Re: STOP THIS! (was: Internet Virus)

Gessler, Nicholas (gessler@ANTHRO.SSCNET.UCLA.EDU)
Tue, 21 Jun 1994 10:57:00 PDT

Hello all.

Here's a double case when a "seal" of authenticity could be
important on the internet: In the first instance, a virus disguising itself
as a "virus alert" might be a particularly bold and effective strategy. I
hope we don't see that. In the second case, a benign "text-based" virus
which replicates by convincing the reader of its urgency and causing that
reader to re-post it, might stay around for years, lurking in corners and
waiting for a new population to infect. Apparently, we have just seen that.
Either the "Internet Virus" post is correct and current, or the following
"STOP THIS" post is correct and current. ISN'T CYBERSPACE WONDERFUL?

Nick Gessler
gessler@anthro.sscnet.ucla.edu

------------------------------------------------------------------------------
FORWARDED FROM: Gessler, Nicholas (G) ANTHRO
Return-Path: <gessler@alife.santafe.edu>
Albbs: MIT Press Artificial Life ONLINE Bulletin Board System
Date: Tue, 21 Jun 94 00:28:30 MDT
From: gessler@alife.santafe.edu
Message-Id: <9406210628.AA22474@albbs>
To: gessler@anthro.sscnet.ucla.edu (frisk@complex.is (Fridrik Skulason))
Subject: Re: STOP THIS! (was: Internet Virus)
Newsgroups: misc.misc,comp.misc,rec.misc,sci.misc,comp.bbs.misc,comp.multimedia,comp.os.misc,comp.os.msdos.misc,comp.security.misc
X-Newsreader: TIN [version 1.2 PL2]
In article <2084@complex.complex.is> you wrote:
: >>>I received the following virus warning and thought it should be
: >>>passed along
: >>>>>---------------------------------------------------------------------------
: >>>>>A Virus has been discovered on Internet that is disguised as CD-ROM
: >>>>>shareware.

: 1) This is a stupid, overwriting Trojan, not a virus

: 2) It was NOT discovered on the Internet...but rather on some obscure BBS.

: 3) This Trojan is old...several programs have been detecting it for many
: years, under the name "Warpcom.2" (just in case anybody is interested,
: I am appending the original ('90) documentation for the Trojan)

: 4) So, please...please...stop reposting this piece of misinformation...

: _______________________________________________________________________________
: ***** *****
: *** WARPCOM II Trojan Horse ***
: * Programmed by Flash Force! *
: ***** ***** RABID N'tnl Development Corp ***** *****
: *** *** Copyright (c) 1990 RABID! *** ***
: * * * *
: _______________________________________________________________________________

: This is the second version of the WARPCOM trojan. The original, I hear,
: has been the demise of many deserving hard drives. Frankly, that surprised me
: since the first one has so many shortcomings. This version is much improved.
: Okay, here's the scenario. Your victim runs WARPCOM II and nothing
: happens but disk access. So he just deletes what he thinks is a screwed up
: program. Later he turns off the computer and goes to sleep, or whatever. Next
: morning, he turns it on, and it appears to hang. "Funny," he thinks. He tries
: again and it says "Non-system disk error"...At this point everything on his
: hard drive is in data heaven. Goodbye, loser.
: Now for a more detailed description of what happens:

: 1) WARPCOM II finds the COMMAND.COM used to boot up the computer.
: 2) Deletes it, even if it is read-only.
: 3) Creates another that is the same size with the same creation/modification
: dates and same attributes.

: The COMMAND.COM that is created appears to be the same old copy that is
: always used to boot up the computer, but in reality it has instructions to
: format the drive and nothing else. Since the damage occurs at boot time, and
: the trojan is run before that, most stupid people will not be able to make the
: connection between the trojan and their hard drive getting annihilated. Also,
: WARPCOM II makes no screen writes so it can be easily concealed in a batchfile
: or something similar (Sierra game loader?) Use your imagination on this part.
: The one problem with WARPCOM II is that Flushot will detect it. If your
: victim is running Flushot, I wouldn't bother them with this. The only known
: program that can get around Flushot is the Twelve Tricks Trojan.

: This program and textfile are provided for educational purposes only, of
: course. I wouldn't want anyone using this for any malicious purpose or
: anything. (not!)

: Flash Force
: RABID
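
------------------------------------------------------------------------------
Added example (not part of the original message or of the quoted documentation): the quoted text says the replacement COMMAND.COM keeps the original's size, dates and attributes, so a check that looks only at metadata sees nothing. The Python sketch below uses constructed file contents in a temporary directory and hypothetical helper names to compare a recorded baseline against a file swapped for one of the same size and timestamp; only the content hash differs.

```python
import hashlib
import os
import tempfile

FIELDS = ("size", "mtime_ns", "sha256")


def fingerprint(path):
    """Record the metadata a directory listing shows, plus a content hash."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}


def changed_fields(baseline, current):
    """Return the fingerprint fields that no longer match the baseline."""
    return [name for name in FIELDS if baseline[name] != current[name]]


def replace_keeping_metadata(path, new_bytes):
    """Constructed test fixture: swap a file's content, keep size and times."""
    st = os.stat(path)
    if len(new_bytes) != st.st_size:
        raise ValueError("fixture must keep the original size")
    os.remove(path)
    with open(path, "wb") as fh:
        fh.write(new_bytes)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Baseline a constructed file, replace it, report what each check sees."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "COMMAND.COM")  # constructed sample file
        with open(path, "wb") as fh:
            fh.write(b"A" * 1024)  # constructed "original" content
        baseline = fingerprint(path)
        untouched = changed_fields(baseline, fingerprint(path))
        replace_keeping_metadata(path, b"B" * 1024)  # constructed replacement
        replaced = changed_fields(baseline, fingerprint(path))
    return untouched, replaced


if __name__ == "__main__":
    print(demo())
```

The baseline is only useful if it is stored somewhere the checked machine cannot rewrite, such as write-protected or offline media.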