USERGOLD@UALTAMTS.BITNET (Peter Johnston) (02/07/90)
Since my first posting of the two trojans we have detected here at the University of Alberta, a few things have occurred. This update is an attempt to share what we have learned so far:

On a suggestion from Paul Cozza, we determined that both the trojans we detected are stopped by SAM (Symantec Anti-viral for the Macintosh) Intercept. The version tested was quite an old one, but Paul suggests that all commercially released versions should also stop the trojan from doing its nastiness. When we tested SAM, the Mac was invariably left hung when we "Denied" the permission SAM was requesting, but upon re-booting, the disks were found to be undamaged.

Several of the anti-viral software developers have contacted us for further information on this trojan, and we have assisted them wherever possible. I would expect versions of many of their packages able to detect this trojan to start appearing in the near future.

I have received as of this date no reports of infection from any other sites. Remember, though, the trigger date of 10 Feb 90. I'll feel a little more relaxed after that date.

University Computing Systems has prepared a client hand-out that describes in relatively non-technical terms what both of these trojans do and what users can do to combat them. Unfortunately, a lot of the information is specific to the University of Alberta, but if anyone is interested, we would be pleased to provide copies of both for your use, or upload them to VIRUS-L, depending on the demand. Please contact me if this would be of assistance to you.

We are continuing our investigations, and will report additional information as we uncover it. You will also likely start receiving informational reports from some of the anti-viral software developers as to the internal characteristics and structure of these trojans.

The one gratifying aspect of this whole episode is the speed with which the warning was spread, and the prompt and professional response we here in the far north received from the anti-virus community as a whole.

This trojan is dangerous, no question about it. But not nearly as dangerous as a full-fledged viral version having the same type of destructive tendencies. Having a mechanism in place to react to these attacks is a pretty powerful deterrent force.

In the meantime, please continue to recommend that your Mac users make regular backups and practice "safe computing". I still feel that user education is one of the most powerful weapons we have to combat malicious code attacks...

Peter Johnston, P. Eng.
Senior Analyst, University Computing Systems,
352 - GenSvcBldg, The University of Alberta
Edmonton, Alberta
CANADA T6G 2H1
Phone: 403/492-2462
FAX: 403/492-7219
EMAIL: usergold@ualtamts.bitnet