VIRUS-L Digest Thursday, 31 Aug 1989 Volume 2 : Issue 183
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Ping-Pong variants (PC)
Virus Report from Brazil
PC virus list; Swap virus; Israeli virus; Disassemblies
CVIA reports new virus at Ohio State (PC)
VirusScan updated for New Ohio Virus (PC)
nVIR A and nVIR B explained (Mac)
VACSINA ... why we called it so (PC)
Virus Collection (Mac)
Virus Collecting (Mac)
---------------------------------------------------------------------------
Date: 28 Aug 89 14:09:10 +0000
From: mcvax!rhi.hi.is!frisk@uunet.uu.net (Fridrik Skulason)
Subject: Ping-Pong variants (PC)
I have now seen three different variants of the ping-pong virus. The
only difference is the character that bounces around the screen.
The (original?) version where the character is a dot is the most
common one, but a version that uses the "diamond" (character number 4)
is also fairly common here. Finally, I have seen a version that
displays a "smiley" (character number 2) at one site.
Are the two modified versions known elsewhere in the world, or are they
just local mutations?
Fridrik Skulason University of Iceland
frisk@rhi.hi.is
Guvf yvar vagragvbanyyl yrsg oynax .................
[Ed. ^(the above sentence) Huh? :-) ]
------------------------------
Date: Tue, 29 Aug 89 10:44:26 +0300
From: Geraldo Xexeo <COS20001@UFRJ.BITNET>
Subject: Virus Report from Brazil
I think that the netland could be interested in a virus report
from Brazil. It is important to say that in Brazil there aren't
big networks or lots of LANs. Most of the viruses are distributed
by disk.
Source: O Globo (nation-wide newspaper), from a research of Modulo
Consultants (21/8/89).
Number of micro-computers researched: 550.
Viruses detected : disease
Brain, Israeli   : loss of files
Ping Pong        : a bouncing ball on the video, no harm
sUMsDos          : slows the machine, uses memory, no harm detected
Alameda          : harms the Winchester
Lehigh           : harms any disks (Why Lehigh?)
Madonna          : while Madonna sings on your video, you lose your disk
Cookie           : shows "Give me a cookie" on the video
Water fall       : fall of characters (translated from Cascata)
Mailson          : inversion of characters on video and printer;
                   named after a Brazilian politician
Number of detections:
Jan: 2
Feb: 4
Mar: 6
Apr: 12
May: 22
Jun: 41
Jul: 66
Evaluation:
Most of the viruses are harmful; the names could not be right but
are the ones used in Brazil. More than 10% are infected. Exponential growth.
From Brazil,
Geraldo Xexeo
------------------------------
Date: Tue, 29 Aug 89 16:05:44 +0300
From: Y. Radai <RADAI1@HBUNOS.BITNET>
Subject: PC virus list; Swap virus; Israeli virus; Disassemblies
For several reasons, one of which is very irregular receipt of
VIRUS-L, I've been out of touch with it for several weeks now. So
please forgive me if some of the postings referred to below are a few
weeks old.
PC Virus List
-------------
Lan Nguyen asks whether a list of PC viruses, incl. date first
discovered and source(s), exists. I will soon be submitting to VIRUS-L a
considerably updated version of the list I first posted on May 16.
Meanwhile, Lan, I'm sending you my list as it currently stands (29
viruses, 70 strains).
The Swap Virus
--------------
Yuval Tal writes:
>I don't think that it is so important how we call the virus. I've
>decided to call it the swap virus because the message "The Swapping-
>Virus...' appears in it! ....... I think that calling it "The
>Dropping Letter Virus" will be just fine.
Well, "The Dropping Letter Virus" would be a poor choice since (as I
mentioned in an earlier posting) this also describes the Cascade and
Traceback viruses.
Yuval has explained that he originally called it the Swap virus
because it writes the following string into bytes B7-E4 of track 39,
sector 7 (if sectors 6 and 7 are empty):
The Swapping-Virus. (C) June, 1989 by the CIA
However, he has not publicly explained how the words SWAP VIRUS FAT12
got into the boot sector of some of the diskettes infected by this
virus, so let me fill in the details. As David Chess and John McAfee
both pointed out quite correctly, these words are not part of the
virus. What happened was that Yuval wrote a volume label SWAP VIRUS
onto each infected diskette for identification. Had his system been
DOS 3 the label would have been written only into the root directory.
But since he was apparently using DOS 4, it was also written into
bytes 2Bh-35h of the boot sector. (That still leaves the string FAT12
in bytes 36h-3Ah to be explained. Under DOS4, the field 36h-3Dh is
supposed to be "reserved". Anyone got any comments on that?) So
although I didn't know at the time that the words SWAP VIRUS came from
Yuval, it seems that my (and his original) suggestion to call it the
Swap virus is still the best choice.
The Israeli/Friday-13/Jerusalem Virus
-------------------------------------
In response to a query from Andrew Berman, David Rehbein gave a
quite accurate description of the virus, except for one small point:
>(It will infect and replicate itself in ANY executible, no matter
>the extension..check especially .OVL and .SYS)
To the best of my knowledge, no strain of this virus (or, for that
matter, of any other virus that I know of) infects overlay or SYS
files.
Andrew Berman writes concerning this virus:
> She think's
>she's cleaned it out by copying only the source codes to new disks,
>zapping the hard drives, and recompiling everything on the clean hard
>disks.
It's a pity that so many people try to eradicate the virus by such
difficult means when (as has been mentioned on this list and
elsewhere) there is a file named UNVIR6.ARC on SIMTEL20 (in
<MSDOS.TROJAN-PRO>) containing a program called UNVIRUS which will
easily eradicate this virus and 5-6 others as well, plus a program
IMMUNE to prevent further infection.
Disassembling of Viruses
------------------------
In response to a posting by Alan Roberts, David Chess replied:
>I think it's probably a Good Thing if at least two or three people do
>independent disassemblies of each virus, just to make it less likely
>that something subtle will be missed. I know my disassemblies (except
>the ones I've spent lots of time on) always contain sections marked
>with vaguenesses like "Does something subtle with the EXE file header
>here". .... I probably tend to lean towards "the more the merrier"!
I can appreciate David's point. However, I would like to point out
that the quality of (commented) disassemblies differs greatly from one
person to another. As Joe Hirst of the British Computer Virus
Research Centre writes (V2 #174):
>Our aim will be to produce disassemblies which cannot be improved upon.
And this isn't merely an aim. In my opinion, his disassemblies are an
order of magnitude better than any others I've seen. He figures out
and comments on the purpose of *every* instruction, and vagueness or
doubt in his comments is extremely rare.
What I'm suggesting is this: If you have the desire, ability, time
and patience to disassemble a virus yourself, then have fun. But
unless you're sure it's a brand new virus, you may be wasting your
time from the point of view of practical value to the virus-busting
community. And even if you are sure that it's a new virus, take into
account that there are pros like Joe who can probably do the job much
better than you.
So what about David's point that any given disassembler may miss
something subtle? Well, I'm not saying that Joe Hirst should be the
*only* person to disassemble viruses. Even he is only human, so there
should be one or two other good disassemblers to do the job
independently. But no more than 1 or 2; I can't accept David's position of
"the more the merrier".
Btw, disassemblers don't always get the full picture. Take, for
example, the Merritt-Alameda-Yale virus, of which I have seen three
disassemblies. They all mentioned that the POP CS instruction is
invalid on 286 machines, yet none of them mentioned the important fact
that when such a machine hangs the virus has already installed itself
in high RAM and hooked the keyboard interrupt, so that the infection
can spread if a warm boot is then performed! That fact seems to have
been noticed only by ordinary humans.
Y. Radai
Hebrew Univ. of Jerusalem
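The boot-sector question in the Swap virus section turns on where DOS writes the volume label. The following Python example is added by the editor and is not code from the digest or any of its contributors. It parses the DOS 4.0 extended BIOS parameter block (EBPB) of a constructed 512-byte boot sector and reports which field a given byte string lands in, so that filesystem metadata written by FORMAT or LABEL is not mistaken for virus code, which is the point Chess and McAfee made. The field offsets are the well-known DOS 4.0 layout and are an assumption of the example, not something the digest documents beyond the 2Bh-35h and 36h-3Ah offsets it quotes; under that layout the eight bytes at 36h-3Dh are the file-system-type string ("FAT12   ") that DOS 4 FORMAT writes alongside the label, which is the editor's explanation for the FAT12 bytes Radai asks about, not the digest's.

```python
"""Parse a DOS 4.0 extended BIOS parameter block (EBPB) and classify where a
byte string falls inside a 512-byte boot sector.  Sample sectors are built
inline (constructed data); no disk image is read."""
import struct

EBPB_EXT_SIGNATURE = 0x29  # DOS 4.0+ stores 29h here when the label/FS-type fields are valid
BPB_FORMAT = "<HBHBHHBHHHII"  # 0Bh..23h: standard BPB
EBPB_FORMAT = "<BBBI11s8s"    # 24h..3Dh: drive, reserved, ext sig, serial, label, FS type

# Byte ranges of the DOS 4.0 boot-sector layout (assumed, well-known layout).
REGIONS = (
    (0x00, 0x0B, "jump_oem"),
    (0x0B, 0x24, "bpb"),
    (0x24, 0x2B, "ebpb_header"),
    (0x2B, 0x36, "volume_label"),  # 11 bytes, written by DOS 4 FORMAT/LABEL
    (0x36, 0x3E, "fs_type"),       # 8 bytes, e.g. b"FAT12   "
    (0x3E, 0x1FE, "boot_code"),
    (0x1FE, 0x200, "signature"),
)


def build_boot_sector(label, fs_type, extended=True, boot_code=b""):
    """Construct a 360K-floppy-style boot sector (constructed sample data)."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"  # JMP SHORT 3Eh; NOP
    sec[3:11] = b"MSDOS4.0"
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors,
    # media byte, sectors/FAT, sectors/track, heads, hidden, large total
    struct.pack_into(BPB_FORMAT, sec, 0x0B, 512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2, 0, 0)
    if extended:  # a DOS 3 FORMAT leaves 24h..3Dh zero: no label, no FS-type string
        struct.pack_into(EBPB_FORMAT, sec, 0x24, 0x00, 0x00, EBPB_EXT_SIGNATURE,
                         0x12345678, label.ljust(11).encode("ascii"),
                         fs_type.ljust(8).encode("ascii"))
    code = boot_code[: 0x1FE - 0x3E]
    sec[0x3E:0x3E + len(code)] = code
    sec[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sec)


def parse_ebpb(sector):
    """Return the BPB fields plus label/FS type when the 29h extension signature is present."""
    if len(sector) != 512 or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not a 512-byte boot sector with 55AAh signature")
    (bps, spc, reserved, fats, root_entries, total, media,
     spf, spt, heads, hidden, large_total) = struct.unpack_from(BPB_FORMAT, sector, 0x0B)
    drive, _, ext_sig, serial, label, fs_type = struct.unpack_from(EBPB_FORMAT, sector, 0x24)
    info = {
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved_sectors": reserved,
        "fats": fats, "root_entries": root_entries, "total_sectors": total or large_total,
        "media": media, "sectors_per_fat": spf, "sectors_per_track": spt, "heads": heads,
        "hidden_sectors": hidden, "drive": drive,
        "extended": ext_sig == EBPB_EXT_SIGNATURE,
        "serial": None, "volume_label": None, "fs_type": None,
    }
    if info["extended"]:
        info["serial"] = serial
        info["volume_label"] = label.decode("ascii", "replace").rstrip()
        info["fs_type"] = fs_type.decode("ascii", "replace").rstrip()
    return info


def locate_string(sector, needle):
    """(offset, region) of the first occurrence of needle, or (None, "none").

    The region is the one holding the first byte of the match; a hit in
    volume_label or fs_type is filesystem metadata, not virus code."""
    off = sector.find(needle)
    if off < 0:
        return None, "none"
    for start, end, name in REGIONS:
        if start <= off < end:
            return off, name
    return off, "none"


if __name__ == "__main__":
    dos4 = build_boot_sector("SWAP VIRUS", "FAT12")
    print(parse_ebpb(dos4)["volume_label"], locate_string(dos4, b"SWAP VIRUS"))
    dos3 = build_boot_sector("SWAP VIRUS", "FAT12", extended=False)
    print(parse_ebpb(dos3)["extended"], locate_string(dos3, b"SWAP VIRUS"))
```

Run against a real image, the same check separates a label that FORMAT or LABEL wrote on a DOS 4 system (region volume_label) from a string embedded in the boot code itself (region boot_code); a sector formatted under DOS 3 carries no 29h signature and no label bytes at all, which is why the same label command left no trace in the boot sector there.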
------------------------------
Date: Tue, 29 Aug 89 12:49:52 -0700
From: portal!cup.portal.com!garyt@Sun.COM
Subject: CVIA reports new virus at Ohio State (PC)
Forwarded message from John McAfee on the Homebase BBS:
A new boot sector virus has been turned in to the CVIA. The virus
was first discovered at Ohio State University by Terry Reeves in May
of this year. It is a floppy-only variety. It will infect any new
diskette as soon as the diskette is accessed (COPY, DIR, DEL, Program
Load, etc.), similar to the Pakistani Brain. The virus will freeze
the system if a <ctrl><alt><del> is pressed and a cold boot is then
required. When the virus activates, the first copy of the FAT becomes
corrupted. No other symptoms have been reported. More information
will be supplied after a detailed analysis.
------------------------------
Date: Tue, 29 Aug 89 21:24:18 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: VirusScan updated for New Ohio Virus (PC)
ViruScan V36 now identifies the new virus found at Ohio State
University. The scanner identifies the virus as the 'Ohio Virus'. This
name was discussed with Terry Reeves at Ohio State (the discoverer) and
he has assented to its use.
Alan
------------------------------
Date: Wed, 30 Aug 89 14:41:53 -0000
From: LBA002%PRIME-A.TEES-POLY.AC.UK@IBM1.CC.Lehigh.Edu
Subject: nVIR A and nVIR B explained (Mac)
I spotted this in the August issue of Apple2000 (a UK Mac user group
magazine.) It first appeared on the Infomac network and the author is
John Norstad of Academic Computing & Network Services, Northwestern
University (hope it's OK with you to reproduce this John?)
It may be old hat to all the virus experts, but I found it
interesting & informative.
nVIR A & B
There has been some confusion over exactly what the nVIR A & nVIR B
viruses actually do. In fact, I don't believe the details have ever
been published. I just finished spending a few days researching the
two nVIR viruses. This report presents my findings.
As with all viruses, nVIR A & B replicate. When you run an infected
application on a clean system the infection spreads from the
application to the system file. After rebooting the infection in turn
spreads from the system to other applications, as they are run.
At first nVIR A & B only replicate. When the system file is first
infected a counter is initialized to 1000. The counter is decremented
by 1 each time the system is booted, and it is decremented by 2 each
time an infected application is run.
When the counter reaches 0 nVIR A will sometimes either say "Don't
Panic" (if MacinTalk is installed in the system folder) or beep (if
MacinTalk is not installed in the system folder.) This will happen on
a system boot with a probability of 1/16. It will also happen when an
infected application is launched with a probability of 31/256. In
addition when an infected application is launched nVIR A may say
"Don't Panic" twice or beep twice with a probability of 1/256.
When the counter reaches 0 nVIR B will sometimes beep. nVIR B does
not call MacinTalk. The beep will happen on a system boot with a
probability of 1/8. A single beep will happen when an infected
application is launched with a probability of 15/64. A double beep
will happen when an application is launched with a probability of
1/64.
I've discovered that it is possible for nVIR A and nVIR B to mate and
sexually reproduce, resulting in new viruses combining parts of their
parents.
For example, if a system is infected with nVIR A and if an application
infected with nVIR B is run on that system, part of the nVIR B
infection is replaced by part of the nVIR A infection from the system.
The resulting offspring contains parts from each of its parents,
and behaves like nVIR A.
Similarly, if a system is infected with nVIR B and if an application
infected with nVIR A is run on that system, part of the nVIR A
infection in the application is replaced by part of the nVIR B
infection from the system. The resulting offspring is very similar
to its sibling described in the previous paragraph except that it has
the opposite "sex" - each part is from the opposite parent. It
behaves like nVIR B.
These offspring are new viruses. If they are taken to a clean system
they will infect that system, which will in turn infect other
applications. The descendants are identical to the original
offspring.
I've also investigated some of the possibly incestuous matings of these
two kinds of children with each other and with their parents. Again
the result is infections that contain various combinations of parts
from their parents.
(Hot stuff!)
Rgds,
Iain Noble
------------------------------
Date: Wed, 30 Aug 89 19:52:23 -0500
From: Christoph Fischer <RY15%DKAUNI11.BITNET@IBM1.CC.Lehigh.Edu>
Subject: VACSINA ... why we called it so (PC)
Hi,
We called the virus VACSINA because the virus opens a file named VACSINA.
It doesn't check the return status of the open call. It never touches the
file till the end of the virus code, where it closes the file (again
ignoring the return code). We think the virus programmer will add some
code in a later version of the virus. (Remember we presumed that this is
a prematurely escaped virus.) The word vaccine comes from the Latin word
vacca = cow and is spelled with two c's in all languages. Only in Norwegian
did we find the word spelled vaksine. So VACSINA is rather odd, and what
the virus does with the file it opens is odd too, so we decided to name the
virus VACSINA. Anyhow, nobody will detect a virus by its name, like Cascade
or Vienna or whatever. The file length is somewhat ambiguous and therefore
not necessarily suitable.
To detect the original virus we found, you can in fact search for the word
VACSINA (all capitals).
I hope this answers those questions about the name.
Chris
*****************************************************************
* Torsten Boerstler and Christoph Fischer and Rainer Stober *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET *
*****************************************************************
------------------------------
Date: Wed, 30 Aug 89 15:35:53 -0400
From: "Gregory E. Gilbert" <C0195@UNIVSCVM>
Subject: Virus Collection (Mac)
Suppose one has a disk infected with nVir B. How would one go about
"capturing" the virus?
------------------------------
Date: Wed, 30 Aug 89 17:11:34 -0400
From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
Subject: Virus Collecting (Mac)
"Gregory E. Gilbert" <C0195@UNIVSCVM> writes:
>
>How does one go about "capturing" virus code on an infected disk or at
>least view the offending code? Would one use ResEdit? Any other
>comments are most welcome. Thanks much.
>
Very carefully. ResEdit is of course the best way of looking at the
resources in a given file, but it's of little use if you are attempting
to disassemble the code. MacNosy is a good debugger/disassembler
combination, once you know where the code is hiding.
My suggestion, of course, is to get rid of any virus you find as fast
as possible. If you're sure it's new, contact John Norstad at the
address in the Disinfectant documentation; he's interested in new
viruses, so that he can keep Disinfectant up to date.
--- Joe M.
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253