home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.150
< prev
next >
Wrap
Text File
|
1995-01-03
|
23KB
|
536 lines
VIRUS-L Digest Wednesday, 12 Jul 1989 Volume 2 : Issue 150
Today's Topics:
Antique Systems and Vaccine (Mac)
Icelandic virus
German DOS62 Virus
Macintosh system folder looks suspect
Comments on SENTRY and VIRUSCAN
on protecting Appleshare (Mac - from comp.sys.mac)
IEEE code of ethics and computer viruses
RE: nVir and Scores on Appletalk
[Ed. Sorry about the overwhelming quantity of mail, folks, but I have
quite a backlog now that we're back on-line (read: if you think
*YOU'VE* got it bad, you should see my inbox!). :-) ]
---------------------------------------------------------------------------
Date: Sat, 08 Jul 89 08:19:21 -0400
From: Joe McMahon <XRJDM@SCFVM.BITNET>
Subject: Antique Systems and Vaccine (Mac)
System 3.2 (which Mac 128K users are probably running) does not support
cdev's. To get Vaccine protection, it is necessary to do the following:
1) Copy your startup disk.
2) Boot the disk containing ResEdit, and open the Vaccine file. Copy
everything except the BNDL and cdev resources.
3) Open the System file on the copy of the startup disk.
4) Paste.
Reboot with the copy of the startup disk. To verify installation, run an
infected application, or run the "System Update" program. Either should
get violations. The dialogs will not show the file name properly,
however.
Disclaimer: I didn't have a 128K machine to try this on; I tested it on
a Plus running 3.2 and had no trouble.
--- Joe M.
------------------------------
Date: Mon, 10 Jul 89 14:52:48 +0000
From: Fridrik Skulason <frisk%RHI.HI.IS@ibm1.cc.lehigh.edu>
Subject: Icelandic virus
Some time ago I reported a new virus, the Icelandic "disk-crunching" virus. I
have now finished disassembling it, and a report follows ("Brunnstein"-format)
frisk@rhi.hi.is
or
...mcvax!hafro!rhi!frisk
- ------ Computer Virus Catalog 1.1: "Icelandic" July 8, 1989 --------
Entry...............: "Icelandic disk-crunching virus"
Alias(es)...........: One-in-ten, Disk-eating virus
Virus Strain........:
Virus detected when.: Mid-June '89
where.: Iceland
Classification......: .EXE file infecting virus/Extending/Resident
Length of Virus.....: 1. 656-671 bytes added to file
2. 2048 bytes in RAM
- --------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.0 or higher
Computer model(s)...: IBM PC,XT,AT and compatibles
- --------------------- Attributes -------------------------------------
Identification......: .EXE Files: Infected files end in 4418 5F19 (hex).
System: Byte at 0:37F contains FF (hex)
Type of infection...: Extends .EXE files. Adds 656-671 bytes to the end of
the file. Length MOD 16 will always be 0.
Stays resident in RAM, hooks INT 21 and infects other
programs when they are executed via function 4B. It will
remove the Read-Only attribute if necessary. .COM files
are not infected.
Infection Trigger...: Every tenth program run is checked. If it is an
uninfected .EXE file it will be infected.
Storage media affected: None
Interrupts hooked...: INT 21
Damage..............: If the current drive is a hard disk larger than 10M
bytes, the virus will select one cluster and mark it
as bad in the first copy of the FAT. Diskettes and 10M
byte disks are not affected.
Damage Trigger......: The damage is done whenever a file is infected.
Particularities.....: The virus modifies the MCBs in order to hide
from detection. It will not be activated if INT 13
contains something other than 0070:xxxx or F000:xxxx
when an infected program is run.
Similarities........: None.
- --------------------- Agents ------------------------------------------
Countermeasures.....: All programs which check for .EXE file length changes
will detect infections.
Any virus prevention program that changes INT 13 will
prevent the activation of the virus.
