
VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139.
/90/$0.00+2.50 This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted
by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers.
Page 9
VIRUS BULLETIN August 1991
Broadcasts the login information in the login request via
IPX if the proper login request occurs. The socket number
(2A9FH) in the broadcast packet is a value not likely to be
used by any other program. The code to perform this task is
non-functional in the samples, but could easily be corrected.
Socket numbers in broadcast packets control which machines
on the LAN will accept the broadcast. NetWare file-servers
accept requests addressed to socket 0451H. A workstation’s
IPX device driver monitors broadcasts, accepting packets
addressed to sockets opened by workstation applications.
Workstations discard broadcasts with unopened socket
numbers.
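The socket filtering just described means a GP1 broadcast is silently dropped by every workstation except the one that opened socket 2A9FH, so the only place a defender can see it is on the wire. The following Python is an added example, not code from the article or from Novell: it parses the standard 30-byte IPX header (a layout assumed here, not described in the article), flags any packet addressed to GP1's socket, and flags broadcasts to sockets outside an expected baseline; all node addresses and packets are constructed sample data.

```python
import struct

# Standard 30-byte IPX header, all fields big-endian. This layout is general
# IPX knowledge assumed here; the article itself only names the sockets.
IPX_HEADER = struct.Struct(">HHBB4s6sH4s6sH")
IPX_BROADCAST_NODE = b"\xff" * 6

NCP_SOCKET = 0x0451   # file-server request socket named in the article
GP1_SOCKET = 0x2A9F   # socket GP1 broadcasts captured login information to
# Sockets a workstation normally broadcasts to: NCP (from the article) plus
# SAP 0x0452 and RIP 0x0453 (standard NetWare sockets, assumed as a baseline).
EXPECTED_BROADCAST_SOCKETS = {NCP_SOCKET, 0x0452, 0x0453}

def parse_ipx(packet: bytes) -> dict:
    """Split a raw IPX packet into header fields and payload."""
    if len(packet) < IPX_HEADER.size:
        raise ValueError("short IPX packet")
    (_chk, length, _hops, ptype, _dnet, dnode, dsock,
     _snet, snode, ssock) = IPX_HEADER.unpack_from(packet)
    return {"type": ptype, "dst_node": dnode, "dst_socket": dsock,
            "src_node": snode, "src_socket": ssock,
            "payload": packet[IPX_HEADER.size:length]}

def classify(packet: bytes) -> str:
    """Label one packet the way a monitoring station on the LAN would log it."""
    p = parse_ipx(packet)
    if p["dst_socket"] == GP1_SOCKET:
        return "ALERT gp1-login-broadcast"   # GP1's own socket seen on the wire
    if (p["dst_node"] == IPX_BROADCAST_NODE
            and p["dst_socket"] not in EXPECTED_BROADCAST_SOCKETS):
        return "NOTICE broadcast-to-unexpected-socket"   # another listener?
    return "ok"

def build_ipx(dst_node, dst_socket, src_node, src_socket, payload, ptype=4):
    """Construct a test packet (sample data, not captured traffic)."""
    length = IPX_HEADER.size + len(payload)
    hdr = IPX_HEADER.pack(0xFFFF, length, 0, ptype, b"\0" * 4, dst_node,
                          dst_socket, b"\0" * 4, src_node, src_socket)
    return hdr + payload

WS = b"\x00\x00\x1b\x01\x02\x03"        # constructed workstation node address
SERVER = b"\x00\x00\x1b\x0a\x0b\x0c"    # constructed file-server node address
SAMPLES = {
    "ncp_request": build_ipx(SERVER, NCP_SOCKET, WS, 0x4003, b"constructed NCP request"),
    "sap_query": build_ipx(IPX_BROADCAST_NODE, 0x0452, WS, 0x4004, b"\x00\x03"),
    "gp1_leak": build_ipx(IPX_BROADCAST_NODE, GP1_SOCKET, WS, 0x4005, b"constructed login data"),
    "odd_bcast": build_ipx(IPX_BROADCAST_NODE, 0x7777, WS, 0x4006, b"constructed"),
}

def scan(samples=SAMPLES) -> dict:
    """Run the check over every sample and return {name: verdict}."""
    return {name: classify(pkt) for name, pkt in samples.items()}
```

In practice the expected-socket set should come from a baseline capture of the site's own traffic rather than the three values assumed here.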
GP1 is designed for use on a specific network where a separate non-viral application is operating on a workstation. This non-viral application would collect the broadcasts from the GP1 virus in other workstations and store the login information from these workstations. Figure 1 illustrates the situation, with the workstation running the non-viral application labelled ‘EARS’. The owner of the ‘EARS’ workstation is also the creator of GP1. The ‘EARS’ part of the GP1 virus application was not provided with our GP1 samples.
NetWare supports the login function call checked for by GP1
when ‘allow unencrypted passwords’ is on. NetWare 2.xx and
3.xx NetWare login utilities do not use this function.
GP1 is not known to have spread beyond its original location. In the absence of an ‘EARS’ workstation, this virus is limited in the damage it can cause. Possible damage may include spreading to other files, using up memory in workstations and slightly increasing network traffic.
NOVELL UPDATE
Eric Babcock
Novell Inc., Provo, Utah, USA
Novell’s Analysis of the GP1 Virus
[As indicated in Jim Bates’ article on the GP1 virus (VB, June
1991, pp. 5-7), further investigation into the functioning of
this virus continues. VB is grateful to Eric Babcock, Novell’s
software security manager at the company’s US head offices,
for supplying the following updated and amended report on
GP1 which clarifies its NetWare-specific functioning.]
In June of this year UK virus researcher Jim Bates provided Novell with a copy of the original GP1 code and a thorough analysis and disassembly. A GP1 sample from McAfee Associates confirms that we are talking about the same code as everyone else. The code is a Jerusalem virus derivative with the trigger and file deletion code (and a few other odds and ends) replaced by code designed to provide someone in an organisation with other people’s password information; hence the name ‘Get Password One’ and the NetWare-specific code.
The NetWare-specific code in the GP1 virus:
tests for the presence of a NetWare shell at the workstation.
checks for a specific form of login request by the workstation. This form of login request does not use encrypted passwords.
Figure 1. Login information exchange with a GP1 infected LAN. [Diagram: a LAN connecting the file-server, the workstation labelled ‘EARS’ and three workstations labelled ‘GP1 infected’.]