[comp.sys.mac.announce] Protection from STEROID in SAM

levin@BBN.COM (Joel B. Levin) (06/07/90)

Paul has asked me to forward this to usenet.  Would you consider this
for c.s.m.announce (and maybe crossposted to an appropriate set of
groups)?  I have already sent it to Internet info-mac.

	/JBL
- - - - -

Paul Cozza, author of SAM, has asked me to post the following information.

	/JBL

  **********
 
For SAM 2.0 users:
 
As recently reported, a new Trojan horse named Steroid has been
discovered. It is set to go off on July 1st, 1990, at which time it zeroes your
volume directories (it is possible to recover files on hard disks with
utilities such as SUM II). Before that time the Trojan remains dormant.
 
This Trojan is shipped with the file name (Steroid) preceded by 2 invisible
characters along with a warning not to change the file name. These 2 invisible
characters are there to make it load before SAM (or other INITs). If you leave
this file in your system folder, then you are in danger (especially if you have
not renamed it).
 
If you have renamed the file so that it runs after SAM (in general, NO unknown
INITs should ever be allowed to run before SAM), then in advanced or custom
modes you will get SAM alerts saying "There is an attempt to bypass the file
system" when this Trojan attacks your volumes. Denying these attempts prevents
the Trojan from doing any damage.
 
You can enter the following virus definition in Virus Clinic to allow both SAM
Intercept and Virus Clinic to detect this Trojan during scans.
 
   Virus Name:  Steroid Trojan
Resource Type:  INIT
  Resource ID:  148
Resource Size:  1080
Search String:  ADE9 343C 000A 4EFA FFF2 4A78    (hexadecimal)
String Offset:  96
 
If you have entered this definition and have renamed the Trojan to run after
SAM, then SAM Intercept will also notify you when this INIT is run at startup
time.
 
Paul Cozza
SAM Author
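As an added example, not code from the post, from SAM, or from Paul Cozza, here is a Python scanner that applies the Virus Clinic definition above to a classic Mac resource fork image: it walks the resource map and flags an INIT resource whose ID, size, and bytes at the stated offset all match. The resource fork layout it parses is the standard Mac OS format as I know it; the fork builder and the sample resources are a constructed test fixture, not a Steroid sample.

```python
import struct

# Definition from the post: type INIT, ID 148, size 1080, 12 signature bytes at offset 96.
STEROID_DEF = ("Steroid Trojan", b"INIT", 148, 1080,
               bytes.fromhex("ADE9343C000A4EFAFFF24A78"), 96)

def iter_resources(fork):
    """Yield (type, id, data) for each resource in a classic Mac resource fork image."""
    data_off, map_off = struct.unpack(">II", fork[:8])
    tl = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]  # type list
    for i in range(struct.unpack(">H", fork[tl:tl + 2])[0] + 1):  # counts stored as n-1
        e = tl + 2 + i * 8
        rtype, nres, ref_off = struct.unpack(">4sHH", fork[e:e + 8])
        for j in range(nres + 1):
            ref = tl + ref_off + j * 12
            rid, _, attr_off = struct.unpack(">hHI", fork[ref:ref + 8])
            pos = data_off + (attr_off & 0xFFFFFF)  # low 24 bits = offset into data area
            length = struct.unpack(">I", fork[pos:pos + 4])[0]
            yield rtype, rid, fork[pos + 4:pos + 4 + length]

def matches(defn, rtype, rid, data):
    _, t, i, size, sig, off = defn
    return (rtype, rid, len(data)) == (t, i, size) and data[off:off + len(sig)] == sig

def scan_fork(fork, defn=STEROID_DEF):
    return [(defn[0], t, i) for t, i, d in iter_resources(fork) if matches(defn, t, i, d)]

def build_fork(resources):
    """Constructed minimal resource fork (test fixture, not a real Steroid sample)."""
    data, by_type = b"", {}
    for t, i, d in resources:
        by_type.setdefault(t, []).append((i, len(data)))
        data += struct.pack(">I", len(d)) + d
    tlist, refs = struct.pack(">H", len(by_type) - 1), b""
    for t, entries in by_type.items():
        tlist += struct.pack(">4sHH", t, len(entries) - 1, 2 + 8 * len(by_type) + len(refs))
        for i, off in entries:
            refs += struct.pack(">hHI", i, 0xFFFF, off) + b"\0" * 4  # no name, attrs 0
    rmap = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(tlist) + len(refs)) + tlist + refs
    hdr = struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap))
    return hdr + b"\0" * 240 + data + rmap

# Constructed sample: a benign 100-byte INIT 128 beside a 1080-byte INIT 148 that
# carries the signature bytes at offset 96.
SAMPLE = build_fork([
    (b"INIT", 128, b"\x4e\x75" * 50),
    (b"INIT", 148, b"\0" * 96 + STEROID_DEF[4] + b"\0" * (1080 - 108)),
])

if __name__ == "__main__":
    print(scan_fork(SAMPLE))  # [('Steroid Trojan', b'INIT', 148)]
```

A resource with the right type and ID but a different size, or without the signature bytes at offset 96, is not reported, which is what makes the definition more precise than a name or ID check alone.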