CIAC Bulletins and Advisories

U.S. Department of Energy Computer Incident Advisory Capability

The following virus-related information is excerpted from CIAC Bulletins and Advisories:

Columbus Day Virus

CIAC Bulletin Number 02: September 8, 1989

Notice of Columbus Day Virus Affecting IBM PCs and PC Clones

The DOE Computer Incident Advisory Capability (CIAC) has learned that there is a Columbus Day Virus which may attack MS-DOS (PC-DOS) personal computers on or after October 12 or October 13, 1989. Note that October 13 is a Friday the thirteenth. You should make the information in this notice available to appropriate personnel at your site so that the virus can be detected and eradicated.

The Columbus Day Virus has been isolated and may actually be one of a series of related viruses. It most closely resembles the DataCrime Virus. Contrary to speculation in a recent Federal Computing Weekly article, however, the Columbus Day Virus does not appear to be closely related to the Icelandic or West German virus. The Columbus Day Virus searches through the DOS directory for .COM files other than COMMAND.COM. It attaches to the end of a .COM file, which increases the size of the file by 1168 bytes. The virus infects any given .COM file only once. However, it will infect any uninfected .COM file that it encounters. If the virus executes, it will display the message:

    DATACRIME VIRUS

    RELEASED: 1 MARCH 1989

and then do a low-level format on track zero. Since this is the boot area of the disk, the hard disk will be unbootable.

Detection of this virus is difficult because ASCII strings in the virus code are encrypted. Therefore, utilities that search files for particular ASCII strings are useless. There are two methods you can use to detect this virus. The first method is to check for a size increase of 1168 bytes in .COM files. Another possible method is to use VIRUSCAN* (see below), which should report the existence of this virus as well as several other viruses. If a machine is infected, users must copy over all infected .COM files using their original .COM files. This must be accomplished at one sitting to prevent re-infection. You should also examine backups to see if they are infected. You should repeat whatever detection method you decide to use every time you load a new .COM file or database into your PC or PC clone.

If the boot sector is destroyed, it can be restored with Disk Doctor, a utility in Norton Utilities Version 4.5 (Advanced Edition). Note that a restoration is possible only if the Disk Doctor utility had been previously run.

The DOE Center for Computer Security at Los Alamos has recently published a pamphlet, Computer Viruses and the Personal Computer User (CCS-89-03). CIAC recommends that you read and follow the excellent guidelines contained in this pamphlet.

Because VIRUSCAN is produced and distributed by a commercial developer, CIAC cannot at this time send copies of this software directly to you. To obtain a copy of VIRUSCAN, you need to send $15 with your name, address and phone number to:

* The University of California neither endorses VIRUSCAN nor guarantees the effectiveness of this software package. CIAC will test this package in the near future to determine whether it provides adequate detection of the Columbus Day virus.


Jerusalem/Israeli/Friday the 13th Virus

CIAC Information Bulletin 04: June 5, 1989

The Computer Incident Advisory Capability (CIAC) has been helping several sites deal with a new strain of the Jerusalem/Israeli/Friday the 13th virus which infects IBM PCs and PC clones. This new strain, the "Little Black Box" virus, causes a small black box to appear in the lower left quadrant of the screen. The virus adds 1808 bytes to an .exe file every time an application is executed until the executable image is too large to fit into memory or disk space is exhausted. This causes poor system performance. This virus will also add 1813 bytes to .com files, one at a time. This causes parity errors which disrupt EGA and CGA screens.

This "Little Black Box" virus does not destroy files. It does, however, spread quickly. The most common way viruses are spread is through exchanging removable media. Please advise personnel at your site to follow your procedures which prevent virus infections.


Macintosh nVIR Virus

CIAC Advisory Notice Number 09

The nVIR virus has recently infected significant numbers of Macintosh systems at several DOE sites. There are different strains of this virus. Each strain causes somewhat different symptoms such as printing errors on laser printers, slow system response time, or unpredictable system crashes.

The exact mechanisms by which nVIR spreads have recently been determined. Removable media (e.g., disks) are the primary means by which nVIR spreads. Thus, if a disk used in an infected Macintosh is removed and inserted in a second Macintosh, the other machine will become infected if any application on that disk is executed in the second machine. In addition, any method used to transfer programs between Macintoshes will spread the nVIR virus. This includes transfer via shareware over a network. However, nVIR cannot spread via a print network's hardware.

nVIR is initially difficult to detect. It spreads quickly and frequently affects backups before eradication procedures can be initiated.

Disks brought in from off-site are the most common source of nVIR infections. Unauthorized copies of commercial software brought from off-site or exchanged within a site also present a substantial risk of nVIR infection. Vendor demonstration programs are another suspected source of the nVIR virus.

We urge you first of all to review your site's policy on sharing disks and using and distributing non-licensed software. Another essential damage prevention measure is to have good anti-viral software available at your site. CIAC recommends that you test any suspect disk with Disinfectant 1.2, a freeware package which also eradicates viruses. Virus Detective, a shareware package, also tests disks to see if they are clean of nVIR and several other viruses. Although it is tedious to use, Gatekeeper, another shareware program, will provide several protection mechanisms. It is important to educate users about the importance of using only software from trusted sources to reduce the possibility of virus infections. Finally, CIAC recommends that your site use dedicated machines for on-site vendor demonstrations.


IBM PC Columbus Day (Datacrime) Virus

CIAC Information Bulletin Number 10: September 22, 1989

I. Executive Summary

On September 8, 1989 the DOE Computer Incident Advisory Capability (CIAC) issued a notice about the Columbus Day Virus, also known as the DATACRIME virus, which may attack MS-DOS (PC-DOS) personal computers. Since that time CIAC has gathered considerable information and has obtained and analyzed two versions of this virus.

The Columbus Day family of viruses will infect applications on IBM Personal Computers (PCs) and Compatibles. Execution of an infected program will cause the virus to replicate to other applications. When the system date is between October 13th and December 31st of any year and the computer has a hard disk, the virus strikes and displays the message:

    DATACRIME VIRUS

    RELEASED: 1 March 1989

Simultaneously, the virus makes the hard disk unreadable. Recovery after the virus has altered the disk is extremely difficult. The enclosed procedures will help to assure non-interrupted use of affected computers.

This memo contains recommendations that users of an IBM personal computer or compatible computers (PC) may follow to prevent loss of information due to this virus. Also included are technical procedures on how to detect, protect, eradicate and recover from the Columbus Day family of viruses. A survey form is provided to aid the CIAC team in collecting data concerning the spread of this virus. It is requested that this form be completed at each site and returned to CIAC as soon as possible.

II. Detailed Information on the Columbus Day (DATACRIME) Virus

DATACRIME-V1 (also known as the 1168 Virus, named for its length) and DATACRIME-V2 (also known as the 1280 virus) are both closely related Columbus Day Viruses with only minor changes. A related virus, DATACRIME II, is currently being examined. This bulletin gives details about what to expect from this family of viruses and makes further recommendations for protecting your systems.

You may have seen a report about this topic on CNN or read about it in your local newspaper. However, all indications at this time are that these viruses are not as widespread as other viruses affecting IBM PCs and PC compatibles. The Computer Virus Industry Association (CVIA) reports that infections have been minimal. This data is collected from reports by programs like VIRUSCAN, and represents a very large sampling of the community. However, as with all viruses we should be prepared. If the DATACRIME virus attacks your machine it could do serious damage. Good backups are essential.

The DATACRIME (V1 and V2) family of viruses will infect one .COM file each time an infected program is executed. DATACRIME II will infect both .COM and .EXE files. It does this by searching the current directory and all sub-directories on the "C:" drive for a file to infect. If it fails to find a file, it will search other drives on your machine for a candidate file. The virus will not infect any file with "D" as the seventh letter of its name; thus, COMMAND.COM will not be infected. Each time the virus is run it checks the current date. If the date is between October 13th and December 31st of any year and the computer has a hard disk it displays the message:

    DATACRIME VIRUS

    RELEASED: 1 March 1989

Simultaneously, the virus formats the first 8 tracks of cylinder 0 of the hard disk. This will effectively destroy the partition table, master boot track, the boot record, the File Allocation Table (FAT), and a portion of the root directory. Recovery at this point will be very difficult and will require a low level format. Due to the way the virus executes, its behavior ranges from no action to complete data loss of the hard disk. We stated in the previous memo on the Columbus Day Virus that you may be able to do a partial recovery with, for example, Disk Doctor, in Norton Utilities Version 4.5. As we examined the virus we determined that there is only a very small chance of recovery by this method. Prevention and backups are the best course.

The CIAC recommends that each PC user follow the procedures below:

First, back up your hard disk - most importantly the data. These viruses can't propagate through data files and you can always restore your applications from the distribution disks, but if your data is important to you, you should back it up now.

Now that you've backed up your data you can try to detect the virus. Utilities that search files for particular ASCII strings are ineffective, since the ASCII strings in the virus code are encrypted. There are several methods you can use to detect this virus. The first method, while labor intensive, doesn't require any special software. Check for any increase in the size of your .COM or .EXE files. The virus will not infect COMMAND.COM so examine other executable files, for example, FORMAT.COM, CHKDSK.COM, FIND.EXE and PRINT.COM.

Note that there are other reasons why the file size may not match. For example, you may have updated to a newer version of a program, or you are running Data Physician which changes the size of the file. However, a size change should signal that you need to investigate further.
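The size check described above can be made repeatable by recording a baseline of executable sizes and comparing against it later. The following is an added example, not part of the CIAC bulletin: it snapshots the size of every .COM and .EXE file under a directory, reports any file that grew, and names the two growth amounts the bulletin associates with DATACRIME-V1 (1168 bytes) and DATACRIME-V2 (1280 bytes). Any other change is reported as "investigate" rather than as an infection, since an upgrade or a tool such as Data Physician also changes file sizes. The sample snapshots at the bottom are constructed for the demonstration; the file names are taken from the bulletin but the sizes are illustrative.

```python
"""Baseline/compare check for unexplained growth of DOS executables.

Added example, not part of the CIAC bulletin. Implements the bulletin's
first detection method: record the size of every .COM and .EXE file once,
then compare later and flag any file that grew.
"""
import os

# Growth amounts the bulletin associates with the two DATACRIME variants.
KNOWN_DELTAS = {
    1168: "matches DATACRIME-V1 (1168-byte increase)",
    1280: "matches DATACRIME-V2 (1280-byte increase)",
}

EXECUTABLE_SUFFIXES = (".com", ".exe")


def snapshot(root):
    """Walk `root` and return {relative path: size in bytes} for executables."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(dirpath, name)
                sizes[os.path.relpath(full, root)] = os.path.getsize(full)
    return sizes


def compare(baseline, current):
    """Compare two snapshots; return a sorted list of (path, delta, verdict).

    Only files present in both snapshots are compared. A zero delta is not
    reported; a known delta is named; anything else is flagged for review.
    """
    findings = []
    for path, old in baseline.items():
        if path not in current:
            continue
        delta = current[path] - old
        if delta == 0:
            continue
        verdict = KNOWN_DELTAS.get(
            delta, "size changed: investigate (upgrade? Data Physician?)")
        findings.append((path, delta, verdict))
    return sorted(findings)


# Constructed sample snapshots standing in for two runs of snapshot() on a
# DOS directory. File names come from the bulletin; sizes are illustrative.
BASELINE = {"DOS/FORMAT.COM": 22923, "DOS/CHKDSK.COM": 17771,
            "DOS/FIND.EXE": 6434, "DOS/PRINT.COM": 13590,
            "COMMAND.COM": 37637}
LATER = {"DOS/FORMAT.COM": 22923 + 1168,   # V1-sized growth
         "DOS/CHKDSK.COM": 17771,          # unchanged
         "DOS/FIND.EXE": 6434 + 1280,      # V2-sized growth
         "DOS/PRINT.COM": 13590 + 40,      # some other change
         "COMMAND.COM": 37637}             # unchanged, as the bulletin predicts

if __name__ == "__main__":
    for path, delta, verdict in compare(BASELINE, LATER):
        print(f"{path}: {delta:+d} bytes -> {verdict}")
```

To use it against a real directory, call `snapshot(root)` once on a known-clean system, save the dictionary, and later run `compare(saved, snapshot(root))`; the bulletin's advice to repeat the check whenever a new .COM file is loaded maps directly onto rerunning the comparison.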

Another possible method is to use a commercial product that will detect these viruses. This includes products like Flu-Shot+, VIRUSCAN, or Data Physician, which should report the existence of these viruses as well as certain other viruses.

If you find you are infected but DATACRIME hasn't struck yet, DON'T PANIC. Do the following: Copy the infected files to a diskette, clearly label it as a virus, and protect this disk. We need copies of all DATACRIME viruses that infect DOE machines, so please call the CIAC for instructions on how to handle this sample. You must completely rid your machine of this virus. The procedure below is believed to be necessary because current eradication programs cannot guarantee 100% recovery.

Again, make sure that you have backed up all your data. Ensure that there are no system or application files (any file that ends in .COM or .EXE) on your backup floppies. The next step will destroy all information on the hard disk, so ensure that your backups and distribution disks are safe. Follow the necessary procedures to format your hard-drive. Seek expert assistance if you are not familiar with how to carry out this procedure.

Now take out your original disks and write protect each one of them. If you have a virus detection program that works, run it on the application disks to ensure they are virus-free. Reinstall all of your applications from the original virus-free distribution disks. You should examine all of your floppies and backups that contain applications or system files to prevent reinfection. Remember, one infected file will reinfect your system.


Trojan horse in Norton Utilities for IBM PCs and clones

CIAC Information Bulletin Number A-6: November 7, 1989, 1730 PST

Information about a trojan horse in Norton Utilities for IBM PCs and clones

CIAC has been informed that a trojan horse has been found in a number of IBM PCs and PC clones which run Norton Computing utilities. This trojan horse appears superficially to be a legitimate file within Norton Utilities named either NORTSTOP.ZIP or NORTSHOT.ZIP. (The file contents are the same, regardless of the name used.) The trojan horse program must be run (i.e., the EXE file for the program must be executed) for any damage to occur to your system. If run, the program lists the directory and displays a message that one's machine is free of viruses. Damage resulting from running this program occurs only if the trojan horse program is executed between December 24 and December 31 inclusive. In this case, the program will erase files with selected file extensions.

Detection

You can detect this trojan horse by using Norton Utilities to examine the .EXE file for either of the .ZIP files listed above. The EXE file will contain the following message:

    The Norton Public Domain Virus Utility,  PD Edition 5.50,   (C) 1989
    Peter Norton

    Your System has been infected with a Christmas virus! Selected
    files were just eliminated!  Without these files, you might as well
    use your computer as a damn, boat anchor!  If you do NOT own a
    boat, you may want to replace the files which were just erased.
    Try to determine which files they were.  HARDY   HA!  HA!  HA!  HOW
    DO YOU FEEL NOW; YOU IDIOT?  MERRY CHRISTMAS AND HAPPY NEW YEAR!

If your system has the trojan horse, you will obtain a report similar to the following when using PKUNZIP (a utility which separates and decompresses files):

     1065  Implode    650   39%  10-04-89  12:26  9778978d  --w  READ-ME.NOW
    38907  Implode  30156   23%  10-02-89  11:57  c333dec0  --w  NORTSHOT.EXE
    -----          ------ -----                                  ------------
    39972          30806   23%                                         2

Eradication

If you should discover this trojan horse, do not execute the file NORTSHOT.EXE. Please make a copy of the bogus .EXE and .ZIP files on a diskette before you do anything else. Eradicating the NORTSTOP.ZIP and NORTSHOT.ZIP trojan horse is straightforward; simply use your disk operating system to delete all files named NORTSHOT.EXE and the .ZIP file that created it. Please then send the diskette to CIAC at the address below as soon as possible.

Note

According to information provided to CIAC, this trojan horse is not found in the version of Norton Utilities sold in commercial software outlets. It is only found in versions of Norton Utilities available from public sources (e.g., bulletin boards).

NORTSTOP.ZIP and NORTSHOT.ZIP are not viruses. They will not replicate themselves and spread from machine to machine. Once you have removed this trojan horse, it can only be reintroduced by copying the files once again from public sources.


Information about the WDEF virus

CIAC Information Bulletin Number A-9: December 18, 1989, 1400 PST

Summary

A new Macintosh virus called WDEF is spreading rapidly. It is not necessary to run a program for the virus to spread. The WDEF virus is not programmed to damage a system, but due to software errors in this virus, it can cause serious problems such as system crashes, poor performance, and damage to disks. Disinfectant 1.5, VirusDetective and GateKeeper Aid V1.0 can be used to detect and eradicate this virus.

Critical WDEF Facts

Name: WDEF

Types: WDEF A, WDEF B

Platform: Apple Macintosh

Damage: No intentional damage, see symptoms.

Symptoms: The virus can cause:

Detection/Eradication: GateKeeper Aid, Disinfectant 1.5; others should be available in the next few weeks.

Introduction

A new form of computer virus called WDEF has been released into the Macintosh world. WDEF only infects the invisible "Desktop" files used by the Macintosh operating system's "Finder." WDEF does not infect applications, document files, or other system files. Unlike the other viruses, it does not at this time appear to spread through the sharing of applications, but rather through the sharing of diskettes. WDEF spreads from disk to disk very rapidly. It is not necessary to run a program for the virus to spread. WDEF has been in existence since mid-October of this year and has been found at many locations throughout the United States.

At this time there appear to be two strains of WDEF, WDEF A and WDEF B. These strains are similar except that WDEF B beeps every time it infects a new Desktop file.

Symptoms

The WDEF virus is not programmed to damage a system. However, due to errors in the virus code itself, it can cause serious problems. Below is a list of known symptoms:

Prevention

With AppleShare servers you do not need a Desktop. If you are comfortable using a software developers' package called ResEdit, you should remove the Desktop. You should also not allow the "make changes" privilege to the root directory on the server. This should eliminate any possibility of this virus spreading to an AppleShare server.

Detection

Packages which claim to detect WDEF are Disinfectant 1.5 and GateKeeper Aid V1.0 (to be used in conjunction with GateKeeper 1.11). Virus Detective 3.1 can also be used to find the WDEF virus. You will, however, have to add the search string: Creator=ERIK & Resource WDEF & Any

Disinfectant 1.3, Vaccine 1.0.1, GateKeeper 1.1.1, Symantec's SAM Intercept 1.10, and HJC's Virex INIT 1.12 do not detect WDEF, although new versions of many of these products which claim to be able to detect WDEF are rapidly being developed. Please also note that Disinfectant 1.4 detects only one strain of the WDEF virus.

Eradication

Disinfectant 1.5 should be used to eradicate WDEF. When using Disinfectant to repair WDEF infections, you must use Finder instead of MultiFinder. Otherwise Disinfectant cannot write to the normally 'Busy' Desktop file. If you prefer not to use Disinfectant 1.5, CIAC can advise you of alternate eradication procedures using ResEdit.


Information about the PC CYBORG (AIDS) trojan horse

CIAC Information Bulletin Number A-10: December 19, 1989, 1600 PST

There recently has been considerable attention in the news media about a new trojan horse which advertises that it provides information on the AIDS virus to users of IBM PC computers and PC clones. Once it enters a system, the trojan horse replaces AUTOEXEC.BAT, and may count the number of times the infected system has booted until a criterion number (90) is reached. At this point PC CYBORG hides directories and scrambles (encrypts) the names of all files on drive C:. There exists more than one version of this trojan horse, and at least one version does not wait to damage drive C:, but will hide directories and scramble file names upon the first boot after the trojan horse is installed.

At first PC CYBORG was distributed only in Europe, although several PC CYBORG infections have recently been reported in the U.S. No DOE site has been affected yet, and the probability of a widespread infection of this trojan horse throughout DOE is extremely small. This trojan horse is introduced into systems through a disk called the AIDS Information Introductory Diskette, which has been mailed to a mailing list which the author(s) of this trojan horse obtained. PC CYBORG is a trojan horse, not a virus, and thus is limited in ability to spread. This information bulletin is being distributed in response to questions raised because of the considerable media attention the trojan horse has received, more than because of a genuine threat to systems.

If you receive a disk in the mail which purports to provide information on AIDS, do not load the disk into your computer. Please save the disk, and contact CIAC immediately. If you have already run this disk, please also call CIAC as soon as possible. It is important to leave your PC on if it is currently on, or leave it off if it is currently off. Failure to do so may result in loss of your data, or make recovery more difficult. CIAC has developed recovery procedures, which are too lengthy to publish in this bulletin.


Virus Information Update

CIAC Information Bulletin Number A-15

CIAC information bulletin A-15 describes vulnerabilities within Apple MACs. Please contact CIAC for further information.

Note: This bulletin has been superseded by CIAC Bulletin B-16.


Eradicating WDEF using Disinfectant 1.5 or 1.6

CIAC Information Bulletin Number A-17: February 2, 1990, 1400 PST

CIAC Information Bulletin A-9 reported the existence of the WDEF virus on Macintosh computers. The purpose of this bulletin is to provide additional information about eradicating this virus.

Disinfectant 1.5 and the most recent version, Disinfectant 1.6, are capable of detecting and eradicating WDEF, but are not designed to prevent the spread of WDEF during its execution. If an infected disk is inserted into the Macintosh while Disinfectant is running (for the purposes of eradicating WDEF), WDEF will infect ANY OTHER UNLOCKED MOUNTED VOLUMES. If Disinfectant is to be used to eradicate a WDEF infection, CIAC recommends the following procedure:

  1. Prepare a system disk using LOCKED originals. Use the instructions provided with the Macintosh documentation if you require assistance in preparing this system disk. If possible, you should not use your hard disk to prepare this system disk. Copy Disinfectant version 1.5 or version 1.6 to this disk. Lock the disk and shut down the system.
  2. Reboot the Macintosh using the prepared system disk. Launch Disinfectant off the floppy and use the SCAN function to check your hard disk for the WDEF virus. If found, use the DISINFECT function to remove WDEF from your hard disk. Quit Disinfectant.
  3. Reboot the Macintosh using this prepared system disk. You should drag any hard disks that automatically appear on the desktop to trash to unmount them. Launch the copy of Disinfectant on the system disk. Use the SCAN facility of Disinfectant to verify that WDEF has not infected the system disk. If it has, you will have to eject the system disk, unlock it, and insert it again. Use the DISINFECT function of Disinfectant to eradicate WDEF. Next, you should eject the system disk and lock it again. Reinsert the system disk.
  4. Use Disinfectant to scan ALL of your floppy disks. WDEF will infect both system and non-system disks; to completely eradicate WDEF you will have to disinfect all of your disks (including backup disks). DO NOT USE YOUR HARD DRIVE DURING THIS PROCEDURE.
  5. Once all of your floppy disks are disinfected, reboot your system using the locked system disk. Now run Disinfectant and disinfect your hard disk. Once WDEF has been eradicated from all floppies and your hard disk, the eradication procedure is complete.

The most recent versions of other tools such as SAM, VIREX, GATEKEEPER, and GATEKEEPER AID may also be used to eradicate or prevent the spread of the WDEF virus. If you have questions concerning these tools, contact CIAC for assistance.


The Twelve Tricks Trojan Horse

CIAC Information Bulletin Number A-20: March 8, 1990, 1300 PST

Summary

CIAC has been informed of a possible new trojan horse called the Twelve Tricks Trojan Horse. The intention of this bulletin is to rapidly inform the DOE community about this possible threat and to help eliminate confusion and false rumors. However, CIAC has been able neither to obtain a copy of this trojan horse, nor to confirm the information received to date. This trojan horse affects computers running the MS DOS operating system or common variants (IBM PC-DOS etc.). It can produce a variety of disruptions and/or damage as described below.

Critical Facts about Twelve Tricks Trojan Horse

Name: Twelve Tricks Trojan

Types: Only one known variant: CORETEST.COM VERSION 2.6, 32469 bytes, timestamp 6-6-86 9:44

Platform: IBM PC and PC clones running MS DOS or IBM-PC DOS

Damage: Varies from slow program execution to low level formatting of disk

Symptoms: A variety of disruptions and/or damage, based on a random number between one and twelve. Affects system performance, writing to screen, clock, printer and/or keyboard malfunctions, random disk writes, garbled printer output, boot sector, File Allocation Table (FAT) or directory overwrites, and a low level format of select tracks on the hard disk. Other symptoms include the floppy disk motor continuously running, FAT, directory and/or boot sector damaged diskettes.

Detection: Examine the Master Boot Record (MBR) for the message:

    SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC

    2840 St. Thomas Expwy, Suite 201

    Santa Clara, CA 95051

(see important note below) or search the MBR and memory for the following hex string:

    e4 61 8a e0 0c 80 e6 61

If you suspect a program, you can use the search string:

    64 02 31 94 42 01 d1 c2 4e 79 f7

Caution: These search strings are based on the trojan program examined by the discoverer. If there are modifications to this program, the above search strings may not work.

Eradication: Remove trojan program by deleting. To recover from a corrupt MBR, back-up current data files and programs, perform a low level format and restore data files and programs from a recent backup.

CIAC has been alerted that there may be a new trojan horse called the Twelve Tricks Trojan Horse. CIAC has not been able to obtain a copy of this program, and cannot at this time confirm the information contained in this bulletin. This trojan program affects computers running the MS DOS operating system or common variants (IBM PC-DOS etc.). It can produce a variety of disruptions and/or damage, including a slowdown of system performance, blanking or jerky motion in the scrolling window, clock, printer and/or keyboard malfunctions, random disk writes, garbled printer output, boot sector, File Allocation Table (FAT) or directory overwrites, and a low level format of select tracks on the hard disk. Other symptoms include the floppy disk motor continuously running, FAT, directory and/or boot sector damaged diskettes. The particular damage which occurs depends on a random number between 1 and 12 that the trojan program generates.

Detection

Detecting this trojan horse is straightforward. Using Debug or a similar utility, inspect your machine's hard disk at cylinder zero, head zero, sector one. If this trojan horse has infected your machine, the following will be displayed near the start of the master boot record:

    SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC

    2840 St. Thomas Expwy, Suite 201

    Santa Clara, CA 95051

Important Note: There is absolutely no evidence to link the origin of this trojan horse to any company or organization, such as the one mentioned above. The motivation of the author of this trojan horse to mention the company listed above is currently unknown.

There are several additional ways to detect the trojan. The following hexadecimal string can be found in the MBR of infected machines:

    e4 61 e0 0c 80 e6 61

The above string can also be found at location 0:38b in memory if you have booted from a corrupted MBR. You can use Debug as a search tool.

A useful search string to detect the source program (containing the trojan horse) is

    be 64 02 31 94 42 01 d1 c2 4e 79 f7
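The MBR text and hex strings above, and the message text given earlier for the NORTSHOT trojan's .EXE, are all plain byte signatures that can be searched for in a sector image or a file dump. The following is an added example, not part of any CIAC bulletin: it turns the bulletin's hex strings into bytes, scans a byte buffer for every signature, and reports the offsets. The 512-byte sector it scans is constructed for the demonstration (it is not a captured trojan MBR); the signatures themselves are copied from the bulletin text. Because bulletin A-20 prints the MBR hex string both with and without the "8a" byte, both forms are kept as separate signatures, and the run shows that only the form that exactly matches the bytes fires, which is the point of the bulletin's caution about modified copies.

```python
"""Signature search over a raw sector image or file dump.

Added example, not part of the CIAC bulletins. Signatures are copied from
bulletins A-6 (NORTSHOT message) and A-20 (Twelve Tricks MBR strings);
the sector image scanned here is constructed test data.
"""


def hex_to_bytes(text):
    """Turn a bulletin-style hex string ("e4 61 8a e0 ...") into bytes.

    A trailing period, as printed in one place in the bulletin, is ignored.
    """
    return bytes(int(tok, 16) for tok in text.replace(".", "").split())


# Signatures as printed in the bulletins. A-20 prints the MBR string with
# and without the "8a" byte, so both forms are kept.
SIGNATURES = {
    "TwelveTricks MBR text": b"SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC",
    "TwelveTricks MBR hex (A-20 summary)": hex_to_bytes("e4 61 8a e0 0c 80 e6 61"),
    "TwelveTricks MBR hex (A-20 body)": hex_to_bytes("e4 61 e0 0c 80 e6 61"),
    "TwelveTricks source hex": hex_to_bytes("be 64 02 31 94 42 01 d1 c2 4e 79 f7"),
    "NORTSHOT trojan text": b"Norton Public Domain Virus Utility",
}


def find_all(buf, pattern):
    """Return every offset at which `pattern` occurs in `buf` (overlaps allowed)."""
    hits, start = [], 0
    while True:
        i = buf.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan(buf, signatures=SIGNATURES):
    """Return sorted (offset, signature name) pairs for every hit in `buf`."""
    hits = []
    for name, pattern in signatures.items():
        for off in find_all(buf, pattern):
            hits.append((off, name))
    return sorted(hits)


def is_boot_sector(sector):
    """True if the buffer is one 512-byte sector ending in the 55 AA boot marker."""
    return len(sector) == 512 and sector[-2:] == b"\x55\xaa"


def build_sample_sector():
    """Construct a 512-byte stand-in MBR carrying the A-20 text and the
    summary-form hex string at arbitrary offsets (constructed test data)."""
    sector = bytearray(b"\x90" * 512)          # NOP filler
    text = (b"SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC\r\n"
            b"2840 St. Thomas Expwy, Suite 201")
    sector[0x10:0x10 + len(text)] = text
    code = hex_to_bytes("e4 61 8a e0 0c 80 e6 61")
    sector[0x80:0x80 + len(code)] = code
    sector[510:512] = b"\x55\xaa"               # boot signature
    return bytes(sector)


SAMPLE_SECTOR = build_sample_sector()

if __name__ == "__main__":
    print("looks like a boot sector:", is_boot_sector(SAMPLE_SECTOR))
    for off, name in scan(SAMPLE_SECTOR):
        print(f"offset 0x{off:03x}: {name}")
```

Against a real disk the buffer would be the first sector read from the drive (or a memory dump, for the in-memory copy the bulletin mentions), and the same `scan` call works unchanged on a file such as NORTSHOT.EXE read into memory. Note that the body-form string, missing the "8a" byte, does not hit the constructed sector even though the summary-form string does: a one-byte difference is enough to defeat a fixed search string, as the bulletin warns.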

Eradication

Trojan programs can be removed by simply deleting them. To recover from a corrupt MBR, back-up current data files and programs, perform a low level format and restore data files and programs. Note: FDISK will erase other directory information as well as replace the MBR. Thus, we recommend that you do not use FDISK alone to eradicate the trojan unless you are prepared to lose directory information from other partitions. Because the file system may be corrupted, CIAC recommends a full backup, low level format, and recovery.

If you find the string above in the MBR or in memory at 0:38b, you need to boot from a clean DOS diskette and replace the partition record. DO NOT use FDISK to do this unless you are prepared for FDISK to zero your FAT and directory; you will lose all your data that way. One way is to do a file-by-file backup, a low-level format to get rid of the trojan MBR, then FDISK and FORMAT, and restore your data files and programs from your backup.

Additional Information

There is currently no evidence that anything similar to the Twelve Tricks Trojan has affected any machines in the United States. It is possible, however, that there will be attempts to introduce this malicious code in the United States. (This trojan horse is not self-replicating, and cannot spread the way viruses do.) In particular CIAC urges you to carefully check any software distributed through trade shows, U.S. mail, or electronic bulletin boards, and to use only licensed copies of software. Please contact CIAC if you become aware of any machines infected by this malicious code.

Appended message

Excerpt from a message from Dr. Alan Solomon posted to virus-l.

We have recently received and analyzed a trojan that we believe warrants an urgent alert. We are calling it the Twelve Tricks trojan, and it is very interesting, very nasty, and quite complex. This message is not meant to be a complete description of the trojan - we feel that it is important to get a warning out quickly, rather than aim for completeness. It is not a virus.

The trojan consists of a program (more about this aspect later) which you run; running the program, as well as the obvious things that the program is expected to do, also replaces the partition record (also called the Master Boot Record, or MBR) on your hard disk with its own version. This can easily be recognized by inspecting the hard disk at cylinder zero, head zero, sector one, which can be done with a disk sector editor such as Peeka. If the partition has this trojan in place, it will contain the following text near the beginning:

    SOFTLoK+ V3.0 SOFTGUARD SYSTEMS INC

    2840 St. Thomas Expwy, Suite 201

    Santa Clara, CA 95051 (408) 970-9420

At this point, let us state that we believe that the company mentioned above has nothing whatsoever to do with the trojan; perhaps the trojan author has a grudge against them.

The trojan uses a far call to the hard disk Bios code in order to plant this partition. To do this, it must know the location in memory of the entry point; it tries five different ones, one of which is the one documented in the IBM PC-XT Technical reference manual, and the other four are presumably fairly common alternatives.

The purpose of planting the trojan with a far call is, we believe, to escape detection by Active Monitor programs that protect a computer by monitoring the interrupt table, and preventing unauthorized writes to system areas on the hard disk. Since the Twelve Tricks doesn't use an interrupt to plant the MBR, such programs won't be able to prevent it. We tested this using Flushot+, probably the most successful of the Active Monitors, and Twelve Tricks went straight through it - the same would be true, we think, of any other Active Monitor.

The Replacement MBR

When the MBR is run, which is every time you boot from the hard disk, Twelve Tricks copies 205 (d7h) bytes of itself onto locations 0:3000h to 0:3d6h. This overwrites part of the interrupt vector table, but it is a part that doesn't get used very much. This means that these d7h bytes are memory resident without having to use any of the TSR calls of Dos, and without having to reserve part of high memory. Reserving part of high memory is the usual ploy used by Boot Sector Viruses, but the drawback of that route is that you might notice that a few kb from your 640 kb has disappeared (CHKDSK would reveal this). The method used by Twelve Tricks would not show up as a loss from your 640 kb.

When the computer is started up, a random number generator determines which of the Twelve Tricks will be installed. It does the installation by replacing one of the interrupt vectors with a vector that points to the Twelve Tricks own code, and then chains on to the original code. The twelve tricks are:

  1. Insert a random delay loop in the timer tick, so that 18.2 times per second, the computer executes a loop that is randomly between 1 and 65536 long (different each time it is executed). This slows the machine down, and makes it work rather jerkily.
  2. Insert an End-of-Interrupt in the timer tick. This interferes with the servicing of hardware interrupts, so for example, the clock is stopped, TSRs that depend on the timer tick don't work, and the floppy motor is permanently on.
  3. Every time a key is pressed or released, the timer tick count is incremented by a random number between 0 and 65535. This has a variety of effects; programs sometimes won't run, when you type "TIME" you get "Current time is divide overflow", and copying files sometimes doesn't work.
  4. Every time interrupt 0dh is executed, only do the routine three times out of four. Interrupt 0dh is used on PCs and XTs for the fixed disk, on ATs for the parallel port.
  5. Every time interrupt 0eh is executed, only do the routine three times out of four. Interrupt 0eh is used for the floppy disk.
  6. Every time interrupt 10h is called (this is the video routine), insert a delay loop that is randomly between 1 and 65536 long (different each time it is executed). This slows the video down, and makes it work rather jerkily and/or slowly.
  7. Every time the video routine to scroll up is called, instead of the requested number of lines being scrolled, the entire scrolling window is blanked.
  8. Every time a request is made to the diskette handler, it is converted into a write request. This means that the first time you try to read or write to a diskette, whatever happens to be in the buffer will be written to the diskette, and will probably overwrite the boot sector, FAT or directory, as these must be read before anything else can be done. If you try to read a write protected diskette, you get "Write protect error reading drive A.". If you do a DIR of a write enabled diskette, you get "General Failure...", and if you inspect the diskette using a sector editor, you'll find that the boot and FAT have been zeroed or over-written.
  9. Every time interrupt 16h is called (READ THE KEYBOARD) the keyboard flags (Caps lock, Num lock, shift states etc) are set randomly before the keystroke is returned. This means that at the Dos prompt, the keyboard will only work occasionally. Programs that poll interrupt 16h will be unusable. Holding down the Del key will trigger a Ctrl-Alt-Del.
  10. Everything that goes to the printer is garbled by xoring it with a byte from the timer tick count.
  11. Every letter that is sent to the printer has its case reversed by xoring it with 20h. Also, non-alpha characters are xored, so a space becomes a null, and line feeds don't feed lines.
  12. Whenever the Time-of-Day interrupt (1ah) is executed, do an End-of-Interrupt instead. This means that you can't set the system clock, and the time is set permanently to one value.

These are the twelve tricks. In addition there are two more things that the trojan does. It uses a random number generator; one time out of 4096, it does a low level format of the track that contains the active boot sector; this will also destroy part of the first copy of the FAT. You can recover from this by creating a new boot sector, and copying the second copy of the FAT back over the first copy. After it does the format, it will display the message "SOFTLoK+ " etc. as above, and hang the computer.

If it doesn't do the format, it makes a random change to a random word in one of the first 16 sectors of the FAT, which will make a slight and increasing corruption in the file system. This is perhaps the worst of the things that it does, as it will cause an increasing corruption of the files on the disk.

The Dropper program

The program that drops the trojan was, in the specimen that we analyzed, a hacked version of CORETEST, a program to benchmark hard disk performance. The file is CORETEST.COM; it is version 2.6 (dated 1986 in the copyright message), had a length of 32469 bytes, and was timestamped 6-6-86, 9:44. When we looked in more detail at this program, we found some interesting things.

It looks as if the original CORETEST program was an EXE file, and the trojan author prepended his code to it. This code consists of some relocation stuff, then a decryptor, to decrypt the following 246h bytes. The decryption is a double xor with a changing byte. Those 246h bytes, when run, examine the memory to try to find one of five sets of hard disk handler code (presumably corresponding to five Bioses). When it finds one of them, (we have identified the first one as being the IBM XT Bios) it plants the trojan MBR in place, using a far call to the Bios code. The trojan MBR is 200h of the 246h bytes. The trojan is patched so that it also does disk accesses using a far call to the same location. Finally, the prepended trojan passes control to the original program. We call the combination of the prepended code, plus the original program, the Dropper.

The main purpose of the encryption, we would guess, is to evade detection by programs that check code for bombs and trojans. There are no suspicious strings or interrupt calls in the code until it is decrypted at run time.

As far as we can tell, it is not a virus, but a trojan. However, it is unlikely that all the patching to the original program was done by hand - it is far more likely that the trojan author wrote a prepender program (we would call this the Prepender), to automatically attach his code to the target executable. If this is the case, then there are two consequences. The first is that he might have trojanized other programs besides the one that we have examined. In other words, there might be other Droppers around besides the one we have examined. The second is that if that is the case, we cannot rely on the encryption having the same seed each time, as the Prepender might change the seed each time it operates. So it would be unsafe to assume we can use a search string based on the decryptor.

Indeed, a further possibility exists. The Prepender program might have been placed into circulation, and people running it would unwittingly be creating additional Droppers. There is absolutely no evidence to suggest that that is actually the case, but we would ask anyone who detects this Dropper in one of their files, to also examine all the others.

Detection

Here's a variety of ways to detect the trojan. The hexadecimal string e4 61 e0 0c 80 e6 61 is to be found in the MBR. This string will also be found in memory if you have booted from a trojanized MBR, at location 0:38b. You can use Debug to search in memory.

A useful search string to detect the Dropper is

    be 64 02 31 94 42 01 d1 c2 4e 79 f7

Getting rid of it

It's easy to get rid of Droppers; just delete them and replace them with a clean copy. If you find the string above in the MBR or in memory at 0:38b, you need to boot from a clean Dos diskette and replace the partition record. DO NOT use Fdisk to do this unless you are prepared for Fdisk to zero your FAT and directory; you will lose all your data that way. One way would be to do a file-by-file backup, low-level format to get rid of the trojan MBR, then Fdisk, Format, and restore your backup. We would recommend doing two backups using as different methods as possible if you use this route, in case one of them fails to restore.

The other way to replace the partition is to run a program that drops a clean partition record onto the MBR, but doesn't change the partitioning data. We are currently preparing one of these - please ask if you need it.

Damage done

The whole of the MBR is used for the code. Most normal MBRs don't use more than half the space, and a number of other programs have started using this space, for example Disk Manager and the Western Digital WDXT-Gen controllers (but the Dropper doesn't work on the WDXT-Gen). This means that the Dropper might cause an immediate problem in some circumstances.

The main damage done, however, will be in the impression that this trojan creates that your hardware is suffering from a variety of faults, which usually go away when you reboot (only to be replaced by other faults). Also, the FAT gets progressively corrupted.
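The two search strings and the 0:38b memory location from the message above, turned into a small scanner for MBR images, program files and low-memory dumps. This is an added example, not code from Dr. Solomon or from CIAC; the images it checks are constructed filler bytes with the signatures planted in them, not real trojan code.

```python
"""Signature scan for the Twelve Tricks trojan MBR and its Dropper.

Added example, not code from the message above or from CIAC. The byte
sequences, the text marker and the memory offset 0:38b come from the
message; the sample MBR, program and memory images below are constructed
filler for this example and are NOT real trojan code.
"""

# Signature found in the replacement MBR (and at 0:38b once booted from it)
MBR_SIGNATURE = bytes.fromhex("e461e00c80e661")
# Signature found in the Dropper program (e.g. the hacked CORETEST.COM)
DROPPER_SIGNATURE = bytes.fromhex("be640231944201d1c24e79f7")
# Text the message says appears near the start of the trojanized MBR
MBR_TEXT_MARKER = b"SOFTLoK+ V3.0 SOFTGUARD SYSTEMS INC"
# Offset, in a dump of memory taken from 0:0, where the resident code's
# signature lands after booting from the trojan MBR
RESIDENT_SIGNATURE_OFFSET = 0x38B

SECTOR_SIZE = 512


def find_all(data: bytes, pattern: bytes) -> list:
    """Return every offset at which pattern occurs in data (overlaps allowed)."""
    hits, start = [], 0
    while (pos := data.find(pattern, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def scan_mbr(sector: bytes) -> dict:
    """Check a 512-byte MBR image for the Twelve Tricks code and text marker."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR image must be {SECTOR_SIZE} bytes, got {len(sector)}")
    code_hits = find_all(sector, MBR_SIGNATURE)
    text_hit = sector.find(MBR_TEXT_MARKER)
    return {
        "code_signature_offsets": code_hits,
        "text_marker_offset": text_hit if text_hit != -1 else None,
        # The code string is the authoritative indicator; the text alone is not
        "infected": bool(code_hits),
        # 55 AA at the end marks a bootable sector; reported for context only
        "boot_signature_ok": sector[510:512] == b"\x55\xaa",
    }


def scan_dropper(program: bytes) -> dict:
    """Check a program file (.COM/.EXE image) for the Dropper search string."""
    hits = find_all(program, DROPPER_SIGNATURE)
    return {"signature_offsets": hits, "infected": bool(hits)}


def scan_low_memory(dump: bytes) -> bool:
    """True if a dump starting at 0:0 shows the resident code at 0:38b."""
    end = RESIDENT_SIGNATURE_OFFSET + len(MBR_SIGNATURE)
    return len(dump) >= end and dump[RESIDENT_SIGNATURE_OFFSET:end] == MBR_SIGNATURE


# --- constructed sample images (filler bytes, not real trojan code) ---------
def _pad(prefix: bytes, size: int, fill: bytes = b"\x90") -> bytes:
    """Pad or truncate prefix to exactly size bytes using fill."""
    return (prefix + fill * size)[:size]


# Clean-looking MBR: a few filler code bytes, NOP padding, boot signature
CLEAN_MBR = _pad(b"\x33\xc0\x8e\xd0", 510) + b"\x55\xaa"
# Trojanized-looking MBR: text marker near the start, code signature later
TROJAN_MBR = _pad(b"\xeb\x2c" + MBR_TEXT_MARKER + b"\x00" * 20 + MBR_SIGNATURE, 510) + b"\x55\xaa"
# Dropper-looking program: filler with the Dropper search string embedded
TROJAN_DROPPER = b"\x00" * 100 + DROPPER_SIGNATURE + b"\x00" * 100
CLEAN_PROGRAM = b"\xb8\x00\x4c\xcd\x21" * 40
# 1 KiB memory dump with the resident signature planted at 0:38b
INFECTED_LOWMEM = _pad(b"\x00" * RESIDENT_SIGNATURE_OFFSET + MBR_SIGNATURE, 0x400, b"\x00")

if __name__ == "__main__":
    print("clean MBR:", scan_mbr(CLEAN_MBR))
    print("trojan MBR:", scan_mbr(TROJAN_MBR))
    print("dropper:", scan_dropper(TROJAN_DROPPER))
    print("low memory infected:", scan_low_memory(INFECTED_LOWMEM))
```

To scan a real disk, feed scan_mbr the first 512 bytes read from the drive and scan_dropper the contents of each .COM and .EXE file; as the message warns, the Dropper string may not survive a reseeded Prepender, so an absent Dropper hit does not prove a file clean.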


The MDEF or Garfield Virus on Macintosh Computers

CIAC Information Bulletin Number A-25: May 23, 1990, 1000 PST

Summary

A new Macintosh virus called MDEF or the Garfield virus is spreading rapidly. This virus is not a variant of the WDEF virus, and should not be confused with WDEF. The MDEF virus spreads through system and application files, and may cause serious damage to the menu system. Disinfectant 1.8, GateKeeper, and Virus Detective DA are effective against this virus, but Vaccine can cause undesirable side effects.

Name: MDEF

Types: Only one known variant

Platform: Apple Macintosh models 128K and 512K, 512KE, Mac Plus, SE, SE/30, II, IIx, IIcx, IIci and IIfx.

Damage: Possible removal of system menus.

Symptoms: The virus can cause:

Detection/Eradication: Disinfectant 1.8, GateKeeper, Virus Detective DA; others should be available shortly.

Introduction

CIAC has learned of a new Macintosh virus called the MDEF or Garfield virus. Although its name is similar to WDEF, MDEF is an entirely different virus. Currently, the MDEF virus is known to infect the Macintosh 128K and 512K, 512KE, Mac Plus, SE, SE/30, II, IIx, IIcx, IIci and IIfx. This virus will not spread from 128K or 512K Macintoshes, but will cause these models to crash.

MDEF actually refers to one of the resources on Macintosh computers. The MDEF virus is so named because this virus infects the MDEF resources. If you attempt to detect the MDEF virus using ResEdit or a similar tool and discover the MDEF resources, this does not indicate that your computer is infected by the MDEF virus.

Symptoms

Preliminary indications are that after performing a currently unspecified set of actions, the virus will remove itself from the system along with the code to control the menu system. This will result in the loss of all menus generated by the system. Regardless of the particular model of Macintosh computer subject to infection by the MDEF virus, this virus infects the system file and applications. Typically, the finder and DA handler also become infected. However, neither the desktop nor the document files become infected. The MDEF virus infects the system file when an infected application is run, and infects other applications when they are executed on an infected system. On the Macintosh IIci and IIfx, the MDEF virus spreads from infected applications to uninfected system files, but does not propagate from infected systems to uninfected applications.

Detection and Eradication

Disinfectant 1.8 has recently been released to detect and eradicate the MDEF virus. GateKeeper also prevents the MDEF virus from infecting the system file. To use the Virus Detective DA, add the following search strings:

    Resource MDEF & Name "Garfield"
    Resource MDEF & ID = 5378

Caution: CIAC has been advised that the use of Vaccine may have an undesirable side effect. Vaccine will inform the user that the system file has been infected, but is only partially effective in preventing this virus from infecting the system file! The system file will be damaged as a result of running Vaccine when an application containing the MDEF virus is executed.


A New Macintosh Trojan Horse Threat--STEROID

CIAC Information Bulletin Number A-26: June 7, 1990, 1100 PST

Name: Steroid trojan horse

Types: Only one known variant

Platform: Apple Macintosh computers

Damage: Erases all mounted disks

Symptoms: Can be identified by:

Detection/Eradication: Examine system folder; if Steroid is there, save a copy and then drag the icon to the trash folder and empty trash.

Critical Steroid Facts

A Macintosh trojan horse called "Steroid" has been discovered. The purported purpose of Steroid is to make QuickDraw run faster on computers with 9 inch screens. Steroid is actually an INIT that contains malicious code to check for the system date and to erase all mounted disks if this date is July 1, 1990 or afterwards. (Note: earlier reports indicated that June 6, 1990 is the trigger date, but the sources of these reports now claim that July 1 is the trigger date.)

Steroid is a trojan horse, not a virus, and thus is limited in ability to spread. This trojan horse is a genuine threat, however, because it is being posted to electronic bulletin boards, and has already been downloaded by unsuspecting users on the West Coast. If you use a bulletin board, make sure that you do not download any software claiming to improve QuickDraw performance or related in any way to "Steroid." Since "Steroid" is an INIT, you would have had to put it in your system folder to have this trojan horse. If you are unsure if you have installed "Steroid," look in your system folder for start-up documents with the name "Steroid" or "Quickdraw Accelerator." Another detection method is to use ResEdit; look for documents in the system folder with the Creator: "QDAC," Type "INIT," and a code size of 1080 and a data size of 267.

If your Macintosh computer contains this INIT, please make a copy on a floppy before you do anything else and send that copy to CIAC at your earliest convenience. Then drag the Steroid INIT to the trash icon and empty the trash. If you unknowingly have used Steroid before July 1, 1990, no damage appears possible at this time. It is important, however, to determine if you have shared Steroid with anyone else, and, if so, to notify them of the information in this bulletin. If you use Steroid on or after July 1, 1990, CIAC has been advised that you can recover if you use the SUM II Disk Clinic tool to restore erased files. Do not use the machine until you have recovered the files using SUM. CIAC can provide more detailed procedures in this case.

The following is an excerpt from a bulletin board posting by Apple:

    So far, we know that the code does the following:

    OPERATIONS AT RESTART:
    ----------------------
     DATE & TIME CHECK (Loop)
     SYSENVIRONS CHECK
     GETS VOLUME INFORMATION (probably checking for HFS)
     GETS SOME ADDRESSES (Toolbox traps)
     DOES SOME HFS DISPATCH OPERATIONS
     VOLUME IS REINITIALIZED to "Untitled"

    INFORMATION:
    ------------
    TYPE:      INIT
    CREATOR:   qdac
    CODE SIZE: 1080
    DATA SIZE: 267
    ID:        148
    Name:      QuickDraw Accelerator
    File Name: "  Steroid" (First 2 characters are ASCII 1)

    WHAT TO DO:
    -----------
    If your disk becomes erased, you can use SUM II Disk Clinic to recover the
    deleted files.  We have tried this and it seems to work.

    IF YOU HAVE STEROID ON YOUR SYSTEM, DISABLE IT IMMEDIATELY.


The Disk Killer (Ogre) Virus on MS DOS Computers

CIAC Information Bulletin Number A-27: June 28, 1990, 1000 PST

Name: Disk Killer virus (also known as the Ogre virus)

Types: Only one known variant

Platform: MS DOS computers

Damage: Overwrites mounted disks

Symptoms: Writes "COMPUTER OGRE 04/01/89" on screen and overwrites disk

Detection/Eradication: VIRALERT, VIRHUNT, RESSCAN, CodeSafe, CleanUp, F-Prot, IBM Scan, Pro-Scan, and others (contact CIAC for information about these products)

Critical Disk Killer Facts

The Disk Killer virus is a destructive virus affecting MS DOS computers. This virus infects the boot sector, then hides itself by marking unused blocks on floppy or hard disks as bad. After remaining dormant for approximately 48 hours of operation (not calendar) time after the initial infection, Disk Killer executes upon the first boot or reboot after this period. Upon execution, this virus displays the following message:

    Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/89

    Warning!!

    Don't turn off the power or remove the diskette while Disk Killer
    is Processing!

Next, the word "PROCESSING" will be displayed, followed by this message:

    Now you can turn off the power.  I wish you Luck!

Disk Killer overwrites the boot sector, then the file allocation table (FAT), then the directory randomly with blocks of a single character.

The proper procedure depends upon when you detect Disk Killer:

  1. If your machine is infected before it executes and you detect this virus through a scan package (such as CodeSafe, RESSCAN, VIRHUNT, or IBM Scan)---TURN YOUR MACHINE OFF. Then use a write-protected bootable floppy disk to boot your system; otherwise, you will have Disk Killer in memory, causing re-infection. Remove Disk Killer by installing and executing a PC virus eradication package such as VIRHUNT.
  2. If the message shown above appears on your computer's screen, Disk Killer has already executed---LEAVE YOUR MACHINE ON AND ALLOW THIS VIRUS TO EXECUTE WITHOUT INTERRUPTION (i.e., until "Now you can turn off the power..." is displayed). It is true that Disk Killer will overwrite your disk, but don't worry---you can restore all data and files from your disk (floppy or hard disk) using a recovery package such as UNKILL. Reboot from a write-protected master floppy, and remove the virus using virus eradication software.

Regardless of which particular procedure (1 or 2) you use, be sure to scan any disks (in particular, bootable floppies) before resuming normal activity with your computer.

Note: Because this virus modifies every byte in every sector on your disk, Norton Utilities is not a feasible means of recovering from the Disk Killer virus. Note also that a considerable amount of incorrect information about responding to Disk Killer has already been distributed. If you follow this incorrect information, which advises you to turn your machine off as soon as Disk Killer begins to execute, it is extremely likely that you will not be able to fully recover from this virus.

Additional Note: The CIAC team first became aware of this virus early last Fall. At that time, however, we chose to briefly describe this virus in the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15, rather than to issue a separate bulletin; infections at that time appeared to be limited to MS DOS computers equipped with hard disks made by a particular manufacturer in Taiwan.


The Stoned (Marijuana or New Zealand) Virus on MS DOS Computers

CIAC Information Bulletin Number A-28: July 12, 1990, 1200 PST

Name: Stoned virus (also known as the Marijuana or New Zealand virus)

Types: At least four known variants

Platform: MS DOS computers

Damage: Not deliberately destructive--however, this virus overwrites some of the boot sector/master boot record on infected disks (see text)

Symptoms: May write "Your computer is now stoned. Legalize marijuana" or similar message on screen (one variant has this message removed); may create hard disk errors or the inability to boot

Detection: VIRALERT, VIRHUNT, RESSCAN, CodeSafe, F-PROT, IBM Scan

Eradication: VIRHUNT, RESSCAN, CodeSafe, CleanUp, F-PROT and others (contact CIAC for information about these products)

Critical Stoned Virus Facts

The Stoned (Marijuana or New Zealand) virus is now one of the most common viruses among MS-DOS systems. The Stoned virus infects the boot sector/master boot record of floppy and hard disks. Once resident in memory, this virus may display a message similar to the following:
    Your computer is now stoned.  Legalize marijuana.

Although the Stoned virus apparently was not programmed to do damage, this virus can nevertheless damage a system. The Stoned virus may overwrite parts of infected disks that contain directory information or portions of user data files, specifically the boot sector of floppy disks along with Head 0, Track 0, Sector 3 on a diskette or the master boot record and Head 0, Track 0, Sector 7 on hard disks. If hard disks have last been partitioned under DOS 2, this virus overwrites portions of the File Allocation Table (FAT) as well. The result is overwriting of data files and indications of disk errors by CHKDSK. Variants of the Stoned virus produce slightly different effects: You can detect the Stoned virus with a variety of scan packages such as VIRALERT, VIRHUNT, RESSCAN, CodeSafe, F-PROT, IBM Scan. You can eradicate this virus by using packages such as VIRHUNT, RESSCAN, CodeSafe, CleanUp, F-PROT. If you cannot obtain a virus removal utility, we suggest you back up your applications and data from your hard disk, and then low-level format the disk to ensure that the master boot record is removed. Boot from a clean, write-protected operating system disk, restore your system, and then restore the application and data files.

After you have cleaned your system, either with an eradication product or by formatting the drive, scan again using a virus detection utility to ensure that the virus is not present. To ensure that your system does not immediately become re-infected, be sure to scan all of your floppy disks for the virus as well. To clean floppies you may use one of the suggested products, or you may format new floppies on a clean system, then use the "copy" command to copy files from the infected floppies to the clean ones. Format the infected floppies to reuse them.

The Stoned virus typically spreads wherever floppy disks are shared. Infections can be easily prevented by adopting sound protection procedures. The Stoned virus infects hard disks when a PC is booted from an infected floppy. This virus does not infect applications, however. If you must boot from a floppy disk, ensure with a virus scan package that this disk is not infected, and write-protect this disk. This will prevent your boot disk from becoming infected. (Warning: under some circumstances the Stoned-infected floppy disk can infect a machine even if the computer does not have a bootable operating system on it.)

Additional Note: Basic information about the Stoned virus has been available through the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15 since the beginning of this year.

The assistance of Ken Van Wyk and Dave Chess is gratefully acknowledged.


The 4096 (4k, Stealth, IDF, etc.) Virus on MS DOS Computers

CIAC Information Bulletin Number A-29: July 18, 1990, 1200 PST

Name: 4096 virus (also known as the 4k, Stealth, IDF--Israel Defense Forces, 100 years, Century, and Frodo virus)

Types: Two known versions (also see note 1 about Fish virus)

Platform: MS-DOS computers running DOS 3.x or 4.x; does not appear to infect files in DOS 2.x

Damage: Can damage files by destructive cross-linking

Symptoms: May slow system performance somewhat; may cause the system to crash/hang, or may create hard disk errors; may write "FRODO LIVES" on screen on or after September 22, 1990 (one variant only)

Detection: VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, IBM Scan, FPROT

Eradication: VIRHUNT, CodeSafe, FPROT, and others (contact CIAC for information about these products)

Critical 4096 Virus Facts

The 4096 (4k, Stealth, IDF--Israel Defense Forces, 100 years, Century, or Frodo) virus is one of a new breed of viruses ("Phase II" viruses--see note 2) that are so effective in masking their presence that they are nearly invisible to the user. The 4096 virus infects MS-DOS systems running DOS 3.x and 4.x. (Tests show that the 4096 virus is memory resident in DOS 2.x, but it will not infect files). This virus infects programs when a user runs or closes an executable file. The result is that the 4096 virus adds 4096 bytes to any .EXE or .COM files that have been opened, as well as to COMMAND.COM. (However, this virus disguises the size of infected files by causing the original file length to be displayed.) After initial infection, there are usually only subtle slowdowns in system performance. As more files become infected by this virus, it can disrupt the File Allocation Table (FAT), causing system crashes. The hard disk may also approach its storage capacity, causing CHKDSK to indicate the following when an infected executable file is run:
    Allocation error - File size adjusted

There is a trigger date of September 22, 1990. On or after this date the virus attempts to replace the original boot record with another boot record. Other reports indicate that the 4096 virus is unsuccessful in attempting to write the boot record. The result, however, is that the system may crash. In one version of the 4096 virus the following message is also displayed on or after the trigger date:
    FRODO LIVES

The 4096 virus is very difficult to detect, even if it has infected many files. There is logic to defeat detection on the basis of increased file size, virus-initiated interrupts, and/or checksums. The most current versions of virus detection packages such as VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, and IBM Scan are effective against the 4096 virus. If you find that your computer is infected by this virus, you should turn your machine off, then boot from a clean floppy. Now run a virus eradication program (e.g., VIRHUNT, CodeSafe, etc.) from a non-infected, write-protected floppy disk. Alternately, you can use DOS COPY to change the extension of an executable version of a virus eradication program from .EXE to .DAT or some other similar extension. This will assure that your renamed anti-virus program cannot become infected. Virus Bulletin recommends an additional detection method for DOS 3.x systems---set the time stamp ahead to January 1, 2044, create a small file, then enter the DIR command. If the 4096 virus is present, the file size will be 4K and the date will be January 1 of the year 100 (see note 3 below). In DOS 4.x systems the displayed date will be January 1 of the year 99. Another detection method is to use Norton Utilities or a similar disk management utility to show the actual size of suspected files.

Note 1: The Fish virus is a modified, more sophisticated version of the 4096 virus. It increases file sizes by either 8K or 4K.

Note 2: Other phase two viruses include the Alabama, Virus 101, 1260, and Fish virus.

Note 3: The 4096 virus adds 100 to the year of file creation, but since MS-DOS normally displays only the last two digits of the year, the virus is not normally detectable on the basis of year of file creation. MS-DOS time stamps cannot exceed December 31, 2107. If the user sets the date to January 1, 2044, the virus code increases the year by 100, causing an illegal date. The number 100 is displayed instead.
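The arithmetic behind the Note 3 check, as an added example (not code from CIAC or Virus Bulletin). It assumes the standard FAT directory date layout (a 7-bit year counted from 1980, which is why 2107 is the ceiling the note cites) and models only the +100-year shift the note describes; it also generalises the note by computing the earliest probe year at which the shift overflows, and it does not model how a given DOS version prints the resulting illegal date.

```python
"""Why the 'set the date to January 1, 2044' check exposes the 4096 virus.

Added example, not CIAC's or Virus Bulletin's code. It models two facts from
the bulletin: the virus adds 100 to the year of a file's time stamp, and
MS-DOS time stamps cannot exceed December 31, 2107. The FAT directory-entry
date layout (7-bit year from 1980, 4-bit month, 5-bit day) is standard DOS.
"""

FAT_EPOCH = 1980
FAT_MAX_YEAR = FAT_EPOCH + 0x7F      # 2107: the upper bound Note 3 cites
VIRUS_YEAR_SHIFT = 100               # the 4096 virus adds 100 to the year


def pack_fat_date(year: int, month: int, day: int) -> int:
    """Encode a date as a 16-bit FAT directory-entry date word."""
    if not (FAT_EPOCH <= year <= FAT_MAX_YEAR and 1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError(f"date {year}-{month:02d}-{day:02d} is not representable in FAT")
    return ((year - FAT_EPOCH) << 9) | (month << 5) | day


def unpack_fat_date(word: int) -> tuple:
    """Decode a FAT date word back to (year, month, day)."""
    return (FAT_EPOCH + (word >> 9), (word >> 5) & 0x0F, word & 0x1F)


def stamp_as_infected(word: int):
    """Apply the virus's +100-year shift to a packed date.

    Returns the shifted date word, or None when the shifted year no longer
    fits the 7-bit year field (the 'illegal date' Note 3 describes).
    """
    year, month, day = unpack_fat_date(word)
    shifted = year + VIRUS_YEAR_SHIFT
    if shifted > FAT_MAX_YEAR:
        return None
    return pack_fat_date(shifted, month, day)


def dir_year_display(word: int) -> str:
    """Two-digit year as DIR shows it: this is why the shift normally hides."""
    return f"{unpack_fat_date(word)[0] % 100:02d}"


def check_date_shows_infection(year: int, month: int = 1, day: int = 1) -> bool:
    """True if a file created on this system date would carry an illegal
    stamp after infection, i.e. the probe would expose the virus."""
    return stamp_as_infected(pack_fat_date(year, month, day)) is None


def earliest_revealing_year() -> int:
    """Generalises Note 3: the smallest system year at which the +100 shift
    overflows. Any probe year from here up to 2107 works; 2044 is simply
    the one the bulletin recommends."""
    return next(y for y in range(FAT_EPOCH, FAT_MAX_YEAR + 1)
                if check_date_shows_infection(y))


if __name__ == "__main__":
    normal = pack_fat_date(1990, 7, 18)
    infected = stamp_as_infected(normal)
    print("1990 file: DIR shows year", dir_year_display(normal),
          "before and", dir_year_display(infected), "after infection")
    print("probe at 2044 exposes infection:", check_date_shows_infection(2044))
    print("earliest revealing year:", earliest_revealing_year())
```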

Note 4: Basic information about the 4096 virus has been available through the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15 since the beginning of this year.

Ray Glath and Bill Kinney furnished a portion of the information in this bulletin.


Virus Propagation in Novell and Other Networks

CIAC Informational Bulletin Number A-33: September 21, 1990, 1000 PST

Problem: Virus propagation on write-protected file systems

Types: Many known viruses, most frequently variants of the Jerusalem (Israeli) virus

Platform: MS-DOS computers

Damage: Files that use software write-protection schemes cannot be assumed safe from damage due to virus infection

Symptoms: Virus infection on write-protected files

Detection: VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, IBM Scan, FPROT

Eradication: VIRHUNT, CodeSafe, FPROT, and others (see text in p. 2 of this bulletin for recommended procedures)

Critical Virus Propagation Facts

This bulletin is to warn of a virus threat to networks for MS-DOS systems. File servers (e.g., Novell file servers) use attribute bits to perform write protection on files stored on server machines. Many viruses will clear these attribute protection bits before they attempt infection, thus circumventing the write protection scheme. Thus, write-protecting a program does not guarantee that the file is not infected with the virus.

The following is a common scenario reported to CIAC: a floppy infected with the Jerusalem-B virus is inserted into a user's PC attached to a Novell network. Once this virus is executed, it resides in the PC's memory. When the user attempts to log on to the file server (running the program login.exe), the virus infects this program, even though the program is write-protected. Login.exe is a shared program that is executed by each user as s/he connects to the Novell network. Thus, each time a user logs in to the network, his/her machine immediately becomes infected with the Jerusalem-B virus. The network allows the Jerusalem-B virus to spread considerably more quickly than if it had spread through exchange of floppy disks.

When someone disinfects a system of PCs or PC clones on a Novell or similar file system, CIAC recommends the following procedures:

  1. Detect the virus using one of the recommended packages for detecting and identifying the virus. Determine exactly which virus has infected the system, and that all virus types have been detected. Contact CIAC if you need assistance.
  2. Deactivate the network connecting the PCs/PC clones together. This includes shutting down the file servers and unmounting the partitions from the users' PCs/PC clones.
  3. Disinfect the server machines using an anti-virus package known to be effective against the detected virus. Alternately, reformat the server disks and re-install the system from original diskettes, then restore the data files from a recent backup. Do not attempt to restore programs (i.e., executable files) from a backup, as this is likely to reinfect your system.
  4. Disinfect each user's PC/PC clone using the same procedure as in step 2.
  5. Verify that the virus does not reside on the file server or any user's PC/PC clone.
  6. Bring the network file system back up.

End of FY90 Update

CIAC Informational Bulletin Number A-34: September 30, 1990, 1300 PST

During the twelve months of this fiscal year, CIAC team members have engaged in a number of activities. One of the main activities has been assisting sites in recovering from incidents. Our involvement has led to a number of valuable lessons learned--things that can improve your site's computer security as well as enhance the DOE community's coordination and handling of incidents.

Viruses. The major viruses with which we have dealt in the MS-DOS arena during the last 12 months are Jerusalem, Stoned, Cascade (1701/1704), Ohio, Ping Pong, and Disk Killer. Of these viruses, Jerusalem and Disk Killer are most likely to produce damage. In the Macintosh arena, nVIR and WDEF are most prevalent, although neither is likely to damage a system. For a summary of the major viruses, refer to CIAC Bulletin A-15. In addition to frequently obtaining reports of viruses spreading through exchange of removable media (disks), we are also hearing about viruses spreading rapidly through Novell and other microcomputer networks (see CIAC Bulletin A-33). Vendor demonstrations and shrink wrap software are increasingly becoming a source of virus outbreaks.

We have found that sites with implemented procedures for detecting and eradicating viruses have significantly decreased the time and effort involved in recovering from this type of incident. Users of PCs, PC clones, and Macintoshes frequently do not know exactly whom to call if there is a suspected virus infection--the number of a support person should be posted on every small system! This is particularly important with users of classified systems. Finally, Disinfectant 2.1 and FPROT (freeware detection/eradication packages for Macintosh and MS-DOS computers, respectively) are available from CIAC for the asking.


Virus Information Update

CIAC Information Bulletin Number B-16: March 1, 1991

CIAC periodically issues bulletins about specific computer viruses. These bulletins, however, do not cover all the computer viruses that affect the PC-DOS/MS-DOS and Macintosh platforms. The purpose of this bulletin is to identify most of the known viruses for these platforms, and give an overview of the effects of each virus. This bulletin supersedes CIAC Bulletin A-15 issued last year, and includes (at least by name) more than 100 new viruses. As we continue to gather more information, we will add it to future editions of this document.



Brunswick Virus on MS DOS Computers

CIAC Information Bulletin Number B-35: August 1, 1991, 1430 PDT

Name: Brunswick virus

Aliases: Brunswick, 910129

Types: Two known variants

Platform: MS-DOS computers

Damage: May overwrite Master Boot Record

Symptoms: Not apparent until attack phase when Master Boot Record is destroyed and disk will not boot

First Discovered: January 1991

Detection: VIRHUNT v. 1.3D-1, VIRSCAN v.2.0.2 and others (contact CIAC for information about these products)

Eradication: VIRHUNT v. 1.3D-1, VIRSCAN v.2.0.2 and others

Critical Brunswick Virus Facts

The Brunswick virus infects the boot sector/master boot record of hard disks and floppies in drives A: and B: only. Once resident, this virus covertly infects all floppies and hard disks it contacts. An infected machine does not display any obvious indications of infection; therefore it can be very difficult to determine if your system is infected until the attack phase commences.

Brunswick usually enters a machine through the boot-up of an infected floppy. (This entry method is similar to that employed by the "Stoned" virus described in CIAC Advisory A-28.) The virus immediately infects the Master Boot Record through Interrupt 13. Thereafter, all disks placed in floppy A: or B: will become infected until the machine is re-booted from a clean disk. Infection occurs differently for hard disks and floppies. On hard disks, the original boot record is moved to Cylinder 0 Sector 16 Head 0. On floppy drives, the original boot record is relocated to Cylinder 0 Sector 3 Head 1. If hard disks have last been partitioned under DOS 2.0, the virus will overwrite portions of the File Allocation Table. The virus contains logic to prevent re-infection of disks and code to save the BIOS Parameter block so that 3.5 inch 1.44 MB floppies will remain readable after infection (unlike "Stoned").

The Brunswick virus mechanics are fairly straightforward. It retains a generation counter which is decremented within each new infection. Upon boot-up, the virus compares this counter to an internal constant. If the counter is larger than the constant, no action is taken; else the virus destroys the master boot record by overwriting it with random characters. This generation counter is never changed within a particular infection; therefore, if an infection and a successful boot-up have occurred, this particular infection will NEVER destroy the Master boot record (although infections will still take place).

Newer versions of anti-viral products mentioned above will detect the virus. An unauthorized write attempt to a write-protected floppy is another indication that this virus may be resident. Removal is a simple process of running any of the previously mentioned virus removal utilities. If none of these are available, contact CIAC to obtain manual removal instructions.

Infections can be easily prevented by adopting sound protection procedures, such as write-protecting all floppies and checking all diskettes before use with a trusted scanning utility. Also, always open the floppy door before booting a PC because booting with an infected NON-BOOTABLE floppy WILL CAUSE INFECTION to the hard disk.


Virus distributed in PCNFS software fix for MS-DOS computers

CIAC Information Bulletin Number B-40: September 9, 1991, 1030 PDT

Critical Information about Virus in PCNFS software fix

Problem: The Jerusalem-B Virus has inadvertently been distributed with some copies of one version of PCNFS software fix.

Platform: MS-DOS computers

Software: Sun PCNFS software fix PCNFS 3.5b, file NET.EXE

Damage: File deletion, file corruption, system slowdown

Detection: File size of newly distributed PCNFS 3.5b file NET.EXE not equal to 100181 bytes; or use of VIRHUNT, VIRSCAN, FPROT, and others

Eradication: VIRHUNT, VIRSCAN and others; replacement of NET.EXE

CIAC has been notified of the inadvertent distribution of a virus in a Sun Microsystems PCNFS software fix for MS-DOS computers. This distribution, which was sent to a limited user community, contained a file NET.EXE which may have been infected with the Jerusalem-B virus. This fix, entitled "PCNFS 3.5b," was distributed between July and August, 1991 to those requesting a patch for PCNFS 3.5. Sun has contacted all customers who had received the suspect file, and has distributed a new virus-free NET.EXE to all parties. If NET.EXE from PCNFS 3.5b does not have a file size of 100181, this file is probably infected with the Jerusalem-B virus.

It is very important to execute a virus detection/eradication package if a suspect NET.EXE file is located. If your site has received the suspect file and follow-up letter, call CIAC, Sun's support number (1-800-USA-4SUN), or your local Sun office for assistance.

NOTE: For more information on the Jerusalem virus, see CIAC bulletin "Virus Propagation in Novell and Other Networks" (A-33) or "Little Black Box (Jerusalem) virus alert" (un-numbered series, 1989). CIAC recommends anti-viral scanning of all software (including new software and upgrades to existing software) before installation is initiated.

Thanks to Sun Microsystems for assistance in providing information described in this bulletin.


End of FY91 Update

CIAC Information Bulletin Number B-45: September 30, 1991, 1700 PST

During this fiscal year, CIAC team members have engaged in a number of activities, including assisting sites in recovering from incidents and helping sites prepare for future incidents by presenting the CIAC workshops. Our involvement has led to a number of valuable lessons learned--things that can improve your site's computer security as well as enhance the DOE community's coordination and handling of incidents.

Viruses. During the past year, viruses on MS-DOS and Macintosh computers continued to infect a small but significant number of systems throughout DOE. In the MS-DOS arena, the Jerusalem-B, Cascade, and Disk-Killer viruses continued to be most prevalent. Of these viruses, Disk Killer and Jerusalem-B were most likely to cause damage to systems. During this last fiscal year, the Stoned-2, Horse, and Horse-2 viruses emerged as new threats. In the Macintosh arena, WDEF and nVIR continued to be the major source of threat, but with the advent of Macintosh System-7, the WDEF threat has been reduced since this virus will not run on this version of the operating system. Networked file systems and demonstration software continue to be the main source of these virus infections, and we continued to receive reports of infected vendor software (see CIAC Bulletin B-40). CIAC Bulletin B-16 provided an updated list of viruses and their symptoms (updated from information provided in A-15).

CIAC assisted DOE in evaluating an anti-viral product to be purchased and licensed throughout DOE. This product, "Data Physician Plus," is very effective in finding and eradicating viruses on MS-DOS platforms. For the Macintosh, Disinfectant (the latest version is 2.5.2) continues to be a good anti-viral freeware package. Contact CIAC for assistance in obtaining anti-virus packages.


Dir II Virus on MS DOS Computers

CIAC Information Bulletin Number C-2: October 18, 1991, 15:30 PDT

Critical Dir II Virus Facts

Name: Dir II virus

Aliases: Dir-2, MG series II, Creeping Death, DRIVER-1024, Cluster

Virus Type: Directory infector with stealth characteristics

Variants: Unsubstantiated reports exist for two variants

Platform: MS-DOS computers

Damage: May destroy all .EXE and .COM files and backup diskettes, crash some lookalike systems; CHKDSK /F destroys all executable files

Symptoms: CHKDSK reports many cross-linked files and lost file chains; backups may be corrupted; copied files are only 1024 bytes long; more (see below)

First Discovered: May 1991 in Bulgaria

Eradication: Perform a series of simple DOS commands (see below)

The Dir II virus presents a new type of MS-DOS virus called a directory infector. This virus modifies entries in the directory structure, causing the computer to jump to the virus code before execution of a program begins. Also, this virus utilizes stealth techniques to hide its existence in memory.

How Infection Occurs

Initial hard disk infection occurs when a file with an infected directory is executed. The virus establishes itself in memory and puts a copy of itself on the last cluster of the disk. Once the virus is active in memory, executing any file (infected or not) will cause the virus to infect the directory entry of ALL .EXE and .COM files in the current directory and in the directories listed in the PATH variable. Additional detailed information on the infection technique is included in the appendix at the end of this bulletin.

Potential Damage

If there is currently information residing on the last cluster of the disk, this virus will overwrite it upon installation. Since most backup utilities fill diskettes to capacity, backups are prone to immediate corruption upon initial infection.

The most damaging characteristic of this virus occurs if a user boots from a clean diskette and attempts to run a disk optimizer program such as CHKDSK /F, Norton Disk Doctor, or other similar utility programs. When such a program attempts to "fix" the disk, all infected executables will "become" the virus, effectively destroying the original file!

Detection

Although current versions of many common anti-viral utilities will not detect this virus and are unable to remove it, manual detection can be performed using the following methods:
  1. Boot from the suspect infected hard disk. With the suspected virus active in memory, execute the command CHKDSK with NO arguments. Then reboot from a clean, write-protected diskette (such as the original DOS diskette), and execute the command CHKDSK with no arguments again. If many cross-linked files and lost file chains are reported during the second CHKDSK and not the first, it is an indication of infection.
  2. Boot from the suspect infected hard disk. With the suspected virus active in memory, use the COPY command to copy suspect files with the extension .EXE or .COM. Examine the file length of these copied files by using the DIR command, then reboot from a clean, write-protected diskette and perform the same copy command(s). If the file length of the second copy is very small (around 1K) but the file length of the first copy is much larger, you may be infected with the Dir II virus.

Eradication

To manually eradicate this virus, follow these steps for every infected disk and diskette:
  1. While Dir II is active in memory, use the COPY command to copy all .EXE and .COM files to files with a different extension. Example: COPY filename.com filename.vom
  2. Reboot the system from a clean, write-protected diskette to ensure the system does not have the virus in memory.
  3. Delete all files with extensions of .EXE and .COM. This will remove all pointers to the virus.
  4. Rename all executables to their original names. Example: RENAME filename.vom filename.com
  5. Examine all the executables you have just restored. If any are 1K in length, they probably are a copy of the virus. Destroy any executables of this size.

CIAC would like to thank Bill Kenny of DDI for his help with this bulletin.


Appendix: Detailed DIR II Information

The DOS directory structure contains the following entries: filename, extension, attribute, time, date, cluster, filesize, and an unused area; the cluster entry is the pointer to where the actual file exists on the disk. Dir II infects the directory structure by scrambling the original cluster entry and storing it in part of the unused area, then placing a pointer to the viral code in the cluster entry. Thus when a program is executed, the computer executes the viral code, the virus decrypts the original cluster entry, then the virus allows the original program to proceed.

Upon initial infection, the virus links itself into the device driver chain, copying itself to the last cluster (or last two clusters, if cluster size is less than 1024 bytes) on the disk, and infects the directory structure of all .EXE and .COM files residing in the current directory and all directories defined in the path. The virus infects all files with .EXE or .COM as an extension whether or not they are executable, EXCEPT if the size of the file is less than 2K or larger than 256K, or the file has an attribute of System, Volume, or Directory set. Therefore it does not infect the two hidden system files, but it DOES infect command.com.
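The directory-entry layout above and the cross-linking that CHKDSK reports (see the Detection section) can be checked directly on a raw directory dump. The following Python is an added example written for this page, not CIAC code: it decodes 32-byte entries with the field order given in the appendix, groups live .COM and .EXE entries by starting cluster, and reports groups that share a cluster together with entries whose normally unused bytes are non-zero. The sample directory is constructed, the cluster number 0x0FF0 simply stands in for the disk's last cluster, and treating non-zero unused bytes as suspicious assumes plain DOS, which leaves those bytes zero.

```python
"""Decode raw DOS (FAT12/16) directory entries and look for the Dir II
pattern the bulletin describes: .COM/.EXE entries whose starting-cluster
field all point at the same cluster (the cross-linked files that CHKDSK
reports) and a non-zero value in the normally unused bytes, where the
virus parks the scrambled original cluster number.

Added example for this page, not CIAC code.  The directory below is
constructed by hand; the rule that the unused bytes are zero under plain
DOS is an assumption (later systems use some of them for extra timestamps).
"""
import struct
from collections import defaultdict

ENTRY_SIZE = 32
ENTRY_FORMAT = "<8s3sB10sHHHI"   # name ext attr unused time date cluster size
ATTR_VOLUME = 0x08
ATTR_DIRECTORY = 0x10


def parse_entry(raw):
    """Decode one 32-byte entry into a dict."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("a directory entry is exactly 32 bytes")
    name, ext, attr, unused, _time, _date, cluster, size = struct.unpack(
        ENTRY_FORMAT, raw)
    return {
        "name": name.decode("ascii", "replace").rstrip(),
        "ext": ext.decode("ascii", "replace").rstrip(),
        "attr": attr,
        "unused": unused,
        "cluster": cluster,
        "size": size,
        "deleted": raw[0] == 0xE5,   # DOS marks deleted entries with 0xE5
        "end": raw[0] == 0x00,       # 0x00 marks the end of the directory
    }


def parse_directory(blob):
    """Split a raw directory region into entries, stopping at the end marker."""
    entries = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = parse_entry(blob[off:off + ENTRY_SIZE])
        if entry["end"]:
            break
        entries.append(entry)
    return entries


def is_live_executable(entry):
    """Live .COM/.EXE file entries are the ones Dir II rewrites."""
    return (entry["ext"] in ("COM", "EXE")
            and not entry["deleted"]
            and not entry["attr"] & (ATTR_DIRECTORY | ATTR_VOLUME))


def find_dir2_indicators(entries):
    """Return (cross_linked_groups, entries_with_nonzero_unused_bytes)."""
    by_cluster = defaultdict(list)
    tampered = []
    for entry in entries:
        if not is_live_executable(entry):
            continue
        fname = entry["name"] + "." + entry["ext"]
        by_cluster[entry["cluster"]].append(fname)
        if any(entry["unused"]):
            tampered.append(fname)
    cross_linked = [names for names in by_cluster.values() if len(names) > 1]
    return cross_linked, tampered


def make_entry(name, ext, attr, cluster, size, unused=b"\x00" * 10):
    """Build one constructed entry for the demonstration."""
    return struct.pack(ENTRY_FORMAT, name.ljust(8).encode("ascii"),
                       ext.ljust(3).encode("ascii"), attr, unused, 0, 0,
                       cluster, size)


# Constructed sample: two clean entries plus two whose cluster field both
# point at 0x0FF0 (standing in for the last cluster of the disk) with a
# made-up scrambled original cluster in the unused bytes.
SAMPLE_DIRECTORY = b"".join([
    make_entry("COMMAND", "COM", 0x20, 0x0012, 25307),
    make_entry("README", "TXT", 0x20, 0x0040, 1200),
    make_entry("WP", "EXE", 0x20, 0x0FF0, 244224, unused=b"\x7a\x03" + b"\x00" * 8),
    make_entry("EDIT", "COM", 0x20, 0x0FF0, 9811, unused=b"\x44\x01" + b"\x00" * 8),
    b"\x00" * ENTRY_SIZE,
])

if __name__ == "__main__":
    linked, tampered = find_dir2_indicators(parse_directory(SAMPLE_DIRECTORY))
    print("cross-linked executables:", linked)
    print("entries with data in the unused bytes:", tampered)
```

Deleted entries are skipped here for brevity; the appendix notes that they still point at the viral cluster after eradication, so a fuller check would report them as well before any undelete utility is run.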

Following the supplied eradication steps will simply remove all "live" pointers to the viral code. After eradication you may wish to use a direct disk access utility (such as Norton Utilities) to directly access the viral code existing on the last cluster on the disk and overwrite it with blanks. Another recommended final clean-up entails running a disk optimizer program that will clean out all unnecessary deleted files. It is important to remember that this virus has infected all .COM and .EXE files, even if they are tagged as deleted. Therefore if an undelete utility is used on these files, the virus can resurface.

Other Facts About Dir II:


Novell Network Support Encyclopedia Update Virus

CIAC Advisory Notice Number C-11: December 18, 1991 1000 PST

Virus Inadvertently Distributed in Novell Network Support Encyclopedia Update

Problem: 5 1/4 inch diskettes sent from Novell to customers from December 9-16, 1991 contain the Stoned-3 virus.

Platform: PC/MS-DOS systems running Novell Netware software.

Damage: Potential to overwrite boot sector of fixed and floppy disks; potential to create infected floppyless boot image files and thereby propagate the virus via the network.

Solution: Scan all incoming software.

Detection/Eradication: Data Physician Plus, other antiviral packages.

Critical Facts about Inadvertent Virus Distribution

CIAC has learned that Novell, Inc. has inadvertently sent diskettes infected with the Stoned-3 virus to Novell Netware customers. These diskettes are labelled "Network Support Encyclopedia - Standard Volume Update." The Novell part number for these disks is 883-001495-004. Infected diskettes were distributed from December 9-16, 1991.

The Stoned-3 virus is a minor variation of the Stoned virus. This virus infects the boot sector of a hard disk or diskette and will sometimes display the message (sic):

    "Your PC is now Stoned!.....LEGALISE MARIJUANA!"

This virus becomes memory resident and will infect any other disks accessed by the PC while the virus is memory resident. For more information, see CIAC Bulletin A-28 on the Stoned virus family and B-16 for a summary of known viruses.

If you discover that the Stoned virus has infected your PC, it may be removed using the VIRHUNT package licensed to DOE by Digital Dispatch Incorporated. CIAC also recommends that you follow a policy of scanning all new software before using or installing it on your PC. This policy should be followed for all vendor-supplied shrink-wrapped software as well as bulletin board or shareware software, since a few other vendors have inadvertently distributed viruses with packaged software in the past. CIAC recommends that if you are from a DOE site and are not already using an effective anti-viral scanner, you should contact your site's computer security department to obtain a free copy of Data Physician PLUS! (which contains VIRHUNT and several other useful packages). In addition, since new viruses are constantly being discovered, we recommend that you ensure that your anti-viral scanner has been updated to the most recent version. The most recent version of Data Physician PLUS! is V 3.0C.


Michelangelo Virus on MS DOS Computers

CIAC Information Bulletin Number C-15: February 6, 1992, 1400 PDT

Name: Michelangelo virus

Platform: MS-DOS computers

Damage: On March 6 will destroy all files on infected disks and diskettes that are accessed.

Symptoms: CHKDSK reports "total bytes memory" 2048 bytes less than expected

Detection: DDI Data Physician Plus! v 3.0C, FPROT 2.01, other anti-viral packages updated since late September 1991

Eradication: DDI Data Physician Plus! v 3.0C, FPROT 2.01, other anti-viral packages updated since late September 1991

Critical Facts about Michelangelo Virus

The Michelangelo virus, one of the most widespread viruses among MS DOS systems, infects the Master Boot Record of hard disks and the boot sector of floppy disks. This virus will destroy infected disks on March 6 (Michelangelo's birthday). It infects very rapidly and quietly, usually showing no indication of its presence until a virus detection utility notes its existence.

Infection Mechanism

This virus is very similar to the Stoned family of viruses (see CIAC Bulletin A-28 for a description of the Stoned virus). When a Michelangelo-infected diskette is placed in the A: drive and the machine is booted, the virus is loaded into memory from the infected floppy disk. It then quickly infects the machine by moving the hard disk's original boot sector to another location on the disk, and installs itself as the boot sector. From then on, any access to another disk spreads the virus to that disk. The disk which infects the hard disk does NOT have to be a bootable system diskette to spread the infection. Also, all boot infector viruses, such as this one, do NOT affect user files; therefore, a backup prior to eradication will enable full recovery of all user data and programs.

Potential Damage

On March 6 of any year this virus will destroy all data on any disk from which the machine is booted. This occurs by overwriting hard disk sectors 1-17, heads 0-3, tracks 0-255, or the entire diskette with random characters, thus making recovery questionable at best. Note that if your hard disk is partitioned and contains another operating system, such as UNIX, in the area overwritten, that data will be destroyed as well. On all other days of the year this virus lies dormant, merely copying itself to other disks. The infection mechanism of this virus may also cause read errors to occur on some high density (1.2 M) diskettes.

A problem can occur if a disk is infected by both the Michelangelo and the Stoned viruses AT THE SAME TIME. Both move the 'original' boot sector to the same location on the disk, so when the second infection occurs, the original clean boot sector is destroyed by being overwritten by the first virus. CIAC recommends a low-level format of the disk if this double-infection occurs, although performing the DOS SYS operation may repair a damaged diskette, and performing the undocumented FDISK/MBR operation (in DOS 5.0 only) may repair a damaged hard disk.
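Both the Brunswick bulletin above (original boot record moved to Cylinder 0 Sector 16 Head 0 on hard disks, Cylinder 0 Sector 3 Head 1 on floppies) and the Michelangelo damage description give locations in CHS terms. The Python below is an added example for this page, not CIAC code: it converts those coordinates to a sector number on a raw disk image, checks whether the parked sector still ends in the 0x55AA boot-sector signature (so a recovery can put it back, and so the double-infection case, where the parked copy was overwritten, shows up as a missing signature), and counts how many sectors the Michelangelo payload overwrites. The disk geometry is an input because the translation depends on it; the sample image is constructed and contains marker bytes, not boot code.

```python
"""Translate the CHS coordinates the bulletins give into sector numbers on a
raw disk image, check whether the sector parked there still carries a valid
boot-sector signature (so the original boot record can be put back), and
size the region the Michelangelo payload overwrites.

Added example for this page, not CIAC code.  Geometry (heads, sectors per
track) must be supplied because CHS-to-LBA translation depends on it; the
sample image is constructed and contains no real boot code.
"""

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"

# Where the Brunswick bulletin says the original boot record is moved to,
# as (cylinder, head, sector).
BRUNSWICK_HARD_DISK = (0, 0, 16)
BRUNSWICK_FLOPPY = (0, 1, 3)


def chs_to_lba(cylinder, head, sector, heads, sectors_per_track):
    """Classic BIOS translation; sector numbers start at 1, heads at 0."""
    if not 1 <= sector <= sectors_per_track:
        raise ValueError("sector out of range for this geometry")
    if not 0 <= head < heads:
        raise ValueError("head out of range for this geometry")
    return (cylinder * heads + head) * sectors_per_track + (sector - 1)


def read_sector(image, lba):
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def has_boot_signature(sector):
    return len(sector) == SECTOR and sector[-2:] == BOOT_SIGNATURE


def find_relocated_boot_record(image, heads, spt, location):
    """Return (lba, sector) when the CHS location holds a sector ending in
    0x55AA, else (lba, None).  A missing signature matches the bulletin's
    double-infection case, where the parked original was itself overwritten."""
    lba = chs_to_lba(*location, heads, spt)
    sector = read_sector(image, lba)
    return lba, (sector if has_boot_signature(sector) else None)


def michelangelo_damage_sectors(cylinders=256, heads=4, spt=17):
    """Sectors the bulletin says the payload overwrites on a hard disk:
    sectors 1-17 on heads 0-3 of tracks 0-255."""
    return cylinders * heads * spt


def build_sample_image(heads=4, spt=17, cylinders=2):
    """Constructed image: zeros everywhere except a marker 'original' boot
    record parked at the Brunswick hard-disk spot and a marker sector at LBA 0."""
    image = bytearray(cylinders * heads * spt * SECTOR)
    original = bytearray(SECTOR)
    original[:8] = b"ORIGMBR!"          # marker only, not boot code
    original[-2:] = BOOT_SIGNATURE
    lba = chs_to_lba(*BRUNSWICK_HARD_DISK, heads, spt)
    image[lba * SECTOR:(lba + 1) * SECTOR] = original
    image[:8] = b"MODIFIED"             # stands in for the rewritten MBR
    image[SECTOR - 2:SECTOR] = BOOT_SIGNATURE
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    lba, parked = find_relocated_boot_record(img, 4, 17, BRUNSWICK_HARD_DISK)
    print("parked original at LBA", lba, "valid" if parked else "missing")
    print("Michelangelo overwrites", michelangelo_damage_sectors(), "sectors =",
          michelangelo_damage_sectors() * SECTOR, "bytes")
```

On a 1.44 MB floppy (2 heads, 18 sectors per track) the Brunswick floppy location works out to LBA 20; on a 360 KB floppy (2 heads, 9 sectors per track) it is LBA 11, which is why the geometry has to be known before any sector is read back.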

Detection and Eradication

Because the Michelangelo virus has been discovered relatively recently, only anti-virus products updated since early autumn of 1991 will detect it. If you suspect your PC has this virus and do not have an updated version of a virus scanner, running CHKDSK will report a "total bytes memory" value 2048 bytes less than expected. For example, a PC with 640 KBytes of memory will normally return a value of 655,360 bytes; with Michelangelo that value would be 653,312. Of course, having less "total bytes memory" does not necessarily mean a virus is resident on your machine, as some valid memory resident programs can affect this value as well.

CIAC is aware of at least two publicized cases of this virus being inadvertently distributed by vendors. The vendors involved are Leading Edge and DaVinci Systems; both vendors have made an attempt to contact all recipients of the software involved.

CIAC stresses the importance of checking all incoming diskettes with an anti-viral utility, such as VIRHUNT from DDI's Data Physician Plus! package. CIAC recommends that once a system has had a virus eradicated, it be powered down. The computer should then be observed closely throughout the entire boot-up process. Another virus scan should be performed on the machine to ensure that it is devoid of any virus.


New Virus on Macintosh Computers: MBDF A

CIAC Information Bulletin Number C-17: February 25, 1992, 1130 PST

Name: MBDF A virus

Platform: Macintosh computers, except MacPlus and SE (see below)

Damage: May cause program crashes

Symptoms: Claris applications indicate they have been altered; some shareware may not work, unexplained system crashes

Detection & Eradication: Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6, VirusDetective 5.0.2, Rival 1.1.10, SAM 3.0

Critical Facts about MBDF A

A new Macintosh virus, MBDF A, (named for the resource it exploits) has been discovered. This virus does not appear to maliciously cause damage, but simply copies itself from one application to another. MBDF A was discovered at two archive sites in newly posted game applications, and has a high potential to be very widespread.

Infection Mechanism

This virus is an "implied loader" virus, and it works in a similar manner to other implied loader viruses such as CDEF and MDEF. Once the virus is active, clean application programs will become infected as soon as they are executed. MBDF A infects only applications, and does not affect data files. This virus replicates under both System 6 and System 7. While MBDF A may be present on ALL types of Macintosh systems, it will not spread if the infected system is a MacPlus or a Mac SE (although it does spread on an SE/30).

Potential Damage

The MBDF A virus has no malicious damaging characteristics; however, it may cause programs to inexplicably crash when an item is selected from the menu bar. Some programs, such as the shareware "BeHierarchic" program, have been reported to not operate correctly when infected. Applications written with self-checking code, such as those written by the Claris corporation, will inform the user that they have been altered.

When MBDF A infects the system file, it must re-write the entire system file back to disk; this process may take two or three minutes. If the user assumes the system has hung, and reboots the Macintosh while this is occurring, the entire system file will be corrupted and an entire reload of system software must then be performed.

This virus can be safely eradicated from most infected programs, although CIAC recommends that you restore all infected files from an uninfected backup.

Detection and Eradication

Because MBDF A has been recently discovered, only anti-viral packages updated since February 20, 1992 will locate and eradicate this virus. All the major Macintosh anti-viral product vendors are aware of this virus and have scheduled updates for their products. These updates have all been available since February 24, 1992. The updated versions of some products are Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6, SAM 3.0, VirusDetective 5.0.2, and Rival 1.1.10. Some Macintosh applications (such as the Claris software mentioned above) may contain self-verification procedures to ensure the program is valid before each execution; these programs will note unexpected alterations to their code and will inform the user.

MBDF A has been positively identified as present in two shareware games distributed by reliable archive sites: "Obnoxious Tetris" and "Ten Tile Puzzle". The program "Tetricycle" (sometimes named "Tetris-rotating") is a Trojan Horse program which installs the virus. If you have downloaded these or any other software since February 14, 1992 (the day these programs were loaded to the archive sites), CIAC recommends that you acquire an updated version of an anti-viral product and scan your system for the existence of MBDF A.

CIAC would like to thank Gene Spafford and John Norstad, who provided some of the information used in this bulletin.


PKZIP Trojan Alert

CIAC Information Bulletin Number C-27: July 8, 1992, 1700 PT

Problem: Bogus versions of the PKZIP archiving software have been released to Bulletin Board Systems (BBS).

Platform: PCs running PC-DOS, or MS-DOS

Damage: One version attempts to erase the hard disk.

Detection: Look for the files: PKZ201.ZIP, PKZ201.EXE, PKZIPV2.ZIP, or PKZIPV2.EXE

Removal: Save a copy of the files for CIAC, then delete the files. Do not extract or run these files.

Critical Facts about the PKZIP Trojan

CIAC has learned that two bogus versions of the popular archiving utility PKZIP for PC-DOS and MS-DOS machines are being circulated on several BBSs around the country. The two bogus versions of PKZIP are 2.01 (PKZ201.ZIP and PKZ201.EXE) and 2.2 (PKZIPV2.ZIP and PKZIPV2.EXE). If you have downloaded any of these files, do not attempt to use them. You risk the destruction of all the data on your hard disk if you do.

At the current time, the released version of PKZIP is version 1.10. A new version of PKZIP is expected to be released in the next few months. Its version number was planned to be 2.00, but may be increased to a number greater than 2.2 to prevent confusion with the bogus versions. PKWARE Inc. has indicated it will never issue a version 2.01 or 2.2 of PKZIP. A good copy of the latest version of PKZIP can always be obtained from the PKWARE BBS listed below.

According to PKWARE Inc., version 2.01 is a hacked version of PKZIP 1.93 Alpha. While this version does not intentionally do any damage, it is alpha level software, and may have serious bugs in it.

Version 2.2 is a simple batch file that attempts to erase your C:\ and C:\DOS directories. If your hard disk has been erased by this program, you may be able to recover it using hard disk undelete utilities such as those in Norton Utilities or PCTools. Don't do anything that might create or expand a file on your hard disk until you have undeleted the files, as you may overwrite the deleted files, which will destroy them. To examine a file to see if it is version 2.2, type it to the screen with the DOS TYPE command. If the file that prints on the screen is a short batch file with commands such as DEL C:\*.* or DEL C:\DOS\*.*, then you have the bogus file.
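The bulletin's advice to TYPE a suspect file rather than run it amounts to checking what a file actually contains before trusting its name. The Python below is an added example for this page, not CIAC or PKWARE code: it flags the four file names the bulletin lists, then classifies the content by its leading bytes (the local file header that begins a ZIP archive, the MZ header of a DOS program) and, failing both, looks for batch lines such as DEL C:\*.* that the bulletin describes. The sample files are constructed; the bogus names and the DEL commands come from the bulletin.

```python
"""Check a downloaded 'PKZIP' file by its contents instead of its name: a
genuine ZIP archive begins with the local-file-header magic (PK followed
by bytes 03 04), a DOS program begins with MZ, and the bogus 2.2 release
the bulletin describes is a short batch file made of DEL commands.  The
file names PKWARE says it never shipped are also flagged.

Added example for this page, not CIAC or PKWARE code.  The sample files are
constructed; the flagged names and the DEL commands come from the bulletin.
"""
import re

BOGUS_NAMES = {"PKZ201.ZIP", "PKZ201.EXE", "PKZIPV2.ZIP", "PKZIPV2.EXE"}
ZIP_MAGIC = b"PK\x03\x04"          # first local file header of a ZIP archive
EXE_MAGIC = b"MZ"                  # DOS executable header
# A batch line such as "DEL C:\*.*" or "ERASE C:\DOS\*.*".
DESTRUCTIVE_LINE = re.compile(rb"^\s*(DEL|ERASE)\s+[A-Z]:\\",
                              re.IGNORECASE | re.MULTILINE)


def classify_download(name, data):
    """Return a list of findings for one file.  A single 'ZIP archive'
    finding means nothing suspicious was seen, which is not the same as clean."""
    findings = []
    if name.upper() in BOGUS_NAMES:
        findings.append("name matches a PKZIP version PKWARE never released")
    if data.startswith(ZIP_MAGIC):
        findings.append("content: ZIP archive")
    elif data.startswith(EXE_MAGIC):
        findings.append("content: DOS executable")
    elif DESTRUCTIVE_LINE.search(data):
        findings.append("content: batch file with DEL commands, do not run")
    else:
        findings.append("content: not an archive or executable")
    return findings


def is_plain_archive(name, data):
    """True only when the name is not on the bogus list and the content is a ZIP."""
    return classify_download(name, data) == ["content: ZIP archive"]


# Constructed samples: a real-looking executable, a plausible archive, a file
# carrying one of the bogus names, and a stand-in for the bogus 2.2 batch file.
SAMPLES = {
    "PKZ110.EXE": EXE_MAGIC + b"\x00" * 62,
    "MANUALS.ZIP": ZIP_MAGIC + b"\x14\x00" + b"\x00" * 24,
    "PKZIPV2.ZIP": ZIP_MAGIC + b"\x14\x00" + b"\x00" * 24,
    "PKZIPV2.EXE": b"@ECHO OFF\r\nDEL C:\\*.*\r\nDEL C:\\DOS\\*.*\r\n",
}

if __name__ == "__main__":
    for fname, content in SAMPLES.items():
        print(fname, "->", "; ".join(classify_download(fname, content)))
```

A name-based hit is decisive because PKWARE has said those version numbers will never exist; the content check is what catches the same payload after someone renames it.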

If you should happen to see any of these files on a BBS, please contact the sysop of that BBS immediately, and ask him to remove them. If you have downloaded one of these files, please save a copy for CIAC, and then delete the files from your hard disk. PKWARE Inc. has also asked to be informed of any occurrences of these files, and can be reached at,

or by mail:

CIAC would like to acknowledge the contribution of PKWARE Inc.


November 17 Virus on MS DOS Computers

CIAC Information Bulletin Number D-10: March 15, 1993 1000 PST

Name: November 17 virus

Aliases: NOV 17, 855

Platform: MS DOS Computers

Damage: On November 17 will destroy hard disk contents

Symptoms: Files grow by 855, 768, 880, or 800 bytes

Detection/Eradication: FPROT 207, Scan V102, Novi

Critical Facts about the November 17 virus

The November 17 virus is a simplistic file infector virus which has recently been discovered to be fairly widespread. This virus will overwrite the hard disk on November 17 of any year.

Infection Mechanism

This virus is a file infector virus (see CIAC bulletins A-20, A-27, A-29, B-35, and 3 bulletins from Fiscal Year 1989 for information on similar file infector viruses). Upon execution of a virus-infected program, NOV 17 will become memory resident at the top of memory and inhabit 896 bytes of memory.

Once resident, it will infect any .COM and .EXE programs when the file attributes are set or read, when the file is opened for READ, and upon loading and execution. Therefore, if the virus is resident in memory, and a new disk with clean executables is copied, the original disk's .EXE and .COM files will become infected if the disk is not write-protected. It can easily be transferred via LANs anytime an executable file is opened or executed over the LAN. This virus will not infect files with a filename of SCAN.EXE or CLEAN.EXE, and it will not infect files that have the system bit set. It does not affect data files.

Potential Damage

On November 17 of any year this virus will overwrite portions of the C: drive or current drive, depending on the variant. On any other day of the year this virus will simply replicate. Some variants will cause this overwrite process to occur on days after November 17.

Detection and Eradication

Many recent versions of antivirus products will detect this virus. Another method of direct detection is to search for the string "SCAN.CLEAN.COMEXE", which can be found within the virus code of every infection.

Until March of 1993, there had been no reports of this virus in the United States. Because of this fact, some anti-virus products do not detect the presence of it by name. Some products, such as Data Physician Plus!, do detect when they themselves become infected, at which point a message such as "A virus has been detected, would you like to continue?" may appear on the screen. This message means that the antivirus product's self check mechanism has detected a modification to itself, and at this point CIAC recommends that you check the machine with a different antivirus product, or call CIAC for additional information on virus handling.

Virus Variants

There are four known variants of this virus; all increase file lengths by a different amount and take up a different amount of resident memory. The variants increase the lengths of infected files by 768, 800, 880, and 855 bytes. The 768 variant is almost identical to the original virus but takes up 800 bytes of memory; it was discovered in May of 1992. The variant which adds 800 bytes to files takes up 832 bytes of memory, was discovered in March of 1993, and activates November 17-30 of any year. The 880 variant, which uses 928 bytes of memory and was first seen in November 1992, will activate on any date from November 17 to December 31 of any year. The 855 variant, also called Nov17B and first seen in September of 1992, causes infected .EXE files to hang the system when executed.

Due to the nature of this virus's infection mechanism, it is sometimes not possible to remove the infection from a host program. CIAC recommends that if this virus is discovered a copy be kept and then all infected files be deleted and restored from backup.


Satan Bug Virus on MS-DOS computers

CIAC Information Bulletin Number D-22: September 4, 1993 1000 PDT

Name: Satan Bug virus

Platform: MS-DOS/PC-DOS Computers

Type: Memory resident, polymorphic, encrypted

Damage: Infects .COM, .EXE, .SYS, and .OVL files. Damages infected files, makes LANs inaccessible by damaging the LAN drivers.

Symptoms: Files grow at each infection, file dates change, files on LAN file servers become inaccessible.

Detection: DataPhysician Plus 4.0B, Scan V106, Norton AntiVirus 2.1 with August 1993 virus definitions.

Critical Facts about the Satan Bug Virus

CIAC has been alerted that the Satan Bug virus, a new virus previously thought to be contained, has been located at multiple sites in the "wild." The Satan Bug virus is an encrypted, polymorphic virus that infects all .COM, .EXE, .SYS, and .OVL files on MS-DOS/PC-DOS computers.

Infection Mechanism

When an infected file is run, the virus installs itself in memory, and then infects COMMAND.COM. Thereafter, whenever an executable file is opened or executed it is infected with the virus. Infected files grow in size from 2.9K to 5.4K bytes, and the creation date is increased by 100 years.

Potential Damage

It does not appear that this virus does any intentional damage, but infected files may be inoperative. In addition, the virus is not easily removed from infected files, requiring that they be replaced with uninfected copies from backup disks (See Appendix). The virus damages network drivers, making it impossible for a machine to connect to a network and use network services.

Detection

Anti-virus scanners dated before August 1993 that use virus signature scanning will not be able to recognize this virus. Anti-virus scanners that use file signature scanning should be able to detect that the files have been changed, but will not be able to name the virus. Most anti-virus scanner vendors are updating their programs at this time, so scanners dated after August 1993 should be able to detect the virus by name. As of the release of this bulletin, McAfee's SCANV 106 and Norton AntiVirus version 2.1 with the August 1993 virus definitions update are known to detect it. The DataPhysician Plus package (VirHunt, ResScan) version 4.0B is in final testing and will be available soon.

Warning

If you run an infected anti-virus scanner, nearly every executable file on your disk will be infected. Virus scanners must open a file to scan it, and if this virus is in memory, the act of opening the file for scanning will infect it. Most scanners first check themselves to see if they are infected with a virus, and display a "Virus Found" or "File Damaged" message when they start up. If this happens, do not scan your disk with this scanner. Even if the scanner claims that it can remove the virus from itself, don't scan your disk with it. The memory resident portion of the virus will still infect your disk.

To scan a computer infected with a memory resident virus like the Satan Bug virus, you must boot the computer with a clean (uninfected), locked floppy that contains a clean version of the virus scanner software. Delete any infected files the scanner finds, and replace them with fresh copies. See the Appendix for more information.

CIAC wishes to thank Bill Kenny of DDI, Joe Wells of Symantec and David Proulx of NAVCERT for their help in preparing this bulletin.


Appendix: Scanners, Encrypted Viruses and Removing Memory Resident Viruses

The following appendix answers some frequently asked questions about virus scanners, encrypted viruses, and disinfecting hard disks.

Anti-Virus Scanners

Virus scanners use two different methods for detecting infected files: scanning for virus signatures, and scanning for changes in executable files. A signature scanner must have a string of bytes, or signature, that uniquely identifies a virus and that it can detect in a file. If a virus does not contain a known signature, the scanner will not detect it. File scanners look at a file's attributes, creation date and time, length, checksum, file header, and other properties to determine if the file has changed. A file scanner can detect a new virus, but cannot tell what virus it is. Strictly speaking, a file scanner cannot tell whether a file is infected by a virus, only that the file has changed in some way. However, any change in an executable file should be viewed with a lot of suspicion. Few executable files rewrite themselves after installation. None of the DOS utility programs (FORMAT, ASSIGN, etc.) should ever change during normal use, so view changes there as a probable virus infection.
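As an added example (not CIAC's code, nor that of any scanner vendor named in the bulletin), the file-scanner approach described here, combined with the Satan Bug symptoms listed under Infection Mechanism (files grow, file dates jump about 100 years forward), written as a small baseline-and-compare checker in Python. The executable extensions, the future-date threshold and the sample files are constructed for the demonstration.

```python
"""Baseline-and-compare change detector for DOS-style executables (added example)."""
import hashlib
import os
import tempfile
import time

EXECUTABLE_EXTS = {".com", ".exe", ".sys", ".ovl"}  # the types the bulletin lists
FUTURE_SKEW = 50 * 365 * 86400  # assumed threshold: a date > 50 years ahead is bogus


def file_record(path):
    """The attributes a file scanner keeps: length, timestamp, strong hash."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": hashlib.sha256(data).hexdigest()}

def build_baseline(root):
    """Map relative path -> record for every executable under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline

def compare(baseline, root, now=None):
    """Return (relative path, reasons) for each baseline file that changed or vanished."""
    now = time.time() if now is None else now
    current = build_baseline(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
            continue
        reasons = []
        if new["size"] != old["size"]:
            reasons.append("size %d -> %d" % (old["size"], new["size"]))
        if new["sha256"] != old["sha256"]:
            reasons.append("checksum changed")
        if new["mtime"] != old["mtime"]:
            reasons.append("timestamp changed")
        if new["mtime"] > now + FUTURE_SKEW:  # e.g. the +100 years the bulletin describes
            reasons.append("timestamp far in the future")
        if reasons:
            findings.append((rel, "; ".join(reasons)))
    return findings

def demo():
    """Constructed scenario: two 5-byte stubs; one grows by 3000 bytes and is dated 100 years ahead."""
    root = tempfile.mkdtemp()
    stub = b"\xb8\x00\x4c\xcd\x21"  # constructed DOS exit stub, not a real utility
    for name in ("ASSIGN.COM", "FORMAT.COM"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(stub)
    baseline = build_baseline(root)
    victim = os.path.join(root, "FORMAT.COM")
    with open(victim, "ab") as fh:
        fh.write(b"\x90" * 3000)  # appended filler, standing in for growth at infection
    century_ahead = time.time() + 100 * 365 * 86400
    os.utime(victim, (century_ahead, century_ahead))
    return compare(baseline, root)
```

The baseline must be recorded while the system is known clean, which is the same caveat the bulletin makes for Data Physician Plus below.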

Problems Removing Encrypted Viruses

Encrypted viruses like the Satan Bug are particularly difficult to remove from an infected program. Most viruses of this type attach themselves to the end of a program, and then remove a small piece from the beginning of the program and insert code there that causes the virus code to be run first. When the virus code completes running, it executes the small piece of code it removed from the beginning of the program and then continues with the original program. That way, when you run an infected program, you will only notice a slight hesitation at the beginning when the virus code runs, and then the infected program runs like normal.

Encrypted viruses store this piece of the normal program within the virus code and then encrypt the virus code. For an anti-virus program to be able to patch an infected program, it must be able to decrypt the encrypted virus to find the piece of missing code so that it can be put back where it belongs. The Satan Bug virus has up to nine levels of encryption, the level being different for each infection. Decrypting this much code is a very difficult process, so most anti-virus programs are not expected to be able to repair programs infected with the Satan Bug virus.

On the other hand, some file signature scanning programs may save enough of the scanned files to be able to repair an infected program. The Data Physician Plus package does save a sufficient amount of information to be able to repair a program infected with the Satan Bug virus. However, you must have created the file signature file before your program was infected. Again, if at all possible, you should always replace infected files rather than repairing them to ensure that you have undamaged copies.

Disinfecting Hard Disks Infected With a Memory Resident Program Virus

In order to disinfect a disk infected with a memory resident program virus, you first need to get the virus out of memory, then you need to scan the disk with an uninfected copy of the virus scanner. To get the virus out of memory, boot your computer with a clean, locked boot disk. Then you can scan the hard disk using an anti-virus scanner, also located on a locked disk. The following steps can be used to disinfect systems infected with memory resident program viruses such as the Satan Bug. They are also applicable to non-memory resident program viruses, but not to boot sector viruses and partition table viruses, which need additional steps.
  1. You need a locked, uninfected emergency boot floppy disk that contains the virus scanner, FORMAT.EXE, SYS.COM, FDISK.COM, and any disk management software needed to access your hard disk, such as DiskManager. You also need simple CONFIG.SYS and AUTOEXEC.BAT files that let you bring up your system in a limited way, and any backup/restore software you may use. You need to have made this disk before your system gets infected, or make it on some other uninfected machine.
  2. Boot the infected computer with the locked, uninfected floppy.
  3. Run the copy of the virus scanner on the uninfected floppy and scan the hard disks on the infected computer.
  4. Once the scan has completed, delete any infected files the scanner found and scan the disk again. Repeat this step until no more infected or changed files are found. Alternately, you can let the scanner disinfect all the files if it can, but this is not always possible or preferable.
  5. When the scanner indicates that the hard disk is clean, restore the system using the SYS command. This step replaces the hidden system files, COMMAND.COM, and the boot sector.
  6. Restore any deleted executables from your locked master disks or backup sets.
  7. Scan the disk again with your virus scanner. Note that at this point, the scanner may detect changes in some files because you have copied in new versions. If the scanner detects a virus, then delete the infected file. Later you will need to scan your source disk for that infected file, to see if it is infected as well.
  8. Remove the emergency floppy and reboot the computer. Your computer should boot up correctly.
  9. Insert the emergency floppy and run the scanner again just to be sure you have gotten every infected file.
  10. Start scanning any floppy disks that may have been infected by your computer. Keep in mind that the virus could have been active for months before you discovered it.

nVir A Virus Found on CD-ROM

CIAC Advisory Notice Number E-19: May 5, 1994 1500 PDT

Problem: The Macintosh nVir A virus has been found in the "README." file on the Journal of Vacuum Science & Technology CD-ROM Vol.12 1Q94.

Platform: Macintosh, all versions of the operating system. This virus has no effect on the MS-DOS files also on the disk.

Damage: The virus can easily infect your computer.

Solution: Check with publisher, do not execute "README." file.

Vulnerability Assessment: This CD-ROM is included as part of the American Vacuum Society's (AVS) journal distribution, and is distributed to members of the AVS. The virus is not overtly damaging, but does damage the system and applications during infection.

Critical Information about the CD-ROM distribution, and the nVir A Virus

CIAC has investigated a report of a virus in the CD-ROM distribution of a technical journal. The Journal of Vacuum Science & Technology A&B (Second Series Volume 12, 1994) apparently was inadvertently infected with the nVir A virus before production of the CD-ROM. All known copies of this CD-ROM distribution are infected with this Macintosh virus.

The CD-ROM can be identified by the following titles printed on the disk: a title in large bold type, "JVST A&B Vol. 12 1Q94", and a subtitle in small type, "JVST-A Vol 12(1) and 12(2) JVST-B, Vol 12(1)".

The infected file is "README." in the root directory of the CD-ROM, which is a DOCMaker Stand-Alone document reader application. This file is the one the instruction manual tells you to run for viewing or printing the user manual; however, doing so will infect the system file of your Macintosh.

This disk can also be read via a PC using DOS or Windows, but those systems will be unaffected, because the nVir A virus is specific to the Macintosh operating system.

The nVir A virus at first only replicates, but after a certain number of executions it has a small chance of saying "Don't Panic" if MacinTalk is installed, or of making the computer beep if MacinTalk is not installed. It is not an intentionally destructive virus, but it does damage the system and applications during the infection process. Infected systems occasionally crash, and printing is often delayed or damaged.

CIAC recommends that if you have received this CD-ROM, you immediately mark it as containing a Macintosh computer virus, and do not run the "README." file in the root directory. If you are using this disk on a PC system, you do not need to worry as the PC files on this disk are not infected. If you have already run this infected file, get a copy of an anti-virus program such as Disinfectant, and scan your hard disk for infected files. Replace all the infected files that you can, and repair those that you cannot replace. If your hard disk has been infected, you must scan every floppy disk that has been in your system since the infection occurred.

Even though the CD-ROM contains an infected file, the file can only infect your system if it is executed. The other files on the disk can still be installed and used without causing an infection. To install the Adobe Acrobat document reader on your Macintosh, run the Installer program in the JVST_94:install:mac:reader folder. To install the search utility, run the JVST_INSTALL;1 program in the JVST_94:install:mac:wordkeep directory. You can also view the README.DOC file, which contains the instructions for using the PC and Windows versions of the reader, using a word processor. Only the "README." file must be avoided.

If you must access the data in the infected "README." file, carefully copy the file to a floppy disk, repair it using an anti-virus utility such as Disinfectant, and then scan it again to ensure it has been repaired. If the repaired file is no longer infected, you may then run it to view the document. Again, do not run the copy of the "README." file that is on the CD-ROM, as it is still infected and cannot be repaired due to the read-only nature of the CD-ROM.

The publisher has sent a letter to all known recipients of this CD-ROM distribution explaining this problem.

CIAC wishes to thank Judy Lim, Rick Stulen and Art Pontau of Sandia National Labs for first bringing this to our attention and for supplying us with a copy of the CD-ROM. CIAC also wishes to thank the ASSIST team for helping us to contact the publishers of this journal.


Trojan Attack on Chinon CD-ROM Drives

CIAC Information Bulletin Number E-20: May 6, 1994 1200 PDT

Problem: A Trojan-horse program, CD-IT.ZIP, masquerading as an improved driver for Chinon CD-ROM drives, corrupts system files and the hard disk.

Platform: All MS-DOS and PC-DOS machines.

Damage: Once in memory, the program destroys system files, requiring a format of the infected drive to correct.

Solution: Do not execute the program in CD-IT.ZIP.

Vulnerability Assessment: The program is not dangerous if not run, but can cause serious damage to a hard drive if it is. As of this date, we don't know of any anti-virus software that recognizes it.

Critical Information about the CD-IT.ZIP Trojan

CIAC has received information from Chinon America regarding a Trojan-horse program masquerading as an improved driver for Chinon CD-ROM drives. The following text is the press release from Chinon America:

TORRANCE, CALIFORNIA, U.S.A., 1994 APR 29 (NB) -- A new "Trojan Horse" computer virus is on the Internet and is labeled with the name of the fourth largest manufacturer of compact disc read-only memory (CD-ROM) drives. Chinon America, Incorporated, the company whose name has been improperly used on the rogue program, is warning IBM and compatible personal computer (PC) users to beware of the program known as "CD-IT.ZIP."

A Chinon CD-ROM drive user brought the program to the company's attention after downloading it from a Baltimore, Maryland Fidonet server. One of the clues that the virus, masquerading as a utility program, wasn't on the up-and-up was that it purports "to enable read/write to your CD-ROM drive," a physically impossible task.

CD-IT is listed as authored by Joseph S. Shiner, couriered by HDA, and copyrighted by Chinon Products. Chinon America told Newsbytes it has no division by that name. Other clues were obscenities in the documentation as well as a line indicating that HDA stands for Haven't Decided a Name Yet.

David Cole, director of research and development for Chinon, told Newsbytes that the company knows of no one who has actually been infected by the program. Cole said the virus isn't particularly clever or dynamic, but none of the virus software the company tried was able to eradicate the rogue program. Chinon officials declined to comment on what antivirus software programs were used.

If CD-IT is actually run, it causes the computer to lock up, forcing a reboot, and then stays in memory, corrupting critical system files on the hard disk. Nothing but a high-level reformat of the hard disk drive will eradicate the virus at this point, a move that sacrifices all data on the drive. It will also corrupt any network volumes available.

"We felt that it was our responsibility as a member of the computing community to alert Internet users of this dangerous virus that is being distributed with our name on it. Even though we have nothing to do with the virus, it is particularly disturbing for us to think that many of our loyal customers could be duped into believing that the software is ours," Cole explained.

Chinon is encouraging anyone who might have information that could lead to the arrest and prosecution of the parties responsible for CD-IT to call the company at 310-533-0274. In addition, the company has notified the major distributors of virus protection software, such as Symantec and McAfee Associates, so they may update their programs to detect and eradicate CD-IT.

(Linda Rohrbough/19940429/Press Contact: Rolland Going, The Terpin Group for Chinon, tel 310-798-7875, fax 310-798-7825; Public Contact: Chinon, CD-IT Information, 310-533-0274)

CIAC recommends that if you find a copy of the file CD-IT.ZIP, you do not install it on your computer. If you have already installed and run the file, shut down your machine immediately. Check with your anti-virus vendor to see if they have a scanner/repair utility available. If not, boot from a clean, locked floppy. If you can still access your hard disk, back up any important files that were not included in your last backup, reformat the drive, and restore it from your last backup.

CIAC is currently obtaining a copy of this Trojan from Chinon, and will make any new information about this Trojan available in a future copy of CIAC Notes.

CIAC would like to thank Chinon America for the information contained in this advisory and Brian Lev of NASIRC for forwarding it to us.


KAOS4 Virus

CIAC Information Bulletin Number E-32a: August 2, 1994 1600 PST

Problem: A new computer virus is preventing systems from booting.

Platform: All MS-DOS, PC-DOS, Windows systems.

Damage: May damage executable files and make systems unbootable.

Solution: Update your Anti-Virus program to detect/remove the virus.

Vulnerability Assessment: The KAOS4 virus is becoming widespread after being posted to a USENET newsgroup. The virus has been seen at multiple locations within the DOE community. The virus does not appear to be intentionally damaging, but does render systems unbootable until the system files can be replaced. Most current virus scanners must be revised to detect it.

Critical Information about the KAOS4 Virus

CIAC has received information that a new computer virus named KAOS4 was posted to a USENET newsgroup, which resulted in its wide distribution. Our research indicates the virus is not intentionally damaging, but it does tend to make systems unbootable until the virus is removed. Most virus scanners do not detect this virus without being updated; however, most file change detectors should detect it now.

The most common symptom of an infection from this virus is that infected machines become unbootable. Unfortunately, that is a common symptom of many other problems, including hardw