home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.259
< prev
next >
Wrap
Text File
|
1995-01-03
|
16KB
|
386 lines
VIRUS-L Digest Wednesday, 13 Dec 1989 Volume 2 : Issue 259
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Preventative measure for DIR exec (VM/CMS)
AIDS Disk sent in UK
Wdef at UKCC (Mac)
re: Poland Viruses/Oropax (PC)
Re: Seeking Gatekeeper (Mac)
Never say die
Major Trojan Warning (PC)
Update on AIDS Trojan (PC)
Yet Another EAGLE Appears (PC)
---------------------------------------------------------------------------
Date: Tue, 12 Dec 89 09:58:06 -0500
From: Lee Miller (Gonzo) <LPM102@PSUVM.PSU.EDU>
Subject: Preventative measure for DIR exec (VM/CMS)
Just a suggestion but anyone who wants to take an extra
precautionary measure towards the dir exec or any virus erasing files
meeting certain time date criteria could use the touch exec and module
available from the listserver at BLEKUL11 to change the time date of
your files. Thus before running any exec that you don't know what it
it you change all time dates to before 1990 so the deletion that dir
does wont find anything to erase. If you have any inquiries to this
exec e-mail me.
Lee Miller
LPM102@PSUVM.psu.edu.Bitnet
------------------------------
Date: Tue, 12 Dec 89 14:53:34 +0000
From: Alan Jay <alanj@ibmpcug.co.uk>
Subject: AIDS Disk sent in UK
AIDS DISK -- PC Cyborg Corporation
This disk was mailed to many people on a major magazine mailing list today
12-DEC-1989.
If you recived a copy DO **NOT** RUN it -- We do NOT know what it does.
This disk implies that it may cause harm to your PC -- DO NOT RUN IT!!!!
If you have run it -- DO NOT PANIC!!!!
Currently we have NO proof that the disk is harmful.
DO NOT RUN THE PROGRAM AGAIN.
The program renames your "autoexec.bat" so you will have to reconstitute your
old one. "Autoexec.bat" has been hidden by setting the 'hidden' attribute
you may need NORTON or similar to delete the new "Autoexec.bat".
There are also a number of other hidden subdirectories.
Currently we do not kenow the purpose of this disk and so can not say what
damage that it may do, if any, or what you should do about it.
Warn other users not to run the program.
Currently the only 100% safe course of action is to boot of the original
DOS system disk and perfrm a reformat of your disk -- We DO NOT recommend
you do this unless you have a recent backup that you are happy with --
We have no proof of any malicious nature in this disk.
We hope to update this bulletin later today or tomorrow as more information
becomes available.
[Ed. See more information below.]
Alan Jay @ The IBM PC User Group, PO Box 360, Harrow HA1 4LQ ENGLAND
Phone: +44 -1- 863 1191 Email: alanj@ibmpcug.CO.UK
Path: ...!ukc!slxsys!ibmpcug!alanj Fax: +44 -1- 863 6095
Disclaimer: All statements made in good faith for information only.
------------------------------
Date: Mon, 11 Dec 89 17:28:00 -0500
From: someone please stop the bunny <ACSAZ@SEMASSU.BITNET>
Subject: Wdef at UKCC (Mac)
Guess what?! I just talked to someone at UKCC (University of
Kentucky) with a finder slowdown problem. He checked and it was WDEF.
So now we have another site for WDEF infection. To date Southeastern
Mass U is clean (of WDEF that is). This is not nice. Anyone know
where this one came from?
- Zav
"ACS - Never a dull moment"
------------------------------
Date: 12 Dec 89 00:00:00 +0000
From: "David.M..Chess" <CHESS@YKTVMV.BITNET>
Subject: re: Poland Viruses/Oropax (PC)
Alan_J_Roberts@cup.portal.com:
> One of the five viruses submitted to McAfee by Andrzej Kadlof
> appears to be the long-lost Oropax virus, at least according to Dave
> Chess at IBM.
Just to be as timid as possible, I didn't say "this is the Oropax
virus"; I said "this seems to match the description of the 'Oropax'
given in the MSDOSVIR.A89 document from Hamburg". For all I know,
this is a brand-new virus, written by some unimaginative virus author
who heard the Oropax rumors, and decided it was a good idea! *8)
DC
------------------------------
Date: Mon, 11 Dec 89 19:41:41 -0700
From: Ben Goren <AUBXG@ASUACAD.BITNET>
Subject: Re: Seeking Gatekeeper (Mac)
Thanks to all those who replied. Here's a summary of what people reccomended:
Gatekeeper is avaible
1) through the Info-Mac archives. These can be accesed (as I did) through
Macserve (tell Macserve at PUCC help for instructions) or FTP at
sumex-aim.stanford.edu or Rice University (I no longer have their
complete address). There also is a relay in Ireland, and I believe others;
2) through FTP at Simtel-20.
