
Here is something I copied from the internet. What do you gurus think, are
they using a scare tactic to sell their product, or are they saying Eudora and
other programs can carry the virus?

" Win.RedTeam


This virus infects Windows EXE files (NewExe) and sends itself to the Internet
by using Eudora e-mail - it is the first known virus that infects Windows and
spreads via the Internet. To infect files the virus stays in Windows memory; it
then infects NE files that are executed. To infect Eudora e-mail the virus
parses the internal format of the mail database and adds "infected" messages.
The virus is able to spread to the Internet only if the Eudora e-mail system is
installed on the computer, but recipients of infected messages may use any
standard e-mail system, not only Eudora.

Of course, the virus is not able to run itself automatically from an infected
message. It is not able to infect the system when an infected message is
opened and read. To spread the virus, the infected EXE attachment has to be
extracted and executed. The text of the message convinces the user to do
exactly that (to extract and execute the attached file).

The virus was not found in the wild, but once released it could appear as a
real danger to the global computer network, because to spread itself it uses
the most popular OS (Windows) and one of the most popular e-mail systems
(Eudora).

The length of the virus code and data is 4766 bytes. The virus was named after
text strings present in the virus body (they are encrypted in infected files):

 <<-RED TEAM->> (C) The Soul Manager.
 Made in Australia - 06.97.
 So, so, Herr Kurtzhals - Is F/Win able to follow The Red Team?

Infecting EXE

While infecting NewEXE files the virus does not create a new segment in
them - it calculates the address of the code segment, moves the rest of the
file down and writes itself to that cave. The virus increases the size of the
code segment and as a result stays as a part of the legal program's code. The
virus also fixes the necessary fields in the NE header and relocation tables.
The virus then modifies the initial address of the entry point, or patches
the addresses of system routines in the case of KRNL286/386.EXE.

When an infected file is executed under a non-infected environment, the virus
takes control and looks for the Win16 Kernel module (KRNL286.EXE or
KRNL386.EXE). When this file is located, the virus opens and infects it. The
virus does not alter the entry point address; it changes the addresses of the
WINEXEC or INITTASK routines instead. In the case of Windows 3.xx the virus
sets a new address for the WINEXEC routine; in the case of Windows95/NT the
virus does the same with the INITTASK routine (because Windows95/NT does not
call WINEXEC).

To tell the KRNL?86.EXE modules apart (Windows 3.xx or Windows95/NT) the
virus uses the name of the exported CALLPROC32W function, which is present
only in 32-bit Windows95/NT.

The virus then returns control to the host program and does not perform any
other actions. As a result, when executed for the first time the virus does
not leave any code in system memory - it only infects Windows' Kernel16
module.

Going memory resident

When Windows is loaded with an infected Kernel, the virus stays in system
memory as a part of the Kernel - no special action is necessary to do that,
because the virus code is placed in the same code segment as the original
Kernel's routines. The virus also does not perform any action to hook system
events because they were already hooked during infection - the address of
WINEXEC or INITTASK already points to the virus handler.

Under Windows 3.xx the virus hooks WINEXEC, so it infects files that are
executed. The virus does that in a quite clever way - it immediately passes
control to the original WINEXEC handler and then infects the file in the
background, i.e. there is no delay when applications are executed under the
infected environment. That is quite important for the virus because usually
Windows 3.xx is installed on old, slow PCs, and delays on execution may warn
a user.

Under Windows95/NT the virus hooks INITTASK, so it intercepts control when
programs are registering themselves in the system. The virus then, with the
help of the GetExePtr function, gets Module Handles for all NE applications
that are active and infects them.

Infecting E-mail

While infecting a file, with probability 1/8 (depending on the key that is
used to encrypt the text strings) the virus modifies its code so that the
file infected this time will activate a routine that drops infected e-mail
messages into the Eudora outbox. When such a file is executed in the directory
where the Eudora databases are placed, the virus opens the Eudora data files
NNDBASE.TOC, OUT.TOC and OUT.MBX. The first file ("Nick names database") is
used by the virus to get the names of the recipients to whom the virus will
send an infected message. The infected message is placed into OUT.MBX (Outbox
database) and the necessary references are placed into the OUT.TOC file.

The message itself has the subject "Red Team", contains the text and an
attached EXE file. The text looks as follows:

 ----------------------------------------------------------------------
 Hiya!

 Just thought I'd warn you about a destructive new e-mail virus.
 Here is some info:

 > The "Red Team" virus is a complex new computer virus that spreads via
 > the Microsoft Windows operating system, and Internet E-Mail. Although
 > it is not the first virus to spread via E-Mail (that was "Good Times"),
 > the Red Team virus is unparalelled in its destructive capabilities.
 > Further more, the virus is exceedingly common - it has already been
 > reported in much of western Europe, the USA, Russia, Australia, and
 > Japan. In short, everywhere.
 >
 > We at QUEST, have spent several weeks analysing this virus, and are proud
 > to anounce that we finally have a cure! The program, named "K-RTEAM"
 > (Kill Red Team), can be executed in any Microsoft Windows environment, and
 > will reliably detect (and remove if nescessary) the Red Team virus from
 > your system buffers.
 >
 > --
 > Julia Blumin
 > QUALCOMM Enterprise Software Technologies
 > World Wide Web: http://www.qualcomm.com

 The reason I thought I should warn you, is that we recently had a run in
 with this beast.  Luckily we managed to get a copy of the excellent
 'K-RTEAM' programme before the destruction really started. Just in case
 you should suffer the same misfortune, I have included this programme for
 you too.

 Bye!

 P.S. Make sure you warn all your friends of this new threat!
 ----------------------------------------------------------------------

This text in the virus body is compressed, so the virus decompresses it
before saving it to the Eudora outbox. The attached EXE file has an NE header
and is named K-RTEAM.EXE ("Kill Red Team"); it is 6351 bytes in length. It is
an infected do-nothing program (the virus creates it on the C: drive -
C:\K-RTEAM.EXE) that only spreads the virus on the computer. At the header and
end of this file there are the text strings:

 K-RTEAM - Red Team Anti-Virus
 K-RTEAM
 Red Team Virus Found!
 Remove Virus?
 Virus Removed!
 Could not Remove Virus!

The virus does not send messages twice from the same infected computer. To
do that the virus creates the RTBASE.TOC file while sending infected
messages. Next time the virus will look for that file and terminate the
e-mail infection routine if this file is present in the directory.

In-lab

The virus replicates itself under Windows 3.xx and had no side effects
during experiments in the lab - all files were infected correctly, the
programs were not corrupted and Windows did not display any warning/error
messages.

The virus also stored its dropper in the Eudora outbox with no problems. The
infected messages were then sent via the Internet and correctly received.

Under Windows95/NT the virus has a problem - it cannot infect KRNL386.EXE
and as a result cannot install itself memory resident. The bug is quite
stupid - the virus reserves a Word (DW) for the variable "NE Header Offset",
but uses it as a DoubleWord (DD). The second Word of that DoubleWord is the
Windows version flag: 0 if Windows 3.xx, FFFFh if Windows95/NT. So under
Windows95/NT the virus gets a wrong value from that variable.

Despite this, the files that were infected under Windows 3.xx do work under
Windows95/NT without any problem and may infect the Eudora database just as
under Windows 3.xx. Moreover, that stupid bug may be easily fixed and a
Windows95-compatible version might be released by the virus author. "

I found this at http://www.avp.ch/


Hangin' on the ropes, waitin' for the bell to ring.

Bob Chapman 65/2
Sun Lakes, AZ
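Added illustration (not part of Bob's post, nor code from the AVP write-up or
the virus): a small C program that walks a New Executable image to the fields
the write-up says Win.RedTeam has to touch (e_lfanew at 0x3C, ne_csip, the
segment-table entry of the entry code segment whose size it grows, and the
resident-name table where it looks for CALLPROC32W to tell KRNL386 from
KRNL286), and then reproduces the DW-declared-but-DD-read "NE Header Offset"
bug that stops it installing under Windows95/NT. The NE header offsets are the
documented NE layout; the 0xC0-byte sample image, the KERNEL/CALLPROC32W
resident names and their ordinals, and the two-field layout of the virus's
variables are assumptions constructed for this example, and the DD-read
demonstration assumes a little-endian x86 layout as in the original 16-bit
code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct ne_info {
    uint32_t ne_off;         /* file offset of the 'NE' header (from e_lfanew at 0x3C) */
    uint16_t entry_seg;      /* 1-based segment number of the initial CS */
    uint16_t entry_ip;       /* initial IP inside that segment */
    uint32_t code_file_off;  /* file offset of the entry code segment */
    uint16_t code_len;       /* its on-disk length; the virus grows this to hold itself */
    int has_callproc32w;     /* 1 if CALLPROC32W is in the resident-name table */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Walk MZ -> NE header -> segment table -> resident names. 0 on success,
 * negative on a malformed image; every offset is bounds-checked before use. */
int ne_locate(const uint8_t *img, size_t len, struct ne_info *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t ne = rd32(img + 0x3C);                        /* e_lfanew */
    if (ne > len || len - ne < 0x40 || img[ne] != 'N' || img[ne + 1] != 'E') return -2;
    uint16_t cseg   = rd16(img + ne + 0x1C);               /* ne_cseg: segment count */
    uint16_t segtab = rd16(img + ne + 0x22);               /* ne_segtab, relative to NE header */
    uint16_t restab = rd16(img + ne + 0x26);               /* ne_restab, relative to NE header */
    uint16_t align  = rd16(img + ne + 0x32);               /* ne_align: sector shift, 0 means 9 */
    uint32_t csip   = rd32(img + ne + 0x14);               /* ne_csip: CS in high word, IP low */
    out->ne_off = ne;
    out->entry_seg = (uint16_t)(csip >> 16);
    out->entry_ip = (uint16_t)csip;
    if (out->entry_seg == 0 || out->entry_seg > cseg) return -3;
    uint32_t ent = ne + segtab + 8u * (out->entry_seg - 1u); /* 8-byte segment entries */
    if (ent > len || len - ent < 8) return -4;
    out->code_file_off = (uint32_t)rd16(img + ent) << (align ? align : 9);
    out->code_len = rd16(img + ent + 2);
    if (out->code_file_off > len || len - out->code_file_off < out->code_len) return -5;
    /* Resident-name table: {len byte, name, ordinal word}* ended by a 0 length byte.
     * The write-up says the virus tells KRNL286 from KRNL386 by this export name. */
    out->has_callproc32w = 0;
    for (uint32_t p = ne + restab; p < len && img[p] != 0; ) {
        uint8_t n = img[p];
        if (len - p < 1u + n + 2u) return -6;
        if (n == 11 && memcmp(img + p + 1, "CALLPROC32W", 11) == 0) out->has_callproc32w = 1;
        p += 1u + n + 2u;
    }
    return 0;
}

/* The bug the write-up describes: a 16-bit (DW) slot for "NE header offset" is
 * read as 32 bits (DD), so the neighbouring version flag becomes the high word.
 * Two-field layout is an assumption for the demo; it assumes little-endian x86. */
struct virus_vars {
    uint16_t ne_hdr_offset;  /* declared DW */
    uint16_t win_version;    /* 0 = Windows 3.xx, 0xFFFF = Windows95/NT (per the write-up) */
};

uint32_t ne_offset_as_dd(const struct virus_vars *v)
{
    uint32_t dd;
    memcpy(&dd, v, sizeof dd);  /* the DD read of the DW variable */
    return dd;
}

/* Constructed 0xC0-byte NE image: one 32-byte code segment at 0xA0, entry at 1:0004,
 * resident names "KERNEL" and "CALLPROC32W" (so it looks like a 32-bit kernel). */
size_t make_sample_ne(uint8_t *buf, size_t cap)
{
    static const uint8_t names[] = { 6, 'K','E','R','N','E','L', 0, 0,
                                     11, 'C','A','L','L','P','R','O','C','3','2','W', 1, 0, 0 };
    if (cap < 0xC0) return 0;
    memset(buf, 0, 0xC0);
    buf[0] = 'M'; buf[1] = 'Z';
    wr16(buf + 0x3C, 0x40);                /* e_lfanew -> NE header at 0x40 */
    buf[0x40] = 'N'; buf[0x41] = 'E';
    wr16(buf + 0x40 + 0x14, 0x0004);       /* IP = 4 */
    wr16(buf + 0x40 + 0x16, 0x0001);       /* CS = segment 1 */
    wr16(buf + 0x40 + 0x1C, 1);            /* one segment */
    wr16(buf + 0x40 + 0x22, 0x40);         /* segment table at file offset 0x80 */
    wr16(buf + 0x40 + 0x26, 0x48);         /* resident names at file offset 0x88 */
    wr16(buf + 0x40 + 0x32, 4);            /* 16-byte sectors */
    wr16(buf + 0x80, 0x0A);                /* sector 0x0A -> file offset 0xA0 */
    wr16(buf + 0x82, 0x20);                /* segment length */
    wr16(buf + 0x84, 0x0000);              /* flags: code */
    wr16(buf + 0x86, 0x20);                /* minimum allocation */
    memcpy(buf + 0x88, names, sizeof names);
    memset(buf + 0xA0, 0xC3, 0x20);        /* code: RET filler */
    return 0xC0;
}

int main(void)
{
    uint8_t img[0x100]; struct ne_info info;
    size_t n = make_sample_ne(img, sizeof img);
    int rc = ne_locate(img, n, &info);
    printf("rc=%d NE@%#x entry=%u:%04x code@%#x len=%#x CALLPROC32W=%d\n", rc,
           (unsigned)info.ne_off, (unsigned)info.entry_seg, (unsigned)info.entry_ip,
           (unsigned)info.code_file_off, (unsigned)info.code_len, info.has_callproc32w);
    struct virus_vars w3 = { 0x40, 0x0000 }, w95 = { 0x40, 0xFFFF };
    printf("DD read: Win3.xx=%#x Win95/NT=%#x\n",
           (unsigned)ne_offset_as_dd(&w3), (unsigned)ne_offset_as_dd(&w95));
    return 0;
}
```

The walker stops at the code-segment location and length because those are
what the cave infection described above has to change (segment length in the
table, the relocated data after it, and ne_csip or the kernel's routine
addresses); the second half shows why the same variable read works under
Windows 3.xx (high word 0, value 0x40) and fails under Windows95/NT (high word
FFFFh, value 0xFFFF0040).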