home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.231
< prev
next >
Wrap
Text File
|
1995-01-03
|
14KB
|
330 lines
VIRUS-L Digest Friday, 3 Nov 1989 Volume 2 : Issue 231
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Brain Virus info needed (PC)
Jerusalem Virus (PC)
Re: Checksum programs
WANK Antidote (VAX/VMS/DECnet)
Virus Invasion of Hardware?
Macintosh Virus List (Mac)
Identify Ashar Virus
re: VGA2CGA infected with virus? (PC)
---------------------------------------------------------------------------
Date: Fri, 03 Nov 89 10:01:04 -0600
From: Mitch Cottrell <C2852%UMRVMB.BITNET@VMA.CC.CMU.EDU>
Subject: Brain Virus info needed (PC)
Help Help Help
We have been infected with two virus strains... Jeruslum-B and
Pakastani Brain... I have gotten some information on Jeruslium...
but have not been able to get any info on brain other than how it
replicates itself.. I still dont know what system damage it can do
other than eat up a couple sectors of disk space. Please let me know
if you have any info on this virus or a source for info. ps. I have
already tried McAfee Associates BBS.
Thanks...
Acknowledge-To: <C2852@UMRVMB>
------------------------------
Date: Fri, 03 Nov 89 24:41:00 -0500
From: "Chris_C.Conner" <13501CCC%MSU.BITNET@IBM1.CC.Lehigh.Edu>
Subject: Jerusalem Virus (PC)
The computers(PC) in many of the labs on campus(MSU) have been struck
by the Jerusalem Virus. I used SCAN.EXE (I don't know what version)
and identified it as the Jerusalem Virus. Irealize there have been
quite a few articles about it in the recent digests, but thinking I
was not susceptible, I didn't bother reading any of them. Could
someone please send me any information on what the virus does, what I
can do to get rid of it, and any other shareware that could help out.
CCC
------------------------------
Date: 03 Nov 89 17:44:32 +0000
From: kerchen@iris.ucdavis.edu (Paul Kerchen)
Subject: Re: Checksum programs
In article <0002.8911031455.AA13850@ge.sei.cmu.edu> len@csd4.csd.uwm.edu (Leona
rd P Levine) writes:
>The checksum program and the checksum should be stored in a place that is
>different on each machine. Furthermore, there is no special "best"
>crc or testing algorithm, many will do with varying polynomials.
True, but the checksum program must have some way of knowing what
these algorithms are and where the checksums are stored. If the `sum
program can find these things, so can a virus. If the `sum program
must be told where these things are then there is no problem; the
virus cannot find the info it needs because it isn't on the system.
However, that could become tedious for administrators who oversee
tens or hundreds of machines, detracting them from their real work.
>A satisfactory system is one in which each user can use a polynomial
>of his/her choice and where the list of files and their crc's
>(for example) is stored in some arbitrary location. No virus writer
>will be looking for YOU, rather just a collection of systems that
>are alike enough to infect.
Again, where are these polynomials stored? One must keep this fact
in mind: a virus can do anything a legitimate program can do. A "good"
virus will be able to adapt to minor changes in systems and find out
where these things are hidden.
I don't mean to play the devil's advocate here, but I think it's
important to realize that no solution will be a 100% solution. There
are a lot of people who read this newsgroup, some of whom may not
realize this point, and it always pains me to hear about someone who
invested all of their trust into some vaccine, only to get burned by
the next virus to come down the pike; they didn't realize the
complexity of the problem and jumped right on to someone's bandwagon.
Folks have to realize that all of the vaccines, filters, shields,
latest & greatest methods, etc., will only slow viruses down; they
won't stop them. Of course, if the resposible computing community can
make it so difficult for the degenerate virus writers to make a
living, perhaps those degenerates will find something else to occupy
their time, like making crank calls or torturing small woodland
animals.
