The SARC AntiVirus News Update "The sun never sets on SARC" Volume 4 Issue 2 September 1999
Windows viruses seem to be on the increase, with approximately one appearing per month. One such Windows virus is Termite.7800, which infects both DOS and Windows program files; it is featured in this issue along with W32.Kriz.3740, discovered late last month.

You may be interested to know that issued with every set of virus definitions, for example through LiveUpdate, is a list of the new viruses detected and details of new technologies added to Norton AntiVirus. The file is called whatsnew.txt and can be found in the following directory: C:\Program Files\Common Files\Symantec Shared\VirusDefs\19990818.001 The last part of the directory name is the date and release number of the virus definitions.

Last month I posed the question: "should the same or similar legal penalties apply to people writing plugins to malicious code as apply to the original authors?". Well, we had a very good response, with strong opinions and well-presented arguments. Thanks to all those who took the time to compose a reply. The overwhelming feeling was yes, they should. I've posted some extracts from the responses in an article below.

This issue of the HTML version of the newsletter is in a different format, which I hope you like and will find easier to read. I have also removed links to remote graphics so your internet dial-up connection doesn't start up on its own to retrieve them. Keep sending me those comments and ideas on ways to improve the newsletter.

David Banes, Editor, sarc.avnews@symantec.com
STOP PRESS - W97M.Thus.A Virus: Word Macro Virus
W32.Kriz.3740 is a Windows 9x/NT virus which infects Portable Executable (PE) Windows files. The virus goes resident in memory, attempting to infect any files that are opened by the user or by applications. If infected with this virus, the user should verify they have "booted clean" before attempting to scan and repair files. The virus also modifies KERNEL32.DLL. This file must be replaced with a known, clean backup. In addition, this virus may also corrupt some PE files, requiring them to be replaced by known, clean backups (or from the installation package). The W32.Kriz.3740 virus also contains a payload, which is executed on December 25th.

The first time the virus is executed on a system, it will create an infected copy of KERNEL32.DLL in the Windows system directory. The file will be named KRIZED.TT6. If this file is found in the Windows system directory, it should be deleted. The next time Windows is started, this file will be copied over the original KERNEL32.DLL. Then the virus infects other files when certain Windows API functions are called by a program.

There are variants of this virus, and some of the differences between variants pertain to the payload. The 3863 variant will access more types of drives when overwriting files, while other differences include the method of infection. The 3740 variant will create a new section named "..." and copy its viral code to that newly created section. The 3863 variant will simply append its code to the end of the last section. Currently only the 3863 variant has been found in the wild. There is a 3863.b version of this virus which is the same as the 3863 variant except that some of the unused text at the end of the virus has been corrupted.

If the system date is December 25th, the virus will attempt to flash the BIOS of the computer. This will prevent the computer from booting up properly and may require a change of hardware. Information stored in the CMOS will be cleared, so the date, time, hard drive and floppy drive settings, peripheral configuration, etc. will need to be restored. The virus will also begin overwriting files on all available drives. This includes mapped network drives, floppy drives and RAM disks. This payload is very similar to W95.CIH and therefore warrants concern.

Norton AntiVirus will detect this virus with the current virus definitions, available through LiveUpdate.

by: Eric Chien SARC, Europe
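As an added triage aid (not code from the newsletter or from Symantec): the 3740 variant described above adds a PE section named "..." and the first run drops KRIZED.TT6 in the system directory. The Python below parses a PE section table and flags that section name, and checks a directory listing for the dropped file; the PE bytes are constructed inline for the demonstration, and a name match is an assumption-based triage signal rather than a definition-quality detection.

```python
import struct

# Offsets from the PE/COFF layout: e_lfanew lives at 0x3C in the MZ header;
# after the 4-byte "PE\0\0" signature the COFF header holds NumberOfSections
# at +6 and SizeOfOptionalHeader at +20; the section table (40-byte entries,
# 8-byte names) follows the optional header.
KRIZ_SECTION_NAME = b"..."          # section name the newsletter attributes to the 3740 variant
KRIZ_DROPPED_FILE = "KRIZED.TT6"    # infected KERNEL32.DLL copy dropped on first run


def section_names(data: bytes) -> list:
    """Return the section names from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsect):
        raw = data[table + i * 40: table + i * 40 + 8]
        names.append(raw.split(b"\0", 1)[0])
    return names


def kriz_section_present(data: bytes) -> bool:
    """Triage signal only: a section literally named '...' as described for W32.Kriz.3740."""
    return KRIZ_SECTION_NAME in section_names(data)


def dropped_copy_present(listing) -> bool:
    """Check a Windows system directory listing (case-insensitive) for KRIZED.TT6."""
    return any(name.upper() == KRIZ_DROPPED_FILE for name in listing)


def build_pe(names, opt_size=0xE0) -> bytes:
    """Construct a minimal, non-executable PE layout so the parser can be exercised offline."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x010F)
    table = b"".join(n.ljust(8, b"\0")[:8] + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table


if __name__ == "__main__":
    print(kriz_section_present(build_pe([b".text", b".data", b"..."])))  # True
    print(dropped_copy_present(["kernel32.dll", "krized.tt6"]))  # True
```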
After executing the MONOPOLY.VBE file, the worm displays a message:

and displays the picture file MONOPOLY.JPG, which you can view by clicking the following link: http://www-cu.symantec.com/avcenter/graphics/bill_mnpy.jpg

Please Note: The Norton AntiVirus definition set prior to August 9th detects this worm as VBS.Freelink.
A comprehensive list of viruses that DO NOT EXIST, despite rumors of their creation and distribution, is located at: http://www.sarc.com/avcenter/hoax.html
Symantec has announced the integration of IBM's patented neural network boot detection technology into Norton AntiVirus products. This neural network technology, which uses artificial intelligence to detect boot viruses, complements Symantec's Bloodhound heuristic technology, which detects boot viruses by using expert systems to identify virus-like behavior. As a result, Norton AntiVirus customers receive two heuristic technologies proven to detect up to 90 percent of new and unknown boot viruses. The technology is available to Norton AntiVirus customers at no cost via the LiveUpdate function built into the product.

IBM's neural network boot detection technology provides additional security by mimicking human neurons in learning the difference between infected and uninfected boot records. By being shown many examples of viruses and non-viruses, the neural network learned to recognize viruses better than traditional heuristics hand-tuned by virus researchers. This neural network can detect an extremely high percentage of new and unknown boot record viruses automatically. Together, these technologies provide Norton AntiVirus customers protection against both known and unknown boot sector viruses.

The full press release is here.
Termite.7800 is an encrypted, non-memory-resident, direct-infector, prepending file virus with a harmless payload that displays a message or a poem. It infects DOS and Windows executables. Infected Windows executables will be changed to DOS .exe's. It also utilizes the mIRC program or the Pegasus Mail program to propagate.

When an infected file is run at 17 minutes past any hour the virus will display:

TOADiE v1.2 - Raid [SLAM]

When the first generation infection is executed (for example, if received via DCC on IRC, from an infected Pegasus Mail user, or from the initial Usenet posting), the virus will display one of the following five poems:

There once was a bud named B.C.
He grew on a 7 foot tree
Till one day I plucked him
Rolled him and smoked him
And now I can barely see!

Ladies and gentlemen, I stand before you to stand behind you to tell you something I know nothing about. Thursday, which is Good Friday, we're having a Father's Day party for mothers only. Admission is free, pay at the door, pull out a chair and sit on the floor.

Late one night in the middle of the day, two dead soldiers got up to fight. Back to back they faced each other, pulled out their swords and shot one another. A deaf policeman heard the noise, got up and shot the twice dead boys. If you don't believe me, ask the blind man who saw it all, through a knothole in a wooden brick wall.

Question: If someone with multiple personalities tries to commit suicide, do the police consider it a hostage situation?

One bong hit, Two bong hit, Three bong hit, Floor.

Norton AntiVirus will detect this virus with the current virus definitions available through LiveUpdate.

by: Eric Chien SARC, Europe
In last month's newsletter I asked for your opinion on a sensitive topic. The question was: "should the same or similar legal penalties apply to people writing plugins to malicious code as apply to the original authors?". We received a lot of feedback on the question, and 99% of respondents agreed that they should face similar penalties. It is worth pointing out that the majority of those who did not agree with the idea felt strongly that trojans like BO2K are comparable to commercially available and reputable remote control software. A few quotes from both sides follow.

"If someone kicks open the door of my house and then runs away, he has committed a crime against me, ... If someone else comes along, sees my door wide open, walks in and robs me -- has he too not committed a crime..."

"... I think those who write plugins for malicious code should be subject to the same penalties. I'm not a lawyer, but the phrase 'aiding & abetting' comes to mind."

"I feel there should be extremely strong penalties (& enforcement) (years in jail) for anyone writing any form of malicious code... Unlike human viruses, computer viruses don't just happen. This activity is malicious, bullying & should be severely punished..."

"They [Cult of the Dead Cow] have not made anything illegal. They have simply made a piece of software that can be used to commit illegal activities."

"Anyone who writes code that is malicious in nature, or that enhances the destructive ability of malicious code... should suffer the same consequences as the original code writer!"

Many of you echoed the above thoughts, which, simply put, is that you feel the plugin writers should be treated in the same way as the authors; it seems that intent is the issue here and they should be held accountable for their actions. It will be interesting to see if this happens in the future.

by: David Banes SARC, Asia Pacific.
Address all correspondence by email to: sarc.avnews@symantec.com or in writing to:

Symantec Corporation
AntiVirus Research Center
attn: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404, USA

Archives of these newsletters are available for reading on the SARC WWW site at: http://www.symantec.com/avcenter/refa.html

Please send virus samples to avsubmit@symantec.com
To be added to the subscription mailing list, please fill out the form available on the SARC website at: http://www.symantec.com/avcenter/newsletter.html

If you want to be removed from this mailing list, simply send an e-mail to listserv@lserver.symantec.com with the following on a line by itself in the body of the message:

SIGNOFF SARC-L

SARC AntiVirus News Update is published periodically by Symantec Corporation. Copyright © 1996-1999 Symantec Corporation. All rights reserved. No reprint without permission in writing, in advance.
SARC Glossary: what's the difference between a virus and a worm?
All information contained in this newsletter is accurate and valid as of the date of issue.

SARC Virus Hotline