/-----------------------------\
| Xine - issue #3 - Phile 008 |
\-----------------------------/

┌──────────────────────────────────────────────────────────┐
│  The story of the 2Trout and Lilith viruses in the wild  │
│                                                          │
│                    Written by Dandler                    │
└──────────────────────────────────────────────────────────┘

To find the first case of the 2Trout virus spreading, we must look back to 1995, to the geographical zone between Padania and Italy. An anonymous person, whose identity has never been discovered, used a fake account to connect to a minor Padanian and Italian BBS network that carried a virus area, like some of the major, famous virus areas on networks such as Fidonet or Virnet. This virus echo area was always considered marginal, especially when compared with the virus areas on Fidonet and Virnet, which have a constant and fairly large message flow. Apart from the low message flow, the area received little attention because it wasn't followed by any major antivirus researcher, apart from a few minor virus experts, Ortolano and Colosi of the Italian antivirus ItavPro (Ortolano was the author of ItavPro, while Colosi was his primary helper). These two 'experts' were not held in much regard by the Padanian and Italian antivirus communities; Colosi in particular was disliked for his childish, annoying and egocentric behavior.

But back to the virus. It was posted uuencoded in this virus message area together with another virus, Lilith. The first file was a do-nothing program infected by 2Trout, while the second was a dropper for the Lilith virus, since Lilith is a boot sector virus. As already said, this virus area was marginal, so its usual readers were extremely inexperienced people who were undoubtedly easy to fool, which is exactly what happened.

The two messages carrying the viruses weren't deleted quickly enough by the people in charge of the network, so a few readers of the message area, thinking they were dealing with antivirus programs or some utilities, executed the viruses and infected themselves. After a few days the messages with the uuencoded viruses were indeed deleted, but too late: many users were already posting messages asking for help with strange problems, for example with QEMM, that had appeared after they executed the contents of the two uuencoded messages (QEMM warned the user that the total memory of the system had decreased, which was due to the Lilith virus being active in memory).

After these events, serious turmoil followed. Ortolano and Colosi tried to explain the situation and recommended not running programs posted to the area by untrusted users. They even tried to contact the user who had posted the messages, but without luck, since the login used was a fake. Someone proposed informing the legal authorities, but the proposal was quickly discarded. Finally, new rules to improve the security of the BBS network were adopted, such as making it impossible to post a message in the public areas at the first login. After a while the situation returned to normal. ItavPro, the antivirus written by Ortolano, was soon able to detect both 2Trout and Lilith, and most likely all the infected users were soon able to remove the viruses from their computers.

After this episode there do not seem to have been other infections in the wild by 2Trout, while an infection in the wild by the Lilith virus is known from quite a long time ago, even though the virus has a bug that seriously limits its spread (without this bug it would very likely have spread a lot). As of today, January 1998, both viruses seem to be just two more pieces in the collections of the various virus collectors. But both have entered the history of Padanian and Italian virusing.

As for the protagonists of this story, Ortolano sold the ItavPro antivirus and no longer seems to be interested in viruses, while Colosi, after a short and stormy presence on it.comp.sicurezza.virus, the Italian-language newsgroup dedicated to viruses, seems to have vanished totally from the antivirus scene. No one will miss him.