F-SYSCHK (by the author of this article) will detect
the system infection.
F-FCHK will identify infected files.
Countermeasures successful: See above.
Standard means......: Use DEBUG to check the byte at 0:37F.
Running any program which stays resident and modifies
INT 13 (like PRINT) will prevent the virus from being
activated.
- --------------------- Acknowledgement ---------------------------------
Location............: University of Iceland/Computing Services
Classification by...: Fridrik Skulason (frisk@rhi.hi.is)
Documentation by....: Fridrik Skulason
Date................: July 8, 1989
Information Source..:
- --------------------------End of "Icelandic"-Virus---------------------
------------------------------
Date: Tue, 04 Jul 89 20:12:13 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: German DOS62 Virus
The virus reported by Chris Fischer is clearly the DOS62
virus. This virus will replace the firts five bytes of every eighth
infected file with the system initialization routine. Clearly,
COMMAND.COM was the eighth file infected within his system - hence at
power-on the system will continuously cycle through the re-boot
sequence. We have had numerous reports of similar synptoms from this
virus.
Alan Roberts
HomeBase/CVIA 408 988 4004
------------------------------
Date: Wed, 12 Jul 89 11:52:48 -0500
From: Lee Brannon <CCREBEL@INDST.BITNET>
Subject: Macintosh system folder looks suspect
Hello,
I am a Mac user who has already run across two virus programs on my
system, and I now suspect that I may have found a third. Any of you
who are using a macinto sh and have come across the following symptons
please drop me a line (especiall y if you know the cause):
Like the scores virus...My System, Finder, Clipboard
and scrapbook icons have changed.
Unlike the scores virus...they have changed to better
drawings of the mac plus with shaded screens
I have run several detection programs which do not show anything
wrong, but it is beginning to get on my nerves.
There maybe something other than a virus making the change, but I
really would like to know what?
Thank you in advance..... CCREBEL at INDST
------------------------------
Date: Mon, 10 Jul 89 21:12:36 -0000
From: A.SIGFUSSON@ABERDEEN.AC.UK
Subject: Comments on SENTRY and VIRUSCAN
Hi out there,
I am new on this list, although I have followed the
discussions on the Lancaster Pdsoft archives, and I have
two points which I would like to raise.
After being hit by the Brain virus I decided to get some
protection and after reading both the VIRUS-L and some
reviews on protection software I decided to go for
SENTRY. It seems to work fine except for the CONFIG.SYS
file. The manual claims that sentry would pick up if you
added or changed a device driver but it did not when I
tried it. Another thing about SENTRY is that the manual
does not state clearly enough for the novice PC user that
you have to reinstall SENTRY when you add a new .COM,
.EXE or .SYS file to your disk. If this is not made
clear people who are not aware of this might be led to
think they are safe when they are not.
I also got a copy of VIRUSCAN which has been discussed
here recently. When I tried it on few diskettes I
noticed that the program told me that they all had
same number of directories and files. On inspection I
found that this was not the case. For some reason if you
scan few diskettes, one after another, the program always
thinks it is reading the first one. Only if you do
something like "A:>DIR" after inserting a new diskette
for scanning does the program do it properly. I suspect
that if the first disk only contains 1 or 2 files the
remaining disks will not be scanned properly because I
found that my DOS disk, which contains lots of files took
a very short time if scanned following a disk with only 2
files on.
I wanted to point these two things out because lots of PC
users could be given false security by protection
programs if their use and function is not properly
explained.
Best wishes,
Arnor Sigfusson
------------------------------
Date: Tue, 11 Jul 89 11:55:13 -0000
From: The Heriot-Watt Info-Server <infoadm@CS.HW.AC.UK>
Subject: on protecting Appleshare (Mac - from comp.sys.mac)
[Ed. The following is a discussion taken from comp.sys.mac regarding
the protection of Appleshare file servers from viruses.]
