F-Secure Hoax Information Pages: Sheep

Name: Sheep
Alias: Scmpoo
Type: Hoax
Category: Hoax
Platform: Win32

Summary
This is a widespread false alarm about a demonstration program. There is no virus or trojan by this name. However, this innocent program could be used as a disguise for trojans, viruses and remote access tools.

Detailed Description
SHEEP.EXE is a program that creates a cute animation of a little sheep which wanders around the screen, eats, sleeps, jumps, etc. There were several widespread warnings that this program was a trojan or a virus, but after SHEEP.EXE and SCMPOO16.EXE samples were analysed, the program was found to be innocent. However, during the analysis the original Japanese author of this program was contacted, and it turned out that SHEEP.EXE is a commercial program and should not be passed on between users.

The confirmed-clean versions of this file have the following CRCs as displayed by PKUNZIP:

Length Method Size Ratio Date Time CRC-32 Attr Name
------ ------ ----- ----- ---- ---- -------- ---- ----
317088 DeflatN 116749 64% 03-12-96 22:17 3662678a --w- SCMPOO16.EXE
317792 DeflatN 117014 64% 09-12-96 08:25 683ae9da --w- SHEEP.EXE
------ ------ --- -------


Read this: As speculated above, a malicious person can easily infect any of these programs and make them harmful. In June, 1997, we received samples of the above SHEEP.EXE infected with the Windows-based Tentacle virus.

Here is the CRC of the infected version (as displayed by PKUNZIP):

Length Method Size Ratio Date Time CRC-32 Attr Name
------ ------ ----- ----- ---- ---- -------- ---- ----
319750 DeflatN 118568 63% 26-06-97 18:16 60a4617a --w- ESHEEP.EXE
------ ------ --- -------


Attention! If you receive SHEEP.EXE with the CRC information and the
size shown below, then it is a hacker's remote access tool called
'Web Ex' that uses SHEEP ScreenMate as a disguise. Do not run this
file - delete it. If you run SHEEP.EXE, the server part of the Web Ex
remote access tool will be installed on your system. It will allow
the hacker to easily access your data.

Length Method Size Ratio Date Time CRC-32 Attr Name
------ ------ ----- ----- ---- ---- -------- ---- ----
1099776 DeflatN 1084524 2% 09-03-99 13:03 ff7f6180 --w- SHEEP.EXE
------ ------ --- -------


If you receive this, please do not forward it around.
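
The listings above identify each variant by its uncompressed length and CRC-32. The following Python is an added example, not F-Secure's code: it recomputes both values for every member of a ZIP archive and looks them up in a table copied from those listings. The function names, verdict strings and the sample archive are assumptions made for illustration.

```python
import io
import zipfile
import zlib

# (uncompressed length, CRC-32) pairs copied from the PKUNZIP listings above.
KNOWN = {
    (317088, 0x3662678A): "confirmed clean (SCMPOO16.EXE)",
    (317792, 0x683AE9DA): "confirmed clean (SHEEP.EXE)",
    (319750, 0x60A4617A): "infected with Tentacle (ESHEEP.EXE)",
    (1099776, 0xFF7F6180): "Web Ex remote access tool (SHEEP.EXE)",
}
UNKNOWN = "no match: treat as unverified"
CORRUPT = "stored CRC-32 does not match the data"


def file_fingerprint(stream, chunk_size=65536):
    """Return (length, CRC-32) of a binary stream, read in chunks."""
    length, crc = 0, 0
    while chunk := stream.read(chunk_size):
        length += len(chunk)
        crc = zlib.crc32(chunk, crc)
    return length, crc & 0xFFFFFFFF


def classify_archive(zip_bytes, known=KNOWN):
    """Return {member name: verdict} for every file in a ZIP archive.

    Length and CRC-32 are recomputed from the decompressed data instead of
    being read from the ZIP header, which is the value a listing displays.
    """
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            try:
                with archive.open(info) as member:
                    verdict = known.get(file_fingerprint(member), UNKNOWN)
            except zipfile.BadZipFile:  # header CRC disagrees with content
                verdict = CORRUPT
            verdicts[info.filename] = verdict
    return verdicts


def build_sample():
    """Constructed test archive: a 9-byte stand-in, not a real sample."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("SHEEP.EXE", b"123456789")
    return buffer.getvalue()
```

CRC-32 is not a cryptographic hash, so a match against one of the clean entries is weaker evidence than a match against a published cryptographic digest would be.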



F-Secure Corporation

Last Modified: January 01, 2006