Path: utzoo!utgpu!jarvis.csri.toronto.edu!clyde.concordia.ca!uunet!samsung!think!ames!pacbell!att!chinet!edlee
From: edlee@chinet.chi.il.us (Edward Lee)
Newsgroups: comp.sys.ibm.pc
Subject: Re: Trojan in Norton
Summary: Cheap trojan masquerading as Norton utility, similar to AIDS
Message-ID: <1989Dec27.041458.9809@chinet.chi.il.us>
Date: 27 Dec 89 04:14:58 GMT
References: <25317@cup.portal.com> <327@usna.MIL>
Reply-To: edlee@chinet.chi.il.us (Edward Lee)
Distribution: na
Organization: Chinet - Chicago Public Access UNIX
Lines: 93

Date: 10-17-89 (18:52)    TECH    Number: 6468 (Echo)
  To: ALL
From: TONY MCNAMARA       Read: 10-19-89 (06:13)
Subj: Trojan Horse

We at Peter Norton Computing would like to bring to your attention an
unauthorized trojan horse named NortStop.ZIP or NortShot.ZIP (these files
are the same). This file was NOT produced with the knowledge or permission
of PNCI.

This file is not a virus (it does not infect files). Instead, it is a
trojan horse (it must be run explicitly to cause any damage). When run, it
lists the directory and claims the system is virus-free. Between December
24th and December 31st, however, it will erase files in several directories
based on their extensions.

These files can be recognized by their sizes (NortStop.ZIP is 31744 bytes,
NortStop.EXE is 38907 bytes), or by doing a text search for the strings
"NORTSHOT.EXE" in the ZIP, "Norton Public" in the EXE.

If you find or hear of these files, please contact us immediately through
Tony McNamara, 213/319-2076 (voice), TMCNAMARA 381-9188 (MCI), or
CompuServe (72477,2504).

Again, these files are in no way associated with PNCI. Please help us track
down and eliminate these files.

Thank you,
Peter Norton
---
 * QNet 1.04a1: InterLink: MicroSellar BBS ~ Verona ~ NJ ~ (201)239-1346

Msg#:32850 *Cedar Rapids*
10/27/89 17:30:17 (Read 26 Times)
From: ROB RICHTER
  To: ALL
Subj: TROJAN HORSE WARNING!

ATTENTION! ATTENTION! ATTENTION!
================================
Trojan Update:
  NORTSTOP.ZIP
  NORTSHOT.ZIP
================================

The above files claim to be a product of Peter Norton Computing Inc. The
sparse documentation claims that the program is a virus checker from
Norton, and the EXE files contained in the ZIP files read:

    The Norton Public Domain Virus Utility, PD Edition 5.50,
    (C)1989 Peter Norton

When the program is run, it has the following announcement:

    " Your System has been infected with a Christmas virus! Selected files
    were just eliminated! Without these files, you might as well use your
    computer as a damn, boat anchor! If you do NOT own a boat, you may want
    to replace the files which were just erased. Try to determine which
    files they were. HARDY HA! HA! HA! HOW DO YOU FEEL NOW; YOU IDIOT?
    MERRY CHRISTMAS AND HAPPY NEW YEAR!"

Peter Norton has released a statement that these files are NOT a product of
Norton Computing, but are cheap trojans that will delete files on your hard
drive if you run it. The program is designed to do damage between the dates
of December 24th and December 31st, and will delete certain files based on
extension and directory. The program does not seem to install a virus, and
checks clear with the latest virus scanners.

PKUNZIP reports the following information on the ZIP files:

     1065  Implode    650  39%  10-04-89  12:26  9778978d  --w  READ-ME.NOW
    38907  Implode  30156  23%  10-02-89  11:57  c333dec0  --w  NORTSHOT.EXE
    -----          ------  ---                                  -------
    39972           30806  23%                                        2

The files are easily identified by name and length. If the EXE files are
examined, they will show "Norton Public". If the ZIP files are inspected,
they will contain "NORTSHOT.EXE". NORTSTOP.ZIP is 31744 bytes, and
NOTSTOP.EXE is 38907 bytes.

Norton Computing is asking that all versions of these files be removed from
distribution. Persons with any information regarding these files should
contact Peter Norton Computing Inc:

    Tony McNamara
    (213) 319-2076 (voice)
    TMCNAMARA 381-9811 (MCI)
    72477,2504 (CompuServe)
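
The identification method given in both messages (exact file size, or a text search for an embedded string), written out as an added example that is not part of the original posts. The sizes and strings are the ones quoted above; the function names, the sample file names and the padded stand-in files are constructed for the illustration.

```python
import os
import tempfile

# Indicators from the advisory: (label, exact size in bytes, embedded string)
INDICATORS = [
    ("ZIP", 31744, b"NORTSHOT.EXE"),
    ("EXE", 38907, b"Norton Public"),
]

def classify(path):
    """Match one file against the indicators. The file name is ignored,
    since a renamed copy keeps its size and embedded strings."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    for label, want_size, marker in INDICATORS:
        found = []
        if size == want_size:
            found.append("size")
        if marker in data:
            found.append("string")
        if found:
            hits.append((label, "+".join(found)))
    return hits

def scan(root):
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = classify(path)
            if hits:
                results[path] = hits
    return results

def demo():
    """Scan constructed stand-in files (padding plus marker, not the trojan)."""
    samples = {
        "UTIL.ZIP": b"NORTSHOT.EXE".ljust(31744, b"\0"),
        "CHECK.EXE": b"Norton Public".ljust(38907, b"\0"),
        "PADDED.EXE": b"Norton Public".ljust(40000, b"\0"),
        "CLEAN.EXE": b"\0" * 1000,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): h for p, h in scan(root).items()}
```

A hit on "string" alone, as with the padded sample, is a copy whose length no longer matches the advisory but which still carries the marker text.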