>From: aware@netcom.com (Network Services)
>To: PC-Telephony@netcom.com
>Subject: URGENT! NEW VIRUS ALERT!
>Date: Mon, 08 May 1995 18:30:40 -0700
>Lines: 112
>Sender: owner-pc-telephony@netcom.com
>Precedence: list
>Reply-To: owner-pc-telephony@netcom.com
>
>>From Richard De A'Morelli, Editor, PC-Telephony
>
>URGENT!!! VIRUS ALERT!!!
>
>Please read carefully -- this is not a prank. A new virus
>has appeared on the Internet. It infected all eight of my
>networked PC's, and I have spent the past 72 hours trying
>to figure this thing out and get rid of it. (no sleep,
>really tired, excuse the typos). I have managed to disinfect
>my network, and this letter explains what I have learned about
>this virus and how it works.
>
>During the past week, I downloaded 10-12 files from three very popular
>Internet sites and one busy BBS (6 or 7 of those files came from
>a Simtel mirror). I can say that the virus originated from one
>of those files. It is therefore an imminent threat to the Net
>community.
>
>Here is how the virus works...
>
>At about 5pm, a dumb-looking sprite (ASCII graphic) of a phallus
>appears at the bottom of the screen, scrolling slowly from the
>left. (about 6 columns wide, maybe 8 rows high) It stops at
>the center of the screen, beeps over and over, and then "shoots"
>an "!" up the screen in slow motion, beeping loudly all the
>while (damned annoying); this repeats three times, and then
>the graphic scrolls to the right and disappears off the screen.
>Immediately below the drawing appears the words "Big Caibua!"
>whatever the hell that means.
>
>This happens more and more often as you are working. Then,
>mysteriously, it stops -- until the next evening. By setting
>my system clock to 9pm, I was able to stop the stupid graphic
>from appearing (however, the virus was continuing to replicate
>in the background).
>
>Here is what I have learned about this virus, which I've named
>BUTTHEAD in honor of the juvenile jackass that wrote it...
>
>It is evidently NEW. During the past 72 hours, I tried at
>least a dozen different anti-virus programs, including McAfee's
>latest, IBM, ThunderByte, etc -- ALL FAILED TO DETECT THIS
>VIRUS. In addition, the BBS scanning programs do not detect
>this virus. I uploaded a zip'ed file containing this virus to
>the IBM Anti-Virus BBS this morning (with their knowledge and
>consent of course), and their BBS scanned it and accepted it
>as being fine. Until a disinfectant for this becomes available from
>McAfee and others, DO NOT ASSUME THAT FILES ARE SAFE SIMPLY
>BECAUSE YOUR LOCAL BBS IS RUNNING AN ANTI-VIRUS SCAN PROGRAM!
>
>BUTTHEAD affects *ONLY* .COM files. It does not seem to
>affect the hard disk boot sector and it does not reside in
>memory. It is extremely dangerous, however, because simply
>running one infected .COM file will cause ALL OTHER COM files
>in that directory to become infected. Running any of those
>files will then infect all .COM files in the next directory,
>and on and on. Nearly 200 files all across my network were
>infected within minutes.
>
>Also important -- the stupid animation only runs at 5pm and
>stops after a few hours -- but the virus keeps right on
>working and infecting other .COM files regardless of the time.
>
>How to spot an infected .COM file...
>
>   (1) It will be 2,280 or 2,285 bytes LARGER than the clean
>       file started out.
>
>   (2) The FIRST CHARACTER in the file will be an ASCII 231.
>
>   (3) The 2K-plus packet that contains the virus is tacked on
>       at the end of your infected .COM file. All infected
>       files will contain the same unique "signature" or
>       character sequence within those last bytes -- "NGiK"
>       If you use a file searcher program, you will find
>       this same signature can also be found in a .ZIP file
>       that contains an infected .COM file. I scanned close
>       to 20,000 files on eight machines and that character
>       sequence turned up in 178 .COM files -- all infected.
>       It did NOT appear in any other file.
>
>       (Note that case-sensitivity does matter -- "ngik" will
>       appear in some .WAV files and is not a virus; "NGiK" is
>       the character grouping to watch out for.)
>
>
>What to do if this virus infects your machine...
>
>   I have contacted IBM and McAfee about BUTTHEAD and I
>   am sure that they will have disinfectants for this
>   virus shortly. Until then,
>
>   DO NOT RUN ANY .COM FILES AT ALL. This thing spreads
>   quickly, and you will infect all other .COM files
>   wherever you go. I was able to run .EXE files, however,
>   with no problem, and without infecting any
>   other files.
>
>   BE CAREFUL downloading files from Internet and other
>   BBS sources. As I mentioned, the BBS scanning programs
>   are NOT catching this virus at the present time.
>
>   If you do find this annoying virus on your system...
>
>   I was able to completely purge BUTTHEAD off my network
>   using a text searching utility to find the infected
>   files and then replacing them with clean files --
>   I will put this utility and some instructions in my
>   FTP directory if anyone needs it -- after I get some
>   sleep -- 72 hours non-stop of this is enough.
>
>   Richard De A'Morelli

<<<< o(0-0)o
Jim
NOT politically correct, never have been, never will be!!
( Views expressed do not represent the views of SDSU etc. etc.)
James Edwards
Instructional Computing Consultant
Faculty Room, Media technology Services, MC 8114
San Diego State University, San Diego, CA. USA 92182-0524
jedwards@Mail.sdsu.edu

------ Forwarded by JLRCU@CUVMB.
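
The three indicators listed in the alert (first byte 231, the case-sensitive "NGiK" marker in the appended tail, and growth of 2,280 or 2,285 bytes) can be combined into one file check, shown here as an added example that is not part of the forwarded message. The function names, the baseline-size mapping and the sample files are constructed for illustration; the indicator values are taken from the alert as written.

```python
import os
import tempfile

SIGNATURE = b"NGiK"      # case-sensitive marker quoted in the alert
FIRST_BYTE = 231         # "ASCII 231" reported at offset 0
GROWTH = (2280, 2285)    # reported size increase, in bytes
TAIL = max(GROWTH)       # the appended block sits at the end of the file

def check_com(data, clean_size=None):
    """Return the alert's indicators that match the bytes of one .COM file."""
    hits = []
    if data[:1] == bytes([FIRST_BYTE]):
        hits.append("first-byte-231")
    if SIGNATURE in data[-TAIL:]:            # bytes search is case-sensitive
        hits.append("NGiK-in-tail")
    if clean_size is not None and len(data) - clean_size in GROWTH:
        hits.append("size-growth")
    return hits

def scan_tree(root, baseline=None):
    """Check every .COM file under root; baseline maps file name -> clean size."""
    baseline = baseline or {}
    flagged = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.upper().endswith(".COM"):
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                hits = check_com(fh.read(), baseline.get(name.upper()))
            # Flag only when first byte and signature agree; size corroborates.
            if "first-byte-231" in hits and "NGiK-in-tail" in hits:
                flagged[name] = hits
    return flagged

def demo():
    """Run the scan over constructed sample files (not real samples)."""
    clean = b"\xe9" + b"\x90" * 99                      # 100-byte stand-in
    marked = b"\xe7" + clean[1:] + b"\x00" * 2276 + SIGNATURE
    lower = b"\xe7" + clean[1:] + b"\x00" * 2276 + b"ngik"
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "UTIL")
        os.mkdir(sub)
        for path, body in ((os.path.join(root, "CLEAN.COM"), clean),
                           (os.path.join(sub, "EDIT.COM"), marked),
                           (os.path.join(sub, "LOWER.COM"), lower)):
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_tree(root, {"EDIT.COM": len(clean)})
```

Requiring the first byte and the tail marker together keeps a four-byte string from flagging a file on its own; the size check only applies where a known-clean size is on record.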