Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Hacking Techniques :: ciaca6.txt

Information about a trojan horse in Norton Utilities for IBM PCs and clones



                     INFORMATION BULLETIN

    Information about a trojan horse in Norton Utilities for IBM 
                         PCs and clones

November 7, 1989, 1730 PST                                 	Number A-6

CIAC has been informed that a trojan horse has been found in a number
of IBM PCs and PC clones which run Norton Computing utilities.  This
trojan horse appears superficially to be a legitimate file within
Norton Utilities named either NORTSTOP.ZIP or NORTSHOT.ZIP.  (The file
contents are the same, regardless of the name used.)  The trojan horse
program must be run (i.e., the EXE file for the program must be
executed) for any damage to occur to your system.  If run, the program
lists the directory and displays a message that one's machine is free
of viruses.  Damage resulting from running this program occurs only if
the trojan horse program is executed between December 24 and December
31 inclusive.  In this case, the program will erase files with
selected file extensions.


You can detect this trojan horse by using Norton Utilities to examine
the .EXE file for either of the.ZIP files listed above.  The EXE file
will contain the following message:

	The Norton Public Domain Virus Utility,  PD Edition 5.50,   (C) 1989
	Peter Norton

	Your System has been infected with a Christmas virus! Selected
	files were just eliminated!  Without these files, you might as well
	use your computer as a damn, boat anchor!  If you do NOT own a
	boat, you may want to replace the files which were just erased.
	Try to determine which files they were.  HARDY   HA!  HA!  HA!  HOW

If your system has the trojan horse, you will obtain a report similar
to the following when using PKUNZIP (a utility which separates and
decompresses files):

1065   Implode   650    39%    10-04-89   12:26   9778978d  --w  READ-ME.NOW
38907  Implode   30156  23%    10-02-89   11:57   c333dec0  --w  NORTSHOT.EXE
-----           ------ -----                                  ---------------
39972           30806   23%                                            2


If you should discover this trojan horse, do not execute the file
NORTSHOT.EXE.  Please make a copy of the bogus .EXE and .ZIP files on
a diskette before you do anything else.  Eradicating the NORTSTOP.ZIP
and NORTSHOT.ZIP trojan horse is straightforward; simply use your disk
operating system to delete all files named NORTSHOT.EXE and the .ZIP
file that created it.  Please then send the diskette to CIAC at the
address below as soon as possible.


According to information provided to CIAC, this trojan horse is not
found in the version of Norton Utilities sold in commercial software
outlets.  It is only found in versions of Norton Utilities available
from public sources (e.g., bulletin boards).

NORTSTOP.ZIP and NORTSHOT.ZIP are not viruses.  They will not
replicate themselves and spread from machine to machine.  One you have
removed this trojan horse, it can only be reintroduced by copying the
files once again from public sources.

To send copies of the trojan horse, or to obtain further information
about this problem, please contact:

Tom Longstaff,  CIAC
Lawrence Livermore National Laboratory
P.O. Box 808, L-540
Livermore, CA  94550
(415) 423-4416 or FTS 543-4416 
Send electronic mail to:

CIAC FAX: (415) 422-4294 FTS 532-4294

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH