1994-09-14 - CIAC Notice - Virus with Crypto Tech…

Header Data

From: NetSurfer <jdwilson@gold.chem.hawaii.edu>
To: cypherpunks@toad.com
Message Hash: 64dc646280abfd75aece195c70cde865ea143248abe2b8072a4a7de9bb3d42ac
Message ID: <Pine.3.07.9409132037.m18888-c100000@gold.chem.hawaii.edu>
Reply To: N/A
UTC Datetime: 1994-09-14 06:31:25 UTC
Raw Date: Tue, 13 Sep 94 23:31:25 PDT

Raw message

From: NetSurfer <jdwilson@gold.chem.hawaii.edu>
Date: Tue, 13 Sep 94 23:31:25 PDT
To: cypherpunks@toad.com
Subject: CIAC Notice - Virus with Crypto Tech...
Message-ID: <Pine.3.07.9409132037.m18888-c100000@gold.chem.hawaii.edu>
MIME-Version: 1.0
Content-Type: text/plain




Excerpted from CIAC, a report of a stealth virus that uses encryption as
part of its attack.

If the list thinks its of interest, I'll zap it over.

But briefly:

September 13, 1994 1600 PDT                                       Number E-34
_____________________________________________________________________________

PROBLEM:        A previously unknown computer virus is damaging systems.
PLATFORM:       All MS-DOS, PC-DOS, Windows systems, all versions.
DAMAGE:         Damages files, encrypts hard drive.
SOLUTION:       Update your Anti-Virus program to detect/remove the virus.
_____________________________________________________________________________

VULNERABILITY   While it is not epidemic, the virus has been seen at an East
ASSESSMENT:     coast site and it isn't detected by the current versions of
                most virus scanners (revised versions are upcoming.) The
                virus is intentionally damaging and all files on an infected
                machine are at risk.
                Warning: Removing the virus may make some files inaccessible
                (see below.)
_____________________________________________________________________________


The virus is intentionally damaging. Every time an infected machine boots,
the virus encrypts two cylinders of the DOS partition of the hard drive
starting with the highest numbered cylinder and progressing to lower numbered
ones. The virus then hides the fact that it is encrypting the hard drive by
decrypting any of the encrypted sectors whenever they are accessed by the
system. Only with the virus out of memory do you see the encrypted sectors.

WARNING: Because of the encryption the virus does, be sure you copy any
important files to a floppy disk or tape before removing the virus. The
CHK_HALF program described below does not decrypt any encrypted cylinders, so
when the virus is removed, the encryption key is lost with it and any files
in the encrypted cylinders are lost.
===========================================================================









Thread