Copy Link
Add to Bookmark
Report
CIAC A-06
FOR OFFICIAL DEPARTMENT OF ENERGY USE ONLY
________________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY
CIAC
INFORMATION BULLETIN
________________________________________________________________________
Information about a trojan horse in Norton Utilities for IBM
PCs and clones
November 7, 1989, 1730 PST Number A-6
CIAC has been informed that a trojan horse has been found in a number
of IBM PCs and PC clones which run Norton Computing utilities. This
trojan horse appears superficially to be a legitimate file within
Norton Utilities named either NORTSTOP.ZIP or NORTSHOT.ZIP. (The file
contents are the same, regardless of the name used.) The trojan horse
program must be run (i.e., the EXE file for the program must be
executed) for any damage to occur to your system. If run, the program
lists the directory and displays a message that one's machine is free
of viruses. Damage resulting from running this program occurs only if
the trojan horse program is executed between December 24 and December
31 inclusive. In this case, the program will erase files with
selected file extensions.
Detection
You can detect this trojan horse by using Norton Utilities to examine
the .EXE file for either of the.ZIP files listed above. The EXE file
will contain the following message:
The Norton Public Domain Virus Utility, PD Edition 5.50, (C) 1989
Peter Norton
Your System has been infected with a Christmas virus! Selected
files were just eliminated! Without these files, you might as well
use your computer as a damn, boat anchor! If you do NOT own a
boat, you may want to replace the files which were just erased.
Try to determine which files they were. HARDY HA! HA! HA! HOW
DO YOU FEEL NOW; YOU IDIOT? MERRY CHRISTMAS AND HAPPY NEW YEAR!
If your system has the trojan horse, you will obtain a report similar
to the following when using PKUNZIP (a utility which separates and
decompresses files):
1065 Implode 650 39% 10-04-89 12:26 9778978d --w READ-ME.NOW
38907 Implode 30156 23% 10-02-89 11:57 c333dec0 --w NORTSHOT.EXE
----- ------ ----- ---------------
39972 30806 23% 2
Eradication
If you should discover this trojan horse, do not execute the file
NORTSHOT.EXE. Please make a copy of the bogus .EXE and .ZIP files on
a diskette before you do anything else. Eradicating the NORTSTOP.ZIP
and NORTSHOT.ZIP trojan horse is straightforward; simply use your disk
operating system to delete all files named NORTSHOT.EXE and the .ZIP
file that created it. Please then send the diskette to CIAC at the
address below as soon as possible.
Note
According to information provided to CIAC, this trojan horse is not
found in the version of Norton Utilities sold in commercial software
outlets. It is only found in versions of Norton Utilities available
from public sources (e.g., bulletin boards).
NORTSTOP.ZIP and NORTSHOT.ZIP are not viruses. They will not
replicate themselves and spread from machine to machine. One you have
removed this trojan horse, it can only be reintroduced by copying the
files once again from public sources.
To send copies of the trojan horse, or to obtain further information
about this problem, please contact:
Tom Longstaff, CIAC
Lawrence Livermore National Laboratory
P.O. Box 808, L-540
Livermore, CA 94550
(415) 423-4416 or FTS 543-4416
Send electronic mail to: ciac@tiger.llnl.gov
CIAC FAX: (415) 422-4294 FTS 532-4294