Excerpted from CIAC, a report of a stealth virus that uses encryption as part of its attack. If the list thinks its of interest, I'll zap it over. But briefly: September 13, 1994 1600 PDT Number E-34 _____________________________________________________________________________ PROBLEM: A previously unknown computer virus is damaging systems. PLATFORM: All MS-DOS, PC-DOS, Windows systems, all versions. DAMAGE: Damages files, encrypts hard drive. SOLUTION: Update your Anti-Virus program to detect/remove the virus. _____________________________________________________________________________ VULNERABILITY While it is not epidemic, the virus has been seen at an East ASSESSMENT: coast site and it isn't detected by the current versions of most virus scanners (revised versions are upcoming.) The virus is intentionally damaging and all files on an infected machine are at risk. Warning: Removing the virus may make some files inaccessible (see below.) _____________________________________________________________________________ The virus is intentionally damaging. Every time an infected machine boots, the virus encrypts two cylinders of the DOS partition of the hard drive starting with the highest numbered cylinder and progressing to lower numbered ones. The virus then hides the fact that it is encrypting the hard drive by decrypting any of the encrypted sectors whenever they are accessed by the system. Only with the virus out of memory do you see the encrypted sectors. WARNING: Because of the encryption the virus does, be sure you copy any important files to a floppy disk or tape before removing the virus. The CHK_HALF program described below does not decrypt any encrypted cylinders, so when the virus is removed, the encryption key is lost with it and any files in the encrypted cylinders are lost. ===========================================================================