home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.210
< prev
next >
Wrap
Text File
|
1995-01-03
|
19KB
|
402 lines
VIRUS-L Digest Tuesday, 3 Oct 1989 Volume 2 : Issue 210
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
re: Why not change OS?
re: Future AV software (PC)
List of PC viruses
VGA2CGA.ARC (or .ZIP) infected with virus (PC)
Re: Future AV software (PC)
Re: Posting to VALERT-L re: M-1704 (PC)
nVIR B (Mac)
Re: Viruses in Commercial Software
New PC Virus (AIDS Virus)
---------------------------------------------------------------------------
Date: 02 Oct 89 00:00:00 +0000
From: David.M..Chess.CHESS@YKTVMV
Subject: re: Why not change OS?
Hm. You seem to be assuming, among other things, that:
- If a virus can't talk directly to the hardware or to files
belonging to other folks, it can't do any serious harm, and
- UNIX programs are exchanged only as source, not as binaries.
I'd disagree with both of those claims; the Jerusalem virus, one of
the most widespread and troublesome in the PC world, doesn't talk
directly to the hardware, and doesn't rely on being able to write out
of the user's own space. I imagine everyone on the list can think of
a number of nasty/destructive/confusing things that a virus could do
even if it only had access to the user's own data files, and couldn't
write direct to hardware (I won't list any here, hehe!).
As UNIX and UNIX-derived systems continue to spread beyond the
programmer community, program exchange among groups using the same
hardware will tend, I would expect, to include more exchange of
binaries. I wouldn't expect to see a virus that could infect more
than one or two hardware platforms in the near future (cross fingers),
but a virus that could spread to any machine in one of the more
popular UNIX hardware categories would be quite enough to cause
problems for lots of folks!
While I don't know of any UNIX viruses at the moment, I would disagree
with the suggestion that UNIX is inherently virus-resistant enough to
make it worthwhile switching OS's in hopes of being able to forget
about virus protection! The same applies to any other general-purpose
OS around; viruses *don't* need insecure systems to spread and do Bad
Things. That's the whole point...
DC
IBM T. J. Watson Research Center
UNIX is a trademark of AT&T (or Bellcore, or someone like that)
------------------------------
Date: 02 Oct 89 00:00:00 +0000
From: David.M..Chess.CHESS@YKTVMV
Subject: re: Future AV software (PC)
Unfortunately, it's just about impossible to scan for new viruses by
examining the on-disk image of programs, and looking for things like
INTs. Three (at least) of the families of PC viruses out in the world
today store themselves on disk in "garbled" form, with only a little
"degarbler" stored in clear. That degarbler doesn't contain any INTs
or other suspicious instructions, and the garbled part of the virus
appears to be random data. The nasty instructions don't appear until
the virus executes, and the degarbler converts the garbled stuff to
code. So it's really only possible to catch these things at runtime
(as Flushot+ and similar programs try to do), not on disk...
DC
------------------------------
Date: Mon, 02 Oct 89 17:54:26 +0200
From: Y. Radai <RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU>
Subject: List of PC viruses
On May 16 I submitted a list of 20 PC viruses to VIRUS-L. Since
then, the Terrible Twenty have become the Threatening Thirty (Plus
Two). Here's the list updated to the present (well, actually, only
to yesterday; at the current rate there'll probably be at least five
more today :-) ).
