IBECC NEWS AND RUMOR CONTROL RELEASE
22 August 1996
Contact: Marshall Barry (mbarry at IBECC.Org)

RE: Don't connect to the Internet Or Your Computer may be destroyed by an "Internet Virus"
OR: "It's more real than 'Good Times' but you can't get it simply by connecting to 'The Net'"

LEVEL: Don't Panic!

Note: In order to have this virus on your system you must have:
  1) Downloaded (to your computer) an "infected program" (see later for list of known programs)
  AND
  2) Executed (run) one of those programs!

You can NOT be infected by:
  1) Reading your mail
  2) Reading Internet Newsgroup(s)
  3) Simply Being Connected to the Internet
  4) Viewing Pictures
  5) Visiting Web Sites
  6) Downloading legitimate software from the official software distribution sites.

TECHNICAL VIRUS INFORMATION AND "ENGLISH" EXPLANATION:

NAME:   Hare
ALIAS:  HDEuthanasia, Krsna
TYPE:   Stealth OS Boot MBR Boot Resident COM/EXE -files
ORIGIN: Slovenia

This is a resident stealth multipartite virus with antiheuristics and antiemulation tricks, encrypted with a slow polymorphic encryption layer.

(Translation: It hides itself well, knows about the "tricks" used by scanners and other "anti-infectors", and "encrypts" itself, changing over time. In other words, "It's a smart virus and hides easily... treat it as you would a colony of roaches.")

Krsna infects COM and EXE files, MBRs of hard drives and floppy boot sectors. Infected files and boot sectors are encrypted with a slowly changing polymorphic encryption layer. Infected files are marked by setting the seconds field of the time stamp to 34. Krsna will not infect files starting with 'TB' or 'F-'.

(Translation: It infects executable files and the boot record of your hard drive. If your system supports "virus detection" you should use it. Do NOT (unless you're VERY sure of what you're doing) allow any software to "write" the "boot sectors" of any disk or diskette. It also knows about "ThunderByte" and "F-Protect" antivirus software (TB and F-) and will specifically NOT infect them.)

When an infected file is run, the virus first infects the MBR of the hard drive. When the machine is rebooted, the virus installs itself in memory from the MBR and also starts to infect floppy boot sectors during floppy access, as well as COM and EXE files.

(Translation: The virus infects the "boot record" of your hard drive. When you reboot your computer (turn it on, or use the "Alt-Ctrl-Del" sequence to warm boot) it gets loaded into memory and begins the cycle of infection.)

When resident, the virus occupies over 9kB of memory. Infected files will grow around 7-8kB in size, depending on the polymorphic decryptor. The polymorphic decryptor contains several conditional and unconditional jumps and several calls to do-nothing interrupts to confuse heuristics and emulation. Polymorphic encryption changes slowly, trying to make it difficult to create a large sample set with variable decryptors.

(Translation: Here's its "smarts"... Although it is a relatively large program (7-10K depending on variant) it "modifies" itself regularly. It uses "tricks" to "make-believe" it is a legitimate program, both by making use of low-level "INT" calls (which actually do nothing, but are not harmful) and by changing its code so that it doesn't look the same twice. As Virus "scanners" look for certain "sequences" of code, this makes it much more difficult to find, not to mention eradicate. To much of the available software, it would appear to be a "resistant strain" (i.e. hard to spot, and when you do find it, hard to cure). Don't Panic, though!)

Krsna will attempt to hide itself in files, but it will sometimes report the infected files to be a little bigger or smaller than they originally were. Krsna is Windows 95-aware: it will delete the floppy disk driver file to make itself capable of spreading to floppy disks used from Win95.
(Translation: If you're running Windows 95, you can still be infected, and it can infect floppy disks as well by altering the operating system.)

Krsna activates when the machine is booted on the 22nd of August and 22nd of September. At this time it displays this text:

  "HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...

After this the virus attempts to overwrite the hard drive and A: and B: drives. This produces a 'Non-system disk' error, but the virus stays resident after the destruction is done - so it can still replicate if a boot floppy is inserted to start up the machine.

(Translation: It will damage the software of your computer making it impossible to boot from the hard drive. If you then place a "bootable" (AND NOT "write-protected") floppy in the drive to boot from, it will infect that diskette as well. ALSO NOTE: When in doubt, it is ALWAYS safer to turn the computer OFF, put a KNOWN CLEAN (uninfected AND "write-protected") diskette in the drive and THEN power-on BOOT!)

Krsna was found in the wild in USA in May 1996 and it was apparently distributed over the internet, as infections were soon found from Canada, UK, Switzerland, Russia and The Netherlands.

VARIANT: Hare.7750

This is a newer variant which has some bugs corrected. The text message in the virus has been changed to:

  "HDEuthanasia-v2" by Demon Emperor: Hare, Krsna, hare, hare...

Otherwise the virus is like the original variant. This variant was spread in faked posts in usenet news on 26th and 29th of June, 1996. Infected files included:

  vpro46c.exe   in alt.cracks
  agent99e.exe  in alt.cracks
  agent99e.exe  in alt.crackers
  lviewc.exe    in alt.crackers
  red_4.exe     in alt.sex
  pkzip300.exe  in alt.comp.shareware

(Translation: It was distributed in the "hacking" and "cracked software" newsgroups, the "adult" newsgroups and as a "supposed new version" of the popular "PKZip" compression software. If you've received copies of these recently - suspect them! The programs that are known to be infected via "news groups" are: vpro46c, agent99e, lviewc, red_4, and pkzip300. NOTE: THE SOFTWARE AVAILABLE FROM THE ORIGINAL (LEGITIMATE) DISTRIBUTION SITES IS **NOT** INFECTED... only the "cracked" versions are suspect!)

VARIANT: Hare.7786

The text message in this variant has been changed to:

  "HDEuthanasia-v3" by Demon Emperor: Hare, Krsna, hare, hare...

============================================================

NOTES:

This virus ***WILL*** Trigger again on SEPTEMBER 22 as well! NOT ONLY THIS YEAR, BUT EVERY AUGUST and SEPTEMBER 22 FROM NOW ON! Michelangelo, for example, "went off" this year and "took out" at least 30 computers that we know of! THEY DON'T JUST GO AWAY!

BASIC RULE: SCAN ALL NEW SOFTWARE BEFORE USING IT - and don't forget to scan the "install software"!

===

While it *IS* possible that other software was/is suspect, MOST "infected" programs are "cracks" and "warez" or other "trojans" (note esp. "Pkzip300") which would only likely be decoded by people looking for "free software." It was also distributed via the "adult" and "sex" newsgroups as "hot software" and "hot viewers." People who have been "caught" are (understandably) "embarrassed" to report it.

Also note: If you feel you have been infected, please be safe rather than sorry. There are a number of places that "detection" and "disinfection" software can be obtained! F-Prot (from DataFellows.Com), for example, has a program available called "F-Hare" (check for the current version) which can properly detect and "clean" this little(!) nightmare. Dr. Solomon's has had updates and scanning software available for several months and has sent warnings out to its customers as well as via the internet newsgroups. Symantec, and McAfee, also have software available (and have for several weeks). Other antivirus sites are claiming to have similar programs ...

REMEMBER TO ONLY ACQUIRE THE ANTIVIRUS SOFTWARE DIRECTLY FROM THE "MANUFACTURER" or VERY TRUSTED SITE !!!
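As an added illustration (not part of the original release or of any vendor's scanner), the following Python decodes the packed DOS directory time stamp and flags COM/EXE files whose seconds field reads 34, the infection marker described in the technical section above. The file names and time values are constructed samples; the FAT time-word layout (hours/minutes/seconds-over-two) is standard DOS, not something taken from the virus.

```python
# Hare/Krsna marks infected files by forcing the seconds field of the DOS
# time stamp to 34. FAT stores the time as a 16-bit word with 2-second
# resolution: bits 15-11 = hours, bits 10-5 = minutes, bits 4-0 = seconds // 2.
HARE_MARKER_SECONDS = 34


def pack_dos_time(hour, minute, second):
    """Pack h:m:s into the 16-bit FAT/DOS time word (seconds rounded down to 2s)."""
    return (hour << 11) | (minute << 5) | (second // 2)


def unpack_dos_time(word):
    """Return (hour, minute, second) from a packed DOS time word."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2


def has_hare_marker(dos_time_word):
    """True when the decoded seconds field equals the Hare marker (34).

    Because FAT only keeps even seconds, a clean file stamped at :35 also
    decodes to 34, so this is a triage filter, not proof of infection."""
    return unpack_dos_time(dos_time_word)[2] == HARE_MARKER_SECONDS


def flag_suspect_entries(entries):
    """entries: iterable of (filename, packed_dos_time).

    Returns the names of COM/EXE files carrying the 34-second marker. Other
    file types are skipped because the virus only infects COM and EXE."""
    suspects = []
    for name, tword in entries:
        upper = name.upper()
        if not (upper.endswith(".COM") or upper.endswith(".EXE")):
            continue
        if has_hare_marker(tword):
            suspects.append(name)
    return suspects


# Constructed sample directory listing (not real data): ordinary stamps
# plus two executables carrying the marker and one non-executable decoy.
SAMPLE_DIR = [
    ("COMMAND.COM", pack_dos_time(6, 22, 0)),
    ("PKZIP300.EXE", pack_dos_time(14, 7, 34)),
    ("README.TXT", pack_dos_time(14, 7, 34)),   # not COM/EXE: ignored
    ("LVIEWC.EXE", pack_dos_time(9, 30, 34)),
    ("TBSCAN.EXE", pack_dos_time(11, 0, 12)),
]

if __name__ == "__main__":
    for suspect in flag_suspect_entries(SAMPLE_DIR):
        print("marker found, scan with an up-to-date product:", suspect)
```

Files flagged this way should be confirmed with a current scanner such as the vendor tools listed above; the marker alone narrows the search but cannot distinguish an infection from a coincidental stamp.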
Remember, your friends may be infected, and getting "EXE" files from them may pass the infection on!

================================================================

For further information, please feel free to contact:

IBECC -- a non-profit corporation founded in the public interest in 1991.
We do News, Information, Rumor Control, Education and Support of the Public and End-User Community.

email: IBECC@IBECC.Org
Voice: 1-719-685-nnnn