, CA 95051

Important Note: There is absolutely no evidence to link the origin of this trojan horse to any company or organization, such as the one mentioned above. The motivation of the author of this trojan horse to mention the company listed above is currently unknown.

There are several additional ways to detect the trojan. The following hexadecimal string can be found in the MBR of infected machines:

    e4 61 e0 0c 80 e6 61

The above string can also be found at location 0:38b in memory if you have booted from a corrupted MBR. You can use Debug as a search tool.

A useful search string to detect the source program (containing the trojan horse) is

    be 64 02 31 94 42 01 d1 c2 4e 79 f7
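The detection steps in this section and in the Critical Facts above amount to three byte-pattern searches over a 512-byte sector and over a suspect program file. The following is an added example, not CIAC's tooling or the discoverer's: it takes a copy of cylinder 0, head 0, sector 1 (as read with Debug, a sector editor, or a dd-style disk image) and reports which of the bulletin's indicators it contains. Because the Summary and the body print the MBR byte string differently (with and without `8a`) and the program string with and without a leading `be`, both forms of each are searched. The partition-table decoder and the sample sectors are constructed additions.

```python
"""Offline scan of a master boot record image for the Twelve Tricks indicators.

Added example, not CIAC's tooling: checks a 512-byte sector for the SOFTLOK+
text and the hex byte string the bulletin lists for the MBR, checks a program
image for the source-program byte string, and decodes the partition table so
a replaced MBR can be compared with a known-good copy.  Sample sectors are
constructed.
"""
import struct

SECTOR_SIZE = 512
TEXT_MARKER = b"SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC"
# Byte strings quoted in the bulletin; both printed forms are searched.
MBR_SIGNATURES = {
    "mbr-bytes (summary form)": bytes.fromhex("e4 61 8a e0 0c 80 e6 61"),
    "mbr-bytes (body form)": bytes.fromhex("e4 61 e0 0c 80 e6 61"),
}
PROGRAM_SIGNATURES = {
    "program-bytes (body form)": bytes.fromhex("be 64 02 31 94 42 01 d1 c2 4e 79 f7"),
    "program-bytes (summary form)": bytes.fromhex("64 02 31 94 42 01 d1 c2 4e 79 f7"),
}


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte entries at offset 446 as (status, type, lba_start, sector_count)."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:
            entries.append((status, ptype, lba, count))
    return entries


def scan_mbr(sector: bytes) -> dict:
    """Report indicator hits for one sector.  The text search is case-insensitive
    because the bulletin and the appended message spell the marker differently."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d" % (SECTOR_SIZE, len(sector)))
    return {
        "valid_signature": sector[510:512] == b"\x55\xaa",
        "text_marker_offset": sector.upper().find(TEXT_MARKER),  # -1 if absent
        "byte_signatures": [n for n, sig in MBR_SIGNATURES.items() if sig in sector],
        "partitions": parse_partition_table(sector),
    }


def scan_program(data: bytes) -> list:
    """Names of the program-file byte strings present in a suspect executable image."""
    return [n for n, sig in PROGRAM_SIGNATURES.items() if sig in data]


def make_sample_mbr(infected: bool) -> bytes:
    """Constructed sector: a jump stub, one FAT16 partition entry and the 55 AA
    signature, with the bulletin's marker text and byte string planted when
    infected=True so the scanner can be exercised without a real sample."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xeb\x3c\x90"
    if infected:
        sec[16:16 + len(TEXT_MARKER)] = TEXT_MARKER
        sig = MBR_SIGNATURES["mbr-bytes (summary form)"]
        sec[0x80:0x80 + len(sig)] = sig
    # status 0x80 (bootable), type 0x06 (FAT16), LBA start 17, 40000 sectors: constructed values
    sec[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x4f", 17, 40000)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


if __name__ == "__main__":
    for label, infected in (("clean", False), ("infected", True)):
        print(label, scan_mbr(make_sample_mbr(infected)))
```

A sector that fails the `55 AA` check or whose partition entries differ from the copy you recorded when the machine was set up is worth a closer look even when none of the byte strings match, since the bulletin's caution is that a modified trojan may not carry these exact strings.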

Eradication

Trojan programs can be removed by simply deleting them. To recover from a corrupt MBR, back up current data files and programs, perform a low level format and restore data files and programs. Note: FDISK will erase other directory information as well as replace the MBR. Thus, we recommend that you do not use FDISK alone to eradicate the trojan unless you are prepared to lose directory information from other partitions. Because the file system may be corrupted, CIAC recommends a full backup, low level format, and recovery.

Trojan programs can be removed by simply deleting them. If you find the string above in the MBR or in memory at 0:38b, you need to boot from a clean DOS diskette and replace the partition record. DO NOT use FDISK to do this unless you are prepared for FDISK to zero your FAT and directory; you will lose all your data that way. One way would be to do a file-by-file backup, a low-level format to get rid of the trojan MBR, then FDISK and FORMAT, and restore your data files and programs from your backup.

Additional Information

There is currently no evidence that anything similar to the Twelve Tricks Trojan has affected any machines in the United States. It is possible, however, that there will be attempts to introduce this malicious code in the United States. (This trojan horse is not self-replicating, and cannot spread the way viruses do.) In particular CIAC urges you to carefully check any software distributed through trade shows, U.S. mail, or electronic bulletin boards, and to use only licensed copies of software. Please contact CIAC if you become aware of any machines infected by this malicious code.

Appended message

Excerpt from a message from Dr. Alan Solomon posted to virus-l.

We have recently received and analyzed a trojan that we believe warrants an urgent alert. We are calling it the Twelve Tricks trojan, and it is very interesting, very nasty, and quite complex. This message is not meant to be a complete description of the trojan - we feel that it is important to get a warning out quickly, rather than aim for completeness. It is not a virus.

The trojan consists of a program (more about this aspect later) which you run; running the program, as well as the obvious things that the program is expected to do, also replaces the partition record (also called the Master Boot Record, or MBR) on your hard disk with its own version. This can easily be recognized by inspecting the hard disk at cylinder zero, head zero, sector one, which can be done with a disk sector editor such as Peeka. If the partition has this trojan in place, it will contain the following text near the beginning:

    SOFTLoK+ V3.0 SOFTGUARD SYSTEMS INC

    2840 St. Thomas Expwy, Suite 201

    Santa Clara, CA 95051 (408) 970-9420

At this point, let us state that we believe that the company mentioned above has nothing whatsoever to do with the trojan; perhaps the trojan author has a grudge against them.

The trojan uses a far call to the hard disk Bios code in order to plant this partition. To do this, it must know the location in memory of the entry point; it tries five different ones, one of which is the one documented in the IBM PC-XT Technical reference manual, and the other four are presumably fairly common alternatives.

The purpose of planting the trojan with a far call is, we believe, to escape detection by Active Monitor programs that protect a computer by monitoring the interrupt table, and preventing unauthorized writes to system areas on the hard disk. Since the Twelve Tricks doesn't use an interrupt to plant the MBR, such programs won't be able to prevent it. We tested this using Flushot+, probably the most successful of the Active Monitors, and Twelve Tricks went straight through it - the same would be true, we think, of any other Active Monitor.

The Replacement MBR

When the MBR is run, which is every time you boot from the hard disk, Twelve Tricks copies 205 (d7h) bytes of itself onto locations 0:3000h to 0:3d6h. This overwrites part of the interrupt vector table, but it is a part that doesn't get used very much. This means that these d7h bytes are memory resident without having to use any of the TSR calls of Dos, and without having to reserve part of high memory. Reserving part of high memory is the usual ploy used by Boot Sector Viruses, but the drawback of that route is that you might notice that a few kb from your 640 kb has disappeared (CHKDSK would reveal this). The method used by Twelve Tricks would not show up as a loss from your 640 kb.

When the computer is started up, a random number generator determines which of the Twelve Tricks will be installed. It does the installation by replacing one of the interrupt vectors with a vector that points to the Twelve Tricks' own code, and then chains on to the original code. The twelve tricks are:

  1. Insert a random delay loop in the timer tick, so that 18.2 times per second, the computer executes a loop that is randomly between 1 and 65536 long (different each time it is executed). This slows the machine down, and makes it work rather jerkily.
  2. Insert an End-of-Interrupt in the timer tick. This interferes with the servicing of hardware interrupts, so for example, the clock is stopped, TSRs that depend on the timer tick don't work, and the floppy motor is permanently on.
  3. Every time a key is pressed or released, the timer tick count is incremented by a random number between 0 and 65535. This has a variety of effects; programs sometimes won't run, when you type "TIME" you get "Current time is divide overflow", and copying files sometimes doesn't work.
  4. Every time interrupt 0dh is executed, only do the routine three times out of four. Interrupt 0dh is used on PCs and XTs for the fixed disk, on ATs for the parallel port.
  5. Every time interrupt 0eh is executed, only do the routine three times out of four. Interrupt 0eh is used for the floppy disk.
  6. Every time interrupt 10h is called (this is the video routine), insert a delay loop that is randomly between 1 and 65536 long (different each time it is executed). This slows the video down, and makes it work rather jerkily and/or slowly.
  7. Every time the video routine to scroll up is called, instead of the requested number of lines being scrolled, the entire scrolling window is blanked.
  8. Every time a request is made to the diskette handler, it is converted into a write request. This means that the first time you try to read or write to a diskette, whatever happens to be in the buffer will be written to the diskette, and will probably overwrite the boot sector, FAT or directory, as these must be read before anything else can be done. If you try to read a write protected diskette, you get "Write protect error reading drive A.". If you do a DIR of a write enabled diskette, you get "General Failure...", and if you inspect the diskette using a sector editor, you'll find that the boot and FAT have been zeroed or over-written.
  9. Every time interrupt 16h is called (READ THE KEYBOARD) the keyboard flags (Caps lock, Num lock, shift states etc) are set randomly before the keystroke is returned. This means that at the Dos prompt, the keyboard will only work occasionally. Programs that poll interrupt 16h will be unusable. Holding down the Del key will trigger a Ctrl-Alt-Del.
  10. Everything that goes to the printer is garbled by xoring it with a byte from the timer tick count.
  11. Every letter that is sent to the printer has its case reversed by xoring it with 20h. Also, non-alpha characters are xored, so a space becomes a null, and line feeds don't feed lines.
  12. Whenever the Time-of-Day interrupt (1ah) is executed, do an End-of-Interrupt instead. This means that you can't set the system clock, and the time is set permanently to one value.
These are the twelve tricks. In addition there are two more things that the trojan does. It uses a random number generator; one time out of 4096, it does a low level format of the track that contains the active boot sector; this will also destroy part of the first copy of the FAT. You can recover from this by creating a new boot sector, and copying the second copy of the FAT back over the first copy. After it does the format, it will display the message "SOFTLoK+ " etc. as above, and hang the computer.

If it doesn't do the format, it makes a random change to a random word in one of the first 16 sectors of the FAT, which will make a slight and increasing corruption in the file system. This is perhaps the worst of the things that it does, as it will cause an increasing corruption of the files on the disk.

The Dropper program

The program that drops the trojan was, in the specimen that we analyzed, a hacked version of CORETEST, a program to benchmark hard disk performance. The file is CORETEST.COM, it is version 2.6, (dated 1986 in the copyright message) had a length of 32469 bytes, and it was timestamped 6-6-86, 9:44. When we looked in more detail at this program, we found some interesting things.

It looks as if the original CORETEST program was an EXE file, and the trojan author prepended his code to it. This code consists of some relocation stuff, then a decryptor, to decrypt the following 246h bytes. The decryption is a double xor with a changing byte. Those 246h bytes, when run, examine the memory to try to find one of five sets of hard disk handler code (presumably corresponding to five Bioses). When it finds one of them, (we have identified the first one as being the IBM XT Bios) it plants the trojan MBR in place, using a far call to the Bios code. The trojan MBR is 200h of the 246h bytes. The trojan is patched so that it also does disk accesses using a far call to the same location. Finally, the prepended trojan passes control to the original program. We call the combination of the prepended code, plus the original program, the Dropper.

The main purpose of the encryption, we would guess, is to evade detection by programs that check code for bombs and trojans. There are no suspicious strings or interrupt calls in the code until it is decrypted at run time.

As far as we can tell, it is not a virus, but a trojan. However, it is unlikely that all the patching to the original program was done by hand - it is far more likely that the trojan author wrote a prepender program (we would call this the Prepender), to automatically attach his code to the target executable. If this is the case, then there are two consequences. The first is that he might have trojanized other programs besides the one that we have examined. In other words, there might be other Droppers around besides the one we have examined. The second is that if that is the case, we cannot rely on the encryption having the same seed each time, as the Prepender might change the seed each time it operates. So it would be unsafe to assume we can use a search string based on the decryptor.

Indeed, a further possibility exists. The Prepender program might have been placed into circulation, and people running it would unwittingly be creating additional Droppers. There is absolutely no evidence to suggest that that is actually the case, but we would ask anyone who detects this Dropper in one of their files, to also examine all the others.

Detection

Here's a variety of ways to detect the trojan. The hexadecimal string e4 61 e0 0c 80 e6 61 is to be found in the MBR. This string will also be found in memory if you have booted from a trojanized MBR, at location 0:38b. You can use Debug to search in memory.

A useful search string to detect the Dropper is

    be 64 02 31 94 42 01 d1 c2 4e 79 f7

Getting rid of it

It's easy to get rid of Droppers; just delete them and replace them with a clean copy. If you find the string above in the MBR or in memory at 0:38b, you need to boot from a clean Dos diskette and replace the partition record. DO NOT use Fdisk to do this unless you are prepared for Fdisk to zero your FAT and directory; you will lose all your data that way. One way would be to do a file-by-file backup, low-level format to get rid of the trojan MBR, then Fdisk Format and restore your backup. We would recommend doing two backups using as different methods as possible if you use this route, in case one of them fails to restore.

The other way to replace the partition is to run a program that drops a clean partition record onto the MBR, but doesn't change the partitioning data. We are currently preparing one of these - please ask if you need it.

Damage done

The whole of the MBR is used for the code. Most normal MBRs don't use more than half the space, and a number of other programs have started using this space. For example Disk Manager, and the Western Digital WDXT-Gen controllers (but the Dropper doesn't work on the WDXT-Gen). This means that the Dropper might cause an immediate problem in some circumstances.

The main damage done, however, will be in the impression that this trojan creates that your hardware is suffering from a variety of faults, which usually go away when you reboot (only to be replaced by other faults). Also, the FAT gets progressively corrupted.
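
The search strings quoted in the appended message above (the seven-byte pattern found in the trojan MBR and in memory, the twelve-byte pattern found in the Dropper, and the SOFTLoK+ text near the start of the partition record) can be checked mechanically rather than by eye in a sector editor. The following is an added example, not code from CIAC or from Dr. Solomon: the sector and program images it scans are constructed for illustration, and the offsets at which the patterns are placed in them are arbitrary. A 512-byte sector read from cylinder 0, head 0, sector 1, or a memory dump saved with Debug, can be passed to the same functions.

```python
"""Signature scan for the Twelve Tricks trojan MBR and its Dropper.

Added example. The byte patterns are the ones quoted in the bulletin;
the sample sector and program images are constructed and are not real
disk images or real programs.
"""

# Search strings given in the bulletin (hex bytes).
MBR_SIGNATURE = bytes.fromhex("e4 61 e0 0c 80 e6 61")
DROPPER_SIGNATURE = bytes.fromhex("be 64 02 31 94 42 01 d1 c2 4e 79 f7")
# Text the bulletin says appears near the beginning of the trojanized MBR.
SOFTLOK_TEXT = b"SOFTLoK+ V3.0 SOFTGUARD SYSTEMS INC"

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of any valid boot record


def find_all(haystack: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in haystack (overlaps allowed)."""
    offsets, start = [], 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan_mbr(sector: bytes) -> dict:
    """Check one 512-byte partition record for the indicators in the bulletin."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d" % (SECTOR_SIZE, len(sector)))
    return {
        # True for a clean and for a trojanized MBR alike; it only says this is a boot record.
        "bootable": sector[-2:] == BOOT_SIGNATURE,
        "softlok_text": find_all(sector, SOFTLOK_TEXT),
        "code_signature": find_all(sector, MBR_SIGNATURE),
    }


def is_trojanized(sector: bytes) -> bool:
    """Either indicator is enough to warrant replacing the partition record."""
    result = scan_mbr(sector)
    return bool(result["code_signature"]) or bool(result["softlok_text"])


def scan_dropper(image: bytes) -> list:
    """Offsets of the Dropper search string in a program image (a .COM file, say)."""
    return find_all(image, DROPPER_SIGNATURE)


def constructed_clean_mbr() -> bytes:
    """Constructed stand-in for an uninfected partition record (zeros plus 55 AA)."""
    return b"\x00" * (SECTOR_SIZE - 2) + BOOT_SIGNATURE


def constructed_trojan_mbr() -> bytes:
    """Constructed stand-in: clean sector with both indicators written at arbitrary offsets."""
    sector = bytearray(constructed_clean_mbr())
    sector[0x10:0x10 + len(SOFTLOK_TEXT)] = SOFTLOK_TEXT
    sector[0x80:0x80 + len(MBR_SIGNATURE)] = MBR_SIGNATURE
    return bytes(sector)


def constructed_dropper() -> bytes:
    """Constructed stand-in for a program image carrying the Dropper string."""
    return b"\xe9\x00\x00" + b"\x90" * 64 + DROPPER_SIGNATURE + b"\x90" * 64


if __name__ == "__main__":
    for label, sector in (("clean", constructed_clean_mbr()), ("trojan", constructed_trojan_mbr())):
        print(label, scan_mbr(sector), "trojanized:", is_trojanized(sector))
    print("dropper string at", scan_dropper(constructed_dropper()))
```

The 55 AA check is included only to tell a sector that is not a boot record at all from one that is; a trojanized MBR still carries it, so the presence of the search strings, not the absence of 55 AA, is the indicator. As the message warns, a different Prepender seed could change the decryptor bytes, so a miss on the Dropper string does not clear a file; the MBR and memory checks do not depend on that seed.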


The MDEF or Garfield Virus on Macintosh Computers

CIAC Information Bulletin Number A-25: May 23, 1990, 1000 PST

Summary

A new Macintosh virus called MDEF or the Garfield virus is spreading rapidly. This virus is not a variant of the WDEF virus, and should not be confused with WDEF. The MDEF virus spreads through system and application files, and may cause serious damage to the menu system. Disinfectant 1.8, GateKeeper, and Virus Detective DA are effective against this virus, but Vaccine can cause undesirable side effects.

Name: MDEF

Types: Only one known variant

Platform: Apple Macintosh models 128K and 512K, 512KE, Mac Plus, SE, SE/30, II, IIx, IIcx, IIci and IIfx.

Damage: Possible removal of system menus.

Symptoms: The virus can cause:

Detection/Eradication: Disinfectant 1.8, GateKeeper, Virus Detective DA; others should be available shortly.

Introduction

CIAC has learned of a new Macintosh virus called the MDEF or Garfield virus. Although its name is similar to WDEF, MDEF is an entirely different virus. Currently, the MDEF virus is known to infect the Macintosh 128K and 512K, 512KE, Mac Plus, SE, SE/30, II, IIx, IIcx, IIci and IIfx. This virus will not spread from 128K or 512K Macintoshes, but will cause these models to crash.

MDEF actually refers to one of the resources on Macintosh computers. The MDEF virus is so named because this virus infects the MDEF resources. If you attempt to detect the MDEF virus using ResEdit or a similar tool and discover the MDEF resources, this does not indicate that your computer is infected by the MDEF virus.

Symptoms

Preliminary indications are that after performing a currently unspecified set of actions, the virus will remove itself from the system along with the code to control the menu system. This will result in the loss of all menus generated by the system. Regardless of the particular model of Macintosh computer subject to infections by the MDEF virus, this virus infects the system file and applications. Typically, the finder and DA handler also become infected. However, neither the desktop nor the document files become infected. The MDEF virus infects the system file when an infected application is run, and infects other applications when they are executed on an infected system. On the Macintosh IIci and IIfx, the MDEF virus spreads from infected applications to uninfected system files, but does not propagate from infected systems to uninfected applications.

Detection and Eradication

Disinfectant 1.8 has recently been released to detect and eradicate the MDEF virus. GateKeeper also prevents the MDEF virus from infecting the system file. To use the Virus Detective DA, add the following search strings:

    Resource MDEF & Name "Garfield"
    Resource MDEF & ID = 5378

Caution: CIAC has been advised that the use of Vaccine may have an undesirable side effect. Vaccine will inform the user that the system file has been infected, but is only partially effective in preventing this virus from infecting the system file! The system file will be damaged as a result of running Vaccine when an application containing the MDEF virus is executed.


A New Macintosh Trojan Horse Threat--STEROID

CIAC Information Bulletin Number A-26: June 7, 1990, 1100 PST

Name: Steroid trojan horse

Types: Only one known variant

Platform: Apple Macintosh computers

Damage: Erases all mounted disks

Symptoms: Can be identified by:

Detection/Eradication: Examine system folder; if Steroid is there, save a copy and then drag the icon to the trash folder and empty trash.

Critical Steroid Facts

A Macintosh trojan horse called "Steroid" has been discovered. The purported purpose of Steroid is to make QuickDraw run faster on computers with 9 inch screens. Steroid is actually an INIT that contains malicious code to check for the system date and to erase all mounted disks if this date is July 1, 1990 or afterwards. (Note: earlier reports indicated that June 6, 1990 is the trigger date, but the sources of these reports now claim that July 1 is the trigger date.)

Steroid is a trojan horse, not a virus, and thus is limited in its ability to spread. This trojan horse is nevertheless a genuine threat, because it is being posted to electronic bulletin boards and has already been downloaded by unsuspecting users on the West Coast. If you use a bulletin board, make sure that you do not download any software claiming to improve QuickDraw performance or related in any way to "Steroid." Since "Steroid" is an INIT, you would have had to put it in your system folder to have this trojan horse. If you are unsure whether you have installed "Steroid," look in your system folder for start-up documents with the name "Steroid" or "Quickdraw Accelerator." Another detection method is to use ResEdit; look for documents in the system folder with the Creator "QDAC," Type "INIT," a code size of 1080 and a data size of 267.

If your Macintosh computer contains this INIT, please make a copy on a floppy before you do anything else and send that copy to CIAC at your earliest convenience. Then drag the Steroid INIT to the trash icon and empty the trash. If you unknowingly have used Steroid before July 1, 1990, no damage appears possible at this time. It is important, however, to determine if you have shared Steroid with anyone else, and, if so, to notify them of the information in this bulletin. If you use Steroid on or after July 1, 1990, CIAC has been advised that you can recover if you use the SUM II Disk Clinic tool to restore erased files. Do not use the machine until you have recovered the files using SUM. CIAC can provide more detailed procedures in this case.

The following is an excerpt from a bulletin board posting by Apple:

    So far, we know that the code does the following:

    OPERATIONS AT RESTART:
    ----------------------
     DATE & TIME CHECK (Loop)
     SYSENVIRONS CHECK
     GETS VOLUME INFORMATION (probably checking for HFS)
     GETS SOME ADDRESSES (Toolbox traps)
     DOES SOME HFS DISPATCH OPERATIONS
     VOLUME IS REINITIALIZED to "Untitled"

    INFORMATION:
    ------------
    TYPE:      INIT
    CREATOR:   qdac
    CODE SIZE: 1080
    DATA SIZE: 267
    ID:        148
    Name:      QuickDraw Accelerator
    File Name: "  Steroid" (First 2 characters are ASCII 1)

    WHAT TO DO:
    -----------
    If your disk becomes erased, you can use SUM II Disk Clinic to recover the
    deleted files.  We have tried this and it seems to work.

    IF YOU HAVE STEROID ON YOUR SYSTEM, DISABLE IT IMMEDIATELY.


The Disk Killer (Ogre) Virus on MS DOS Computers

CIAC Information Bulletin Number A-27: June 28, 1990, 1000 PST

Name: Disk Killer virus (also known as the Ogre virus)

Types: Only one known variant

Platform: MS DOS computers

Damage: Overwrites mounted disks

Symptoms: Writes "COMPUTER OGRE 04/01/89" on screen and overwrites disk

Detection/Eradication: VIRALERT, VIRHUNT, RESSCAN, CodeSafe, CleanUp, F-Prot, IBM Scan, Pro-Scan, and others (contact CIAC for information about these products)

Critical Disk Killer Facts

The Disk Killer virus is a destructive virus affecting MS DOS computers. This virus infects the boot sector, then hides itself by marking unused blocks on floppy or hard disks as bad. After remaining dormant for approximately 48 hours of operation (not calendar) time after the initial infection, Disk Killer executes upon the first boot or reboot after this period. Upon execution, this virus displays the following message:

    Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89

    Warning!!

    Don't turn off the power or remove the diskette while Disk Killer
    is Processing!

Next, the word "PROCESSING" will be displayed, followed by this message:

    Now you can turn off the power.  I wish you Luck!

Disk Killer overwrites the boot sector, then the file allocation table (FAT), then the directory randomly with blocks of a single character.

The proper procedure depends upon when you detect Disk Killer:

  1. If your machine is infected before it executes and you detect this virus through a scan package (such as CodeSafe, RESSCAN, VIRHUNT, or IBM Scan)---TURN YOUR MACHINE OFF. Then use a write-protected bootable floppy disk to boot your system; otherwise, you will have Disk Killer in memory, causing re-infection. Remove Disk Killer by installing and executing a PC virus eradication package such as VIRHUNT.
  2. If the message shown above appears on your computer's screen, Disk Killer has already executed---LEAVE YOUR MACHINE ON AND ALLOW THIS VIRUS TO EXECUTE WITHOUT INTERRUPTION (i.e., until "Now you can turn off the power..." is displayed). It is true that Disk Killer will overwrite your disk, but don't worry---you can restore all data and files from your disk (floppy or hard disk) using a recovery package such as UNKILL. Reboot from a write-protected master floppy, and remove the virus using virus eradication software.
Regardless of which particular procedure (1 or 2) you use, be sure to scan any disks (in particular, bootable floppies) before resuming normal activity with your computer.

Note: Because this virus modifies every byte in every sector on your disk, Norton Utilities is not a feasible means of recovering from the Disk Killer virus. Note also that a considerable amount of incorrect information about responding to Disk Killer has already been distributed. If you follow this incorrect information, which advises you to turn your machine off as soon as Disk Killer begins to execute, it is extremely likely that you will not be able to fully recover from this virus.

Additional Note: The CIAC team first became aware of this virus early last Fall. At that time, however, we chose to briefly describe this virus in the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15, rather than to issue a separate bulletin; infections at that time appeared to be limited to MS DOS computers equipped with hard disks made by a particular manufacturer in Taiwan.


The Stoned (Marijuana or New Zealand) Virus on MS DOS Computers

CIAC Information Bulletin Number A-28: July 12, 1990, 1200 PST

Name: Stoned virus (also known as the Marijuana or New Zealand virus)

Types: At least four known variants

Platform: MS DOS computers

Damage: Not deliberately destructive--however, this virus overwrites some of the boot sector/master boot record on infected disks (see text)

Symptoms: May write "Your computer is now stoned. Legalize marijuana" or similar message on screen (one variant has this message removed); may create hard disk errors or the inability to boot

Detection: VIRALERT, VIRHUNT, RESSCAN, CodeSafe, F-PROT, IBM Scan

Eradication: VIRHUNT, RESSCAN, CodeSafe, CleanUp, F-PROT and others (contact CIAC for information about these products)

Critical Stoned Virus Facts

The Stoned (Marijuana or New Zealand) virus is now one of the most common viruses among MS-DOS systems. The Stoned virus infects the boot sector/master boot record of floppy and hard disks. Once resident in memory, this virus may display a message similar to the following:

    Your computer is now stoned.  Legalize marijuana.

Although the Stoned virus apparently was not programmed to do damage, this virus can nevertheless damage a system. The Stoned virus may overwrite parts of infected disks that contain directory information or portions of user data files, specifically the boot sector of floppy disks along with Head 0, Track 0, Sector 3 on a diskette or the master boot record and Head 0, Track 0, Sector 7 on hard disks. If hard disks have last been partitioned under DOS 2, this virus overwrites portions of the File Allocation Table (FAT) as well. The result is overwriting of data files and indications of disk errors by CHKDSK. Variants of the Stoned virus produce slightly different effects: You can detect the Stoned virus with a variety of scan packages such as VIRALERT, VIRHUNT, RESSCAN, CodeSafe, F-PROT, IBM Scan. You can eradicate this virus by using packages such as VIRHUNT, RESSCAN, CodeSafe, CleanUp, F-PROT. If you cannot obtain a virus removal utility, we suggest you back up your applications and data from your hard disk, and then low-level format the disk to ensure that the master boot record is removed. Boot from a clean, write-protected operating system disk, restore your system, and then restore the application and data files.

After you have cleaned your system, either with an eradication product or by formatting the drive, scan again using a virus detection utility to ensure that the virus is not present. To ensure that your system does not immediately become re-infected, be sure to scan all of your floppy disks for the virus as well. To clean floppies you may use one of the suggested products, or you may format new floppies on a clean system, then use the "copy" command to copy files from the infected floppies to the clean ones. Format the infected floppies to reuse them.

The Stoned virus typically spreads wherever floppy disks are shared. Infections can be easily prevented by adopting sound protection procedures. The Stoned virus infects hard disks when a PC is booted from an infected floppy. This virus does not infect applications, however. If you must boot from a floppy disk, ensure with a virus scan package that this disk is not infected, and write-protect this disk. This will prevent your boot disk from becoming infected. (Warning: under some circumstances the Stoned-infected floppy disk can infect a machine even if the computer does not have a bootable operating system on it.)

Additional Note: Basic information about the Stoned virus has been available through the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15 since the beginning of this year.

The assistance of Ken Van Wyk and Dave Chess is gratefully acknowledged.


The 4096 (4k, Stealth, IDF, etc.) Virus on MS DOS Computers

CIAC Information Bulletin Number A-29: July 18, 1990, 1200 PST

Name: 4096 virus (also known as the 4k, Stealth, IDF--Israel Defense Forces, 100 years, Century, and Frodo virus)

Types: Two known versions (also see note 1 about Fish virus)

Platform: MS-DOS computers running DOS 3.x or 4.x; does not appear to infect files in DOS 2.x

Damage: Can damage files by destructive cross-linking

Symptoms: May slow system performance somewhat; may cause the system to crash/hang, or may create hard disk errors; may write "FRODO LIVES" on screen on or after September 22, 1990 (one variant only)

Detection: VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, IBM Scan, FPROT

Eradication: VIRHUNT, CodeSafe, FPROT, and others (contact CIAC for information about these products)

Critical 4096 Virus Facts

The 4096 (4k, Stealth, IDF--Israel Defense Forces, 100 years, Century, or Frodo) virus is one of a new breed of viruses ("Phase II" viruses--see note 2) that are so effective in masking their presence that they are nearly invisible to the user. The 4096 virus infects MS-DOS systems running DOS 3.x and 4.x. (Tests show that the 4096 virus is memory resident in DOS 2.x, but it will not infect files). This virus infects programs when a user runs or closes an executable file. The result is that the 4096 virus adds 4096 bytes to any .EXE or .COM files that have been opened, as well as to COMMAND.COM. (However, this virus disguises the size of infected files by causing the original file length to be displayed.) After initial infection, there are usually only subtle slowdowns in system performance. As more files become infected by this virus, it can disrupt the File Allocation Table (FAT), causing system crashes. The hard disk may also approach its storage capacity, causing CHKDSK to indicate the following when an infected executable file is run:

    Allocation error - File size adjusted

There is a trigger date of September 22, 1990. On or after this date the virus attempts to replace the original boot record with another boot record. Other reports indicate that the 4096 virus is unsuccessful in attempting to write the boot record. The result, however, is that the system may crash. In one version of the 4096 virus the following message is also displayed on or after the trigger date:

    FRODO LIVES

The 4096 virus is very difficult to detect, even if it has infected many files. There is logic to defeat detection on the basis of increased file size, virus-initiated interrupts, and/or checksums. The most current versions of virus detection packages such as VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, and IBM Scan are effective against the 4096 virus. If you find that your computer is infected by this virus, you should turn your machine off, then boot from a clean floppy. Now run a virus eradication program (e.g., VIRHUNT, CodeSafe, etc.) from a non-infected, write-protected floppy disk. Alternately, you can use DOS COPY to change the extension of an executable version of a virus eradication program from .EXE to .DAT or some other similar extension. This will assure that your renamed anti-virus program cannot become infected. Virus Bulletin recommends an additional detection method for DOS 3.x systems---set the time stamp ahead to January 1, 2044, create a small file, then enter the DIR command. If the 4096 virus is present, the file size will be 4K and the date will be January 1 of the year 100 (see note 3 below). In DOS 4.x systems the displayed date will be January 1 of the year 99. Another detection method is to use Norton Utilities or a similar disk management utility to show the actual size of suspected files.

Note 1: The Fish virus is a modified, more sophisticated version of the 4096 virus. It increases file sizes by either 8K or 4K.

Note 2: Other phase two viruses include the Alabama, Virus 101, 1260, and Fish virus.

Note 3: The 4096 virus adds 100 to the year of file creation, but since MS-DOS normally displays only the last two digits of the year, the virus is not normally detectable on the basis of year of file creation. MS-DOS time stamps cannot exceed December 31, 2107. If the user sets the date to January 1, 2044, the virus code increases the year by 100, causing an illegal date. The number 100 is displayed instead.
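
Note 3 rests on the layout of the DOS directory date field. The following added example (not from the bulletin) packs and unpacks that field on the assumption that it holds seven bits of year offset from 1980, four bits of month and five bits of day, which gives December 31, 2107 as the last representable date, as the note states. It shows why adding 100 to the year is invisible for ordinary dates under a two-digit year display, and why a base year of 2044 pushes the result past the field's limit. What DOS then prints for such a stamp is version-specific, as the note says, and is not modelled here.

```python
"""DOS date-stamp arithmetic behind Note 3 of the 4096 bulletin.

Added example. Assumes the packed 16-bit DOS directory date:
bits 15..9 = year - 1980 (0..127), bits 8..5 = month, bits 4..0 = day.
"""

DOS_EPOCH = 1980
MAX_YEAR_OFFSET = (1 << 7) - 1               # 127
MAX_DOS_YEAR = DOS_EPOCH + MAX_YEAR_OFFSET   # 2107, the ceiling the note cites


def pack_dos_date(year: int, month: int, day: int) -> int:
    """Pack a calendar date into the 16-bit DOS date word; reject out-of-range years."""
    offset = year - DOS_EPOCH
    if not 0 <= offset <= MAX_YEAR_OFFSET:
        raise ValueError("year %d outside DOS range %d..%d" % (year, DOS_EPOCH, MAX_DOS_YEAR))
    if not 1 <= month <= 12 or not 1 <= day <= 31:
        raise ValueError("bad month/day %d/%d" % (month, day))
    return (offset << 9) | (month << 5) | day


def unpack_dos_date(word: int) -> tuple:
    """Inverse of pack_dos_date: (year, month, day)."""
    return (DOS_EPOCH + (word >> 9), (word >> 5) & 0xF, word & 0x1F)


def two_digit_year(year: int) -> str:
    """The year as a two-digit DIR listing shows it."""
    return "%02d" % (year % 100)


def add_years(year: int, years: int) -> dict:
    """Effect of the virus's year increase on a stamp with the given base year."""
    new_year = year + years
    return {
        "year": new_year,
        "representable": DOS_EPOCH <= new_year <= MAX_DOS_YEAR,
        "display": two_digit_year(new_year),
    }


def first_overflow_year(years_added: int) -> int:
    """Smallest base year for which adding years_added exceeds the DOS date field."""
    return MAX_DOS_YEAR - years_added + 1


if __name__ == "__main__":
    print("1990 + 100 ->", add_years(1990, 100))   # still fits; DIR shows "90" either way
    print("2044 + 100 ->", add_years(2044, 100))   # 2144 does not fit in the field
    print("first base year that overflows with +100:", first_overflow_year(100))
```

Under these assumptions any base date from January 1, 2008 onward would expose the increment, not only the year 2044 that Virus Bulletin chose; a file stamped 1990 shows "90" before and after the virus adds 100, which is what makes the technique otherwise invisible.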

Note 4: Basic information about the 4096 virus has been available through the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15 since the beginning of this year.

Ray Glath and Bill Kinney furnished a portion of the information in this bulletin.


Virus Propagation in Novell and Other Networks

CIAC Informational Bulletin Number A-33: September 21, 1990, 1000 PST

Problem: Virus propagation on write-protected file systems

Types: Many known viruses, most frequently variants of the Jerusalem (Israeli) virus

Platform: MS-DOS computers

Damage: Files that use software write-protection schemes cannot be assumed safe from damage due to virus infection

Symptoms: Virus infection on write-protected files

Detection: VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, IBM Scan, FPROT

Eradication: VIRHUNT, CodeSafe, FPROT, and others (see text in p. 2 of this bulletin for recommended procedures)

Critical Virus Propagation Facts

This bulletin is to warn of a virus threat to networks for MS-DOS systems. File servers (e.g., Novell file servers) use attribute bits to perform write protection on files stored on server machines. Many viruses will clear these attribute protection bits before they attempt infection, thus circumventing the write protection scheme. Thus, write-protecting a program does not guarantee that the file is not infected with the virus.

The following is a common scenario reported to CIAC: a floppy infected with the Jerusalem-B virus is inserted into a user's PC attached to a Novell network. Once this virus is executed, it resides in the PC's memory. When the user attempts to logon to the file server (running the program login.exe), the virus infects this program, even though the program is write-protected. Login.exe is a shared program that is executed by each user as s/he connects to the Novell network. Thus, each time a user logs in to the network, his/her machine immediately becomes infected with the Jerusalem-B virus. The network allows the Jerusalem-B virus to spread considerably more quickly than if it had spread through exchange of floppy disks.

When someone disinfects a system of PCs or PC clones on a Novell or similar file system, CIAC recommends the following procedures:

  1. Detect the virus using one of the recommended packages for detecting and identifying the virus. Determine exactly which virus has infected the system, and that all virus types have been detected. Contact CIAC if you need assistance.
  2. Deactivate the network connecting the PCs/PC clones together. This includes shutting down the file servers and unmounting the partitions from the users' PCs/PC clones.
  3. Disinfect the server machines using an anti-virus package known to be effective against the detected virus. Alternately, reformat the server disks and re-install the system from original diskettes, then restore the data files from a recent backup. Do not attempt to restore programs (i.e., executable files) from a backup, as this is likely to reinfect your system.
  4. Disinfect each user's PC/PC clone using the same procedure as in step 2.
  5. Verify that the virus does not reside on the file server or any user's PC/PC clone.
  6. Bring the network file system back up.
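
The bulletin's central point is that an attribute bit on the server is cleared by the same code that infects the file, so write protection by attribute gives no assurance that a shared program such as login.exe is unchanged. A content baseline kept off the server (on a write-protected diskette, say) does give that assurance, and is a useful check before step 5 and again before step 6. The following is an added example, not a Novell utility and not CIAC's own code: it hashes the executables under a share, stores the digests, and later reports which files changed, disappeared or appeared. The share layout and file contents are constructed; only the name LOGIN.EXE comes from the bulletin.

```python
"""Integrity baseline for shared executables on a file server.

Added example. The directory tree, the file contents and the change made
to LOGIN.EXE in demo() are all constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".com"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large programs are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each executable under root (relative POSIX path) to its digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def verify_baseline(root: Path, baseline: dict) -> dict:
    """Compare the share against a stored baseline.

    'modified' files are the ones an attribute bit was supposed to protect;
    'new' executables on a share are worth a look for the same reason.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed share: take a baseline, alter LOGIN.EXE, add a file, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        public = root / "PUBLIC"
        public.mkdir()
        (public / "LOGIN.EXE").write_bytes(b"MZ" + b"\x00" * 120)   # constructed stand-in
        (public / "MAP.EXE").write_bytes(b"MZ" + b"\x01" * 120)     # constructed stand-in
        baseline = build_baseline(root)
        # Stand-in for a change to the shared login program that a read-only
        # attribute would not have prevented, plus an unexpected new executable.
        with open(public / "LOGIN.EXE", "ab") as fh:
            fh.write(b"\x90" * 32)
        (public / "EXTRA.COM").write_bytes(b"\xc3")
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Run build_baseline from a clean, write-protected boot while the server is quiescent, store the result off the server, and treat any "modified" entry as a reason to restore that program from original diskettes rather than from a backup, in line with step 3.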

End of FY90 Update

CIAC Informational Bulletin Number A-34: September 30, 1990, 1300 PST

During the twelve months of this fiscal year, CIAC team members have engaged in a number of activities. One of the main activities has been assisting sites in recovering from incidents. Our involvement has led to a number of valuable lessons learned--things that can improve your site's computer security as well as enhance the DOE community's coordination and handling of incidents.

Viruses. The major viruses with which we have dealt in the MS-DOS arena during the last 12 months are Jerusalem, Stoned, Cascade (1701/1704), Ohio, Ping Pong, and Disk Killer. Of these viruses, Jerusalem and Disk Killer are most likely to produce damage. In the Macintosh arena, nVIR and WDEF are most prevalent, although neither is likely to damage a system. For a summary of the major viruses, refer to CIAC Bulletin A-15. In addition to frequently obtaining reports of viruses spreading through exchange of removable media (disks), we are also hearing about viruses spreading rapidly through Novell and other microcomputer networks (see CIAC Bulletin A-33). Vendor demonstrations and shrink-wrap software are increasingly becoming a source of virus outbreaks.

We have found that sites with implemented procedures for detecting and eradicating viruses have significantly decreased the time and effort involved in recovering from this type of incident. Users of PCs, PC clones, and Macintoshes frequently do not know exactly whom to call if there is a suspected virus infection--the number of a support person should be posted on every small system! This is particularly important with users of classified systems. Finally, Disinfectant 2.1 and FPROT (freeware detection/eradication packages for Macintosh and MS-DOS computers, respectively) are available from CIAC for the asking.


Virus Information Update

CIAC Information Bulletin Number B-16: March 1, 1991

CIAC periodically issues bulletins about specific computer viruses. These bulletins, however, do not cover all the computer viruses that affect the PC-DOS/MS-DOS and Macintosh platforms. The purpose of this bulletin is to identify most of the known viruses for these platforms, and give an overview of the effects of each virus. This bulletin supersedes CIAC Bulletin A-15 issued last year, and includes (at least by name) more than 100 new viruses. As we continue to gather more information, we will add it to future editions of this document.



Brunswick Virus on MS DOS Computers

CIAC Information Bulletin Number B-35: August 1, 1991, 1430 PDT

Name: Brunswick virus

Aliases: Brunswick, 910129

Types: Two known variants

Platform: MS-DOS computers

Damage: May overwrite Master Boot Record

Symptoms: Not apparent until attack phase when Master Boot Record is destroyed and disk will not boot

First Discovered: January 1991

Detection: VIRHUNT v. 1.3D-1, VIRSCAN v.2.0.2 and others (contact CIAC for information about these products)

Eradication: VIRHUNT v. 1.3D-1, VIRSCAN v.2.0.2 and others

Critical Brunswick Virus Facts

The Brunswick virus infects the boot sector/master boot record of hard disks and floppies in drives A: and B: only. Once resident, this virus covertly infects all floppies and hard disks it contacts. An infected machine does not display any obvious indications of infection; therefore it can be very difficult to determine if your system is infected until the attack phase commences.

Brunswick usually enters a machine through the boot-up of an infected floppy. (This entry method is similar to that employed by the "Stoned" virus described in CIAC Advisory A-28.) The virus immediately infects the Master Boot Record through Interrupt 13. Thereafter, all disks placed in floppy A: or B: will become infected until the machine is re-booted from a clean disk. Infection occurs differently for hard disks and floppies. On hard disks, the original boot record is moved to Cylinder 0 Sector 16 Head 0. On floppy drives, the original boot record is relocated to Cylinder 0 Sector 3 Head 1. If hard disks have last been partitioned under DOS 2.0, the virus will overwrite portions of the File Allocation Table. The virus contains logic to prevent re-infection of disks and code to save the BIOS Parameter block so that 3.5 inch 1.44 MB floppies will remain readable after infection (unlike "Stoned").

The Brunswick virus mechanics are fairly straightforward. It retains a generation counter which is decremented within each new infection. Upon boot-up, the virus compares this counter to an internal constant. If the counter is larger than the constant, no action is taken; else the virus destroys the master boot record by overwriting it with random characters. This generation counter is never changed within a particular infection; therefore, if an infection and a successful boot-up have occurred, this particular infection will NEVER destroy the Master boot record (although infections will still take place).

Newer versions of anti-viral products mentioned above will detect the virus. An unauthorized write attempt to a write-protected floppy is another indication that this virus may be resident. Removal is a simple process of running any of the previously mentioned virus removal utilities. If none of these are available, contact CIAC to obtain manual removal instructions.

Infections can be easily prevented by adopting sound protection procedures, such as write-protecting all floppies and checking all diskettes before use with a trusted scanning utility. Also, always open the floppy door before booting a PC because booting with an infected NON-BOOTABLE floppy WILL CAUSE INFECTION to the hard disk.


Virus distributed in PCNFS software fix for MS-DOS computers

CIAC Information Bulletin Number B-40: September 9, 1991, 1030 PDT

Critical Information about Virus in PCNFS software fix

Problem: The Jerusalem-B Virus has inadvertently been distributed with some copies of one version of PCNFS software fix.

Platform: MS-DOS computers

Software: Sun PCNFS software fix PCNFS 3.5b, file NET.EXE

Damage: File deletion, file corruption, system slowdown

Detection: File size of newly distributed PCNFS 3.5b file NET.EXE not equal to 100181 bytes; or use of VIRHUNT, VIRSCAN, FPROT, and others

Eradication: VIRHUNT, VIRSCAN and others; replacement of NET.EXE

CIAC has been notified of the inadvertent distribution of a virus in a Sun Microsystems PCNFS software fix for MS-DOS computers. This distribution, which was sent to a limited user community, contained a file NET.EXE which may have been infected with the Jerusalem-B virus. This fix, entitled "PCNFS 3.5b," was distributed between July and August, 1991 to those requesting a patch for PCNFS 3.5. Sun has contacted all customers who had received the suspect file, and has distributed a new virus-free NET.EXE to all parties. If NET.EXE from PCNFS 3.5b does not have a file size of 100181, this file is probably infected with the Jerusalem-B virus.

It is very important to execute a virus detection/eradication package if a suspect NET.EXE file is located. If your site has received the suspect file and follow-up letter, call CIAC, Sun's support number (1-800-USA-4SUN), or your local Sun office for assistance.

NOTE: For more information on the Jerusalem virus, see CIAC bulletin "Virus Propagation in Novell and Other Networks" (A-33) or "Little Black Box (Jerusalem) virus alert" (un-numbered series, 1989). CIAC recommends anti-viral scanning of all software (including new software and upgrades to existing software) before installation is initiated.

Thanks to Sun Microsystems for assistance in providing information described in this bulletin.


End of FY91 Update

CIAC Information Bulletin Number B-45: September 30, 1991, 1700 PST

During this fiscal year, CIAC team members have engaged in a number of activities, including assisting sites in recovering from incidents and helping sites prepare for future incidents by presenting the CIAC workshops. Our involvement has led to a number of valuable lessons learned--things that can improve your site's computer security as well as enhance the DOE community's coordination and handling of incidents.

Viruses. During the past year, viruses on MS-DOS and Macintosh computers continued to infect a small but significant number of systems throughout DOE. In the MS-DOS arena, the Jerusalem-B, Cascade, and Disk-Killer viruses continued to be most prevalent. Of these viruses, Disk Killer and Jerusalem-B were most likely to cause damage to systems. During this last fiscal year, the Stoned-2, Horse, and Horse-2 viruses emerged as new threats. In the Macintosh arena, WDEF and nVIR continued to be the major source of threat, but with the advent of Macintosh System-7, the WDEF threat has been reduced since this virus will not run on this version of the operating system. Networked file systems and demonstration software continue to be the main source of these virus infections, and we continued to receive reports of infected vendor software (see CIAC Bulletin B-40). CIAC Bulletin B-16 provided an updated list of viruses and their symptoms (updated from information provided in A-15).

CIAC assisted DOE in evaluating an anti-viral product to be purchased and licensed throughout DOE. This product, "Data Physician Plus," is very effective in finding and eradicating viruses on MS-DOS platforms. For the Macintosh, Disinfectant (the latest version is 2.5.2) continues to be a good anti-viral freeware package. Contact CIAC for assistance in obtaining anti-virus packages.


Dir II Virus on MS DOS Computers

CIAC Information Bulletin Number C-2: October 18, 1991, 15:30 PDT

Critical Dir II Virus Facts

Name: Dir II virus

Aliases: Dir-2, MG series II, Creeping Death, DRIVER-1024, Cluster

Virus Type: Directory infector with stealth characteristics

Variants: Unsubstantiated reports exist for two variants

Platform: MS-DOS computers

Damage: May destroy all .EXE and .COM files and backup diskettes; crashes some lookalike systems; CHKDSK /F destroys all executable files

Symptoms: CHKDSK reports many cross-linked files and lost file chains; can corrupt backups; copied files are only 1024 bytes long; more (see below)

First Discovered: May 1991 in Bulgaria

Eradication: Perform a series of simple DOS commands (see below)

The Dir II virus presents a new type of MS-DOS virus called a directory infector. This virus modifies entries in the directory structure, causing the computer to jump to the virus code before execution of a program begins. Also, this virus utilizes stealth techniques to hide its existence in memory.

How Infection Occurs

Initial hard disk infection occurs when a file with an infected directory is executed. The virus establishes itself in memory and puts a copy of itself on the last cluster of the disk. Once the virus is active in memory, executing any file (infected or not) will cause the virus to infect the directory entry of ALL .EXE and .COM files in the current directory and in the directories listed in the PATH variable. Additional detailed information on the infection technique is included in the appendix at the end of this bulletin.

Potential Damage

If there is currently information residing on the last cluster of the disk, this virus will overwrite it upon installation. Since most backup utilities fill diskettes to capacity, backups are prone to immediate corruption upon initial infection.

The most damaging characteristic of this virus occurs if a user boots from a clean diskette and attempts to run a disk optimizer program such as CHKDSK /F, Norton Disk Doctor, or other similar utility programs. When such a program attempts to "fix" the disk, all infected executables will "become" the virus, effectively destroying the original file!

Detection

Although current versions of many common anti-viral utilities will not detect this virus and are unable to remove it, manual detection can be performed using the following methods:
  1. Boot from the suspect infected hard disk. With the suspected virus active in memory, execute the command CHKDSK with NO arguments. Then reboot from a clean, write protected diskette (such as the original DOS diskette), and execute the command CHKDSK with no arguments again. If many cross-linked files and lost file chains are reported during the second CHKDSK and not the first, it is an indication of infection.
  2. Boot from the suspected infected hard disk. With the suspected virus active in memory, use the COPY command to copy suspect files with the extension .EXE or .COM. Examine the file length of these copied files by using the DIR command, then reboot from a clean, write protected diskette and perform the same copy command(s). If the file length of the second copy is very small (around 1K) but the file length of the first copy is much larger, you may be infected with the Dir II virus.

Eradication

To manually eradicate this virus, follow these steps for every infected disk and diskette:
  1. While Dir II is active in memory, use the COPY command to copy all .EXE and .COM files to files with a different extension. Example: COPY filename.com filename.vom
  2. Reboot system from a clean, write protected diskette to ensure the system does not have the virus in memory.
  3. Delete all files with extensions of .EXE and .COM. This will remove all pointers to the virus.
  4. Rename all executables to their original names. Example: RENAME filename.vom filename.com
  5. Examine all the executables you have just restored. If any are 1K in length, they are probably a copy of the virus. Destroy any executables of this size.

CIAC would like to thank Bill Kenny of DDI for his help with this bulletin.


Appendix: Detailed DIR II Information

The DOS directory structure contains the following entries: filename, extension, attribute, time, date, cluster, filesize, and an unused area; the cluster entry is the pointer to where the actual file exists on the disk. Dir II infects the directory structure by scrambling the original cluster entry and storing it in part of the unused area, then placing a pointer to the viral code in the cluster entry. Thus when a program is executed, the computer executes the viral code, the virus decrypts the original cluster entry, then the virus allows the original program to proceed.

Upon initial infection, the virus links itself into the device driver chain, copying itself to the last cluster (or last two clusters, if cluster size is less than 1024 bytes) on the disk and infects the directory structure of all .EXE and .COM files residing in the current directory and all directories defined in the path. The virus infects all files with .EXE or .COM as an extension whether or not they are executable, EXCEPT if the size of the file is less than 2K, larger than 256K, or has an attribute of System, Volume, or Directory set. Therefore it does not infect the two hidden system files, but it DOES infect command.com.
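The directory layout just described is what the manual detection steps above (the second CHKDSK run reporting cross-linked files) are really looking at. The following is an added example for this page, not code from CIAC or from DDI: it parses raw DOS directory entries and reports the two things a defender would check for, clusters shared by several entries (what CHKDSK reports as cross-linked files) and executable entries whose first-cluster pointer is the last cluster of the disk, where Dir II parks its code. The 32-byte entry layout (name, extension, attribute, reserved area, time, date, first cluster, size) is the standard DOS format; the sample directory sectors, the last-cluster number and the contents of the reserved area are constructed for the demonstration.

```python
"""Detect the cross-linking that the Dir II directory infector leaves behind.

Added example for this page; it is not code from CIAC or from DDI.  It models
the DOS directory layout the appendix describes: 32-byte entries holding name,
extension, attribute, time, date, first cluster and size, plus a reserved area
(bytes 12-21 here) that Dir II uses to stash the scrambled original pointer.
The sample directory sectors are constructed for the demonstration."""
import struct
from collections import defaultdict

ENTRY_SIZE = 32
ATTR_SYSTEM, ATTR_VOLUME, ATTR_DIRECTORY = 0x04, 0x08, 0x10
EXECUTABLE_EXTS = {"EXE", "COM"}


def make_entry(name, ext, attr, first_cluster, size, reserved=b"\0" * 10, deleted=False):
    """Build one 32-byte directory entry (constructed test data only)."""
    entry = bytearray(name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
                      + bytes([attr]) + reserved
                      + struct.pack("<HHH", 0, 0, first_cluster)  # time, date, first cluster
                      + struct.pack("<I", size))
    if deleted:
        entry[0] = 0xE5  # DOS marks a deleted entry by overwriting the first name byte
    return bytes(entry)


def parse_directory(sector):
    """Yield one dict per entry, including deleted ones (Dir II infects those too)."""
    for off in range(0, len(sector) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = sector[off:off + ENTRY_SIZE]
        if e[0] == 0x00:  # end-of-directory marker
            break
        deleted = e[0] == 0xE5
        base = ("?" + e[1:8].decode("ascii") if deleted else e[0:8].decode("ascii")).rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        yield {"name": f"{base}.{ext}" if ext else base, "ext": ext, "attr": e[11],
               "reserved": e[12:22],
               "first_cluster": struct.unpack_from("<H", e, 26)[0],
               "size": struct.unpack_from("<I", e, 28)[0], "deleted": deleted}


def find_cross_links(sector):
    """Clusters shared by more than one file entry, as CHKDSK would report them.
    Dir II points every executable entry at the virus cluster, so one cluster
    shared by many .EXE/.COM entries is the tell-tale pattern."""
    by_cluster = defaultdict(list)
    for ent in parse_directory(sector):
        if ent["attr"] & (ATTR_DIRECTORY | ATTR_VOLUME):
            continue
        by_cluster[ent["first_cluster"]].append(ent["name"])
    return {c: names for c, names in by_cluster.items() if len(names) > 1}


def dir2_suspects(sector, last_cluster):
    """Executable entries (live or deleted) whose first-cluster pointer is the
    last cluster of the disk, where Dir II parks its code.  A non-zero reserved
    area is returned as supporting evidence (assumption: that is where this
    sample stashes the scrambled original pointer)."""
    suspects = []
    for ent in parse_directory(sector):
        if ent["ext"] not in EXECUTABLE_EXTS:
            continue
        if ent["attr"] & (ATTR_SYSTEM | ATTR_VOLUME | ATTR_DIRECTORY):
            continue  # per the bulletin, system/volume/directory entries are not infected
        if ent["first_cluster"] == last_cluster:
            suspects.append((ent["name"], ent["deleted"], any(ent["reserved"])))
    return suspects


LAST_CLUSTER = 1999  # constructed: last data cluster of the sample disk
STASH = b"\0" * 8 + b"\x3A\x07"  # constructed: scrambled original pointer in the reserved area

CLEAN_DIRECTORY = b"".join([
    make_entry("IO", "SYS", 0x27, 2, 33430),
    make_entry("COMMAND", "COM", 0x20, 120, 47845),
    make_entry("WP", "EXE", 0x20, 300, 210000),
    make_entry("NOTES", "TXT", 0x20, 700, 1200),
    make_entry("DOS", "", ATTR_DIRECTORY, 40, 0),
    make_entry("GAME", "COM", 0x20, 900, 8000, deleted=True),
]) + b"\0" * ENTRY_SIZE

INFECTED_DIRECTORY = b"".join([
    make_entry("IO", "SYS", 0x27, 2, 33430),             # system file: left alone
    make_entry("COMMAND", "COM", 0x20, LAST_CLUSTER, 47845, STASH),
    make_entry("WP", "EXE", 0x20, LAST_CLUSTER, 210000, STASH),
    make_entry("NOTES", "TXT", 0x20, 700, 1200),          # data file: left alone
    make_entry("DOS", "", ATTR_DIRECTORY, 40, 0),
    make_entry("GAME", "COM", 0x20, LAST_CLUSTER, 8000, STASH, deleted=True),
]) + b"\0" * ENTRY_SIZE

if __name__ == "__main__":
    print("clean cross-links:   ", find_cross_links(CLEAN_DIRECTORY))
    print("infected cross-links:", find_cross_links(INFECTED_DIRECTORY))
    print("Dir II suspects:     ", dir2_suspects(INFECTED_DIRECTORY, LAST_CLUSTER))
```

Note that the deleted GAME.COM entry is reported as well; this is the point the appendix makes about undelete utilities, since an undeleted entry still points at the virus cluster. A real check would read the directory sectors from a machine booted from a clean diskette, because with the virus resident the stealth code hands back the original pointers.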

Following the supplied eradication steps will simply remove all "live" pointers to the viral code. After eradication you may wish to use a direct disk access utility (such as Norton Utilities) to directly access the viral code existing on the last cluster on the disk and overwrite it with blanks. Another recommended final clean-up entails running a disk optimizer program that will clean out all unnecessary deleted files. It is important to remember that this virus has infected all .COM and .EXE files, even if they are tagged as deleted. Therefore if an undelete utility is used on these files, the virus can resurface.

Other Facts About Dir II:


Novell Network Support Encyclopedia Update Virus

CIAC Advisory Notice Number C-11: December 18, 1991 1000 PST

Virus Inadvertently Distributed in Novell Network Support Encyclopedia Update

Problem: 5 1/4 inch diskettes sent from Novell to customers from December 9-16, 1991 contain the Stoned-3 virus.

Platform: PC/MS-DOS systems running Novell Netware software.

Damage: Potential to overwrite boot sector of fixed and floppy disks; potential to create infected floppyless boot image files and thereby propagate the virus via the network.

Solution: Scan all incoming software.

Detection/Eradication: Data Physician Plus, other antiviral packages.

Critical Facts about Inadvertent Virus Distribution

CIAC has learned that Novell, Inc. has inadvertently sent diskettes infected with the Stoned-3 virus to Novell Netware customers. These diskettes are labelled "Network Support Encyclopedia - Standard Volume Update." The Novell part number for these disks is 883-001495-004. Infected diskettes were distributed from December 9-16, 1991.

The Stoned-3 virus is a minor variation of the Stoned virus. This virus infects the boot sector of a hard disk or diskette and will sometimes display the message (sic):

    "Your PC is now Stoned!.....LEGALISE MARIJUANA!"

This virus becomes memory resident and will infect any other disks accessed by the PC while the virus is memory resident. For more information, see CIAC Bulletin A-28 on the Stoned virus family and B-16 for a summary of known viruses.

If you discover that the Stoned virus has infected your PC, it may be removed using the VIRHUNT package licensed to DOE by Digital Dispatch Incorporated. CIAC also recommends that you follow a policy of scanning all new software before using or installing it on your PC. This policy should be followed for all vendor-supplied shrink-wrapped software as well as bulletin board or shareware software, since a few other vendors have inadvertently distributed viruses with packaged software in the past. CIAC recommends that if you are from a DOE site and are not already using an effective anti-viral scanner, you should contact your site's computer security department to obtain a free copy of Data Physician PLUS! (which contains VIRHUNT and several other useful packages). In addition, since new viruses are constantly being discovered, we recommend that you ensure that your anti-viral scanner has been updated to the most recent version. The most recent version of Data Physician PLUS! is V 3.0C.


Michelangelo Virus on MS DOS Computers

CIAC Information Bulletin Number C-15: February 6, 1992, 1400 PDT

Name: Michelangelo virus

Platform: MS-DOS computers

Damage: On March 6 will destroy all files on infected disks and diskettes that are accessed.

Symptoms: CHKDSK reports "total bytes memory" 2048 bytes less than expected

Detection: DDI Data Physician Plus! v 3.0C, FPROT 2.01, other anti-viral packages updated since late September 1991

Eradication: DDI Data Physician Plus! v 3.0C, FPROT 2.01, other anti-viral packages updated since late September 1991

Critical Facts about Michelangelo Virus

The Michelangelo virus, one of the most widespread viruses among MS DOS systems, infects the Master Boot Record of hard disks and the boot sector of floppy disks. This virus will destroy infected disks on March 6 (Michelangelo's birthday). It infects very rapidly and quietly, usually showing no indication of its presence until a virus detection utility notes its existence.

Infection Mechanism

This virus is very similar to the Stoned family of viruses (see CIAC Bulletin A-28 for a description of the Stoned virus). When a Michelangelo-infected diskette is placed in the A: drive and the machine is booted, the virus is loaded into memory from the infected floppy disk. It then quickly infects the machine by moving the hard disk's original boot sector to another location on the disk, and installs itself as the boot sector. From then on, any access to another disk spreads the virus to that disk. The disk which infects the hard disk does NOT have to be a bootable system diskette to spread the infection. Also, all boot infector viruses, such as this one, do NOT affect user files; therefore, a backup prior to eradication will enable full recovery of all user data and programs.

Potential Damage

On March 6 of any year this virus will destroy all data on any disk from which the machine is booted. This occurs by overwriting hard disk sectors 1-17, heads 0-3, tracks 0-255, or the entire diskette with random characters, thus making recovery questionable at best. Note that if your hard disk is partitioned and contains another operating system, such as UNIX, in the area overwritten, that data will be destroyed as well. On all other days of the year this virus lies dormant, merely copying itself to other disks. The infection mechanism of this virus may also cause read errors to occur upon some high density (1.2 M) diskettes.

A problem can occur if a disk is infected by both the Michelangelo and the Stoned viruses AT THE SAME TIME. Both move the 'original' boot sector to the same location on the disk, so when the second infection occurs, the original clean boot sector is destroyed by being overwritten by the first virus. CIAC recommends a low-level format of the disk if this double-infection occurs, although performing the DOS SYS operation may repair a damaged diskette, and performing the undocumented FDISK/MBR operation (in DOS 5.0 only) may repair a damaged hard disk.

Detection and Eradication

Because the Michelangelo virus has been discovered relatively recently, only anti-virus products updated since early autumn of 1991 will detect it. If you suspect your PC has this virus and do not have an updated version of a virus scanner, running CHKDSK will report a "total bytes memory" value 2048 bytes less than expected. For example, a PC with 640 KBytes of memory will normally return a value of 655,360 bytes, with Michelangelo that value would be 653,312. Of course, having less "total bytes memory" does not necessarily mean a virus is resident on your machine, as some valid memory resident programs can affect this value as well.
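Brunswick, Stoned and Michelangelo all work the same way at the disk level: the master boot record is replaced by the virus loader and the original is moved elsewhere, while the partition table is left alone so the machine still boots. That makes a baseline comparison of the boot sector a reliable check independent of scanner update dates. The following is an added example for this page, not code from CIAC or from any product it names. It assumes the standard PC MBR layout (boot code in bytes 0-445, four 16-byte partition entries at 446-509, the 0x55AA signature at 510-511); the boot-code bytes and partition entry are constructed, and the helper for the CHKDSK memory figure uses the 640 KB / 655,360-byte value the bulletin quotes.

```python
"""Boot-sector integrity check for the boot infectors described in these
bulletins (Brunswick, Stoned and Michelangelo).

Added example for this page, not code from CIAC or from any product it names.
All three viruses replace the master boot record (MBR) with their own loader
and move the original elsewhere on the disk, so the defender's check is to
hash the boot code while the machine is known clean and compare it on every
later boot from a clean, write-protected diskette.  The layout used is the
standard PC MBR: boot code in bytes 0-445, four 16-byte partition entries at
446-509, and the 0x55AA signature at 510-511.  The sectors are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xAA"
CONVENTIONAL_MEMORY = 640 * 1024  # 655,360 bytes, the CHKDSK value the bulletin quotes


def parse_mbr(sector):
    """Split an MBR into its boot-code hash, partition table and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes skipped), type, CHS end (3 skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def check_against_baseline(baseline, sector):
    """Compare a freshly read MBR with a baseline taken when the disk was clean.
    Returns a list of findings; an empty list means nothing changed."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed since baseline: possible boot-sector infection")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed since baseline")
    return findings


def memory_shortfall(chkdsk_total_bytes, installed_bytes=CONVENTIONAL_MEMORY):
    """Bytes of conventional memory that CHKDSK cannot see; 2048 is the figure
    the bulletin gives for a resident Michelangelo (other TSRs shrink it too)."""
    return installed_bytes - chkdsk_total_bytes


def build_mbr(boot_code, partition_entries, signature=BOOT_SIGNATURE):
    """Assemble a 512-byte MBR from constructed parts."""
    table = b"".join(partition_entries).ljust(64, b"\0")
    return boot_code.ljust(PARTITION_TABLE_OFFSET, b"\0") + table + signature


# Constructed: a DOS-style primary partition, bootable, type 0x06 (FAT16), starting at LBA 17.
PRIMARY_PARTITION = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\x03\xD1\x27", 17, 40960)
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 100     # constructed
INFECTED_BOOT_CODE = b"\xEA\x05\x00\xC0\x07" + b"\x90" * 100                   # constructed stand-in

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [PRIMARY_PARTITION])
INFECTED_MBR = build_mbr(INFECTED_BOOT_CODE, [PRIMARY_PARTITION])  # table intact, code swapped
BASELINE = parse_mbr(CLEAN_MBR)  # taken once, while the machine was known clean

if __name__ == "__main__":
    print("clean:   ", check_against_baseline(BASELINE, CLEAN_MBR))
    print("infected:", check_against_baseline(BASELINE, INFECTED_MBR))
    print("CHKDSK shortfall with 653,312 reported:", memory_shortfall(653312))
```

The baseline must be taken and later re-read after booting from a clean, write-protected diskette; with a stealth boot infector resident, a read of the boot sector through the infected Interrupt 13 handler can return the relocated original. Keeping the partition table in the comparison also catches the double-infection case above, where a second infection overwrites the moved original sector.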

CIAC is aware of at least two publicized cases of this virus being inadvertently distributed by vendors. The vendors involved are Leading Edge and DaVinci Systems; both vendors have made an attempt to contact all recipients of the software involved.

CIAC stresses the importance of checking all incoming diskettes with an anti-viral utility, such as VIRHUNT from DDI's Data Physician Plus! package. CIAC recommends that once a system has had a virus eradicated, it be powered down. The computer should then be observed closely throughout the entire boot-up process. Another virus scan should be performed on the machine to ensure that it is devoid of any virus.


New Virus on Macintosh Computers: MBDF A

CIAC Information Bulletin Number C-17: February 25, 1992, 1130 PST

Name: MBDF A virus

Platform: Macintosh computers (except MacPlus and SE; see below)

Damage: May cause program crashes

Symptoms: Claris applications indicate they have been altered; some shareware may not work, unexplained system crashes

Detection & Eradication: Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6, VirusDetective 5.0.2, Rival 1.1.10, SAM 3.0

Critical Facts about MBDF A

A new Macintosh virus, MBDF A, (named for the resource it exploits) has been discovered. This virus does not appear to maliciously cause damage, but simply copies itself from one application to another. MBDF A was discovered at two archive sites in newly posted game applications, and has a high potential to be very widespread.

Infection Mechanism

This virus is an "implied loader" virus, and it works in a similar manner to other implied loader viruses such as CDEF and MDEF. Once the virus is active, clean application programs will become infected as soon as they are executed. MBDF A infects only applications, and does not affect data files. This virus replicates under both System 6 and System 7. While MBDF A may be present on ALL types of Macintosh systems, it will not spread if the infected system is a MacPlus or a Mac SE (although it does spread on an SE/30).

Potential Damage

The MBDF A virus has no malicious damaging characteristics, however, it may cause programs to inexplicably crash when an item is selected from the menu bar. Some programs, such as the shareware "BeHierarchic" program, have been reported to not operate correctly when infected. Applications written with self-checking code, such as those written by the Claris corporation, will inform the user that they have been altered.

When MBDF A infects the system file, it must re-write the entire system file back to disk; this process may take two or three minutes. If the user assumes the system has hung, and reboots the Macintosh while this is occurring, the entire system file will be corrupted and an entire reload of system software must then be performed.

This virus can be safely eradicated from most infected programs, although CIAC recommends that you restore all infected files from an uninfected backup.

Detection and Eradication

Because MBDF A has been recently discovered, only anti-viral packages updated since February 20, 1992 will locate and eradicate this virus. All the major Macintosh anti-viral product vendors are aware of this virus and have scheduled updates for their products. These updates have all been available since February 24, 1992. The updated versions of some products are Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6, SAM 3.0, VirusDetective 5.0.2, and Rival 1.1.10. Some Macintosh applications (such as the Claris software mentioned above) may contain self-verification procedures to ensure the program is valid before each execution; these programs will note unexpected alterations to their code and will inform the user.

MBDF A has been positively identified as present in two shareware games distributed by reliable archive sites: "Obnoxious Tetris" and "Ten Tile Puzzle". The program "Tetricycle" (sometimes named "Tetris-rotating") is a Trojan Horse program which installs the virus. If you have downloaded these or any other software since February 14, 1992 (the day these programs were loaded to the archive sites), CIAC recommends that you acquire an updated version of an anti-viral product and scan your system for the existence of MBDF A.

CIAC would like to thank Gene Spafford and John Norstad, who provided some of the information used in this bulletin.


PKZIP Trojan Alert

CIAC Information Bulletin Number C-27: July 8, 1992, 1700 PT

Problem: Bogus versions of the PKZIP archiving software have been released to Bulletin Board Systems (BBS).

Platform: PCs running PC-DOS, or MS-DOS

Damage: One version attempts to erase the hard disk.

Detection: Look for the files: PKZ201.ZIP, PKZ201.EXE, PKZIPV2.ZIP, or PKZIPV2.EXE

Removal: Save a copy of the files for CIAC, then delete the files. Do not extract or run these files.

Critical Facts about the PKZIP Trojan

CIAC has learned that two bogus versions of the popular archiving utility PKZIP for PC-DOS and MS-DOS machines are being circulated on several BBSs around the country. The two bogus versions of PKZIP are, 2.01 (PKZ201.ZIP and PKZ201.EXE) and 2.2 (PKZIPV2.ZIP and PKZIPV2.EXE). If you have downloaded any of these files, do not attempt to use them. You risk the destruction of all the data on your hard disk if you do.

At the current time, the released version of PKZIP is version 1.10. A new version of PKZIP is expected to be released in the next few months. Its version number was planned to be 2.00, but may be increased to a number greater than 2.2 to prevent confusion with the bogus versions. PKWARE Inc. has indicated it will never issue a version 2.01 or 2.2 of PKZIP. A good copy of the latest version of PKZIP can always be obtained from the PKWARE BBS listed below.

According to PKWARE Inc. version 2.01 is a hacked version of PKZIP 1.93 Alpha. While this version does not intentionally do any damage, it is alpha level software, and may have serious bugs in it.

Version 2.2 is a simple batch file that attempts to erase your C:\ and C:\DOS directories. If your hard disk has been erased by this program, you may be able to recover it using hard disk undelete utilities such as those in Norton Utilities, or PCTools. Don't do anything that might create or expand a file on your hard disk until you have undeleted the files, as you may overwrite the deleted files which will destroy them. To examine a file to see if it is version 2.2, type it to the screen with the DOS TYPE command. If the file that prints on the screen is a short batch file with commands such as DEL C:\*.*, or DEL C:\DOS\*.* then you have the bogus file.

If you should happen to see any of these files on a BBS, please contact the sysop of that BBS immediately, and ask him to remove them. If you have downloaded one of these files, please save a copy for CIAC, and then delete the files from your hard disk. PKWARE Inc. has also asked to be informed of any occurrences of these files, and can be reached at,

or by mail:

CIAC would like to acknowledge the contribution of: PKWARE Inc.


November 17 Virus on MS DOS Computers

CIAC Information Bulletin Number D-10: March 15, 1993 1000 PST

Name: November 17 virus

Aliases: NOV 17, 855

Platform: MS DOS Computers

Damage: On November 17 will destroy hard disk contents

Symptoms: Files grow by 855, 768, 880, or 800 bytes

Detection/Eradication: FPROT 207, Scan V102, Novi

Critical Facts about the November 17 virus

The November 17 virus is a simplistic file infector virus which has recently been discovered to be fairly widespread. This virus will overwrite the hard disk on November 17 of any year.

Infection Mechanism

This virus is a file infector virus (see CIAC bulletins A-20, A-27, A-29, B-35, and 3 bulletins from Fiscal Year 1989 for information on similar file infector viruses). Upon execution of a virus-infected program, NOV 17 will become memory resident at the top of memory and inhabit 896 bytes of memory.

Once resident, it will infect any .COM and .EXE programs when the file attributes are set or read, when the file is opened for READ, and upon loading and execution. Therefore, if the virus is resident in memory, and a new disk with clean executables is copied, the original disk's .EXE and .COM files will become infected if the disk is not write-protected. It can easily be transferred via LANs anytime an executable file is opened or executed over the LAN. This virus will not infect files with a filename of SCAN.EXE or CLEAN.EXE, and it will not infect files that have the system bit set. It does not affect data files.

Potential Damage

On November 17 of any year this virus will overwrite portions of the C: drive or current drive, depending on the variant. On any other day of the year this virus will simply replicate. Some variants will cause this overwrite process to occur on days after November 17.

Detection and Eradication

Many recent versions of antivirus products will detect this virus. Another method of direct detection is to search for the string "SCAN.CLEAN.COMEXE", which can be found within the virus code of every infection.

Until March of 1993, there had been no reports of this virus in the United States. Because of this fact, some anti-virus products do not detect the presence of it by name. Some products, such as Data Physician Plus!, do detect when they themselves become infected, at which point a message such as "A virus has been detected, would you like to continue?" may appear on the screen. This message means that the antivirus product's self check mechanism has detected a modification to itself, and at this point CIAC recommends that you check the machine with a different antivirus product, or call CIAC for additional information on virus handling.

Virus Variants

There are four known variants of this virus; all increase file lengths by a different amount and take up a different amount of resident memory. The variants increase file lengths of infected files by 768, 800, 880, and 855 bytes. The 768 variant is almost identical to the original virus but takes up 800 bytes of memory; it was discovered in May of 1992. The variant which adds 800 bytes to files takes up 832 bytes of memory, was discovered in March of 1993, and activates November 17-30 of any year. The 880 variant, which uses 928 bytes of memory, first seen in November, 1992, will activate on any date from November 17-December 31 of any year. The 855 variant, also called Nov17B, first seen in September of 1992, causes infected .EXE files to hang the system when executed.

Due to the nature of this virus's infection mechanism, it is sometimes not possible to remove the infection from a host program. CIAC recommends that if this virus is discovered a copy be kept and then all infected files be deleted and restored from backup.


Satan Bug Virus on MS-DOS computers

CIAC Information Bulletin Number D-22: September 4, 1993 1000 PDT

Name: Satan Bug virus

Platform: MS-DOS/PC-DOS Computers

Type: Memory resident, polymorphic, encrypted

Damage: Infects .COM, .EXE, .SYS, and .OVL files. Damages infected files, makes LANs inaccessible by damaging the LAN drivers.

Symptoms: Files grow at each infection, file dates change, files on LAN file servers become inaccessible.

Detection: DataPhysician Plus 4.0B, Scan V106, Norton AntiVirus 2.1 with August 1993 virus definitions.

Critical Facts about the Satan Bug Virus

CIAC has been alerted that the Satan Bug virus, a new virus previously thought to be contained, has been located at multiple sites in the "wild." The Satan Bug virus is an encrypted, polymorphic virus that infects all .COM, .EXE, .SYS, and .OVL files on MS-DOS/PC-DOS computers.

Infection Mechanism

When an infected file is run, the virus installs itself in memory, and then infects COMMAND.COM. Thereafter, whenever an executable file is opened or executed it is infected with the virus. Infected files grow in size from 2.9K to 5.4K bytes, and the creation date is increased by 100 years.

Potential Damage

It does not appear that this virus does any intentional damage, but infected files may be inoperative. In addition, the virus is not easily removed from infected files, requiring that they be replaced with uninfected copies from backup disks (See Appendix). The virus damages network drivers, making it impossible for a machine to connect to a network and use network services.

Detection

Anti-virus scanners dated before August 1993 that use virus signature scanning will not be able to recognize this virus. Anti-virus scanners that use file signature scanning should be able to detect that the files have been changed, but will not be able to name the virus. Most anti-virus scanner vendors are updating their programs at this time, so scanners dated after August 1993 should be able to detect the virus by name. As of the release of this bulletin, McAfee's SCANV 106 and Norton AntiVirus version 2.1 with the August 1993 virus definitions update are known to detect it. The DataPhysician Plus package (VirHunt, ResScan) version 4.0B is in final testing and will be available soon.

Warning

If you run an infected anti-virus scanner, nearly every executable file on your disk will be infected. Virus scanners must open a file to scan it, and if this virus is in memory, the act of opening the file for scanning will infect it. Most scanners first check themselves to see if they are infected with a virus, and display a "Virus Found" or "File Damaged" message when they start up. If this happens, do not scan your disk with this scanner. Even if the scanner claims that it can remove the virus from itself, don't scan your disk with it. The memory resident portion of the virus will still infect your disk.

To scan a computer infected with a memory resident virus like the Satan Bug virus, you must boot the computer with a clean (uninfected), locked floppy that contains a clean version of the virus scanner software. Delete any infected files the scanner finds, and replace them with fresh copies. See the Appendix for more information.

CIAC wishes to thank Bill Kenny of DDI, Joe Wells of Symantec and David Proulx of NAVCERT for their help in preparing this bulletin.


Appendix: Scanners, Encrypted Viruses and Removing Memory Resident Viruses

The following appendix answers some frequently asked questions about virus scanners, encrypted viruses, and disinfecting hard disks.

Anti-Virus Scanners

Virus scanners use two different methods for detecting infected files: scanning for virus signatures, and scanning for changes in executable files. A signature scanner must have a string of bytes (a signature) that it can detect in a file and that uniquely identifies a virus. If a virus does not contain a known signature, the scanner will not detect it. File scanners look at a file's attributes, creation date and time, length, checksum, file header, and other properties to determine whether a file has changed. A file scanner can detect a new virus, but cannot tell which virus it is. Strictly speaking, a file scanner cannot tell that a file is infected by a virus at all, only that the file has changed in some way. However, any change in an executable file should be viewed with a lot of suspicion. Few executable files rewrite themselves after installation. None of the DOS utility programs (FORMAT, ASSIGN, etc.) should ever change during normal use, so treat changes there as a probable virus infection.

Problems Removing Encrypted Viruses

Encrypted viruses like the Satan Bug are particularly difficult to remove from an infected program. Most viruses of this type attach themselves to the end of a program, and then remove a small piece from the beginning of the program and insert code there that causes the virus code to be run first. When the virus code completes running, it executes the small piece of code it removed from the beginning of the program and then continues with the original program. That way, when you run an infected program, you will only notice a slight hesitation at the beginning when the virus code runs, and then the infected program runs like normal.

Encrypted viruses store this piece of the normal program within the virus code and then encrypt the virus code. For an anti-virus program to be able to patch an infected program, it must be able to decrypt the encrypted virus to find the piece of missing code so that it can be put back where it belongs. The Satan Bug virus has up to nine levels of encryption, the level being different for each infection. Decrypting this much code is a very difficult process, so most anti-virus programs are not expected to be able to repair programs infected with the Satan Bug virus.

On the other hand, some file signature scanning programs may save enough of the scanned files to be able to repair an infected program. The Data Physician Plus package does save a sufficient amount of information to be able to repair a program infected with the Satan Bug virus. However, you must have created the file signature file before your program was infected. Again, if at all possible, you should always replace infected files rather than repairing them, to ensure that you have undamaged copies.

Disinfecting Hard Disks Infected With a Memory Resident Program Virus

In order to disinfect a disk infected with a memory resident program virus, you first need to get the virus out of memory, then you need to scan the disk with an uninfected copy of the Virus Scanner. To get the virus out of memory, boot your computer with a clean, locked boot disk. Then you can scan the hard disk using an anti-virus scanner, also located on a locked disk. The following steps can be used to disinfect systems infected with memory resident program viruses such as the Satan Bug. It is also applicable to non-memory resident program viruses, but is not applicable to boot sector viruses and partition table viruses which need additional steps.
  1. You need a locked, uninfected emergency boot floppy disk that contains the virus scanner, FORMAT.EXE, SYS.COM, FDISK.COM, and any disk management software needed to access your hard disk, such as DiskManager. You also need simple CONFIG.SYS and AUTOEXEC.BAT files that let you bring up your system in a limited way, and any backup/restore software you may use. You need to have made this disk before your system gets infected, or make it on some other uninfected machine.
  2. Boot the infected computer with the locked, uninfected floppy.
  3. Run the copy of the virus scanner on the uninfected floppy and scan the hard disks on the infected computer.
  4. Once the scan has completed, delete any infected files the scanner found and scan the disk again. Repeat this step until no more infected or changed files are found. Alternately, you can let the scanner disinfect all the files if it can, but this is not always possible or preferable.
  5. When the scanner indicates that the hard disk is clean: Restore the system using the SYS command. This step replaces the invisible system files, COMMAND.COM, and the boot sector.
  6. Restore any deleted executables from your locked master disks or backup sets.
  7. Scan the disk again with your virus scanner. Note that at this point, the scanner may detect changes in some files because you have copied in new versions. If the scanner detects a virus, then delete the infected file. Later you will need to scan your source disk for that infected file, to see if it is infected as well.
  8. Remove the emergency floppy and reboot the computer. Your computer should boot up correctly.
  9. Insert the emergency floppy and run the scanner again just to be sure you have gotten every infected file.
  10. Start scanning any floppy disks that may have been infected by your computer. Keep in mind that the virus could have been active for months before you discovered it.

nVir A Virus Found on CD-ROM

CIAC Advisory Notice Number E-19: May 5, 1994 1500 PDT

Problem: The Macintosh nVir A virus has been found in the "README." file on the Journal of Vacuum Science & Technology CD-ROM Vol.12 1Q94.

Platform: Macintosh, all versions of the operating system. This virus has no effect on the MS-DOS files also on the disk.

Damage: The virus can easily infect your computer.

Solution: Check with publisher, do not execute "README." file.

Vulnerability Assessment: This CD-ROM is included as part of the American Vacuum Society's (AVS) journal distribution, and is distributed to members of the AVS. The virus is not overtly damaging, but does damage the system and applications during infection.

Critical Information about the CD-ROM distribution, and the nVir A Virus

CIAC has investigated a report of a virus in the CD-ROM distribution of a technical journal. The Journal of Vacuum Science & Technology A&B (Second Series Volume 12, 1994) apparently was inadvertently infected with the nVir A virus before production of the CD-ROM. All known copies of this CD-ROM distribution are infected with this Macintosh virus.

The CD-ROM can be identified by the following titles printed on the disk:

    A title in large bold type: "JVST A&B Vol. 12 1Q94"
    A subtitle in small type: "JVST-A Vol 12(1) and 12(2) JVST-B, Vol 12(1)"

The infected file is "README." in the root directory of the CD-ROM, which is a DOCMaker Stand-Alone document reader application. This file is the one the instruction manual tells you to run for viewing or printing the user manual; however, doing so will infect the system file of your Macintosh.

This disk can also be read via a PC using DOS or Windows, but those systems will be unaffected, because the nVir A virus is specific to the Macintosh operating system.

The nVir A virus at first only replicates, but after a certain number of executions it has a small chance of saying "Don't Panic" if MacinTalk is installed, or of having the computer beep if MacinTalk is not installed. It is not an intentionally destructive virus, but it does damage the system and applications during the infection process. Infected systems occasionally crash, and printing is often delayed or damaged.

CIAC recommends that if you have received this CD-ROM, you immediately mark it as containing a Macintosh computer virus, and do not run the "README." file in the root directory. If you are using this disk on a PC system, you do not need to worry as the PC files on this disk are not infected. If you have already run this infected file, get a copy of an anti-virus program such as Disinfectant, and scan your hard disk for infected files. Replace all the infected files that you can, and repair those that you cannot replace. If your hard disk has been infected, you must scan every floppy disk that has been in your system since the infection occurred.

Even though the CD-ROM contains an infected file, the file can only infect your system if it is executed. The other files on the disk can still be installed and used without causing an infection. To install the Adobe Acrobat document reader on your Macintosh, run the Installer program in the JVST_94:install:mac:reader folder. To install the search utility, run the JVST_INSTALL;1 program in the JVST_94:install:mac:wordkeep directory. You can also view the README.DOC file, which contains the instructions for using the PC and Windows versions of the reader, using a word processor. Only the "README." file must be avoided.

If you must access the data in the infected "README." file, carefully copy the file to a floppy disk, repair it using an anti-virus utility such as Disinfectant, and then scan it again to ensure it has been repaired. If the repaired file is no longer infected, you may then run it to view the document. Again, do not run the copy of the "README." file that is on the CD-ROM, as it is still infected and cannot be repaired, because a CD-ROM is read-only.

The publisher has sent a letter to all known recipients of this CD-ROM distribution explaining this problem.

CIAC wishes to thank Judy Lim, Rick Stulen and Art Pontau of Sandia National Labs for first bringing this to our attention and for supplying us with a copy of the CD-ROM. CIAC also wishes to thank the ASSIST team for helping us to contact the publishers of this journal.


Trojan Attack on Chinon CD-ROM Drives

CIAC Information Bulletin Number E-20: May 6, 1994 1200 PDT

Problem: A Trojan-horse program, CD-IT.ZIP, masquerading as an improved driver for Chinon CD-ROM drives, corrupts system files and the hard disk.

Platform: All MS-DOS and PC-DOS machines.

Damage: Once in memory, the program destroys system files, requiring a format of the infected drive to correct.

Solution: Do not execute the program in CD-IT.ZIP.

Vulnerability Assessment: The program is not dangerous if not run, but can cause serious damage to a hard drive if it is. As of this date, we don't know of any anti-virus software that recognizes it.

Critical Information about the CD-IT.ZIP Trojan

CIAC has received information from Chinon America regarding a Trojan-horse program masquerading as an improved driver for Chinon CD-ROM drives. The following text is the press release from Chinon America:

TORRANCE, CALIFORNIA, U.S.A., 1994 APR 29 (NB) -- A new "Trojan Horse" computer virus is on the Internet and is labeled with the name of the fourth largest manufacturer of compact disc read-only memory (CD-ROM) drives. Chinon America, Incorporated, the company whose name has been improperly used on the rogue program, is warning IBM and compatible personal computer (PC) users to beware of the program known as "CD-IT.ZIP."

A Chinon CD-ROM drive user brought the program to the company's attention after downloading it from a Baltimore, Maryland Fidonet server. One of the clues that the virus, masquerading as a utility program, wasn't on the up-and-up was that it purports "to enable read/write to your CD-ROM drive," a physically impossible task.

CD-IT is listed as authored by Joseph S. Shiner, couriered by HDA, and copyrighted by Chinon Products. Chinon America told Newsbytes it has no division by that name. Other clues were obscenities in the documentation as well as a line indicating that HDA stands for Haven't Decided a Name Yet.

David Cole, director of research and development for Chinon, told Newsbytes that the company knows of no one who has actually been infected by the program. Cole said the virus isn't particularly clever or dynamic, but none of the virus software the company tried was able to eradicate the rogue program. Chinon officials declined to comment on what antivirus software programs were used.

If CD-IT is actually run, it causes the computer to lock up, forcing a reboot, and then stays in memory, corrupting critical system files on the hard disk. Nothing but a high-level reformat of the hard disk drive will eradicate the virus at this point, a move that sacrifices all data on the drive. It will also corrupt any network volumes available.

"We felt that it was our responsibility as a member of the computing community to alert Internet users of this dangerous virus that is being distributed with our name on it. Even though we have nothing to do with the virus is it particularly disturbing for us to think that many of our loyal customers could be duped into believing that the software is ours," Cole explained.

Chinon is encouraging anyone who might have information that could lead to the arrest and prosecution of the parties responsible for CD-IT to call the company at 310-533-0274. In addition, the company has notified the major distributors of virus protection software, such as Symantec and McAfee Associates, so they may update their programs to detect and eradicate CD-IT.

(Linda Rohrbough/19940429/Press Contact: Rolland Going, The Terpin Group for Chinon, tel 310-798-7875, fax 310-798-7825; Public Contact: Chinon, CD-IT Information, 310-533-0274)

CIAC recommends that if you find a copy of the file CD-IT.ZIP, that you do not install it on your computer. If you have already installed and run the file, shut down your machine immediately. Check with your anti-virus vendor to see if they have a scanner/repair utility available. If not, boot from a clean, locked floppy. If you can still access your hard disk, backup any important files that were not included in your last backup, reformat the drive and restore it from your last backup.

CIAC is currently obtaining a copy of this Trojan from Chinon, and will make any new information about this Trojan available in a future copy of CIAC Notes.

CIAC would like to thank Chinon America for the information contained in this advisory and Brian Lev of NASIRC for forwarding it to us.


KAOS4 Virus

CIAC Information Bulletin Number E-32a: August 2, 1994 1600 PST

Problem: A new computer virus is preventing systems from booting.

Platform: All MS-DOS, PC-DOS, Windows systems.

Damage: May damage executable files and make systems unbootable.

Solution: Update your Anti-Virus program to detect/remove the virus.

Vulnerability Assessment: The KAOS4 virus is becoming widespread after being posted to a USENET newsgroup. The virus has been seen at multiple locations within the DOE community. The virus does not appear to be intentionally damaging, but does render systems unbootable until the system files can be replaced. Most current virus scanners must be revised to detect it.

Critical Information about the KAOS4 Virus

CIAC has received information that a new computer virus named KAOS4 was posted to a USENET newsgroup, which resulted in its wide distribution. Our research indicates the virus is not intentionally damaging, but it does tend to make systems unbootable until the virus is removed. Most virus scanners do not detect this virus without being updated, however most file change detectors should detect it now.

The most common symptom of an infection from this virus is that infected machines become unbootable. Unfortunately, that is a common symptom of many other problems, including hardware problems. If a machine has become unbootable from its hard disk, but can boot from a floppy, compare the size of COMMAND.COM with the original copy. If it has changed, suspect a virus. If you examine COMMAND.COM with a disk editor and find the text KAOS4 in the last sector, you know you have the KAOS4 virus.

The KAOS4 virus is a variant of the Vienna virus that has been extended to infect .EXE files as well as .COM files. The virus is direct acting (it runs once whenever an infected program is run) and randomly infects one .COM and one .EXE file every time it is run. It attacks COMMAND.COM first and then attacks other files. During our testing, it seemed to prefer the \DOS and the \NU (Norton Utilities) directories, but that may be coincidental.

The virus adds 697 bytes to the length of both .COM and .EXE files, but the modification date of the files does not change. The following text is in the clear in the last sector of an infected program file.

    KAOS4 / Kohntark

It is not detected by DDI's DataPhysician Plus version 4.0D or McAfee's SCAN version 116.
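The two manual checks this bulletin describes (compare the length of COMMAND.COM with a known-good copy, then look for the in-the-clear marker in the file's last sector) can be automated. The following is an added example written for this page, not CIAC or DDI code: it treats a program as a byte image, classifies it as infected when a known marker appears in the last 512-byte sector, as suspect when only the length differs from the known-good length, and as clean otherwise. The signature table is an illustration built from the values in this bulletin, and the sample images are constructed filler, not real DOS programs.

```python
SECTOR_SIZE = 512  # the sector granularity a DOS disk editor shows

# Known in-the-clear markers: virus name -> (marker bytes, bytes added per infection).
# The KAOS4 entry uses the values given in this bulletin; the table itself is an
# illustration, not a vendor signature database.
SIGNATURES = {
    "KAOS4": (b"KAOS4 / Kohntark", 697),
}


def last_sector(image: bytes) -> bytes:
    """Return the bytes of the image that lie in its final disk sector."""
    if not image:
        return b""
    start = ((len(image) - 1) // SECTOR_SIZE) * SECTOR_SIZE
    return image[start:]


def scan_image(image: bytes, known_good_size=None) -> dict:
    """Classify one program image.

    'infected': a known marker string is present in the last sector.
    'suspect' : no marker, but the length differs from the known-good length.
    'clean'   : neither check fired (this does not rule out other viruses).
    """
    delta = None if known_good_size is None else len(image) - known_good_size
    tail = last_sector(image)
    for name, (marker, growth) in SIGNATURES.items():
        if marker in tail:
            return {"verdict": "infected", "virus": name,
                    "size_delta": delta, "expected_growth": growth}
    if delta:
        return {"verdict": "suspect", "virus": None,
                "size_delta": delta, "expected_growth": None}
    return {"verdict": "clean", "virus": None,
            "size_delta": delta, "expected_growth": None}


def scan_file(path: str, known_good_size=None) -> dict:
    """Read a program file from disk and classify it."""
    with open(path, "rb") as fh:
        return scan_image(fh.read(), known_good_size)


# Constructed sample images (not real DOS binaries): a 'clean' program of
# filler bytes, the same program with 697 bytes appended whose tail carries
# the marker, and a copy that merely grew without any marker.
CLEAN_SAMPLE = b"\x90" * 3000
_MARKER = SIGNATURES["KAOS4"][0]
INFECTED_SAMPLE = CLEAN_SAMPLE + b"\x00" * (697 - len(_MARKER)) + _MARKER
GROWN_SAMPLE = CLEAN_SAMPLE + b"\x00" * 100

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE),
                       ("grown", GROWN_SAMPLE)):
        print(label, scan_image(img, len(CLEAN_SAMPLE)))
```

A "suspect" verdict is only the length check from this bulletin; as the text says, a changed COMMAND.COM should make you suspect a virus, and the marker confirms which one. A "clean" verdict means only that these two checks found nothing.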

A virus signature file is available from DDI named KAOS4.PRG that works with version 4.0C of DataPhysician Plus, giving it the capability to detect this virus.

NOTE: DO NOT use this file with version 4.0D of DataPhysician Plus; use it with version 4.0C instead. There is a problem with version 4.0D that prevents the user installed virus signature file from working correctly.

There are two ways to install the KAOS4.PRG file into the VirHUNT program in DataPhysician Plus: you can load it on the command line or you can install it with a program menu command. To start VirHUNT, and load the signature file on the command line, type the following at the DOS prompt:

    VIRHUNT USC:\DDI\KAOS4.PRG

This assumes that the KAOS4.PRG file is in the DDI directory on the C drive. If the file is stored somewhere else, change the path to point to the appropriate location. The file will be loaded into VirHUNT and VirHUNT can be used to scan any attached disks for the virus.

To load the file in a running version of VirHUNT, select the Options menu and the E: User specified search/remove command. In the dialog box that is displayed, type KAOS4.PRG. Include a path with the file name if the file is not in the default directory. You may now scan files like normal and if the KAOS4 virus is detected, it is reported as an "Unknown Virus". The signature file also contains sufficient information to remove the virus from an infected program, but programs should be replaced whenever possible.

The file KAOS4.PRG is available on the CIAC file servers. You can use anonymous FTP to ciac.llnl.gov (128.115.19.53) and find the file in the /pub/ciac/sectools/pcvirus directory. It can also be obtained from the CIAC BBS in the File Transfer:Downloads: PC Virus section.

A special version of McAfee's SCAN program named SCN-KAOS.ZIP is available that only removes the KAOS4 virus. It is available on the McAfee BBS (408-988-4004), Compuserve, or via anonymous FTP to mcafee.com.

A new version of the Norton Anti-Virus, Virus Definitions file is available to make NAV 3.0 detect and remove KAOS4. The file is 30a09b.zip and is available on the Symantec BBS (503-484-6669), and Compuserve.

CIAC wishes to thank Bill Kenny of DDI for so quickly getting us a signature file for this new virus.


Appendix: Protecting a PC Against New Viruses

Note: The following sections use the DataPhysician Plus package to illustrate how to apply the virus detection strategies. This package is used in these examples because the DOE has a site license for it, making it relevant to the CIAC constituency. There are many other packages available with similar capabilities.

With new viruses appearing almost weekly, it seems almost impossible to keep an up-to-date scanner available on every vulnerable machine. In the time it takes to distribute a new scanner, several new viruses are already in the wild. So how do you protect a machine against new viruses?

First, not all machines need to be protected. If a machine never shares floppy disks with anyone and never downloads an executable file (documents are OK) over a network, that machine is highly unlikely to ever encounter a new virus. While that machine should be scanned occasionally, the risk of virus infection does not warrant more extensive checking.

For the rest of us that do exchange files and executables, most current anti-virus programs have ways to protect against a new virus. Actually, there are two capabilities in most anti-virus programs to protect against new viruses: TSR (Terminate and Stay Resident) suspicious activity detectors and program change detectors.

A. Suspicious Activity Detectors

A suspicious activity detector is a small TSR program that is loaded into memory at boot time and then watches over a system for virus type activities. Suspicious activities include such things as writing to the boot blocks of a disk, changing or creating an executable file, or going memory resident. When such an activity occurs, the suspicious activity detector pauses the activity and displays a dialog box giving you the option of continuing the activity or halting it. Since some suspicious activity is normal, you must decide whether to stop or continue it. For example, copying an executable file creates a new executable file which sets off the alarm. Since this is a normal activity, you would allow it to continue. If, on the other hand, when you start up your word processor and the suspicious activity detector detects an attempt to change the executable for your spreadsheet program, you should prevent the activity from occurring, as this is not a normal activity for a word processor.

In the DataPhysician Plus package, available to all DOE sites, the suspicious activity detector is the VirALERT program. VirALERT is loaded as a device driver in your CONFIG.SYS file. Normally, the DataPhysician Plus installer program takes care of installing VirALERT for you. VirALERT has several options that set the type of suspicious activity to watch for. Each of the options is explained in the installer program. While you might think that you should set the options to detect all suspicious activity, that might not be a good idea. If the suspicious activity detector alarms all the time, you will probably start ignoring it and won't notice when a truly suspicious activity indicates a virus is present. A reasonable setup from the CONFIG.SYS file is the following:

    DEVICE=C:\DDI\VIRALERT.SYS TV Z=RESSCAN.COM, WIN-RS.COM

With this setup, VirALERT checks for any attempts to write an executable file; the T option watches for other TSR programs attempting to install themselves; the V option warns you when VirALERT is off; and the Z=... option ignores the TSR programs in RESSCAN.COM and WIN-RS.COM. In general, the installer does all this setup for you.

If you are performing an activity that sets off the suspicious activity detector, such as copying a directory full of executable files, you don't want to have to sit there pressing C (Continue) every time the dialog pops up. In this case, you can disable VirALERT by pressing I (Inactivate) to turn VirALERT off for the duration of this command. VirALERT automatically turns back on again when the command completes. You can also toggle VirALERT off by pressing Alt-V to see the VirALERT dialog, press the space bar until OFF appears and press Esc to continue. You must repeat this sequence to turn VirALERT back on again.

B. Program Change Detectors

A program change detector creates and stores a signature for some or all the executable files on your disk. Later, using the stored signatures, the program change detector can tell if any executable file has changed. In addition, most program change detectors store those parts of a program that are most often changed by a virus and can usually restore the program using those stored parts, even for a program infected with a new, unknown virus. Unlike a virus scanner that can be used after an infection has occurred, a program change detector requires some forethought. A program change detector must have a baseline program signature file in order to tell that a change has occurred. Thus, you must have run the scanner before an infection occurred to create that signature file.

The VirHUNT program in the DataPhysician Plus package contains both a virus scanner and a program scanner. The virus scanner searches for known viruses in your executable files, and the program scanner is the program change detector. The program scanner must be run once with the create new signature file option set to store the program signatures. It is then run later to scan for changes in the protected programs. The installer program does this initial scan for you if you request it.
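The program change detector described above, and the repair problem in the appendix of the Satan Bug bulletin (an appending virus displaces a small piece of the program's start and adds itself at the end), can both be shown in a few dozen lines. The following is an added example written for this page; it is not VirHUNT or any DataPhysician code. The baseline records each program's length, a SHA-256 digest, and its first 64 bytes; a later check reports changed, new, and missing programs; and repair puts the saved head back, cuts the file to its recorded length, and accepts the result only if the digest matches. The sample images are constructed (ORIGINAL stands in for a clean .COM file; INFECTED is what an appending infection of the kind the appendix describes leaves behind; OVERWRITTEN models a change the head-plus-truncate repair cannot undo).

```python
import hashlib
from typing import Dict, Optional

HEAD_BYTES = 64  # how much of each program's start to keep in the baseline


def _digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def make_baseline(files: Dict[str, bytes]) -> Dict[str, dict]:
    """Record length, SHA-256 and the first HEAD_BYTES of every program.

    Run this only on a disk you have already scanned and believe clean;
    otherwise an existing infection becomes part of the 'known-good' record.
    """
    return {name: {"size": len(img), "sha256": _digest(img), "head": img[:HEAD_BYTES]}
            for name, img in files.items()}


def check(baseline: Dict[str, dict], files: Dict[str, bytes]) -> dict:
    """Compare the programs now on disk with the baseline."""
    changed = sorted(n for n in files
                     if n in baseline and _digest(files[n]) != baseline[n]["sha256"])
    new = sorted(n for n in files if n not in baseline)
    missing = sorted(n for n in baseline if n not in files)
    return {"changed": changed, "new": new, "missing": missing}


def repair(entry: dict, image: bytes) -> Optional[bytes]:
    """Undo an appending infection using only the baseline record.

    Restores the saved head and truncates to the recorded length. Returns the
    rebuilt image only when its digest matches the baseline; returns None when
    the program changed in some other way (overwriting virus, legitimate
    update), in which case it must be replaced from backup.
    """
    if len(image) < entry["size"]:
        return None
    head = entry["head"]
    candidate = head + image[len(head):entry["size"]]
    return candidate if _digest(candidate) == entry["sha256"] else None


# Constructed test images (not real DOS programs).
ORIGINAL = b"\xb8\x00\x4c\xcd\x21" + bytes(range(256)) * 4
_APPENDED = b"\xee" * 300                      # stands in for the appended block
_JUMP = b"\xe9" + (len(ORIGINAL) - 3).to_bytes(2, "little")  # 3-byte jump to the end
INFECTED = _JUMP + ORIGINAL[3:] + _APPENDED     # head replaced, length grown
OVERWRITTEN = ORIGINAL[:200] + b"\x00" * 50 + ORIGINAL[250:]  # same length, body changed

if __name__ == "__main__":
    base = make_baseline({"PROG.COM": ORIGINAL, "UTIL.COM": ORIGINAL[::-1]})
    print(check(base, {"PROG.COM": INFECTED, "UTIL.COM": ORIGINAL[::-1], "NEW.EXE": b"MZ"}))
    print("repaired:", repair(base["PROG.COM"], INFECTED) == ORIGINAL)
    print("overwritten repairable:", repair(base["PROG.COM"], OVERWRITTEN) is not None)
```

The digest check is what keeps the repair honest: a baseline that stores only the head can rebuild an appending infection, but anything else fails verification and falls back to the advice given throughout these bulletins, which is to replace the file from a clean copy.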

As with virus scanners, a problem with a signature scanner is that it takes a lot of time to scan a hard disk. If the scanner is set up in the AUTOEXEC.BAT file to run every time a machine is booted, it extends the amount of time it takes to boot a machine. A large hard disk can take several minutes to scan, significantly trying a user's patience. Scanning the whole hard disk for viruses or for program changes every time you boot is probably unreasonable for all but the front door and open machines in your organization. A front door machine is one reserved by an organization specifically for scanning disks coming into an organization. Open machines are those made available for anyone to use and, because of their uncontrolled nature, are very susceptible to viruses.

A better strategy is to scan the whole hard disk at times convenient to the user (at night, at lunch, etc.) and to scan only a few particularly sensitive files at boot time. By always scanning those files most likely to be infected by a new virus, you should catch most new infections before they have gone very far. In most cases, the root directory of the C drive and the DOS directory are the most likely places for a new infection to occur. Of course, you should always scan any floppies brought into your area, including those in shrink-wrapped containers, and any new executable files copied onto your hard disk.

To use the program signature scanner in an efficient manner, you need to make two program signature scans: one of the whole hard disk and one of the directories you are going to scan at every boot. Before creating the program signature file, you must ensure that your disk is free from virus infections; otherwise the scanner will include the virus as part of the signature for a program. Assuming your disk is well scanned and as clean of infections as you can make it, perform the following steps to create the initial program signature file.

  1. Start VirHUNT.
  2. Execute the command: Options, F: Signature Mode, A: Set signature options, G: Create new signatures, and press Esc to return to the main menu.
  3. Execute the command: Options, A: Directory to scan.
  4. Type ALL in the dialog box and press Return.
  5. Open the Options menu and check that the command: D: Scan subdirectories is set to Yes.
  6. Open the Options menu and check that the command: B: Scan is set to Files, memory and boot.
  7. Execute the command: Scan and sit back while all the files are scanned and a signature file is created named VIRHUNT.SIG.
  8. When this process completes, you may want to save a copy of this signature file on a floppy disk.

You now need a second signature file for only those files you want to scan at every boot up.

With all the options set as in the steps above, perform the following steps.

  1. Execute the command: Options, A: Directory to scan.
  2. In the dialog box, type the directories you want to scan at every boot time and press return. For example, C:\ C:\DOS scans the root directory on the C drive and the DOS directory.
  3. Execute the command: Options, D: Scan subdirectories, which should toggle the option to No.
  4. Execute the command: Options, F: Signature Mode, A: Set signature options, G: Create new signatures, B: Set signature filename.
  5. In the dialog box that appears, type a file name for the program signature file such as VIRHUNT2.SIG, press return and then Esc to return to the main menu.
  6. Execute the Scan command and sit back while this small group of files is scanned and a second program signature file is created.

To actually do a signature scan, assuming nothing is set (the default), perform the following steps.
  1. Start VirHUNT.
  2. Execute the command: Options, F: Signature Mode, A: Set signature options, B: Scan, find New files.
  3. While still in the signature mode, execute the command: B: Set signature filename.
  4. In the dialog box that appears, type VIRHUNT2.SIG, press return and then Esc to return to the main menu. To scan all the files on the disk, instead of just the ones in C:\ and C:\DOS, use VIRHUNT.SIG as the filename instead of VIRHUNT2.SIG.
  5. Execute the command: Options, A: Directory to scan.
  6. In the dialog box, type C:\ C:\DOS. To scan the whole drive, change this to ALL.
  7. Open the Options menu and check that the command: D: Scan subdirectories is set to No. To scan the whole disk, set this to Yes.
  8. Open the Options menu and check that the command: B: Scan is set to Files, memory and boot.
  9. Execute the command: Options, E: User specified search/remove.
  10. In the dialog box that appears, type KAOS4.PRG and press return. This loads the virus signature file for the KAOS4 virus.
  11. Execute the command: Scan and sit back while all the files are scanned.
The program first does a virus scan for all the files in C:\ and C:\DOS directories and then does a program signature scan for all the files in the VIRHUNT2.SIG signature file. It checks the C:\ and C:\DOS directories and lists any new executable files found there.

If the new files are legitimate and you do not want an alarm every time you run a scan, create a new signature file for those directories as you did above.

To do the same run of VirHUNT every time the machine is booted, place the following command in the AUTOEXEC.BAT file.

    C:\DDI\VIRHUNT.EXE C:\ C:\DOS USC:\DDI\KAOS4.PRG SCN SFC:\DDI\VIRHUNT2.SIG LIC:\DDI\SCAN.OUT SISN QU

This command assumes that the files VIRHUNT.EXE, KAOS4.PRG, and VIRHUNT2.SIG are all in the C:\DDI directory. Started with this command, VirHUNT scans the C:\ and C:\DOS directories. The US option loads the KAOS4.PRG virus signature file. The SCN option sets scan subdirectories to No. The SISN option does a program signature scan and reports new files found. The QU option makes the program quit after it finishes a successful scan. The SF option sets the file name of the program signature file to use, and the LI option sets the file to use to store the results of the scan.
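What VirHUNT's program signature file does can be seen in a few lines of Python. The script below is an added illustration, not CIAC's text or DDI's code: it records the size and a SHA-256 digest of every executable in a list of directories, then on a later run reports executables that are new and, going beyond VirHUNT's "find new files" mode, ones that have changed or gone missing. The directory, file and signature-file names used in demo() are constructed for the walk-through.

```python
"""Program-signature scanner (added example, not VirHUNT).

Records size and SHA-256 of every executable in a list of directories, then
on later runs reports executables that are new, changed, or missing.
"""
import hashlib
import os
import tempfile

EXEC_SUFFIXES = (".com", ".exe", ".sys", ".bat")


def file_digest(path):
    """SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def executables(directories, recurse=False):
    """Absolute paths of executables in the directories; recurse mirrors 'Scan subdirectories'."""
    for d in directories:
        if recurse:
            for root, _dirs, files in os.walk(d):
                for name in sorted(files):
                    if name.lower().endswith(EXEC_SUFFIXES):
                        yield os.path.abspath(os.path.join(root, name))
        else:
            for name in sorted(os.listdir(d)):
                p = os.path.join(d, name)
                if os.path.isfile(p) and name.lower().endswith(EXEC_SUFFIXES):
                    yield os.path.abspath(p)


def create_signatures(directories, sig_path, recurse=False):
    """Write one 'size digest path' line per executable (the signature file)."""
    sigs = {p: (os.path.getsize(p), file_digest(p)) for p in executables(directories, recurse)}
    with open(sig_path, "w") as f:
        for p, (size, digest) in sorted(sigs.items()):
            f.write(f"{size} {digest} {p}\n")
    return sigs


def load_signatures(sig_path):
    """Read the signature file back into {path: (size, digest)}."""
    sigs = {}
    with open(sig_path) as f:
        for line in f:
            size, digest, path = line.rstrip("\n").split(" ", 2)
            sigs[path] = (int(size), digest)
    return sigs


def scan(directories, sig_path, recurse=False):
    """Compare the executables present now with the signature file."""
    known = load_signatures(sig_path)
    report = {"new": [], "changed": [], "missing": []}
    seen = set()
    for p in executables(directories, recurse):
        seen.add(p)
        if p not in known:
            report["new"].append(p)
        elif (os.path.getsize(p), file_digest(p)) != known[p]:
            report["changed"].append(p)
    report["missing"] = sorted(set(known) - seen)
    return report


def demo():
    """Walk-through on a constructed directory: sign, then tamper, then scan."""
    base = tempfile.mkdtemp()
    dos = os.path.join(base, "DOS")
    os.mkdir(dos)
    sig = os.path.join(base, "VIRHUNT2.SIG")
    with open(os.path.join(dos, "EDIT.COM"), "wb") as f:
        f.write(b"constructed program bytes")
    with open(os.path.join(dos, "FORMAT.COM"), "wb") as f:
        f.write(b"other constructed bytes")
    create_signatures([dos], sig)
    with open(os.path.join(dos, "EDIT.COM"), "ab") as f:   # file grows, as an appending virus makes it
        f.write(b"\x00" * 1168)
    with open(os.path.join(dos, "NEW.COM"), "wb") as f:    # an executable that was never signed
        f.write(b"unknown")
    os.remove(os.path.join(dos, "FORMAT.COM"))
    report = scan([dos], sig)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

Keep the signature file somewhere the scanned machine cannot quietly rewrite it (a locked floppy, in the bulletin's terms); a signature file that the same infected system can modify proves nothing.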

C. Dealing With Stealth Viruses

Stealth viruses are a special problem for virus scanners and program change detectors. A "good" stealth virus can hide its presence on a disk by diverting low level disk read requests to different sectors so that when a scanner examines a file, the file appears OK when in fact it is infected. However, a stealth virus cannot hide anything if it is not in memory. To defeat a stealth virus, boot the system using a clean, locked floppy. You can then use your scanner programs to find and remove any virus. If there is any chance that your scanner program on the hard disk is infected (it will usually tell you if it is), have another copy of the scanner on the clean, locked floppy to do your scanning with. If the scanner on your hard disk indicates that it was infected, be sure to shut down completely and reboot to get the virus out of memory.

Unfortunately, some virus infected hard drives cannot be mounted by a system without the virus in memory. Monkey is of this type. Because they move the partition table to a different place on the disk, the virus must be in memory in order to access the partition data so that the drive can be mounted. Luckily, most virus scanners know how to locate and remove these viruses.

Note that KAOS4 is not a stealth virus.


One_half Virus (MS-DOS)

CIAC Information Bulletin Number E-34: September 13, 1994 1600 PDT

Problem: A previously unknown computer virus is damaging systems.

Platform: All MS-DOS, PC-DOS, Windows systems, all versions.

Damage: Damages files, encrypts hard drive.

Solution: Update your Anti-Virus program to detect/remove the virus.

Vulnerability Assessment: While it is not epidemic, the virus has been seen at an East coast site and it isn't detected by the current versions of most virus scanners (revised versions are upcoming). The virus is intentionally damaging and all files on an infected machine are at risk. Warning: Removing the virus may make some files inaccessible (see below).

Critical Information about the One_half Virus

CIAC has received information about a new computer virus named One_half. The virus, first discovered in April 1994 and previously seen only in Europe, has been found at an East coast site in the United States. The virus is intentionally damaging and all files on an infected machine are at risk. Removal of the virus without first saving critical files could render those files unrecoverable (more below).

Symptoms

Symptoms of the infection include problems connecting to a file server, changes in file sizes, an inability to start Windows, an inability to boot a system and damaged files. If a suspicious activity detector, such as DDI's VirAlert program, is installed, it intercepts an attempt to write to the master boot record of a hard drive when an infected file is run. If the master boot record is already infected, VirAlert warns that system interrupt 21 is pointing to a non-existent block of memory when the system is booted.

Virus Morphology

When an infected file is run, the virus attacks the master boot record of the hard drive. It copies the original master boot record to a sector that is eight back from the end of the first track and modifies the master boot record to run the virus code. The remainder of the virus code is found in the last seven sectors of the first track on the hard disk. The following strings are in clear text in the virus code.
    Dis is one half.
    Press any key to continue ...
    Did you leave the room ?

The virus also contains the names of several prominent antivirus products:
    SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV

The virus is multipartite, infecting .COM and .EXE files as well as the master boot record. The virus adds 3544 bytes to .COM and .EXE files.

The virus is polymorphic and changes its appearance with every infection by inserting different do-nothing instructions between the actual commands in the virus code.

The virus is a stealth virus and actively hides the infection in the first track. With the virus in memory, any examination of the first track on the hard drive will see only the normal master boot record in the first sector and empty sectors for the rest of the track.

The virus is intentionally damaging. Every time an infected machine boots, the virus encrypts two cylinders of the DOS partition of the hard drive starting with the highest numbered cylinder and progressing to lower numbered ones. The virus then hides the fact that it is encrypting the hard drive by decrypting any of the encrypted sectors whenever they are accessed by the system. Only with the virus out of memory do you see the encrypted sectors.
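As an added illustration of the layout just described (it is not CHK_HALF and carries no real virus code), the Python below reads the first track of a raw disk image as 512-byte sectors, lists the sectors after the master boot record that are not empty, tests whether the sector eight back from the end of the track looks like a saved boot record (it ends in the 55AA signature), and searches the last seven sectors for the clear-text strings. The sample image is built in the script, and 63 sectors per track is an assumption; pass the real geometry for an actual image. The restore_mbr function puts the saved record back and clears the virus sectors, and does nothing about the encrypted cylinders.

```python
"""Track-0 inspection for the One_half layout (added example; not CHK_HALF).

Read the image only from a system booted clean: with the virus in memory the
stealth routine returns an empty track and the check finds nothing.
"""

SECTOR = 512
# Strings the bulletin reports in clear text inside the virus body.
ONE_HALF_STRINGS = [b"Dis is one half.",
                    b"Press any key to continue ...",
                    b"Did you leave the room ?"]


def track0(image, spt):
    """Split the first track (spt sectors of 512 bytes) into a list of sectors."""
    return [bytes(image[i * SECTOR:(i + 1) * SECTOR]) for i in range(spt)]


def inspect_track0(image, spt=63):
    """Report the signs described in the bulletin; spt = sectors per track (assumed 63)."""
    t = track0(image, spt)
    nonempty = [i + 1 for i in range(1, spt) if any(t[i])]   # CHS sector numbers (1-based)
    saved = t[spt - 8]                        # "eight back from the end of the first track"
    tail = b"".join(t[spt - 7:])              # "the last seven sectors of the first track"
    found = [s.decode() for s in ONE_HALF_STRINGS if s in tail]
    saved_is_mbr = saved[510:512] == b"\x55\xaa"
    return {
        "mbr_signature_ok": t[0][510:512] == b"\x55\xaa",
        "nonempty_sectors": nonempty,
        "saved_mbr_present": saved_is_mbr,
        "strings_found": found,
        "one_half_layout": saved_is_mbr and bool(found),
    }


def restore_mbr(image, spt=63):
    """Put the saved original MBR back in sector 1 and clear the virus sectors.

    This undoes only the boot-record change. It does not decrypt the
    cylinders the virus already encrypted; copy important files first.
    """
    t = track0(image, spt)
    t[0] = t[spt - 8]
    for i in range(spt - 8, spt):
        t[i] = bytes(SECTOR)
    return b"".join(t) + bytes(image[spt * SECTOR:])


def build_image(spt=63, infected=False):
    """Constructed one-track sample image; the 'virus' sectors hold only the strings."""
    mbr = bytearray(SECTOR)
    mbr[0:4] = b"\xfa\x33\xc0\x8e"          # arbitrary stand-in for boot code
    mbr[446:448] = b"\x80\x01"              # first partition entry: bootable flag
    mbr[510:512] = b"\x55\xaa"
    t = [bytes(mbr)] + [bytes(SECTOR)] * (spt - 1)
    if infected:
        loader = bytearray(SECTOR)
        loader[0:4] = b"\xea\x00\x7c\x00"   # stand-in for the virus loader stub
        loader[446:510] = mbr[446:510]      # partition table left intact so DOS still boots
        loader[510:512] = b"\x55\xaa"
        t[0] = bytes(loader)
        t[spt - 8] = bytes(mbr)             # original MBR parked eight sectors from the end
        body = b"\x00".join(ONE_HALF_STRINGS).ljust(7 * SECTOR, b"\x90")
        for k in range(7):
            t[spt - 7 + k] = body[k * SECTOR:(k + 1) * SECTOR]
    return b"".join(t)


if __name__ == "__main__":
    print(inspect_track0(build_image(infected=True)))
```

Take the image from a system booted off a clean, locked floppy with a sector-level copy tool; read with the virus resident, the track comes back as an empty-looking first track and the check reports nothing.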

Detection and Removal

Warning: Because of the encryption the virus does, be sure you copy any important files to a floppy disk or tape before removing the virus. The CHK_HALF program described below does not decrypt any encrypted cylinders, so when the virus is removed, the encryption key is lost with it and any files in the encrypted cylinders are lost.

DDI has made a detection/removal utility available named CHK_HALF. This program must be run from a machine that was booted with a KNOWN, CLEAN, LOCKED floppy to ensure that the virus is not in memory. When CHK_HALF is run, it scans the current drive and master boot record and removes any virus infections it finds. The utility does not scan memory first and will not work correctly with the virus in memory, so be sure the system was booted with a clean, locked floppy. The utility also does not decrypt any encrypted cylinders, so be sure to copy any important files before removing the virus.

  1. Save on a floppy disk or tape any irreplaceable files before attempting to scan or clean a system. If the files are in one of the encrypted sectors, the virus must be in memory for them to be retrieved. If any of these files are executables, be sure to scan them before putting them back on a cleaned machine.
  2. Boot your system with a clean, locked floppy to ensure the virus is not in memory.
  3. Run the CHK_HALF.EXE program to scan and remove the virus. Delete any files that CHK_HALF was not able to clean.
  4. Run a disk maintenance utility such as that included in Norton Utilities or PC Tools to locate and repair damaged directory structures and files caused by encryption of the cylinders and by the bug in the virus.
  5. Replace any damaged or missing files on the system.
The file CHK_HALF.ZIP is available on the CIAC file servers. Use anonymous FTP to connect to ciac.llnl.gov (128.115.19.53) and find the file in the /pub/ciac/sectools/pcvirus directory. The CRC-32 checksum from pkzip for the file is: e02bf70a, and its expanded file length is 14,024 bytes.

Version 4.0E of the Department of Energy's site licensed antiviral product, Data Physician Plus!, will be available the week of Sept. 12, 1994 and will detect and remove this virus. Other antivirus software that detects this virus includes Dr. Solomon's Antivirus Toolkit version 6.65 (currently available), Norton's AntiVirus October 1 monthly update, McAfee Scan version 2.11 (scheduled to ship in mid-September), and F-PROT version 2.14a (scheduled for the end of September).

CIAC wishes to thank Bill Kenny of DDI for spending his Labor day weekend laboring to write a detection/removal package for this virus so we would have it on Tuesday morning.


AOLGOLD Trojan Program

CIAC Information Bulletin Number G-03: November 16, 1995 1300 PST
Changed by: Paul S. Mauvais, 16-Nov-1995

Problem: A trojan program is being distributed around America Online and other networks called AOLGOLD.ZIP.

Platform: DOS-based PCs

Damage: When the INSTALL.EXE program is executed, most files on the user's C: drive are deleted.

Solution: See the descriptions below

Vulnerability Assessment: Users who download the AOLGOLD.ZIP or INSTALL.EXE trojaned programs, and who unpack, and execute them may destroy files on their DOS C: drive.

Information on the AOLGOLD Trojan Program

The AOLGOLD Trojan program was recently discovered on America Online (AOL). Notice about the Trojan has been circulated to all America Online subscribers. Notice about the Trojan and a copy of the Trojan program were supplied to CIAC by Doug Bigelow, who is on the staff of America Online.

Apparently, an e-mail message is being circulated that contains an attached archive file named AOLGOLD.ZIP. A README file that is in the archive describes it as a new and improved interface for the AOL online service. Note that there is no such program as AOLGOLD. Also, simply reading an e-mail message or even downloading an included file will not do damage to your machine. You must execute (or run) the downloaded file to release the Trojan and have it cause damage.

If you unzip the archive, you get two files: INSTALL.EXE and README.TXT. The README.TXT file again describes AOLGOLD as a new and improved interface to the AOL online service. The INSTALL.EXE program is a self-extracting ZIP archive. When you run the install program, it extracts 18 files onto your hard drive:

    MACROS.DRV
    VIDEO.DRV
    INSTALL.BAT
    ADRIVE.RPT
    SUSPEND.DRV
    ANNOY.COM
    MACRO.COM
    SP-NET.COM
    SP-WIN.COM
    MEMBRINF.COM
    DEVICE.COM
    TEXTMAP.COM
    HOST.COM
    REP.COM
    EMS2EXT.SYS
    EMS.COM
    EMS.SYS
    README.TXT

This file list includes another README.TXT file. If you examine the new README.TXT file, it starts out with "Ever wanted the Powers of a Guide" and continues with some crude language. The README.TXT file indicates that the included program is a guide program that can be used to kick other people off of AOL.

If you stop at this point and do nothing but examine the unzipped files with the TYPE command, your machine will not be damaged. The following three files contain the Trojan program:

    MACROS.DRV

    VIDEO.DRV

    INSTALL.BAT

The rest of the files included in the archive appear to have been grabbed at random to simply fill up the archive and make it look official.

The Trojan program is started by running the INSTALL.BAT file. The INSTALL.BAT file is a simple batch file that renames the VIDEO.DRV file to VIRUS.BAT and then runs it. VIDEO.DRV is an amateurish DOS batch file that starts deleting the contents of several critical directories on your C: drive, including:

    c:\
    c:\dos
    c:\windows
    c:\windows\system
    c:\qemm
    c:\stacker
    c:\norton

It also deletes the contents of several other directories, including those for several online services and games, such as:
    c:\aol20
    c:\prodigy
    c:\aol25
    c:\mmp169
    c:\cserve
    c:\doom
    c:\wolf3d

When the batch file completes, it prints a crude message on the screen and attempts to run a program named DoomDay.EXE. Bugs in the batch file prevent the DOOMDAY.EXE program from running. Other bugs in the file cause it to delete itself if it is run from any drive but the C: drive. The programming style and bugs in the batch file indicate that the Trojan writer has little programming experience.
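The advice to inspect the unpacked files with TYPE before running anything can be automated. The Python below is an added example (not part of the bulletin) that parses a DOS batch file without executing it: it follows a "ren X Y.BAT" that is later called, lists del/erase/deltree/format lines, and collects the directories they target, which is the list you need for the undelete pass described under Recovery. The two sample batch texts are constructed in the style the bulletin describes; they are not the actual AOLGOLD files.

```python
"""Static triage of DOS batch files, without executing them (added example).

Parses each command line, follows 'ren X Y.BAT' followed by a call of Y.BAT,
and lists the directories that del/erase/deltree/format lines would hit.
"""
import ntpath

DESTRUCTIVE = {"del", "erase", "deltree", "format", "rd", "rmdir"}
RUNNABLE = (".bat", ".com", ".exe")

# Constructed samples in the style the bulletin describes; not the real AOLGOLD files.
SAMPLE_INSTALL_BAT = """@echo off
ren VIDEO.DRV VIRUS.BAT
call VIRUS.BAT
"""

SAMPLE_VIDEO_DRV = """@echo off
echo Installing ...
echo y | del c:\\*.*
echo y | del c:\\dos\\*.*
echo y | del c:\\windows\\*.*
echo y | del c:\\aol25\\*.*
echo all done
DoomDay.EXE
"""


def commands(batch_text):
    """Yield (verb, args) per line; '@' prefixes, REM lines and 'echo y | cmd' pipes are handled."""
    for raw in batch_text.splitlines():
        line = raw.strip().lstrip("@").strip()
        if not line or line.lower().startswith("rem ") or line.startswith("::"):
            continue
        line = line.split("|")[-1].strip()        # 'echo y | del ...' -> examine 'del ...'
        parts = line.split()
        verb, args = parts[0].lower(), parts[1:]
        if verb == "call" and args:                # 'call X.BAT args' runs X.BAT
            verb, args = args[0].lower(), args[1:]
        yield verb, args


def triage(batch_text):
    """Summarise what a batch file would do if run."""
    renamed = {}                                   # new name (lower-cased) -> original name
    report = {"rename_then_run": [], "destructive": [], "executes": []}
    for verb, args in commands(batch_text):
        if verb in ("ren", "rename") and len(args) == 2:
            if args[1].lower().endswith(RUNNABLE):
                renamed[args[1].lower()] = args[0]
        elif verb in DESTRUCTIVE:
            report["destructive"].append((verb, args[0] if args else ""))
        elif verb in renamed:
            report["rename_then_run"].append((renamed[verb], verb))
        elif verb.endswith(RUNNABLE):
            report["executes"].append(verb)
    return report


def targeted_directories(report):
    """Directories touched by the destructive commands, for the undelete pass later."""
    dirs = set()
    for verb, target in report["destructive"]:
        if not target:
            continue
        if verb in ("rd", "rmdir", "deltree"):     # the argument itself is the directory
            d = target
        else:                                      # del c:\dos\*.* -> c:\dos
            d = ntpath.dirname(target) or target
        dirs.add(d.lower())
    return sorted(dirs)


if __name__ == "__main__":
    print(triage(SAMPLE_INSTALL_BAT))
    payload = triage(SAMPLE_VIDEO_DRV)
    print(payload, targeted_directories(payload))
```

Run it on the unpacked INSTALL.BAT and on any file it renames and calls; a batch file that renames a ".DRV" to ".BAT" and runs it is reason enough to stop there.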

Recovery

**WARNING** Do not copy any files onto your hard disk before trying to recover your hard drive.

The files are deleted with the DOS del command, and can be recovered with the DOS undelete command. The files are still on your disk, only the directory entries have been removed. If you copy any new files onto your hard disk, they will likely be written over the deleted files, making it impossible to recover the deleted files.

If you have delete protection installed on your system, recovery will be relatively easy. If not, the DOS undelete command can be used, but you will have to supply the first letter of each file name as it is recovered. In many cases, you will probably want to restore the directories by reinstalling them from the original installation disks, but do that last. You must recover any irreplaceable files first using undelete and then replace any others by copying or reinstalling them from the distribution disks.

To recover the system:

  1. Boot the system with a clean, locked floppy containing the recovery program for the recovery files you have installed, or the DOS UNDELETE.EXE program if you do not have recovery files installed.
  2. Use the TYPE command to display the VIRUS.BAT file and get a list of the directories the Trojan tried to delete. Ignore any directories that don't exist on your machine.
  3. Run the recovery program and recover your files. You may have to help it find the recovery files, such as MIRROR, which will be in the root directory. You may have to recover the MIRROR file first and then use it to recover the other files.
  4. If you are using only the DOS undelete command, type:

        undelete directory

     where directory is the name of the directory to examine. To undelete the files in the dos directory, use:

        undelete c:\dos

     The undelete program will present you with a list of deleted files with the first letter replaced with a question mark. Without delete protection, you will have to supply this letter in order to undelete the file.

  5. After you have restored as many files as you want or can using the UNDELETE command, replace any others by reinstalling them using the original installation disks.
The Operations staff at America Online has released the following bulletin to their users:

--BEGIN MESSAGE--

Dear Member:

As you know, we strive to keep you informed on various issues regarding online safety.

We want to take this opportunity to remind you about potential computer viruses and Trojan horses and how to protect your computer. First, a virus is a program that is designed to spread and usually attaches itself to a program with the goal of spreading to other computers. A Trojan horse is a program that is intended to corrupt your computer but has to be activated before it can be executed. For example, a Trojan horse can be distributed as an attached file to an email but the file has to be downloaded and executed before harm is done.

If you receive email from unknown senders with an attached file, it is a good rule of thumb not to download the files. In addition, if you ever receive a file in email you believe could cause problems, please forward it immediately to TOSEMAIL1, and explain your concerns to our Terms of Service staff.

We have received recent inquiries regarding a Trojan horse that is sent as an attached file in an email message entitled "AOLGOLD" and "Install.exe". It is important to understand that no virus or Trojan horse can be passed along by simply reading email. However, we strongly urge that if you receive email with an attached file with this name not to download it.

Due to the private nature of electronic mail, we cannot scan files in email for viruses as we do with files in public areas of the service.

We have never had an occurrence of a virus or Trojan horse being spread through simply reading email. In order for one to spread to your computer, you would have to proactively select the attached file and download it to your hard drive. It is therefore advisable never to download attached files from an unknown sender.

AOL incorporates virus protection throughout the service and scans all posted software, text, and sound files in public areas. We also offer our members the Virus Information Center on AOL where you'll find information about the latest virus or Trojan horse, along with updates to all the popular commercial, shareware, and freeware anti-virus tools. Keyword: VIRUS.

Thank you for taking an active role in maintaining a safe online environment.

Sincerely,
AOL Operations Staff

--END MESSAGE--

CIAC wishes to thank the staff of America Online, especially Mr. Don Bigelow for their assistance in providing the information necessary to prepare this bulletin.


Winword Macro Viruses

CIAC Information Bulletin Number G-10a: February 8, 1996 18:00 GMT
Changed by: Bill Orvis, 8-Feb-1996

Problem: Word macro viruses are no longer an isolated threat but a significant hazard to the information on a computer.

Platform: Any platform that can run Microsoft Word 6.0 or later: Windows 3.1, WFW 3.11, Win 95, Windows NT, and Macintosh.

Damage: Files can be deleted and may not be recoverable.

Solution: Scan all new Word documents before opening them in the same way that you now scan all executable files before running them. Install version 2 of the Microsoft macro virus detection tool.

Vulnerability Assessment: The vulnerability of systems to this type of virus is high, because most users are not in the habit of scanning documents. Documents are much more mobile than executable files in an organization, passing from machine to machine as different people write or edit them.

Critical Information Concerning Winword Macro Viruses

CIAC has obtained information about six macro viruses currently in the wild, five of which infect Microsoft Word 6.0 documents, and one that infects an Excel worksheet. Two of these viruses are damaging. This bulletin describes these viruses.

WARNING: The new macro viruses are not detected by the original protection macro available from Microsoft, which only detects Concept (scan831.dot, see CIAC Notes 95-12). A new protection program is available from Microsoft, and most anti-virus scanner developers are adding macro virus detection to their products. The new Microsoft scanner is available from Microsoft at: with a description available at: The files are also available from the CIAC archive.

WARNING: The new macro virus detector from Microsoft only scans files if they are opened with the File-Open command in Word and not if they are opened by double-clicking the document or by selecting the document from the recent documents list at the bottom of the File menu. You must use the File-Open command to activate the protection.

What Are Macro Viruses?

A macro virus is a piece of self-replicating code written in an application's macro language. Many applications have macro capabilities such as the automatic playback of keystrokes available in early versions of Lotus 1-2-3. The distinguishing factor which makes it possible to create a virus with a macro is the existence of auto-execute macros in the language. An auto-execute macro is one which is executed in response to some event and not in response to an explicit user command. Common auto-execute events are opening a file, closing a file, and starting an application. Once a macro is running, it can copy itself to other documents, delete files, and create general havoc in a person's system. These things occur without the user explicitly running the macro.

In Microsoft Word there are three types of hazardous, auto-executing macros: auto-execute macros, auto-macros, and macros with command names. There is one auto-execute macro in Word named AutoExec. If a macro named AutoExec is in the "normal.dot" template or in a global template stored in Word's startup directory, it is executed whenever Word is started. The only way to disable the execution of AutoExec is to insert the flag /m in the command line used to start Word.

The second type of dangerous macros are auto-macros.

    Name         Runs when you
    ------------------------------------
    AutoNew      create a new document.
    AutoOpen     open a document.
    AutoClose    close a document.
    AutoExit     quit Word.

The auto-macros can be disabled by executing the Word.Basic command "DisableAutoMacros" in a macro. Note that the example in Word's online help of executing this command in the command line when starting Word does not work. The command must be executed in a macro. Auto-macros are also disabled by holding down the shift key while opening a document.

The third type of dangerous macros are those named for an existing Word command. If a macro in the global macro file or in an attached, active template has the name of an existing Word command, the macro command replaces the Word command. For example, if you create a macro named FileSave in the "normal.dot" template, that macro is executed whenever you choose the Save command on the File menu. There is no way to disable this feature.

Macro viruses spread by having one or more auto-execute macros in a document. By opening or closing the document or using a replaced command, you activate the virus macro. As soon as the macro is activated, it copies itself and any other macros it needs to the global macro file "normal.dot". After they are stored in normal.dot they are available in all opened documents.

At this point, the macro viruses try to spread themselves to other documents, usually by including an AutoClose macro that attaches the virus macros to the document and saves it. The macro viruses that cause damage contain a trigger that starts the damage routines and those routines do the actual damage. The trigger is some event that the virus writer has programmed his virus to watch for such as a date or the number of days since the infection occurred.

An important point to make here is that Word documents (.DOC files) cannot contain macros; only Word templates (.DOT files) can contain macros. However, it is a relatively simple task to mask a template as a document by changing the file name extension from .DOT to .DOC.

DMV (Word) Macro Virus

The DMV (Demonstration Macro Virus) virus was originally described in the paper "Document Macro Viruses" by Joel McNamara who conveniently infected the document containing the paper with the virus so the reader could experience it first hand. The virus itself is simply an example of how such a virus could be implemented and does not attempt to hide itself at all. The virus is not harmful and is relatively simple to remove using the Tools Macro command in Microsoft Word (See below). The virus installs a single macro named AutoClose onto the "normal.dot" global macro file. The AutoClose macro infects all new documents when they are closed. The macro does no damage other than to spread itself. When the macro runs, it displays numerous dialog boxes telling you what it is doing, making it obvious if you are infected.

DMV (Excel) Macro Virus

The Excel version of the DMV macro virus works the same as the Word version but uses the Visual Basic for Applications language built into Excel. The Excel document contains a macro sheet which implements an AutoClose macro. When you close the file, the macro is activated and copies itself to Excel's global macro file. When other worksheets are closed, the macro attaches itself to them as well.

Concept (Prank) Macro Virus

The Concept macro (alias Prank) is similar to the DMV macro virus in that it is a demonstration that a macro virus can be created. A document infected with the Concept virus contains the macros:
    AAAZAO     AutoOpen
    AAAZFS     Payload

When an infected file is opened the AutoOpen macro is run and copies the virus files to the global macro file. During the copying process, it changes the name of AAAZFS to FileSaveAs. Whenever a document is saved, the FileSaveAs command copies the virus macros into it and saves it. The AAAZAO macro becomes the AutoOpen macro on the saved document file. The Payload macro does nothing. The first time the macro runs a dialog box appears with the single digit "1" contained in it.

Nuclear Macro Virus

A document infected with the Nuclear macro virus contains nine macros:
    AutoExec        AutoOpen        DropSuriv
    FileExit        FilePrint       FilePrintDefault
    FileSaveAs      InsertPayload   Payload

All of these are copied to the global macro file when an infected document is opened. When any document is saved, the virus copies all the macros onto it and saves it. Printing a document during the last 5 seconds of any minute causes the following text to appear at the top of the printed page:
    "And finally I would like to say:"

    "STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!"

After April 5th, it attempts to delete your system files but fails because of a bug in the virus. The virus also attempts to infect a system with the Suriv binary virus, but fails again because of a bug.

Colors Macro Virus

A document infected with the Colors virus contains the following eight macros:
    AutoClose        AutoExec        AutoOpen
    FileExit         FileNew         FileSave
    FileSaveAs       ToolsMacro

The virus changes many of the menu items to make it difficult to delete. For example, it effectively removes the Tools Macro command so you can't use that command to list or delete the macros in a document.

After being accessed 300 times, Colors activates and randomly changes the system colors in the win.ini file making the screen look strange.

FormatC Macro Virus

The FormatC macro virus consists of a single macro named AutoOpen. Opening an infected document causes this macro to run, and the macro copies itself to the global macro file. If the virus's payload is activated, it attempts to format the C: drive.

WARNING: The format command in most modern versions of DOS can be reversed. If this virus strikes, get some knowledgeable help before doing anything to your system. Don't do anything that might write something on the hard drive until you get knowledgeable help. You may need only boot from a floppy and run unformat to recover the whole drive. What you do depends on what utility programs (Norton Utilities, PCTools, and so forth) you have installed on your system.

Wordmacro/Hot

A new Word macro virus just appeared in the wild named Wordmacro/Hot and it is destructive. The Wordmacro/Hot virus attaches itself like the others, adding macros to documents and to the "normal.dot" global macro file. New documents are infected when they are saved. After about 14 days, the virus deletes the contents of any document as you open it and does a save which effectively wipes out the document. It is unlikely that you will be able to recover the contents of a file deleted in this way unless you have Make Backup turned on. Don't start opening the backup copies before cleaning the virus, because it will clear the contents of every document you open while it is active.

An infected document contains the following macros:

    AutoOpen     DrawBringInFrOut     InsertPBreak     ToolsRepaginat

When the virus infects the Word program, these macros are copied to "normal.dot" and renamed in the same order to:
    StartOfDoc   AutoOpen             InsertPageBreak  FileSave

The virus adds the item: "OLHot=nnnnn" to the winword.ini file where nnnnn is a date 14 days in the future. The virus uses this date to determine when it is going to trigger. The virus also checks for the existence of the file: "c:\dos\ega5.cpi" and does not infect a machine if the file exists. This was apparently a feature to protect the virus writer.

Detecting A Macro Virus

Document files must now be treated in the same manner as executables in terms of virus protection. If you don't know where a Word document has been, scan it before opening it with Word. Most anti-virus scanners have been modified to detect macro viruses in Word documents, so use those scanners to check any new documents that have been copied onto your machine. For example, version 2.21 of the shareware version of F-Prot detects all but the FormatC and Hot viruses.

Microsoft has released a new version of its macro virus protection program (see below) that checks all Word documents as you open them with the File-Open command and tells you if they contain a macro or not. It can only detect the Concept virus by name, but any document with a macro attached should be considered suspect.

You can use the Organizer dialog box (see below) to check for strange macros attached to your documents. The Organizer can open a document in the background (without running any attached macros) and let you see what macros are attached to it. You can also use it to delete macros from a document.

You can watch for virus activity when opening or saving a document, but it is generally preferable to detect a virus before it gets installed. If you have already opened a document that you suspect has a virus, use the Tools Macro command to see a list of the macros attached to Word. If you can't open the Macro dialog box, try the Organizer dialog box instead.
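To put the macro names listed above to use, here is an added Python example (not Microsoft's protection template nor any vendor's scanner). It pulls alphanumeric strings out of a Word 6/7 file, flags the auto-macro and replaced-command names, and matches the distinctive name sets the bulletin gives for Concept, Nuclear, Colors and Hot. It assumes macro names are stored as plain 8-bit strings in the file, which is the case for Word 6/7 templates but not a guarantee for other formats; the sample input is constructed in the script.

```python
"""Heuristic macro-name scan for Word 6/7 files (added example; not Microsoft's
scanner). Assumes macro names appear as plain 8-bit strings inside the file,
as in Word 6/7 templates. A triage aid, not a replacement for a real scanner.
"""
import re

# Macros Word runs without an explicit command (from the bulletin).
AUTO_MACROS = {"AutoExec", "AutoNew", "AutoOpen", "AutoClose", "AutoExit"}
# Command names that the bulletin's viruses replace.
COMMAND_MACROS = {"FileSave", "FileSaveAs", "FileOpen", "FileNew", "FileExit",
                  "FilePrint", "FilePrintDefault", "ToolsMacro", "InsertPageBreak"}
# Distinctive macro names per family, taken from the bulletin's lists. DMV and
# FormatC use only generic auto-macro names and cannot be told apart this way.
FAMILIES = {
    "Concept": {"AAAZAO", "AAAZFS"},
    "Nuclear": {"DropSuriv", "InsertPayload"},
    "Colors": {"AutoClose", "AutoExec", "AutoOpen", "FileExit", "FileNew",
               "FileSave", "FileSaveAs", "ToolsMacro"},
    "Hot": {"DrawBringInFrOut", "InsertPBreak", "ToolsRepaginat"},
}
NAME_RE = re.compile(rb"[A-Za-z][A-Za-z0-9]{2,30}")


def candidate_names(data):
    """All alphanumeric runs in the file that could be a macro name."""
    return {m.group().decode("ascii") for m in NAME_RE.finditer(data)}


def scan_document(data):
    """Classify a file's bytes: auto-macros, replaced commands, and known families."""
    names = candidate_names(data)
    auto = sorted(AUTO_MACROS & names)
    cmds = sorted(COMMAND_MACROS & names)
    families = sorted(f for f, sig in FAMILIES.items() if sig <= names)
    return {"auto_macros": auto, "command_macros": cmds,
            "families": families, "suspect": bool(auto or cmds)}


def scan_file(path):
    """Scan a document or template on disk without opening it in Word."""
    with open(path, "rb") as f:
        return scan_document(f.read())


def constructed_template(macro_names):
    """Fake file body carrying macro names as length-prefixed strings (constructed, not a real .DOT)."""
    blob = bytearray(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
    for n in macro_names:
        blob += bytes([len(n)]) + n.encode("ascii") + b"\x00"
    return bytes(blob)


if __name__ == "__main__":
    print(scan_document(constructed_template(["AAAZAO", "AAAZFS", "Payload", "AutoOpen"])))
```

A hit on a name like AutoOpen can also come from the document's text, so treat the result as a reason to look at the file with the Organizer, not as proof. DMV and FormatC use only generic auto-macro names and are reported as suspect rather than by family.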

Protecting A System From Macro Viruses

A feature of Microsoft's products is that automatic execution of auto-macros and auto-execute macros is enabled by default. In fact, it is difficult to turn off. This is a problem in protecting against macro viruses.

Currently, the best protection is to install Microsoft's macro virus protection template. The template is available directly from Microsoft's web site or from the CIAC archive. A description of the scanner is available at:

and the scanner itself is available at: If you don't find these files at microsoft.com, it could be that the scanner has been revised again. In that case, connect to: and use the search command to search for "macro virus".

WARNING: The new macro virus detector from Microsoft only scans files if they are opened with the File-Open command in Word and not if they are opened by double-clicking the document or by selecting the document from the recent documents list at the bottom of the File menu. You must use the File-Open command to activate the protection.

To install the macro virus protection, simply open the template file with Word and follow the instructions. The macros automatically install themselves in your global macro file (just like the virus). A protected version of Word should have the following four macros attached to the "normal.dot" file:

    AutoExit     FileOpen     InstVer    ShellOpen

FileOpen calls ShellOpen whenever a document is opened. ShellOpen checks each newly opened document to see if it has any macros attached. If there are macros in the document that is being opened, ShellOpen displays a dialog box giving you the choice to open the document anyway, remove the macros and open it, or cancel the open command.

If, for some reason, you can't use Microsoft's protection macro, you can disable auto-macros. You have three options:

  1. Disable the auto-macros.
  2. Disable the auto-macros and the auto-execute macro.
  3. Hold down Shift whenever you open a file to disable the AutoOpen macro.
To disable auto-macros, create the following macro named AutoExec in the global macro file (normal.dot). A WordBasic macro body starts with "Sub MAIN" and ends with "End Sub".
    Sub MAIN
       DisableAutoMacros 1
       MsgBox "Auto-macros are disabled."
    End Sub

All auto-macros are disabled but a virus could still infect a system if it is activated by a command that replaces a normal command.

To disable auto-macros and the auto-execute macro, create the following macro in the global macro file (normal.dot) and name it "DisableMyAutoMacros".

    Sub MAIN
       ' Started via the /m switch rather than as AutoExec, which that
       ' switch suppresses; 1 disables the auto-macros for the session
       DisableAutoMacros 1
       MsgBox "Auto-macros are disabled."
    End Sub

In the Program Manager or the Explorer in Windows 95, select the Word icon and choose the Properties command on the File menu. Add the following switch to the command line for Word.
    /mDisableMyAutoMacros

This switch suppresses the AutoExec macro and runs the DisableMyAutoMacros procedure when Word starts. Again, it does not stop a macro that carries the name of a built-in command from replacing that command. It also only takes effect when Word is started from the Word icon: if you start Word by double clicking on a document, the switch is not passed, and the DisableMyAutoMacros procedure does not run.

When you hold down the Shift key while opening or double clicking a document, the AutoOpen macro is prevented from running. Other auto-macros may still run so you must check for a virus before doing anything else.

WARNING: The three methods of disabling auto-macros and the auto-execute macro do not fully protect you from a virus. While they prevent the auto-execute and auto-macro commands from running, they do not prevent any macros named the same as commands from replacing those commands. Any virus that uses replaced commands to initiate an infection will not be stopped. Only an external scanner or the Microsoft template will detect a document containing macros before it is opened.
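The "external scanner" mentioned in the warning above, as an added example that is not part of the CIAC bulletin or of Microsoft's template: a Python script that inspects a Word binary file at the container level, without ever opening it in Word. It parses the OLE2 compound-file directory (the structure Word 6 and later use for .doc and .dot files), lists the storages and streams, reads the File Information Block at the head of the WordDocument stream and reports whether the template flag (fDot) is set, since a Word 6/95 macro virus travels in a document that has been saved as a template, and flags a "Macros" storage, which is where later (VBA) versions of Word keep macros. The function names, the wording of the findings and the sample files (constructed by build_sample, not real Word output) are this example's own; the format constants (wIdent 0xA5DC with nFib 101 for Word 6, fDot as bit 0 of the FIB flag word, the 4096-byte mini-stream cutoff) come from the Word and compound-file binary formats.

```python
import struct

OLE_SIG = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
STORAGE, STREAM, ROOT = 1, 2, 5


def ole_directory(data):
    """Parse header, FAT and directory: ({name: (type, start_sector, size)}, fat, sector_size)."""
    if data[:8] != OLE_SIG:
        raise ValueError("not an OLE2 compound file")
    sec = 1 << struct.unpack_from("<H", data, 0x1E)[0]        # 512 (v3) or 4096 (v4)
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)              # FAT sector numbers kept in the header
    fat = []
    for s in difat[:n_fat]:
        fat += struct.unpack_from("<%dI" % (sec // 4), data, (s + 1) * sec)
    entries, s, seen = {}, first_dir, set()
    while s != ENDOFCHAIN:                                       # walk the directory sector chain
        if s in seen or s >= len(fat):
            raise ValueError("corrupt directory chain")
        seen.add(s)
        base = (s + 1) * sec
        for i in range(sec // 128):                              # 128-byte directory entries
            e = data[base + i * 128:base + (i + 1) * 128]
            name_len, etype = struct.unpack_from("<HB", e, 0x40)
            if etype == 0 or name_len < 2:
                continue                                         # unallocated slot
            name = e[:name_len - 2].decode("utf-16-le")          # drop the UTF-16 terminator
            start, size = struct.unpack_from("<IQ", e, 0x74)
            entries[name] = (etype, start, size)
        s = fat[s]
    return entries, fat, sec


def read_stream(data, fat, sec, start, size):
    """Collect a stream stored in regular sectors by following its FAT chain."""
    out, s = b"", start
    while s != ENDOFCHAIN and len(out) < size:
        out += data[(s + 1) * sec:(s + 2) * sec]
        s = fat[s]
    return out[:size]


def fib_base(word_stream):
    """FIB base fields at the start of WordDocument. wIdent 0xA5DC with nFib 101/104
    is Word 6/95; bit 0 of the flag word is fDot (the file is a template)."""
    w_ident, n_fib, _, _, _, bits = struct.unpack_from("<6H", word_stream, 0)
    return {"wIdent": w_ident, "nFib": n_fib,
            "fDot": bool(bits & 0x0001), "fEncrypted": bool(bits & 0x0100)}


def scan(data, filename=""):
    """Container-level macro check: nothing in the file is executed."""
    entries, fat, sec = ole_directory(data)
    cutoff = struct.unpack_from("<I", data, 0x38)[0]             # mini-stream cutoff (normally 4096)
    report = {"entries": sorted(entries), "findings": []}
    if entries.get("Macros", (None,))[0] == STORAGE:
        report["findings"].append("VBA 'Macros' storage present")
    wd = entries.get("WordDocument")
    if wd is None:
        report["findings"].append("no WordDocument stream: not a Word binary file?")
        return report
    etype, start, size = wd
    if size < cutoff:                                            # mini stream not implemented here
        report["findings"].append("WordDocument lives in the mini stream: FIB not checked")
        return report
    fib = report["fib"] = fib_base(read_stream(data, fat, sec, start, size))
    if fib["fDot"] and not filename.lower().endswith(".dot"):
        report["findings"].append("template flag (fDot) set on a non-.dot file: macros may be attached")
    if fib["fEncrypted"]:
        report["findings"].append("document is encrypted: content cannot be inspected")
    return report


def build_sample(fdot, with_vba=False):
    """CONSTRUCTED test file, not a real Word document: sector 0 = FAT, sector 1 =
    directory, sectors 2-9 = an 8-sector WordDocument stream holding a Word 6 FIB."""
    word = struct.pack("<6H", 0xA5DC, 101, 0, 0x0409, 0, 1 if fdot else 0).ljust(4096, b"\0")
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 10)) + [ENDOFCHAIN]
    fat += [FREESECT] * (128 - len(fat))

    def entry(name, etype, right=NOSTREAM, child=NOSTREAM, start=0, size=0):
        n = name.encode("utf-16-le") + b"\0\0"
        return (n.ljust(64, b"\0") + struct.pack("<HBBIII", len(n), etype, 1, NOSTREAM, right, child)
                + b"\0" * 36 + struct.pack("<IQ", start, size))

    directory = entry("Root Entry", ROOT, child=1) + entry(
        "WordDocument", STREAM, right=2 if with_vba else NOSTREAM, start=2, size=len(word))
    if with_vba:
        directory += entry("Macros", STORAGE)
    header = (OLE_SIG + b"\0" * 16 + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + b"\0" * 6
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *([FREESECT] * 108)))
    return header + struct.pack("<128I", *fat) + directory.ljust(512, b"\0") + word
```

Call scan(open(path, "rb").read(), path) on a downloaded file and act on the findings list before the document ever reaches Word; scan(build_sample(fdot=True), "memo.doc") shows the template-in-disguise case. Streams below the mini-stream cutoff are kept in the mini stream, which this example deliberately does not implement: it reports "FIB not checked" rather than guessing, and a maintained parser such as olevba from oletools handles that case and decodes the macro tables themselves. The point to take away is the order of operations: the file is read as data first, and Word only sees it after the report is clean.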

Removing Macro Viruses

If you have an anti-virus scanner which detects and removes a macro virus, use it instead of trying to do it by hand. The scanner will generally do the job and is much easier than removing the virus by hand.

If you have Microsoft's virus macro protection installed, it will give you the option to remove any attached macros when you open the document. If you save the document with the same name, it will overwrite the infected document.

If you don't have a scanner or the protection macro, you can use the Organizer to find and remove macro viruses without infecting your system. The first step is to start Word and open the Organizer dialog box. There are two ways to open the Organizer:

  1. Use the Tools Macro command and press the Organizer button.
  2. Use the File Templates command and press the Organizer button.

In the Organizer dialog box, click the Macros tab, click the Open File button, select the infected document and click OK. Back in the Organizer dialog box, select all the macros listed for the file and click the Delete button to remove them. Click the Close File button to close and save the file. The file can now be opened normally.

If you have just infected yourself by opening an infected document, don't close the document or quit Word: closing the infected file or quitting Word runs the risk of triggering another auto-macro (AutoClose or AutoExit). See if you can get to the Organizer dialog box. Once in the Organizer you can delete the virus macros from the infected document and from the "normal.dot" file. Save those files, quit Word and restart it. You can then use the Organizer to check other documents for a virus infection.

If you can't get to the Organizer, quit Word without saving anything, find the "normal.dot" file and delete it. When you restart Word, it will create a new, empty "normal.dot" file. Note that you will also lose any custom styles which were stored in the "normal.dot" file and will have to redefine them.

On The Macintosh

These macro viruses will run under Word 6 on the Macintosh, but most of the file access capability used by the viruses to damage a system will not work well. This is because file naming conventions on the Macintosh are different from those on other systems. Since the damaging parts of the viruses are written with a DOS-based file system in mind, it is unlikely that they will work.

Macro Viruses and E-Mail Messages

Many rumors have been circulated around the network about an e-mail message that destroys your system when you read it (Good Times). This cannot happen with the current batch of mail readers. While an infected document could be attached to an e-mail message and would be downloaded to your disk when you read the message, it will not automatically be executed. As long as it has not been executed or opened, it cannot infect your system with a virus. At this point, you should scan it to make sure it is not infected.

Conclusions

Macro viruses are here to stay and we must deal with them in the same manner that we have had to deal with other viruses. If you don't know where a file has been, don't use it in your computer until you scan it. That is, if it is an executable, don't run it; if it is a document, don't open it. It does not matter how you obtained the file, whether it is a download from a BBS or web site, an attachment to an e-mail message, or a shrink-wrapped package from a commercial developer, scan them all. Even blank, preformatted disks are occasionally showing up with viruses.

The second thing to do is to install the Microsoft macro virus protection template to warn you if a document contains macros before you open it.

Keep in mind that while Microsoft products are being targeted by these viruses, they are not the only products which have a macro capability which could be exploited. Hopefully, in the next release of software programs which include extensive macro capabilities, there will be an easy way to disable macro execution and warn the user if documents contain macros. This change will make the problem of macro viruses go away very quickly.

CIAC wishes to acknowledge the help of Michael Messuri and Charles Renert of Symantec Corp. and Chuck Noble of Digital Equipment Corp. for valuable assistance in the preparation of this bulletin.


Who is CIAC?

CIAC is the U.S. Department of Energy's Computer Incident Advisory Capability. Established in 1989, shortly after the Internet Worm, CIAC provides various computer security services free of charge to employees and contractors of the DOE, such as: Incident Handling Consulting, Computer Security Information, On-site Workshops, White-hat Audits.

CIAC is located at Lawrence Livermore National Laboratory in Livermore, California, and is a part of its Computer Security Technology Center. Further information can be found at CIAC. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. See FIRST for more details.

Previous CIAC notices, anti-virus software, pgp public key, and other information are available from the CIAC Computer Security Archive:

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.


Last Modified February 12, 1996