Paul Kerchen | kerchen@iris.ucdavis.edu
------------------------------
Date: Fri, 03 Nov 89 13:10:39 -0500
From: TBUTLER@NSSDCA.GSFC.NASA.GOV
Subject: WANK Antidote (VAX/VMS/DECnet)
*********** WANK WORM VACCINE **************
A vaccine to combat the WANK worm has been developed by Bernard Perrot
of the Institut de Physique Nucleaire, Orsay, France.
The vaccine consists of creating a bogus file which you put in
SYS$SYSTEM:RIGHTSLIST.DAT. When the worm tries to use the information
in this file, the worm-code generates errors and blows up causing the
attacking worm to die. The vaccine does NOT affect the remote system -
it only kills the worm.
This vaccine will stop attacks from any attacking nodes, it should
therefore greatly reduce the "annoyance level" of attacks by reducing
the volume of audit trails.
******************* IMPORTANT IMPORTANT IMPORTANT ***********************
PLEASE READ!!!
THIS VACCINE WILL ONLY WORK AGAINST **CURRENT** STRAINS OF THE WORM.
WE BELIEVE HOWEVER THAT TO ELIMINATE THIS WORM FROM THE NETWORK, THIS
TECHNIQUE WILL HAVE TO BE USED ON AS MANY SYSTEMS AS POSSIBLE. IT IS
THE ONLY WAY TO ATTACK THE WORM AT IT'S SOURCE (short of system
management action on the infected node...and a lot of system managers
are either asleep, ignorant, lazy or??? and therefore the worm has
been running on some systems for days).
******************************************************************************
This method has been tested on VMS 4.7 thru VMS 5.2 systems. In order to
correctly implement this fix, the following steps must be performed:
1) If you have previously implemented any of our suggestions regarding
file protection or ACL's on RIGHTSLIST.DAT, it is necessary to undo them
restoring SYS$SYSTEM:RIGHTSLIST.DAT to its original configuration.
2) RENAME the file SYS$SYSTEM:RIGHTSLIST.DAT to some other name of
your choosing.
3) To make VMS operate correctly with the rightslist file in a new
location, issue the following command, and also add it to your
system startup procedure:
$DEFINE/SYSTEM/EXEC RIGHTSLIST <ddcu:[dir]new-file-name>
The worm won't find the file because it can't translate the
logical symbol.
4) Take the 4-line file listed below, protect it W:R and do not
put an ACL on it. Name it SYS$SYSTEM:RIGHTSLIST.DAT. You *WANT*
the worm to access this file! Users on your system will translate the
system logical RIGHTSLIST and things will work correctly.
When an infected system attacks your node, the first thing it does is
copy your sys$system:rightslist.dat file and tries to get your local
usernames. This dummy file will cause the attacking worm to abort with
a fatal error when it tries to use the information it finds in the
bogus file.
If you have followed each of the above steps, VMS will run normally, and
you will not be vulnerable to the CURRENT strains of the worm which are
running aroung the network.
The following file should be copied into SYS$SYSTEM:RIGHTSLIST.DAT exactly
as it appears below:
- -------------------------- CUT HERE - RIGHTSLIST.DAT -----------------
DUMMY MAINTENANCE RECORD
0123456789012345"'F$PID(ON)
0123456789012345'F$PID(ON)
0123456789012345BATCH
- --------------------------- CUT HERE ----------------------------------
John McMahon of NASA/GSFC Advanced Data Flow Technology Office has
created a command procedure that will have the same end-result as the
above instructions. It is available by copying WANK_SHOT.COM from
NSSDCA::WANK_SHOT.COM or 6277::WANK_SHOT.COM. This command procedure
uses a modification of the above procedure using a SET FILE/ENTER
command to set up an alias for RIGHTSLIST.DAT rather than the RENAME
command above. Knowledgable system managers may want to decide for
themselves which version they prefer.
Todd Butler Ron Tencati
SPAN/GSFC Routing Center Manager SPAN Security Manager
(301)286-7251 (301)286-5223
6277::Tbutler or NSSDCA::tbutler 6277::Tencati or NSSDCA::Tencati
------------------------------
Date: Fri, 03 Nov 89 13:38:54 -0500
From: "Gregory E. Gilbert" <C0195%UNIVSCVM.BITNET@VMA.CC.CMU.EDU>
Subject: Virus Invasion of Hardware?