From: mmccann@hubcap.clemson.edu (Mike McCann)
Newsgroups: comp.sys.mac
Subject: Virus Protection for AppleShare File Servers?
Date: 9 Jul 89 07:00:29 GMT
Organization: Clemson University, Clemson, SC
Lines: 14
How does one protect the AppleShare file server from viruses? Will
running Vaccine on it work? Or will the dialog box produced upon
detection of a virus hang the server?
Also as a new administrator of a small AppleShare network, any other
helpful hints will be welcomed.
Thanks for the help,
Mike McCann (803) 656-3714 Internet = mmccann@hubcap.clemson.edu
Poole Computer Center (Box P-21) UUCP = gatech!hubcap!mmccann
Clemson University Bitnet = mmccann@clemson.bitnet
Clemson, S.C. 29634-2803 DISCLAIMER = I speak only for myself.
From: mithomas@bsu-cs.bsu.edu (Michael Thomas Niehaus)
Newsgroups: comp.sys.mac
Subject: Re: Virus Protection for AppleShare File Servers?
Date: 10 Jul 89 05:06:56 GMT
Organization: CS Dept, Ball St U, Muncie, IN, USA
In article <5956@hubcap.clemson.edu>, mmccann@hubcap.clemson.edu (Mike McCann)
writes:
> How does one protect the AppleShare file server from viruses? Will
> running Vaccine on it work? Or will the dialog box produced upon
> detection of a virus hang the server?
I debated this with myself before, and came to this conclusion: You do not
need to protect an AppleShare File Server from viruses. How can I make such
a statement? Well, install the AppleShare software and maybe the
Print Server software as well. Use something like Virus Rx and make sure
that you did not install a virus (very unlikely if you are using original,
locked disks).
Now that your software is installed, you are safe because *THAT IS THE
ONLY SOFTWARE EVER RUN* from the server. All of the other files on the
network are data files. Viruses cannot be spread from these data files.
Now, if you were to shut down your server, boot with another disk, and run
some of the software that is on that server's disk *ON THE SAME SERVER
MACHINE* then you could infect the server. But, I recommend against
doing this.
The stations on the network that are using the software from the servers
are the ones that need to be protected. If one of them put a virus in one
of the oft-used applications on the server, it would spread to all of the
stations in a matter of days (or less). But since the server never runs
this software, it will remain unscathed.
> Also as a new administrator of a small AppleShare network, any other
> helpful hints will be welcomed.
Put your applications in locked folders so that viruses cannot be installed
into them. Put Vaccine or something like it on all of the workstation's
system disks. Check the workstation disks regularly.
> Mike McCann (803) 656-3714 Internet = mmccann@hubcap.clemson.edu
> Poole Computer Center (Box P-21) UUCP = gatech!hubcap!mmccann
> Clemson University Bitnet = mmccann@clemson.bitnet
> Clemson, S.C. 29634-2803 DISCLAIMER = I speak only for myself.
- -Michael
- --
Michael Niehaus UUCP: <backbones>!$iuvax,pur-ee*!bsu-cs!mithomas
Apple Student Rep ARPA: mithomas@bsu-cs.bsu.edu
Ball State University AppleLink: ST0374 (from UUCP: st0374@applelink.apple.com
)
From: chris@accuvax.nwu.edu (Chris Krohn)
Newsgroups: comp.sys.mac
Subject: Re: Virus Protection for AppleShare File Servers?
Message-ID: <852@accuvax.nwu.edu>
Date: 10 Jul 89 17:14:04 GMT
Organization: Northwestern Univ. Evanston, Il.
Lines: 84
In article <8148@bsu-cs.bsu.edu> mithomas@bsu-cs.bsu.edu (Michael Thomas
Niehaus) writes:
##> How does one protect the AppleShare file server from viruses? Will
##> running Vaccine on it work? Or will the dialog box produced upon
##> detection of a virus hang the server?
