The Columbus Day Virus has been isolated and may actually be one of a series of related viruses. It most closely resembles the DataCrime Virus. Contrary to speculation in a recent Federal Computing Weekly article, however, the Columbus Day Virus does not appear to be closely related to the Icelandic or West German virus. The Columbus Day Virus searches through the DOS directory for .COM files other than COMMAND.COM. It attaches to the end of a .COM file, which increases the size of the file by 1168 bytes. The virus infects any given .COM file only once. However, it will infect any uninfected .COM file that it encounters. If the virus executes, it will display the message:
DATACRIME VIRUS
RELEASED: 1 MARCH 1989
and then do a low-level format on track zero. Since this is the boot area of the disk, the hard disk will be unbootable.
Detection of this virus is difficult because ASCII strings in the virus code are encrypted. Therefore, utilities that search files for particular ASCII strings are useless. There are two methods you can use to detect this virus. The first method is to check for a size increase of 1168 bytes in .COM files. Another possible method is to use VIRUSCAN* (see below), which should report the existence of this virus as well as several other viruses. If a machine is infected, users must copy over all infected .COM files using their original .COM files. This must be accomplished at one sitting to prevent re-infection. You should also examine backups to see if they are infected. You should repeat whatever detection method you decide to use every time you load a new .COM file or database into your PC or PC clone.
If the boot sector is destroyed, it can be restored with Disk Doctor, a utility in Norton Utilities Version 4.5 (Advanced Edition). Note that a restoration is possible only if the Disk Doctor utility had been previously run.
The DOE Center for Computer Security at Los Alamos has recently published a pamphlet, Computer Viruses and the Personal Computer User (CCS-89-03). CIAC recommends that you read and follow the excellent guidelines contained in this pamphlet.
Because VIRUSCAN is produced and distributed by a commercial developer, CIAC cannot at this time send copies of this software directly to you. To obtain a copy of VIRUSCAN, you need to send $15 with your name, address and phone number to:
The Computer Incident Advisory Capability (CIAC) has been helping several sites deal with a new strain of the Jerusalem/Israeli/Friday the 13th virus which infects IBM PCs and PC clones. This new strain, the "Little Black Box" virus, causes a small black box to appear in the lower left quadrant of the screen. The virus adds 1808 bytes to an .exe file every time an application is executed until the executable image is too large to fit into memory or disk space is exhausted. This causes poor system performance. This virus will also add 1813 bytes to .com files, one at a time. This causes parity errors which disrupt EGA and CGA screens.
This "Little Black Box" virus does not destroy files. It does, however, spread quickly. The most common way viruses are spread is through exchanging removable media. Please advise personnel at your site to follow your procedures which prevent virus infections.
The nVIR virus has recently infected significant numbers of Macintosh systems at several DOE sites. There are different strains of this virus. Each strain causes somewhat different symptoms such as printing errors on laser printers, slow system response time, or unpredictable system crashes.
The exact mechanisms by which nVIR spreads have recently been determined. Removable media (e.g., disks) are the primary means by which nVIR spreads. Thus, if a disk used in an infected Macintosh is removed and inserted in a second Macintosh, the other machine will become infected if any application on that disk is executed in the second machine. In addition, any method used to transfer programs between Macintoshes will spread the nVIR virus. This includes transfer via shareware over a network. However, nVIR cannot spread via a print network's hardware.
nVIR is initially difficult to detect. It spreads quickly and frequently affects backups before eradication procedures can be initiated.
Disks brought in from off-site are the most common source of nVIR infections. Unauthorized copies of commercial software brought from off-site or exchanged within a site also present a substantial risk of nVIR infection. Vendor demonstration programs are another suspected source of the nVIR virus.
We urge you first of all to review your site's policy on sharing disks and using and distributing non-licensed software. Another essential damage prevention measure is to have good anti-viral software available at your site. CIAC recommends that you test any suspect disk with Disinfectant 1.2, a freeware package which also eradicates viruses. Virus Detective, a shareware package, also tests disks to see if they are clean of nVIR and several other viruses. Although it is tedious to use, Gatekeeper, another shareware program, will provide several protection mechanisms. It is important to educate users about the importance of using only software from trusted sources to reduce the possibility of virus infections. Finally, CIAC recommends that your site uses dedicated machines for on-site vendor demonstrations.
The Columbus Day family of viruses will infect applications on IBM Personal Computers (PCs) and Compatibles. Execution of an infected program will cause the virus to replicate to other applications. When the system date is between October 13th and December 31st of any year and the computer has a hard disk, the virus strikes and displays the message:
DATACRIME VIRUS
RELEASED: 1 March 1989
Simultaneously, the virus makes the hard disk unreadable. Recovery after the virus has altered the disk is extremely difficult. The enclosed procedures will help to assure non-interrupted use of affected computers.
This memo contains recommendations that users of an IBM personal computer or compatible computers (PC) may follow to prevent loss of information due to this virus. Also included are technical procedures on how to detect, protect, eradicate and recover from the Columbus Day family of viruses. A survey form is provided to aid the CIAC team in collecting data concerning the spread of this virus. It is requested that this form be completed at each site and returned to CIAC as soon as possible.
You may have seen a report about this topic on CNN or read about it in your local newspaper. However, all indications at this time are that these viruses are not as widespread as other viruses affecting IBM PCs and PC compatibles. The Computer Virus Industry Association (CVIA) reports that infections have been minimal. This data is collected from reports by programs like VIRUSCAN, and represents a very large sampling of the community. However, as with all viruses we should be prepared. If the DATACRIME virus attacks your machine it could do serious damage. Good backups are essential.
The DATACRIME (V1 and V2) family of viruses will infect one .COM file each time an infected program is executed. DATACRIME II will infect both .COM and .EXE files. It does this by searching the current directory and all sub-directories on the "C:" drive for a file to infect. If it fails to find a file, it will search other drives on your machine for a candidate file. The virus will not infect any file with "D" as the seventh letter of its name; thus, COMMAND.COM will not be infected. Each time the virus is run it checks the current date. If the date is between October 13th and December 31st of any year and the computer has a hard disk it displays the message:
DATACRIME VIRUS
RELEASED: 1 March 1989
Simultaneously, the virus formats the first 8 tracks of cylinder 0 of the hard disk. This will effectively destroy the partition table, master boot track, the boot record, the File Allocation Table (FAT), and a portion of the root directory. Recovery at this point will be very difficult and will require a low level format. Due to the way the virus executes, its behaviors range from no action to complete data loss of the hard disk. We stated in the previous memo on the Columbus Day Virus that you may be able to do a partial recovery with, for example, Disk Doctor, in Norton Utilities Version 4.5. As we examined the virus we determined that there is only a very small chance of recovery by this method. Prevention and backups are the best course.
The CIAC recommends that each PC user follow the procedures below:
First, back up your hard disk, most importantly the data. These viruses can't propagate through data files and you can always restore your applications from the distribution disks, but if your data is important to you, you should back it up now.
Now that you've backed up your data you can try to detect the virus. Utilities that search files for particular ASCII strings are ineffective, since the ASCII strings in the virus code are encrypted. There are several methods you can use to detect this virus. The first method, while labor intensive, doesn't require any special software. Check for any increase in the size of your .COM or .EXE files. The virus will not infect COMMAND.COM so examine other executable files, for example, FORMAT.COM, CHKDSK.COM, FIND.EXE and PRINT.COM.
Note that there are other reasons why the file size may not match. For example, you may have updated to a newer version of a program, or you are running Data Physician which changes the size of the file. However, a size change should signal that you need to investigate further.
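The size-comparison method above (and the same check recommended for the Columbus Day Virus earlier in this compilation) is easy to automate. The following is an added example, not a CIAC tool: it records the size of every .COM and .EXE file, compares a later scan against that baseline, and singles out a .COM file that grew by exactly 1168 bytes and whose seventh letter is not "D" (the files the bulletin says the virus will target). The file names and sizes in the sample lists are constructed for the demonstration.

```python
import os
import tempfile

# Growth the bulletins give for a .COM file infected by DATACRIME / Columbus Day.
DATACRIME_COM_GROWTH = 1168

# Constructed sample size lists (sizes are invented for the demo, not real DOS files).
SAMPLE_BASELINE = {
    "FORMAT.COM": 11671, "COMMAND.COM": 25307, "CHKDSK.COM": 9819,
    "FIND.EXE": 5983, "PRINT.COM": 8995, "REBUILD.COM": 5000,
}
SAMPLE_CURRENT = {
    "FORMAT.COM": 12839,     # grew by exactly 1168 bytes
    "COMMAND.COM": 25307,    # unchanged, as the bulletin predicts
    "CHKDSK.COM": 10119,     # grew by 300 bytes: update? Data Physician? investigate
    "FIND.EXE": 5983, "PRINT.COM": 8995,
    "REBUILD.COM": 6168,     # grew by 1168, but its seventh letter is "D" (virus skips it)
    "NEWTOOL.COM": 4000,     # not in the baseline at all
}


def would_be_skipped(filename):
    """DATACRIME leaves alone any file whose seventh character is 'D'
    (that is how COMMAND.COM escapes infection)."""
    name = os.path.basename(filename).upper()
    return len(name) >= 7 and name[6] == "D"


def executable_sizes(root):
    """Record {NAME: size} for every .COM and .EXE file under root: the
    baseline the bulletin expects you to keep by hand."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper().endswith((".COM", ".EXE")):
                path = os.path.join(dirpath, name)
                sizes[os.path.relpath(path, root).upper()] = os.path.getsize(path)
    return sizes


def compare_sizes(baseline, current):
    """Classify each executable. Returns {NAME: (old_size, new_size, verdict)}
    with verdict in: ok, new, missing, size changed, datacrime-sized growth."""
    report = {}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            verdict = "new"
        elif new is None:
            verdict = "missing"
        elif new == old:
            verdict = "ok"
        elif (new - old == DATACRIME_COM_GROWTH and name.endswith(".COM")
              and not would_be_skipped(name)):
            verdict = "datacrime-sized growth"
        else:
            verdict = "size changed"   # could be an update or Data Physician; look closer
        report[name] = (old, new, verdict)
    return report


def needs_investigation(report):
    """Names whose size moved in any way; a change is a signal, not proof."""
    return [n for n, (_o, _n, v) in report.items()
            if v in ("datacrime-sized growth", "size changed")]


def demo_directory_scan():
    """End-to-end run on a scratch directory of constructed files: take a
    baseline, append 1168 filler bytes to FORMAT.COM, rescan and compare."""
    with tempfile.TemporaryDirectory() as root:
        for name, size in SAMPLE_BASELINE.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"\x90" * size)                # NOP filler, not real program code
        baseline = executable_sizes(root)
        with open(os.path.join(root, "FORMAT.COM"), "ab") as f:
            f.write(b"\x00" * DATACRIME_COM_GROWTH)    # stand-in for the appended bytes
        return compare_sizes(baseline, executable_sizes(root))


if __name__ == "__main__":
    for name, (old, new, verdict) in compare_sizes(SAMPLE_BASELINE, SAMPLE_CURRENT).items():
        print(f"{name:14} {str(old):>7} -> {str(new):>7}  {verdict}")
    print("investigate:", needs_investigation(demo_directory_scan()))
```

Run the script once on a clean machine and keep the resulting size list somewhere the virus cannot reach (a write-protected diskette); rerun it after every new program is loaded, as the bulletin advises. A "size changed" verdict is only a prompt to look further, for the reasons given in the paragraph above.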
Another possible method is to use a commercial product that will detect these viruses. This includes products like Flu-Shot+, VIRUSCAN, or Data Physician, which should report the existence of these viruses as well as certain other viruses.
If you find you are infected but DATACRIME hasn't struck yet, DON'T PANIC. Do the following: Copy the infected files to a diskette, clearly label it as a virus and protect this disk. We need copies of all DATACRIME viruses that infect DOE machines, so please call the CIAC for instructions on how to handle this sample. You must completely rid your machine of this virus. The procedure below is believed to be necessary because current eradication programs cannot guarantee 100% recovery.
Again, make sure that you have backed up all your data. Ensure that there are no system or application files (any file that ends in .COM or .EXE) on your backup floppies. The next step will destroy all information on the hard disk, so ensure that your backups and distribution disks are safe. Follow the necessary procedures to format your hard-drive. Seek expert assistance if you are not familiar with how to carry out this procedure.
Now take out your original disks and write protect each one of them. If you have a virus detection program that works, run it on the application disks to ensure they are virus-free. Reinstall all of your applications from the original virus-free distribution disks. You should examine all of your floppies and backups that contain applications or system files to prevent reinfection. Remember, one infected file will reinfect your system.
The Norton Public Domain Virus Utility, PD Edition 5.50, (C) 1989
Peter Norton
Your System has been infected with a Christmas virus! Selected
files were just eliminated! Without these files, you might as well
use your computer as a damn, boat anchor! If you do NOT own a
boat, you may want to replace the files which were just erased.
Try to determine which files they were. HARDY HA! HA! HA! HOW
DO YOU FEEL NOW; YOU IDIOT? MERRY CHRISTMAS AND HAPPY NEW YEAR!
If your system has the trojan horse, you will obtain a report similar to the
following when using PKUNZIP (a utility which separates and decompresses
files):
   1065  Implode    650  39%  10-04-89  12:26  9778978d  --w  READ-ME.NOW
  38907  Implode  30156  23%  10-02-89  11:57  c333dec0  --w  NORTSHOT.EXE
  -----           -----  ---                                  ------------
  39972           30806  23%                                             2
NORTSTOP.ZIP and NORTSHOT.ZIP are not viruses. They will not replicate themselves and spread from machine to machine. Once you have removed this trojan horse, it can only be reintroduced by copying the files once again from public sources.
Types: WDEF A, WDEF B
Platform: Apple Macintosh
Damage: No intentional damage, see symptoms.
Symptoms: The virus can cause:
At this time there appear to be two strains of WDEF, WDEF A and WDEF B. These strains are similar except that WDEF B beeps every time it infects a new Desktop file.
Disinfectant 1.3 , Vaccine 1.0.1, GateKeeper 1.1.1, Symantec's SAM Intercept 1.10, and HJC's Virex INIT 1.12 do not detect WDEF, although new versions of many of these products which claim to be able to detect WDEF are rapidly being developed. Please also note that Disinfectant 1.4 detects only one strain of the WDEF virus.
There recently has been considerable attention in the news media about a new trojan horse which advertises that it provides information on the AIDS virus to users of IBM PC computers and PC clones. Once it enters a system, the trojan horse replaces AUTOEXEC.BAT, and may count the number of times the infected system has booted until a criterion number (90) is reached. At this point PC CYBORG hides directories and scrambles (encrypts) the names of all files on drive C:. There exists more than one version of this trojan horse, and at least one version does not wait to damage drive C:, but will hide directories and scramble file names upon the first boot after the trojan horse is installed.
At first PC CYBORG was distributed only in Europe, although several PC CYBORG infections have recently been reported in the U.S. No DOE site has been affected yet, and the probability of a widespread infection of this trojan horse throughout DOE is extremely small. This trojan horse is introduced into systems through a disk called the AIDS Information Introductory Diskette, which has been mailed to a mailing list which the author(s) of this trojan horse obtained. PC CYBORG is a trojan horse, not a virus, and thus is limited in ability to spread. This information bulletin is being distributed in response to questions raised because of the considerable media attention the trojan horse has received, more than because of a genuine threat to systems.
If you receive a disk in the mail which purports to provide information on AIDS, do not load the disk into your computer. Please save the disk, and contact CIAC immediately. If you have already run this disk, please also call CIAC as soon as possible. It is important to leave your PC on if it is currently on, or leave it off if it is currently off. Failure to do so may result in loss of your data, or make recovery more difficult. CIAC has developed recovery procedures, which are too lengthy to publish in this bulletin.
CIAC information bulletin A-15 describes vulnerabilities within Apple MACs. Please contact CIAC for further information.
Note: This bulletin has been superseded by CIAC Bulletin B-16.
CIAC Information Bulletin A-9 reported the existence of the WDEF virus on Macintosh computers. The purpose of this bulletin is to provide additional information about eradicating this virus.
Disinfectant 1.5 and the most recent version, Disinfectant 1.6, are capable of detecting and eradicating WDEF, but are not designed to prevent the spread of WDEF during its execution. If an infected disk is inserted into the Macintosh while Disinfectant is running (for the purposes of eradicating WDEF), WDEF will infect ANY OTHER UNLOCKED MOUNTED VOLUMES. If Disinfectant is to be used to eradicate a WDEF infection, CIAC recommends the following procedure:
Types: Only one known variant: CORETEST.COM VERSION 2.6, 32469 bytes, timestamp 6-6-86 9:44
Platform: IBM PC and PC clones running MS DOS or IBM-PC DOS
Damage: Varies from slow program execution to low level formatting of disk
Symptoms: A variety of disruptions and/or damage, based on a random number between one and twelve. Affects system performance, writing to screen, clock, printer and/or keyboard malfunctions, random disk writes, garbled printer output, boot sector, File Allocation Table (FAT) or directory overwrites, and a low level format of select tracks on the hard disk. Other symptoms include the floppy disk motor continuously running, FAT, directory and/or boot sector damaged diskettes.
Detection: Examine the Master Boot Record (MBR) for the message:
SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC
2840 St. Thomas Expwy, Suite 201
Santa Clara, CA 95051
(see important note below) or search the MBR and memory for the following hex string:
e4 61 8a e0 0c 80 e6 61
If you suspect a program, you can use the search string:
64 02 31 94 42 01 d1 c2 4e 79 f7
Caution: These search strings are based on the trojan program examined by the discoverer. If there are modifications to this program, the above search strings may not work.
Eradication: Remove trojan program by deleting. To recover from a corrupt MBR, back-up current data files and programs, perform a low level format and restore data files and programs from a recent backup.
CIAC has been alerted that there may be a new trojan horse called the Twelve Tricks Trojan Horse. CIAC has not been able to obtain a copy of this program, and cannot at this time confirm the information contained in this bulletin. This trojan program affects computers running the MS DOS operating system or common variants (IBM PC-DOS etc.). It can produce a variety of disruptions and/or damage, including a slowdown of system performance, blanking or jerky motion in the scrolling window, clock, printer and/or keyboard malfunctions, random disk writes, garbled printer output, boot sector, File Allocation Table (FAT) or directory overwrites, and a low level format of select tracks on the hard disk. Other symptoms include the floppy disk motor continuously running, FAT, directory and/or boot sector damaged diskettes. The particular damage which occurs depends on a random number between 1 and 12 that the trojan program generates.
SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC
2840 St. Thomas Expwy, Suite 201
Santa Clara, CA 95051
Important Note: There is absolutely no evidence to link the origin of
this trojan horse to any company or organization, such as the one mentioned
above. The motivation of the author of this trojan horse to mention the company
listed above is currently unknown.
There are several additional ways to detect the trojan. The following hexadecimal string can be found in the MBR of infected machines:
e4 61 e0 0c 80 e6 61
The above string can also be found at location 0:38b in memory if you have booted from a corrupted MBR. You can use Debug as a search tool.
A useful search string to detect the source program (containing the trojan horse) is
be 64 02 31 94 42 01 d1 c2 4e 79 f7
Trojan programs can be removed by simply deleting them. If you find the string above in the MBR or in memory at 0:38b, you need to boot from a clean DOS diskette and replace the partition record. DO NOT use Fdisk to do this unless you are prepared for Fdisk to zero your FAT and directory; you will lose all your data that way. One way would be to do a file-by-file backup, low-level format to get rid of the trojan MBR, then Fdisk Format and restore your data files and programs from your backup.
We have recently received and analyzed a trojan that we believe warrants an urgent alert. We are calling it the Twelve Tricks trojan, and it is very interesting, very nasty, and quite complex. This message is not meant to be a complete description of the trojan - we feel that it is important to get a warning out quickly, rather than aim for completeness. It is not a virus.
The trojan consists of a program (more about this aspect later) which you run; running the program, as well as the obvious things that the program is expected to do, also replaces the partition record (also called the Master Boot Record, or MBR) on your hard disk with its own version. This can easily be recognized by inspecting the hard disk at cylinder zero, head zero, sector one, which can be done with a disk sector editor such as Peeka. If the partition has this trojan in place, it will contain the following text near the beginning:
SOFTLoK+ V3.0 SOFTGUARD SYSTEMS INC 2840 St. Thomas Expwy, Suite 201 Santa Clara, CA 95051 (408) 970-9420
At this point, let us state that we believe that the company mentioned above has nothing whatsoever to do with the trojan; perhaps the trojan author has a grudge against them.
The trojan uses a far call to the hard disk Bios code in order to plant this partition. To do this, it must know the location in memory of the entry point; it tries five different ones, one of which is the one documented in the IBM PC-XT Technical reference manual, and the other four are presumably fairly common alternatives.
The purpose of planting the trojan with a far call is, we believe, to escape detection by Active Monitor programs that protect a computer by monitoring the interrupt table, and preventing unauthorized writes to system areas on the hard disk. Since the Twelve Tricks doesn't use an interrupt to plant the MBR, such programs won't be able to prevent it. We tested this using Flushot+, probably the most successful of the Active Monitors, and Twelve Tricks went straight through it - the same would be true, we think, of any other Active Monitor.
The Replacement MBR
When the MBR is run, which is every time you boot from the hard disk, Twelve Tricks copies 205 (d7h) bytes of itself onto locations 0:3000h to 0:3d6h. This overwrites part of the interrupt vector table, but it is a part that doesn't get used very much. This means that these d7h bytes are memory resident without having to use any of the TSR calls of Dos, and without having to reserve part of high memory. Reserving part of high memory is the usual ploy used by Boot Sector Viruses, but the drawback of that route is that you might notice that a few kb from your 640 kb has disappeared (CHKDSK would reveal this). The method used by Twelve Tricks would not show up as a loss from your 640 kb.
When the computer is started up, a random number generator determines which of the Twelve Tricks will be installed. It does the installation by replacing one of the interrupt vectors with a vector that points to the Twelve Tricks own code, and then chains on to the original code. The twelve tricks are:
- Insert a random delay loop in the timer tick, so that 18.2 times per second, the computer executes a loop that is randomly between 1 and 65536 long (different each time it is executed). This slows the machine down, and makes it work rather jerkily.
- Insert an End-of-Interrupt in the timer tick. This interferes with the servicing of hardware interrupts, so for example, the clock is stopped, TSRs that depend on the timer tick don't work, and the floppy motor is permanently on.
- Every time a key is pressed or released, the timer tick count is incremented by a random number between 0 and 65535. This has a variety of effects; programs sometimes won't run, when you type "TIME" you get "Current time is divide overflow", and copying files sometimes doesn't work.
- Every time interrupt 0dh is executed, only do the routine three times out of four. Interrupt 0dh is used on PCs and XTs for the fixed disk, on ATs for the parallel port.
- Every time interrupt 0eh is executed, only do the routine three times out of four. Interrupt 0eh is used for the floppy disk.
- Every time interrupt 10h is called (this is the video routine), insert a delay loop that is randomly between 1 and 65536 long (different each time it is executed). This slows the video down, and makes it work rather jerkily and/or slowly.
- Every time the video routine to scroll up is called, instead of the requested number of lines being scrolled, the entire scrolling window is blanked.
- Every time a request is made to the diskette handler, it is converted into a write request. This means that the first time you try to read or write to a diskette, whatever happens to be in the buffer will be written to the diskette, and will probably overwrite the boot sector, FAT or directory, as these must be read before anything else can be done. If you try to read a write protected diskette, you get "Write protect error reading drive A.". If you do a DIR of a write enabled diskette, you get "General Failure...", and if you inspect the diskette using a sector editor, you'll find that the boot and FAT have been zeroed or over-written.
- Every time interrupt 16h is called (READ THE KEYBOARD) the keyboard flags (Caps lock, Num lock, shift states etc) are set randomly before the keystroke is returned. This means that at the Dos prompt, the keyboard will only work occasionally. Programs that poll interrupt 16h will be unusable. Holding down the Del key will trigger a Ctrl-Alt-Del.
- Everything that goes to the printer is garbled by xoring it with a byte from the timer tick count.
- Every letter that is sent to the printer has its case reversed by xoring it with 20h. Also, non-alpha characters are xored, so a space becomes a null, and line feeds don't feed lines.
- Whenever the Time-of-Day interrupt (1ah) is executed, do an End-of-Interrupt instead. This means that you can't set the system clock, and the time is set permanently to one value.
These are the twelve tricks. In addition there are two more things that the trojan does. It uses a random number generator; one time out of 4096, it does a low level format of the track that contains the active boot sector; this will also destroy part of the first copy of the FAT. You can recover from this by creating a new boot sector, and copying the second copy of the FAT back over the first copy. After it does the format, it will display the message "SOFTLoK+ " etc. as above, and hang the computer.
If it doesn't do the format, it makes a random change to a random word in one of the first 16 sectors of the FAT, which will make a slight and increasing corruption in the file system. This is perhaps the worst of the things that it does, as it will cause an increasing corruption of the files on the disk.
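Both of the extra behaviours just described (the format that destroys part of the first FAT copy, and the random word change in the FAT) leave the two FAT copies on the volume disagreeing with each other, while the DOS of the day never compared them. The following is an added example, not a tool from the bulletin: it reads the BIOS Parameter Block of a raw volume image, locates both FAT copies, reports every 16-bit word on which they differ, and performs the recovery the bulletin names (copying the second FAT back over the first). The FAT12 image it works on is constructed inline; the corrupted word offset and the 0xDEAD value are invented for the demonstration.

```python
import struct


def read_bpb(image):
    """Pull the BIOS Parameter Block fields that locate the FAT copies."""
    bytes_per_sector, _spc, reserved = struct.unpack_from("<HBH", image, 11)
    num_fats = image[16]
    sectors_per_fat = struct.unpack_from("<H", image, 22)[0]
    if num_fats < 2:
        raise ValueError("volume keeps only one FAT copy; nothing to compare")
    return bytes_per_sector, reserved, num_fats, sectors_per_fat


def fat_copies(image):
    """Return each FAT copy as bytes; copy 1 starts right after the reserved sectors."""
    bps, reserved, num_fats, spf = read_bpb(image)
    size, start = spf * bps, reserved * bps
    return [bytes(image[start + i * size:start + (i + 1) * size]) for i in range(num_fats)]


def fat_differences(image):
    """Compare FAT copy 1 with copy 2 word by word (the trojan changes one word).
    Returns [(offset_within_fat, word_in_copy1, word_in_copy2)]."""
    first, second = fat_copies(image)[:2]
    diffs = []
    for off in range(0, len(first) - 1, 2):
        w1 = struct.unpack_from("<H", first, off)[0]
        w2 = struct.unpack_from("<H", second, off)[0]
        if w1 != w2:
            diffs.append((off, w1, w2))
    return diffs


def restore_first_fat(image):
    """The recovery step the bulletin names: copy the second FAT over the first.
    Only sensible once you have decided that copy 2 is the intact one."""
    bps, reserved, _n, spf = read_bpb(image)
    size, start = spf * bps, reserved * bps
    fixed = bytearray(image)
    fixed[start:start + size] = image[start + size:start + 2 * size]
    return bytes(fixed)


def constructed_fat12_image(corrupt_word_at=None):
    """Tiny 8-sector FAT12 volume built for the demo: boot sector, two 1-sector
    FATs, one root-directory sector, four data sectors. Not a real disk dump."""
    bps, reserved, spf, total = 512, 1, 1, 8
    boot = bytearray(bps)
    boot[0:3] = b"\xeb\x3c\x90"
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors, media, sectors/FAT
    struct.pack_into("<HBHBHHBH", boot, 11, bps, 1, reserved, 2, 16, total, 0xF0, spf)
    boot[510:512] = b"\x55\xaa"
    fat = bytearray(bps)
    fat[0:3] = b"\xf0\xff\xff"     # media descriptor and end-of-chain marker
    fat[3:6] = b"\x03\xf0\xff"     # FAT12 chain: cluster 2 -> 3 -> end of chain
    first = bytearray(fat)
    if corrupt_word_at is not None:
        struct.pack_into("<H", first, corrupt_word_at, 0xDEAD)   # the stray word change
    root_dir = bytearray(bps)
    data = bytearray(bps * (total - 4))
    return bytes(boot + first + fat + root_dir + data)


if __name__ == "__main__":
    damaged = constructed_fat12_image(corrupt_word_at=0x20)
    for off, w1, w2 in fat_differences(damaged):
        print(f"FAT word at offset {off:#06x}: copy1={w1:#06x} copy2={w2:#06x}")
    print("after restore:", fat_differences(restore_first_fat(damaged)))
```

A difference only tells you the copies disagree, not which one is right; on a volume hit by the format trick the bulletin's recovery assumes the second copy survived, and the image should be taken with the machine booted from a clean diskette so the resident code cannot interfere with the read.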
The Dropper program
The program that drops the trojan was, in the specimen that we analyzed, a hacked version of CORETEST, a program to benchmark hard disk performance. The file is CORETEST.COM, it is version 2.6, (dated 1986 in the copyright message) had a length of 32469 bytes, and it was timestamped 6-6-86, 9:44. When we looked in more detail at this program, we found some interesting things.
It looks as if the original CORETEST program was an EXE file, and the trojan author prepended his code to it. This code consists of some relocation stuff, then a decryptor, to decrypt the following 246h bytes. The decryption is a double xor with a changing byte. Those 246h bytes, when run, examine the memory to try to find one of five sets of hard disk handler code (presumably corresponding to five Bioses). When it finds one of them (we have identified the first one as being the IBM XT Bios), it plants the trojan MBR in place, using a far call to the Bios code. The trojan MBR is 200h of the 246h bytes. The trojan is patched so that it also does disk accesses using a far call to the same location. Finally, the prepended trojan passes control to the original program. We call the combination of the prepended code, plus the original program, the Dropper.
The main purpose of the encryption, we would guess, is to evade detection by programs that check code for bombs and trojans. There are no suspicious strings or interrupt calls in the code until it is decrypted at run time.
As far as we can tell, it is not a virus, but a trojan. However, it is unlikely that all the patching to the original program was done by hand - it is far more likely that the trojan author wrote a prepender program (we would call this the Prepender), to automatically attach his code to the target executable. If this is the case, then there are two consequences. The first is that he might have trojanized other programs besides the one that we have examined. In other words, there might be other Droppers around besides the one we have examined. The second is that if that is the case, we cannot rely on the encryption having the same seed each time, as the Prepender might change the seed each time it operates. So it would be unsafe to assume we can use a search string based on the decryptor.
Indeed, a further possibility exists. The Prepender program might have been placed into circulation, and people running it would unwittingly be creating additional Droppers. There is absolutely no evidence to suggest that that is actually the case, but we would ask anyone who detects this Dropper in one of their files, to also examine all the others.
Detection
Here's a variety of ways to detect the trojan. The hexadecimal string e4 61 e0 0c 80 e6 61 is to be found in the MBR. This string will also be found in memory if you have booted from a trojanized MBR, at location 0:38b. You can use Debug to search in memory.
A useful search string to detect the Dropper is
be 64 02 31 94 42 01 d1 c2 4e 79 f7
Getting rid of it
It's easy to get rid of Droppers; just delete them and replace them with a clean copy. If you find the string above in the MBR or in memory at 0:38b, you need to boot from a clean Dos diskette and replace the partition record. DO NOT use Fdisk to do this unless you are prepared for Fdisk to zero your FAT and directory; you will lose all your data that way. One way would be to do a file-by-file backup, low-level format to get rid of the trojan MBR, then Fdisk Format and restore your backup. We would recommend doing two backups using as different methods as possible if you use this route, in case one of them fails to restore.
The other way to replace the partition is to run a program that drops a clean partition record onto the MBR, but doesn't change the partitioning data. We are currently preparing one of these - please ask if you need it.
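The detection strings given in this analysis (and in the CIAC bulletin that precedes it) are meant to be typed into Debug by hand. As an added example, not a tool from either bulletin, the following checks the three indicators in one place: the code string in a 512-byte copy of the partition record, the same string at 0:38b in a dump of low memory, and the Dropper string in a program file. The MBR string used is the one quoted in the Detection section above. The sample sector, memory dump and program bytes are constructed for the demonstration, and the offsets at which the indicators are placed in them are invented.

```python
SECTOR_SIZE = 512
RESIDENT_OFFSET = 0x38B     # 0:38b, where the analysis says the string sits in memory

# Indicators quoted in the analysis.
MBR_SIGNATURE = bytes.fromhex("e4 61 e0 0c 80 e6 61")
DROPPER_SIGNATURE = bytes.fromhex("be 64 02 31 94 42 01 d1 c2 4e 79 f7")
SOFTLOK_TEXT = b"SOFTLOK+"   # compared case-insensitively; the bulletins spell it two ways


def find_all(data, needle, ignore_case=False):
    """Return every offset at which needle occurs in data."""
    hay, pat = (data.upper(), needle.upper()) if ignore_case else (data, needle)
    hits, start = [], 0
    while True:
        i = hay.find(pat, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan_mbr(sector):
    """Check one copy of cylinder 0, head 0, sector 1 for the two MBR indicators."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected one {SECTOR_SIZE}-byte sector, got {len(sector)}")
    return {
        "boot_signature_ok": sector[510:512] == b"\x55\xaa",
        "code_string": find_all(sector, MBR_SIGNATURE),
        "softlok_text": find_all(sector, SOFTLOK_TEXT, ignore_case=True),
    }


def resident_in_memory(low_memory):
    """low_memory is a dump starting at linear address 0 (segment 0)."""
    end = RESIDENT_OFFSET + len(MBR_SIGNATURE)
    return low_memory[RESIDENT_OFFSET:end] == MBR_SIGNATURE


def scan_program(data):
    """Offsets of the Dropper string inside a program file's bytes."""
    return find_all(data, DROPPER_SIGNATURE)


def verdict(sector, low_memory=None):
    mbr = scan_mbr(sector)
    if mbr["code_string"] or mbr["softlok_text"]:
        return "MBR carries Twelve Tricks indicators: boot from a clean diskette"
    if low_memory is not None and resident_in_memory(low_memory):
        return "code resident at 0:38b but MBR looks clean: re-read the MBR"
    return "no Twelve Tricks indicators"


# Constructed samples: the layout and offsets below are invented for the demo.
def constructed_mbr(trojanized):
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xeb\x3c\x90"
    if trojanized:
        text = b"SOFTLoK+ V3.0 SOFTGUARD SYSTEMS INC"
        sec[0x10:0x10 + len(text)] = text
        sec[0x60:0x60 + len(MBR_SIGNATURE)] = MBR_SIGNATURE
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def constructed_low_memory(trojanized):
    mem = bytearray(0x400)   # the interrupt vector table region
    if trojanized:
        mem[RESIDENT_OFFSET:RESIDENT_OFFSET + len(MBR_SIGNATURE)] = MBR_SIGNATURE
    return bytes(mem)


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, scan_mbr(constructed_mbr(flag)), verdict(constructed_mbr(flag),
                                                             constructed_low_memory(flag)))
    print(scan_program(b"\x00" * 5 + DROPPER_SIGNATURE + b"\xff"))
```

The analysis itself warns that the Prepender may change the encryption seed, so a miss on the Dropper string says nothing about a file; the MBR string and the 0:38b check are the reliable ones, and a memory hit with a clean-looking sector means the sector copy should be taken again from a clean boot.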
Damage done
The whole of the MBR is used for the code. Most normal MBRs don't use more than half the space, and a number of other programs have started using this space. For example Disk Manager, and the Western Digital WDXT-Gen controllers (but the Dropper doesn't work on the WDXT-Gen). This means that the Dropper might cause an immediate problem in some circumstances.
The main damage done, however, will be in the impression that this trojan creates that your hardware is suffering from a variety of faults, which usually go away when you reboot (only to be replaced by other faults). Also, the FAT gets progressively corrupted.
Name: MDEF
Types: Only one known variant
Platform: Apple Macintosh models 128K and 512K, 512KE, Mac Plus, SE, SE/30, II, IIx, IIcx, IIci and IIfx.
Damage: Possible removal of system menus.
Symptoms: The virus can cause:
MDEF actually refers to one of the resources on Macintosh computers. The MDEF virus is so named because this virus infects the MDEF resources. If you attempt to detect the MDEF virus using ResEdit or a similar tool and discover the MDEF resources, this does not indicate that your computer is infected by the MDEF virus.
Resource MDEF & Name "Garfield"
Resource MDEF & ID = 5378
Caution: CIAC has been advised that the use of Vaccine may have an undesirable side effect. Vaccine will inform the user that the system file has been infected, but is only partially effective in preventing this virus from infecting the system file! The system file will be damaged as a result of running Vaccine when an application containing the MDEF virus is executed.
Name: Steroid trojan horse
Types: Only one known variant
Platform: Apple Macintosh computers
Damage: Erases all mounted disks
Symptoms: Can be identified by:
Steroid is a trojan horse, not a virus, and thus is limited in ability to spread. This trojan horse is nevertheless a genuine threat, because it is being posted to electronic bulletin boards and has already been downloaded by unsuspecting users on the West Coast. If you use a bulletin board, make sure that you do not download any software claiming to improve QuickDraw performance or related in any way to "Steroid." Since "Steroid" is an INIT, you would have had to put it in your system folder to have this trojan horse. If you are unsure if you have installed "Steroid," look in your system folder for start-up documents with the name "Steroid" or "Quickdraw Accelerator." Another detection method is to use RESEDIT; look for documents in the system folder with the Creator: "QDAC," Type "INIT," and a code size of 1080 and a data size of 267.
If your Macintosh computer contains this INIT, please make a copy on a floppy before you do anything else and send that copy to CIAC at your earliest convenience. Then drag the Steroid INIT to the trash icon and empty the trash. If you unknowingly have used Steroid before July 1, 1990, no damage appears possible at this time. It is important, however, to determine if you have shared Steroid with anyone else, and, if so, to notify them of the information in this bulletin. If you use Steroid on or after July 1, 1990, CIAC has been advised that you can recover if you use the SUM II Disk Clinic tool to restore erased files. Do not use the machine until you have recovered the files using SUM. CIAC can provide more detailed procedures in this case.
The following is an excerpt from a bulletin board posting by Apple:
So far, we know that the code does the following:
OPERATIONS AT RESTART:
----------------------
DATE & TIME CHECK (Loop)
SYSENVIRONS CHECK
GETS VOLUME INFORMATION (probably checking for HFS)
GETS SOME ADDRESSES (Toolbox traps)
DOES SOME HFS DISPATCH OPERATIONS
VOLUME IS REINITIALIZED to "Untitled"
INFORMATION:
------------
TYPE: INIT
CREATOR: qdac
CODE SIZE: 1080
DATA SIZE: 267
ID: 148
Name: QuickDraw Accelerator
File Name: " Steroid" (First 2 characters are ASCII 1)
WHAT TO DO:
-----------
If your disk becomes erased, you can use SUM II Disk Clinic to recover the deleted files. We have tried this and it seems to work.
IF YOU HAVE STEROID ON YOUR SYSTEM, DISABLE IT IMMEDIATELY.
Name: Disk Killer virus (also known as the Ogre virus)
Types: Only one known variant
Platform: MS DOS computers
Damage: Overwrites mounted disks
Symptoms: Writes "COMPUTER OGRE 04/01/89" on screen and overwrites disk
Detection/Eradication: VIRALERT, VIRHUNT, RESSCAN, CodeSafe, CleanUp, F-Prot, IBM Scan, Pro-Scan, and others (contact CIAC for information about these products)
Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89
Warning!!
Don't turn off the power or remove the diskette while Disk Killer
is Processing!
Next, the word "PROCESSING" will be displayed, followed by this message:
Now you can turn off the power. I wish you Luck!
Disk Killer overwrites the boot sector, then the file allocation table (FAT), then the directory, randomly, with blocks of a single character.
The proper procedure depends upon when you detect Disk Killer:
Note: Because this virus modifies every byte in every sector on your disk, Norton Utilities is not a feasible means of recovering from the Disk Killer virus. Note also that a considerable amount of incorrect information about responding to Disk Killer has already been distributed. That information advises you to turn your machine off as soon as Disk Killer begins to execute; if you follow it, it is extremely likely that you will not be able to fully recover from this virus.
Additional Note: The CIAC team first became aware of this virus early last Fall. At that time, however, we chose to briefly describe this virus in the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15, rather than to issue a separate bulletin; infections at that time appeared to be limited to MS DOS computers equipped with hard disks made by a particular manufacturer in Taiwan.
Name: Stoned virus (also known as the Marijuana or New Zealand virus)
Types: At least four known variants
Platform: MS DOS computers
Damage: Not deliberately destructive; however, this virus overwrites part of the boot sector/master boot record area on infected disks (see text)
Symptoms: May write "Your computer is now stoned. Legalize marijuana" or similar message on screen (one variant has this message removed); may create hard disk errors or the inability to boot
Detection: VIRALERT, VIRHUNT, RESSCAN, CodeSafe, F-PROT, IBM Scan
Eradication: VIRHUNT, RESSCAN, CodeSafe, CleanUp, F-PROT and others (contact CIAC for information about these products)
Your computer is now stoned. Legalize marijuana.
Although the Stoned virus apparently was not programmed to do damage, it can nevertheless damage a system. The virus overwrites parts of infected disks that may hold directory information or user data: on floppy disks it overwrites the boot sector and the sector at Head 1, Track 0, Sector 3 (where it parks the original boot sector); on hard disks it overwrites the master boot record and the sector at Head 0, Track 0, Sector 7. If a hard disk was last partitioned under DOS 2, the virus overwrites portions of the File Allocation Table (FAT) as well. The result is overwritten data files and disk errors reported by CHKDSK. Variants of the Stoned virus produce slightly different effects:
After you have cleaned your system, either with an eradication product or by formatting the drive, scan again with a virus detection utility to ensure that the virus is gone. To keep your system from being re-infected immediately, scan all floppy disks for the virus as well. To clean floppies you may use one of the suggested products, or you may format new floppies on a clean system and use the COPY command to copy files from the infected floppies to the clean ones. Format the infected floppies before reusing them.
The Stoned virus typically spreads wherever floppy disks are shared, and infections are easily prevented by sound protection procedures. The virus infects a hard disk when the PC is booted from an infected floppy; it does not infect applications. If you must boot from a floppy disk, first confirm with a virus scanner that the disk is not infected, then write-protect it so it cannot become infected later. (Warning: a Stoned-infected floppy can infect a machine even if the floppy does not contain a bootable operating system, because the code in its boot sector runs before DOS ever looks for system files.)
Additional Note: Basic information about the Stoned virus has been available through the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15 since the beginning of this year.
The assistance of Ken Van Wyk and Dave Chess is gratefully acknowledged.
Name: 4096 virus (also known as the 4k, Stealth, IDF--Israel Defense Forces, 100 years, Century, and Frodo virus)
Types: Two known versions (also see note 1 about Fish virus)
Platform: MS-DOS computers running DOS 3.x or 4.x; does not appear to infect files in DOS 2.x
Damage: Can damage files by destructive cross-linking
Symptoms: May slow system performance somewhat; may cause the system to crash/hang, or may create hard disk errors; may write "FRODO LIVES" on screen on or after September 22, 1990 (one variant only)
Detection: VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, IBM Scan, FPROT
Eradication: VIRHUNT, CodeSafe, FPROT, and others (contact CIAC for information about these products)
Allocation error - File size adjusted
There is a trigger date of September 22, 1990. On or after this date the virus attempts to replace the original boot record with another boot record. Other reports indicate that the attempt to write the boot record fails; either way, the system may crash. One version of the 4096 virus also displays the following message on or after the trigger date:
FRODO LIVES
The 4096 virus is very difficult to detect, even once it has infected many files: it contains logic to defeat detection based on increased file size, on virus-initiated interrupts, and on checksums. The most current versions of virus detection packages such as VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, and IBM Scan are effective against it. If you find that your computer is infected, turn the machine off, then boot from a clean floppy and run a virus eradication program (e.g., VIRHUNT or CodeSafe) from a non-infected, write-protected floppy disk. Alternatively, use DOS COPY to give the executable of the eradication program an extension other than .EXE, such as .DAT; the renamed copy cannot then become infected. Virus Bulletin recommends an additional detection method for DOS 3.x systems: set the system date ahead to January 1, 2044, create a small file, then enter the DIR command. If the 4096 virus is present, the file size will be 4K and the date will show January 1 of the year 100 (see note 3 below); on DOS 4.x the displayed year is 99. Another detection method is to use Norton Utilities or a similar disk management utility to show the actual size of suspected files.
Note 1: The Fish virus is a modified, more sophisticated version of the 4096 virus. It increases file sizes by either 8K or 4K.
Note 2: Other phase two viruses include the Alabama, Virus 101, 1260, and Fish virus.
Note 3: The 4096 virus adds 100 to the year of file creation, but since MS-DOS normally displays only the last two digits of the year, the virus is not normally detectable on the basis of year of file creation. MS-DOS time stamps cannot exceed December 31, 2107. If the user sets the date to January 1, 2044, the virus code increases the year by 100, causing an illegal date. The number 100 is displayed instead.
Note 4: Basic information about the 4096 virus has been available through the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15 since the beginning of this year.
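Note 3 turns on how a FAT directory entry stores its date. The following is an added illustration, not the virus's code and not part of the bulletin: it packs dates the way FAT entries do (a 7-bit year offset from 1980, a 4-bit month, a 5-bit day), applies the "add 100 to the year" mark the note describes (an assumption about the mechanism taken from the note itself), and shows why DIR's two-digit year hides the mark in ordinary years but cannot hide it once the system date is set to 2044.

```python
"""Model of the 4096 virus's file-date mark (added example, not CIAC code)."""

FAT_EPOCH = 1980
FAT_MAX_YEAR = FAT_EPOCH + 127      # 2107: the last year a 7-bit offset can hold


def pack_fat_date(year, month, day):
    """Pack a date the way a FAT directory entry stores it:
    bits 15-9 = year - 1980, bits 8-5 = month, bits 4-0 = day."""
    if not FAT_EPOCH <= year <= FAT_MAX_YEAR:
        raise ValueError(f"{year} does not fit the 7-bit FAT year field")
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError("month/day out of range")
    return ((year - FAT_EPOCH) << 9) | (month << 5) | day


def unpack_fat_date(packed):
    return FAT_EPOCH + (packed >> 9), (packed >> 5) & 0xF, packed & 0x1F


def dir_year(year):
    """What DIR shows: only the last two digits of the year."""
    return f"{year % 100:02d}"


def mark_like_4096(packed):
    """The mark Note 3 describes: 100 added to the stored year (model only).
    Returns (new_field, overflowed).  Years past 2107 cannot be represented;
    whatever the virus writes then no longer decodes to a plausible year,
    which is what the January 1, 2044 test relies on."""
    year, month, day = unpack_fat_date(packed)
    try:
        return pack_fat_date(year + 100, month, day), False
    except ValueError:
        return packed, True


def is_marked(packed, current_year):
    """Scanner check on the raw field: a stored year later than the present
    cannot be an honest timestamp, even though DIR's two-digit display of
    2090 is identical to that of 1990."""
    year, _, _ = unpack_fat_date(packed)
    return year > current_year


if __name__ == "__main__":
    original = pack_fat_date(1990, 3, 1)
    marked, _ = mark_like_4096(original)
    print("DIR shows", dir_year(unpack_fat_date(original)[0]),
          "for both; raw years:", unpack_fat_date(original)[0], unpack_fat_date(marked)[0])
    print("2044 test overflows:", mark_like_4096(pack_fat_date(2044, 1, 1))[1])
```

The raw 16-bit field is the thing to inspect: a scanner that compares the stored year against the clock sees the mark on every infected file, while DIR, showing two digits, sees nothing until the overflow case.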
Ray Glath and Bill Kinney furnished a portion of the information in this bulletin.
Problem: Virus propagation on write-protected file systems
Types: Many known viruses, most frequently variants of the Jerusalem (Israeli) virus
Platform: MS-DOS computers
Damage: Files that use software write-protection schemes cannot be assumed safe from damage due to virus infection
Symptoms: Virus infection on write-protected files
Detection: VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, IBM Scan, FPROT
Eradication: VIRHUNT, CodeSafe, FPROT, and others (see text in p. 2 of this bulletin for recommended procedures)
The following is a common scenario reported to CIAC: a floppy infected with the Jerusalem-B virus is inserted into a user's PC attached to a Novell network. Once the virus is executed, it becomes resident in the PC's memory. When the user logs on to the file server (running the program LOGIN.EXE), the virus infects that program even though the file is write-protected: the read-only attribute and similar software write-protection schemes are enforced only by software, which a resident virus can bypass. LOGIN.EXE is a shared program executed by every user who connects to the Novell network, so each time a user logs in, his or her machine immediately becomes infected with Jerusalem-B. The network thus lets the virus spread considerably more quickly than the exchange of floppy disks would.
When someone disinfects a system of PCs or PC clones on a Novell or similar file system, CIAC recommends the following procedures:
During the twelve months of this fiscal year, CIAC team members have engaged in a number of activities. One of the main activities has been assisting sites in recovering from incidents. Our involvement has led to a number of valuable lessons learned--things that can improve your site's computer security as well as enhance the DOE community's coordination and handling of incidents.
Viruses. The major viruses with which we have dealt in the MS-DOS arena during the last 12 months are Jerusalem, Stoned, Cascade (1701/1704), Ohio, Ping Pong, and Disk Killer. Of these, Jerusalem and Disk Killer are the most likely to produce damage. In the Macintosh arena, nVIR and WDEF are most prevalent, although neither is likely to damage a system. For a summary of the major viruses, refer to CIAC Bulletin A-15. In addition to frequent reports of viruses spreading through the exchange of removable media (disks), we are also hearing about viruses spreading rapidly through Novell and other microcomputer networks (see CIAC Bulletin A-33). Vendor demonstrations and shrink-wrapped software are increasingly becoming a source of virus outbreaks.
We have found that sites with implemented procedures for detecting and eradicating viruses have significantly decreased the time and effort involved in recovering from this type of incident. Users of PCs, PC clones, and Macintoshes frequently do not know exactly whom to call if there is a suspected virus infection--the number of a support person should be posted on every small system! This is particularly important with users of classified systems. Finally, Disinfectant 2.1 and FPROT (freeware detection/eradication packages for Macintosh and MS-DOS computers, respectively) are available from CIAC for the asking.
CIAC periodically issues bulletins about specific computer viruses. These bulletins, however, do not cover all the computer viruses that affect the PC-DOS/MS-DOS and Macintosh platforms. The purpose of this bulletin is to identify most of the known viruses for these platforms, and give an overview of the effects of each virus. This bulletin supersedes CIAC Bulletin A-15 issued last year, and includes (at least by name) more than 100 new viruses. As we continue to gather more information, we will add it to future editions of this document.
Name: Brunswick virus
Aliases: Brunswick, 910129
Types: Two known variants
Platform: MS-DOS computers
Damage: May overwrite Master Boot Record
Symptoms: Not apparent until attack phase when Master Boot Record is destroyed and disk will not boot
First Discovered: January 1991
Detection: VIRHUNT v. 1.3D-1, VIRSCAN v.2.0.2 and others (contact CIAC for information about these products)
Eradication: VIRHUNT v. 1.3D-1, VIRSCAN v.2.0.2 and others
Brunswick usually enters a machine when the PC is booted from an infected floppy. (This entry method is similar to that of the "Stoned" virus described in CIAC Advisory A-28.) The virus immediately infects the Master Boot Record via BIOS interrupt 13h. Thereafter, every disk placed in drive A: or B: is infected until the machine is rebooted from a clean disk. Infection differs between hard disks and floppies: on hard disks the original boot record is moved to Cylinder 0, Sector 16, Head 0; on floppies it is relocated to Cylinder 0, Sector 3, Head 1. If a hard disk was last partitioned under DOS 2.0, the virus overwrites portions of the File Allocation Table. The virus contains logic to prevent re-infection of disks and code to save the BIOS Parameter Block, so that 3.5-inch 1.44 MB floppies remain readable after infection (unlike with "Stoned").
The Brunswick virus mechanics are fairly straightforward. It retains a generation counter which is decremented within each new infection. Upon boot-up, the virus compares this counter to an internal constant. If the counter is larger than the constant, no action is taken; else the virus destroys the master boot record by overwriting it with random characters. This generation counter is never changed within a particular infection; therefore, if an infection and a successful boot-up have occurred, this particular infection will NEVER destroy the Master boot record (although infections will still take place).
Newer versions of anti-viral products mentioned above will detect the virus. An unauthorized write attempt to a write-protected floppy is another indication that this virus may be resident. Removal is a simple process of running any of the previously mentioned virus removal utilities. If none of these are available, contact CIAC to obtain manual removal instructions.
Infections can be easily prevented by adopting sound protection procedures, such as write-protecting all floppies and checking all diskettes before use with a trusted scanning utility. Also, always open the floppy door before booting a PC because booting with an infected NON-BOOTABLE floppy WILL CAUSE INFECTION to the hard disk.
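Both the Stoned entry above and this Brunswick entry give the Cylinder/Head/Sector address at which the virus parks the displaced original boot record (Stoned: Head 1, Track 0, Sector 3 on floppies and Head 0, Track 0, Sector 7 on hard disks; Brunswick: Cylinder 0, Sector 3, Head 1 and Cylinder 0, Sector 16, Head 0). The following is an added example, not code from the bulletins or from CIAC: it converts those addresses into sector offsets, checks a raw disk image for a boot record sitting in one of those slots, and copies the saved record back over sector 0, which is the manual removal the text refers to. The disk images are constructed inline, and the drive geometries (a 360 KB floppy with 2 heads and 9 sectors per track; 16 heads and 17 sectors per track for the hard disk) are assumptions of the example, not figures from the text.

```python
"""Locate and restore a boot record relocated by a Stoned-family infector.
Added illustration; not code from the bulletins or from CIAC."""

SECTOR = 512
BOOT_SIG = b"\x55\xaa"            # last two bytes of a valid boot sector/MBR


def chs_to_lba(cylinder, head, sector, heads, sectors_per_track):
    """INT 13h addressing: cylinders and heads count from 0, sectors from 1."""
    if not 1 <= sector <= sectors_per_track or head >= heads:
        raise ValueError("CHS address lies outside the stated geometry")
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


# Where each virus parks the displaced original boot record (from the text),
# plus an assumed geometry.  For the hard-disk slots cylinder and head are
# both 0, so the head count does not affect the result.
RELOCATION_SLOTS = {
    "stoned_floppy":    dict(cylinder=0, head=1, sector=3,  heads=2,  sectors_per_track=9),
    "stoned_hard":      dict(cylinder=0, head=0, sector=7,  heads=16, sectors_per_track=17),
    "brunswick_floppy": dict(cylinder=0, head=1, sector=3,  heads=2,  sectors_per_track=9),
    "brunswick_hard":   dict(cylinder=0, head=0, sector=16, heads=16, sectors_per_track=17),
}


def read_sector(image, lba):
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def has_boot_signature(sector):
    return len(sector) == SECTOR and sector[-2:] == BOOT_SIG


def suspicious_slots(image, media):
    """Names of the slots for 'floppy' or 'hard' media that hold a
    55AA-terminated sector differing from sector 0.  A clean disk is not
    expected to carry a boot signature in these slots."""
    sector0 = read_sector(image, 0)
    hits = []
    for name, slot in RELOCATION_SLOTS.items():
        if not name.endswith(media):
            continue
        saved = read_sector(image, chs_to_lba(**slot))
        if has_boot_signature(saved) and saved != sector0:
            hits.append(name)
    return hits


def restore_from_slot(image, slot_name):
    """Manual removal: copy the saved original back over sector 0.  Inspect the
    saved copy first; after a double infection by two viruses that use the
    same slot, the slot holds viral code rather than the clean record."""
    saved = read_sector(image, chs_to_lba(**RELOCATION_SLOTS[slot_name]))
    if not has_boot_signature(saved):
        raise ValueError("no boot record saved in " + slot_name)
    buf = bytearray(image)
    buf[0:SECTOR] = saved
    return bytes(buf)


# ---- constructed sample images (not real disk contents) -------------------
def boot_sector(marker):
    """Stand-in 512-byte boot record: marker text, zero padding, 55AA."""
    return marker.encode().ljust(SECTOR - 2, b"\0") + BOOT_SIG


def make_image(n_sectors, sectors):
    buf = bytearray(n_sectors * SECTOR)
    for lba, data in sectors.items():
        buf[lba * SECTOR:(lba + 1) * SECTOR] = data
    return bytes(buf)


ORIGINAL_MBR = boot_sector("original MBR (constructed)")
VIRAL_MBR = boot_sector("boot-sector virus loader (constructed)")

CLEAN_DISK = make_image(64, {0: ORIGINAL_MBR})
STONED_DISK = make_image(64, {0: VIRAL_MBR,
                              chs_to_lba(0, 0, 7, 16, 17): ORIGINAL_MBR})
BRUNSWICK_DISK = make_image(64, {0: VIRAL_MBR,
                                 chs_to_lba(0, 0, 16, 16, 17): ORIGINAL_MBR})

if __name__ == "__main__":
    for label, img in [("clean", CLEAN_DISK), ("stoned", STONED_DISK),
                       ("brunswick", BRUNSWICK_DISK)]:
        print(label, suspicious_slots(img, "hard"))
```

On a real drive the same check is run against sectors read with the disk's true geometry, from a machine booted clean so that a resident virus cannot answer the reads; the restored sector should be checked for a sane partition table before it is written back.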
Platform: MS-DOS computers
Software: Sun PCNFS software fix PCNFS 3.5b, file NET.EXE
Damage: File deletion, file corruption, system slowdown
Detection: File size of newly distributed PCNFS 3.5b file NET.EXE not equal to 100181 bytes; or use of VIRHUNT, VIRSCAN, FPROT, and others
Eradication: VIRHUNT, VIRSCAN and others; replacement of NET.EXE
CIAC has been notified of the inadvertent distribution of a virus in a Sun Microsystems PCNFS software fix for MS-DOS computers. This distribution, which was sent to a limited user community, contained a file NET.EXE which may have been infected with the Jerusalem-B virus. This fix, entitled "PCNFS 3.5b," was distributed between July and August, 1991 to those requesting a patch for PCNFS 3.5. Sun has contacted all customers who had received the suspect file, and has distributed a new virus-free NET.EXE to all parties. If NET.EXE from PCNFS 3.5b does not have a file size of 100181, this file is probably infected with the Jerusalem-B virus.
It is very important to execute a virus detection/eradication package if a suspect NET.EXE file is located. If your site has received the suspect file and follow-up letter, call CIAC, Sun's support number (1-800-USA-4SUN), or your local Sun office for assistance.
NOTE: For more information on the Jerusalem virus, see CIAC bulletin "Virus Propagation in Novell and Other Networks" (A-33) or "Little Black Box (Jerusalem) virus alert" (un-numbered series, 1989). CIAC recommends anti-viral scanning of all software (including new software and upgrades to existing software) before installation is initiated.
Thanks to Sun Microsystems for assistance in providing information described in this bulletin.
During this fiscal year, CIAC team members have engaged in a number of activities, including assisting sites in recovering from incidents and helping sites prepare for future incidents by presenting the CIAC workshops. Our involvement has led to a number of valuable lessons learned--things that can improve your site's computer security as well as enhance the DOE community's coordination and handling of incidents.
Viruses. During the past year, viruses on MS-DOS and Macintosh computers continued to infect a small but significant number of systems throughout DOE. In the MS-DOS arena, the Jerusalem-B, Cascade, and Disk Killer viruses continued to be most prevalent; of these, Disk Killer and Jerusalem-B were the most likely to damage systems. During this last fiscal year, the Stoned-2, Horse, and Horse-2 viruses emerged as new threats. In the Macintosh arena, WDEF and nVIR continued to be the major sources of threat, but with the advent of Macintosh System 7 the WDEF threat has been reduced, since that virus will not run on this version of the operating system. Networked file systems and demonstration software continue to be the main sources of these infections, and we continued to receive reports of infected vendor software (see CIAC Bulletin B-40). CIAC Bulletin B-16 provided an updated list of viruses and their symptoms (updated from the information in A-15).
CIAC assisted DOE in evaluating an anti-viral product to be purchased and licensed throughout DOE. This product, "Data Physician Plus," is very effective in finding and eradicating viruses on MS-DOS platforms. For the Macintosh, Disinfectant (the latest version is 2.5.2) continues to be a good anti-viral freeware package. Contact CIAC for assistance in obtaining anti-virus packages.
Aliases: Dir-2, MG series II, Creeping Death, DRIVER-1024, Cluster
Virus Type: Directory infector with stealth characteristics
Variants: Unsubstantiated reports exist for two variants
Platform: MS-DOS computers
Damage: May destroy all .EXE and .COM files and backup diskettes; may crash some PC-compatible systems; CHKDSK /F destroys all executable files
Symptoms: CHKDSK reports many cross-linked files and lost chains; backups may be corrupted; copied files are only 1024 bytes long; more (see below)
First Discovered: May 1991 in Bulgaria
Eradication: Perform a series of simple DOS commands (see below)
The Dir II virus presents a new type of MS-DOS virus called a directory infector. This virus modifies entries in the directory structure, causing the computer to jump to the virus code before execution of a program begins. Also, this virus utilizes stealth techniques to hide its existence in memory.
The most damaging characteristic of this virus shows up if a user boots from a clean diskette and then runs a disk repair or optimizer program such as CHKDSK /F, Norton Disk Doctor, or a similar utility. When such a program tries to "fix" the disk, every infected executable "becomes" the virus, effectively destroying the original file!
Upon initial infection, the virus links itself into the device driver chain, copies itself to the last cluster (or last two clusters, if the cluster size is less than 1024 bytes) on the disk, and infects the directory entries of all .EXE and .COM files in the current directory and in every directory on the PATH. It infects every file whose extension is .EXE or .COM, whether or not the file is really executable, EXCEPT files smaller than 2K, larger than 256K, or carrying the System, Volume, or Directory attribute. It therefore does not infect the two hidden system files, but it DOES infect COMMAND.COM.
Following the supplied eradication steps will simply remove all "live" pointers to the viral code. After eradication you may wish to use a direct disk access utility (such as Norton Utilities) to directly access the viral code existing on the last cluster on the disk and overwrite it with blanks. Another recommended final clean-up entails running a disk optimizer program that will clean out all unnecessary deleted files. It is important to remember that this virus has infected all .COM and .EXE files, even if they are tagged as deleted. Therefore if an undelete utility is used on these files, the virus can resurface.
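What a directory infector leaves behind is visible in the 32-byte FAT directory entries themselves. The following is an added example, not code from the bulletin or from CIAC: it parses FAT12/16 directory entries, applies the infection rules the text gives (.COM/.EXE by extension, 2K to 256K, no System/Volume/Directory attribute, deleted entries included), and flags executables whose start cluster is the volume's last cluster or is shared with another executable, which is the cross-linking CHKDSK reports. It assumes the virus redirects the start-cluster field of the entry (the text says only that entries are modified so execution jumps to the virus); the directory contents and the last-cluster number are constructed sample data.

```python
"""Parse FAT directory entries and flag Dir II-style redirection.
Added illustration; not code from the bulletin or from CIAC."""
import struct

ENTRY_SIZE = 32
ATTR_SYSTEM, ATTR_VOLUME, ATTR_DIRECTORY = 0x04, 0x08, 0x10
DELETED_MARK = 0xE5                     # first byte of a deleted entry


def make_entry(name, ext, attr, first_cluster, size, deleted=False):
    """Build a 32-byte FAT12/16 directory entry (constructed sample data)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.upper().encode("ascii").ljust(8)
    raw[8:11] = ext.upper().encode("ascii").ljust(3)
    raw[11] = attr
    struct.pack_into("<H", raw, 26, first_cluster)   # start cluster (low word)
    struct.pack_into("<I", raw, 28, size)            # file size in bytes
    if deleted:
        raw[0] = DELETED_MARK
    return bytes(raw)


def parse_entry(raw):
    deleted = raw[0] == DELETED_MARK
    name = raw[0:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    if deleted:
        name = "?" + name[1:]           # first character is lost on deletion
    return {
        "name": f"{name}.{ext}" if ext else name,
        "attr": raw[11],
        "first_cluster": struct.unpack_from("<H", raw, 26)[0],
        "size": struct.unpack_from("<I", raw, 28)[0],
        "deleted": deleted,
    }


def parse_directory(blob):
    entries = []
    for off in range(0, len(blob), ENTRY_SIZE):
        raw = blob[off:off + ENTRY_SIZE]
        if raw[0] == 0:                 # 0x00 in the first byte ends the directory
            break
        entries.append(parse_entry(raw))
    return entries


def dir2_candidate(e):
    """The bulletin's infection rules: .COM/.EXE by extension (even if deleted
    or not really executable), 2K..256K, none of System/Volume/Directory."""
    if not e["name"].upper().endswith((".COM", ".EXE")):
        return False
    if e["size"] < 2048 or e["size"] > 256 * 1024:
        return False
    return not e["attr"] & (ATTR_SYSTEM | ATTR_VOLUME | ATTR_DIRECTORY)


def suspicious_entries(entries, last_cluster):
    """Candidate executables whose start cluster is the volume's last cluster
    (where the text says the virus body lives) or is shared with another
    executable.  Assumption: the virus rewrites the start-cluster field."""
    candidates = [e for e in entries if dir2_candidate(e)]
    owners = {}
    for e in candidates:
        owners.setdefault(e["first_cluster"], []).append(e["name"])
    return [e["name"] for e in candidates
            if e["first_cluster"] == last_cluster or len(owners[e["first_cluster"]]) > 1]


# ---- constructed sample directories ---------------------------------------
LAST_CLUSTER = 2847                      # assumed last cluster of the sample volume


def sample_directory(infected):
    exe_cluster = {"COMMAND": 2, "EDIT": 40, "OLD": 4}
    if infected:
        exe_cluster = {k: LAST_CLUSTER for k in exe_cluster}
    return b"".join([
        make_entry("COMMAND", "COM", 0x20, exe_cluster["COMMAND"], 47845),
        make_entry("EDIT", "EXE", 0x20, exe_cluster["EDIT"], 30000),
        make_entry("SMALL", "COM", 0x20, 99, 1000),      # under 2K: never infected
        make_entry("IO", "SYS", 0x07, 3, 33430),         # hidden system file: skipped
        make_entry("OLD", "EXE", 0x20, exe_cluster["OLD"], 8192, deleted=True),
        bytes(ENTRY_SIZE),                               # end-of-directory marker
    ])


CLEAN_DIR = sample_directory(infected=False)
INFECTED_DIR = sample_directory(infected=True)

if __name__ == "__main__":
    print("clean:", suspicious_entries(parse_directory(CLEAN_DIR), LAST_CLUSTER))
    print("infected:", suspicious_entries(parse_directory(INFECTED_DIR), LAST_CLUSTER))
```

The deleted entry is deliberately included in the check: as the text warns, an undeleted .EXE or .COM still points at the virus, so recovery tools should be run over the raw directory, not only over live files.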
Other Facts About Dir II:
Virus Inadvertently Distributed in Novell Network Support Encyclopedia Update
Problem: 5 1/4 inch diskettes sent from Novell to customers from December 9-16, 1991 contain the Stoned-3 virus.
Platform: PC/MS-DOS systems running Novell Netware software.
Damage: Potential to overwrite boot sector of fixed and floppy disks; potential to create infected floppyless boot image files and thereby propagate the virus via the network.
Solution: Scan all incoming software.
Detection/Eradication: Data Physician Plus, other antiviral packages.
The Stoned-3 virus is a minor variation of the Stoned virus. It infects the boot sector of a hard disk or diskette and will sometimes display the message (sic):
"Your PC is now Stoned!.....LEGALISE MARIJUANA!"
The virus becomes memory resident and infects any other disk accessed by the PC while it is resident. See CIAC Bulletin A-28 for more information on the Stoned virus family, and B-16 for a summary of known viruses.
If you discover that the Stoned virus has infected your PC, it may be removed using the VIRHUNT package licensed to DOE by Digital Dispatch Incorporated. CIAC also recommends that you follow a policy of scanning all new software before using or installing it on your PC. This policy should be followed for all vendor-supplied shrink-wrapped software as well as bulletin board or shareware software, since a few other vendors have inadvertently distributed viruses with packaged software in the past. CIAC recommends that if you are from a DOE site and are not already using an effective anti-viral scanner, you should contact your site's computer security department to obtain a free copy of Data Physician PLUS! (which contains VIRHUNT and several other useful packages). In addition, since new viruses are constantly being discovered, we recommend that you ensure that your anti-viral scanner has been updated to the most recent version. The most recent version of Data Physician PLUS! is V 3.0C.
Name: Michelangelo virus
Platform: MS-DOS computers
Damage: On March 6 will destroy all files on infected disks and diskettes that are accessed.
Symptoms: CHKDSK reports "total bytes memory" 2048 bytes less than expected
Detection: DDI Data Physician Plus! v 3.0C, FPROT 2.01, other anti-viral packages updated since late September 1991
Eradication: DDI Data Physician Plus! v 3.0C, FPROT 2.01, other anti-viral packages updated since late September 1991
A problem can occur if a disk is infected by both the Michelangelo and the Stoned viruses AT THE SAME TIME. Both move the "original" boot sector to the same location on the disk, so the second infection copies the already infected sector over the saved original, and the clean boot sector is lost. CIAC recommends a low-level format of the disk if this double infection occurs, although the DOS SYS command may repair a damaged diskette, and the undocumented FDISK /MBR command (DOS 5.0 only) may repair a damaged hard disk.
CIAC is aware of at least two publicized cases of this virus being inadvertently distributed by vendors. The vendors involved are Leading Edge and DaVinci Systems; both vendors have made an attempt to contact all recipients of the software involved.
CIAC stresses the importance of checking all incoming diskettes with an anti-viral utility, such as VIRHUNT from DDI's Data Physician Plus! package. CIAC recommends that once a system has had a virus eradicated, it be powered down. The computer should then be observed closely throughout the entire boot-up process. Another virus scan should be performed on the machine to ensure that it is devoid of any virus.
Name: MBDF A virus
Platform: Macintosh computers-except MacPlus and SE (see below)
Damage: May cause program crashes
Symptoms: Claris applications indicate they have been altered; some shareware may not work, unexplained system crashes
Detection & Eradication: Disinfectant 2.6,Gatekeeper 1.2.4, Virex 3.6, VirusDetective 5.0.2, Rival 1.1.10, SAM 3.0
When MBDF A infects the system file, it must rewrite the entire system file back to disk; this process may take two or three minutes. If the user assumes the system has hung and reboots the Macintosh while this is occurring, the entire system file will be corrupted and a complete reload of system software must then be performed.
This virus can be safely eradicated from most infected programs, although CIAC recommends that you restore all infected files from an uninfected backup.
MBDF A has been positively identified as present in two shareware games distributed by reliable archive sites: "Obnoxious Tetris" and "Ten Tile Puzzle". The program "Tetricycle" (sometimes named "Tetris-rotating") is a Trojan Horse program which installs the virus. If you have downloaded these or any other software since February 14, 1992 (the day these programs were loaded to the archive sites), CIAC recommends that you acquire an updated version of an anti-viral product and scan your system for the existence of MBDF A.
CIAC would like to thank Gene Spafford and John Norstad, who provided some of the information used in this bulletin.
Problem: Bogus versions of the PKZIP archiving software have been released to Bulletin Board Systems (BBS).
Platform: PCs running PC-DOS, or MS-DOS
Damage: One version attempts to erase the hard disk.
Detection: Look for the files: PKZ201.ZIP, PKZ201.EXE, PKZIPV2.ZIP, or PKZIPV2.EXE
Removal: Save a copy of the files for CIAC, then delete the files. Do not extract or run these files.
At the current time, the released version of PKZIP is version 1.10. A new version of PKZIP is expected to be released in the next few months. Its version number was planned to be 2.00, but may be increased to a number greater than 2.2 to prevent confusion with the bogus versions. PKWARE Inc. has indicated it will never issue a version 2.01 or 2.2 of PKZIP. A good copy of the latest version of PKZIP can always be obtained from the PKWARE BBS listed below.
According to PKWARE Inc. version 2.01 is a hacked version of PKZIP 1.93 Alpha. While this version does not intentionally do any damage, it is alpha level software, and may have serious bugs in it.
Version 2.2 is a simple batch file that attempts to erase your C:\ and C:\DOS directories. If your hard disk has been erased by this program, you may be able to recover it using hard disk undelete utilities such as those in Norton Utilities, or PCTools. Don't do anything that might create or expand a file on your hard disk until you have undeleted the files, as you may overwrite the deleted files which will destroy them. To examine a file to see if it is version 2.2, type it to the screen with the DOS TYPE command. If the file that prints on the screen is a short batch file with commands such as DEL C:\*.*, or DEL C:\DOS\*.* then you have the bogus file.
If you should happen to see any of these files on a BBS, please contact the sysop of that BBS immediately, and ask him to remove them. If you have downloaded one of these files, please save a copy for CIAC, and then delete the files from your hard disk. PKWARE Inc. has also asked to be informed of any occurrences of these files, and can be reached at,
Name: November 17 virus
Aliases: NOV 17, 855
Platform: MS DOS Computers
Damage: On November 17 will destroy hard disk contents
Symptoms: Files grow by 855, 768, 880, or 800 bytes
Detection/Eradication: FPROT 207, Scan V102, Novi
Once resident, the virus infects any .COM or .EXE program when the file's attributes are set or read, when the file is opened for reading, and when it is loaded and executed. Therefore, if the virus is resident in memory and a new disk with clean executables is copied, the .EXE and .COM files on the source disk will become infected too unless that disk is write-protected. The virus transfers easily across LANs whenever an executable file is opened or executed over the LAN. It will not infect files named SCAN.EXE or CLEAN.EXE, nor files that have the system attribute set. It does not affect data files.
Until March of 1993 there had been no reports of this virus in the United States, so some anti-virus products do not detect it by name. Some products, such as Data Physician Plus!, do detect when they themselves become infected, at which point a message such as "A virus has been detected, would you like to continue?" may appear on the screen. This message means that the product's self-check mechanism has found a modification to its own files; at this point CIAC recommends that you check the machine with a different anti-virus product, or call CIAC for additional information on virus handling.
Due to the nature of this virus's infection mechanism, it is sometimes not possible to remove the infection from a host program. CIAC recommends that if this virus is discovered a copy be kept and then all infected files be deleted and restored from backup.
Name: Satan Bug virus
Platform: MS-DOS/PC-DOS Computers
Type: Memory resident, polymorphic, encrypted
Damage: Infects .COM, .EXE, .SYS, and .OVL files. Damages infected files, makes LANs inaccessible by damaging the LAN drivers.
Symptoms: Files grow at each infection, file dates change, files on LAN file servers become inaccessible.
Detection: DataPhysician Plus 4.0B, Scan V106, Norton AntiVirus 2.1 with August 1993 virus definitions.
To scan a computer infected with a memory-resident virus like the Satan Bug virus, you must boot the computer from a clean (uninfected), write-protected floppy that contains a clean copy of the virus scanner. Delete any infected files the scanner finds and replace them with fresh copies. See the Appendix for more information.
CIAC wishes to thank Bill Kenny of DDI, Joe Wells of Symantec and David Proulx of NAVCERT for their help in preparing this bulletin.
Encrypted viruses store the overwritten piece of the host program inside the virus body and then encrypt that body. For an anti-virus program to patch an infected program, it must decrypt the virus to recover the missing piece and put it back where it belongs. The Satan Bug virus uses up to nine layers of encryption, with a different number of layers in each infection. Decrypting this much code is very difficult, so most anti-virus programs are not expected to be able to repair programs infected with Satan Bug.
On the other hand, some file-signature scanning programs save enough information about each scanned file to repair an infected program. The Data Physician Plus package saves sufficient information to repair a program infected with the Satan Bug virus, but only if the signature file was created before the program was infected. Again, whenever possible replace infected files rather than repairing them, to ensure that you have undamaged copies.
Problem: The Macintosh nVir A virus has been found in the "README." file on the Journal of Vacuum Science & Technology CD-ROM Vol.12 1Q94.
Platform: Macintosh, all versions of the operating system. This virus has no effect on the MS-DOS files also on the disk.
Damage: The virus can easily infect your computer.
Solution: Check with publisher, do not execute "README." file.
Vulnerability Assessment: This CD-ROM is included as part of the American Vacuum Society's (AVS) journal distribution, and is distributed to members of the AVS. The virus is not overtly damaging, but does damage the system and applications during infection.
The CD-ROM can be identified by the following titles printed on the disk:
A title in large bold type: "JVST A&B Vol. 12 1Q94"
A subtitle in small type: "JVST-A Vol 12(1) and 12(2) JVST-B, Vol 12(1)"
The infected file is "README." in the root directory of the CD-ROM, which is a DOCMaker Stand-Alone document reader application. This is the file the instruction manual tells you to run to view or print the user manual; however, doing so will infect the system file of your Macintosh.
This disk can also be read via a PC using DOS or Windows, but those systems will be unaffected, because the nVir A virus is specific to the Macintosh operating system.
The nVir A virus is a virus that at first only replicates, but after a certain amount of executions it has a small chance of saying "Don't Panic" if MacinTalk is installed, or having the computer beep if MacinTalk is not installed. It is not an intentionally destructive virus, but does damage the system and applications during the infection process. Infected systems occasionally crash, and printing is often delayed or damaged.
CIAC recommends that if you have received this CD-ROM, you immediately mark it as containing a Macintosh computer virus, and do not run the "README." file in the root directory. If you are using this disk on a PC system, you do not need to worry as the PC files on this disk are not infected. If you have already run this infected file, get a copy of an anti-virus program such as Disinfectant, and scan your hard disk for infected files. Replace all the infected files that you can, and repair those that you cannot replace. If your hard disk has been infected, you must scan every floppy disk that has been in your system since the infection occurred.
Even though the CD-ROM contains an infected file, the file can only infect your system if it is executed. The other files on the disk can still be installed and used without causing an infection. To install the Adobe Acrobat document reader on your Macintosh, run the Installer program in the JVST_94:install:mac:reader folder. To install the search utility, run the JVST_INSTALL;1 program in the JVST_94:install:mac:wordkeep directory. You can also view the README.DOC file, which contains the instructions for using the PC and Windows versions of the reader, using a word processor. Only the "README." file must be avoided.
If you must access the data in the infected "README." file, carefully copy the file to a floppy disk and repair it using an anti-virus utility such as Disinfectant, and then scan it again to ensure it has been repaired. If the repaired file is no longer infected, you may then run it to view the document. Again, do not run the copy of the "README." file that is on the CD-ROM, as it is still infected and cannot be repaired because the CD-ROM is read-only.
The publisher has sent a letter to all known recipients of this CD-ROM distribution explaining this problem.
CIAC wishes to thank Judy Lim, Rick Stulen and Art Pontau of Sandia National Labs for first bringing this to our attention and for supplying us with a copy of the CD-ROM. CIAC also wishes to thank the ASSIST team for helping us to contact the publishers of this journal.
Problem: A Trojan-horse program, CD-IT.ZIP, masquerading as an improved driver for Chinon CD-ROM drives, corrupts system files and the hard disk.
Platform: All MS-DOS and PC-DOS machines.
Damage: Once in memory, the program destroys system files, requiring a format of the infected drive to correct.
Solution: Do not execute the program in CD-IT.ZIP.
Vulnerability Assessment: The program is not dangerous if not run, but can cause serious damage to a hard drive if it is. As of this date, we don't know of any anti-virus software that recognizes it.
TORRANCE, CALIFORNIA, U.S.A., 1994 APR 29 (NB) -- A new "Trojan Horse" computer virus is on the Internet and is labeled with the name of the fourth largest manufacturer of compact disc read-only memory (CD-ROM) drives. Chinon America, Incorporated, the company whose name has been improperly used on the rogue program, is warning IBM and compatible personal computer (PC) users to beware of the program known as "CD-IT.ZIP."

CIAC recommends that if you find a copy of the file CD-IT.ZIP, you do not install it on your computer. If you have already installed and run the file, shut down your machine immediately. Check with your anti-virus vendor to see if they have a scanner/repair utility available. If not, boot from a clean, locked floppy. If you can still access your hard disk, back up any important files that were not included in your last backup, reformat the drive and restore it from your last backup.

A Chinon CD-ROM drive user brought the program to the company's attention after downloading it from a Baltimore, Maryland Fidonet server. One of the clues that the virus, masquerading as a utility program, wasn't on the up-and-up was that it purports "to enable read/write to your CD-ROM drive," a physically impossible task.
CD-IT is listed as authored by Joseph S. Shiner, couriered by HDA, and copyrighted by Chinon Products. Chinon America told Newsbytes it has no division by that name. Other clues were obscenities in the documentation as well as a line indicating that HDA stands for Haven't Decided a Name Yet.
David Cole, director of research and development for Chinon, told Newsbytes that the company knows of no one who has actually been infected by the program. Cole said the virus isn't particularly clever or dynamic, but none of the virus software the company tried was able to eradicate the rogue program. Chinon officials declined to comment on what antivirus software programs were used.
If CD-IT is actually run, it causes the computer to lock up, forcing a reboot, and then stays in memory, corrupting critical system files on the hard disk. Nothing but a high-level reformat of the hard disk drive will eradicate the virus at this point, a move that sacrifices all data on the drive. It will also corrupt any network volumes available.
"We felt that it was our responsibility as a member of the computing community to alert Internet users of this dangerous virus that is being distributed with our name on it. Even though we have nothing to do with the virus, it is particularly disturbing for us to think that many of our loyal customers could be duped into believing that the software is ours," Cole explained.
Chinon is encouraging anyone who might have information that could lead to the arrest and prosecution of the parties responsible for CD-IT to call the company at 310-533-0274. In addition, the company has notified the major distributors of virus protection software, such as Symantec and McAfee Associates, so they may update their programs to detect and eradicate CD-IT.
(Linda Rohrbough/19940429/Press Contact: Rolland Going, The Terpin Group for Chinon, tel 310-798-7875, fax 310-798-7825; Public Contact: Chinon, CD-IT Information, 310-533-0274)
CIAC is currently obtaining a copy of this Trojan from Chinon, and will make any new information about this Trojan available in a future copy of CIAC Notes.
CIAC would like to thank Chinon America for the information contained in this advisory and Brian Lev of NASIRC for forwarding it to us.
Problem: A new computer virus is preventing systems from booting.
Platform: All MS-DOS, PC-DOS, Windows systems.
Damage: May damage executable files and make systems unbootable.
Solution: Update your Anti-Virus program to detect/remove the virus.
Vulnerability Assessment: The KAOS4 virus is becoming widespread after being posted to a USENET newsgroup. The virus has been seen at multiple locations within the DOE community. The virus does not appear to be intentionally damaging, but does render systems unbootable until the system files can be replaced. Most current virus scanners must be revised to detect it.
The most common symptom of an infection from this virus is that infected machines become unbootable. Unfortunately, that is a common symptom of many other problems, including hardware problems. If a machine has become unbootable from its hard disk, but can boot from a floppy, compare the size of COMMAND.COM with the original copy. If it has changed, suspect a virus. If you examine COMMAND.COM with a disk editor and find the text KAOS4 in the last sector, you know you have the KAOS4 virus.
The KAOS4 virus is a variant of the Vienna virus that has been extended to infect .EXE files as well as .COM files. The virus is direct acting (it runs once whenever an infected program is run) and randomly infects one .COM and one .EXE file every time it is run. It attacks COMMAND.COM first and then attacks other files. During our testing, it seemed to prefer the \DOS and the \NU (Norton Utilities) directories, but that may be coincidental.
The virus adds 697 bytes to the length of both .COM and .EXE files, but the modification date of the files does not change. The following text is in the clear in the last sector of an infected program file.
KAOS4 / Kohntark
It is not detected by DDI's DataPhysician Plus version 4.0D or McAfee's SCAN version 116.
A virus signature file is available from DDI named KAOS4.PRG that works with version 4.0C of DataPhysician Plus, giving it the capability to detect this virus.
NOTE: DO NOT use this file with version 4.0D of DataPhysician Plus; use it with version 4.0C instead. There is a problem with version 4.0D that prevents the user installed virus signature file from working correctly.
There are two ways to install the KAOS4.PRG file into the VirHUNT program in DataPhysician Plus: you can load it on the command line or you can install it with a program menu command. To start VirHUNT, and load the signature file on the command line, type the following at the DOS prompt:
VIRHUNT USC:\DDI\KAOS4.PRG
This assumes that the KAOS4.PRG file is in the DDI directory on the C drive. If the file is stored somewhere else, change the path to point to the appropriate location. The file will be loaded into VirHUNT and VirHUNT can be used to scan any attached disks for the virus.
To load the file in a running version of VirHUNT, select the Options menu and the E: User specified search/remove command. In the dialog box that is displayed, type KAOS4.PRG. Include a path with the file name if the file is not in the default directory. You may now scan files like normal and if the KAOS4 virus is detected, it is reported as an "Unknown Virus". The signature file also contains sufficient information to remove the virus from an infected program, but programs should be replaced whenever possible.
The file KAOS4.PRG is available on the CIAC file servers. You can use anonymous FTP to ciac.llnl.gov (128.115.19.53) and find the file in the /pub/ciac/sectools/pcvirus directory. It can also be obtained from the CIAC BBS in the File Transfer:Downloads: PC Virus section.
A special version of McAfee's SCAN program named SCN-KAOS.ZIP is available that only removes the KAOS4 virus. It is available on the McAfee BBS (408-988-4004), Compuserve, or via anonymous FTP to mcafee.com.
A new version of the Norton Anti-Virus, Virus Definitions file is available to make NAV 3.0 detect and remove KAOS4. The file is 30a09b.zip and is available on the Symantec BBS (503-484-6669), and Compuserve.
CIAC wishes to thank Bill Kenny of DDI for so quickly getting us a signature file for this new virus.
With new viruses appearing almost weekly, it seems almost impossible to keep an up-to-date scanner available on every vulnerable machine. In the time it takes to distribute a new scanner, several new viruses are already in the wild. So how do you protect a machine against new viruses?
First, not all machines need to be protected. If a machine never shares floppy disks with anyone and never downloads an executable file (documents are OK) over a network, that machine is highly unlikely to ever encounter a new virus. While that machine should be scanned occasionally, the risk of virus infection does not warrant more extensive checking.
For the rest of us that do exchange files and executables, most current anti-virus programs have ways to protect against a new virus. Actually, there are two capabilities in most anti-virus programs to protect against new viruses: TSR (Terminate and Stay Resident) suspicious activity detectors and program change detectors.
In the DataPhysician Plus package, available to all DOE sites, the suspicious activity detector is the VirALERT program. VirALERT is loaded as a device driver in your CONFIG.SYS file. Normally, the DataPhysician Plus installer program takes care of installing VirALERT for you. VirALERT has several options that set the type of suspicious activity to watch for. Each of the options is explained in the installer program. While you might think that you should set the options to detect all suspicious activity, that might not be a good idea. If the suspicious activity detector alarms all the time, you will probably start ignoring it and won't notice when a truly suspicious activity indicates a virus is present. A reasonable setup from the CONFIG.SYS file is the following:
DEVICE=C:\DDI\VIRALERT.SYS TV Z=RESSCAN.COM, WIN-RS.COM
With this setup, VirALERT checks for any attempts to write an executable file, (T) watches for other TSR programs attempting to install themselves, (V) warns you when it is off, and (Z=...) ignores the TSR programs in RESSCAN.COM and WIN-RS.COM. In general, the installer does all this setup for you.
If you are performing an activity that sets off the suspicious activity detector, such as copying a directory full of executable files, you don't want to have to sit there pressing C (Continue) every time the dialog pops up. In this case, you can disable VirALERT by pressing I (Inactivate) to turn VirALERT off for the duration of this command. VirALERT automatically turns back on again when the command completes. You can also toggle VirALERT off by pressing Alt-V to see the VirALERT dialog, press the space bar until OFF appears and press Esc to continue. You must repeat this sequence to turn VirALERT back on again.
The VirHUNT program in the DataPhysician Plus package contains both a virus scanner and a program scanner. The virus scanner searches for known viruses in your executable files, and the program scanner is the program change detector. The program scanner must be run once with the create new signature file option set to store the program signatures. It is then run later to scan for changes in the protected programs. The installer program does this initial scan for you if you request it.
As with virus scanners, a problem with a signature scanner is that it takes a lot of time to scan a hard disk. If the scanner is set up in the AUTOEXEC.BAT file to run every time a machine is booted, it extends the amount of time it takes to boot a machine. A large hard disk can take several minutes to scan, significantly trying a user's patience. Scanning the whole hard disk for viruses or for program changes every time you boot is probably unreasonable for all but the front door and open machines in your organization. A front door machine is one reserved by an organization specifically for scanning disks coming into an organization. Open machines are those made available for anyone to use and, because of their uncontrolled nature, are very susceptible to viruses.
A better strategy is to scan the whole hard disk at times convenient to the user (at night, at lunch, etc) and to only scan a few particularly sensitive files at boot time. By always scanning those files most likely to be infected by a new virus, you should catch most new infections before they have gone very far. In most cases, the root directory of the C drive and the DOS directory are the most likely places for a new infection to occur. Of course, you should always scan any floppies brought into your area, including those in shrink wrapped containers and any new executable files copied onto your hard disk.
To use the program signature scanner in an efficient manner, you need to make two program signature scans: one of the whole hard disk and one of the directories you are going to scan at every boot. Before creating the program signature file, you must insure that your disk is free from virus infections, otherwise the scanner will include the virus as part of the signature for a program. Assuming your disk is well scanned and as clean of infections as you can make it, perform the following steps to create the initial program signature file.
With all the options set as in the steps above, perform the following steps.
If the new files are legitimate and you want to not alarm every time you run a scan, you must create a new signature file for those directories as you did above.
To do the same run of VirHUNT every time the machine is booted, place the following command in the AUTOEXEC.BAT file.
C:\DDI\VIRHUNT.EXE C:\ C:\DOS USC:\DDI\KAOS4.PRG SCN SFC:\DDI\VIRHUNT2.SIG LIC:\DDI\SCAN.OUT SISN QU
This command assumes that the files VIRHUNT.EXE, KAOS4.PRG, and VIRHUNT2.SIG are all in the C:\DDI directory. Started with this command, VirHUNT scans the C:\ and C:\DOS directories. The US option loads the KAOS4.PRG virus signature file. The SCN option sets scan subdirectories to No. The SISN option does a program signature scan and reports new files found. The QU option makes the program quit after it finishes a successful scan. The SF option sets the file name of the program signature file to use and the LI option sets the file to use to store the results of the scan.
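As an added example (not DDI's VirHUNT code), the following Python script implements the program change detector described above together with the KAOS4 check from the earlier bulletin: it records the size and a hash of every executable directly inside a set of directories (no subdirectories, like the SCN option), reports new and changed files on a later scan (like SISN), and looks for the clear-text KAOS4 marker in the last sector of each file. Because KAOS4 leaves the file date untouched, the signature deliberately ignores modification dates. The demo() scenario, its file names and the 697-byte tail are constructed; VIRHUNT2.SIG is reused only as a name.

```python
# Added example: a program change detector in the spirit of the VirHUNT
# program signature scan, plus the KAOS4 last-sector text check. Not DDI's code.
import hashlib
import json
import os
import tempfile

SECTOR = 512
KAOS4_MARKER = b"KAOS4"          # clear text found in the last sector of an infected file
EXECUTABLE_EXT = (".com", ".exe", ".sys", ".ovl")


def file_signature(path):
    """Size and SHA-256 of a file. The modification date is deliberately not
    recorded: KAOS4 leaves it unchanged, so it proves nothing."""
    with open(path, "rb") as f:
        data = f.read()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def scan_dirs(dirs):
    """Signatures of the executables directly inside each directory
    (no subdirectories, like VirHUNT's SCN option)."""
    sigs = {}
    for d in dirs:
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if os.path.isfile(path) and name.lower().endswith(EXECUTABLE_EXT):
                sigs[os.path.normcase(path)] = file_signature(path)
    return sigs


def create_signature_file(dirs, sig_path):
    """Initial scan of a known-clean disk; the equivalent of creating VIRHUNT2.SIG."""
    sigs = scan_dirs(dirs)
    with open(sig_path, "w") as f:
        json.dump(sigs, f, indent=1, sort_keys=True)
    return sigs


def compare_with_signature_file(dirs, sig_path):
    """Boot-time scan: report new files (SISN), changed files with their size
    growth in bytes, and files that have disappeared since the baseline."""
    with open(sig_path) as f:
        baseline = json.load(f)
    current = scan_dirs(dirs)
    report = {"new": [], "changed": [], "missing": sorted(set(baseline) - set(current))}
    for path, sig in current.items():
        old = baseline.get(path)
        if old is None:
            report["new"].append(path)
        elif old != sig:
            report["changed"].append((path, sig["size"] - old["size"]))
    return report


def last_sector_marker(path, marker=KAOS4_MARKER):
    """True if the marker text appears in the last 512-byte sector of the file,
    the check the bulletin describes doing by hand with a disk editor."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        f.seek(max(0, size - SECTOR))
        return marker in f.read()


def demo():
    """Constructed scenario in a temporary directory standing in for the C:
    root and DOS directories: baseline two clean programs, then append a
    697-byte KAOS4-style tail to COMMAND.COM without touching its date, and
    drop in one new .EXE file."""
    root = tempfile.mkdtemp()
    dos = os.path.join(root, "DOS")
    os.mkdir(dos)
    command_com = os.path.join(root, "COMMAND.COM")
    with open(command_com, "wb") as f:
        f.write(b"\xb8\x00\x4c\xcd\x21" * 400)      # constructed 2000-byte stand-in
    with open(os.path.join(dos, "FORMAT.COM"), "wb") as f:
        f.write(b"\xcd\x20" * 300)                  # constructed, stays clean
    with open(os.path.join(root, "NOTES.TXT"), "w") as f:
        f.write("not an executable, ignored by the scan\n")
    sig_path = os.path.join(root, "VIRHUNT2.SIG")
    create_signature_file([root, dos], sig_path)

    before = os.stat(command_com)
    tail_text = b"KAOS4 / Kohntark"
    tail = b"\x90" * (697 - len(tail_text)) + tail_text   # constructed, 697 bytes in all
    with open(command_com, "ab") as f:
        f.write(tail)
    os.utime(command_com, ns=(before.st_atime_ns, before.st_mtime_ns))  # date unchanged
    with open(os.path.join(dos, "NEW.EXE"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 100)              # constructed new file

    report = compare_with_signature_file([root, dos], sig_path)
    report["marker_hits"] = [p for p in scan_dirs([root, dos]) if last_sector_marker(p)]
    report["date_unchanged"] = os.stat(command_com).st_mtime_ns == before.st_mtime_ns
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```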
Unfortunately, some virus infected hard drives cannot be mounted by a system without the virus in memory. Monkey is of this type. Because they move the partition table to a different place on the disk, the virus must be in memory in order to access the partition data so that the drive can be mounted. Luckily, most virus scanners know how to locate and remove these viruses.
Note that KAOS4 is not a stealth virus.
Problem: A previously unknown computer virus is damaging systems.
Platform: All MS-DOS, PC-DOS, Windows systems, all versions.
Damage: Damages files, encrypts hard drive.
Solution: Update your Anti-Virus program to detect/remove the virus.
Vulnerability Assessment: While it is not epidemic, the virus has been seen at an East coast site and it isn't detected by the current versions of most virus scanners (revised versions are upcoming). The virus is intentionally damaging and all files on an infected machine are at risk. Warning: Removing the virus may make some files inaccessible (see below).
Dis is one half.
Press any key to continue ...
Did you leave the room ?
The virus also contains the names of several prominent antivirus products:
SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV
The virus is multipartite, infecting .COM and .EXE files as well as the master boot record. The virus adds 3544 bytes to .COM and .EXE files.
The virus is polymorphic and changes its appearance with every infection by inserting different do-nothing instructions between the actual commands in the virus code.
The virus is a stealth virus and actively hides the infection in the first track. With the virus in memory, any examination of the first track on the hard drive will see only the normal master boot record in the first sector and empty sectors for the rest of the track.
The virus is intentionally damaging. Every time an infected machine boots, the virus encrypts two cylinders of the DOS partition of the hard drive starting with the highest numbered cylinder and progressing to lower numbered ones. The virus then hides the fact that it is encrypting the hard drive by decrypting any of the encrypted sectors whenever they are accessed by the system. Only with the virus out of memory do you see the encrypted sectors.
DDI has made a detection/removal utility available named CHK_HALF. This program must be run from a machine that was booted with a KNOWN, CLEAN, LOCKED floppy to insure that the virus is not in memory. When CHK_HALF is run, it scans the current drive and master boot record and removes any virus infections it finds. The utility does not scan memory first and will not work correctly with the virus in memory, so be sure the system was booted with a clean, locked floppy. The utility also does not decrypt any encrypted cylinders, so be sure to copy any important files before removing the virus.
Version 4.0E of the Department of Energy's site licensed antiviral product, Data Physician Plus!, will be available the week of Sept. 12, 1994 and will detect and remove this virus. Other antivirus software that detects this virus includes Dr. Solomon's Antivirus Toolkit version 6.65 (currently available), Norton's AntiVirus October 1 monthly update, McAfee Scan version 2.11 (scheduled to ship in mid-September), and F-PROT version 2.14a (scheduled for the end of September).
CIAC wishes to thank Bill Kenny of DDI for spending his Labor day weekend laboring to write a detection/removal package for this virus so we would have it on Tuesday morning.
Problem: A trojan program is being distributed around America Online and other networks called AOLGOLD.ZIP.
Platform: DOS-based PCs
Damage: When the INSTALL.EXE program is executed, most files on the user's C: drive are deleted.
Solution: See the descriptions below
Vulnerability Assessment: Users who download the AOLGOLD.ZIP or INSTALL.EXE trojaned programs, and who unpack and execute them, may destroy files on their DOS C: drive.
Apparently, an e-mail message is being circulated that contains an attached archive file named AOLGOLD.ZIP. A README file that is in the archive describes it as a new and improved interface for the AOL online service. Note that there is no such program as AOLGOLD. Also, simply reading an e-mail message or even downloading an included file will not do damage to your machine. You must execute (or run) the downloaded file to release the Trojan and have it cause damage.
If you unzip the archive, you get two files: INSTALL.EXE and README.TXT. The README.TXT file again describes AOLGOLD as a new and improved interface to the AOL online service. The INSTALL.EXE program is a self-extracting ZIP archive. When you run the install program, it extracts 18 files onto your hard drive:
MACROS.DRV
VIDEO.DRV
INSTALL.BAT
ADRIVE.RPT
SUSPEND.DRV
ANNOY.COM
MACRO.COM
SP-NET.COM
SP-WIN.COM
MEMBRINF.COM
DEVICE.COM
TEXTMAP.COM
HOST.COM
REP.COM
EMS2EXT.SYS
EMS.COM
EMS.SYS
README.TXT
This file list includes another README.TXT file. If you examine the new
README.TXT file, it starts out with "Ever wanted the Powers of a Guide" and
continues with some crude language. The README.TXT file indicates that the
included program is a guide program that can be used to kick other people off
of AOL.
If you stop at this point and do nothing but examine the unzipped files with the TYPE command, your machine will not be damaged. The following three files contain the Trojan program:
MACROS.DRV
VIDEO.DRV
INSTALL.BAT
The rest of the files included in the archive appear to have been grabbed at
random to simply fill up the archive and make it look official.
The Trojan program is started by running the INSTALL.BAT file. The INSTALL.BAT file is a simple batch file that renames the VIDEO.DRV file to VIRUS.BAT and then runs it. VIDEO.DRV is an amateurish DOS batch file that starts deleting the contents of several critical directories on your C: drive, including:
c:\
c:\dos
c:\windows
c:\windows\system
c:\qemm
c:\stacker
c:\norton
It also deletes the contents of several other directories, including those for
several online services and games, such as:
c:\aol20
c:\prodigy
c:\aol25
c:\mmp169
c:\cserve
c:\doom
c:\wolf3d
When the batch file completes, it prints a crude message on the screen and attempts to run a program named DoomDay.EXE. Bugs in the batch file prevent the DOOMDAY.EXE program from running. Other bugs in the file cause it to delete itself if it is run from any drive but the C: drive. The programming style and bugs in the batch file indicate that the Trojan writer has little programming experience.
The files are deleted with the DOS del command, and can be recovered with the DOS undelete command. The files are still on your disk, only the directory entries have been removed. If you copy any new files onto your hard disk, they will likely be written over the deleted files, making it impossible to recover the deleted files.
If you have delete protection installed on your system, recovery will be relatively easy. If not, the DOS undelete command can be used, but you will have to supply the first letter of each file name as it is recovered. In many cases, you will probably want to restore the directories by reinstalling them from the original installation disks, but do that last. You must recover any unreplaceable files first using undelete and then replace any others by copying or reinstalling them from the distribution disks.
To recover the system:
If you are using only the DOS undelete command, type:
undelete directory
where directory is the name of the directory to examine. To undelete the files in the dos directory, use:
undelete c:\dos
The undelete program will present you with a list of deleted files with the first letter replaced with a question mark. Without delete protection, you will have to supply this letter in order to undelete the file.
--BEGIN MESSAGE--
Dear Member:
As you know, we strive to keep you informed on various issues regarding online safety.
We want to take this opportunity to remind you about potential computer viruses and Trojan horses and how to protect your computer. First, a virus is a program that is designed to spread and usually attaches itself to a program with the goal of spreading to other computers. A Trojan horse is a program that is intended to corrupt your computer but has to be activated before it can be executed. For example, a Trojan horse can be distributed as an attached file to an email but the file has to be downloaded and executed before harm is done.
If you receive email from unknown senders with an attached file, it is a good rule of thumb not to download the files. In addition, if you ever receive a file in email you believe could cause problems, please forward it immediately to TOSEMAIL1, and explain your concerns to our Terms of Service staff.
We have received recent inquiries regarding a Trojan horse that is sent as an attached file in an email message entitled "AOLGOLD" and "Install.exe". It is important to understand that no virus or Trojan horse can be passed along by simply reading email. However, we strongly urge that if you receive email with an attached file with this name not to download it.
Due to the private nature of electronic mail, we cannot scan files in email for viruses as we do with files in public areas of the service.
We have never had an occurrence of a virus or Trojan horse being spread through simply reading email. In order for one to spread to your computer, you would have to proactively select the attached file and download it to your hard drive. It is therefore advisable never to download attached files from an unknown sender.
AOL incorporates virus protection throughout the service and scans all posted software, text, and sound files in public areas. We also offer our members the Virus Information Center on AOL where you'll find information about the latest virus or Trojan horse, along with updates to all the popular commercial, shareware, and freeware anti-virus tools. Keyword: VIRUS.
Thank you for taking an active role in maintaining a safe online environment.
Sincerely,
AOL Operations Staff
--END MESSAGE--
CIAC wishes to thank the staff of America Online, especially Mr. Don Bigelow for their assistance in providing the information necessary to prepare this bulletin.
Problem: Word macro viruses are no longer an isolated threat, but they are a significant hazard to the information on a computer.
Platform: Any platform that can run Microsoft Word 6.0 or later: Windows 3.1, WFW 3.11, Win 95, Windows NT, and Macintosh.
Damage: Files can be deleted and may not be recoverable.
Solution: Scan all new Word documents before opening them in the same way that you now scan all executable files before running them. Install version 2 of the Microsoft macro virus detection tool.
Vulnerability Assessment: The vulnerability of systems to this type of virus is high, because most users are not in the habit of scanning documents. Documents are much more mobile than executable files in an organization, passing from machine to machine as different people write or edit them.
WARNING: The new macro virus detector from Microsoft only scans files if they are opened with the File-Open command in Word and not if they are opened by double-clicking the document or by selecting the document from the recent documents list at the bottom of the File menu. You must use the File-Open command to activate the protection.
In Microsoft Word there are three types of hazardous, auto-executing macros: auto-execute macros, auto-macros, and macros with command names. There is one auto-execute macro in Word named AutoExec. If a macro named AutoExec is in the "normal.dot" template or in a global template stored in Word's startup directory, it is executed whenever Word is started. The only way to disable the execution of AutoExec is to insert the flag /m in the command line used to start Word.
The second type of dangerous macros are auto-macros.
Name Runs when you
------------------------------------
AutoNew create a new document.
AutoOpen open a document.
AutoClose close a document.
AutoExit quit Word.
The auto-macros can be disabled by executing the Word.Basic command
"DisableAutoMacros" in a macro. Note that the example in Word's online help of
executing this command in the command line when starting Word does not work.
The command must be executed in a macro. Auto-macros are also disabled by
holding down the shift key while opening a document.
The third type of dangerous macros are those named for an existing Word command. If a macro in the global macro file or in an attached, active template has the name of an existing Word command, the macro command replaces the Word command. For example, if you create a macro named FileSave in the "normal.dot" template, that macro is executed whenever you choose the Save command on the File menu. There is no way to disable this feature.
Macro viruses spread by having one or more auto-execute macros in a document. By opening or closing the document or using a replaced command, you activate the virus macro. As soon as the macro is activated, it copies itself and any other macros it needs to the global macro file "normal.dot". After they are stored in normal.dot they are available in all opened documents.
At this point, the macro viruses try to spread themselves to other documents, usually by including an AutoClose macro that attaches the virus macros to the document and saves it. The macro viruses that cause damage contain a trigger that starts the damage routines and those routines do the actual damage. The trigger is some event that the virus writer has programmed his virus to watch for such as a date or the number of days since the infection occurred.
An important point to make here is that Word documents (.DOC files) cannot contain macros; only Word templates (.DOT files) can contain macros. However, it is a relatively simple task to disguise a template as a document by changing the file name extension from .DOT to .DOC.
AAAZAO AutoOpen
AAAZFS Payload
When an infected file is opened the AutoOpen macro is run and copies the virus
files to the global macro file. During the copying process, it changes the name
of AAAZFS to FileSaveAs. Whenever a document is saved, the FileSaveAs command
copies the virus macros into it and saves it. The AAAZAO macro becomes the
AutoOpen macro on the saved document file. The Payload macro does nothing. The
first time the macro runs a dialog box appears with the single digit "1"
contained in it.
AutoExec AutoOpen DropSuriv
FileExit FilePrint FilePrintDefault
FileSaveAs InsertPayload Payload
All of these are copied to the global macro file when an infected document is
opened. When any document is saved, the virus copies all the macros onto it and
saves it. Printing a document during the last 5 seconds of any minute causes
the following text to appear at the top of the printed page:
"And finally I would like to say:"
"STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!"
After April 5th, it attempts to delete your system files but fails because of a
bug in the virus. The virus also attempts to infect a system with the Suriv
binary virus, but fails again because of a bug.
AutoClose AutoExec AutoOpen
FileExit FileNew FileSave
FileSaveAs ToolsMacro
The virus changes many of the menu items to make it difficult to delete. For
example, it effectively removes the Tools Macros command so you can't list or
delete the macros in a program with that command.
After being accessed 300 times, Colors activates and randomly changes the system colors in the win.ini file making the screen look strange.
WARNING: The format command in most modern versions of DOS can be reversed. If this virus strikes, get some knowledgeable help before doing anything to your system. Don't do anything that might write something on the hard drive until you get knowledgeable help. You may only need to boot from a floppy and run unformat to recover the whole drive. What you do depends on what utility programs (Norton Utilities, PCTools, and so forth) you have installed on your system.
An infected document contains the following macros. When the virus infects the Word program, they are copied to "normal.dot" and renamed in the same order:
In the document      In normal.dot
------------------------------------
AutoOpen             StartOfDoc
DrawBringInFrOut     AutoOpen
InsertPBreak         InsertPageBreak
ToolsRepaginat       FileSave
The virus adds the item "OLHot=nnnnn" to the winword.ini file, where nnnnn is a date 14 days in the future. The virus uses this date to determine when it is going to trigger. The virus also checks for the existence of the file "c:\dos\ega5.cpi" and does not infect a machine if the file exists. This was apparently a feature to protect the virus writer.
Microsoft has released a new version of its macro virus protection program (see below) that checks all Word documents as you open them with the File-Open command and tells you if they contain a macro or not. It can only detect the Concept virus by name, but any document with a macro attached should be considered suspect.
You can use the Organizer dialog box (see below) to check for strange macros attached to your documents. The Organizer can open a document in the background (without running any attached macros) and let you see what macros are attached to it. You can also use it to delete macros from a document.
You can watch for virus activity when opening or saving a document, but it is generally preferable to detect a virus before it gets installed. If you have already opened a document that you suspect has a virus, use the Tools Macro command to see a list of the macros attached to Word. If you can't open the Macro dialog box, try the Organizer dialog box instead.
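The three hazard classes described above and the "any document with a macro attached is suspect" rule can be turned into a triage of the macro list that Tools Macro or the Organizer shows you. The following is an added example, not CIAC's or Microsoft's code; the known macro sets are the ones listed in this bulletin, and the menu-prefix rule for spotting command-replacing names is an assumption.

```python
"""Triage of the macro list Word shows in the Tools Macro or Organizer dialog.
Added example, not CIAC's or Microsoft's code; the menu-prefix rule is an assumption."""
import re

AUTO_EXECUTE = {"AutoExec"}                                     # runs when Word starts
AUTO_MACROS = {"AutoNew", "AutoOpen", "AutoClose", "AutoExit"}  # run on document events
# Assumption: menu name + capitalised word is probably an existing Word command name.
MENU_PREFIX = re.compile(r"^(File|Edit|View|Insert|Format|Tools|Table|Window|Help|Draw)[A-Z]")

# Macro sets carried by the infected documents described in this bulletin.
KNOWN_SETS = {
    "Concept": {"AAAZAO", "AAAZFS", "AutoOpen", "Payload"},
    "Nuclear": {"AutoExec", "AutoOpen", "DropSuriv", "FileExit", "FilePrint",
                "FilePrintDefault", "FileSaveAs", "InsertPayload", "Payload"},
    "Colors": {"AutoClose", "AutoExec", "AutoOpen", "FileExit", "FileNew",
               "FileSave", "FileSaveAs", "ToolsMacro"},
    "unnamed (OLHot trigger)": {"AutoOpen", "DrawBringInFrOut", "InsertPBreak",
                                "ToolsRepaginat"},
}
MS_PROTECTION = {"AutoExit", "FileOpen", "InstVer", "ShellOpen"}  # Microsoft's template

def classify(name):
    """Hazard class of one macro name, per the three types in the bulletin."""
    if name in AUTO_EXECUTE:
        return "auto-execute"
    if name in AUTO_MACROS:
        return "auto-macro"
    if MENU_PREFIX.match(name):
        return "command-replacing?"      # heuristic; verify against Word's command list
    return "other"

def triage(filename, macros):
    """Return (verdict, {macro: class}, matched known set or None)."""
    macros = set(macros)
    classes = {m: classify(m) for m in sorted(macros)}
    matched = next((v for v, s in KNOWN_SETS.items() if s <= macros), None)
    if not macros:
        verdict = "clean: no macros"
    elif matched:
        verdict = f"infected: matches the {matched} macro set"
    elif filename.lower() == "normal.dot" and macros <= MS_PROTECTION:
        verdict = "clean: only Microsoft's protection macros"
    elif filename.lower().endswith(".doc"):
        verdict = "suspect: .DOC with macros (a template masquerading as a document)"
    else:
        verdict = "suspect: macros present, inspect and remove with the Organizer"
    return verdict, classes, matched

if __name__ == "__main__":  # constructed input: what the Organizer lists for a Concept-infected file
    print(triage("report.doc", ["AAAZAO", "AAAZFS", "AutoOpen", "Payload"]))
```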
Currently, the best protection is to install Microsoft's macro virus protection template. The template is available directly from Microsoft's web site or from the CIAC archive. A description of the scanner is available at:
WARNING: The new macro virus detector from Microsoft only scans files if they are opened with the File-Open command in Word and not if they are opened by double-clicking the document or by selecting the document from the recent documents list at the bottom of the File menu. You must use the File-Open command to activate the protection.
To install the macro virus protection, simply open the template file with Word and follow the instructions. The macros automatically install themselves in your global macro file (just like the virus). A protected version of Word should have the following four macros attached to the "normal.dot" file:
AutoExit FileOpen InstVer ShellOpen
FileOpen calls ShellOpen whenever a document is opened. ShellOpen checks each newly opened document to see if it has any macros attached. If there are macros in the document that is being opened, ShellOpen displays a dialog box giving you the choice to open the document anyway, remove the macros and open it, or cancel the open command.
If, for some reason, you can't use Microsoft's protection macro, you can disable auto-macros. You have three options:
Sub MAIN
	' WordBasic: turns off AutoNew, AutoOpen, AutoClose and AutoExit for this Word session
	DisableAutoMacros 1
	MsgBox "Auto-macros are disabled."
End Sub
All auto-macros are disabled but a virus could still infect a system if it is
activated by a command that replaces a normal command.
To disable auto-macros and the auto-execute macro, create the following macro in the global macro file (normal.dot) and name it "DisableMyAutoMacros".
Sub MAIN
	' WordBasic: turns off AutoNew, AutoOpen, AutoClose and AutoExit for this Word session
	DisableAutoMacros 1
	MsgBox "Auto-macros are disabled."
End Sub
In the Program Manager or the Explorer in Windows 95, select the Word icon and
choose the Properties command on the File menu. Add the following switch to the
command line for Word.
/mDisableMyAutoMacros
This command disables the AutoExec macro and runs the DisableMyAutoMacros procedure when Word starts up. Again, this does not stop macros with command names from replacing the commands. This also only works if you start Word by double-clicking on the Word icon. If you start Word by double-clicking on a document, it will not see the switch and will not run the DisableMyAutoMacros procedure.
When you hold down the Shift key while opening or double clicking a document, the AutoOpen macro is prevented from running. Other auto-macros may still run so you must check for a virus before doing anything else.
WARNING: The three methods of disabling auto-macros and the auto-execute macro do not fully protect you from a virus. While they prevent the auto-execute and auto-macro commands from running, they do not prevent any macros named the same as commands from replacing those commands. Any virus that uses replaced commands to initiate an infection will not be stopped. Only an external scanner or the Microsoft template will detect a document containing macros before it is opened.
If you have Microsoft's virus macro protection installed, it will give you the option to remove any attached macros when you open the document. If you save the document with the same name, it will overwrite the infected document.
If you don't have a scanner or the protection macro, you can use the Organizer to find and remove macro viruses without infecting your system. The first step is to start Word and open the Organizer dialog box. There are two ways to open the Organizer:
1. Use the Tools Macro command and press the Organizer button.
2. Use the File Templates command and press the Organizer button.
In the Organizer dialog box click the Macros tab, click the Open File button, select the infected document and click OK. Back in the Organizer dialog box, select all the macros listed in the file and click the Delete button to remove them. Click the Close File button to close and save the file. The file can now be opened normally.
If you have just infected yourself by opening an infected document, don't close the document or quit Word. If you close the infected file or quit Word, you run the risk of running another of the auto-execute macros. See if you can get to the Organizer dialog box. Once in the Organizer you can delete the virus macros from the infected document and from the "normal.dot" file. Save those files, quit Word and restart it. You can then use the Organizer to check other documents for a virus infection.
If you can't get to the Organizer, quit Word without saving anything, find the "normal.dot" file and delete it. When you restart Word, it will create a new, empty "normal.dot" file. Note that you will also lose any custom styles which were stored in the "normal.dot" file and will have to redefine them.
The second thing to do is to install the Microsoft macro virus protection template to warn you if a document contains macros before you open it.
Keep in mind that while Microsoft products are being targeted by these viruses, they are not the only products which have a macro capability which could be exploited. Hopefully, in the next release of software programs which include extensive macro capabilities, there will be an easy way to disable macro execution and warn the user if documents contain macros. This change will make the problem of macro viruses go away very quickly.
CIAC wishes to acknowledge the help of Michael Messuri and Charles Renert of Symantec Corp. and Chuck Noble of Digital Equipment Corp. for valuable assistance in the preparation of this bulletin.
CIAC is located at Lawrence Livermore National Laboratory in Livermore, California, and is a part of its Computer Security Technology Center. Further information can be found at CIAC. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. See FIRST for more details.
Previous CIAC notices, anti-virus software, pgp public key, and other information are available from the CIAC Computer Security Archive: