awpieper@CRDEC4.APGEA.ARMY.MIL (Anthony W. Pieper) (11/30/89)
[Ed. From the VALERT-L mailing list.]
TROJAN HORSE ALERT
( extracted from Info-IBMPC )
There is a file going around called either NORTSTOP.ZIP or
NORTSHOT.ZIP which, by it's (sparse) documentation and the copyrigh
inside the EXE file, claims to be from Norton Computing. Because of
the sparse and unprofessionally presented docs, I looked within the
EXE file and found:
The Norton Public Domain Virus Utility, PD Edition 5.50, (C)1989 Peter
Norton
Your System has been infected with a Christmas virus! Selected
files were just eliminated! Without these files, you might as well
use your computer as a damn, boat anchor! If you do NOT own a boat,
you may want to replace the files which were just erased. Try to
determine which files they were. HARDY HA! HA! HA! HOW DO YOU FEEL
NOW; YOU IDIOT? MERRY CHRISTMAS AND HAPPY NEW YEAR!
===================
PKUNZIP reports:
1065 Implode 650 39% 10-04-89 12:26 9778978d --w READ-ME.NOW
38907 Implode 30156 23% 10-02-89 11:57 c333dec0 --w NORTSHOT.EXE
- ----- ------ --- -------
39972 30806 23% 2
I spoke with Craig and Tony from Norton Computing and it sure ain't
their's. I DID run McAfee's SCANV on it, and it came up empty, so
either SCANV simply can't recognize it, or it's a prank, but either
way, it has no business being in circulation. Be on the look out!
To: ALL
From: TONY MCNAMARA
Subj: Trojan Horse
We at Peter Norton Computing would like to bring to your attention
an unauthorized trojan horse named NortStop.ZIP or NortShot.ZIP (these
files are the same). This file was NOT produced with the knowledge or
permission of PNCI.
This file is not a virus (it does not infect files). Instead, it
is a trojan horse (it must be run explicitly to cause any damage).
When run, it lists the directory and claims the system is virus-free.
Between December 24th and December 31st, however, it will erase files
in several directories based on their extensions.
These files can be recognized by their sizes (NortStop.ZIP is
31744 bytes, NortStop.EXE is 38907 bytes), or by doing a text search
for the strings "NORTSHOT.EXE" in the ZIP, "Norton Public" in the EXE.
If you find or hear of these files, please contact us immediately
through Tony McNamara, 213/319-2076 (voice), TMCNAMARA 381-9188 (MCI),
or CompuServe (72477,2504).
Again, these files are in no way associated with PNCI. Please
help us track down and eliminate these files.
Thank you,
Peter Norton
************** From the Desk of Mr. James M. Vavrina **************
* Comm 703-355-0010/0011 AV 345-0010-0011 *
* DDN SDSV@MELPAR-EMH1.ARMY.MIL *
*******************************************************************