[comp.virus] Trojan version of VIRUSCAN version 78

aryehg%darkside.com@apple.com (Aryeh Goretsky) (05/14/91)

TROJAN VERSION OF VIRUSCAN VERSION 78

We have received a trojan horse version of VIRUSCAN.  The hacked SCAN
has apparently been uploaded to BBSes in Michigan, USA under the
filename SCANV78.ZIP.  Running PKZIP -V on the file reveals:

 .PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
 .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
 .PKUNZIP Reg. U.S. Pat. and Tm. Off.
 .
 .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
 .
 . Length  Method   Size  Ratio   Date    Time   CRC-32  Attr  Name
 . ------  ------   ----- -----   ----    ----   ------  ----  ----
 .  12816  Implode   5255  59%  04-08-91  14:28  08a87ed8 --w  AGENTS.TXT
 .   9406  Stored    9406   0%  02-03-91  17:04  42cf9931 --w  REGISTER.DOC
 .  23008  Implode  12550  46%  05-06-91  18:15  f9735dd5 --w  SCAN.EXE
 .   6495  Implode   1895  71%  10-31-89  16:16  0449b09d --w  VALIDATE.COM
 .   3626  Implode   1802  51%  11-29-90  01:59  ab76470f --w  README.1ST
 .  21257  Implode   5767  73%  05-06-91  19:35  a0728a17 --w  VIRLIST.TXT
 .   2844  Implode   1406  51%  02-14-91  14:25  aa330b57 --w  VALIDATE.DOC
 .  24515  Implode   9188  63%  05-06-91  19:34  172a967f --w  SCAN78.DOC
 . ------          ------  ---                                 -------
 . 103967           47269  55%                                       8

The number listed for the Fantasia BBS is NOT a BBS number and has no
connection with the trojan horse.  I have called the phone number and
asked the party at the other end to contact me.

Running PKUNZIP on the file reveals the following:

 .PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
 .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
 .PKUNZIP Reg. U.S. Pat. and Tm. Off.
 .
 .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
 .  Exploding: AGENTS.TXT    -AV
 . Extracting: REGISTER.DOC  -AV
 .  Exploding: SCAN.EXE      -AV
 .  Exploding: VALIDATE.COM  -AV
 .  Exploding: README.1ST    -AV
 .  Exploding: VIRLIST.TXT   -AV
 .  Exploding: VALIDATE.DOC  -AV
 .  Exploding: SCAN78.DOC    -AV
 .
 . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES

While the Authentic Files Verified message appears, the serial number is
NOT correct.  McAfee Associates' serial number is NWM405.

Examination of the AGENTS.TXT, README.1ST, VALIDATE.*, and VIRLIST.TXT
files revealed that these are straight from VIRUSCAN Version 77--the
version number in the VIRLIST.TXT file was still V77.

The SCAN78.DOC file had been modified so that all occurrences of V77
were switched to V78.  Additionally, the following text was added for
the validation data:

 .     The validation results for Version 77 should be:
 .
 .              FILE NAME: SCAN.EXE
 .                   SIZE: 23,008
 .                   DATE: 05-06-1991
 .    FILE AUTHENTICATION
 .         Check Method 1: 2C21
 .         Check Method 2: 022E
 .

For the What's New section, the following text was added:

 . WHAT'S NEW
 .         Version 78 of SCAN removes a few small bugs and continues
 . to optimize the procedures SCAN uses to find viruses, as in Version 77,
 . as well as adding a few more to the list of known viruses. SCAN is now much
 . more compressed than was previously thought possible, so please enjoy the
 . shortened file size, it should still work just fine.
 .    Refer to the enclosed VIRLIST.TXT file for a schematic
 . description of the new viruses.  For a complete description, please
 . refer to Patricia Hoffman's VSUM document.
 .

Examination of the SCAN.EXE file has shown that it contains the help
message that VIRUSCAN displays as well as the program information
message.  However, the program does not contain any of the other
messages that VIRUSCAN has in it.

The REGISTER.DOC file distributed with the trojan version of VIRUSCAN is
not a text file, but rather another .ZIP file containing a file named
TB1.COM:

 . PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
 . Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
 . PKUNZIP Reg. U.S. Pat. and Tm. Off.
 .
 . Searching ZIP: REGISTER.DOC
 .  Extracting: TB1.COM       -AV
 .
 . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES
 .

When unZIPped, the REGISTER.DOC file displays the same Authentic Files
Verified message as the SCANV78.ZIP file did.  Examination of the
TB1.COM file revealed that it contains the Whale virus.

This is all I currently know about the SCANV78.ZIP trojan.  If you see
any copies of this file, please ask the system administrator or sysop to
remove it and ask them to contact the uploader to warn them that it
contains a virus.

Aryeh Goretsky
McAfee Associates Technical Support
- - - -
aryehg@tacom-emh1.army.mil
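The checks the post describes, as an added example that is not part of the original comp.virus posting or of McAfee's own tools: audit a ZIP by content rather than by file name or banner, recurse into any member that is really a nested archive (the REGISTER.DOC trick), and compare each member's size and CRC-32 against a manifest obtained out of band rather than against the validation data printed inside the package's own .DOC, which the trojan's author had edited. The archive built here only mimics the SCANV78.ZIP layout; every byte, size and CRC in it is constructed for illustration and is not the real trojan's, and the "genuine" files and trusted manifest are hypothetical stand-ins.

```python
import io
import zipfile
import zlib

ZIP_MAGIC = b"PK\x03\x04"          # ZIP local file header signature

# Constructed stand-ins for the genuine release; the real contents and
# CRCs of VIRUSCAN V78 are not known from the post.
GENUINE_FILES = {
    "SCAN.EXE":     b"MZ" + b"\x90" * 200 + b"VIRUSCAN V78 scanner body (stand-in)",
    "VIRLIST.TXT":  b"VIRLIST.TXT for VIRUSCAN V78 (stand-in)\n",
    "REGISTER.DOC": b"Registration form for VIRUSCAN (stand-in text)\n",
}


def trusted_manifest(files=GENUINE_FILES):
    """name -> (size, crc32), as it would be obtained out of band (for example
    from the vendor's own BBS), never from a document inside the package."""
    return {n: (len(d), zlib.crc32(d) & 0xFFFFFFFF) for n, d in files.items()}


def _zip_of(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_genuine_archive():
    return _zip_of(GENUINE_FILES)


def build_trojan_archive():
    """Mimics the layout from the post: a replaced SCAN.EXE, a VIRLIST.TXT
    still carrying the V77 text, and a REGISTER.DOC that is really a ZIP
    holding TB1.COM.  TB1.COM here is an inert placeholder, not the virus."""
    inner = _zip_of({"TB1.COM": b"\xc3" + b"inert placeholder (constructed)"})
    return _zip_of({
        "SCAN.EXE":     b"MZ" + b"\x00" * 40 + b"help text and banner only (stand-in)",
        "REGISTER.DOC": inner,
        "VIRLIST.TXT":  b"VIRLIST.TXT for VIRUSCAN V77 (stand-in)\n",
    })


def audit(zip_bytes, manifest, depth=0, prefix=""):
    """Return a list of findings for one archive.  A member is treated as a
    nested archive when its CONTENT starts with the ZIP magic, whatever its
    extension claims; nested members are reported with a 'outer/inner' name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            name = prefix + info.filename
            try:
                # zipfile recomputes the CRC-32 on read; a mismatch means a
                # corrupt or hand-edited entry.  A clean read proves only that
                # the archive is internally consistent, which the trojan was.
                data = z.read(info.filename)
            except zipfile.BadZipFile:
                findings.append(f"{name}: stored CRC does not match content")
                continue
            if data.startswith(ZIP_MAGIC):
                findings.append(f"{name}: named like a document but is a ZIP archive")
                if depth < 4:
                    # nothing inside a hidden archive is in the trusted manifest
                    findings.extend(audit(data, {}, depth + 1, name + "/"))
            expected = manifest.get(info.filename)
            if expected is None:
                findings.append(f"{name}: not in trusted manifest")
            elif expected != (info.file_size, info.CRC):
                findings.append(f"{name}: size/CRC differ from trusted release")
    return findings


if __name__ == "__main__":
    for line in audit(build_trojan_archive(), trusted_manifest()):
        print(line)
```

Run against the constructed trojan archive, the audit flags SCAN.EXE and VIRLIST.TXT as differing from the trusted release, REGISTER.DOC as a ZIP hiding behind a .DOC name, and TB1.COM inside it as unknown to the manifest; the same audit of the genuine archive returns no findings. The manifest is the whole point: an "Authentic files Verified" banner or a validation table shipped inside the package can be reproduced by whoever repacks it.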

PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) (05/15/91)

aryehg%darkside.com@apple.com (Aryeh Goretsky) writes:
> We have received a trojan horse version of VIRUSCAN...
>
> Running PKUNZIP on the file reveals the following:
>
>  . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES
>
> While the Authentic Files Verified message appears, the serial number is
> NOT correct.  McAfee Associates' serial number is NWM405.

This worries me. Could somebody explain what good the PKUNZIP
authentication system should be, as it obviously isn't providing
enough warning here. (Who would know, and think of looking at, the
serial number? Probably few people).

Mark Aitchison, Physics, University of Canterbury, New Zealand.

p1@arkham.wimsey.bc.ca (Rob Slade) (05/17/91)

PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) writes:

> > NOT correct.  McAfee Associates' serial number is NWM405.
>
> This worries me. Could somebody explain what good the PKUNZIP
> authentication system should be, as it obviously isn't providing
> enough warning here. (Who would know, and think of looking at, the
> serial number? Probably few people).

Exactly the point made in one recent posting that examined the various
methods McAfee Associates uses to try to maintain the integrity of the
programs.

The "authentic verification" only attaches a code which (more or less)
confirms that the archive was packed up by an identifiable person.  I am
sure that McAfee Associates is even now burning up the phone lines to
Phil Katz demanding what twit registered a copy of PKZIP under the name
of their company with that serial number.

=============
Vancouver          p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for      Robert_Slade@mtsg.sfu.ca |  computer, don't
Research into      (SUZY) INtegrity         |  turn it on."
User               Canada V7K 2G6           | Richards' 2nd Law
Security                                    | of Data Security