Warning: new Mac trojan horse virus ALLEGED...

Michael Sattler (msattler@jungle.com)
Mon, 6 Feb 1995 20:27:21 -0500


Hello all. Someone sent the following message to me. I haven't verified
that the file exists, or that it really contains a virus, or that the virus
detectors mentioned don't actually detect it. If anyone has any
experiences with this please let me know.

______________________________________________________________________________

Hi there, I was gonna post this to CU-See-Me list, just to warn folks, but
figured that would be inappropriate. Anyway, since you're a totally cool
guy, I wanted to warn you about the new trojan horse posted to
comp.sys.mac.games -- just in case you hadn't heard about it yet:

______________________________________________________________________________
This alert is for Macintosh specific systems, but there may also be a
similar PC file circulating the net. Read on...

There is a file out called "Blood Bath demo 'Blood Patch'"

This file claims to enable some of the "blood and gore" features of a new
demo video game called "Blood Bath"

THIS FILE IS A TROJAN HORSE THAT WILL MODIFY YOUR SYSTEM SO THAT YOUR VOWEL
KEYS DO NOT WORK

The name of the trojan horse is called "Nvwl II" (i.e. No-vowel without the
vowels).

This trojan horse is NOT detected by the latest versions of VIREX, SAM, or
Disinfectant!

Do not install this patch!!!

If you have already installed this patch:

1) use a file like Disk Tools to search through your "Startup Items"
folder. You will find an "invisible" file with no name in your startup
items folder.

DESTROY THIS FILE (it is locked so you will have to unlock it first)

2) Re-install your System file and your System Enabler, and destroy the old
copies

I have not found that this patch corrupted any other system resources, but
I will repost if I find that anything else is wrong.

For those of you interested in discerning the origin of the files, they
were posted to the newsgroup comp.sys.mac.games on Feb 5, 1995 from the
following two addresses:

OLIVAS@delphi.com

and

PACC07A@prodigy.com

The trojan horse file can be downloaded from comp.sys.mac.games -- it is a
BinHex 4.0 posting and is NOT self extracting. Once you decode the BinHex,
you get a standard "Apple Installer" program that will NOT install the
patch until it is run. (i.e. to my knowledge it is safe to download and
examine this file, it will not do anything until you run it).

Once you remove the trojan horse app from your startup items folder and
replace your corrupted system file, everything APPEARS to be running OK. I
have also been able to successfully run the Blood Bath demo program again,
without any adverse effects. The patch apparently did nothing to modify the
demo game, it only modified the system folder.

I have tried to contact the two individuals who have posted this file, to
request that they cancel their posting. They have not responded. If there
is any way to contact their system administrators, perhaps someone could do
that. I am not familiar with how to contact Delphi or Prodigy.

This information has been submitted to DATAWATCH (makers of Virex) and they
should have a patch out soon.

Thank you.

_______________________________________________________
C. R. Coberley carter@beta.inc.net
7900 Harwood Avenue, #110 (414)771-8453 phone
Wauwatosa, WI 53213 (414)771-8453 fax
_______________________________________________________

I know what's coming to me is never going to arrive

-----------------------------------------------------------------------
Michael Sattler <msattler@jungle.com>      San Francisco, California
Digital Jungle Consulting Services         http://www.jungle.com/msattler/

You couldn't get a clue during the clue mating season in
a field full of horny clues if you smeared your body with clue musk
and did the clue mating dance. - Edward Flaherty