##
##I debated this with myself before, and came to this conclusion: You do not
##need to protect an AppleShare File Server from viruses.
Having been an AppleShare net administrator for a couple years, and
having witnessed several viral infections on various types of server
configurations, I must strongly disagree with this statement.
##How can I make such
##a statement? Well, install the AppleShare software and maybe the
##Print Server software as well. Use something like Virus Rx and make sure
##that you did not install a virus (very unlikely if you are using original,
##locked disks).
Nevertheless, it can happen. For example, Adobe shipped many copies
of it's popular Illustrator program complete with a virus. Even if you
did use the orginal, locked disks, you were still vulnerable to infection.
##Now that your software is installed, you are safe because *THAT IS THE
##ONLY SOFTWARE EVER RUN* from the server.
Well, the server system *itself* is safe, but (as you point out
below) the client workstations are not.
##All of the other files on the
##network are data files. Viruses cannot be spread from these data files.
Not true. The Init29 virus, for example, will infect data files
as well as applications.
##Now, if you were to shut down your server, boot with another disk, and run
##some of the software that is on that server's disk *ON THE SAME SERVER
##MACHINE* then you could infect the server. But, I recommend against
##doing this.
I agree with this. If you do need to do this, (run a disk
optimization package or partition utility or something), make sure you
have Vaccine installed and turned on for the system disk which you use
to boot the machine.
##The stations on the network that are using the software from the servers
##are the ones that need to be protected. If one of them put a virus in one
##of the oft-used applications on the server, it would spread to all of the
##stations in a matter of days (or less). But since the server never runs
##this software, it will remain unscathed.
##Put your applications in locked folders so that viruses cannot be installed
##into them. Put Vaccine or something like it on all of the workstation's
##system disks. Check the workstation disks regularly.
##
This is excellent advice. This will not necessarily protect you
from spreading viruses off the server, but will do a good job. It is
necessary to check the workstation disks regularly, as people often will
turn vaccine off, or delete it, or whatever. Additionally, do what you can
to ensure your users are educated about viruses, because even if Vaccine
is installed, they may not understand what is going on, and may through
ignorance allow a virus to spread.
Certain software packages will not run in locked folders, however.
(E.G. FileMaker II, CricketDraw, WriteNow 1.0) and are therefore always
vulnerable. The only real solution is not to allow such software packages
to be installed on the file server, but this may not be possible.
Because no virus prevention technique is foolproof, you will *always*
be in danger of viral infections. Check your server with a virus detection/
removal program like Disinfectant on a regular basis.
##Michael Niehaus UUCP: <backbones>!$iuvax,pur-ee*!bsu-cs!mithomas
##Apple Student Rep ARPA: mithomas@bsu-cs.bsu.edu
##Ball State University AppleLink: ST0374 (from UUCP:
st0374@applelink.apple.com)
Chris Krohn
Academic Computing and Network Services
Northwestern University
From: johnroc@ucsco.UCSC.EDU (John Rocchio)
Newsgroups: comp.sys.mac
Subject: AppleShare and virus
Date: 10 Jul 89 18:10:13 GMT
Organization: UCSC Computing and Telecommunications Services
Lines: 26
Here is some info I retrived from AppleLink:
AppleShare Security: How Secure Against Viruses Is It?
This article last reviewed: 23 March 1989
Q: How secure is AppleShare from viruses? Users recognize the threat to
folders where others have write access and the ability to affect others
using applications contained in those folders, but what about the Server
Folder itself? Is the running of VACCINE on an AppleShare server
indicated? Is there something better? Is it possible to issue low-level
I/O calls (PBWrite and lower?) to server volumes (bypassing any AppleShare
built-in security) from other Macintosh systems on the network?