PC-DOS/MS-DOS Viruses
=====================
No. of First
Names Strains Type Appearance
----- ------- ---- ----------
1. Brain, Pakistani, Ashar 8 Boot sector 7K F Jan? 86
2. Merritt, Alameda, Yale 8 Boot sector 1K F Apr? 87
3. South African, Friday 13th 2 COM D ? 87
4. Lehigh 2 COMMAND.COM RO 0 Nov 87
5. Vienna, Austrian, Dos-62, Unesco 3 COM D 648 Dec? 87
6. Israeli, Friday-13, Jerusalem 12 COM/EXE R 1813/1808 Dec 87
7. April-1-Com, Suriv-1 1 COM R 897 Jan 88
8. April-1-Exe, Suriv-2 1 EXE R 1488 Jan 88
9. Ping-Pong, Bouncing-Ball, Italian 3 Boot sector 2K Mar 88
10. Marijuana, Stoned, New Zealand, 2 Boot sector 1K; Early 88
Australian partition record on hard disk
11. Nichols 1 Boot sector Apr 88
12. Missouri 1 Boot sector May 88 (89?)
13. Agiplan 1 COM R 1536 Jul 88
14. Cascade, Autumn, Blackjack 6 COM R 1701/1704 Sep 88 (87?)
15. Oropax, Music 1 COM RD 2756 to 2806 Feb 89
16. DenZuk, Venezuelan, Search 6 Boot sector 7K F Early 89?
17. Dbase 1 COM/EXE R Mar? 89
18. DataCrime 2 COM D 1168/1280 Mar 89
19. 405 1 COM DO 405 Apr? 89
20. Screen 1 COM R May? 89
21. FuManchu 1 COM/EXE R 2086/2080 May? 89
22. Ohio 1 Boot sector May 89
23. Icelandic, Saratoga 3 EXE R 656/642/632 Jun? 89
24. Typo 1 Boot sector 2K Jun 89
25. Traceback 1 COM/EXE RD 3066 Jun 89
26. Disk Killer 1 Boot sector Jun? 89
27. Swap 1 Boot sector 2K Jul 89
28. DataCrime II 1 COM/EXE D 1514 Jul 89
29. Vacsina 1 COM/EXE R 1206 Aug 89
30. Mix1 1 EXE R 1618 Aug 89
31. Syslock, 3555 1 COM D 3555 Sep 89
32. Dark Avenger 1 COM/EXE 1800 Sep 89
--
Total no. of strains 77
Summary by type:
Boot = 11, COM = 10, EXE = 3, COM/EXE = 7, COMMAND.COM = 1.
Among file viruses,
Resident = 12, Direct = 6, Resident-Direct = 2.
Notes:
1. In the "Type" column, "COM" or "EXE" indicates the type of files
infected. "R" stands for "resident", meaning that when an infected
program is run the virus makes itself RAM-resident (hooking one or
more interrupts); usually such a virus infects subsequently executed
programs of the appropriate type, e.g. COM files. "D" stands for
"direct", meaning that it searches the disk for an uninfected file and
infects it; normally such a virus does not stay resident. (However,
it is possible for a virus to be both resident and direct in this
sense.) "O" indicates that the virus overwrites the beginning of the
file instead of appending or prepending itself to it. The number(s)
after the "R" or "D" indicate the number of bytes by which the virus
extends files which it infects (however, in the case of EXE files, the
total size of the file after infection will get rounded up to the next
multiple of 16 if it is not already such a multiple). The number
after the "O" is the number of bytes overwritten. In the case of a
boot-sector virus, the number of the form "nK" indicates the amount of
RAM which the virus occupies. "F" means that the virus infects only
diskettes.
2. I include only those viruses which have spread publicly, as
opposed to localized test viruses (of which there may be hundreds).
(The "Pentagon virus" is deliberately excluded since as far as I know
it has not spread publicly; in fact, in the form it was received in
the UK, it cannot spread at all.)
3. By definition of "virus", this list does not include non-replica-
ting software.
4. Questionable cases:
(a) I suspect that the "Lotus 123 virus" and the "Cookie virus" repor-
ted recently in VIRUS-L may not be true viruses, and I have therefore
decided not to include them, at least for the time being.
(b) Although I have included the Dbase and Screen viruses reported by
Ross Greenberg, no one else currently on VIRUS-L seems to have encoun-
tered them. Jim Goodwin claimed that Dbase does not replicate and
hence is not a virus, though it's possible that Jim and Ross were
talking about two different things.
(c) In May 88 I read about a "retro-virus" which infects 3 specific
programs and is capable of reinfecting files after apparently being
eradicated. Does anyone have any further info on this virus?
(d) I have heard of spreadsheet viruses which occasionally change a
value by a small amount, but I have not included them in the table.
Further info would be appreciated.
We frequently find new viruses which have evidently been created by
using an existing virus as a starting point and then modifying it.
