[comp.virus] WARNING Jerusalem B on Novell LANs

krvw@CERT.SEI.CMU.EDU (Kenneth R. van Wyk) (07/13/90)

VALERT-L/VIRUS-L Readers:

CERT/CC received the following email message from Jon David, an
independent security consultant in the New York area.  The message
details a PC virus which apparently infects Novell LANs - regardless
of Novell file protections.  The virus has a trigger date of Friday
the 13th.  Also included here is a (typed in) FAX message from Novell
Vice President, Richard King, which presents Novell's official stance
on this issue at this time.  Mr. King's message was sent over Novell's
NetWire messaging system.  Please read both messages, as they present
differing viewpoints, and then draw your own conclusions.

IT IS IMPORTANT TO NOTE THAT THE EXTENT OF THIS VIRUS IS AS YET
UNKNOWN.  Therefore caution, not panic, is advisable.

Scanners that detect the Jerusalem B virus may be effective at finding
infections of this virus.  Infected files should be deleted and
restored from trusted backups (such as original write-protected
distribution disks).

Regards,

Ken

Kenneth R. van Wyk
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
cert@CERT.SEI.CMU.EDU (monitored during business hours)
(412) 268-7090        (answers 24 hours a day)

=====

Date:     Thu, 12 Jul 90
From:     Jon David <David@DOCKMASTER.NCSC.MIL>
Subject:  LAN virus!!!

I received a call recently from an authorized Novell distributor about
what looked to them like a LAN virus.  It sounded to me like a Jerusalem
B, and I gave them what help I could over the phone regarding proper
treatment.  They, in turn, sent me diskettes with infected files.

Of 14 files, all .EXE, 1 was a DOS utility, 3 were Norton Utility
programs and the remaining 10 were NetWare programs which shouldn't have
been open to public access.  The infected system was running NetWare
2.15.  All 14 of the files were identified as 1813 by IBM's scanner, and
as Friday the 13th - Version 1 by DDI's VIRHUNT.

In cooperation with Jay Nickson, author of Quarantine (a LAN
anti-virus product) and Greg Drusdow (president of NUI - NetWare Users
International), I today started testing the virus under NetWare 2.15C.
(The system, and a ton of support, was provided by Novell.)

The virus infects both EXE and COM files, adding a bit more than 1800
hundred bytes to their length.  It will reinfect both types.  (One
file on the disks I received had been infected 56 times.)  It is a TSR
that hooks INT 21 if loaded before the LAN TSRs, and both 21 and 08 if
loaded after.  It will

    Alter date-time stamps locally or on the server, even if rights to
    do so have not been granted.

    Increase file lengths locally or on the server, even if rights to do
    so have not been granted.

    Delete, on being triggered, any EXE or COM invoked for execution
    before execution (Bad Command or file name message ... Note upper
    case "C" in Command) locally or on the server, even if rights to do
    so have not been granted.

THE VIRUS WILL TRIGGER ON FRIDAY, 7/13/90 !!!!!

No testing has been done on NetWare versions other than 2.15C.  It is
a pure guess as to the virus having the same effect on other versions.
ALL USERS OF ALL NETWARE VERSIONS ARE URGED TO ADVANCE THEIR SYSTEM
DATE TO 7/14/90 AT THE END OF SYSTEM USAGE - BOTH SERVERS AND NODES -
ON 7/12/90.

CHKDSK can be used at nodes after booting and before and after program
execution to indicate loss of available RAM or disk space (on dates
other than 7/13/90); on 7/13 (A DATE WHICH SHOULD NOT BE THERE FOR ANY
NETWARE SYSTEMS!!!)  the Bad Command or file name message should have
you calling for immediate help/shutting your system down/notifying
other LAN users/etc.

Novell technical personnel and all levels of management are completely
involved in the further analysis and treatment of this problem.  Both
NUI and Novell will be sending out appropriate notices on this matter
today, and both are doing everything I could think of in both
technical and administrative areas.

While Jay, Greg and I are, and for some time will be, involved in
further analyses and treatments, I hope further information will be
forthcoming from official/proper channels.

(As I can't say other NetWare versions are likely targets or are
exempt, neither can I say either for other network operating systems.
I personally urge all LAN and stand-alone PC users to advance their
system dates on 7/12 - today - to 7/14; it's not nice having a virus
do your disk cleanup for you.)

Jon David

=====

NetWire Message
July 12, 1990

NetWare Users International (NUI) with the support of Novell has
conducted tests that have concluded that a variant of a Jerusalem B
computer virus has been discovered in at least one NetWare user site.
The virus infects DOS executable files.  In order to be exposed to the
virus one must import an infected DOS program from the outside.
NETWARE FILES ARE NOT INFECTED AS THEY SHIP IN THE RED BOX FROM
NOVELL.

The virus operates as a TSR.  Once an infected program is run at a DOS
PC, the virus takes residence in the PC memory as a TSR.
Subsequently, the virus, upon executing any other DOS program on the
PC, will attempt to infect the disk resident copy of that program.
The infection can occur on local drives as well as network drives
provided the workstation has appropriate access rights to write and
modify the file.  Files on network operating systems other than
NetWare could also be infected by this virus.  Files infected with the
virus will show an increase in size of about 1800 bytes.

The real negative effects of the virus will not show themselves until
certain preprogrammed dates.  One confirmed date is July 13, 1990.
There is a risk that an infected workstation will delete program
images on disk that are requested for execution on that date.  A "Bad
command or file name" message will result.  Under NetWare, the SALVAGE
command will restore a deleted file if executed properly.  If
infection is suspect, it is recommended that you advance the server
system date at the close of the working day of July 12, 1990 to July
14, 1990.  It is also recommended that professional assistance be
consulted.

These facts and report were prompted by a report to NUI.  Novell and
NUI in their concern for responsible leadership felt it necessary to
verify these conditions and notify its users so they could act
accordingly.

Richard King
Vice President
Novell, Inc.
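
=====

Both messages above describe the same observable symptoms: EXE and COM files that grow by about 1800 bytes per infection (repeatedly, if reinfected), altered date-time stamps, and programs deleted on the trigger date. The following is an added example, not part of the original postings, of a baseline comparison that flags those symptoms. The 1800-1850 byte growth band, the file names and all sample sizes and stamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass

EXEC_EXT = (".EXE", ".COM")           # file types both messages say are infected
MIN_GROWTH, MAX_GROWTH = 1800, 1850   # assumed per-infection growth band ("about 1800 bytes")

@dataclass(frozen=True)
class Entry:
    size: int    # file length in bytes
    stamp: str   # directory date-time stamp, kept as text

def infection_range(delta):
    """Return (min, max) infection counts that explain a size increase, or None."""
    lo, hi = -(-delta // MAX_GROWTH), delta // MIN_GROWTH   # ceil and floor bounds
    return (lo, hi) if 1 <= lo <= hi else None

def audit(baseline, current):
    """Compare executables against a trusted baseline; return (name, finding, detail)."""
    findings = []
    for name, old in sorted(baseline.items()):
        if not name.upper().endswith(EXEC_EXT):
            continue
        new = current.get(name)
        if new is None:               # deleted, e.g. after the trigger date
            findings.append((name, "missing", None))
            continue
        counts = infection_range(new.size - old.size)
        if counts:
            findings.append((name, "growth-matches-infection", counts))
        elif new != old:              # any other length or stamp change
            findings.append((name, "changed", None))
    return findings

# Constructed sample data (file names, sizes and stamps are illustrative only).
BASELINE = {
    "CHKDSK.EXE": Entry(9819, "1988-06-17 12:00"),
    "LOGIN.EXE": Entry(70000, "1989-03-01 09:00"),
    "SYSCON.EXE": Entry(120000, "1989-03-01 09:00"),
    "MAP.EXE": Entry(40000, "1989-03-01 09:00"),
    "README.TXT": Entry(500, "1989-03-01 09:00"),
}
CURRENT = {
    "CHKDSK.EXE": Entry(9819 + 1810, "1990-07-10 14:22"),        # grown once
    "LOGIN.EXE": Entry(70000 + 56 * 1810, "1990-07-11 08:05"),   # grown 56 times
    "SYSCON.EXE": Entry(120000, "1990-07-11 08:06"),             # stamp altered only
    "README.TXT": Entry(900, "1990-07-11 08:07"),                # not an executable
}                                                                # MAP.EXE is gone

if __name__ == "__main__":
    print(*audit(BASELINE, CURRENT), sep="\n")
```

Because the per-infection growth is only known approximately, a heavily reinfected file yields a range of plausible infection counts rather than a single number.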