Is it possible to write a virus that will invade hardware? Has it
been done? Just curious.
Gregory E. Gilbert
Computer Services Division
University of South Carolina
Columbia, South Carolina USA 29208
(803) 777-6015
Acknowledge-To: <C0195@UNIVSCVM>
------------------------------
Date: Fri, 03 Nov 89 13:50:53 -0500
From: "Gregory E. Gilbert" <C0195%UNIVSCVM.BITNET@VMA.CC.CMU.EDU>
Subject: Macintosh Virus List (Mac)
Recently I have been writing an article on Macintosh infections. In
writing the article I tried to compile an exhaustive list of Macintosh
viruses. Below is the list. If anyone has anything to add to the list
I would appreciate them notifying me so I can update the list. Thanks
much!
================================= CUT HERE ==================================
Macintosh Infections
- ----------------------
There are about eight Macintosh infections that are known at present
(a list of infections and the years in which they first appeared
can be seen in the following table).
- ------------------------------------------------------------
Infection Strains Clones
- ---------- ------- ------
Scores(Spring 1988)*
nVir(Early 1988)
nVir A(?)
nVir B(?)
Hpat(Late 1988)
AIDS(Late 1988)
MEV#(March 1989))
nFLU(August 1989)
INIT 29(Late 1988)
ANTI(Early 1989)
MacMag(December 1987)**
Dukakis(Early 1988?)
SNEAK(?)
San Jose Flu(?)
- ------------------------------------------------------------
* - also known as the NASA virus
** - also known as the Drew Virus, Brandow Virus, and the Peace
Virus
================================== AND HERE =================================
Gregory E. Gilbert
Computer Services Division
University of South Carolina
Columbia, South Carolina USA 29208
(803) 777-6015
Acknowledge-To: <C0195@UNIVSCVM>
------------------------------
Date: Fri, 03 Nov 89 14:41:00 -0500
From: SHERIFF@steffi.acc.uncg.edu
Subject: Identify Ashar Virus
We encountered a boot sector virus yesterday that we have not seen,
can anyone help with identification and explanation? The virus has
only been identified on disks that also contain the Pakistani Brain
Virus. Further, we have only seen it on three diskettes, thus far.
When we run Viruscan 0.7V42 on an infected disk, here is what we see:
" Found Pakistani Brain Virus in boot sector.
Found Ashar Virus in boot sector.
Disk B: contains 1 directories and 5 files.
ld viruses found. "
Please also observe that the number of viruses found is oddly noted.
I have only noticed that phenomenon when the Ashar virus has been
identified.
Light shed by anyone concerning this virus would be greatly appreciated.
Tom Sheriff
Microcompuer Support Manager
UNC Greensboro - Greensboro, NC
SHERIFF@UNCG.BITNET
SHERIFF@STEFFI.ACC.UNCG.EDU
------------------------------
Date: 01 Nov 89 15:16:07 -0500
From: "David Chess" <CHESS@ibm.com>
Subject: re: VGA2CGA infected with virus? (PC)
I have a sample of this thing (or what I assume is the same thing) now;
it seems to be a rather silly overwriting-virus (that is, rather than
arranging to execute more or less silently before the victim, it
simply arranges to execute *instead of* the victim; the victim code,
at least much of it, no longer exists). It also seems to be written
in a Borland language, perhaps Turbo Pascal. It's very possible that
it's based on the Turbo Pascal overwriting-virus "Number One", source
for which was published in the Burger book "Computer Viruses, a
high-tech disease". I haven't taken it apart enough to know,
for instance, what damage if any it does, or when it prints its
message; it's hard to reverse-compile compiler output, and this
virus isn't likely to spread very far (since an infected file
is obviously infected, in that it doesn't do what it used to...).
DC
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253