When should the new creature be considered a new virus and when should
it be considered as merely a new strain of the same virus? The cri-
terion I have tried to follow (though I probably haven't been entirely
consistent) is as follows:
If the "damage" part of the virus has been qualitatively altered, or
if a virus has been altered to infect additional files (e.g. EXE files
where the original infected only COM files), then I classify it as a
separate virus. (E.g. although FuManchu, Typo, DataCrime-2, and Mix1
are based on Israeli-Friday13, Ping-Pong, DataCrime-1 and Icelandic-1,
resp., I consider these as separate viruses.)
If code has been altered, but only by something minor, such as
changing a target date or the number of infections required to trigger
the damage, or if the alteration seems to be merely an attempt on
the author's part to *improve* the code of an existing virus without
adding new features, then I regard it as a different strain of the
same virus.
If the only difference is that only strings (e.g. messages or volume
labels) have been modified, then I do not consider it as even a sepa-
rate strain.
Corrections and additions to this list are welcome. (I'm particu-
larly curious about those questionable dates.) Please send your cor-
rections directly to me; I'll post an updated version of this table
from time to time.
I have received suggestions to include additional info in the table,
such as the symptoms and damage caused by each virus, what types of
disks it infects, etc. While I agree that such information would be
very useful, it is beyond the intended scope of this table, both be-
cause of the difficulty of describing this information in such a short
space and because the answers often depend on the particular strain
of the virus. This would make the table much more complicated than it
was intended to be. Those interested in further information on the
viruses listed here will eventually find it in various catalogs under
preparation, e.g. one by David Ferbrache and another by the Virus Test
Center at the Univ. of Hamburg (these include non-PC viruses as well).
Acknowledgments: I have drawn on information provided by many
people. Postings in VIRUS-L are too numerous to mention individual
names, but among those who have corresponded with me personally, I
would like to thank Dave Ferbrache, Dr. Alan Solomon, Joe Hirst, Prof.
Klaus Brunnstein, Fridrik Skulason, John McAfee, Bernd Fix, Otto
Stolz, and David Chess.
Y. Radai
Hebrew Univ. of Jerusalem
------------------------------
Date: Mon, 02 Oct 89 11:08:00 -0600
From: Keith Petersen <w8sdz@WSMR-SIMTEL20.ARMY.MIL>
Subject: VGA2CGA.ARC (or .ZIP) infected with virus (PC)
A BBS operator in the Detroit area received an MSDOS program infected
with a virus. The file, VGA2CGA.ARC (or .ZIP) - a program which
claims it can display VGA graphics on a CGA display, has not been
distributed in Detroit and no systems were affected as far as we know.
The date/time stamps of the member files in this archive are April 1,
1989 (April fools day).
The BBS in California where this file was obtained has been notified
to remove the file.
Please let me stress that SIMTEL20 does NOT have this program in its
archives. I am just acting as a go-between to pass the warning to
this newsgroup.
[Ed. See followup, on "AIDS" virus, from Alan Roberts in this digest.]
- --Keith Petersen
Maintainer of SIMTEL20's CP/M, MSDOS, and MISC archives
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil [26.2.0.74]
Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz
------------------------------
Date: 02 Oct 89 21:32:49 +0000
From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Re: Future AV software (PC)
In article <0014.8910021145.AA27888@ge.sei.cmu.edu> carroll1!tkopp@uunet.UU.NET
(Tom Kopp) writes:
| A version/variant of ViruScan would run, searching not for
| viral-identifying code, but rather for the interrupt calls that write
| to a disk (a la Flu_Shot techniques). When it finds one, it looks in
| a table to see if that code is allowed.
There is a program to do this already. CHK4BOMB will scan a program and
report on anything "suspicious" it finds. This was originally meant to
find Trojan Horses, but could work against some viruses as well if used
in conjunction with other programs. One thing it cannot find is code
which is self-modifying, thus hiding the actual low-level access to the
disk controller.
- --
Jim Wright
jwright@atanasoff.cs.iastate.edu
------------------------------
Date: Mon, 02 Oct 89 18:18:56 -0500
From: James Ford <JFORD1%UA1VM.BITNET@VMA.CC.CMU.EDU>
Subject: Re: Posting to VALERT-L re: M-1704 (PC)
I recently posted a question on VALERT-L about the file M-1704.EXE.