3) through many individuals, including myself, if all else fails. Just ask!
The Info-Mac archives have several other virus protection programs, as well as
a large collection of other free-, shareware, and public domain files. I
imagine that Simtel-20 also has a similar collection, if it is not another
copy of Info-Mac.
Now, one more question: is there a complete list of resources one shoul
configure VirusDetective with?
Thanks again,
..............................................................
Ben Goren T T T /
Trumpet Performance Major )------+-+-+--====*0
Arizona State University ( --|-| |---)
Bitnet: AUBXG@ASUACAD --+-+-+--
..............................................................
------------------------------
Date: Thu, 07 Dec 89 21:42:23 -0800
From: cpreston@cup.portal.com
Subject: Never say die
Virus Immortality
There is a growing trend, not just in portable computers, to save
the state of the machine when the computer is "turned off".
This is a consideration for fault-tolerant or semi-fault-tolerant
systems, where there has been great attention paid to saving all
files and system state no matter what, but probably these system
administrators will be knowledgeable enough to work through the
problems created by system design.
There will, however, be users who don't understand what is
happening when they put a computer to sleep or turn it off, or even
remove the battery. In some cases, even removal of the power supply
(battery) does not kill the contents of RAM due to a "keep-alive"
smaller battery backup.
Leaving aside the other security implications of always
preserving RAM, (such as password retention or decrypted file
retention) virus detection and removal will certainly be more
confusing.
In other words, the current practice of telling computer users to
be sure their machine has been turned off during virus removal will
no longer be sufficient. Even the people who think they are being
extra careful by removing the battery for a minute or two will be
fooled.
Cases in point:
1. Macintosh Portable. The normal "off" mode is really a sleep
mode, with all RAM contents retained. At the touch of a key,
the user is able to continue with any operations in progress
at the time the machine was left. The running program (s) are
still running, data files open, etc. Removal of the main
battery will not erase RAM due to a 9 volt backup, designed to
ensure continuity during battery switches.
According to an Apple representative, use of the reset
switch (not the interrupt) will force an immediate power-off
to RAM, and a start-up with clean RAM.
2. Zenith MinisPort. Part of RAM can be configured as a non-
volatile RAM disk. A number of other machines have this
feature also. This shouldn't cause as much problem, since
people are used to permanent storage on disks and know that
it needs to be checked and purged. Extra RAM can also be
configured as EMS memory, probably also non-volatile.
3 Poqet pocket MS-DOS PC. Memory is powered all the time. Even
when the batteries are changed, a capacitor will keep the
system going for 10 to 15 minutes. The keyboard I/O "on/off"
switch merely puts the machine to sleep. There is a recessed
reset button which will purge RAM.
4 Toshiba portables. New portables, such as the T1000SE, have
an "auto-resume" feature to allow the computer to be turned
"off", including changing the battery, while RAM contents are
preserved.
5 Emerson Accucard. This is an IBM PC hardware card with its
own battery. It is designed to detect a power failure, and
save the state of the machine to disk before shutting down.
When I called both the company and their national distributor,
nobody could tell me whether there was any way to defeat this
system, such as cold booting from a floppy disk, without
physically removing the card. They promised to call back with
more information.
------------------------------
Date: Tue, 12 Dec 89 11:26:29 -0800
From: Alan_J_Roberts@cup.portal.com
Subject: Major Trojan Warning (PC)
This is an urgent forward from John McAfee:
A distribution diskette from a corporation calling itself
PC Cyborg has been widely distributed to major corporations and
PC user groups around the world and the diskette contains a
highly destructive trojan. The Chase Manhattan Bank and ICL
Computers were the first to report problems with the software.
All systems that ran the enclosed programs had all data on the
hard disks destroyed. Hundreds of systems were affected.
Other reports have come in from user groups, small businesses and
individuals with similar problems. The professionally prepared
documentation that comes with the diskette purports that the
software provides a data base of AIDS information. The flyer
heading reads - "AIDS Information - An Introductory Diskette".
The license agreement on the back of the same flyer reads:
"In case of breach of license, PC Cyborg Corporation reserves the
right to use program mechanisms to ensure termination of the use
of these programs. These program mechanisms will adversely
affect other program applications on microcomputers. You are
hereby advised of the most serious consequences of your failure
to abide by the terms of this license agreement."
