Information Security News mailing list archives

Sophos Slams Simpsons Virus Scare


From: InfoSec News <isn () C4I ORG>
Date: Fri, 30 Jun 2000 00:45:58 -0500

http://www.computeruser.com/news/00/06/30/news18.html

By: Steve Gold, Newsbytes
June 30, 2000

Antivirus specialist Sophos today slammed warning reports issued by
its rivals over the last 24 hours about a Simpsons virus doing the
rounds.

Head researcher Graham Cluley said that Computer Associates issued a
media alert about a Trojan horse called Simpsons.

Slamming Computer Associates, he said that the vast majority of
computer users are extremely unlikely to ever encounter this virus.

"It's disappointing that Computer Associates has started a panic about
a piece of code which is incapable of even replicating itself," he
said, adding that releasing alerts about low risk Trojans like this
only serves to damage the credibility of the entire anti-virus
industry.

"It's important that security vendors act responsibly when deciding
which threats to alert upon," he said.

Computer Associates officials were not immediately available for
comment.

Sophos advised that in the unlikely event that you receive and launch
the Simpsons Trojan, it attempts to delete all files on your hard
drive. Unlike a virus or a worm, it does not replicate.

Ironically, within minutes of Sophos issuing a press release slamming
Computer Associates' media alert, Newsbytes received an automated
customer alert from Sophos' UK headquarters, relating to the Simpsons
trojan horse virus.

Timed at 05:51 Eastern time from Sophos' Viking server, the alert
describes the virus as a self-extractable ZIP file called
SIMPSONS.EXE, which contains the files SIMPSONS.BAT and SIMPSONS.BMP.

The report said that the file icon has been altered so that it looks
like an installation package.

Sophos said that when the executable file is run, it extracts the
files and automatically runs SIMPSONS.BAT. This attempts to delete all
files from drives A: to D: using the DELTREE command. If the DELTREE
command is on one of the drives being deleted then the Trojan will be
unable to delete any further drives.

Sophos added that the payload does not function on standard Windows NT
and Windows 2000 installations because DELTREE.EXE is not available.

The alert also said that SIMPSONS.BMP is not a bitmap image but a
valid ZIP archive file containing the files README.TXT, FILE_ID.DIZ
and SAMPLE.EXE. These files are not viral or malicious.

More information on the Simpsons virus can be found on Sophos' Web
site at http://www.sophos.com/virusinfo/analyses/trojsimpsons.html.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
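
A triage check for the packaging the alert describes (an executable that carries a ZIP archive, and a .BMP that is really a ZIP), as an added example that is not part of the original post or of Sophos' tooling. The sample is constructed in memory with inert placeholder contents; the function names, extension list and depth limit are assumptions.

```python
import io
import zipfile

MZ_MAGIC = b"MZ"    # DOS/Windows executable header
BMP_MAGIC = b"BM"   # Windows bitmap header
RUNNABLE_EXTS = (".bat", ".cmd", ".com", ".exe")  # assumed list, extend as needed
MAX_DEPTH = 3       # assumed bound on nested-archive recursion

def open_zip(data):
    """Return a ZipFile if data holds a ZIP (even behind an executable stub), else None."""
    try:
        return zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None

def triage(name, data, depth=0):
    """Return findings for one file, recursing into any archive it carries."""
    findings = []
    zf = open_zip(data)
    if name.lower().endswith(".bmp") and not data.startswith(BMP_MAGIC):
        kind = "a ZIP archive" if zf is not None else "not a bitmap"
        findings.append(f"{name}: .BMP extension but content is {kind}")
    if zf is not None and data.startswith(MZ_MAGIC):
        findings.append(f"{name}: executable carrying a ZIP archive (self-extractor)")
    if zf is not None and depth < MAX_DEPTH:
        for info in zf.infolist():
            if info.filename.lower().endswith(RUNNABLE_EXTS):
                findings.append(f"{name}: contains runnable member {info.filename}")
            findings += triage(info.filename, zf.read(info), depth + 1)
    return findings

def build_sample():
    """Constructed stand-in with the layout from the alert; every payload is inert text."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        for member in ("README.TXT", "FILE_ID.DIZ", "SAMPLE.EXE"):
            zf.writestr(member, "constructed placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("SIMPSONS.BAT", "REM constructed placeholder, no commands")
        zf.writestr("SIMPSONS.BMP", inner.getvalue())
    # A fake 64-byte "MZ" stub in front of the archive mimics a self-extractor.
    return MZ_MAGIC + b"\x00" * 62 + outer.getvalue()

if __name__ == "__main__":
    for finding in triage("SIMPSONS.EXE", build_sample()):
        print(finding)
```

A finding marks a file for review, not as malicious: the alert itself says the files inside SIMPSONS.BMP are harmless.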
