(Fwd) <<NTOOLS E-NEWSFLASH - NASTY VIRUS ALERT>>
"David D. Kelley" <daviddk@...
I believe this may be legitimate!
DK

------- Forwarded Message Follows -------
Date sent: Mon, 21 Dec 1998 18:25:20
Subject: <<NTOOLS E-NEWSFLASH - NASTY VIRUS ALERT>>
To: "Latest Win NT News" <nt-list@...-software.com>
From: nt-list-admin@...-software.com
Send reply to: comments@...-software.com

[ Double-click this line for list subscription options ]

************************************************************
<<NTOOLS E-NEWSFLASH - NASTY VIRUS ALERT>>
************************************************************

Hi All,

My Techs walked in just a few seconds ago and told me I should send this out to you A S A P. This is a _s p e c i f i c_ NT Virus and one of the worst out there up to now. Normally we do not send these alerts but this one is bad enough to let you know about immediately. The Network Associates website has much more info about it.

Warm regards,
Stu

------------------------------------------------------------
Alarm over new 'smart' virus
By Jim Kerstetter
12/21/98 01:55:00 PM

The computer network of a Fortune 100 company was obliterated last week by a new virus that one official called "the first legitimate incident of cyber-terrorism" he had ever seen.

Executives at Network Associates Inc. (NETA) were working the phones this morning to warn users about this new "smart virus," which attacks Windows NT-based networks and propagates over the network, said Gene Hodges, a general manager at Network Associates in Santa Clara, Calif.

Although Hodges declined to name the attacked company, he said 10 sites and several thousand servers and workstations had been infected. It was also unclear whether the virus was downloaded from the Internet or planted on a server internally.

"These guys were very smart," Hodges said. "They had a good enough idea of where to put it in order to make it spread very quickly."

The virus compresses the executable files of servers and workstations that it encounters, rendering them unusable.
It also encrypts .DOC or .XLF files with a cipher that researchers still have not identified, making it impossible to gain access to those files, Hodges said.

"Clearly, we don't know who developed this virus," he said. "But it's clear as to how it was first planted and how it spreads and that this person was very knowledgeable of network administration features and planned for this virus to cause serious damage."

The virus itself, which is written in C and also partly encrypted, is a savvy piece of programming, Hodges said. It logs itself in through domain administrative controls and then copies itself over the network, attacking other servers and even workstations that access those servers. It can use any link that can identify NT resources. It cannot propagate in a Unix or NetWare-based network. It is also huge by virus standards at 120KB.

Discovered Thursday, it was operating on a timing mechanism so that it propagated faster between 3 p.m. and 6 a.m. -- hours when network administration staffing is typically lower at the infected company. The company severed its WAN connections in order to isolate the problem.

"It's clear that the virus writer has a good Unix and NT background," Hodges said.

Researchers at Network Associates say they have broken the compression algorithm and will post a fixing technique that is specific to Network Associates software by early this afternoon. A detector for the "smart virus" should also be posted this afternoon.

Hodges said the company is working with Microsoft Corp., has also been in touch with other anti-virus groups and is developing a formal warning. A press conference is planned for 4:30 p.m. ET today.

"I don't think it's hyperbole to call this an information time bomb," Hodges said.

Network Associates can be reached at http://www.nai.com

[d.kelley@...]
This is a posting from the nt-list. To unsubscribe, send a blank email to leave-nt-list-123234T@...-software.com

For killer servers at unbelievable prices check out: http://www.dell.com/outlet/sunbelt.htm

______________________________________________________________________
David D. Kelley, CMD
President
Dynamic Software, Inc.
Developers of the QPII Gold Purchasing Management System!
1621 Lake Murray Blvd. Suite 3
Columbia, SC 29212-8626 USA
Phone: 803-407-1018
Fax: 803-407-0466
email: d.kelley@...
http://www.dynamic-sw.com
______________________________________________________________________