krvw@CERT.SEI.CMU.EDU (Kenneth R. van Wyk) (07/13/90)
VALERT-L/VIRUS-L Readers: CERT/CC received the following email message from Jon David, an independent security consultant in the New York area. The message details a PC virus which apparently infects Novell LANs - regardless of Novell file protections. The virus has a trigger date of Friday the 13th. Also included here is a (typed in) FAX message from Novell Vice President, Richard King, which presents Novell's official stance on this issue at this time. Mr. King's message was sent over Novell's NetWire messaging system. Please read both messages, as they present differing viewpoints, and then draw your own conclusions. IT IS IMPORTANT TO NOTE THAT THE EXTENT OF THIS VIRUS IS AS YET UNKNOWN. Therefore caution, not panic, is advisable. Scanners that detect the Jerusalem B virus may be effective at finding infections of this virus. Infected files should be deleted and restored from trusted backups (such as original write-protected distribution disks). Regards, Ken Kenneth R. van Wyk Technical Coordinator, Computer Emergency Response Team Software Engineering Institute Carnegie Mellon University cert@CERT.SEI.CMU.EDU (monitored during business hours) (412) 268-7090 (answers 24 hour a day) ===== Date: Thu, 12 Jul 90 From: Jon David <David@DOCKMASTER.NCSC.MIL> Subject: LAN virus!!! I received a call recently from an authorized Novell distributor about what looked to them like a LAN virus. It sounded to me like a Jerusalem B, and I gave them what help I could over the phone regarding proper treatment. They, in turn, send me diskettes with infected files. Of 14 files, all .EXE, 1 was a DOS utility, 3 were Norton Utility programs and the remaining 10 were NetWare programs which shouldn't have been open to public access. The infected system was running NetWare 2.15. All 14 of the files were identified as 1813 by IBM's scanner, and as Friday the 13th - Version 1 by DDI's VIRHUNT. In cooperation with Jay Nickson, author of Quarantine (a LAN anti-virus product) and Greg Drusdow (president on NUI - NetWare Users International), I today started testing the virus under NetWare 2.15C. (The system, and a ton of support, was provided by Novell.) The virus infects both EXE and COM files, adding a bit more than 1800 hundred bytes to their length. It will reinfect both types. (One file on the disks I received had been infected 56 times.) It is a TSR that hooks INT 21 if loaded before the LAN TSRs, and both 21 and 08 if loaded after. It will Alter date-time stamps locally or on the server, even if rights to do so have not been granted. Increase file lengths locally or on the server, even if rights to do so have not been granted. Delete, on being triggered, any EXE or COM invoked for execution before execution (Bad Command of file name message ... Note upper case "C" in Command) locally or on the server, even if rights to do so have not been granted. THE VIRUS WILL TRIGGER ON FRIDAY, 7/13/90 !!!!! No testing has been done on NetWare versions other than 2.15C. It is a pure guess as to the virus having the same effect on other versions. ALL USERS OF ALL NETWARE VERSIONS ARE URGED TO ADVANCE THEIR SYSTEM DATE TO 7/14/90 AT THE END OF SYSTEM USAGE - BOTH SERVERS AND NODES - ON 7/12/90. CHKDSK can be used at nodes after booting and before and after program execution to indicate loss of available RAM or disk space (on dates other than 7/13/90); on 7/13 (A DATE WHICH SHOULD NOT BE THERE FOR ANY NETWARE SYSTEMS!!!) the Bad Command or file name message should have you calling for immediate help/shutting your system down/notifying other LAN users/etc. Novell technical personnel and all levels of management are completely involved in the further analysis and treatment of this problem. Both NUI and Novell will be sending out appropriate notices on this matter today, and both are doing everything I could think of in both technical and administrative areas. While Jay, Greg and I are, and for some time will be involved in further analyses and treatments, I hope further information will be forthcoming from official/proper channels. (As I can't say other NetWare versions are likely targets or are exempt, neither can I say either for other network operating systems. I personally urge all LAN and stand-alone PC users to advance their system dates on 7/12 - today - to 7/14; it's not nice having a virus do your disk cleanup for you.) Jon David ===== NetWire Message July 12, 1990 NetWare Users International (NUI) with the support of Novell has conducted tests that have concluded that a variant f a Jerusalem B computer virus has been discovered in at least one NetWare user site. The virus infects DOS executable files. In order to be exposed to the virus one must import an infected DOS program from the outside. NETWARE FILES ARE NOT INFECTED AS THEY SHIP IN THE RED BOX FROM NOVELL. The virus operates as a TSR. Once an infected program is run at a DOS PC, the virus takes residence in the PC memory as a TSR. Subsequently, the virus, upon executing any other DOS program on the PC, will attempt to infect the disk resident copy of that program. The infection can occur on local drives as well as network drives provided the workstation has appropriate acess rights to write and modify the file. Files on network operating systems other than NetWare could also be infected by this virus. Files infected with the virus will show an increase in size of about 1800 bytes. The real negative effects of the virus will not show itself until certain preprogrammed dates. One confirmed date is July 13, 1990. There is a risk that an infected workstation will delete program images on disk that are requested for execution on that date. A "Bad command or file name" message will result. Under NetWare, the SALVAGE command will restore a deleted file if executed properly. If infection is suspect, it is recommended that you advance the server system date at the close of the working day of July 12, 1990 to July 14, 1990. It is also recommended that professional assistance be consulted. These facts and report were prompted by a report to NUI. Novell and NUI in their concern for responsible leadership felt it necessary to verify these conditions and notify its users so they could act accordingly. Richard King Vice President Novell, Inc.