The Columbus Day Virus has been isolated and may actually be one of a series of related viruses. It most closely resembles the DataCrime Virus. Contrary to speculation in a recent Federal Computing Weekly article, however, the Columbus Day Virus does not appear to be closely related to the Icelandic or West German virus. The Columbus Day Virus searches through the DOS directory for .COM files other than COMMAND.COM. It attaches to the end of a .COM file, which increases the size of the file by 1168 bytes. The virus infects any given .COM file only once. However, it will infect any uninfected .COM file that it encounters. If the virus executes, it will display the message:
DATACRIME VIRUS
RELEASED: 1 MARCH 1989
and then does a low-level format of track zero. Since this is the boot area of the disk, the hard disk will be unbootable.
Detection of this virus is difficult because the ASCII strings in the virus code are encrypted, so utilities that search files for particular ASCII strings are useless. There are two methods you can use to detect this virus. The first is to check for a size increase of 1168 bytes in .COM files. The second is to use VIRUSCAN* (see below), which should report the existence of this virus as well as several other viruses. If a machine is infected, all infected .COM files must be replaced with copies of the original .COM files, and this must be done in one sitting to prevent re-infection. You should also examine backups to see if they are infected. Repeat whatever detection method you decide to use every time you load a new .COM file or database onto your PC or PC clone.
If the boot sector is destroyed, it can be restored with Disk Doctor, a utility in Norton Utilities Version 4.5 (Advanced Edition). Note that a restoration is possible only if the Disk Doctor utility had been previously run.
The DOE Center for Computer Security at Los Alamos has recently published a pamphlet, Computer Viruses and the Personal Computer User (CCS-89-03). CIAC recommends that you read and follow the excellent guidelines contained in this pamphlet.
Because VIRUSCAN is produced and distributed by a commercial developer, CIAC cannot at this time send copies of this software directly to you. To obtain a copy of VIRUSCAN, you need to send $15 with your name, address and phone number to:
The Computer Incident Advisory Capability (CIAC) has been helping several sites deal with a new strain of the Jerusalem/Israeli/Friday the 13th virus, which infects IBM PCs and PC clones. This new strain, the "Little Black Box" virus, causes a small black box to appear in the lower left quadrant of the screen. The virus adds 1808 bytes to an .EXE file every time the application is executed, until the executable image is too large to fit into memory or disk space is exhausted; this causes poor system performance. The virus also adds 1813 bytes to .COM files, one file at a time. This causes parity errors which disrupt EGA and CGA screens.
This "Little Black Box" virus does not destroy files. It does, however, spread quickly. The most common way viruses are spread is through exchanging removable media. Please advise personnel at your site to follow your procedures which prevent virus infections.
The nVIR virus has recently infected significant numbers of Macintosh systems at several DOE sites. There are different strains of this virus. Each strain causes somewhat different symptoms such as printing errors on laser printers, slow system response time, or unpredictable system crashes.
The exact mechanisms by which nVIR spreads have recently been determined. Removable media (e.g., disks) are the primary means by which nVIR spreads. Thus, if a disk used in an infected Macintosh is removed and inserted in a second Macintosh, the other machine will become infected if any application on that disk is executed in the second machine. In addition, any method used to transfer programs between Macintoshes will spread the nVIR virus. This includes transfer via shareware over a network. However, nVIR cannot spread via a print network's hardware.
nVIR is initially difficult to detect. It spreads quickly and frequently affects backups before eradication procedures can be initiated.
Disks brought in from off-site are the most common source of nVIR infections. Unauthorized copies of commercial software brought from off-site or exchanged within a site also present a substantial risk of nVIR infection. Vendor demonstration programs are another suspected source of the nVIR virus.
We urge you first of all to review your site's policy on sharing disks and on using and distributing non-licensed software. Another essential damage prevention measure is to have good anti-viral software available at your site. CIAC recommends that you test any suspect disk with Disinfectant 1.2, a freeware package which also eradicates viruses. Virus Detective, a shareware package, also tests disks to see if they are clean of nVIR and several other viruses. Although it is tedious to use, Gatekeeper, another shareware program, provides several protection mechanisms. It is important to educate users about using only software from trusted sources, to reduce the possibility of virus infections. Finally, CIAC recommends that your site use dedicated machines for on-site vendor demonstrations.
The Columbus Day family of viruses will infect applications on IBM Personal Computers (PCs) and Compatibles. Execution of an infected program will cause the virus to replicate to other applications. When the system date is between October 13th and December 31st of any year and the computer has a hard disk, the virus strikes and displays the message:
DATACRIME VIRUS
RELEASED: 1 March 1989
Simultaneously, the virus makes the hard disk unreadable. Recovery after the virus has altered the disk is extremely difficult. The enclosed procedures will help to assure uninterrupted use of affected computers.
This memo contains recommendations that users of an IBM personal computer or compatible computers (PC) may follow to prevent loss of information due to this virus. Also included are technical procedures on how to detect, protect, eradicate and recover from the Columbus Day family of viruses. A survey form is provided to aid the CIAC team in collecting data concerning the spread of this virus. It is requested that this form be completed at each site and returned to CIAC as soon as possible.
You may have seen a report about this topic on CNN or read about it in your local newspaper. However, all indications at this time are that these viruses are not as widespread as other viruses affecting IBM PCs and PC compatibles. The Computer Virus Industry Association (CVIA) reports that infections have been minimal. This data is collected from reports by programs like VIRUSCAN, and represents a very large sampling of the community. However, as with all viruses we should be prepared. If the DATACRIME virus attacks your machine it could do serious damage. Good backups are essential.
The DATACRIME (V1 and V2) family of viruses will infect one .COM file each time an infected program is executed. DATACRIME II will infect both .COM and .EXE files. It does this by searching the current directory and all sub-directories on the "C:" drive for a file to infect. If it fails to find a file, it will search other drives on your machine for a candidate file. The virus will not infect any file with "D" as the seventh letter of its name; thus, COMMAND.COM will not be infected. Each time the virus is run it checks the current date. If the date is between October 13th and December 31st of any year and the computer has a hard disk it displays the message:
DATACRIME VIRUS
RELEASED: 1 March 1989
Simultaneously, the virus formats the first 8 tracks of cylinder 0 of the hard disk. This effectively destroys the partition table, the master boot track, the boot record, the File Allocation Table (FAT), and a portion of the root directory. Recovery at this point will be very difficult and will require a low-level format. Due to the way the virus executes, its behavior ranges from no action to complete loss of the data on the hard disk. We stated in the previous memo on the Columbus Day Virus that you might be able to do a partial recovery with, for example, Disk Doctor in Norton Utilities Version 4.5. As we examined the virus we determined that there is only a very small chance of recovery by this method. Prevention and backups are the best course.
The CIAC recommends that each PC user follow the procedures below:
First, back up your hard disk, most importantly the data. These viruses can't propagate through data files, and you can always restore your applications from the distribution disks, but if your data is important to you, back it up now.
Now that you've backed up your data, you can try to detect the virus. Utilities that search files for particular ASCII strings are ineffective, since the ASCII strings in the virus code are encrypted. There are several methods you can use to detect this virus. The first method, while labor intensive, doesn't require any special software: check for any increase in the size of your .COM or .EXE files. The virus will not infect COMMAND.COM, so examine other executable files, for example FORMAT.COM, CHKDSK.COM, FIND.EXE and PRINT.COM.
Note that there are other reasons why a file size may not match: for example, you may have updated to a newer version of a program, or you may be running Data Physician, which changes the size of the file. However, a size change should signal that you need to investigate further.
Another possible method is to use a commercial product that will detect these viruses. This includes products like Flu-Shot+, VIRUSCAN, or Data Physician, which should report the existence of these viruses as well as certain other viruses.
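The file-size check described above, together with the 1808- and 1813-byte growth attributed earlier on this page to the "Little Black Box" strain, as an added Python example that is not part of the CIAC bulletins. It baselines the size and SHA-256 of every .COM/.EXE file under a directory, compares a later scan against that baseline, and labels size increases that match the figures the bulletins quote. The sample directory, its file names and sizes, and the appended padding are constructed in a temporary directory for the demonstration; no viral code is involved.

```python
"""Baseline-and-compare check for growth of .COM/.EXE files.

Added example; not part of the CIAC bulletin. The sample directory and
the appended padding below are constructed with tempfile.
"""
import hashlib
import json
import tempfile
from pathlib import Path

DATACRIME_COM = 1168      # .COM growth quoted for DATACRIME / Columbus Day
JERUSALEM_COM = 1813      # .COM growth quoted for the "Little Black Box" strain
JERUSALEM_EXE = 1808      # .EXE growth per execution, so multiples occur
EXEC_SUFFIXES = {".com", ".exe"}


def datacrime_skips(filename: str) -> bool:
    """DATACRIME skips any file whose seventh letter is 'D', which is why
    COMMAND.COM is never infected; such files are poor detection targets."""
    stem = Path(filename).stem.upper()
    return len(stem) >= 7 and stem[6] == "D"


def classify_growth(delta: int) -> str:
    """Verdict for a size change between two scans of the same file."""
    if delta == DATACRIME_COM:
        return "DATACRIME (.COM, +1168)"
    if delta == JERUSALEM_COM:
        return "Jerusalem 'Little Black Box' (.COM, +1813)"
    if delta > 0 and delta % JERUSALEM_EXE == 0:
        return f"Jerusalem 'Little Black Box' (.EXE, +1808 x {delta // JERUSALEM_EXE})"
    if delta > 0:
        return f"grew by {delta} bytes (investigate: update or infection?)"
    return f"changed, size delta {delta}"


def scan(root: str) -> dict:
    """Relative path -> {size, sha256} for every executable under root."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXEC_SUFFIXES:
            data = path.read_bytes()
            baseline[str(path.relative_to(root))] = {
                "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    """Write the baseline out; keep the copy on a write-protected diskette."""
    Path(path).write_text(json.dumps(baseline, indent=1))


def load_baseline(path: str) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> list:
    """(path, verdict) for every executable that changed, appeared or vanished.
    The hash is checked first: a file can be patched without any size change."""
    findings = []
    for name, info in current.items():
        old = baseline.get(name)
        if old is None:
            findings.append((name, "new executable, not in baseline"))
        elif old["sha256"] != info["sha256"]:
            findings.append((name, classify_growth(info["size"] - old["size"])))
    findings += [(name, "missing since baseline") for name in baseline if name not in current]
    return findings


def demo() -> list:
    """Constructed DOS-style directory: baseline it, append padding of the
    sizes the bulletins quote to two files, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        sizes = {"COMMAND.COM": 25000, "FORMAT.COM": 11000, "CHKDSK.COM": 9000,
                 "FIND.EXE": 6400, "PRINT.COM": 8000, "README.TXT": 300}
        for name, size in sizes.items():
            (Path(root) / name).write_bytes(b"\x90" * size)   # filler, not real code
        bfile = str(Path(root) / "BASELINE.JSN")
        save_baseline(scan(root), bfile)
        with open(Path(root) / "FORMAT.COM", "ab") as f:
            f.write(b"\x00" * DATACRIME_COM)          # one DATACRIME-sized append
        with open(Path(root) / "FIND.EXE", "ab") as f:
            f.write(b"\x00" * (3 * JERUSALEM_EXE))    # "executed" three times
        return compare(load_baseline(bfile), scan(root))


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{name:14} {verdict}")
```

Take the baseline from a known-clean boot, keep the baseline file on a write-protected diskette, and rerun the comparison after every new program or update, as the bulletin advises. A size change that is not one of the quoted figures still deserves a look: to this check, an updated program and an infected one look the same.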
If you find you are infected but DATACRIME hasn't struck yet, DON'T PANIC. Do the following: copy the infected files to a diskette, clearly label it as containing a virus, and protect this disk. We need copies of all DATACRIME viruses that infect DOE machines, so please call CIAC for instructions on how to handle this sample. You must completely rid your machine of this virus. The procedure below is believed to be necessary because current eradication programs cannot guarantee 100% recovery.
Again, make sure that you have backed up all your data. Ensure that there are no system or application files (any file that ends in .COM or .EXE) on your backup floppies. The next step will destroy all information on the hard disk, so ensure that your backups and distribution disks are safe. Follow the necessary procedures to format your hard-drive. Seek expert assistance if you are not familiar with how to carry out this procedure.
Now take out your original disks and write protect each one of them. If you have a virus detection program that works, run it on the application disks to ensure they are virus-free. Reinstall all of your applications from the original virus-free distribution disks. You should examine all of your floppies and backups that contain applications or system files to prevent reinfection. Remember, one infected file will reinfect your system.
The Norton Public Domain Virus Utility, PD Edition 5.50, (C) 1989
Peter Norton
Your System has been infected with a Christmas virus! Selected
files were just eliminated! Without these files, you might as well
use your computer as a damn, boat anchor! If you do NOT own a
boat, you may want to replace the files which were just erased.
Try to determine which files they were. HARDY HA! HA! HA! HOW
DO YOU FEEL NOW; YOU IDIOT? MERRY CHRISTMAS AND HAPPY NEW YEAR!
If your system has the trojan horse, you will obtain a report similar to the
following when using PKUNZIP (a utility which separates and decompresses
files):
 Length  Method   Size  Ratio    Date     Time    CRC-32   Attr  Name
 ------  ------   ----  -----    ----     ----    ------   ----  ----
   1065  Implode   650   39%   10-04-89  12:26   9778978d  --w   READ-ME.NOW
  38907  Implode 30156   23%   10-02-89  11:57   c333dec0  --w   NORTSHOT.EXE
 ------          -----  -----                                    -------------
  39972          30806   23%                                         2
NORTSTOP.ZIP and NORTSHOT.ZIP are not viruses. They will not replicate themselves and spread from machine to machine. Once you have removed this trojan horse, it can only be reintroduced by copying the files once again from public sources.
Types: WDEF A, WDEF B
Platform: Apple Macintosh
Damage: No intentional damage, see symptoms.
Symptoms: The virus can cause:
At this time there appear to be two strains of WDEF, WDEF A and WDEF B. These strains are similar, except that WDEF B beeps every time it infects a new Desktop file.
Disinfectant 1.3 , Vaccine 1.0.1, GateKeeper 1.1.1, Symantec's SAM Intercept 1.10, and HJC's Virex INIT 1.12 do not detect WDEF, although new versions of many of these products which claim to be able to detect WDEF are rapidly being developed. Please also note that Disinfectant 1.4 detects only one strain of the WDEF virus.
There has recently been considerable attention in the news media about a new trojan horse which advertises that it provides information on the AIDS virus to users of IBM PC computers and PC clones. Once it enters a system, the trojan horse replaces AUTOEXEC.BAT and may count the number of times the infected system has booted until a criterion number (90) is reached. At this point PC CYBORG hides directories and scrambles (encrypts) the names of all files on drive C:. More than one version of this trojan horse exists, and at least one version does not wait to damage drive C:, but hides directories and scrambles file names upon the first boot after the trojan horse is installed.
At first PC CYBORG was distributed only in Europe, although several PC CYBORG infections have recently been reported in the U.S. No DOE site has been affected yet, and the probability of a widespread infection of this trojan horse throughout DOE is extremely small. This trojan horse is introduced into systems through a disk called the AIDS Information Introductory Diskette, which has been mailed to a mailing list which the author(s) of this trojan horse obtained. PC CYBORG is a trojan horse, not a virus, and thus is limited in ability to spread. This information bulletin is being distributed in response to questions raised because of the considerable media attention the trojan horse has received, more than because of a genuine threat to systems.
If you receive a disk in the mail which purports to provide information on AIDS, do not load the disk into your computer. Please save the disk, and contact CIAC immediately. If you have already run this disk, please also call CIAC as soon as possible. It is important to leave your PC on if it is currently on, or leave it off if it is currently off. Failure to do so may result in loss of your data, or make recovery more difficult. CIAC has developed recovery procedures, which are too lengthy to publish in this bulletin.
CIAC information bulletin A-15 describes vulnerabilities within Apple MACs. Please contact CIAC for further information.
Note: This bulletin has been superseded by CIAC Bulletin B-16.
CIAC Information Bulletin A-9 reported the existence of the WDEF virus on Macintosh computers. The purpose of this bulletin is to provide additional information about eradicating this virus.
Disinfectant 1.5 and the most recent version, Disinfectant 1.6, are capable of detecting and eradicating WDEF, but are not designed to prevent the spread of WDEF during its execution. If an infected disk is inserted into the Macintosh while Disinfectant is running (for the purposes of eradicating WDEF), WDEF will infect ANY OTHER UNLOCKED MOUNTED VOLUMES. If Disinfectant is to be used to eradicate a WDEF infection, CIAC recommends the following procedure:
Types: Only one known variant: CORETEST.COM VERSION 2.6, 32469 bytes, timestamp 6-6-86 9:44
Platform: IBM PC and PC clones running MS DOS or IBM-PC DOS
Damage: Varies from slow program execution to low level formatting of disk
Symptoms: A variety of disruptions and/or damage, based on a random number between one and twelve. Affects system performance, writing to screen, clock, printer and/or keyboard malfunctions, random disk writes, garbled printer output, boot sector, File Allocation Table (FAT) or directory overwrites, and a low level format of select tracks on the hard disk. Other symptoms include the floppy disk motor continuously running, FAT, directory and/or boot sector damaged diskettes.
Detection: Examine the Master Boot Record (MBR) for the message:
SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC
2840 St. Thomas Expwy, Suite 201
Santa Clara, CA 95051
(see important note below) or search the MBR and memory for the following hex string:
e4 61 8a e0 0c 80 e6 61
If you suspect a program, you can use the search string:
be 64 02 31 94 42 01 d1 c2 4e 79 f7
Caution: These search strings are based on the trojan program examined by the discoverer. If the program has been modified, the above search strings may not work.
Eradication: Remove the trojan program by deleting it. To recover from a corrupt MBR, back up current data files and programs, perform a low-level format, and restore data files and programs from a recent backup.
CIAC has been alerted that there may be a new trojan horse called the Twelve Tricks Trojan Horse. CIAC has not been able to obtain a copy of this program, and cannot at this time confirm the information contained in this bulletin. This trojan program affects computers running the MS DOS operating system or common variants (IBM PC-DOS etc.). It can produce a variety of disruptions and/or damage, including a slowdown of system performance, blanking or jerky motion in the scrolling window, clock, printer and/or keyboard malfunctions, random disk writes, garbled printer output, boot sector, File Allocation Table (FAT) or directory overwrites, and a low level format of select tracks on the hard disk. Other symptoms include the floppy disk motor continuously running, FAT, directory and/or boot sector damaged diskettes. The particular damage which occurs depends on a random number between 1 and 12 that the trojan program generates.
SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC
2840 St. Thomas Expwy, Suite 201
Santa Clara, CA 95051
Important Note: There is absolutely no evidence to link the origin of this trojan horse to any company or organization, such as the one mentioned above. The motivation of the author of this trojan horse for mentioning the company listed above is currently unknown.
There are several additional ways to detect the trojan. The following hexadecimal string can be found in the MBR of infected machines:
e4 61 8a e0 0c 80 e6 61
The above string can also be found at location 0:38b in memory if you have booted from a corrupted MBR. You can use Debug as a search tool.
A useful search string to detect the source program (containing the trojan horse) is
be 64 02 31 94 42 01 d1 c2 4e 79 f7
Trojan programs can be removed by simply deleting them. If you find the string above in the MBR or in memory at 0:38b, you need to boot from a clean DOS diskette and replace the partition record. DO NOT use Fdisk to do this unless you are prepared for Fdisk to zero your FAT and directory; you will lose all your data that way. One way would be to do a file-by-file backup, low-level format the disk to get rid of the trojan MBR, then run Fdisk and Format, and restore your data files and programs from your backup.
We have recently received and analyzed a trojan that we believe warrants an urgent alert. We are calling it the Twelve Tricks trojan, and it is very interesting, very nasty, and quite complex. This message is not meant to be a complete description of the trojan; we feel that it is important to get a warning out quickly, rather than aim for completeness. It is not a virus. The trojan consists of a program (more about this aspect later) which you run; besides doing the obvious things the program is expected to do, running it also replaces the partition record (also called the Master Boot Record, or MBR) on your hard disk with its own version. This can easily be recognized by inspecting the hard disk at cylinder zero, head zero, sector one, which can be done with a disk sector editor such as Peeka. If the partition record has this trojan in place, it will contain the following text near the beginning:
SOFTLoK+ V3.0 SOFTGUARD SYSTEMS INC 2840 St. Thomas Expwy, Suite 201 Santa Clara, CA 95051 (408) 970-9420
At this point, let us state that we believe that the company mentioned above has nothing whatsoever to do with the trojan; perhaps the trojan author has a grudge against them. The trojan uses a far call to the hard disk Bios code in order to plant this partition record. To do this, it must know the location in memory of the entry point; it tries five different ones, one of which is the one documented in the IBM PC-XT Technical Reference manual, and the other four are presumably fairly common alternatives.
The purpose of planting the trojan with a far call is, we believe, to escape detection by Active Monitor programs that protect a computer by monitoring the interrupt table, and preventing unauthorized writes to system areas on the hard disk. Since the Twelve Tricks doesn't use an interrupt to plant the MBR, such programs won't be able to prevent it. We tested this using Flushot+, probably the most successful of the Active Monitors, and Twelve Tricks went straight through it - the same would be true, we think, of any other Active Monitor.
The Replacement MBR
When the MBR is run, which is every time you boot from the hard disk, Twelve Tricks copies 215 (d7h) bytes of itself to locations 0:300h through 0:3d6h. This overwrites part of the interrupt vector table, but a part that is rarely used. This means that these d7h bytes are memory resident without using any of the TSR calls of Dos, and without reserving part of high memory. Reserving part of high memory is the usual ploy of boot sector viruses, but the drawback of that route is that you might notice that a few KB of your 640 KB has disappeared (CHKDSK would reveal this). The method used by Twelve Tricks would not show up as a loss from your 640 KB.
When the computer is started up, a random number generator determines which of the Twelve Tricks will be installed. It does the installation by replacing one of the interrupt vectors with a vector that points to the Twelve Tricks' own code, which then chains on to the original handler. The twelve tricks are:
- Insert a random delay loop in the timer tick, so that 18.2 times per second the computer executes a loop that is randomly between 1 and 65536 iterations long (different each time it is executed). This slows the machine down and makes it work rather jerkily.
- Insert an End-of-Interrupt in the timer tick. This interferes with the servicing of hardware interrupts, so for example the clock is stopped, TSRs that depend on the timer tick don't work, and the floppy motor is permanently on.
- Every time a key is pressed or released, the timer tick count is incremented by a random number between 0 and 65535. This has a variety of effects: programs sometimes won't run, when you type "TIME" you get "Current time is divide overflow", and copying files sometimes doesn't work.
- Every time interrupt 0dh is executed, only do the routine three times out of four. Interrupt 0dh is used on PCs and XTs for the fixed disk, on ATs for the parallel port.
- Every time interrupt 0eh is executed, only do the routine three times out of four. Interrupt 0eh is used for the floppy disk.
- Every time interrupt 10h is called (this is the video routine), insert a delay loop that is randomly between 1 and 65536 iterations long (different each time it is executed). This slows the video down and makes it work rather jerkily and/or slowly.
- Every time the video routine to scroll up is called, instead of the requested number of lines being scrolled, the entire scrolling window is blanked.
- Every time a request is made to the diskette handler, it is converted into a write request. This means that the first time you try to read or write a diskette, whatever happens to be in the buffer will be written to the diskette, and will probably overwrite the boot sector, FAT or directory, as these must be read before anything else can be done. If you try to read a write-protected diskette, you get "Write protect error reading drive A.". If you do a DIR of a write-enabled diskette, you get "General Failure...", and if you inspect the diskette using a sector editor, you'll find that the boot sector and FAT have been zeroed or overwritten.
- Every time interrupt 16h is called (read the keyboard), the keyboard flags (Caps Lock, Num Lock, shift states etc.) are set randomly before the keystroke is returned. This means that at the Dos prompt the keyboard will only work occasionally. Programs that poll interrupt 16h will be unusable. Holding down the Del key will trigger a Ctrl-Alt-Del.
- Everything that goes to the printer is garbled by xoring it with a byte from the timer tick count.
- Every letter that is sent to the printer has its case reversed by xoring it with 20h. Non-alpha characters are xored too, so a space becomes a null, and line feeds don't feed lines.
- Whenever the Time-of-Day interrupt (1ah) is executed, do an End-of-Interrupt instead. This means that you can't set the system clock, and the time is set permanently to one value.
These are the twelve tricks. In addition, there are two more things that the trojan does. It uses a random number generator; one time out of 4096, it does a low-level format of the track that contains the active boot sector, which also destroys part of the first copy of the FAT. You can recover from this by creating a new boot sector and copying the second copy of the FAT back over the first. After it does the format, it displays the "SOFTLoK+" message quoted above and hangs the computer.
If it doesn't do the format, it makes a random change to a random word in one of the first 16 sectors of the FAT, which will make a slight and increasing corruption in the file system. This is perhaps the worst of the things it does, since the corruption of the files on the disk grows over time.
The Dropper program
The program that drops the trojan was, in the specimen that we analyzed, a hacked version of CORETEST, a program to benchmark hard disk performance. The file is CORETEST.COM, version 2.6 (dated 1986 in the copyright message); it had a length of 32469 bytes and was timestamped 6-6-86, 9:44. When we looked at this program in more detail, we found some interesting things.
It looks as if the original CORETEST program was an EXE file, and the trojan author prepended his code to it. This code consists of some relocation stuff, then a decryptor, to decrypt the following 246h bytes. The decryption is a double xor with a changing byte. Those 246h bytes, when run, examine memory to try to find one of five sets of hard disk handler code (presumably corresponding to five Bioses). When it finds one of them (we have identified the first one as being the IBM XT Bios), it plants the trojan MBR in place, using a far call to the Bios code. The trojan MBR is 200h of the 246h bytes. The trojan is patched so that it also does disk accesses using a far call to the same location. Finally, the prepended trojan passes control to the original program. We call the combination of the prepended code plus the original program the Dropper.
The main purpose of the encryption, we would guess, is to evade detection by programs that check code for bombs and trojans. There are no suspicious strings or interrupt calls in the code until it is decrypted at run time.
As far as we can tell, it is not a virus but a trojan. However, it is unlikely that all the patching of the original program was done by hand; it is far more likely that the trojan author wrote a prepender program (we would call this the Prepender) to automatically attach his code to the target executable. If this is the case, there are two consequences. The first is that he might have trojanized other programs besides the one that we have examined; in other words, there might be other Droppers around besides the one we have examined. The second is that, if so, we cannot rely on the encryption having the same seed each time, as the Prepender might change the seed each time it operates. So it would be unsafe to assume we can use a search string based on the decryptor.
Indeed, a further possibility exists. The Prepender program might have been placed into circulation, and people running it would unwittingly be creating additional Droppers. There is absolutely no evidence to suggest that that is actually the case, but we would ask anyone who detects this Dropper in one of their files, to also examine all the others.
Detection
Here is a variety of ways to detect the trojan. The hexadecimal string e4 61 8a e0 0c 80 e6 61 is to be found in the MBR. This string will also be found in memory, at location 0:38b, if you have booted from a trojanized MBR. You can use Debug to search memory.
A useful search string to detect the Dropper is
be 64 02 31 94 42 01 d1 c2 4e 79 f7
Getting rid of it
It's easy to get rid of Droppers: just delete them and replace them with a clean copy. If you find the string above in the MBR or in memory at 0:38b, you need to boot from a clean Dos diskette and replace the partition record. DO NOT use Fdisk to do this unless you are prepared for Fdisk to zero your FAT and directory; you will lose all your data that way. One way would be to do a file-by-file backup, low-level format the disk to get rid of the trojan MBR, then run Fdisk and Format, and restore your backup. We would recommend doing two backups using as different methods as possible if you use this route, in case one of them fails to restore.
The other way to replace the partition is to run a program that drops a clean partition record onto the MBR, but doesn't change the partitioning data. We are currently preparing one of these - please ask if you need it.
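The MBR, memory and program-file checks given in the two bulletins above, together with the "clean partition record that leaves the partitioning data alone" repair described in the previous paragraph, as an added Python example that is not part of the CIAC bulletins or of the original analysis. The search strings are the ones printed on this page. Everything else is constructed for the demonstration: the sample sectors, the 1 KB low-memory dump, the program file, the placeholder boot code used in the rebuild, and the offset (0x8b) at which the MBR string is placed inside the constructed sector so that the resident copy at 0:300h puts it at 0:38b.

```python
"""Twelve Tricks indicator scan over constructed sector, memory and file images.

Added example; not from the CIAC bulletin or the original analysis. Only the
two search strings and the SOFTLoK+ text come from the page; the images
scanned below are built here and contain no trojan code.
"""

SECTOR = 512
PART_TABLE = 0x1BE            # standard offset of the four partition entries
BOOT_SIG = b"\x55\xaa"
RESIDENT_BASE = 0x300         # the analysis: the MBR copies itself to 0:300h
RESIDENT_HIT = 0x38B          # the bulletins: the MBR string shows up at 0:38b

# MBR search string from the bulletins. Decoded as 8086 code it reads
# in al,61h / mov ah,al / or al,80h / out 61h,al: the keyboard-acknowledge
# sequence a hooked keyboard interrupt handler would carry.
MBR_SIG = bytes.fromhex("e4 61 8a e0 0c 80 e6 61")

# Dropper search string from the bulletins. Decoded: mov si,0264h /
# xor [si+0142h],dx / rol dx,1 / dec si / jns back to the xor. A word xor
# that walks down one byte per step hits every byte twice with a rotating
# key, which is the "double xor with a changing byte" the analysis mentions.
DROPPER_SIG = bytes.fromhex("be 64 02 31 94 42 01 d1 c2 4e 79 f7")

SOFTLOK_TEXT = b"softlok+"    # matched case-insensitively (SOFTLOK+ / SOFTLoK+)


def find_all(blob: bytes, pattern: bytes) -> list:
    """Offsets of every occurrence of pattern in blob."""
    hits, start = [], 0
    while (idx := blob.find(pattern, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def scan_sector(sector: bytes) -> list:
    """Indicators found in a 512-byte MBR image, as (description, offset)."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    found = [("Twelve Tricks MBR code string", o) for o in find_all(sector, MBR_SIG)]
    found += [("SOFTLoK+ text", o) for o in find_all(sector.lower(), SOFTLOK_TEXT)]
    return found


def scan_memory(low_mem: bytes) -> bool:
    """True if a dump of low memory (offset 0 = 0000:0000) carries the MBR
    string at 0:38b, i.e. the machine booted from a trojanized MBR."""
    return low_mem[RESIDENT_HIT:RESIDENT_HIT + len(MBR_SIG)] == MBR_SIG


def scan_program(data: bytes) -> list:
    """Offsets of the Dropper string in a program file. The bulletins'
    caution applies: a re-seeded or modified prepender would not match."""
    return find_all(data, DROPPER_SIG)


def partition_table(sector: bytes) -> list:
    """Decode the four 16-byte partition entries; empty entries are skipped."""
    entries = []
    for i in range(4):
        e = sector[PART_TABLE + 16 * i:PART_TABLE + 16 * (i + 1)]
        if e[4] == 0:
            continue
        entries.append({"boot": e[0] == 0x80, "type": e[4],
                        "start_lba": int.from_bytes(e[8:12], "little"),
                        "sectors": int.from_bytes(e[12:16], "little")})
    return entries


def rebuild_mbr(infected: bytes, clean_code: bytes) -> bytes:
    """Drop clean boot code in front of the existing partition table, the
    repair the analysis recommends instead of Fdisk. The code must fit in
    the 446 bytes before the table; the table itself is copied unchanged."""
    if len(clean_code) > PART_TABLE:
        raise ValueError("boot code too long for the MBR")
    code = clean_code.ljust(PART_TABLE, b"\x00")
    return code + infected[PART_TABLE:SECTOR - 2] + BOOT_SIG


def make_samples() -> tuple:
    """Constructed clean MBR, trojanized MBR, low-memory dump and program file."""
    clean = bytearray(SECTOR)
    clean[0:3] = b"\xfa\x33\xc0"            # cli / xor ax,ax: placeholder boot code
    entry = (bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0xFE, 0xFF, 0xFF])
             + (0x20).to_bytes(4, "little") + (0x1000).to_bytes(4, "little"))
    clean[PART_TABLE:PART_TABLE + 16] = entry   # one bootable FAT16 partition
    clean[SECTOR - 2:] = BOOT_SIG
    trojan = bytearray(clean)
    text = b"SOFTLoK+ V3.0 SOFTGUARD SYSTEMS INC"
    trojan[0x10:0x10 + len(text)] = text
    # Assumption: the code string sits at 0x8b so that the d7h-byte resident
    # copy at 0:300h places it at 0:38b, as the bulletins report.
    trojan[0x8B:0x8B + len(MBR_SIG)] = MBR_SIG
    low_mem = bytearray(0x400)
    low_mem[RESIDENT_BASE:RESIDENT_BASE + 0xD7] = trojan[:0xD7]
    program = b"\x90" * 100 + DROPPER_SIG + b"\x90" * 50
    return bytes(clean), bytes(trojan), bytes(low_mem), program


if __name__ == "__main__":
    clean, trojan, low_mem, program = make_samples()
    print("trojan MBR:", scan_sector(trojan))
    print("resident at 0:38b:", scan_memory(low_mem))
    print("dropper at:", scan_program(program))
    print("table preserved:", partition_table(rebuild_mbr(trojan, b"\xfa\x33\xc0")))
```

On a real machine the sector would be read with a sector editor or `DEBUG` from a clean floppy boot, and the low-memory check only means anything if the dump was taken after booting from the suspect hard disk. The rebuild keeps bytes 0x1be to 0x1ff, so the partitioning data survives; what goes in front of it must be genuine boot code for the machine, which is why the analysis offers to supply that program.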
Damage done
The whole of the MBR is used for the code. Most normal MBRs don't use more than half the space, and a number of other programs have started using this space, for example Disk Manager and the Western Digital WDXT-Gen controllers (but the Dropper doesn't work on the WDXT-Gen). This means that the Dropper might cause an immediate problem in some circumstances.
The main damage done, however, will be in the impression that this trojan creates that your hardware is suffering from a variety of faults, which usually go away when you reboot (only to be replaced by other faults). Also, the FAT gets progressively corrupted.
Name: MDEF
Types: Only one known variant
Platform: Apple Macintosh models 128K and 512K, 512KE, Mac Plus, SE, SE/30, II, IIx, IIcx, IIci and IIfx.
Damage: Possible removal of system menus.
Symptoms: The virus can cause:
MDEF actually refers to one of the resources on Macintosh computers. The MDEF virus is so named because this virus infects the MDEF resources. If you attempt to detect the MDEF virus using ResEdit or a similar tool and discover the MDEF resources, this does not indicate that your computer is infected by the MDEF virus.
Resource MDEF & Name "Garfield"
Resource MDEF & ID = 5378
Caution: CIAC has been advised that the use of Vaccine may have an undesirable side effect. Vaccine will inform the user that the system file has been infected, but it is only partially effective in preventing this virus from infecting the system file. The system file will be damaged as a result of running Vaccine when an application containing the MDEF virus is executed.
Name: Steroid trojan horse
Types: Only one known variant
Platform: Apple Macintosh computers
Damage: Erases all mounted disks
Symptoms: Can be identified by:
Steroid is a trojan horse, not a virus, and thus is limited in ability to spread. This trojan horse is a genuine threat; however, because it is being posted to electronic bulletin boards, and has already been downloaded by unsuspecting users on the West Coast. If you use a bulletin board, make sure that you do not download any software claiming to improve QuickDraw performance or related in any way to "Steroid." Since "Steroid" is an INIT, you would have had to put it in your system folder to have this trojan horse. If you are unsure if you have installed "Steroid," look in your system folder for start-up documents with the name "Steroid" or "Quickdraw Accelerator." Another detection method is to use RESEDIT; look for documents in the system folder with the Creator: "QDAC," Type "INIT," and a code size of 1080 and a data size of 267.
If your Macintosh computer contains this INIT, please make a copy on a floppy before you do anything else and send that copy to CIAC at your earliest convenience. Then drag the Steroid INIT to the trash icon and empty the trash. If you unknowingly used Steroid before July 1, 1990, no damage appears possible at this time. It is important, however, to determine whether you have shared Steroid with anyone else and, if so, to notify them of the information in this bulletin. If you have used Steroid on or after July 1, 1990, CIAC has been advised that you can recover by using the SUM II Disk Clinic tool to restore the erased files. Do not use the machine until you have recovered the files using SUM. CIAC can provide more detailed procedures in this case.
The following is an excerpt from a bulletin board posting by Apple:
So far, we know that the code does the following:
OPERATIONS AT RESTART:
----------------------
DATE & TIME CHECK (Loop)
SYSENVIRONS CHECK
GETS VOLUME INFORMATION (probably checking for HFS)
GETS SOME ADDRESSES (Toolbox traps)
DOES SOME HFS DISPATCH OPERATIONS
VOLUME IS REINITIALIZED to "Untitled"
INFORMATION:
------------
TYPE: INIT
CREATOR: qdac
CODE SIZE: 1080
DATA SIZE: 267
ID: 148
Name: QuickDraw Accelerator
File Name: " Steroid" (First 2 characters are ASCII 1)
WHAT TO DO:
-----------
If your disk becomes erased, you can use SUM II Disk Clinic to recover the deleted files. We have tried this and it seems to work.
IF YOU HAVE STEROID ON YOUR SYSTEM, DISABLE IT IMMEDIATELY.
Name: Disk Killer virus (also known as the Ogre virus)
Types: Only one known variant
Platform: MS DOS computers
Damage: Overwrites mounted disks
Symptoms: Writes "COMPUTER OGRE 04/01/89" on screen and overwrites disk
Detection/Eradication: VIRALERT, VIRHUNT, RESSCAN, CodeSafe, CleanUp, F-Prot, IBM Scan, Pro-Scan, and others (contact CIAC for information about these products)
Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89
Warning!!
Don't turn off the power or remove the diskette while Disk Killer
is Processing!
Next, the word "PROCESSING" will be displayed, followed by this message:
Now you can turn off the power. I wish you Luck!
Disk Killer overwrites the boot sector, then the file allocation table (FAT), then the directory, randomly, with blocks of a single character.
The proper procedure depends upon when you detect Disk Killer:
Note: Because this virus modifies every byte in every sector on your disk, Norton Utilities is not a feasible means of recovering from the Disk Killer virus. Note also that a considerable amount of incorrect information about responding to Disk Killer has already been distributed. This incorrect information advises you to turn your machine off as soon as Disk Killer begins to execute; if you follow it, it is extremely likely that you will not be able to fully recover from this virus.
Additional Note: The CIAC team first became aware of this virus early last Fall. At that time, however, we chose to briefly describe this virus in the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15, rather than to issue a separate bulletin; infections at that time appeared to be limited to MS DOS computers equipped with hard disks made by a particular manufacturer in Taiwan.
Name: Stoned virus (also known as the Marijuana or New Zealand virus)
Types: At least four known variants
Platform: MS DOS computers
Damage: Not deliberately destructive--however, this virus overwrites part of the boot sector/master boot record area on infected disks (see text)
Symptoms: May write "Your computer is now stoned. Legalize marijuana" or similar message on screen (one variant has this message removed); may create hard disk errors or the inability to boot
Detection: VIRALERT, VIRHUNT, RESSCAN, CodeSafe, F-PROT, IBM Scan
Eradication: VIRHUNT, RESSCAN, CodeSafe, CleanUp, F-PROT and others (contact CIAC for information about these products)
Your computer is now stoned. Legalize marijuana.
Although the Stoned virus apparently was not programmed to do damage, it can nevertheless damage a system. When it infects a disk it stores the original boot sector elsewhere on the disk, overwriting whatever was there: on a diskette, the original boot sector is written to Head 0, Track 0, Sector 3; on a hard disk, the original master boot record is written to Head 0, Track 0, Sector 7. These locations may hold directory information or portions of user data files. If a hard disk was last partitioned under DOS 2, this virus overwrites portions of the File Allocation Table (FAT) as well. The result is overwritten data files and indications of disk errors by CHKDSK. Variants of the Stoned virus produce slightly different effects:
After you have cleaned your system, either with an eradication product or by formatting the drive, scan again using a virus detection utility to ensure that the virus is no longer present. To ensure that your system does not immediately become re-infected, be sure to scan all of your floppy disks for the virus as well. To clean floppies you may use one of the suggested products, or you may format new floppies on a clean system and then use the COPY command to copy files from the infected floppies to the clean ones. Format the infected floppies before reusing them.
The Stoned virus typically spreads wherever floppy disks are shared. Infections can be easily prevented by adopting sound protection procedures. The Stoned virus infects a hard disk when a PC is booted from an infected floppy; it does not infect applications. If you must boot from a floppy disk, ensure with a virus scan package that this disk is not infected, and write-protect the disk so that it cannot become infected. (Warning: a Stoned-infected floppy can infect a machine even if the floppy is not bootable and carries no operating system; the BIOS still executes the floppy's boot sector if the floppy is left in the drive when the machine starts.)
Additional Note: Basic information about the Stoned virus has been available through the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15 since the beginning of this year.
The assistance of Ken Van Wyk and Dave Chess is gratefully acknowledged.
Name: 4096 virus (also known as the 4k, Stealth, IDF--Israel Defense Forces, 100 years, Century, and Frodo virus)
Types: Two known versions (also see note 1 about Fish virus)
Platform: MS-DOS computers running DOS 3.x or 4.x; does not appear to infect files in DOS 2.x
Damage: Can damage files by destructive cross-linking
Symptoms: May slow system performance somewhat; may cause the system to crash/hang, or may create hard disk errors; may write "FRODO LIVES" on screen on or after September 22, 1990 (one variant only)
Detection: VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, IBM Scan, FPROT
Eradication: VIRHUNT, CodeSafe, FPROT, and others (contact CIAC for information about these products)
Allocation error - File size adjusted
There is a trigger date of September 22, 1990. On or after this date the virus attempts to replace the original boot record with another boot record. Other reports indicate that the 4096 virus is unsuccessful in writing the boot record; the result, however, is that the system may crash. In one version of the 4096 virus the following message is also displayed on or after the trigger date:
FRODO LIVES
The 4096 virus is very difficult to detect, even if it has infected many files. It contains logic to defeat detection on the basis of increased file size, virus-initiated interrupts, and/or checksums. The most current versions of virus detection packages such as VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, and IBM Scan are effective against the 4096 virus. If you find that your computer is infected by this virus, turn your machine off, then boot from a clean floppy. Next run a virus eradication program (e.g., VIRHUNT, CodeSafe, etc.) from a non-infected, write-protected floppy disk. Alternatively, you can use the DOS COPY command to make a copy of the eradication program with its extension changed from .EXE to .DAT or some similar extension; since the virus infects only executable extensions, the renamed copy cannot become infected. Virus Bulletin recommends an additional detection method for DOS 3.x systems: set the system date ahead to January 1, 2044, create a small file, then enter the DIR command. If the 4096 virus is present, the file size will be 4K and the date will be January 1 of the year 100 (see note 3 below). In DOS 4.x systems the displayed date will be January 1 of the year 99. Another detection method is to use Norton Utilities or a similar disk management utility to show the actual size of suspected files.
Note 1: The Fish virus is a modified, more sophisticated version of the 4096 virus. It increases file sizes by either 8K or 4K.
Note 2: Other phase two viruses include the Alabama, Virus 101, 1260, and Fish virus.
Note 3: The 4096 virus adds 100 to the year of file creation, but since MS-DOS normally displays only the last two digits of the year, the virus is not normally detectable on the basis of year of file creation. MS-DOS time stamps cannot exceed December 31, 2107. If the user sets the date to January 1, 2044, the virus code increases the year by 100, causing an illegal date. The number 100 is displayed instead.
Note 4: Basic information about the 4096 virus has been available through the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15 since the beginning of this year.
Ray Glath and Bill Kinney furnished a portion of the information in this bulletin.
Problem: Virus propagation on write-protected file systems
Types: Many known viruses, most frequently variants of the Jerusalem (Israeli) virus
Platform: MS-DOS computers
Damage: Files that use software write-protection schemes cannot be assumed safe from damage due to virus infection
Symptoms: Virus infection on write-protected files
Detection: VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, IBM Scan, FPROT
Eradication: VIRHUNT, CodeSafe, FPROT, and others (see p. 2 of this bulletin for recommended procedures)
The following is a common scenario reported to CIAC: a floppy infected with the Jerusalem-B virus is inserted into a user's PC attached to a Novell network. Once an infected program is executed, the virus resides in the PC's memory. When the user attempts to log on to the file server (running the program login.exe), the virus infects this program, even though the program is write-protected by a software attribute. Login.exe is a shared program that is executed by each user as s/he connects to the Novell network. Thus, each time a user logs in to the network, his/her machine immediately becomes infected with the Jerusalem-B virus. The network allows the Jerusalem-B virus to spread considerably more quickly than it would through exchange of floppy disks.
When someone disinfects a system of PCs or PC clones on a Novell or similar file system, CIAC recommends the following procedures:
During the twelve months of this fiscal year, CIAC team members have engaged in a number of activities. One of the main activities has been assisting sites in recovering from incidents. Our involvement has led to a number of valuable lessons learned--things that can improve your site's computer security as well as enhance the DOE community's coordination and handling of incidents.
Viruses. The major viruses with which we have dealt in the MS-DOS arena during the last 12 months are Jerusalem, Stoned, Cascade (1701/1704), Ohio, Ping Pong, and Disk Killer. Of these, Jerusalem and Disk Killer are the most likely to produce damage. In the Macintosh arena, nVIR and WDEF are most prevalent, although neither is likely to damage a system. For a summary of the major viruses, refer to CIAC Bulletin A-15. In addition to frequent reports of viruses spreading through exchange of removable media (disks), we are also hearing about viruses spreading rapidly through Novell and other microcomputer networks (see CIAC Bulletin A-33). Vendor demonstrations and shrink-wrapped software are increasingly becoming a source of virus outbreaks.
We have found that sites with implemented procedures for detecting and eradicating viruses have significantly decreased the time and effort involved in recovering from this type of incident. Users of PCs, PC clones, and Macintoshes frequently do not know exactly whom to call if there is a suspected virus infection--the number of a support person should be posted on every small system! This is particularly important with users of classified systems. Finally, Disinfectant 2.1 and FPROT (freeware detection/eradication packages for Macintosh and MS-DOS computers, respectively) are available from CIAC for the asking.
CIAC periodically issues bulletins about specific computer viruses. These bulletins, however, do not cover all the computer viruses that affect the PC-DOS/MS-DOS and Macintosh platforms. The purpose of this bulletin is to identify most of the known viruses for these platforms, and give an overview of the effects of each virus. This bulletin supersedes CIAC Bulletin A-15 issued last year, and includes (at least by name) more than 100 new viruses. As we continue to gather more information, we will add it to future editions of this document.
Name: Brunswick virus
Aliases: Brunswick, 910129
Types: Two known variants
Platform: MS-DOS computers
Damage: May overwrite Master Boot Record
Symptoms: Not apparent until attack phase when Master Boot Record is destroyed and disk will not boot
First Discovered: January 1991
Detection: VIRHUNT v. 1.3D-1, VIRSCAN v.2.0.2 and others (contact CIAC for information about these products)
Eradication: VIRHUNT v. 1.3D-1, VIRSCAN v.2.0.2 and others
Brunswick usually enters a machine through the boot-up of an infected floppy. (This entry method is similar to that employed by the "Stoned" virus described in CIAC Advisory A-28.) The virus immediately infects the Master Boot Record through the BIOS disk services (Interrupt 13h). Thereafter, all disks placed in floppy drive A: or B: will become infected until the machine is re-booted from a clean disk. Infection occurs differently for hard disks and floppies. On hard disks, the original boot record is moved to Cylinder 0, Head 0, Sector 16. On floppies, the original boot record is relocated to Cylinder 0, Head 1, Sector 3. If a hard disk was last partitioned under DOS 2.0, the virus will overwrite portions of the File Allocation Table. The virus contains logic to prevent re-infection of disks and code to preserve the BIOS Parameter Block (BPB), so that 3.5 inch 1.44 MB floppies remain readable after infection (unlike with "Stoned").
The Brunswick virus mechanics are fairly straightforward. It carries a generation counter that is decremented in each new infection. Upon boot-up, the virus compares this counter to an internal constant. If the counter is larger than the constant, no action is taken; otherwise the virus destroys the master boot record by overwriting it with random characters. The generation counter never changes within a particular infection; therefore, if an infection and a successful boot-up have occurred, that particular infection will NEVER destroy the Master Boot Record (although it will continue to infect other disks).
Newer versions of anti-viral products mentioned above will detect the virus. An unauthorized write attempt to a write-protected floppy is another indication that this virus may be resident. Removal is a simple process of running any of the previously mentioned virus removal utilities. If none of these are available, contact CIAC to obtain manual removal instructions.
Infections can be easily prevented by adopting sound protection procedures, such as write-protecting all floppies and checking all diskettes before use with a trusted scanning utility. Also, always open the floppy door before booting a PC because booting with an infected NON-BOOTABLE floppy WILL CAUSE INFECTION to the hard disk.
Platform: MS-DOS computers
Software: Sun PCNFS software fix PCNFS 3.5b, file NET.EXE
Damage: File deletion, file corruption, system slowdown
Detection: File size of newly distributed PCNFS 3.5b file NET.EXE not equal to 100181 bytes; or use of VIRHUNT, VIRSCAN, FPROT, and others
Eradication: VIRHUNT, VIRSCAN and others; replacement of NET.EXE
CIAC has been notified of the inadvertent distribution of a virus in a Sun Microsystems PCNFS software fix for MS-DOS computers. This distribution, which was sent to a limited user community, contained a file NET.EXE which may have been infected with the Jerusalem-B virus. This fix, entitled "PCNFS 3.5b," was distributed between July and August, 1991 to those requesting a patch for PCNFS 3.5. Sun has contacted all customers who had received the suspect file, and has distributed a new virus-free NET.EXE to all parties. If NET.EXE from PCNFS 3.5b does not have a file size of 100181, this file is probably infected with the Jerusalem-B virus.
It is very important to execute a virus detection/eradication package if a suspect NET.EXE file is located. If your site has received the suspect file and follow-up letter, call CIAC, Sun's support number (1-800-USA-4SUN), or your local Sun office for assistance.
NOTE: For more information on the Jerusalem virus, see CIAC bulletin "Virus Propagation in Novell and Other Networks" (A-33) or "Little Black Box (Jerusalem) virus alert" (un-numbered series, 1989). CIAC recommends anti-viral scanning of all software (including new software and upgrades to existing software) before installation is initiated.
Thanks to Sun Microsystems for assistance in providing information described in this bulletin.
During this fiscal year, CIAC team members have engaged in a number of activities, including assisting sites in recovering from incidents and helping sites prepare for future incidents by presenting the CIAC workshops. Our involvement has led to a number of valuable lessons learned--things that can improve your site's computer security as well as enhance the DOE community's coordination and handling of incidents.
Viruses. During the past year, viruses on MS-DOS and Macintosh computers continued to infect a small but significant number of systems throughout DOE. In the MS-DOS arena, the Jerusalem-B, Cascade, and Disk Killer viruses continued to be most prevalent; of these, Disk Killer and Jerusalem-B were the most likely to cause damage. During this last fiscal year, the Stoned-2, Horse, and Horse-2 viruses emerged as new threats. In the Macintosh arena, WDEF and nVIR continued to be the major source of threat, but with the advent of Macintosh System 7 the WDEF threat has been reduced, since this virus will not run on that version of the operating system. Networked file systems and demonstration software continue to be the main source of these virus infections, and we continued to receive reports of infected vendor software (see CIAC Bulletin B-40). CIAC Bulletin B-16 provided an updated list of viruses and their symptoms (updated from the information in A-15).
CIAC assisted DOE in evaluating an anti-viral product to be purchased and licensed throughout DOE. This product, "Data Physician Plus," is very effective in finding and eradicating viruses on MS-DOS platforms. For the Macintosh, Disinfectant (the latest version is 2.5.2) continues to be a good anti-viral freeware package. Contact CIAC for assistance in obtaining anti-virus packages.
Aliases: Dir-2, MG series II, Creeping Death, DRIVER-1024, Cluster
Virus Type: Directory infector with stealth characteristics
Variants: Unsubstantiated reports exist for two variants
Platform: MS-DOS computers
Damage: May destroy all .EXE and .COM files and backup diskettes; may crash some PC clones; running CHKDSK /F destroys all infected executable files
Symptoms: CHKDSK reports many cross-linked files and lost file chains; backups may be corrupted; copied files are only 1024 bytes long; more (see below)
First Discovered: May 1991 in Bulgaria
Eradication: Perform a series of simple DOS commands (see below)
The Dir II virus represents a new type of MS-DOS virus, the directory infector. It modifies entries in the directory structure so that the computer jumps to the virus code before execution of a program begins. This virus also uses stealth techniques to hide its presence in memory.
The most damaging characteristic of this virus appears if a user boots from a clean diskette and then runs a disk repair or optimizer program such as CHKDSK /F, Norton Disk Doctor, or a similar utility. When such a program attempts to "fix" the disk, every infected executable "becomes" the virus, effectively destroying the original file!
Upon initial infection, the virus links itself into the device driver chain, copies itself to the last cluster (or last two clusters, if the cluster size is less than 1024 bytes) on the disk, and infects the directory entries of all .EXE and .COM files residing in the current directory and in all directories defined in the path. The virus infects all files with an .EXE or .COM extension whether or not they are actually executable, EXCEPT files smaller than 2K, larger than 256K, or having the System, Volume, or Directory attribute set. It therefore does not infect the two hidden system files, but it DOES infect COMMAND.COM.
Following the supplied eradication steps will simply remove all "live" pointers to the viral code. After eradication you may wish to use a direct disk access utility (such as Norton Utilities) to directly access the viral code existing on the last cluster on the disk and overwrite it with blanks. Another recommended final clean-up entails running a disk optimizer program that will clean out all unnecessary deleted files. It is important to remember that this virus has infected all .COM and .EXE files, even if they are tagged as deleted. Therefore if an undelete utility is used on these files, the virus can resurface.
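As an added example that is not part of the CIAC bulletin, the Python model below reproduces the mechanism described above on a toy FAT-style volume: the virus is parked in the last cluster, every eligible .COM/.EXE directory entry is pointed at it, and a CHKDSK-style cross-link check is run once with the virus resident (stealth active) and once after a "clean boot". Where the virus keeps each entry's original start cluster (here, in the entry's reserved bytes) and the recovery routine at the end are assumptions of the model, not the bulletin's eradication steps; the eligibility rules (2K to 256K, skip System/Volume/Directory entries, virus in the last cluster) are the bulletin's. The sample volume and its files are constructed in the script.

```python
"""Toy model of the Dir II mechanism (added example, not from the CIAC bulletin):
a directory infector points the first-cluster field of .COM/.EXE entries at one
virus cluster and hides this while resident.  The eligibility rules follow the
bulletin; stashing the real pointer in the entry's reserved bytes and the
recovery routine are this model's assumptions, not the bulletin's steps."""
from dataclasses import dataclass, field

END, CLUSTER = 0xFFF, 1024                     # end-of-chain marker, bytes per cluster
ATTR_SYSTEM, ATTR_VOLUME, ATTR_DIR = 0x04, 0x08, 0x10

@dataclass
class Entry:
    name: str
    size: int
    first_cluster: int
    attrs: int = 0
    reserved: bytes = b"\x00" * 10             # unused bytes of a 32-byte directory entry

@dataclass
class Volume:
    fat: list
    entries: list = field(default_factory=list)
    virus_cluster: int = 0                     # 0 = no virus on the volume
    virus_resident: bool = False               # True = the virus's stealth hooks are active

def make_volume(n_clusters=64):
    """Constructed sample volume; file sizes are chosen so the last cluster stays free."""
    vol = Volume([0] * n_clusters)
    vol.fat[0] = vol.fat[1] = END              # reserved, as in FAT12/16
    for name, size, attrs in [("IO.SYS", 8000, ATTR_SYSTEM), ("COMMAND.COM", 25000, 0),
                              ("EDIT.COM", 3000, 0), ("TINY.COM", 1000, 0),   # <2K: skipped
                              ("README.TXT", 4000, 0), ("WP.EXE", 15000, 0)]:
        need = -(-size // CLUSTER)
        free = [c for c, nxt in enumerate(vol.fat) if nxt == 0][:need]
        for a, b in zip(free, free[1:]):
            vol.fat[a] = b
        vol.fat[free[-1]] = END
        vol.entries.append(Entry(name, size, free[0], attrs))
    return vol

def infectable(e):
    return (e.name.upper().endswith((".COM", ".EXE")) and 2048 <= e.size <= 256 * 1024
            and not e.attrs & (ATTR_SYSTEM | ATTR_VOLUME | ATTR_DIR))

def infect(vol):
    """Park the virus in the last cluster and point every eligible entry at it."""
    last = len(vol.fat) - 1
    vol.fat[last], vol.virus_cluster, vol.virus_resident = END, last, True
    for e in vol.entries:
        if infectable(e) and e.first_cluster != last:
            e.reserved = e.first_cluster.to_bytes(2, "little") + e.reserved[2:]
            e.first_cluster = last

def start_cluster(vol, e):
    """What DIR or a program sees: the real cluster while the stealth is active,
    the redirected one after a clean boot."""
    if vol.virus_cluster and vol.virus_resident and e.first_cluster == vol.virus_cluster:
        return int.from_bytes(e.reserved[:2], "little")
    return e.first_cluster

def chkdsk(vol):
    """CHKDSK-style check: names whose visible start cluster is shared (cross-linked)."""
    seen = {}
    for e in vol.entries:
        seen.setdefault(start_cluster(vol, e), []).append(e.name)
    return sorted(n for names in seen.values() if len(names) > 1 for n in names)

def chkdsk_fix(vol):
    """/F after a clean boot: each cross-linked file is left owning only the shared
    chain, i.e. the 1024-byte virus cluster, and the stashed pointers are wiped."""
    for e in vol.entries:
        if e.first_cluster == vol.virus_cluster:
            e.size, e.reserved = CLUSTER, b"\x00" * 10

def recover_while_resident(vol):
    """Model recovery: with the stealth active, write each entry's true cluster
    back, then free the virus cluster."""
    for e in vol.entries:
        e.first_cluster, e.reserved = start_cluster(vol, e), b"\x00" * 10
    vol.fat[vol.virus_cluster] = 0
    vol.virus_cluster, vol.virus_resident = 0, False

def demo():
    """(cross-links seen while resident, after a clean boot, sizes after /F,
    whether the resident-stealth recovery restored every pointer)"""
    vol = make_volume()
    clean = [(e.name, e.first_cluster) for e in vol.entries]
    infect(vol)
    resident_view = chkdsk(vol)
    vol.virus_resident = False                 # "boot from a clean diskette"
    clean_boot_view = chkdsk(vol)
    chkdsk_fix(vol)
    fixed = {e.name: e.size for e in vol.entries if e.name in clean_boot_view}
    vol2 = make_volume()
    infect(vol2)
    recover_while_resident(vol2)
    return resident_view, clean_boot_view, fixed, [(e.name, e.first_cluster) for e in vol2.entries] == clean

if __name__ == "__main__":
    print(demo())
```

The two CHKDSK runs show the bulletin's point from both sides: with the virus resident, the stealth hands back the real clusters and nothing looks wrong; after a clean boot, every infected program shares one start cluster and is reported as cross-linked, and "fixing" that leaves each of them as a 1024-byte copy of the virus cluster.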
Other Facts About Dir II:
Virus Inadvertently Distributed in Novell Network Support Encyclopedia Update
Problem: 5 1/4 inch diskettes sent from Novell to customers from December 9-16, 1991 contain the Stoned-3 virus.
Platform: PC/MS-DOS systems running Novell Netware software.
Damage: Potential to overwrite boot sector of fixed and floppy disks; potential to create infected floppyless boot image files and thereby propagate the virus via the network.
Solution: Scan all incoming software.
Detection/Eradication: Data Physician Plus, other antiviral packages.
The Stoned-3 virus is a minor variation of the Stoned virus. This virus infects the boot sector of a hard disk or diskette and will sometimes display the message (sic):
"Your PC is now Stoned!.....LEGALISE MARIJUANA!"This virus becomes memory resident and will infect any other disks accessed by the PC while the virus is memory resident. For additional information, please see CIAC Bulletin A-28 for more information on the Stoned virus family, and B-16 for a summary of known viruses.
If you discover that the Stoned virus has infected your PC, it may be removed using the VIRHUNT package licensed to DOE by Digital Dispatch Incorporated. CIAC also recommends that you follow a policy of scanning all new software before using or installing it on your PC. This policy should be followed for all vendor-supplied shrink-wrapped software as well as bulletin board or shareware software, since a few other vendors have inadvertently distributed viruses with packaged software in the past. CIAC recommends that if you are from a DOE site and are not already using an effective anti-viral scanner, you should contact your site's computer security department to obtain a free copy of Data Physician PLUS! (which contains VIRHUNT and several other useful packages). In addition, since new viruses are constantly being discovered, we recommend that you ensure that your anti-viral scanner has been updated to the most recent version. The most recent version of Data Physician PLUS! is V 3.0C.
Name: Michelangelo virus
Platform: MS-DOS computers
Damage: On March 6 will destroy all files on infected disks and diskettes that are accessed.
Symptoms: CHKDSK reports "total bytes memory" 2048 bytes less than expected
Detection: DDI Data Physician Plus! v 3.0C, FPROT 2.01, other anti-viral packages updated since late September 1991
Eradication: DDI Data Physician Plus! v 3.0C, FPROT 2.01, other anti-viral packages updated since late September 1991
A problem can occur if a disk is infected by both the Michelangelo and the Stoned viruses AT THE SAME TIME. Both move the 'original' boot sector to the same location on the disk, so when the second infection occurs, the original clean boot sector is destroyed by being overwritten by the first virus. CIAC recommends a low-level format of the disk if this double-infection occurs, although performing the DOS SYS operation may repair a damaged diskette, and performing the undocumented FDISK/MBR operation (in DOS 5.0 only) may repair a damaged hard disk.
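The double-infection problem described above, together with the relocation slots given for Stoned (head 0, track 0, sector 3 on a diskette) and Brunswick (head 1, track 0, sector 3 on a diskette, BIOS Parameter Block preserved) earlier on this page, can be worked through on a small disk image. The Python model below is an added example, not code from any CIAC bulletin: it uses the floppy slots the bulletins give, assumes Michelangelo shares Stoned's slot (which is what the warning above implies), fills the virus sector with placeholder bytes rather than virus code, and assumes 1.44 MB floppy geometry. It shows that a single infection can be repaired by finding the relocated boot sector, that Stoned leaves the BPB unreadable while Brunswick does not, and that Stoned followed by Michelangelo leaves nothing to restore.

```python
"""Why a boot-sector virus can be undone once, but a second virus using the
same relocation slot destroys the original boot sector.  Added example, not
from the CIAC bulletins.  Slots are the floppy locations the bulletins give
(Stoned: head 0, track 0, sector 3; Brunswick: head 1, track 0, sector 3);
Michelangelo is assumed to share Stoned's slot, as the double-infection
warning implies.  Virus bytes are placeholders; geometry is a 1.44 MB floppy."""
SECTOR = 512
HEADS, SECTORS_PER_TRACK = 2, 18
BOOT_SIGNATURE = b"\x55\xaa"
BPB = slice(11, 62)          # BIOS Parameter Block and extended fields
CODE = slice(62, 80)         # where this model keeps a boot-code marker


def chs_to_lba(cyl, head, sector):
    """BIOS CHS (1-based sector) to a linear sector index."""
    return (cyl * HEADS + head) * SECTORS_PER_TRACK + (sector - 1)


def make_clean_floppy(tracks=2):
    """Small image whose sector 0 looks like a DOS boot sector."""
    disk = [bytearray(SECTOR) for _ in range(tracks * HEADS * SECTORS_PER_TRACK)]
    boot = disk[0]
    boot[0:3] = b"\xeb\x3c\x90"                  # JMP over the BPB
    boot[3:11] = b"MSDOS5.0"
    boot[11:13] = (512).to_bytes(2, "little")    # bytes per sector
    boot[13] = 1                                 # sectors per cluster
    boot[24:26] = (18).to_bytes(2, "little")     # sectors per track
    boot[26:28] = (2).to_bytes(2, "little")      # heads
    boot[CODE] = b"ORIGINAL BOOT CODE"
    boot[510:512] = BOOT_SIGNATURE
    return disk


VIRUSES = {   # name: (slot for the original boot sector, keeps the BPB?)
    "Stoned": ((0, 0, 3), False),
    "Michelangelo": ((0, 0, 3), False),
    "Brunswick": ((0, 1, 3), True),
}


def infect(disk, name):
    """Copy whatever is in sector 0 to the slot, then install the virus in sector 0."""
    (cyl, head, sector), keeps_bpb = VIRUSES[name]
    slot = chs_to_lba(cyl, head, sector)
    displaced = bytes(disk[0])
    disk[slot][:] = displaced
    virus = bytearray(SECTOR)
    virus[0:3] = b"\xea\x05\x00"                 # placeholder entry jump
    virus[CODE] = name.encode("ascii").ljust(18)  # placeholder marker, not virus code
    if keeps_bpb:                                # Brunswick keeps the BPB, Stoned does not
        virus[BPB] = displaced[BPB]
    virus[510:512] = BOOT_SIGNATURE              # BIOS still needs this to boot
    disk[0][:] = virus
    return slot


def bpb_intact(disk, clean_bpb):
    """False means DOS can no longer interpret the floppy (Stoned on 1.44 MB)."""
    return bytes(disk[0][BPB]) == clean_bpb


def find_relocated_boot_sector(disk, clean_bpb):
    """Sectors outside 0 that carry both the 55AA signature and the clean BPB."""
    return [i for i, s in enumerate(disk)
            if i and s[510:512] == BOOT_SIGNATURE and s[BPB] == clean_bpb]


def repair(disk, clean_bpb):
    """Put the original back if exactly one candidate exists; None otherwise."""
    hits = find_relocated_boot_sector(disk, clean_bpb)
    if len(hits) != 1:
        return None
    disk[0][:] = disk[hits[0]]
    disk[hits[0]][:] = bytes(SECTOR)
    return hits[0]


def scenario(*names):
    """Infect a clean image in order; return (BPB still readable, original restored)."""
    disk = make_clean_floppy()
    clean_bpb = bytes(disk[0][BPB])
    for n in names:
        infect(disk, n)
    readable = bpb_intact(disk, clean_bpb)
    restored = repair(disk, clean_bpb) is not None and disk[0][CODE] == b"ORIGINAL BOOT CODE"
    return readable, restored


if __name__ == "__main__":
    for chain in (("Stoned",), ("Brunswick",), ("Stoned", "Michelangelo")):
        print(" then ".join(chain), "->", scenario(*chain))
```

The second infection in the Stoned-then-Michelangelo chain copies the Stoned sector, not the original, into the shared slot, so the repair routine finds no sector that carries the clean BPB and gives up; that is the case in which the bulletin recommends a low-level format, SYS, or FDISK/MBR rather than restoring from the slot.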
CIAC is aware of at least two publicized cases of this virus being inadvertently distributed by vendors. The vendors involved are Leading Edge and DaVinci Systems; both vendors have made an attempt to contact all recipients of the software involved.
CIAC stresses the importance of checking all incoming diskettes with an anti-viral utility, such as VIRHUNT from DDI's Data Physician Plus! package. CIAC recommends that once a system has had a virus eradicated, it be powered down. The computer should then be observed closely throughout the entire boot-up process. Another virus scan should be performed on the machine to ensure that it is devoid of any virus.
Name: MBDF A virus
Platform: Macintosh computers-except MacPlus and SE (see below)
Damage: May cause program crashes
Symptoms: Claris applications indicate they have been altered; some shareware may not work, unexplained system crashes
Detection & Eradication: Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6, VirusDetective 5.0.2, Rival 1.1.10, SAM 3.0
When MBDF A infects the system file, it must re-write the entire system file back to disk; this process may take two or three minutes. If the user assumes the system has hung and reboots the Macintosh while this is occurring, the entire system file will be corrupted and a complete reload of system software must then be performed.
This virus can be safely eradicated from most infected programs, although CIAC recommends that you restore all infected files from an uninfected backup.
MBDF A has been positively identified as present in two shareware games distributed by reliable archive sites: "Obnoxious Tetris" and "Ten Tile Puzzle". The program "Tetricycle" (sometimes named "Tetris-rotating") is a Trojan Horse program which installs the virus. If you have downloaded these or any other software since February 14, 1992 (the day these programs were loaded to the archive sites), CIAC recommends that you acquire an updated version of an anti-viral product and scan your system for the existence of MBDF A.
CIAC would like to thank Gene Spafford and John Norstad, who provided some of the information used in this bulletin.
Problem: Bogus versions of the PKZIP archiving software have been released to Bulletin Board Systems (BBS).
Platform: PCs running PC-DOS, or MS-DOS
Damage: One version attempts to erase the hard disk.
Detection: Look for the files: PKZ201.ZIP, PKZ201.EXE, PKZIPV2.ZIP, or PKZIPV2.EXE
Removal: Save a copy of the files for CIAC, then delete the files. Do not extract or run these files.
At the current time, the released version of PKZIP is version 1.10. A new version of PKZIP is expected to be released in the next few months. Its version number was planned to be 2.00, but may be increased to a number greater than 2.2 to prevent confusion with the bogus versions. PKWARE Inc. has indicated it will never issue a version 2.01 or 2.2 of PKZIP. A good copy of the latest version of PKZIP can always be obtained from the PKWARE BBS listed below.
According to PKWARE Inc. version 2.01 is a hacked version of PKZIP 1.93 Alpha. While this version does not intentionally do any damage, it is alpha level software, and may have serious bugs in it.
Version 2.2 is a simple batch file that attempts to erase your C:\ and C:\DOS directories. If your hard disk has been erased by this program, you may be able to recover it using hard disk undelete utilities such as those in Norton Utilities, or PCTools. Don't do anything that might create or expand a file on your hard disk until you have undeleted the files, as you may overwrite the deleted files which will destroy them. To examine a file to see if it is version 2.2, type it to the screen with the DOS TYPE command. If the file that prints on the screen is a short batch file with commands such as DEL C:\*.*, or DEL C:\DOS\*.* then you have the bogus file.
If you should happen to see any of these files on a BBS, please contact the sysop of that BBS immediately, and ask him to remove them. If you have downloaded one of these files, please save a copy for CIAC, and then delete the files from your hard disk. PKWARE Inc. has also asked to be informed of any occurrences of these files, and can be reached at,
Name: November 17 virus
Aliases: NOV 17, 855
Platform: MS DOS Computers
Damage: On November 17 will destroy hard disk contents
Symptoms: Files grow by 855, 768, 880, or 800 bytes
Detection/Eradication: FPROT 207, Scan V102, Novi
Once resident, the virus infects .COM and .EXE programs when their file attributes are set or read, when the file is opened for read, and when it is loaded and executed. Therefore, if the virus is resident in memory and files are copied from a clean disk, the .EXE and .COM files on that source disk become infected (the open for read is enough) unless the disk is write-protected. The virus is easily transferred across LANs any time an executable file is opened or executed over the LAN. It will not infect files named SCAN.EXE or CLEAN.EXE, and it will not infect files that have the System attribute set. It does not affect data files.
Until March of 1993, there had been no reports of this virus in the United States, and for that reason some anti-virus products do not detect it by name. Some products, such as Data Physician Plus!, do detect when they themselves become infected, at which point a message such as "A virus has been detected, would you like to continue?" may appear on the screen. This message means that the anti-virus product's self-check mechanism has detected a modification to itself; at this point CIAC recommends that you check the machine with a different anti-virus product, or call CIAC for additional information on virus handling.
Due to the nature of this virus's infection mechanism, it is sometimes not possible to remove the infection from a host program. CIAC recommends that if this virus is discovered a copy be kept and then all infected files be deleted and restored from backup.
Name: Satan Bug virus
Platform: MS-DOS/PC-DOS Computers
Type: Memory resident, polymorphic, encrypted
Damage: Infects .COM, .EXE, .SYS, and .OVL files. Damages infected files, makes LANs inaccessible by damaging the LAN drivers.
Symptoms: Files grow at each infection, file dates change, files on LAN file servers become inaccessible.
Detection: DataPhysician Plus 4.0B, Scan V106, Norton AntiVirus 2.1 with August 1993 virus definitions.
To scan a computer infected with a memory-resident virus like the Satan Bug virus, you must boot the computer from a clean (uninfected), write-protected floppy that contains a clean copy of the virus scanner software. Delete any infected files the scanner finds and replace them with fresh copies. See the Appendix for more information.
CIAC wishes to thank Bill Kenny of DDI, Joe Wells of Symantec and David Proulx of NAVCERT for their help in preparing this bulletin.
Encrypted viruses store this piece of the normal program within the virus code and then encrypt the virus code. For an anti-virus program to be able to patch an infected program, it must be able to decrypt the encrypted virus to find the piece of missing code so that it can be put back where it belongs. The Satan Bug virus has up to nine levels of encryption, the level being different for each infection. Decrypting this much code is a very difficult process, so most anti-virus programs are not expected to be able to repair programs infected with the Satan Bug virus.
On the other hand, some file signature scanning programs may save enough of the scanned files to be able to repair an infected program. The Data Physician Plus package does save a sufficient amount of information to be able to repair a program infected with the Satan Bug virus. However, you must have created the file signature file before your program was infected. Again, if at all possible, you should always replace infected files rather than repairing them to ensure that you have undamaged copies.
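The two paragraphs above describe the idea behind a file signature file: a record of each program's size, date and contents taken while the programs are known to be clean, against which later scans are compared. The following is an added illustration of that technique, written for this bulletin; it is not code from CIAC, Data Physician Plus or any other product named here. It records size, whole-second modification time and a SHA-256 digest for the executable types the Satan Bug entry lists (.COM, .EXE, .SYS, .OVL), saves them to a JSON signature file, and reports files that have grown, changed date or contents, vanished, or appeared. The directory names, file names and file contents in the demo are constructed for the example.

```python
import hashlib
import json
import os
import tempfile

# Extensions the bulletin lists as Satan Bug targets (.COM, .EXE, .SYS, .OVL).
WATCHED_EXTENSIONS = {".com", ".exe", ".sys", ".ovl"}


def file_signature(path):
    """Return size, whole-second modification time and SHA-256 for one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def build_baseline(root):
    """Map each watched executable under root (by relative path) to its signature."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in WATCHED_EXTENSIONS:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = file_signature(full)
    return baseline


def save_baseline(baseline, signature_file):
    """Write the signature file; it must be taken while the programs are known clean."""
    with open(signature_file, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(signature_file):
    """Read a signature file written by save_baseline."""
    with open(signature_file, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare_to_baseline(root, baseline):
    """Report files that changed (with growth in bytes), vanished, or appeared since the baseline."""
    current = build_baseline(root)
    findings = []
    for rel, old in sorted(baseline.items()):
        new = current.get(rel)
        if new is None:
            findings.append({"file": rel, "status": "missing"})
            continue
        changed = [k for k in ("size", "mtime", "sha256") if old[k] != new[k]]
        if changed:
            findings.append({"file": rel, "status": "modified",
                             "changed": changed, "growth": new["size"] - old["size"]})
    for rel in sorted(current):
        if rel not in baseline:
            findings.append({"file": rel, "status": "new"})
    return findings


def demo():
    """Constructed scenario: two dummy executables and a text file; one executable later grows."""
    with tempfile.TemporaryDirectory() as root:
        epoch = 1_000_000_000  # constructed fixed timestamp keeps the demo deterministic
        sample = {
            "EDIT.COM": b"\xb8\x00\x4c\xcd\x21" * 40,  # constructed bytes, not a real program
            "NET.SYS": b"\x00" * 256,
            "NOTES.TXT": b"not an executable, so not watched",
        }
        for name, body in sample.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.utime(path, (epoch, epoch))

        signature_file = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), signature_file)

        # Simulate the symptoms the bulletin describes: the file grows and its date changes.
        victim = os.path.join(root, "EDIT.COM")
        with open(victim, "ab") as fh:
            fh.write(b"\x90" * 512)  # constructed padding standing in for appended code
        os.utime(victim, (epoch + 60, epoch + 60))

        baseline = load_baseline(signature_file)
        return baseline, compare_to_baseline(root, baseline)


if __name__ == "__main__":
    _baseline, _findings = demo()
    for finding in _findings:
        print(finding)
```

The baseline is only as trustworthy as the machine it was taken on, which is why the bulletin insists the signature file be created before infection and the scan be run from a clean, locked floppy: a memory-resident virus could otherwise present clean copies of the files it has modified. Note that a digest mismatch tells you a file changed, not what changed; replacing the file from known-good media remains the recommended fix.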
Problem: The Macintosh nVir A virus has been found in the "README." file on the Journal of Vacuum Science & Technology CD-ROM Vol.12 1Q94.
Platform: Macintosh, all versions of the operating system. This virus has no effect on the MS-DOS files also on the disk.
Damage: The virus can easily infect your computer.
Solution: Check with publisher, do not execute "README." file.
Vulnerability Assessment: This CD-ROM is included as part of the American Vacuum Society's (AVS) journal distribution, and is distributed to members of the AVS. The virus is not overtly damaging, but does damage the system and applications during infection.
The CD-ROM can be identified by the following titles printed on the disk:
A title in large bold type: "JVST A&B Vol. 12 1Q94"
A subtitle in small type: "JVST-A Vol 12(1) and 12(2) JVST-B, Vol 12(1)"
The infected file is "README." in the root directory of the CD-ROM, which is a DOCMaker Stand-Alone document reader application. This is the file the instruction manual tells you to run to view or print the user manual; however, doing so will infect the system file of your Macintosh.
This disk can also be read via a PC using DOS or Windows, but those systems will be unaffected, because the nVir A virus is specific to the Macintosh operating system.
The nVir A virus is a virus that at first only replicates, but after a certain amount of executions it has a small chance of saying "Don't Panic" if MacinTalk is installed, or having the computer beep if MacinTalk is not installed. It is not an intentionally destructive virus, but does damage the system and applications during the infection process. Infected systems occasionally crash, and printing is often delayed or damaged.
CIAC recommends that if you have received this CD-ROM, you immediately mark it as containing a Macintosh computer virus, and do not run the "README." file in the root directory. If you are using this disk on a PC system, you do not need to worry as the PC files on this disk are not infected. If you have already run this infected file, get a copy of an anti-virus program such as Disinfectant, and scan your hard disk for infected files. Replace all the infected files that you can, and repair those that you cannot replace. If your hard disk has been infected, you must scan every floppy disk that has been in your system since the infection occurred.
Even though the CD-ROM contains an infected file, the file can only infect your system if it is executed. The other files on the disk can still be installed and used without causing an infection. To install the Adobe Acrobat document reader on your Macintosh, run the Installer program in the JVST_94:install:mac:reader folder. To install the search utility, run the JVST_INSTALL;1 program in the JVST_94:install:mac:wordkeep directory. You can also view the README.DOC file, which contains the instructions for using the PC and Windows versions of the reader, using a word processor. Only the "README." file must be avoided.
If you must access the data in the infected "README." file, carefully copy the file to a floppy disk and repair it using an anti-virus utility such as Disinfectant, and then scan it again to ensure it has been repaired. If the repaired file is no longer infected, you may then run it to view the document. Again, do not run the copy of the "README." file that is on the CD-ROM, as it is still infected, and cannot be repaired due to the read-only nature of the CD-ROM.
The publisher has sent a letter to all known recipients of this CD-ROM distribution explaining this problem.
CIAC wishes to thank Judy Lim, Rick Stulen and Art Pontau of Sandia National Labs for first bringing this to our attention and for supplying us with a copy of the CD-ROM. CIAC also wishes to thank the ASSIST team for helping us to contact the publishers of this journal.
Problem: A Trojan-horse program, CD-IT.ZIP, masquerading as an improved driver for Chinon CD-ROM drives, corrupts system files and the hard disk.
Platform: All MS-DOS and PC-DOS machines.
Damage: Once in memory, the program destroys system files, requiring a format of the infected drive to correct.
Solution: Do not execute the program in CD-IT.ZIP.
Vulnerability Assessment: The program is not dangerous if not run, but can cause serious damage to a hard drive if it is. As of this date, we don't know of any anti-virus software that recognizes it.
TORRANCE, CALIFORNIA, U.S.A., 1994 APR 29 (NB) -- A new "Trojan Horse" computer virus is on the Internet and is labeled with the name of the fourth largest manufacturer of compact disc read-only memory (CD-ROM) drives. Chinon America, Incorporated, the company whose name has been improperly used on the rogue program, is warning IBM and compatible personal computer (PC) users to beware of the program known as "CD-IT.ZIP."

CIAC recommends that if you find a copy of the file CD-IT.ZIP, you do not install it on your computer. If you have already installed and run the file, shut down your machine immediately. Check with your anti-virus vendor to see if they have a scanner/repair utility available. If not, boot from a clean, locked floppy. If you can still access your hard disk, back up any important files that were not included in your last backup, reformat the drive and restore it from your last backup.

A Chinon CD-ROM drive user brought the program to the company's attention after downloading it from a Baltimore, Maryland Fidonet server. One of the clues that the virus, masquerading as a utility program, wasn't on the up-and-up was that it purports "to enable read/write to your CD-ROM drive," a physically impossible task.
CD-IT is listed as authored by Joseph S. Shiner, couriered by HDA, and copyrighted by Chinon Products. Chinon America told Newsbytes it has no division by that name. Other clues were obscenities in the documentation as well as a line indicating that HDA stands for Haven't Decided a Name Yet.
David Cole, director of research and development for Chinon, told Newsbytes that the company knows of no one who has actually been infected by the program. Cole said the virus isn't particularly clever or dynamic, but none of the virus software the company tried was able to eradicate the rogue program. Chinon officials declined to comment on what antivirus software programs were used.
If CD-IT is actually run, it causes the computer to lock up, forcing a reboot, and then stays in memory, corrupting critical system files on the hard disk. Nothing but a high-level reformat of the hard disk drive will eradicate the virus at this point, a move that sacrifices all data on the drive. It will also corrupt any network volumes available.
"We felt that it was our responsibility as a member of the computing community to alert Internet users of this dangerous virus that is being distributed with our name on it. Even though we have nothing to do with the virus, it is particularly disturbing for us to think that many of our loyal customers could be duped into believing that the software is ours," Cole explained.
Chinon is encouraging anyone who might have information that could lead to the arrest and prosecution of the parties responsible for CD-IT to call the company at 310-533-0274. In addition, the company has notified the major distributors of virus protection software, such as Symantec and McAfee Associates, so they may update their programs to detect and eradicate CD-IT.
(Linda Rohrbough/19940429/Press Contact: Rolland Going, The Terpin Group for Chinon, tel 310-798-7875, fax 310-798-7825; Public Contact: Chinon, CD-IT Information, 310-533-0274)
CIAC is currently obtaining a copy of this Trojan from Chinon, and will make any new information about this Trojan available in a future copy of CIAC Notes.
CIAC would like to thank Chinon America for the information contained in this advisory and Brian Lev of NASIRC for forwarding it to us.
Problem: A new computer virus is preventing systems from booting.
Platform: All MS-DOS, PC-DOS, Windows systems.
Damage: May damage executable files and make systems unbootable.
Solution: Update your Anti-Virus program to detect/remove the virus.
Vulnerability Assessment: The KAOS4 virus is becoming widespread after being posted to a USENET newsgroup. The virus has been seen at multiple locations within the DOE community. The virus does not appear to be intentionally damaging, but does render systems unbootable until the system files can be replaced. Most current virus scanners must be revised to detect it.
The most common symptom of an infection from this virus is that infected machines become unbootable. Unfortunately, that is a common symptom of many other problems, including hardw