Message: 3126643, 113 lines Posted: 5:47pm PDT, Mon May 13/91, imported: 7:46pm PDT, Mon May 13/91 Subject: Trojan version of VIRUSCAN version 78 To: userID=NHD0 From: aryehg%darkside.com@APPLE.COM TROJAN VERSION OF VIRUSCAN VERSION 78 We have received a trojan horse version of VIRUSCAN. The hacked SCAN has apparently been uploaded to BBSes in Michigan, USA under the filename SCANV78.ZIP. Running PKZIP -V on the file reveals: .PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90 .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help .PKUNZIP Reg. U.S. Pat. and Tm. Off. . .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882 . . Length Method Size Ratio Date Time CRC-32 Attr Name . ------ ------ ----- ----- ---- ---- ------ ---- ---- . 12816 Implode 5255 59% 04-08-91 14:28 08a87ed8 --w AGENTS.TXT . 9406 Stored 9406 0% 02-03-91 17:04 42cf9931 --w REGISTER.DOC . 23008 Implode 12550 46% 05-06-91 18:15 f9735dd5 --w SCAN.EXE . 6495 Implode 1895 71% 10-31-89 16:16 0449b09d --w VALIDATE.COM . 3626 Implode 1802 51% 11-29-90 01:59 ab76470f --w README.1ST . 21257 Implode 5767 73% 05-06-91 19:35 a0728a17 --w VIRLIST.TXT . 2844 Implode 1406 51% 02-14-91 14:25 aa330b57 --w VALIDATE.DOC . 24515 Implode 9188 63% 05-06-91 19:34 172a967f --w SCAN78.DOC . ------ ------ --- ------- . 103967 47269 55% 8 The number listed for the Fantasia BBS is NOT a BBS number and has no connection with the trojan horse. I have called the phone number and asked the party at the other end to contact me. Running PKUNZIP on the file reveals the following: .PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90 .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help .PKUNZIP Reg. U.S. Pat. and Tm. Off. . .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882 . Exploding: AGENTS.TXT -AV . Extracting: REGISTER.DOC -AV . Exploding: SCAN.EXE -AV . Exploding: VALIDATE.COM -AV . Exploding: README.1ST -AV . Exploding: VIRLIST.TXT -AV . Exploding: VALIDATE.DOC -AV . Exploding: SCAN78.DOC -AV . . Authentic files Verified! # TJB859 Zip Source: McAFEE ASSOCIATES While the Authentic Files Verified Message appears, the Serial Number is NOT correct. McAfee Associate's Serial Number is NWM405. Examination of the AGENTS.TXT, README.1ST, VALIDATE.*, and VIRLIST.TXT files revealed that these are straight from VIRUSCAN Version 77--the version number in the VIRLIST.TXT file was still V77. The SCAN78.DOC file had been modified so that all occurrences of V77 were switched to V78. Additionally, the following text was added for the validation data: . The validation results for Version 77 should be: . . FILE NAME: SCAN.EXE . SIZE: 23,008 . DATE: 05-06-1991 . FILE AUTHENTICATION . Check Method 1: 2C21 . Check Method 2: 022E . For the What's New section, the following text was added: . WHAT'S NEW . Version 78 of SCAN removes a few small bugs and continues . to optimize the procedures SCAN uses to find viruses, as in Version 77, . as well as adding a few more to the list of known viruses. SCAN is now -much . more compressed than was previously thought possible, so please enjoy the . shortened file size, it should still work just fine. . Refer to the enclosed VIRLIST.TXT file for a schematic . description of the new viruses. For a complete description, please . refer to Patricia Hoffman's VSUM document. . Examination of the SCAN.EXE file has show that it contains the help message that VIRUSCAN displays as well as the program information message. However, the program does not contain any of the other messages that VIRUSCAN has in it. The REGISTER.DOC file distributed with the trojan version of VIRUSCAN is not a text file, but rather another .ZIP file containing a file named TB1.COM: . PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90 . Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help . PKUNZIP Reg. U.S. Pat. and Tm. Off. . . Searching ZIP: REGISTER.DOC . Extracting: TB1.COM -AV . . Authentic files Verified! # TJB859 Zip Source: McAFEE ASSOCIATES . When unZIPped, the REGISTER.DOC file displays the same Authentic Files Verified Message as the SCANV78.ZIP file did. Examination of the of the TB1.COM file revealed that it contains the Whale virus. This is all I currently know about the SCANV78.ZIP trojan. If you see any copies of this file, please ask the system administrator or sysop to remove it and ask them to contact the uploader to warn them that it contains a virus. Aryeh Goretsky McAfee Associates Technical Support - - - aryehg@tacom-emh1.army.mil K6L6M6N6O6P6Q6R6S6T6V6W6Y6Z6[6\6]6^6_6`6a6b6c6d6e6g6h6i6k6l6m6n6o6p6q6r6s6t6x6y6z6{666666666666666666666666 Infected files can be easily identified as the text string "Eddie Lives." appears near the end of the infected file. These files will also be 651 bytes longer than expected when the virus is not present in memory. A side effect of the V651 virus is that lost clusters may occur on infected systems if the CHKDSK /F command is used. While this does not occur for all infected files, the number of errors reported by CHKDSK will be much higher stat