| Date: | Fri, 15 Nov 2002 14:49:56 -0500 |
| Reply-To: | "Evonich, George" <evonich@EXCHANGE.CIS.PITT.EDU> |
| Sender: | "SAS(r) Discussion" <SAS-L@LISTSERV.UGA.EDU> |
| From: | "Evonich, George" <evonich@EXCHANGE.CIS.PITT.EDU> |
| Subject: | Re: Infected SAS files |
| Content-Type: | text/plain; charset="iso-8859-1" |
Thanks for your thoughts, Mr. Hamilton and Mr. Seeliger. I'm still waiting to meet with the user to show her all of this as well as the excellent information that SAS support gave me as well. This is a student's home computer, so I can't blame Microsoft Outlook this time.... As soon as I get my $35 million from Mr. Wilson M. Chukwuka, Chief Accountant with the First Bank PLC in Nigeria, I'll send you guys a token of my appreciation.
Thanks,
George
-----------------------------------------------------------------------
George M. Evonich
("\''/").___..--''"`-._ Electronic Data Services
`9_ 9 ) `-. ( ) .`-.__.`) Academic Consulting - CSSD
(_Y_.)` ._ ) `._`. ``-..-` University of Pittsburgh
_..`--'_..-_/ /--'_.' .' evonich@cssd.pitt.edu
(il).-`` ((i).' ((!.-' (412)648-7381
-----------------------------------------------------------------------
-----Original Message-----
From: Jack Hamilton [mailto:JackHamilton@FIRSTHEALTH.COM]
Sent: Wednesday, November 13, 2002 12:56 PM
To: SAS-L@LISTSERV.UGA.EDU
Subject: Re: Infected SAS files
The SAS DLL's can be infected, just like any other DLL's could be.
It's not the fact that they're SAS DLL's in particular that would make
them targets for infection - it's the fact that they're some kind of
executable. After infection, a SAS DLL could do whatever any other
infected executable could do.
For what it's worth, there were some files in version 6 of SAS which
upset the virus checker here, and the only way to install SAS was to
turn off the virus checker. Something similar could be happening to
your user - the SAS programs contain binary strings which look like
viruses, but aren't.
SAS can open ports, yes. I asked at a SUGI Futures Forum whether
anyone had yet encountered a SAS virus, but no one had. Perhaps it's
too difficult to persuade SAS users to run foreign SCL applications for
which they don't have the source code.
--
JackHamilton@FirstHealth.com
Manager, Technical Development
METRICS Department, First Health
West Sacramento, California USA
>>> George Evonich <evonich@EXCHANGE.CIS.PITT.EDU> 11/13/2002 9:03 AM >>>
Greetings all,
I'd like to know if anyone has come across a virus or trojan infecting
their SAS files. I have a user who believes that installing SAS has
infected her machine with a RAT trojan
(http://www.xploiter.com/security/rat.html) and that it infected the
following files:
c:\Program Files\SAS Institute\Shared Files\SAS OLE DB DATA PROVIDERS\sasejlib.dll
c:\Program Files\SAS Institute\Shared Files\SAS OLE DB DATA PROVIDERS\saseklib.dll
c:\Program Files\SAS Institute\Shared Files\SAS OLE DB DATA PROVIDERS\sasexlib.dll
c:\Program Files\SAS Institute\SAS\V8\sashost.dll
I'm far from a security expert, but I don't really see how infecting
SAS would do a hacker any good.... The user says a program called
Tuscan is telling her that they are infected, but I have not been able
to find any information on that product. I've tried to explain to the
user that no one in our software office put any malicious code, but
she's not accepting that.
Does SAS open any ports? Would the files listed above, if infected,
gain a hacker anything? Any ideas or suggestions as to what to look for
would be appreciated since I'm at a loss at the moment besides showing
the user that the product installs clean from the media she received.
Thanks!!
George
-----------------------------------------------------------------------
George M. Evonich
("\''/").___..--''"`-._ Electronic Data Services
`9_ 9 ) `-. ( ) .`-.__.`) Academic Consulting - CSSD
(_Y_.)` ._ ) `._`. ``-..-` University of Pittsburgh
_..`--'_..-_/ /--'_.' .' evonich@cssd.pitt.edu
(il).-`` ((i).' ((!.-' (412)648-7381
-----------------------------------------------------------------------