[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CIAC Notice - Virus with Crypto Tech...

Excerpted from CIAC, a report of a stealth virus that uses encryption as
part of its attack.

If the list thinks its of interest, I'll zap it over.

But briefly:

September 13, 1994 1600 PDT                                       Number E-34

PROBLEM:        A previously unknown computer virus is damaging systems.
PLATFORM:       All MS-DOS, PC-DOS, Windows systems, all versions.
DAMAGE:         Damages files, encrypts hard drive.
SOLUTION:       Update your Anti-Virus program to detect/remove the virus.

VULNERABILITY   While it is not epidemic, the virus has been seen at an East
ASSESSMENT:     coast site and it isn't detected by the current versions of
                most virus scanners (revised versions are upcoming.) The
                virus is intentionally damaging and all files on an infected
                machine are at risk.
                Warning: Removing the virus may make some files inaccessible
                (see below.)

The virus is intentionally damaging. Every time an infected machine boots,
the virus encrypts two cylinders of the DOS partition of the hard drive
starting with the highest numbered cylinder and progressing to lower numbered
ones. The virus then hides the fact that it is encrypting the hard drive by
decrypting any of the encrypted sectors whenever they are accessed by the
system. Only with the virus out of memory do you see the encrypted sectors.

WARNING: Because of the encryption the virus does, be sure you copy any
important files to a floppy disk or tape before removing the virus. The
CHK_HALF program described below does not decrypt any encrypted cylinders, so
when the virus is removed, the encryption key is lost with it and any files
in the encrypted cylinders are lost.