SCAN V36 stated that it was infected. I now know, from McAfee and
others, that the 1704 virus is encrypted. Since it is, M-1704 must
have a specific hex search string in it....one that will indeed cause
SCAN to flag it. This is *normal* (thats as technical as I can
get....I don't know more, and what I just said is probably techincally
wrong).
I hope that my posting of the VALERT-L message does not reflect
negatively on the Wellspring BBS. The Wellspring BBS is a top-notch
BBS, and its anti-viral file collection is among the best in the
country. If I gave you a wrong impression of Wellspring, I apologize.
I would post this statement about the Wellspring BBS on VALERT-L, but
have been informed that VALERT-L is not suppost to be carrying such
postings.
JF
Acknowledge-To: <JFORD1@UA1VM>
------------------------------
Date: Mon, 02 Oct 89 19:46:00 -0500
From: <CTDONATH@SUNRISE.BITNET>
Subject: nVIR B (Mac)
I recently came across the nVIR B virus on a cluster of Macs. I removed
it using Disinfecant 1.5 and appears to be gone.
What problems does nVIR B cause? Does it delete files, do annoying things,
or simply spread? Being a semi-public cluster, how much of a concern
is its presence?
------------------------------
Date: 03 Oct 89 02:23:01 +0000
From: bnr-di!borynec@watmath.waterloo.edu (James Borynec)
Subject: Re: Viruses in Commercial Software
In article <0008.8909281133.AA14331@ge.sei.cmu.edu>, TMPLee@DOCKMASTER.ARPA wri
tes:
> In commenting on viruses being distributed (accidentally, of course)
> through commercial software someone recently mentioned that someone
> near him had been hit by a virus that was in a shrink-wrapped copy of
> WordPerfect. I'm skeptical...
It happened. A co-worker bought a copy of WordPerfect for his Amiga. When
it came to him, it was infected. Those are the facts as he told them to me.
If anyone wants more details I am willing to supply them. It probably
won't do any good because the problem has been fixed. If anyone is
collecting historical information and wants more details send E-mail.
(BTW. to the person who sent me E-mail on this topic, did my reply get
through to you?)
The story behind this goes something like: WP sold the distribution and
support rights for the Amiga version of WP for Canada to a company in
Ontario. That company had some problems. That company no longer
has the redistribution rights.
I personally have been hit TWICE by viruses in commercial software. From
different vendors. Once when I was examining a popular speech synthesis
package for my Mac, and once when we got our TI micro-explorer. Just the
thing, factory loaded viruses.
To summarize: It happens. Treat ALL software entering your system
with caution.
James Borynec
- --
UUCP : utzoo!bnr-vpa!bnr-di!borynec James Borynec, Bell Northern Research
Bitnet: borynec@bnr.CA Box 3511, Stn C, Ottawa, Ontario K1Y 4H7
------------------------------
Date: Mon, 02 Oct 89 21:45:03 -0700
From: portal!cup.portal.com!Alan_J_Roberts@SUN.COM
Subject: New PC Virus (AIDS Virus)
A new PC virus was submitted to the CVIA from Keith Peterson (who
maintains the SIMTEL20 MSDOS archives). This virus replicates in COM files
and has the unusual capability of infecting generic COM files internally -
without changing the real size of the file (unlike the zero-bug virus which
maintains an "apparent" constant infected file size). Small COM files are
infected externally, and the files sizes, for all files under 10K, changes to
13952 bytes - another unusual characteristic. The virus displays a full
screen graphic with the the word "AIDS" occupying the bottom half of the
screen. The top half contains a long rambling message from the author
informing the user of how stupid he has been for using public domain
software.
SCANV40 has been updated to identify the virus. It is not yet known
how destructive the virus may be (all tests have been done with a disabled
hard disk). More info forthcoming. ViruScan identifies the virus as the
AIDS Virus. Thanks to Keith Peterson for his quick identification of
the virus and for his timely response.
Alan
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253