rwp@cup.portal.com (Roger William Preisendefer) (12/24/89)
I recently have heard a nasty rumor concerning a possible Trojan Horse in the Norton Utilities. This trojan will erase your hard disk sometime around the end of December, while displaying some sort of message. The source for this rumor is Computing News, a newsletter from the US Naval Academy. Does anyone have any information confirming (or debunking) this? It is supposed to be in the commercial release, not some pirated version floating around the boards.
poffen@molehill (Russ Poffenberger) (12/26/89)
In article <25317@cup.portal.com> rwp@cup.portal.com (Roger William Preisendefer) writes:
>I recently have heard a nasty rumor concerning a possible Trojan Horse
>in the Norton Utilities. This trojan will erase your hard disk sometime
>around the end of December, while displaying some sort of message. The
>source for this rumor is Computing News, a newsletter from the US Naval
>Academy. Does anyone have any information confirming (or debunking) this?
>It is supposed to be in the commercial release, not some pirated version
>floating around the boards.

GOOD GOD! I hope not! Is there any info about which one? There is a standard and advanced edition. I have a recent copy of the advanced edition, no sign of a problem yet (12/25/89, yeah I know, nothing better to do on X-mas than read netnews). Maybe I better back up my disk just in case. Damn I wish I had gotten that tape backup for X-mas that I wanted, hate to do it to floppies.

Russ Poffenberger               DOMAIN: poffen@sj.ate.slb.com
Schlumberger Technologies       UUCP:   {uunet,decwrl,amdahl}!sjsca4!poffen
1601 Technology Drive           CIS:    72401,276
San Jose, Ca. 95110             (408)437-5254
baldwin@usna.MIL (J.D. Baldwin) (12/27/89)
In article <25317@cup.portal.com>, Roger William Preisendefer writes:
>I recently have heard a nasty rumor concerning a possible Trojan Horse
>in the Norton Utilities. This trojan will erase your hard disk sometime
>around the end of December, while displaying some sort of message. The
>source for this rumor is Computing News, a newsletter from the US Naval
>Academy. Does anyone have any information confirming (or debunking) this?

The source for the "Computing News" article was this department. We received a copy of a memorandum from the Department of Energy's CIAC (Computer Incident Advisory Committee) describing this trojan. I do not personally know anything about this supposed trojan, but do have a copy of that memorandum.

>It is supposed to be in the commercial release, not some pirated version
>floating around the boards.

Half right. The original memorandum (I have not seen the "Computing News" article) says, "According to information provided to CIAC, this trojan horse is not found in the version of Norton Utilities sold in commercial software outlets. It is only found in versions of Norton Utilities available from public sources (e.g., bulletin boards)." This and other parts of the memo imply that there is a PD version of Norton Utilities around somewhere. I was not aware of this. In any case, your pirated and commercial copies are supposedly safe.

If you use this PD version of Norton Utilities, check for the files NORTSHOT.EXE and NORTSHOT.ZIP. DO NOT EXECUTE THIS .EXE FILE! It will erase files with selected extensions if it determines the system date to be between 24 and 31 December. No information is provided about how widespread the trojan is or how much damage is anticipated.

There is some other stuff in the memo about what *exactly* to look for in your .EXE or .ZIP files--I do not intend to reproduce this entire memo here, unless there is a lot of interest.
If you have further questions or any information to contribute, the guy to call is:

Tom Longstaff, CIAC
Lawrence Livermore Nat'l Labs
PO Box 808, L-540
Livermore, CA 94550
415-423-4416 (VOX)
415-422-4294 (FAX)
e-mail: ciac@tiger.llnl.gov

--
From the catapult of:                |+| "If anyone disagrees with anything I
   _,    J. D. Baldwin, Comp Sci Dept |+| say, I am quite prepared not only to
 __||____:::)=}-  U.S. Naval Academy |+| retract it, but also to deny under
 \      / baldwin@cad.usna.navy.mil  |+| oath that I ever said it." --T. Lehrer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
edlee@chinet.chi.il.us (Edward Lee) (12/27/89)
Date: 10-17-89 (18:52) TECH Number: 6468 (Echo)
To: ALL
From: TONY MCNAMARA Read: 10-19-89 (06:13)
Subj: Trojan Horse

We at Peter Norton Computing would like to bring to your attention an unauthorized trojan horse named NortStop.ZIP or NortShot.ZIP (these files are the same). This file was NOT produced with the knowledge or permission of PNCI.

This file is not a virus (it does not infect files). Instead, it is a trojan horse (it must be run explicitly to cause any damage). When run, it lists the directory and claims the system is virus-free. Between December 24th and December 31st, however, it will erase files in several directories based on their extensions.

These files can be recognized by their sizes (NortStop.ZIP is 31744 bytes, NortStop.EXE is 38907 bytes), or by doing a text search for the strings "NORTSHOT.EXE" in the ZIP, "Norton Public" in the EXE.

If you find or hear of these files, please contact us immediately through Tony McNamara, 213/319-2076 (voice), TMCNAMARA 381-9188 (MCI), or CompuServe (72477,2504).

Again, these files are in no way associated with PNCI. Please help us track down and eliminate these files.

Thank you,
Peter Norton

---
 * QNet 1.04a1: InterLink: MicroSellar BBS ~ Verona ~ NJ ~ (201)239-1346

Msg#:32850 *Cedar Rapids* 10/27/89 17:30:17 (Read 26 Times)
From: ROB RICHTER
To: ALL
Subj: TROJAN HORSE WARNING!

ATTENTION! ATTENTION! ATTENTION!
================================
Trojan Update:
NORTSTOP.ZIP
NORTSHOT.ZIP
================================

The above files claim to be a product of Peter Norton Computing Inc. The sparse documentation claims that the program is a virus checker from Norton, and the EXE files contained in the ZIP files read:

    The Norton Public Domain Virus Utility, PD Edition 5.50, (C)1989 Peter Norton

When the program is run, it has the following announcement:

    " Your System has been infected with a Christmas virus!
    Selected files were just eliminated!
    Without these files, you might as well use your computer as a damn, boat anchor!
    If you do NOT own a boat, you may want to replace the files which were just erased.
    Try to determine which files they were.
    HARDY HA! HA! HA!
    HOW DO YOU FEEL NOW; YOU IDIOT?
    MERRY CHRISTMAS AND HAPPY NEW YEAR!"

Peter Norton has released a statement that these files are NOT a product of Norton Computing, but are cheap trojans that will delete files on your hard drive if you run it. The program is designed to do damage between the dates of December 24th and December 31st, and will delete certain files based on extension and directory. The program does not seem to install a virus, and checks clear with the latest virus scanners.

PKUNZIP reports the following information on the ZIP files:

     1065  Implode    650  39%  10-04-89  12:26  9778978d --w  READ-ME.NOW
    38907  Implode  30156  23%  10-02-89  11:57  c333dec0 --w  NORTSHOT.EXE
    -----          ------  ---                                 -------
    39972           30806  23%                                       2

The files are easily identified by name and length. If the EXE files are examined, they will show "Norton Public". If the ZIP files are inspected, they will contain "NORTSHOT.EXE". NORTSTOP.ZIP is 31744 bytes, and NOTSTOP.EXE is 38907 bytes.

Norton Computing is asking that all versions of these files be removed from distribution. Persons with any information regarding these files should contact Peter Norton Computing Inc:

Tony McNamara
(213) 319-2076 (voice)
TMCNAMARA 381-9811 (MCI)
72477,2504 (CompuServe)
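
The identification advice in the two advisories above (file names, lengths, marker strings and the CRC shown in the PKUNZIP listing) can be turned into a small directory sweep. This is an added example, not part of the original thread or of any Norton or CIAC tool; the function names and the use of Python are choices made here.

```python
import os
import zlib

# Indicators quoted in the advisories above (sizes in bytes, CRC from the PKUNZIP listing).
KNOWN_NAMES = {"NORTSHOT.ZIP", "NORTSTOP.ZIP", "NORTSHOT.EXE", "NORTSTOP.EXE"}
KNOWN_SIZES = {".ZIP": 31744, ".EXE": 38907}
MARKERS = {".ZIP": b"NORTSHOT.EXE", ".EXE": b"Norton Public"}
EXE_CRC32 = 0xC333DEC0


def check_file(path):
    """Return the list of indicators that match `path` (empty list = no match)."""
    name = os.path.basename(path).upper()
    ext = os.path.splitext(name)[1]
    if ext not in MARKERS:
        return []
    hits = []
    if name in KNOWN_NAMES:
        hits.append("name")
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) == KNOWN_SIZES[ext]:
        hits.append("size")
    # ZIP member names are stored uncompressed, so a raw byte search finds them.
    if MARKERS[ext] in data:
        hits.append("string")
    if ext == ".EXE" and zlib.crc32(data) & 0xFFFFFFFF == EXE_CRC32:
        hits.append("crc32")
    return hits


def scan(root):
    """Walk `root` and map each suspicious path to its matched indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                hits = check_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    import sys
    for path, hits in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{path}: matched {', '.join(hits)}")
```

A lone "size" match is weak evidence; a renamed copy still matches on "string", and an unmodified NORTSHOT.EXE matches on "crc32" as well.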
fredex@cg-atla.UUCP (Fred Smith) (12/27/89)
In article <1989Dec25.194207.22573@sj.ate.slb.com> poffen@sj.ate.slb.com (Russ Poffenberger) writes:
>In article <25317@cup.portal.com> rwp@cup.portal.com (Roger William Preisendefer) writes:
>>I recently have heard a nasty rumor concerning a possible Trojan Horse
>>in the Norton Utilities. This trojan will erase your hard disk sometime
>>around the end of December, while displaying some sort of message. The
>>source for this rumor is Computing News, a newsletter from the US Naval
>>Academy. Does anyone have any information confirming (or debunking) this?
>>It is supposed to be in the commercial release, not some pirated version
>>floating around the boards.
>
>GOOD GOD! I hope not!

I think what Roger is writing about is the program named NORTSTOP, which was written about here a month or so ago. I just looked to see if I still had the article in question, but I have deleted it in the interim.

Nortstop was a program which purported to be from Norton Computing and supposedly performed some useful function (sorry, I don't remember the details) but which instead would trash your hard disk, or some such unfriendly behavior.

I don't think it is worthwhile to spread further rumors about a trojan from Norton, as it was pretty clear that this thing was NOT from Norton!

Fred Smith
uunet!samsung!cg-atla!fredex