- Sign-up Now!
 - Current Issue
 - Edit Your Profile/Unsubscribe

Subscribe | Media Kit | About Us | All Issues | Subscriber Feedback | Contact Us | Privacy Statement
Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Dec 21, 1998
  This issue of W2Knews™ contains:
Hi All,

My Techs walked in just a few seconds ago and told me I should
send this out to you A S A P. This is a _s p e c i f i c_ NT
Virus and one of the worst out there up to now. Normally we do 
not send these alerts but this one is bad enough to let you know 
about immediately.

The Network Associates website has much more info about it.

Warm regards,
Stu Sjouwerman

Alarm over new 'smart' virus

By Jim Kerstetter
12/21/98 01:55:00 PM

The computer network of a Fortune 100 company was obliterated 
last week by a new virus that one official called "the first 
legitimate incident of cyber-terrorism" he had ever seen.

Executives at Network Associates Inc. (NETA) were working the phones this
morning to warn users about this new "smart virus," which attacks Windows
NT-based networks and propagates over the network, said Gene Hodges, a
general manager at Network Associates in Santa Clara, Calif.

Although Hodges declined to name the attacked company, he said 10 sites 
several thousand servers and workstations had been infected. It was also
unclear whether the virus was downloaded from the Internet or planted on a
server internally.

"These guys were very smart," Hodges said. "They had a good enough idea of
where to put it in order to make it spread very quickly."

The virus compresses the executable files of servers and workstations that
it encounters, rendering them unusable. It also encrypts .DOC or .XLF 
with a cipher that researchers still have not identified, making it
impossible to gain access to those files, Hodges said.

"Clearly, we don't know who developed this virus," he said. "But it's 
as to how it was first planted and how it spreads and that this person was
very knowledgeable of network administration features and planned for this
virus to cause serious damage."

The virus itself, which is written in C and also partly encrypted, is a
savvy piece of programming, Hodges said. It logs itself in through domain
administrative controls and then copies itself over the network, attacking
other servers and even workstations that access those servers. It can use
any link that can identify NT resources. It cannot propagate in a Unix or
NetWare-based network.

It is also huge by virus standards at 120KB. Discovered Thursday, it was
operating on a timing mechanism so that it propagated faster between 3 
and 6 a.m. -- hours when network administration staffing is typically 
at the infected company. The company severed its WAN connections in order
to isolate the problem.

"It's clear that the virus writer has a good Unix and NT background,"
Hodges said.

Researchers at Network Associates say they have broken the compression
algorithm and will post a fixing technique that is specific to Network
Associates software by early this afternoon. A detector for the "smart
virus" should also be posted this afternoon.

Hodges said the company is working with Microsoft Corp., has also been in
touch with other anti-virus groups and is developing a formal warning. A
press conference is planned for 4:30 p.m. ET today.

"I don't think its hyperbole to call this an information time bomb," 

Network Associates can be reached at http://www.nai.com

(email me with feedback: [email protected])