-----BEGIN PGP SIGNED MESSAGE----- =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Gert Meijerink Index : S-96-47 Distribution : World Page : 1 Classification: External Version: 1 Subject : Euthanasia/Hare/Krshna Virus Alert Date : 21-aug-96 =============================================================================== By courtesy of AUSCERT we received information on a virus alert CERT-NL recommends that this information be acted upon as soon as possible. ============================================================================== AUSCERT acknowledges that this bulletin may not be received by constituents in time to take remedial action. AUSCERT was made aware of the destructive nature of this virus late today (21-Aug-1996). ============================================================================= AL-96.05 AUSCERT Alert Euthanasia/Hare/Krshna Virus Alert 21 August 1996 - - --------------------------------------------------------------------------- AUSCERT has received the following bulletin concerning a new virus that is expected to cause damage to data on August 22 or September 22 of any year. The information contained has been reproduced with permission from Leprechaun Software Pty. Ltd. - - --------------------------------------------------------------------------- Virus Name: HDEuthanasia version 2 & 3 How to tell if you have it: Very difficult. The virus is highly stealth (it even bypasses the BIOS hard disk virus protection). If you have a large network you might notice a few PCs that fail to boot from the hard drive. (This is due to a bug in the virus infection code that destroys the occasional boot record). You might notice files have grown by 8K using some disk utilities or if you boot clean & do a DIR. You might notice a slight slowing of the diskette on 95 machines. It has been reported that the virus has been distributed in free software available on the Internet. What it does: The virus is large and highly developed. The most relevant point is that the virus will activate on the 22nd of August and the 22nd of September any year. The virus activates when an infected program is run or an infected PC is booted. When the virus activates it displays a message on the screen "HDEuthanasia by Demon Emperor: Hare Krsna, hare, hare..." and then proceeds to write random data to every sector of the drive, starting at the end and working to the start. This effectively destroys the entire disk contents. There is no recovery. Note that this virus alternates between version 2 & 3 (there are NOT 2 different versions as reported elsewhere, it is the one version that mutates itself.) Only one of the versions is destructive so only half the machines infected (on average) will be destroyed. Which systems are affected: Any Intel based machine. Since the virus infects .COM files, .EXE files, and the Master Boot Record, it is possible that DOS, Windows, and Windows 95 systems are vulnerable, as well as Unix systems if they were booted from an infected floppy disk. It is unclear if OS/2 systems are vulnerable, but it is likely. It is believed that Novell Servers are not vulnerable. How to prevent it: Simple fix On or before the 21st of the month set the system date to the 23rd of the month. On the 24th of the month set the system date to the 24th. Better fix Download the latest version of VCHECK from Leprechaun (at the time of writing, this was VCHECK9.EXE). Boot with a clean floppy, run VCHECK & follow instructions. VCHECK is available from: http://www.leprechaun.com.au/ under the "Utilities and Free Software" link. Long term fix Protect your systems with a quality anti-virus security system. - - --------------------------------------------------------------------------- AUSCERT thanks Jack Kenyon from Leprechaun Software Pty. Ltd. and Adam Radford from UNSW for their assistance. - - --------------------------------------------------------------------------- The AUSCERT team have made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The appropriateness of this document for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AUSCERT takes no responsibility for the consequences of applying the contents of this document. ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://www.surfnet.nl/surfnet/security/cert-nl.html ftp://ftp.surfnet.nl/surfnet/net-security In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl Phone: +31 302 305 305 Fax: +31 302 305 329 Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members on request. ============================================================================== -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMhtdCGL2fnkJN/jpAQGZnwQAqkRb4MkHMVWd6JiNi/Gt5z6txTskjouy iK5fs9NqMfsVph9FrBH5WhJ3O9/bm8UCuDS68htfyhNnHj/ulxwl0bhSyd98lb30 aD6aI/FOzEZ8o6wRZAQ+vSVVTD7+4hUhLiO23AcS495BgsWM9L33jrSGAim+RJmW VpbQt2+tvNY= =I/VH -----END PGP SIGNATURE-----