-----BEGIN PGP SIGNED MESSAGE-----

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE
			OUTSIDE ADVISORY REDISTRIBUTION

21 August 1996 14:00 GMT                         Number: ERS-OAR-E01-1996:020.1
===============================================================================

The IBM-ERS Outside Advisory Redistribution is designed to provide customers
of the IBM Emergency Response Service with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security.

IBM makes no representations and assumes no responsibility for the contents or
accuracy of the advisories themselves.

IBM-ERS is forwarding the following information from AUSCERT.  Contact
information for AUSCERT is included in the forwarded text below; please
contact them if you have any questions or need further information.

===============================================================================

********************** FORWARDED INFORMATION STARTS HERE **********************

=============================================================================
AL-96.05                        AUSCERT Alert
		     Euthanasia/Hare/Krshna Virus Alert
                               21 August 1996
- -----------------------------------------------------------------------------

AUSCERT has received the following bulletin concerning a new virus that
is expected to cause damage to data on August 22 or September 22 of any
year.

The information contained has been reproduced with permission from
Leprechaun Software Pty. Ltd.

- -----------------------------------------------------------------------------

Virus Name: HDEuthanasia version 2 & 3

How to tell if you have it:

    Very difficult. The virus is highly stealth (it even bypasses the BIOS
    hard disk virus protection).  If you have a large network you might
    notice a few PCs that fail to boot from the hard drive. (This is due
    to a bug in the virus infection code that destroys the occasional boot
    record).  You might notice files have grown by 8K using some disk
    utilities or if you boot clean & do a DIR.  You might notice a slight
    slowing of the diskette on 95 machines.

    It has been reported that the virus has been distributed in free
    software available on the Internet.

What it does:

    The virus is large and highly developed. The most relevant point is
    that the virus will activate on the 22nd of August and the 22nd of
    September any year.  The virus activates when an infected program is
    run or an infected PC is booted. When the virus activates it displays
    a message on the screen "HDEuthanasia by Demon Emperor: Hare Krsna,
    hare, hare..." and then proceeds to write random data to every sector
    of the drive, starting at the end and working to the start.  This
    effectively destroys the entire disk contents.  There is no recovery.

    Note that this virus alternates between version 2 & 3 (there are NOT
    2 different versions as reported elsewhere, it is the one version that
    mutates itself.)  Only one of the versions is destructive so only half
    the machines infected (on average) will be destroyed.

Which systems are affected:

    Any Intel based machine.  Since the virus infects .COM files, .EXE
    files, and the Master Boot Record, it is possible that DOS, Windows,
    and Windows 95 systems are vulnerable, as well as Unix systems if they
    were booted from an infected floppy disk.

    It is unclear if OS/2 systems are vulnerable, but it is likely.

    It is believed that Novell Servers are not vulnerable.

How to prevent it:

Simple fix
    On or before the 21st of the month set the system date to the 23rd of
    the month.  On the 24th of the month set the system date to the 24th.

Better fix
    Download the latest version of VCHECK from Leprechaun (at the time of
    writing, this was VCHECK9.EXE).
    Boot with a clean floppy, run VCHECK & follow instructions.  
    VCHECK is available from:
	http://www.leprechaun.com.au/
    under the "Utilities and Free Software" link.

Long term fix
    Protect your systems with a quality anti-virus security system.  

- -----------------------------------------------------------------------------
AUSCERT thanks Jack Kenyon from Leprechaun Software Pty. Ltd. and Adam
Radford from UNSW for their assistance.
- -----------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA

*********************** FORWARDED INFORMATION ENDS HERE ***********************

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.  To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information.  The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not be
used for advertising or product endorsement purposes.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBMhsMsPWDLGpfj4rlAQHRHAP9Fxlsqcj+AA0QGn60SILUccDFa+NdJjkw
++lorNThBlY2494yvw515kkxkh7CejHpSpqWyfvkDaoJj9XoqS34UJ/gb6rngawH
KawhhSYG4RYOuqMDBlyNK6BCHH3SfYY/kFyF8ZsASIX+r8gm1DWGAi3LdzjYfp9Q
68iUDYjRwa4=
=Jf+W
-----END PGP SIGNATURE-----