USERGOLD%UALTAMTS.BITNET@vm.ucs.UAlberta.CA (Peter Johnston) (03/08/91)
We have observed in one of our PC computer labs in the last few days a piece of malicious code that places a message on the screen overwriting whatever is there. The text (in part) reads: "If we paid attention, if we cared, we would realize just how unethical this impending war with Iraq is, and how impure the American motives are for wanting to force it. I'm becoming a little confused as to where the "evil amoire" is these days." There is more but I do not have a complete printout of the text in front of me. Because of the way it overwrites things, it quite often overwrites itself. Other than displaying the message, we have not detected that the code performs any other function or causes any other damage. we do not know whether it reproduces or not, nor how it got on the machines. In fact, we have not yet been able to find it. Investigation of the hard disks of the affected machines via Norton Utilities Explore function yielded no matches to the actual wording, which suggests that the text has been enciphered or otherwise hidden. The message appears at random times, overwriting whatever is on the screen (including Norton Anti-Virus). My programmer feels that the periodicity is tied somehow to the number of sector accesses, and has clocked it at approcimately once every 700 accesses. However, this is not an exact number. None of the PC anti-viral packages we have (and we try to obtain a copy of the latest version of every package we can find) report or detect this malicious code. Is this something new? Is it home grown? Has anyone else seen anything like this? Any suggestions or assistance would be appreciated. Thanks for the help. If/when we get this beastie nailed down I'll forward appropriate info... - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Peter Johnston | Voice : 403/492-2462 University Comput Systems | FAX : 403/492-1729 352 GenSvcBldg, | BitNET : usergold@ualtamts The University of Alberta | Internet : usergold@mts.ucs.ualberta.ca Edmonton, Alberta | QuickMail: Peter_Johnston@ Canada T6G 2H1 | quest.ucs.ualberta.ca - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -