The SARC AntiVirus News Update

"The sun never sets on SARC"

Volume 4 Issue 2 September 1999

 
   


The following is a list of the viruses, trojans and worms most frequently reported to SARC's regional offices.


Asia Pacific

W95.CIH
W97M.Ethan.A
W97M.Marker.A


Europe

Happy99.Worm
W97M.Ethan.A
W97M.Marker.A


Japan

Happy99.Worm
XM.Laroux
O97M.Tristate


USA

XM.Laroux
W95.CIH
W97M.Class

     

Windows viruses seem to be on the increase, with approximately one new one appearing per month. One such Windows virus is Termite.7800, which infects both DOS and Windows program files; it is featured in this issue along with W32.Kriz.3740, discovered late last month.

You may be interested to know that issued with every set of virus definitions, for example through LiveUpdate, is a list of the new viruses detected and details of new technologies added to Norton AntiVirus. The file is called whatsnew.txt and can be found in the following directory:

C:\Program Files\Common Files\Symantec Shared\VirusDefs\19990818.001

The last part of the directory name is the date and release number of the virus definitions (in this example 18 August 1999, release 001).

Last month I posed the question: "should the same or similar legal penalties apply to people writing plugins to malicious code as apply to the original authors?". We had a very good response, with strong opinions and well presented arguments. Thanks to all those who took the time to compose a reply. The overwhelming feeling was yes, they should. I've posted some extracts from the responses in an article below.

This issue of the HTML version of the newsletter is in a different format, which I hope you like and will find easier to read. I have also removed links to remote graphics so your internet dialup connection doesn't start up on its own to retrieve them. Keep sending me those comments and ideas on ways to improve the newsletter.

David Banes,
Editor, sarc.avnews@symantec.com
   
     

STOP PRESS - W97M.Thus.A Word Macro Virus

 
       
Viruses in the News
Prevalence: Rare. Platform: PC.

W32.Kriz.3740 is a Windows 9x/NT virus which infects Portable Executable (PE) Windows files. The virus goes memory resident and attempts to infect any files that are opened by the user or by applications. A user whose system is infected should verify they have "booted clean" before attempting to scan and repair files.

The virus also modifies the KERNEL32.DLL. This file must be replaced with a known, clean backup. In addition, this virus may also corrupt some PE files, requiring them to be replaced by known, clean backups (or from the installation package).

The W32.Kriz.3740 virus also contains a payload, which is executed on December 25th.

The first time the virus is executed on a system, it will create an infected copy of KERNEL32.DLL in the Windows system directory. The file will be named KRIZED.TT6. If this file is found in the Windows system directory, it should be deleted. The next time Windows is started, this file will be copied over the original KERNEL32.DLL. Then the virus infects other files when certain Windows API functions are called by a program.

There are variants of this virus, differing mainly in payload and infection method. The 3863 variant overwrites files on more types of drives. The 3740 variant creates a new section named "..." and copies its code into that section, whereas the 3863 variant simply appends its code to the end of the last section.

Currently only the 3863 variant has been found in the wild. There is also a 3863.b version, identical to the 3863 variant except that some of the unused text at the end of the virus body has been corrupted.

If the system date is December 25th, the virus attempts to flash the BIOS of the computer. This will prevent the computer from booting properly and may require the BIOS chip or motherboard to be replaced. Information stored in the CMOS will be cleared, so the date, time, hard drive and floppy drive settings, peripheral configuration, etc. will need to be restored. The virus will also begin overwriting files on all available drives, including mapped network drives, floppy drives and RAM disks. This payload is very similar to that of W95.CIH and therefore warrants concern.

Norton AntiVirus will detect this virus with the current virus definitions, available through LiveUpdate.

by: Eric Chien
SARC, Europe
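
The two infection methods described above (a new section named "..." versus code appended to the last section) leave visible traces in the PE section table. The following Python script is an added example, not Symantec's code and not part of the original newsletter: it parses the PE headers and reports the section-table indicators a scanner would look for. The test images it builds are constructed fixtures (bare headers with no real code), and the "entry point in last section" and "writable and executable last section" checks are general appending-infector heuristics assumed here, not behaviour the newsletter attributes to Kriz.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Parse a PE image's headers; return (entry_rva, sections).

    Each section is a dict with the fields needed by the checks below,
    in section-table order (the last entry is the last section)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 60)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):            # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"),
                         "vsize": f[1], "vaddr": f[2],
                         "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return entry_rva, sections


def infection_indicators(data):
    """Return the reasons (possibly none) this PE looks like an appending infection."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    reasons = []
    if any(s["name"] == "..." for s in sections):
        reasons.append('section named "..."')          # the 3740 variant's added section
    last = sections[-1]
    end = last["vaddr"] + max(last["vsize"], last["rawsize"])
    if last["vaddr"] <= entry_rva < end:
        reasons.append("entry point in last section")  # appended code runs first (heuristic)
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        reasons.append("last section is writable and executable")  # heuristic
    return reasons


def build_pe(sections, entry_rva):
    """Constructed test fixture: a minimal PE32 header with the given section table.
    sections: list of (name, vaddr, vsize, rawptr, rawsize, characteristics)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
        for n, va, vs, rp, rs, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


TEXT = (".text", 0x1000, 0x800, 0x400, 0x800, 0x60000020)        # code, read, execute
DATA = (".data", 0x2000, 0x200, 0xC00, 0x200, 0xC0000040)        # data, read, write

# Clean host: entry point inside .text, last section not executable.
CLEAN = build_pe([TEXT, DATA], 0x1010)
# 3740-style layout: new section "..." added at the end, entry point moved into it.
KRIZ_3740_STYLE = build_pe([TEXT, DATA, ("...", 0x3000, 0xF00, 0xE00, 0xF00, 0xE0000020)], 0x3000)
# 3863-style layout: code appended to the existing last section, which is made executable.
KRIZ_3863_STYLE = build_pe([TEXT, (".data", 0x2000, 0x1100, 0xC00, 0x1100, 0xE0000040)], 0x2200)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("3740-style", KRIZ_3740_STYLE), ("3863-style", KRIZ_3863_STYLE)):
        print(label, infection_indicators(image) or ["no indicators"])
```

Such heuristics give false positives on packed or self-modifying executables, which is why definition-based detection through LiveUpdate remains the authoritative check. The replaced KERNEL32.DLL and the KRIZED.TT6 dropper file are separate indicators this script does not cover.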
   
                   
         
Trojans and Worms in the News
Prevalence: Rare. Platform: PC.

VBS.Monopoly is an encrypted worm that runs on Windows operating systems supporting Visual Basic Script 4.0 and above. The worm uses Microsoft Outlook to send a copy of itself to every recipient in the user's MS Outlook Address Book. It usually arrives as an attachment named 'MONOPOLY.VBS' in an email with the subject "Bill Gates joke".

Similar to VBS.Freelink, the worm is written in Visual Basic Script. When launched, the worm drops a picture named 'MONOPOLY.JPG' in the temporary folder. It also creates 'MONOPOLY.WSH' and 'MONOPOLY.VBE' files.

The 'MONOPOLY.WSH' executes the 'MONOPOLY.VBE' which sends out an email to everyone in the user's MS Outlook Address Book. The email has the following subject and message:

Subject: Bill Gates joke
Message:
Bill Gates is guilty of monopoly. Here is the proof. :-)

After executing the MONOPOLY.VBE file, the worm displays a message:

Bill Gates is guilty of monopoly. Here is the proof.

and displays the picture file MONOPOLY.JPG which you can view by clicking the following link; http://www-cu.symantec.com/avcenter/graphics/bill_mnpy.jpg

To remove this worm, delete the 'MONOPOLY.VBS', 'MONOPOLY.VBE' and 'MONOPOLY.WSH' files. You can use the Find option on the Windows Start menu to locate them.

Norton AntiVirus users may protect themselves from this worm by downloading the current virus definitions available through LiveUpdate.

Please Note: Norton AntiVirus definition sets dated before August 9th detect this worm as VBS.Freelink.

by: Raul Elnitiarta
SARC, USA
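
The behaviour described above (Outlook automation, a walk of the address book, and the script attaching itself to each message) is the pattern a content scanner can look for in a decoded script. The following Python snippet is an added example, not Symantec's code and not part of the original newsletter; the indicator list and the two sample script fragments are constructed for illustration and do not reproduce the worm.

```python
import re

# Indicators of Outlook-automation mass mailing, as described for VBS.Monopoly.
# Each is a regular expression matched case-insensitively against script text.
INDICATORS = {
    "outlook_automation": r'CreateObject\(\s*"Outlook\.Application"\s*\)',
    "mapi_namespace": r'GetNameSpace\(\s*"MAPI"\s*\)',
    "address_book_walk": r'\.AddressLists\b|\.AddressEntries\b',
    "self_attachment": r'Attachments\.Add\s*\(?\s*WScript\.ScriptFullName',
    "send": r'\.Send\b',
}


def scan_script(text):
    """Return the set of indicator names present in a (decoded) script."""
    return {name for name, pat in INDICATORS.items() if re.search(pat, text, re.IGNORECASE)}


def classify(text):
    """Distinguish a script that merely automates Outlook from one that mass-mails.

    A single mail to a fixed recipient is ordinary automation; enumerating the
    address book and sending is the worm pattern, and attaching the running
    script (WScript.ScriptFullName) is the self-replication tell."""
    found = scan_script(text)
    if {"outlook_automation", "address_book_walk", "send"} <= found:
        return "self-mailing worm" if "self_attachment" in found else "mass-mailer"
    if "outlook_automation" in found:
        return "outlook-automation"
    return "none"


# Constructed sample: a legitimate notification script.
BENIGN = '''\
Set ol = CreateObject("Outlook.Application")
Set msg = ol.CreateItem(0)
msg.To = "helpdesk@example.com"
msg.Subject = "Nightly backup finished"
msg.Send
'''

# Constructed sample: the worm-style fragment (loop body deliberately omitted).
WORMLIKE = '''\
Set ol = CreateObject("Outlook.Application")
Set ns = ol.GetNameSpace("MAPI")
' ... iteration over ns.AddressLists(1).AddressEntries omitted ...
msg.Subject = "Bill Gates joke"
msg.Attachments.Add WScript.ScriptFullName
msg.Send
'''

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("wormlike", WORMLIKE)):
        print(label, classify(text), sorted(scan_script(text)))
```

Because MONOPOLY.VBE is an encoded script (the newsletter calls the worm encrypted), a plain-text scan of that file finds nothing; the check only works on the decoded .vbs, which is one reason signature updates rather than keyword scanning are the reliable defence.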

   
                   
         
New Hoaxes
Prevalence: Common. Platform: ALL.

Hoaxes seem to be more common than ever. Although thousands of real viruses are discovered each year, some "viruses" exist only in people's imaginations. The newer hoaxes are:

Matrix Virus Hoax
ZZ331 Virus Hoax
Jan1st20.exe Virus Hoax
CELLSAVER Virus Hoax
Phantom Menace Virus Hoax
Work Virus Hoax
Norman Virus Hoax

A comprehensive list of viruses that DO NOT EXIST, despite rumours of their creation and distribution, is located at:

http://www.sarc.com/avcenter/hoax.html

Please ignore any messages regarding these supposed "viruses" and do not pass on any messages about them. Passing on messages about these hoaxes only serves to further propagate them.

   
                   
         
Neural Net Boot Detection
Platform: PC.

Symantec has announced the integration of IBM's patented neural network boot detection technology into Norton AntiVirus products. This neural network technology, which uses artificial intelligence to detect boot viruses, complements Symantec's revolutionary Bloodhound heuristic technology, which detects boot viruses by using expert systems to identify virus-like behavior. As a result, Norton AntiVirus customers receive two powerful heuristic technologies proven to detect up to 90 percent of new and unknown boot viruses. The technology is available to Norton AntiVirus customers at no cost via the LiveUpdate function built into the product.

IBM's neural network boot detection technology provides additional security by mimicking human neurons in learning the difference between infected and uninfected boot records. By being shown many examples of viruses and non-viruses, the neural network learned to recognize viruses better than traditional heuristics hand-tuned by virus researchers. This neural network can detect an extremely high percentage of new and unknown boot record viruses automatically. Together, these technologies provide Norton AntiVirus customers superior protection against both known and unknown boot sector viruses.


Termite.7800 (Alias Toadie)
Prevalence: Common. Platform: PC.

Termite.7800 is an encrypted, non-memory-resident, direct-action, prepending file virus with a harmless payload that displays a message or a poem. It infects DOS and Windows executables; because the virus body is prepended, an infected Windows executable becomes a DOS .exe. It also uses the mIRC program or Pegasus Mail program to propagate.

When an infected file is run at 17 minutes past any hour the virus will display:

TOADiE v1.2 - Raid [SLAM]

When the first generation infection is executed (for example, if received via DCC on IRC, from an infected Pegasus Mail user, or from the initial Usenet posting), the virus will display one of the following five poems:



There once was a bud named B.C.
He grew on a 7 foot tree
Till one day I plucked him
Rolled him and smoked him
And now I can barely see!

Ladies and gentlemen, I stand before you to
stand behind you to tell you something I know
nothing about. Thursday, which is Good Friday,
we're having a Father's Day party for mothers only.
Admission is free, pay at the door, pull out a chair
and sit on the floor.

Late one night in the middle of the day, two dead
soldiers got up to fight. Back to back they faced
each other, pulled out their swords and shot one
another. A deaf policeman heard the noise, got up
and shot the twice dead boys. If you don't believe
me, ask the blind man who saw it all, through a
knothole in a wooden brick wall.

Question: If someone with multiple personalities tries
to commit suicide, do the police consider it a hostage
situation?

One bong hit, Two bong hit, Three bong hit, Floor.

Norton AntiVirus will detect this virus with the current virus definitions available through LiveUpdate.

by: Eric Chien
SARC, Europe
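
Since Termite.7800 prepends itself, an infected Windows program is a file that looks like a DOS executable at offset 0 but still carries the original PE image after the virus body. The following Python script is an added example, not Symantec's repair routine and not code from the newsletter: it detects that layout and carves out the embedded PE. The "virus" stub and the host image are constructed fixtures (a few bytes of DOS code standing in for the virus body), and the script assumes the infector leaves the original image unmodified, which is not something the newsletter states.

```python
import struct


def _pe_signature_at(data, mz_off):
    """True if the MZ header at mz_off has an e_lfanew that reaches "PE\\0\\0"."""
    if mz_off + 64 > len(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, mz_off + 60)
    pe = mz_off + e_lfanew
    return data[pe:pe + 4] == b"PE\0\0"


def is_dos_only(data):
    """A file that starts with MZ but whose e_lfanew does not reach a PE signature."""
    return data[:2] == b"MZ" and not _pe_signature_at(data, 0)


def find_prepended_host(data):
    """Offset of an embedded PE image after offset 0, or None.

    A prepending infector leaves the original Windows program intact after its
    own body, so a second MZ header whose e_lfanew reaches "PE\\0\\0" appears
    further into the file. Every "MZ" is tried, since the marker can also occur
    by chance inside the prepended code."""
    off = data.find(b"MZ", 1)
    while off != -1:
        if _pe_signature_at(data, off):
            return off
        off = data.find(b"MZ", off + 1)
    return None


def carve_host(data):
    """Return the embedded PE image when the file is a DOS-only stub followed by one;
    otherwise None (a clean PE and a genuine DOS program both yield None)."""
    if not is_dos_only(data):
        return None
    off = find_prepended_host(data)
    return None if off is None else data[off:]


def fake_pe(body):
    """Constructed fixture: minimal MZ header with e_lfanew = 64, then a PE signature."""
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + body


# Constructed DOS stub standing in for the prepended virus body (not real virus code):
# an MZ header with no PE pointer, followed by a DOS exit (mov ax,4C00h; int 21h).
DOS_STUB = b"MZ" + b"\x90" * 62 + b"\xB8\x00\x4C\xCD\x21" + b"\0" * 59

HOST = fake_pe(b"\xCC" * 300)      # the original Windows program
INFECTED = DOS_STUB + HOST         # what a prepending infector produces

if __name__ == "__main__":
    print("clean host carved:", carve_host(HOST))
    print("infected: host found at offset", find_prepended_host(INFECTED))
    print("carved image equals original:", carve_host(INFECTED) == HOST)
```

Carving only recovers the program if the virus copied it unchanged; the authoritative repair is the one performed by current definitions, and a carved image should be compared against a known clean copy before it is trusted.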
   
                   
         
Responses to last month's question

In last month's newsletter I asked for your opinion on a sensitive topic. The question was: "should the same or similar legal penalties apply to people writing plugins to malicious code as apply to the original authors?".

We received a lot of feedback, and 99% of respondents agreed that plugin writers should face similar penalties. It is worth pointing out that the majority of those who disagreed felt strongly that trojans like BO2K are comparable to commercially available, reputable remote control software.

A few quotes from both sides follow.

"If someone kicks open the door of my house and then runs away. He has committed a crime against me, ... If someone else comes along, sees my door wide open, walks in and robs me -- has he too not committed a crime..."

"... I think those who write plugins for malicious code should be subject to the same penalties. I'm not a lawyer, but the phrase 'aiding & abetting' comes to mind."

"I feel there should be extremely strong penalties (& enforcement) (years in jail) for anyone writing any form of malicious code... Unlike human viruses, computer viruses don't just happen. This activity is malicious, bullying & should be severely punished..."

"They [Cult of the Dead Cow] have not made anything illegal. They have simply made a piece of software that can be used to commit illegal activities."

"Anyone who writes code that is malicious in nature, or that enhances the destructive ability of malicious code... should suffer the same consequences as the original code writer!"


Many of you echoed the above thoughts. Simply put, you feel the plugin writers should be treated in the same way as the original authors; intent is the issue here, and they should be held accountable for their actions. It will be interesting to see whether this happens in the future.

by: David Banes
SARC, Asia Pacific.
   
                   
         
Contacts

Address all correspondence by email to: sarc.avnews@symantec.com or in writing to:

Symantec Corporation
AntiVirus Research Center
attn: AntiVirus News Update
2500 Broadway, Suite 200
Santa Monica, CA 90404, USA

Archives of these newsletters are available for reading on the SARC WWW site at:
http://www.symantec.com/avcenter/refa.html

Please send virus samples to avsubmit@symantec.com
   
                   
         
Subscribe and Unsubscribe

To be added to the subscription mailing list, please fill out the form available on the SARC website at: http://www.symantec.com/avcenter/newsletter.html

If you want to be removed from this mailing list, simply send an e-mail to

listserv@lserver.symantec.com

with the following on a line by itself in the body of the message:

SIGNOFF SARC-L

SARC AntiVirus News Update is published periodically by Symantec Corporation. Copyright © 1996-1999 Symantec Corporation. All rights reserved. No Reprint without Permission in writing, in advance.
   
       

 

All information contained in this newsletter is accurate and valid as of the date of issue.

SARC Virus Hotline
sarc.asia@symantec.com