Xine - issue #3 - Phile 008
/-----------------------------\
| Xine - issue #3 - Phile 008 |
\-----------------------------/
┌----------------------------------------------------------┐
|  The story of the 2Trout and Lilith viruses in the wild  |
|                                                          |
|                    Written by Dandler                    |
└----------------------------------------------------------┘
To find the first case of the spread of the 2Trout virus we must look
back to 1995, in the geographical zone between Padania and Italy. An
anonymous guy, whose identity has never been discovered, used a fake
account to connect to a minor Padanian and Italian BBS network that
carried a virus area, like some of the famous major virus areas on networks
such as Fidonet or Virnet. This virus echo area was always considered
marginal, especially when compared with other virus areas from Fidonet and
Virnet that have a constant, fairly large message flow. Apart from the low
message flow, this area was given little consideration because it wasn't
followed by any major antivirus researcher, apart from a few minor virus
experts called Ortolano and Colosi of the Italian antivirus ItavPro
(Ortolano was the author of ItavPro, while Colosi was his primary helper).
These two 'experts' weren't held in much regard by the Padanian and Italian
antivirus communities; Colosi in particular was disliked for his childish,
annoying and egocentric behavior.
But back to the virus. It was posted uuencoded in this virus message area
together with another virus, the Lilith. The first file was a do-nothing
program infected by the 2Trout, while the second one was a dropper of the
Lilith virus, since the Lilith is a boot sector virus.
As already said, this virus area was just marginal, so the usual readers
were just extremely inexperienced people who are undoubtedly easy prey to
fool, as indeed happened. The two messages carrying the viruses weren't
deleted quickly enough by the people in charge of the network, so a few of
the readers of the message area, thinking they were dealing with
antiviruses or some utilities, executed the viruses and infected themselves.
After a few days the messages with the uuencoded viruses were in fact
deleted, but too late: messages asking for help with strange problems,
such as with QEMM, after the execution of the two uuencoded messages were
already coming in from many users (QEMM notified the user that the total
memory of the system had decreased, due to the Lilith virus being active
in memory).
After these events a serious turmoil took place. Ortolano and Colosi tried
to explain the situation and recommended not running programs posted to
the area by untrusted users. They even tried to contact the user that
posted the message, but without luck, since the login used was just a fake.
Someone proposed informing the legal authorities, but the proposal was
quickly discarded. Finally, new rules to improve the security of the BBS
network were decided, such as making it impossible to post a message in the
public areas at the first login.
After a while the situation returned to normal. The antivirus ItavPro
written by Ortolano was soon able to detect both the 2Trout and the
Lilith, and most likely all the users infected by the virus were soon able
to remove the virus from their computers.
After this story it doesn't seem that there were other infections in the
wild of the 2Trout, while an infection in the wild of the Lilith virus,
quite a long time ago, is known, even though it has a bug that seriously
limits its spreading (without this bug the virus would very likely have
spread a lot).
As of today, January 1998, both viruses seem to be just two more pieces
in the collections of the various virus collectors. But both have gone
down in the history of Padanian and Italian virusing. As for the
protagonists of this story, Ortolano sold the ItavPro antivirus and seems
no longer to be interested in viruses, while Colosi, after a short and
stormy presence on it.comp.sicurezza.virus, the Italian-speaking newsgroup
dedicated to viruses, seems to have vanished totally from the antivirus
scene.
No one will miss him.