Msg # 109
Date: 15 May 91 03:34:19
From: Christopher Baker
To: All
Subj: Trojan Warning!!
____________________________________________________________________________
the following is a verbatim capture direct from the McAfee BBS. pass this to
all boards:
Msg#: 2645 *viru*
05-14-91 10:44:50
From: ARYEH GORETSKY
To: ALL
Subj: VIRUSCAN TROJAN WARNING
Organization: McAfee Associates
TROJAN VERSION OF VIRUSCAN VERSION 78
We have received a trojan horse version of VIRUSCAN. The hacked SCAN has
apparently been uploaded to BBSes in Michigan, USA under the filename
SCANV78.ZIP. Running PKZIP -V on the file reveals:
.PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
.Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
.PKUNZIP Reg. U.S. Pat. and Tm. Off.
.
.Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
.
. Length Method Size Ratio Date Time CRC-32 Attr Name
. ------ ------ ----- ----- ---- ---- ------ ---- ----
. 12816 Implode 5255 59% 04-08-91 14:28 08a87ed8 --w AGENTS.TXT
. 9406 Stored 9406 0% 02-03-91 17:04 42cf9931 --w REGISTER.DOC
. 23008 Implode 12550 46% 05-06-91 18:15 f9735dd5 --w SCAN.EXE
. 6495 Implode 1895 71% 10-31-89 16:16 0449b09d --w VALIDATE.COM
. 3626 Implode 1802 51% 11-29-90 01:59 ab76470f --w README.1ST
. 21257 Implode 5767 73% 05-06-91 19:35 a0728a17 --w VIRLIST.TXT
. 2844 Implode 1406 51% 02-14-91 14:25 aa330b57 --w VALIDATE.DOC
. 24515 Implode 9188 63% 05-06-91 19:34 172a967f --w SCAN78.DOC
. ------ ------ --- -------
. 103967 47269 55% 8
The number listed for the Fantasia BBS is NOT a BBS number and has no
connection with the trojan horse. I have called the phone number and asked
the party at the other end to contact me.
Running PKUNZIP on the file reveals the following:
.PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
.Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
.PKUNZIP Reg. U.S. Pat. and Tm. Off.
.
.Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
. Exploding: AGENTS.TXT -AV
. Extracting: REGISTER.DOC -AV
. Exploding: SCAN.EXE -AV
. Exploding: VALIDATE.COM -AV
. Exploding: README.1ST -AV
. Exploding: VIRLIST.TXT -AV
. Exploding: VALIDATE.DOC -AV
. Exploding: SCAN78.DOC -AV
.
. Authentic files Verified! # TJB859 Zip Source: McAFEE ASSOCIATES
While the Authentic Files Verified Message appears, the Serial Number is NOT
correct. McAfee Associates' Serial Number is NWM405.
Examination of the AGENTS.TXT, README.1ST, VALIDATE.*, and VIRLIST.TXT files
revealed that these are straight from VIRUSCAN Version 77--the version number
in the VIRLIST.TXT file was still V77.
The SCAN78.DOC file had been modified so that all occurrences of V77 were
switched to V78. Additionally, the following text was added for the
validation data:
. The validation results for Version 77 should be:
.
. FILE NAME: SCAN.EXE
. SIZE: 23,008
. DATE: 05-06-1991
. FILE AUTHENTICATION
. Check Method 1: 2C21
. Check Method 2: 022E
.
For the What's New section, the following text was added:
. WHAT'S NEW
. Version 78 of SCAN removes a few small bugs and continues
. to optimize the procedures SCAN uses to find viruses, as in Version 77,
. as well as adding a few more to the list of known viruses. SCAN is now
. much more compressed than was previously thought possible, so please enjoy
. the shortened file size, it should still work just fine.
. Refer to the enclosed VIRLIST.TXT file for a schematic
. description of the new viruses. For a complete description, please
. refer to Patricia Hoffman's VSUM document.
.
Examination of the SCAN.EXE file has shown that it contains the help message
that VIRUSCAN displays as well as the program information message. However,
the program does not contain any of the other messages that VIRUSCAN has in
it.
The REGISTER.DOC file distributed with the trojan version of VIRUSCAN is not
a text file, but rather another .ZIP file containing a file named TB1.COM:
. PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
. Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
. PKUNZIP Reg. U.S. Pat. and Tm. Off.
.
. Searching ZIP: REGISTER.DOC
. Extracting: TB1.COM -AV
.
. Authentic files Verified! # TJB859 Zip Source: McAFEE ASSOCIATES
.
When unZIPped, the REGISTER.DOC file displays the same Authentic Files
Verified Message as the SCANV78.ZIP file did. Examination of the
TB1.COM file revealed that it contains the Whale virus.
This is all I currently know about the SCANV78.ZIP trojan. If you see any
copies of this file, please ask the system administrator or sysop to remove
it and ask them to contact the uploader to warn them that it contains a
virus.
Aryeh Goretsky McAfee Associates Technical Support
--------------------------------------------------------------------
aryeh@tacom-emh1.army.mil
\\\\\\\\\\\\\\\\\\\\\\\//////////////////////////
needless to say if this turns up on your system, DON'T open it and DON'T use
it or pass it on. advise McAfee where and when you got it.
TTFN.
Chris
--- D'Bridge B1046/00R
* Origin: Rights On! - Sysops of 374, Unite! - Titusville_FL_USA (1:374/14)
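Added example, not part of the original messages: a Python sketch of the two checks the advisory relies on, comparing the -AV serial in PKUNZIP output against the genuine one it gives (NWM405) and flagging text-named members that are really ZIP archives, as REGISTER.DOC was. The function names, the list of text extensions and the harmless sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Serial the advisory gives as McAfee Associates' genuine PKZIP -AV serial.
EXPECTED_AV_SERIAL = "NWM405"
AV_LINE = re.compile(r"Authentic files Verified!\s+#\s*(\w+)")
TEXT_EXTENSIONS = (".DOC", ".TXT", ".1ST")  # assumed list of text-like names
ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header signature


def av_serial_mismatch(pkunzip_output, expected=EXPECTED_AV_SERIAL):
    """Return -AV serials in PKUNZIP output that differ from the expected one."""
    return [s for s in AV_LINE.findall(pkunzip_output) if s != expected]


def disguised_archives(zip_bytes):
    """Return names of text-named members whose content is itself a ZIP."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.upper().endswith(TEXT_EXTENSIONS):
                continue
            with zf.open(info) as member:
                if member.read(4) == ZIP_MAGIC:
                    hits.append(info.filename)
    return hits


def build_sample():
    """Constructed sample: harmless archive mimicking the layout described."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("TB1.COM", b"placeholder bytes, not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.1ST", "plain text readme\n")
        zf.writestr("REGISTER.DOC", inner.getvalue(), zipfile.ZIP_STORED)
    return outer.getvalue()


# Line taken from the PKUNZIP output quoted in the advisory.
SAMPLE_OUTPUT = "Authentic files Verified! # TJB859 Zip Source: McAFEE ASSOCIATES"

if __name__ == "__main__":
    print("unexpected -AV serials:", av_serial_mismatch(SAMPLE_OUTPUT))
    print("text-named ZIP members:", disguised_archives(build_sample()))
```

The presence of the "Authentic files Verified!" line proves nothing by itself, since the trojan archive displayed it too; only the serial comparison is meaningful.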