LISTSERV at the University of Georgia
Date:         Wed, 13 Nov 2002 10:55:55 -0700
Reply-To:     Jack Hamilton <JackHamilton@FIRSTHEALTH.COM>
Sender:       "SAS(r) Discussion" <SAS-L@LISTSERV.UGA.EDU>
From:         Jack Hamilton <JackHamilton@FIRSTHEALTH.COM>
Subject:      Re: Infected SAS files
Comments: To: evonich@EXCHANGE.CIS.PITT.EDU
Content-Type: text/plain; charset=us-ascii

The SAS DLLs can be infected, just like any other DLLs could be.

It's not the fact that they're SAS DLLs in particular that would make them targets for infection - it's the fact that they're some kind of executable. After infection, a SAS DLL could do whatever any other infected executable could do.

For what it's worth, there were some files in version 6 of SAS which upset the virus checker here, and the only way to install SAS was to turn off the virus checker. Something similar could be happening to your user - the SAS programs contain binary strings which look like viruses, but aren't.

SAS can open ports, yes. I asked at a SUGI Futures Forum whether anyone had yet encountered a SAS virus, but no one had. Perhaps it's too difficult to persuade SAS users to run foreign SCL applications for which they don't have the source code.

--
JackHamilton@FirstHealth.com
Manager, Technical Development
METRICS Department, First Health
West Sacramento, California USA

>>> George Evonich <evonich@EXCHANGE.CIS.PITT.EDU> 11/13/2002 9:03 AM >>>

Greetings all,

I'd like to know if anyone has come across a virus or trojan infecting their SAS files. I have a user who believes that installing SAS has infected her machine with a RAT trojan (http://www.xploiter.com/security/rat.html) and that it infected the following files:

c:\Program Files\SAS Institute\Shared Files\SAS OLE DB DATA PROVIDERS\sasejlib.dll
c:\Program Files\SAS Institute\Shared Files\SAS OLE DB DATA PROVIDERS\saseklib.dll
c:\Program Files\SAS Institute\Shared Files\SAS OLE DB DATA PROVIDERS\sasexlib.dll
c:\Program Files\SAS Institute\SAS\V8\sashost.dll

I'm far from a security expert, but I don't really see how infecting SAS would do a hacker any good.... The user says a program called Tuscan is telling her that they are infected, but I have not been able to find any information on that product. I've tried to explain to the user that no one in our software office put any malicious code, but she's not accepting that.

Does SAS open any ports? Would the files listed above, if infected, gain a hacker anything? Any ideas or suggestions as to what to look for would be appreciated since I'm at a loss at the moment besides showing the user that the product installs clean from the media she received.

Thanks!!

George

-----------------------------------------------------------------------
George M. Evonich            ("\''/").___..--''"`-._
Electronic Data Services     `9_ 9 ) `-. ( ) .`-.__.`)
Academic Consulting - CSSD   (_Y_.)` ._ ) `._`. ``-..-`
University of Pittsburgh     _..`--'_..-_/ /--'_.' .'
evonich@cssd.pitt.edu        (il).-`` ((i).' ((!.-'
(412)648-7381
-----------------------------------------------------------------------

