Monster Media 1993 #2 / Image.iso / text / hack9308.zip / FILETSTS.ZIP / SCANV103.RES
Text File | 1993-05-09 | 5KB | 127 lines
=========================================================================
                                   ||
From the files of The Hack Squad:  ||  by Lee Jackson, Moderator, FidoNet
                                   ||  Int'l Echos SHAREWRE & WARNINGS
The Hack Report                    ||  Volume 2, Number 5
File Test Results                  ||  Result Report Date: April 22, 1993
                                   ||
=========================================================================
*************************************************************************
* *
* The following test was performed by and the results are courtesy *
* of Jeff White and Bill Logan of the Pueblo Group in Tucson, *
* Arizona. Their assistance is greatly appreciated. *
* *
*************************************************************************
Date: 04-22-1993
Time: 20:35
The Pueblo Group received the following file(s) for possible Virus/Trojan
Testing:
Suspected File: SCANV103.ARJ
Validation Results:
===================
File Name: SCANV103.ARJ
File Size: 222,276
File Date: 4-8-1993
Check Method1: - 314F
Check Method2: - 1188
Contained within the SCANV103.ARJ archive:
File Name: README.1ST
File Size: 1,684
File Date: 4-8-1993
Check Method1: - 488E
Check Method2: - 0927
File Name: SCANV103.CMX
File Size: 188,562
File Date: 4-7-1993
Check Method1: - BE66
Check Method2: - IE74
File Name: INSTSCAN.COM
File Size: 2,532
File Date: 4-7-1993
Check Method1: - 989E
Check Method2: - 00FF
File Name: VALIDATE.DAT
File Size: 28,959
File Date: 2-1-1993
Check Method1: - 4BC3
Check Method2: - 1718
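The validation block above is only useful if a recipient actually compares it against what arrives on their own machine. The script below is an added example, not part of the original report or of McAfee's VALIDATE tool: it parses the report's own "File Name / File Size / File Date / Check Method" layout into records, then compares them with an inventory of a locally extracted copy. The OBSERVED inventory is constructed for the demo (one size deliberately differs, one file is not in the report); the two Check Method algorithms are not reimplemented, so check values are compared as opaque strings and only validated for form, which is enough to catch a transcription error such as "IE74" (not a hex value).

```python
"""Parse a Hack Report 'Validation Results' block and check it against an
inventory of a locally extracted copy of the archive.

Added example, not part of the original report. REPORT_TEXT is copied from
the report; OBSERVED is constructed for the demo. Check values are treated
as opaque 4-hex-digit strings because the Check Method algorithms are not
reimplemented here.
"""
import re

REPORT_TEXT = """\
File Name: README.1ST
File Size: 1,684
File Date: 4-8-1993
Check Method1: - 488E
Check Method2: - 0927
File Name: SCANV103.CMX
File Size: 188,562
File Date: 4-7-1993
Check Method1: - BE66
Check Method2: - IE74
File Name: INSTSCAN.COM
File Size: 2,532
File Date: 4-7-1993
Check Method1: - 989E
Check Method2: - 00FF
File Name: VALIDATE.DAT
File Size: 28,959
File Date: 2-1-1993
Check Method1: - 4BC3
Check Method2: - 1718
"""

# Constructed inventory of a local copy: INSTSCAN.COM has a different size
# and EXTRA.COM is not listed in the report at all.
OBSERVED = {
    "README.1ST":   {"size": 1684,   "check1": "488E", "check2": "0927"},
    "SCANV103.CMX": {"size": 188562, "check1": "BE66", "check2": "1E74"},
    "INSTSCAN.COM": {"size": 2600,   "check1": "989E", "check2": "00FF"},
    "VALIDATE.DAT": {"size": 28959,  "check1": "4BC3", "check2": "1718"},
    "EXTRA.COM":    {"size": 512,    "check1": "0000", "check2": "0000"},
}

# Accepts both "Check Method1: - 488E" and the "Check Method1 - 314F" variant.
FIELD = re.compile(r"^(File Name|File Size|File Date|Check Method[12])\s*:?\s*-?\s*(\S.*)$")
HEX4 = re.compile(r"^[0-9A-F]{4}$")


def parse_report(text):
    """Return {FILE_NAME: {'size', 'date', 'check1', 'check2'}} from a report block."""
    records = {}
    current = None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "File Name":
            current = records.setdefault(value.upper(), {})
        elif current is None:
            continue  # a field that precedes any File Name line is ignored
        elif key == "File Size":
            current["size"] = int(value.replace(",", ""))
        elif key == "File Date":
            current["date"] = value
        else:
            current["check" + key[-1]] = value.upper()
    return records


def compare(report, observed):
    """Return sorted (file, finding) tuples for every discrepancy found."""
    findings = []
    for name, rec in report.items():
        well_formed = {f: bool(HEX4.match(rec.get(f, ""))) for f in ("check1", "check2")}
        for field, ok in well_formed.items():
            if not ok:
                findings.append((name, f"{field} value {rec.get(field)!r} is not 4 hex digits (transcription error?)"))
        obs = observed.get(name)
        if obs is None:
            findings.append((name, "listed in report but missing from archive"))
            continue
        if obs["size"] != rec.get("size"):
            findings.append((name, f"size mismatch: report {rec.get('size')} vs archive {obs['size']}"))
        for field, ok in well_formed.items():
            if ok and obs[field].upper() != rec[field]:
                findings.append((name, f"{field} mismatch: report {rec[field]} vs archive {obs[field]}"))
    for name in observed:
        if name not in report:
            findings.append((name, "present in archive but not in report"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in compare(parse_report(REPORT_TEXT), OBSERVED):
        print(f"{name:14} {finding}")
```

Run against the constructed inventory this reports three findings: the extra file, the size mismatch on INSTSCAN.COM, and the malformed "IE74" check value. A malformed value is flagged rather than silently compared, because a report copied by hand is exactly where a transcription slip hides.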
Overview:
===========
Upon close examination this file proved to be a compiled and PKLITEd batch
file. The author has used simple delete routines and a third-party program
to accomplish their trojan activity. This is standard procedure among Trojan
writers, as it does not involve a working knowledge of ASM.
This file contains nothing really new nor special.
Trojan Structure:
==================
The program professes to be Scan from McAfee Associates and includes an
installation program, which according to the doc is a new method from McAfee
to thwart the growing Trojan activity. The installation program, File Name:
INSTSCAN.COM, is the compiled batch file. It calls the file VALIDATE.DAT,
which is actually a renamed PKUNZIP 2.04g, and renames it to "GETREADY.EXE".
PKUNZIP is then run against SCANV103.CMX, using a password, and extracts the file
Language.Doc, renames it to "BYEBYEHD.COM", and copies it to the root
directory. BYEBYEHD.COM is actually "NUKE.COM", a third-party directory and
subdirectory kill utility.
The program then searches for and deletes the following directories:
C:\DOS (Default Operating System Directory)
C:\ARCHIEVES (Assumed Archiver Directory)
C:\FD (Front Door Directory)
C:\RA (Remote Access Directory)
C:\SF (SpitFire Directory)
C:\WP (Word Perfect Directory)
C:\PCTOOLS (Default PCTools Directory)
C:\WINDOWS (Default Windows Directory)
The screen will display a status report of what it is SUPPOSED to be doing.
As it kills each directory it displays that it is decompressing a file from
SCANV103.CMX, then echoes the number of bytes the file is supposed to contain
and the comment:
---done!.
At the completion of the Trojan it echoes:
DONE, and your HD is GONE! Hope you have a backup!
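The chain described in this section (a data file renamed into an executable, a password-protected extraction, a directory-removal tool pointed at well-known directories, and progress messages that do not match the real activity) is easy to recognise once the batch text has been recovered. The script below is an added example, not part of the original report, and flags each of those steps. SAMPLE_BATCH is constructed for the demo to follow the report's description; the password after the -s switch, the byte count in the echo line and the severity labels are placeholders chosen here; the directory list is the one the report gives.

```python
"""Static triage of a batch script recovered from a suspected trojan.

Added example, not part of the original report. SAMPLE_BATCH, the -s switch
value, the byte count in the echo line and the severity labels are
constructed for the demo. PROTECTED_DIRS is the list from the report.
"""
import re

PROTECTED_DIRS = {r"C:\DOS", r"C:\ARCHIEVES", r"C:\FD", r"C:\RA",
                  r"C:\SF", r"C:\WP", r"C:\PCTOOLS", r"C:\WINDOWS"}
DATA_EXT = {".DAT", ".DOC", ".TXT", ".RES", ".CMX"}   # extensions nobody should execute
EXEC_EXT = {".COM", ".EXE", ".BAT"}
DESTRUCTIVE = {"DEL", "ERASE", "DELTREE", "RD", "RMDIR", "FORMAT"}
PROGRESS_WORDS = re.compile(r"DECOMPRESS|BYTES|DONE")
SEVERITY_RANK = {"info": 0, "high": 1, "critical": 2}

# Constructed batch text following the structure the report describes.
SAMPLE_BATCH = """\
@echo off
ren VALIDATE.DAT GETREADY.EXE
GETREADY -sPLACEHOLDER SCANV103.CMX LANGUAGE.DOC
ren LANGUAGE.DOC BYEBYEHD.COM
copy BYEBYEHD.COM C:\\
echo Decompressing SCAN.EXE from SCANV103.CMX
C:\\BYEBYEHD C:\\DOS
echo 99,999 bytes ---done!
C:\\BYEBYEHD C:\\WINDOWS
echo DONE, and your HD is GONE! Hope you have a backup!
"""


def _base(name):
    return name.rsplit("\\", 1)[-1]


def stem(name):
    """'C:\\BYEBYEHD.COM' -> 'BYEBYEHD' (drive/path and extension removed)."""
    return _base(name).rsplit(".", 1)[0]


def ext(name):
    base = _base(name)
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def triage_batch(text):
    """Return (line_no, severity, message) findings for one batch script."""
    findings = []
    derived = set()  # stems of executables that were produced by renaming data files
    for lineno, raw in enumerate(text.splitlines(), 1):
        toks = raw.strip().split()
        if not toks:
            continue
        cmd = toks[0].upper().lstrip("@")
        args = [t.upper() for t in toks[1:]]
        if cmd in ("REM", "::"):
            continue
        if cmd == "ECHO":
            if PROGRESS_WORDS.search(" ".join(args)):
                findings.append((lineno, "info", "progress-style message; confirm it reflects real activity"))
            continue
        if cmd in ("REN", "RENAME") and len(args) == 2:
            if ext(args[0]) in DATA_EXT and ext(args[1]) in EXEC_EXT:
                derived.add(stem(args[1]))
                findings.append((lineno, "high", f"data file {args[0]} renamed to executable {args[1]}"))
            continue
        if cmd in DESTRUCTIVE or stem(cmd) in derived:
            for target in (a for a in args if a in PROTECTED_DIRS):
                findings.append((lineno, "critical", f"{cmd} run against {target}"))
            if stem(cmd) in derived and any(a.startswith("-S") for a in args):
                findings.append((lineno, "high", f"{cmd} (renamed tool) run with a password switch"))
    return findings


def overall_risk(findings):
    """Highest severity seen, or 'clean' when nothing was flagged."""
    return max((f[1] for f in findings), key=SEVERITY_RANK.__getitem__, default="clean")


if __name__ == "__main__":
    result = triage_batch(SAMPLE_BATCH)
    for lineno, severity, message in result:
        print(f"line {lineno:2} [{severity:8}] {message}")
    print("overall:", overall_risk(result))
```

The stateful part matters: a program named GETREADY or BYEBYEHD means nothing on its own, so the scanner remembers which executables came from renamed data files and only then treats their later invocations as suspect. That is the same reasoning the report applies by hand when it identifies VALIDATE.DAT as a renamed PKUNZIP.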
Closing:
========
As I stated, this is not a new concept. Trojan programs are simple, and a
high level language (ASM) is not required for a person to put one together.
A basic knowledge of DOS and three commands, ECHO, DELETE and CHANGE
DIRECTORY, will accomplish whatever they intend to do. What disturbs me is
the fact that this originated in Tucson.
McAfee Associates were notified and they have skipped release number 103.
Bill Logan
AntiVirus/Data Security
Consultant
Licensed Agents for McAfee Associates            The Pueblo Group
Licensed Agents for Integrity Master             AntiViral - Data Security
Arizona Agents for PC-SENTRY-Security Sftwre     (602) 321-2075
Member: NCSA (US)                                Tucson, AZ USA
[FidoNet: 1:300/22] [InterNet: blogan@solitud.fidonet.org]