Information Security News mailing list archives
Sophos Slams Simpsons Virus Scare
From: InfoSec News <isn () C4I ORG>
Date: Fri, 30 Jun 2000 00:45:58 -0500
http://www.computeruser.com/news/00/06/30/news18.html

By: Steve Gold, Newsbytes
June 30, 2000

Antivirus specialist Sophos today slammed warning reports issued by its rivals over the last 24 hours about a Simpsons virus doing the rounds.

Head researcher Graham Cluley said that Computer Associates issued a media alert about a Trojan horse called Simpsons. Slamming Computer Associates, he said that the vast majority of computer users are extremely unlikely to ever encounter this virus.

"It's disappointing that Computer Associates has started a panic about a piece of code which is incapable of even replicating itself," he said, adding that releasing alerts about low risk Trojans like this only serves to damage the credibility of the entire anti-virus industry.

"It's important that security vendors act responsibly when deciding which threats to alert upon," he said.

Computer Associates officials were not immediately available for comment.

Sophos advised that in the unlikely event that you receive and launch the Simpsons Trojan, it attempts to delete all files on your hard drive. Unlike a virus or a worm, it does not replicate.

Ironically, within minutes of Sophos issuing a press release slamming Computer Associates' media alert, Newsbytes received an automated customer alert from Sophos' UK headquarters, relating to the Simpsons trojan horse virus.

Timed at 05:51 Eastern time from Sophos' Viking server, the alert describes the virus as a self-extractable ZIP file called SIMPSONS.EXE, which contains the files SIMPSONS.BAT and SIMPSONS.BMP.

The report said that the file icon has been altered so that it looks like an installation package.

Sophos said that when the executable file is run, it extracts the files and automatically runs SIMPSONS.BAT. This attempts to delete all files from drives A: to D: using the DELTREE command. If the DELTREE command is on one of the drives being deleted then the Trojan will be unable to delete any further drives.

Sophos added that the payload does not function on standard Windows NT and Windows 2000 installations because DELTREE.EXE is not available.

The alert also said that SIMPSONS.BMP is not a bitmap image but a valid ZIP archive file containing the files README.TXT, FILE_ID.DIZ and SAMPLE.EXE. These files are not viral or malicious.

More information on the Simpsons virus can be found on Sophos' Web site at http://www.sophos.com/virusinfo/analyses/trojsimpsons.html.

ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
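The two structural details in the alert, an executable that carries a ZIP archive and a .BMP file that is really a ZIP, can be spotted by comparing each file's extension with its leading bytes and walking any embedded archive. The Python below is an added example, not part of the original article or of Sophos' tooling; the function names and the sample bytes are constructed, harmless placeholders that reuse only the file names given in the alert.

```python
import io
import os
import zipfile

# Leading "magic" bytes for the file types named in the alert, and the type
# each extension claims to be.
MAGIC = {"bmp": b"BM", "exe": b"MZ", "zip": b"PK\x03\x04"}
CLAIMS = {".bmp": "bmp", ".exe": "exe", ".zip": "zip"}


def sniff(data):
    """Return the type implied by the leading bytes, or None if unknown."""
    return next((k for k, m in MAGIC.items() if data.startswith(m)), None)


def inspect_file(name, data, depth=0, max_depth=3):
    """Return findings for one file, recursing into any embedded ZIP data."""
    findings = []
    claimed = CLAIMS.get(os.path.splitext(name)[1].lower())
    actual = sniff(data)
    if claimed and actual and claimed != actual:
        findings.append(f"{name}: extension claims {claimed}, content is {actual}")
    # is_zipfile() looks for the end-of-central-directory record, so it also
    # matches a ZIP appended to an executable stub (a self-extracting archive).
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if actual == "exe":
                findings.append(f"{name}: executable with embedded ZIP {zf.namelist()}")
            for member in zf.namelist():
                findings += inspect_file(member, zf.read(member), depth + 1, max_depth)
    return findings


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed, harmless stand-ins that only mirror the layout Sophos describes.
inner = make_zip({"README.TXT": b"text", "FILE_ID.DIZ": b"text", "SAMPLE.EXE": b"MZ placeholder"})
sample = b"MZ" + b"\x00" * 62 + make_zip({"SIMPSONS.BAT": b"rem placeholder", "SIMPSONS.BMP": inner})

if __name__ == "__main__":
    print("\n".join(inspect_file("SIMPSONS.EXE", sample)))
```

A mismatch is reported only when both the extension and the leading bytes are in the small tables above, so extending `MAGIC` and `CLAIMS` is what widens coverage.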