VIRUS-L Digest Monday, 26 Jun 1989 Volume 2 : Issue 142
Today's Topics:
Mac anti-viral archives
Documentation anti-viral archives
Re: Saveinfo.exe (PC)
Disk corrupting .exe virus
New Virus - Fu Manchu? (PC)
Re: New Virus - Fu Manchu? (PC)
VKILLER 2.20 (Atari ST) available on ssyx
Re: Saveinfo.exe (PC)
The Little Vaccine that Didn't (Mac)
WordPerfect Corp. on the Israeli Virus (PC)
Anti-viral software postings
Re: Virus policy
--------------------------------------------------------------------------------
Date: 22 Jun 89 12:25:58 GMT
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Mac anti-viral archives
# Anti-viral archive sites for the Macindroids...
# Listing of 22 June 1989
cs.hw.ac.uk
Dave Ferbrache <davidf@cs.hw.ac.uk>
NIFTP from JANET sites, login as "guest".
Electronic mail to <info-server@cs.hw.ac.uk>.
Main access is through mail server.
The master index for the virus archives can be retrieved as
request: virus
topic: index
The Mac index for the virus archives can be retrieved as
request: mac
topic: index
For further details send a message with the text
help
The administrative address is <infoadm@cs.hw.ac.uk>
ifi.ethz.ch
Danny Schwendener <macman@ifi.ethz.ch>
Access is through SPAN/HEAPNET, but can also be reached using
X.25 and modem ports (no direct dialins, though).
Archives are in process of moving to a new machine.
pd-software.lancaster.ac.uk
Steve Jenkins <pdsoft@pd-software.lancaster.ac.uk>
I'm not sure of access, but you Brits ought to know by now. :-)
rascal.ics.utexas.edu
Werner Uhrig <werner@rascal.ics.utexas.edu>
Access is through anonymous ftp, IP number is ??.??.??.??.
Archives can be found in /mac/virus-tools.
Please retrieve the file 00.INDEX and review it offline.
Due to the size of the archive, online browsing is discouraged.
sumex.stanford.edu
Bill Lipa <info-mac-request@sumex-aim.stanford.edu>
Access is through anonymous ftp, IP numbers are 10.0.0.56
and 36.45.0.87.
Archives can be found in /info-mac/virus.
Administrative queries to <info-mac-request@sumex-aim.stanford.edu>.
Submissions to <info-mac@sumex-aim.stanford.edu>.
wsmr-simtel20.army.mil
Robert Thum <rthum@wsmr-simtel20.army.mil>
Access is through anonymous ftp, IP number 26.0.0.74.
Archives can be found in PD3:<MACINTOSH.VIRUS>.
Please get the file 00README.TXT and review it offline.
- --
Jim Wright
jwright@atanasoff.cs.iastate.edu
------------------------------
Date: 22 Jun 89 12:27:00 GMT
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Documentation anti-viral archives
# Anti-viral archive sites for the scholarly crowd...
# Listing of 22 June 1989
cs.hw.ac.uk
Dave Ferbrache <davidf@cs.hw.ac.uk>
NIFTP from JANET sites, login as "guest".
Electronic mail to <info-server@cs.hw.ac.uk>.
Main access is through mail server.
The master index for the virus archives can be retrieved as
request: virus
topic: index
The index for the **GENERAL** virus archives can be retrieved as
request: general
topic: index
The index for the **MISC.** virus archives can be retrieved as
request: misc
topic: index
**VIRUS-L** entries are stored in monthly and weekly digest form from
May 1988 to December 1988. These are accessed as log.8804 where
the topic substring is comprised of the year, month and a week
letter. The topics are:
8804, 8805, 8806 - monthly digests up to June 1988
8806a, 8806b, 8806c, 8806d, 8807a .. 8812d - weekly digests
The following daily digest format started on Wed 9 Nov 1988. Digests
are stored by volume number, e.g.
request: virus
topic: v1.2
would retrieve issue 2 of volume 1, in addition v1.index, v2.index and
v1.contents, v2.contents will retrieve an index of available digests
and an extracted list of the contents of each volume respectively.
**COMP.RISKS** archives from v7.96 are available on line as:
request: comp.risks
topic: v7.96
where topic is the issue number, as above v7.index, v8.index and
v7.contents and v8.contents will retrieve indexes and contents lists.
For further details send a message with the text
help
The administrative address is <infoadm@cs.hw.ac.uk>
lehiibm1.bitnet
Ken van Wyk <LUKEN@LEHIIBM1.BITNET> new: <krvw@sei.cmu.edu>
This site has archives of VIRUS-L, and many papers of
general interest.
Access is through ftp, IP address 128.180.2.1.
The directories of interest are VIRUS-L and VIRUS-P.
There may also be mail access.
This archive may go away with the departure of Ken.
lll-winken.llnl.gov
Vijay Subramanian <????@???.???.???>
This site has archives of VIRUS-L, and many papers of
general interest.
Access is through ftp, IP address 128.115.14.1.
There are quite a number of subdirectories living under /virus-l.
I have been unable to get through for several months; I
understand they are having trouble upgrading their network.
pd-software.lancaster.ac.uk
Steve Jenkins <pdsoft@pd-software.lancaster.ac.uk>
I'm not sure of access, but you Brits ought to know by now. :-)
unma.unm.edu
Dave Grisham <dave@unma.unm.edu>
This site has a collection of ethics documents.
Included are legislation from several states and policies
from many institutions.
Access is through ftp, IP address 129.24.8.1.
Look in the directory /ethics.
- --
Jim Wright
jwright@atanasoff.cs.iastate.edu
------------------------------
Date: 22 Jun 89 07:45:28 GMT
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Re: Saveinfo.exe (PC)
In article <0007.8906201731.AA26692@spot.CC.Lehigh.EDU>
VIRUS-L@IBM1.CC.Lehigh.EDU writes:
| I just downloaded a program named safeinfo.exe from a bbs
| at (201)473-1991. safeinfo (tm) is a trademark of
| safeware (TM) incorporated. the program is a clone of norton's
| sysinfo with more features.
|
| what makes it worthy of mention here is the fact that safeware (TM)
| runs an internal test upon itself each and every time it is loaded.
If you like this idea, you can use it with your own programs. A shareware
package ($10-$15) called CAware allows "your C programs to be self-aware".
The registration fee gets you source code. This is available from the
IBMPC anti-viral archive sites.
- --
Jim Wright
jwright@atanasoff.cs.iastate.edu
------------------------------
Date: Tue, 20 Jun 89 12:28:35 BST
Sender: Virus Alert List <VALERT-L@ibm1.cc.lehigh.edu>
From: "David.J.Ferbrache" <davidf%CS.HW.AC.UK@ibm1.cc.lehigh.edu>
Subject: Disk corrupting .exe virus
Original-From: Fridrik Skulason <frisk@is.hi.rhi>
I have just run into a virus, that does not fit the description of any
other virus that I know of.
It is an .EXE file infector and does not touch .COM files.
Every time an infected program is run, a random number is generated.
In most cases nothing happens, but sometimes the virus will select a
free cluster on the current drive, and mark it as bad. On the computer
where I found it originally, 10Mbytes out of 20 had been marked as
bad. This virus stays resident in memory, and hooks INT 21. When an
uninfected program is run, it is first infected.
This virus uses a few tricks to avoid detection, but I have not quite
finished disassembling it yet. It seems to refrain from infecting
programs, if disk protection software is installed.
This virus does not appear to be a modification of the other .EXE
infectors that I know of (Jerusalem & April-1), but I am not quite
sure of it, since I do not have a copy of those viruses.
If you have heard of this virus please let me know. I will distribute
a report, when I have finished disassembling the virus. (Quite a job,
since it is very large).
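The damage described above is done in the file allocation table, not to the files themselves, so the symptom to audit for is a rising count of clusters marked bad on a disk that had none at format time. The following is an added example written for this page; it is not Fridrik Skulason's analysis or code. It decodes a FAT12 table (two 12-bit entries per three bytes; 0x000 = free, 0xFF7 = bad, 0xFF8..0xFFF = end of chain), reports the bad-cluster count and fraction, and can pull the FAT out of a raw floppy image via the BIOS Parameter Block. The 16-entry sample table is constructed.

```python
"""Audit a FAT12 allocation table for clusters marked bad.

Added example; it is not from the digest or from the virus analysis above.
The virus described above hides its damage by marking free clusters as bad
(FAT12 value 0xFF7), so on a disk that had no bad sectors when formatted the
number of 0xFF7 entries is the visible symptom. The sample table below is
constructed for this example.
"""
import struct

FAT12_FREE = 0x000
FAT12_BAD = 0xFF7


def fat12_entries(fat: bytes, n_entries: int) -> list[int]:
    """Decode n_entries 12-bit FAT entries (two entries are packed in three bytes)."""
    out = []
    for n in range(n_entries):
        off = n + n // 2                     # entry n starts at byte n * 1.5
        pair = fat[off] | (fat[off + 1] << 8)
        out.append((pair >> 4) & 0xFFF if n & 1 else pair & 0xFFF)
    return out


def fat12_pack(entries: list[int]) -> bytes:
    """Inverse of fat12_entries; used here only to build the constructed sample."""
    buf = bytearray(len(entries) + len(entries) // 2 + 2)
    for n, v in enumerate(entries):
        off = n + n // 2
        if n & 1:
            buf[off] = (buf[off] & 0x0F) | ((v & 0x0F) << 4)
            buf[off + 1] = (v >> 4) & 0xFF
        else:
            buf[off] = v & 0xFF
            buf[off + 1] = (buf[off + 1] & 0xF0) | ((v >> 8) & 0x0F)
    return bytes(buf)


def bad_cluster_report(fat: bytes, n_entries: int) -> dict:
    """Entries 0 and 1 are reserved (media descriptor); data clusters start at 2."""
    data = fat12_entries(fat, n_entries)[2:]
    bad = [i + 2 for i, v in enumerate(data) if v == FAT12_BAD]
    return {
        "data_clusters": len(data),
        "free": sum(1 for v in data if v == FAT12_FREE),
        "bad": bad,
        "bad_fraction": len(bad) / len(data) if data else 0.0,
    }


def fat_from_image(img: bytes) -> tuple[bytes, int]:
    """Pull the first FAT and the entry count out of a raw FAT12 floppy/partition image."""
    bps, spc, reserved, n_fats, root_ents, total, _media, spf = struct.unpack_from(
        "<HBHBHHBH", img, 11)                # BIOS Parameter Block fields, offsets 11..23
    root_sectors = (root_ents * 32 + bps - 1) // bps
    data_sectors = total - (reserved + n_fats * spf + root_sectors)
    n_entries = data_sectors // spc + 2      # clusters 2..N plus the two reserved entries
    fat = img[reserved * bps: (reserved + spf) * bps]
    return fat, n_entries


# Constructed 16-entry table: a 3-cluster file, eight free clusters, three marked bad.
SAMPLE_ENTRIES = [
    0xFF0, 0xFFF,                                   # reserved entries 0 and 1
    0x003, 0x004, 0xFFF,                            # chain 2 -> 3 -> 4 -> end of chain
    0x000, 0x000, FAT12_BAD, 0x000, FAT12_BAD,      # 5, 6 free; 7 bad; 8 free; 9 bad
    0x000, 0x000, FAT12_BAD, 0x000, 0x000, 0x000,   # 10, 11 free; 12 bad; 13..15 free
]
SAMPLE_FAT = fat12_pack(SAMPLE_ENTRIES)

if __name__ == "__main__":
    print(bad_cluster_report(SAMPLE_FAT, len(SAMPLE_ENTRIES)))
```

On a real disk, read the raw image (for example with dd) and pass it to fat_from_image, then to bad_cluster_report; compare the result with the bad-sector list the format utility produced. A fraction that has grown since formatting is the signature of the behaviour described above, and the clusters are recoverable by clearing the 0xFF7 entries only after a surface read confirms they are actually good.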
------------------------------
Date: Thu, 22 Jun 89 11:54:55 BST
Sender: Virus Alert List <VALERT-L@ibm1.cc.lehigh.edu>
From: LBA002%PRIME-A.TEES-POLY.AC.UK@ibm1.cc.lehigh.edu
Subject: New Virus - Fu Manchu? (PC)
Reference: Computer Guardian 22nd June 1989
A new virus? The first issue of Virus Bulletin (a newsletter
specialising in viruses) announces Fu Manchu. This new virus is said
to insert obscene comments into printed documents after the keying of
4 names:- Botha, Reagan, Waldheim & Thatcher. Any sightings (or
suggestions for new names, or the text of the obscene comments?)
Rgds, Iain Noble
PS I've discovered that GateKeeper won't work on our ancient 128/512k
Macs to stop reinfection with the dose of nVirB we have going around.
Am I right? If I am any helpful suggestions?
------------------------------
Date: Thu, 22 Jun 89 14:25:21 BST
Sender: Virus Alert List <VALERT-L@ibm1.cc.lehigh.edu>
From: "David.J.Ferbrache" <davidf%CS.HW.AC.UK@ibm1.cc.lehigh.edu>
Subject: Re: New Virus - Fu Manchu? (PC)
Iain,
Please find enclosed a brief description of the Fu Manchu virus:
Fu Manchu
Parasitic virus - resident
Type description:
The virus occurs attached to the beginning of a COM file, or the end of
an EXE file. It is a rewritten version of the Jerusalem virus, and
most of what is said for that virus applies here with the following
changes:
a. The code to delete programs, slow down the machine, and display
the black 'window' has been removed, as has the dead area at
the end of the virus and some sections of unused code.
b. The marker is now 'rEMHOr' (six bytes), and the preceding 'sU'
is now 'sAX' (Sax Rohmer - creator of Fu Manchu).
c. COM files now increase in length by 2086 bytes & EXE files 2080
bytes. EXE files are now only infected once.
d. One in sixteen times on infection a timer is installed which
runs for a random number of half-hours (maximum 7.5 hours). At
the end of this time the message 'The world will hear from me
again!' is displayed in the centre of the screen and the
machine reboots. This message is also displayed every time
Ctrl-Alt-Del is pressed on an infected machine, but the virus
does not survive the reboot.
e. There is further code which activates on or after the first of
August 1989. This monitors the keyboard buffer, and makes
derogatory additions to the names of politicians (Thatcher,
Reagan, Botha & Waldheim), censors out two four-letter words,
and to 'Fu Manchu ' adds 'virus 3/10/88 - latest in the new fun
line!' All these additions go into the keyboard buffer, so
their effect is not restricted to the VDU. All messages are
encrypted.
> PS
>
> I've discovered that GateKeeper won't work on our ancient 128/512k Macs
> to stop reinfection with the dose of nVirB we have going around. Am I right?
> If I am any helpful suggestions?
Hmm, the documentation for gatekeeper says that it should operate on
a Mac with 128K ROM or better, including the Mac 512Ke, Plus, SE, II etc. If this
does not apply to your Macs then I suspect that vaccine is the only
alternative (or possibly one of the watch inits if you only require
notice of possible infection without the comprehensive error checking applied
to resource writes by vaccine).
Sorry I can't be of more help
- ------------------------------------------------------------------------------
Dave Ferbrache Internet <davidf@cs.hw.ac.uk>
Dept of computer science Janet <davidf@uk.ac.hw.cs>
Heriot-Watt University UUCP ..!mcvax!hwcs!davidf
79 Grassmarket Telephone +44 31-225-6465 ext 553
Edinburgh, United Kingdom Facsimile +44 31-220-4277
EH1 2HJ BIX/CIX dferbrache
- ------------------------------------------------------------------------------
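A virus that checks for its own marker so as not to reinfect a file ("EXE files are now only infected once") has handed scanners a signature. The following is an added example written for this page, not code from Dave Ferbrache or from any scanner of the period. It looks for the marker described above, 'sAX' immediately followed by 'rEMHOr' (the concatenation is taken from the description; it is not stated as one string on the page), at the start of COM files and the end of EXE files, the two placements the description gives. The sample files are constructed and contain no virus code.

```python
"""Flag COM/EXE files carrying the Fu Manchu infection marker.

Added example, not from the digest or from Dave Ferbrache's analysis. The
description above gives the marker as 'rEMHOr' preceded by 'sAX'; a virus that
refuses to reinfect marked files has handed scanners a signature. Where the
virus sits follows the text too: at the start of a COM file, at the end of an
EXE file. The sample files are constructed.
"""
import os

SIGNATURES = {
    "Fu Manchu": b"sAXrEMHOr",   # 'sAX' + 'rEMHOr', as described above
}
# How far from the expected end to look: the text gives 2086/2080-byte growth,
# so a somewhat larger window covers the whole attached body.
WINDOW = 4096


def scan_bytes(name: str, data: bytes) -> list[tuple[str, int]]:
    """Return (virus, offset) hits for one file's contents."""
    ext = name.lower().rsplit(".", 1)[-1]
    if ext == "com":
        region, base = data[:WINDOW], 0                  # attached to the start of COM files
    elif ext == "exe":
        base = max(0, len(data) - WINDOW)                # attached to the end of EXE files
        region = data[base:]
    else:
        return []
    hits = []
    for virus, marker in SIGNATURES.items():
        pos = region.find(marker)
        if pos >= 0:
            hits.append((virus, base + pos))
    return hits


def scan_tree(root: str) -> dict[str, list[tuple[str, int]]]:
    """Walk a directory and scan every .COM/.EXE; returns {path: hits} for flagged files."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".com", ".exe")):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    hits = scan_bytes(fn, f.read())
                if hits:
                    found[path] = hits
    return found


# Constructed samples standing in for real files (no real virus code here).
SAMPLE_FILES = {
    "CLEAN.COM": b"\xb4\x4c\xcd\x21" + b"\x90" * 100,
    "HIT.COM": b"\xe9\x10\x00" + b"\x90" * 40 + b"sAXrEMHOr" + b"\x90" * 2000,
    "HIT.EXE": b"MZ" + b"\x00" * 3000 + b"sAXrEMHOr" + b"\x00" * 60,
    "CLEAN.EXE": b"MZ" + b"\x00" * 3000,
    "README.TXT": b"sAXrEMHOr",      # not an executable: not scanned
}


def scan_samples() -> dict[str, list[tuple[str, int]]]:
    """Run the scanner over the constructed samples; returns only the flagged names."""
    return {n: h for n, d in SAMPLE_FILES.items() if (h := scan_bytes(n, d))}


if __name__ == "__main__":
    print(scan_samples())
```

A marker scan of this kind finds only the strain whose marker it knows; the description says all the virus's messages are encrypted, so the plain-text marker is the one reliable constant, and a rewritten variant with a different marker would need its own entry.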
------------------------------
Date: 22 Jun 89 01:35:49 GMT
From: koreth@ssyx.ucsc.edu (Steven Grimm)
Subject: VKILLER 2.20 (Atari ST) available on ssyx
Version 2.20 of George Woodside's VKILLER virus killer program for the
Atari ST has been posted to comp.binaries.atari.st and is available
from the archive on ssyx.ucsc.edu. The archive can be accessed via
anonymous ftp to address 128.114.133.1, or by sending the message
send binaries/volume5/vkiller.220 part01 part02 part03 part04
to archive-server@ssyx.ucsc.edu.
- ---
These are my opinions, which you can probably ignore if you want to.
Steven Grimm Moderator, comp.{sources,binaries}.atari.st
koreth@ssyx.ucsc.edu uunet!ucbvax!ucscc!ssyx!koreth
------------------------------
Date: 21 Jun 89 23:06:58 GMT
From: stripes@wam.umd.edu
Subject: Re: Saveinfo.exe (PC)
In article <0007.8906201731.AA26692@spot.CC.Lehigh.EDU>
VIRUS-L@IBM1.CC.Lehigh.EDU writes:
[stuff deleted]
>safeware (TM) is a unique new concept in shareware. all safeware (TM)
>products run safeware's (TM) proprietary selftest (TM) module as soon
>as they are loaded.
[stuff deleted]
Of course as soon as safeware's (TM) proprietary selftest gets too
popular (assuming they intend to sell the selftest to other
programmers, or that they become massively popular...) a new virus
could just remove the checking code. (same deal for Word Perf.)
To make a selftest strong you have to make them non-standard. (i.e.
change the code on every release even if the last release was fine,
make it different for each product, and whenever else you can).
- --
stripes@wam.umd.edu "Security for Unix is like
Josh_Osborne@Real_World,The Mutitasking for MS-DOS"
"The dyslexic porgramer" - Kevin Lockwood
"Dammit Jim, I'm a Doctor not an Excorsist"
- One of Bones' lines in a previous ST:V script...
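The self-test idea from Jim Wright's note on CAware and the objection above can both be seen in a few lines. What follows is an added example written for this page; it is not CAware, SafeInfo or anything posted in the digest. A program image is modelled as a standard stub (a magic string plus a stored CRC32) followed by the code; once that stub layout is common knowledge, an infector that appends itself can simply recompute and overwrite the stored value, and the self-test passes. A per-build variation (here a build key mixed into the CRC, with the same field layout) defeats that generic fix-up, which is the point made above, but not an attacker who disassembles the specific build: a CRC is an integrity check, not authentication, and the key sits in the binary too. Code, payload and key are constructed.

```python
"""Why a standard self-test is only as strong as its obscurity.

Added example; it is not CAware, SafeInfo or any code from the digest. A program
image is modelled as a fixed stub (magic + stored CRC32) followed by the code.
The stub layout is 'published', as it would be once one self-test module ships
in many products, and a generic infector that knows the layout can repair the
checksum after appending itself. Payload, code and key are constructed.
"""
import struct
import zlib

STUB_MAGIC = b"SELFTEST"     # the standard, widely copied stub: magic + 4-byte CRC32
STUB_LEN = len(STUB_MAGIC) + 4


def crc(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def build_image(code: bytes) -> bytes:
    """Standard self-aware build: [magic][crc32(code)][code]."""
    return STUB_MAGIC + struct.pack("<I", crc(code)) + code


def self_test(image: bytes) -> bool:
    """What the loaded program does first: recompute the CRC over its own code."""
    if not image.startswith(STUB_MAGIC):
        return False
    stored, = struct.unpack_from("<I", image, len(STUB_MAGIC))
    return crc(image[STUB_LEN:]) == stored


def build_image_keyed(code: bytes, build_key: bytes) -> bytes:
    """Same field layout, but the value is crc32(build_key + code): a per-release variant."""
    return STUB_MAGIC + struct.pack("<I", crc(build_key + code)) + code


def self_test_keyed(image: bytes, build_key: bytes) -> bool:
    """The keyed program's own check; build_key is compiled into this release only."""
    if not image.startswith(STUB_MAGIC):
        return False
    stored, = struct.unpack_from("<I", image, len(STUB_MAGIC))
    return crc(build_key + image[STUB_LEN:]) == stored


def append_payload(image: bytes, payload: bytes) -> bytes:
    """Simulated appending infector (constructed): the image grows, so the code changes."""
    return image + payload


def generic_fixup(image: bytes) -> bytes:
    """What an infector does once the stub is standard: recompute and overwrite the field.
    It assumes the published algorithm, plain crc32 over the code."""
    if not image.startswith(STUB_MAGIC):
        return image                       # unknown layout: nothing it can do
    body = image[STUB_LEN:]
    return STUB_MAGIC + struct.pack("<I", crc(body)) + body


def demo(code: bytes = b"\xb8\x00\x4c\xcd\x21", payload: bytes = b"APPENDED-PAYLOAD",
         build_key: bytes = b"rel-1989-06-26") -> dict[str, bool]:
    """Every value should be True: the standard stub is bypassed, the keyed one is not."""
    std = build_image(code)
    keyed = build_image_keyed(code, build_key)
    return {
        "clean_passes": self_test(std),
        "infected_fails": not self_test(append_payload(std, payload)),
        "infected_then_fixed_passes": self_test(generic_fixup(append_payload(std, payload))),
        "keyed_clean_passes": self_test_keyed(keyed, build_key),
        "keyed_infected_then_fixed_fails":
            not self_test_keyed(generic_fixup(append_payload(keyed, payload)), build_key),
    }


if __name__ == "__main__":
    print(demo())
```

The variation buys time against a virus written for the common case, nothing more; a check that a resident virus can see running is a check it can also patch out, which is why the thread's advice is to keep changing it.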
------------------------------
Date: Fri, 23 Jun 89 13:01:22 PDT
From: dplatt@coherent.com (Dave Platt)
Subject: The Little Vaccine that Didn't (Mac)
I recently had an interesting experience in which a network of Macs
was heavily infected by a virus, even though the Macs' owners had
installed Vaccine. The cause, it turned out, was due to the use of an
old (and arguably obsolete) version of TOPS! Y'all might want to be
alert for similar situations in your own areas.
I first found out about the infection when we had our corporate artwork
scanned at a local desktop-publishing service bureau, and converted to
EPS format. Out of curiosity, I took a look at the Mac EPS file's
resource fork, to see if it included a PICT resource. It did... and it
also had an INIT 29 resource. Uh oh. I called the service bureau and
talked to the woman who had done the scanning; she was surprised at
the infection, and said "We've got virus protection for all of our
machines".
I stopped by the service-bureau earlier this week to have our artwork
rescanned (not because I was afraid to use the infected copy, but
because I wanted it in portrait layout rather than in landscape form).
I also took along a diskette of antivirals and offered to clean up
their network; they were most willing to have me do so.
Their main network (which uses MacServe for file-sharing) was in good
shape. One application on the server's hard disk was infected by nVIR
A, but the systems were otherwise quite clean. All machines booted
with Vaccine, which was properly configured and appears to have been
effective in preventing virus-spread.
Their secondary network was another case entirely... it was _lousy_
with copies of INIT 29. Their Mass Micro file-server disk, and the
disk on the machine used for scanning, were riddled with this pest...
there must have been almost 100 infected files.
I cleaned up the infection with Disinfectant, and checked Vaccine. It
was configured with the "Always compile MPW INITs" option turned on; I
turned it off, having heard that some viruses could possibly sneak past
Vaccine when this option was selected. I then rebooted both machines
from their hard disks.
To my surprise, the Vaccine icon did not appear during startup, even
though the "Show icon" option was selected. Some fiddling with ResEdit
showed that Vaccine protection was not functioning... I could create
CODE resources without triggering an alert.
I suspected that the copies of Vaccine installed on these two machines
might have been damaged somehow, so I replaced them with a copy from
one of the MacServe client-machine startup disks, which I had
determined was functional. No good... Vaccine would not install itself
at boot time. I tried installing GateKeeper... same result... it would
not install at boot time.
At this point, a little light began to dawn. I took a look at the
System (6.0) and the other files in the System folder. Lo and behold,
the version of TOPS in use on these machines was dated 1987. Bingo.
This version of TOPS was released before Apple developed the "INIT 31"
mechanism that runs INIT resources stored outside of the System file.
The TOPS Installer program that comes with this version installs its
own version of INIT 31, which (I believe) runs the INIT resources in
INIT and RDEV (Chooser) files in the System folder.
However... the INIT 31 installed by TOPS does *NOT* run INIT resources
contained in Control Panel (cdev) files! As a result, neither Vaccine
nor GateKeeper was being installed at boot time. Vaccine showed up in
the Control Panel, but it wasn't functioning. [GateKeeper is smart
enough to keep itself out of the Control Panel display if its INIT has
not run... a nice touch, Chris!]
The fix for the problem was simple: I replaced the System files on
these machines with cleaner versions (with Apple's own INIT 31 intact),
and copied all of the fonts and desk-accessories from the old files to
the new ones. Vaccine now installs itself at boot time, and TOPS works
too. I've recommended that the service-bureau purchase a more
up-to-date version of TOPS, so that they don't run into this same
problem if they ever reinstall the out-of-date version that they're
using now.
The moral of the story: whether you're using Vaccine, GateKeeper, SAM,
or some other anti-viral shield INIT, you should double-check to make
sure that it's actually being installed at start-up time and is
providing the desired protection for your system. Simply dragging the
file into your System folder and rebooting is _not_ sufficient to
guarantee that your system is protected!
Dave Platt FIDONET: Dave Platt on 1:204/444 VOICE: (415) 493-8805
UUCP: ...!{ames,sun,uunet}!coherent!dplatt DOMAIN: dplatt@coherent.com
INTERNET: coherent!dplatt@ames.arpa, ...@uunet.uu.net
USNAIL: Coherent Thought Inc. 3350 West Bayshore #205 Palo Alto CA 94303
------------------------------
Date: Fri, 23 Jun 89 17:19:19 pdt
From: well!odawa@lll-winken.llnl.gov (Michael Odawa)
Subject: WordPerfect Corp. on the Israeli Virus (PC)
My colleague Derrick Shadel asked if I would post this note:
-----
I would like to add some information to the excellent analysis Y. Radai
reported regarding the Israeli virus and its effect on WordPerfect 4.2.
We would first like to concur that this is really a strain of the
Israeli virus which infects many other programs besides WordPerfect.
Thus the term "WordPerfect Virus" would not be an appropriate
appellation for this agent, and indeed would only add to the confusion.
Since that name also unfairly characterizes our product, we would
appreciate it not being used. Thank you.
Second, we have obtained a copy of the virus through the good offices
of Lance Nakata of Stanford University, and can confirm Radai's
description of how the infector interacts with our product.
When the Israeli virus infects an .EXE file, it reads the length field
of the header. WP 4.2, like a large class of similar programs, has
some additional information appended to the "normal" .EXE data. This
information includes the overlays and some text messages used during
the operation of the program. This is why the .EXE length was not
increased and why the virus was inserted into the middle of the
program. It was actually added to the end of the normal part of the
.EXE and overwrote a portion of the overlays that are appended.
When WP 4.2 starts up it searches for the .EXE so it can open and use
the overlays and text messages that are part of that file. In the
process of infecting the .EXE, data areas were changed that WP 4.2
uses to determine if the correct .EXE was found (we do this because it
might be someone's old WP 4.1 .EXE that was found). This results in
the error message about WP.EXE not being found. I hope this helps you
to better understand why WP 4.2 reacts differently when it is infected
with the Israeli virus.
With WP 5.0 the overlays and text messages are kept in a separate file
called WP.FIL. Since the .FIL and .EXE are separate, the floppy with
the .EXE can be write protected without adversely affecting the way
WordPerfect runs.
I hope this information is helpful to those who have investigated this
problem. We appreciate your work, and hope that together we can find
a way to free ourselves of these malicious and destructive viruses.
Derrick Shadel
WordPerfect Corp.
- -----
forwarded by:
Michael Odawa
Software Development Council
odawa@well.uucp
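The mechanism Derrick Shadel describes comes down to two header fields. The following is an added example written for this page, not code from WordPerfect Corp. or from the digest. A DOS EXE header declares the size of the load module in 512-byte pages (e_cp) plus the bytes used in the last page (e_cblp); anything in the file past that point is an overlay the loader never sees. An infector that attaches itself at the header-declared end, as described above, therefore lands on top of the overlay rather than after it, the file does not grow, and a program that validates its own overlay before using it (as WP 4.2 is said to do) stops recognising the file. The sample EXE, its overlay tag and the body written over it are constructed.

```python
"""MZ header size fields versus file size: where an appended overlay lives.

Added example, not code from WordPerfect Corp. or from the digest. The header
of a DOS EXE declares the load-module size in 512-byte pages (e_cp) and bytes
used in the last page (e_cblp); anything beyond that is an overlay the loader
ignores. The sample EXE, overlay and attached body are constructed.
"""
import struct

MZ_FMT = "<2sHHHHHHHHHHHHH"        # e_magic .. e_ovno, 28 bytes


def load_module_end(exe: bytes) -> int:
    """Offset just past the header-declared load module (header + code + data)."""
    magic, e_cblp, e_cp = struct.unpack_from("<2sHH", exe, 0)
    if magic not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    end = e_cp * 512
    if e_cblp:                      # 0 means the last page is full
        end -= 512 - e_cblp
    return end


def overlay(exe: bytes) -> bytes:
    """Everything the header does not account for; empty if there is no overlay."""
    return exe[load_module_end(exe):]


def set_load_module_end(exe: bytes, end: int) -> bytes:
    """Rewrite e_cblp/e_cp so the header claims the load module ends at `end`."""
    return exe[:2] + struct.pack("<HH", end % 512, (end + 511) // 512) + exe[6:]


def build_sample_exe(code: bytes, overlay_data: bytes) -> bytes:
    """A minimal EXE with a 32-byte header, `code` as load module, then an overlay."""
    header_paras = 2
    end = header_paras * 16 + len(code)
    hdr = struct.pack(MZ_FMT, b"MZ", end % 512, (end + 511) // 512, 0, header_paras,
                      0, 0xFFFF, 0, 0, 0, 0, 0, 28, 0).ljust(header_paras * 16, b"\0")
    return hdr + code + overlay_data


def header_driven_append(exe: bytes, body: bytes) -> bytes:
    """Simulate the described behaviour: write `body` at the header-declared end and
    extend the declared size. Overlay bytes under it are overwritten, not moved, so
    the file length is unchanged when the body is shorter than the overlay."""
    end = load_module_end(exe)
    patched = exe[:end] + body + exe[end + len(body):]
    return set_load_module_end(patched, end + len(body))


def overlay_is_ours(exe: bytes, expected_tag: bytes) -> bool:
    """The kind of check WP 4.2 is described as making before using its overlay."""
    return overlay(exe).startswith(expected_tag)


# Constructed: 96 bytes of code, then a 64-byte overlay that starts with a tag.
OVERLAY_TAG = b"WP42OVL"
SAMPLE_EXE = build_sample_exe(b"\x90" * 96, OVERLAY_TAG + b"\x55" * 57)

if __name__ == "__main__":
    hit = header_driven_append(SAMPLE_EXE, b"V" * 40)
    print(len(SAMPLE_EXE), len(hit), overlay_is_ours(SAMPLE_EXE, OVERLAY_TAG),
          overlay_is_ours(hit, OVERLAY_TAG))
```

Run load_module_end on a real file and compare it with the file size: a difference means an overlay is present and is exactly the region a header-driven appender would write over. With the WP 5.0 split into WP.EXE and WP.FIL described above, the difference is zero and the EXE can sit on a write-protected disk without affecting the overlays.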
------------------------------
From: The Heriot-Watt Info-Server <infoadm@CS.HW.AC.UK>
Date: Mon, 26 Jun 89 10:31:31 BST
Subject: Anti-viral software postings
Just a quick note to let people know that the following anti-viral
software has been posted to USENET news.
comp.binaries.atari.st Virus killer version 2.20
Flu viral simulator
comp.binaries.mac Virus detective 3.0.1
Cheers
Dave Ferbrache
------------------------------
Date: Mon, 26 Jun 89 12:43:06 EDT
From: lmi312@leah.Albany.EDU (TheBabeWithThePwr)
Subject: Re: Virus policy
> Here at Old Dominion University, our internal auditors have asked that a
> virus policy be adopted. We are forming a working group, composed of a
> mainframe systems person, pc/lab person, and academic services person.
>
> I joined this list in the hopes of learning from those who have gone
> before! I am seeking any advice, or policies set up by other
> institutions which could help us define our own.
>
> I suppose we would like to address prevention, detection, and recovery, as
> well as procedures for dealing with anyone caught trying to infect any
> of our systems.
>
> Any responses would be GREATLY appreciated.
Although there is no real policy set at my school, SUNY Albany, there
was a student who did write and release a virus on our system. To the
best of my knowledge, he was fined and disusered...supposedly he is
now attending MIT.
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253