A: The AppleShare server folder itself is quite secure when the
server is running. Is it not accessible by any system call, whether
high-level or low-level. A virus would only be able to attack folders
and files that it has access to. It is not necessary or recommended to
install Vaccine in the Server folder on the AppleShare server. If the
server is running at the Finder level, it is just as susceptible to
viruses as any system.
Copyright 1989 Apple Computer, Inc.
disclaimer disclaimer disclaimer disclaimer disclaimer disclaimer disclaimer...
------------------------------
Date: Wed, 12 Jul 89 14:38:26 -0400
From: Mark Paulk <mcp@SEI.CMU.EDU>
Subject: IEEE code of ethics and computer viruses
An article in the Computer Society News section of IEEE Computer,
July, 1989, pp. 83-84, discusses a draft position paper on software
vandalism, specifically computer viruses. I had some comments, which
I mailed to the acting chair of the Committee on Public Policy:
Ralph J. Preiss
12 Colburn Drive
Poughkeepsie, NY 12603
I think the article, and possibly my comments, will be of interest to
the VIRUS-L readers. Letter text follows:
- - -------
I have just finished reading the article in the July 1989 issue of
IEEE Computer on the code of ethics and computer viruses position
paper. First, let me compliment your group on their statement. It
seems so obvious what the correct ethical position with regard to
these issues is, yet I have communicated with all too many "unethical"
people where computer viruses and Trojan horses are concerned. I
support having the IEEE take a very clear and explicit stand in these
matters.
I have a minor interest in these matters. Although not of direct
professional interest, I just gave a presentation on "Computer Fauna:
Viruses, Worms, and Trojan Horses" where I discussed the differences
between these entities. I have some qualms about the definitions
given in the sidebar.
The second sentence in the definition of a "worm" is an overstatement.
Although worm programs @i(may) overlay or erase other programs or
data, in the original work with worm programs by J.F. Shoch and J.A.
Hupp ("The 'Worm' Programs - Early Experience with a Distributed
Computation," Communications of the ACM, Vol. 25, No. 3, March, 1982,
pp. 172-180) the worm model is "a program or a computation that can
move from machine to machine, harnessing resources as needed, and
replicating itself when necessary" aka distributed computation, a
program which spans machine boundaries. They quote the science
fiction writer John Brunner: a worm adds to itself; a phage wipes out
(Shockwave Rider).
The same problem of assuming malicious behavior holds with viruses.
In Cohen's work, he gives an example of a beneficient "compression" virus.
Although I agree that for all practical purposes, there are no benign
viruses, worm programs hold a great deal of promise as a distributed
computing technology.
The two different definitions of computer virus are also problematic.
Computer virus-A seems to be an attempt to address programs such as
the Christmas worm which propagate by the (inadvertent) action of humans.
This is NOT a computer virus. Terms which have been used for this
class of programs includes "rabbit" and "bacterium," although the emphasis
tends to be on denial of service rather than the infection mechanism.
I think the Trojan horse definition covers the class of program
described adequately.
Computer virus-B is a "reasonable" virus definition, although I have some
slight qualms about the assumption of malicious instructions as mentioned
earler.
Good definitions for these classes of programs are rather nebulous at
this time, and there are a number of candidates running around. Most
notably Fred Cohen and Peter Freeman have supplied readily available
definitions, although there are no rigorous ones yet. The discussions
on the VIRUS-L (Comp.virus) group, moderated by Ken van Wyk, covers
this ground now and again. I might suggest that you solicit some
discussion from the group. I will take the liberty of cross-posting
this missive to direct attention to the article.
All in all, my compliments. Keep up the good work.
------------------------------
Date: Wed, 05 Jul 89 13:05:00 -0400
From: <ACSAZ@SEMASSU.BITNET>
Subject: RE: nVir and Scores on Appletalk
ACSAZ@SEMASSU, 5-JUL-1989
To the best of my knowledge and experience, nVir and Scores do not
spread over appletalk. At least they didn't spread over ours.
Alex Z... . . .
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253