
McAfee Scan 78 is a trojan!




 
 Message: 3126643, 113 lines
 Posted: 5:47pm PDT, Mon May 13/91, imported: 7:46pm PDT, Mon May 13/91
 Subject: Trojan version of VIRUSCAN version 78
 To: userID=NHD0
 From: aryehg%darkside.com@APPLE.COM
 
 TROJAN VERSION OF VIRUSCAN VERSION 78
 
 We have received a trojan horse version of VIRUSCAN.  The hacked SCAN
 has apparently been uploaded to BBSes in Michigan, USA under the
 filename SCANV78.ZIP.  Running PKZIP -V on the file reveals:
 
  .PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
  .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
  .PKUNZIP Reg. U.S. Pat. and Tm. Off.
  .
  .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
  .
  . Length  Method   Size  Ratio   Date    Time   CRC-32  Attr  Name
  . ------  ------   ----- -----   ----    ----   ------  ----  ----
  .  12816  Implode   5255  59%  04-08-91  14:28  08a87ed8 --w  AGENTS.TXT
  .   9406  Stored    9406   0%  02-03-91  17:04  42cf9931 --w  REGISTER.DOC
  .  23008  Implode  12550  46%  05-06-91  18:15  f9735dd5 --w  SCAN.EXE
  .   6495  Implode   1895  71%  10-31-89  16:16  0449b09d --w  VALIDATE.COM
  .   3626  Implode   1802  51%  11-29-90  01:59  ab76470f --w  README.1ST
  .  21257  Implode   5767  73%  05-06-91  19:35  a0728a17 --w  VIRLIST.TXT
  .   2844  Implode   1406  51%  02-14-91  14:25  aa330b57 --w  VALIDATE.DOC
  .  24515  Implode   9188  63%  05-06-91  19:34  172a967f --w  SCAN78.DOC
  . ------          ------  ---                                 -------
  . 103967           47269  55%                                       8
 
 The number listed for the Fantasia BBS is NOT a BBS number and has no
 connection with the trojan horse.  I have called the phone number and
 asked the party at the other end to contact me.
 
 Running PKUNZIP on the file reveals the following:
 
  .PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
  .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
  .PKUNZIP Reg. U.S. Pat. and Tm. Off.
  .
  .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
  .  Exploding: AGENTS.TXT    -AV
  . Extracting: REGISTER.DOC  -AV
  .  Exploding: SCAN.EXE      -AV
  .  Exploding: VALIDATE.COM  -AV
  .  Exploding: README.1ST    -AV
  .  Exploding: VIRLIST.TXT   -AV
  .  Exploding: VALIDATE.DOC  -AV
  .  Exploding: SCAN78.DOC    -AV
  .
  . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES
 
 While the Authentic Files Verified Message appears, the Serial Number is
 NOT correct.  McAfee Associates' Serial Number is NWM405.
 
 Examination of the AGENTS.TXT, README.1ST, VALIDATE.*, and VIRLIST.TXT
 files revealed that these are straight from VIRUSCAN Version 77--the
 version number in the VIRLIST.TXT file was still V77.
 
 The SCAN78.DOC file had been modified so that all occurrences of V77
 were switched to V78.  Additionally, the following text was added for
 the validation data:
 
  .     The validation results for Version 77 should be:
  .
  .              FILE NAME: SCAN.EXE
  .                   SIZE: 23,008
  .                   DATE: 05-06-1991
  .    FILE AUTHENTICATION
  .         Check Method 1: 2C21
  .         Check Method 2: 022E
  .
 
 For the What's New section, the following text was added:
 
  . WHAT'S NEW
  .         Version 78 of SCAN removes a few small bugs and continues
  . to optimize the procedures SCAN uses to find viruses, as in Version 77,
  . as well as adding a few more to the list of known viruses. SCAN is now much
  . more compressed than was previously thought possible, so please enjoy the
  . shortened file size, it should still work just fine.
  .    Refer to the enclosed VIRLIST.TXT file for a schematic
  . description of the new viruses.  For a complete description, please
  . refer to Patricia Hoffman's VSUM document.
  .
 
 Examination of the SCAN.EXE file has shown that it contains the help
 message that VIRUSCAN displays as well as the program information
 message.  However, the program does not contain any of the other
 messages that VIRUSCAN has in it.
 
 The REGISTER.DOC file distributed with the trojan version of VIRUSCAN is
 not a text file, but rather another .ZIP file containing a file named
 TB1.COM:
 
  . PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
  . Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
  . PKUNZIP Reg. U.S. Pat. and Tm. Off.
  .
  . Searching ZIP: REGISTER.DOC
  .  Extracting: TB1.COM       -AV
  .
  . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES
  .
 
 When unZIPped, the REGISTER.DOC file displays the same Authentic Files
 Verified Message as the SCANV78.ZIP file did.  Examination of the
 TB1.COM file revealed that it contains the Whale virus.
 
 This is all I currently know about the SCANV78.ZIP trojan.  If you see
 any copies of this file, please ask the system administrator or sysop to
 remove it and ask them to contact the uploader to warn them that it
 contains a virus.
 
 Aryeh Goretsky
 McAfee Associates Technical Support
 - - -
 aryehg@tacom-emh1.army.mil
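
The advisory above turns on three checks a recipient could have made before trusting the archive: the member listing (PKUNZIP -V), a "document" member that is really another ZIP, and documentation whose version tags disagree (SCAN78.DOC claiming V78 while VIRLIST.TXT still says V77). The following script is an added example written for this page; it is not McAfee's code and not part of the original message. It builds a constructed sample archive in memory that mimics the layout described (placeholder bytes stand in for every member, nothing from the real trojan is reproduced), then runs those checks over it. The PKZIP -AV authenticity stamp itself is proprietary and is not reproduced here; the lesson from the message is that such a stamp is only meaningful when its identifier is compared against the vendor's published value.

```python
import io
import re
import zipfile

# Local file header signature: every ZIP archive begins with these bytes.
ZIP_MAGIC = b"PK\x03\x04"


def build_sample_archive() -> bytes:
    """Constructed sample archive (NOT the real SCANV78.ZIP): mimics the
    layout in the advisory, with a REGISTER.DOC that is really a nested ZIP
    and a VIRLIST.TXT still labelled V77. All contents are placeholders."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        # Harmless placeholder standing in for the nested member.
        z.writestr("TB1.COM", b"placeholder bytes, not a program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("SCAN78.DOC",
                   b"VIRUSCAN Version 78 documentation\nWHAT'S NEW\n"
                   b"Version 78 of SCAN removes a few small bugs\n")
        z.writestr("VIRLIST.TXT", b"Virus list for VIRUSCAN V77\n")
        z.writestr("README.1ST", b"Read me first\n")
        z.writestr("SCAN.EXE", b"MZ" + b"\x00" * 64)  # placeholder EXE header
        # Member whose extension says "text document" but whose body is a ZIP.
        z.writestr("REGISTER.DOC", inner.getvalue())
    return outer.getvalue()


def list_entries(zip_bytes: bytes):
    """(name, uncompressed size, CRC-32 as 8 hex digits) per member,
    the same columns PKUNZIP -V prints."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return [(i.filename, i.file_size, f"{i.CRC:08x}") for i in z.infolist()]


def find_disguised_archives(zip_bytes: bytes):
    """Names of members whose extension is not .ZIP but whose content starts
    with the ZIP local header signature (REGISTER.DOC in the advisory)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.filename.upper().endswith(".ZIP"):
                continue
            with z.open(info) as f:
                if f.read(len(ZIP_MAGIC)) == ZIP_MAGIC:
                    hits.append(info.filename)
    return hits


def version_mentions(zip_bytes: bytes, names):
    """Map each named text member to the sorted list of version numbers it
    mentions ("V77", "Version 78", ...), to expose doc/version mismatches."""
    pattern = re.compile(rb"(?:Version\s+|V)(\d{2})")
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for name in names:
            result[name] = sorted({int(m) for m in pattern.findall(z.read(name))})
    return result


def triage(zip_bytes: bytes):
    """Run all checks and return a list of human-readable findings."""
    findings = []
    for name in find_disguised_archives(zip_bytes):
        findings.append(f"{name}: extension is not .ZIP but content is a ZIP archive")
    mentions = version_mentions(zip_bytes, ["SCAN78.DOC", "VIRLIST.TXT"])
    claimed = set(mentions["SCAN78.DOC"])
    listed = set(mentions["VIRLIST.TXT"])
    if claimed and listed and claimed != listed:
        findings.append(f"version mismatch: SCAN78.DOC says {sorted(claimed)}, "
                        f"VIRLIST.TXT says {sorted(listed)}")
    return findings


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, size, crc in list_entries(sample):
        print(f"{size:>8}  {crc}  {name}")
    for finding in triage(sample):
        print("FINDING:", finding)
```

Run stand-alone, the script prints a PKUNZIP -V style listing of the constructed archive followed by two findings: the disguised nested archive and the 77/78 documentation mismatch. Against a real distribution the same listing should additionally be compared, member by member, with the vendor's published sizes and check values rather than with anything shipped inside the archive itself, since the advisory shows the attacker edited SCAN78.DOC to match the tampered SCAN.EXE.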


