________________________________________________________________________ THE COMPUTER INCIDENT ADVISORY CAPABILITY CIAC INFORMATION BULLETIN ________________________________________________________________________ Information about a trojan horse in Norton Utilities for IBM PCs and clones November 7, 1989, 1730 PST Number A-6 CIAC has been informed that a trojan horse has been found in a number of IBM PCs and PC clones which run Norton Computing utilities. This trojan horse appears superficially to be a legitimate file within Norton Utilities named either NORTSTOP.ZIP or NORTSHOT.ZIP. (The file contents are the same, regardless of the name used.) The trojan horse program must be run (i.e., the EXE file for the program must be executed) for any damage to occur to your system. If run, the program lists the directory and displays a message that one's machine is free of viruses. Damage resulting from running this program occurs only if the trojan horse program is executed between December 24 and December 31 inclusive. In this case, the program will erase files with selected file extensions. Detection You can detect this trojan horse by using Norton Utilities to examine the .EXE file for either of the.ZIP files listed above. The EXE file will contain the following message: The Norton Public Domain Virus Utility, PD Edition 5.50, (C) 1989 Peter Norton Your System has been infected with a Christmas virus! Selected files were just eliminated! Without these files, you might as well use your computer as a damn, boat anchor! If you do NOT own a boat, you may want to replace the files which were just erased. Try to determine which files they were. HARDY HA! HA! HA! HOW DO YOU FEEL NOW; YOU IDIOT? MERRY CHRISTMAS AND HAPPY NEW YEAR! If your system has the trojan horse, you will obtain a report similar to the following when using PKUNZIP (a utility which separates and decompresses files): 1065 Implode 650 39% 10-04-89 12:26 9778978d --w READ-ME.NOW 38907 Implode 30156 23% 10-02-89 11:57 c333dec0 --w NORTSHOT.EXE ----- ------ ----- --------------- 39972 30806 23% 2 Eradication If you should discover this trojan horse, do not execute the file NORTSHOT.EXE. Please make a copy of the bogus .EXE and .ZIP files on a diskette before you do anything else. Eradicating the NORTSTOP.ZIP and NORTSHOT.ZIP trojan horse is straightforward; simply use your disk operating system to delete all files named NORTSHOT.EXE and the .ZIP file that created it. Please then send the diskette to CIAC at the address below as soon as possible. Note According to information provided to CIAC, this trojan horse is not found in the version of Norton Utilities sold in commercial software outlets. It is only found in versions of Norton Utilities available from public sources (e.g., bulletin boards). NORTSTOP.ZIP and NORTSHOT.ZIP are not viruses. They will not replicate themselves and spread from machine to machine. Once you have removed this trojan horse, it can only be reintroduced by copying the files once again from public sources. To send copies of the trojan horse, or to obtain further information about this problem, please contact: Tom Longstaff, CIAC Lawrence Livermore National Laboratory P.O. Box 808, L-540 Livermore, CA 94550 (415) 423-4416 or FTS 543-4416 Send electronic mail to: ciac@tiger.llnl.gov CIAC FAX: (415) 422-4294 FTS 532-4294