Sheep: Fact or Fiction

By Sarah Gordon
[email protected]

Originally published at AntiVirus Online.

Upon my return from the EICAR conference, I found yet another possible hype had made its way to my mailbox.

This time, the subject was SHEEP. A Windows executable called SHEEP.EXE had been mailed to me as an e-mail attachment, along with a request for help!

Was this program BAAAAA BAAAAA BAAAD? (Sorry! Couldn't resist!)

Here, with permission, is the anatomy of this request for help. It parallels many of the scenarios which take place daily world-wide.

"I have a friend in a large law office here in (location removed) and we keep in touch via Internet email. Lots of people in the office bring in small programs, such as the Sheep one, and they circulate through the firm via office email. (Someone's Name), my friend, had sent me small programs over the Net before. I'd always sweep them before installing, as I did with the Sheep one, with usually two or more different AV scanners (McAffee, Intel, and F-Prot are the ones I'm using, and I try to keep the lists up to date). So I installed the Sheep program, first on a machine running Windows 95 (I received the file through AOL, but I'd accessed the service through someone else's machine), then I took it home on disk and put it on my machine. The next day I got the forwarded email that his sysop had sent out firm-wide and I deleted the program from both machines."

The e-mail he described stated that users should PLEASE DELETE FROM THE SYSTEM IMMEDIATELY these or any other programs which had been received via e-mail. It explained that there are "numerous warnings" that such programs are cleverly disguised viruses, and that if the warnings are true, the programs will seriously damage the PC. The GHOST.EXE program is mentioned, and described as doing its damage on a specific date at a specific time.

What prompted the SHEEP warning? The concerned user who contacted me offered these thoughts:

"Several possibilities come to mind. One, that this program is harmless but there are other versions out there that have been tampered with; two, that the firm was getting upset about all the loose shareware and programs that were going around and sent out virus warnings on this one to make everyone paranoid and keep them from installing any programs that came in through email; or three, they were just tired of everybody goofing off looking at the cute sheep."

The file I have examined appears to be clean. The SHEEP.EXE's examined by my colleagues appear to be clean. However, this does not mean we can guarantee there is not an infected SHEEP.EXE file in existence, any more than we can guarantee that there is not an infected GHOST.EXE out there. If you suspect you have a file infected with a virus which is not known to your vendor, you need to send a copy of that file to your vendor. No vendor can tell you if a virus resides in an executable file by hearing the name only of the file.

About the Author

Sarah Gordon's work in various areas of IT Security can be found profiled in various publications including the New York Times, Computer Security Journal and Virus Bulletin. She is a frequent speaker at such diverse conferences as those sponsored by NSA/NIST/NCSC and DEFCON. Recently appointed to the Wildlist Board of Directors, she is actively involved in the development of anti-virus software test criteria and methods. She may be reached as [email protected]









1061 East Indiantown Road · Suite 500
Jupiter · FL   33477