Further in the license is the sentence: "Warning: Do not use
these programs unless you are prepared to pay for them".
If the software is installed using the included INSTALL program,
the first thing that the program does is print out an invoice
for the software. Then, whenever the system is re-booted, or
powered down and then re-booted from the hard disk, the system
self destructs.
Whoever has perpetrated this monstrosity has gone to a great deal
of time, and more expense, and they have clearly perpetrated the
largest single targeting of destructive code yet reported. The
mailings are professionally done, and the style of the mailing
labels indicate the lists were purchased from professional
mailing organizations. The estimated costs for printing,
diskette, label and mailing is over $3.00 per package. The
volume of reports imply that many thousands may have been mailed.
In addition, the British magazine "PC Business World" has
included a copy of the diskette with its most recent publication
- - another expensive avenue of distribution. The only indication
of who the perpetrator(s) may be is the address on the invoice to
which they ask that $378.00 be mailed:
PC Cyborg Corporation
P.O. Box 871744
Panama 7, Panama
Needless to say, a check for a registered PC Cyborg Corporation
in Panama turned up negative.
An additional note of interest in the license section reads:
"PC Cyborg Corporation does not authorize you to distribute or
use these programs in the United States of America. If you have
any doubt about your willingness or ability to meet the terms of
this license agreement or if you are not prepared to pay all
amounts due to PC Cyborg Corporation, then do not use these
programs".
John McAfee
------------------------------
Date: Tue, 12 Dec 89 18:17:04 -0800
From: Alan_J_Roberts@cup.portal.com
Subject: Update on AIDS Trojan (PC)
The following is a posting from John McAfee:
Early reports from people who have disassembled the AIDS
trojan that has been mailed to numerous European corporations indicate
that the trojan may be encrypting information on the disk rather than
destroying it outright. The results are the same without a decrypting
routine but the possibility is] now raised that the perpetrators do
have and may offer such a decryptor. The report from Chase Manhattan
Bank that the name and address in the Trojan are bogus may not be
correct. John Markoff of the New York Times has since stated that his
sources found a real corporation corresponding to the name and address
in the file. This raises some interesting questions which, I believe,
only time will answer. Whatever is happening, this much is known: The
trojan will make all data on the hard disk unusable; the change
happens suddenly; and no recovery is yet known. If you find or have a
copy of this diskette don't use it.
John McAfee
------------------------------
Date: Tue, 12 Dec 89 18:09:00 -0500
From: IA96000 <IA96@PACE.BITNET>
Subject: Yet Another EAGLE Appears (PC)
At 03:00 yesterday another version of EAGLE.EXE was discovered and
forwarded to SWE for analysis. Here are the results.
See back issues of VIRUS-L and/or VALERT-L for original symptoms.
This new version has changed slightly:
1) Contains Jerusalem-D virus. Active and spreads!
2) Seeks out and overwrites the following files and locations:
a) COMMAND.COM (ascii 246 used to overwrite)
b) BOTH FAT's (ascii 246 used to overwrite)
c) BOOT SECTOR (ascii 246 used to overwrite)
d) EAGLSCAN.EXE (string "F**K YOU" used to overwrite)
e) SCAN.EXE (string "F**K YOU" used to overwrite)
f) VIRUSCAN.EXE ( same as last two above used to overwrite)
3) There seems to be a built in timer. Once the file has been loaded
it remains dormant for twenty minutes. During this time the VIRUS
can be detected by SCAN.EXE if you use the /M switch. Once the timer
has run down, the trojan takes over and does its dirty deed.
4) Unlike previous versions, it DOES NOT matter if the disk is a
DOS system disk or not. If a file is not found, it just continues
on down the list. Previously COMMAND.COM had to be in the root to
trigger the trojan.
5) SWE reports that they feel this WAS NOT written by the same author(s)
as the first two versions. First, this new version appears to be
written in Pascal. Second, SCAN.EXE will identify the file. It has
not been encrypted or compressed like the previous versions.
Since SCAN.EXE will detect the virus, and since SWE is closing for their
vacation period, they feel there is NO rush to update EAGLSCAN at this
time. They said it will be done when they get back.
One important point needs to be repeated! SCAN.EXE will identify the
virus, in memory when you use the /M switch. It will also detect the
virus in a file. It has no way of knowing if the file also contains a
trojan (understandable, it wasn't designed to) so be wary if you
decide to experiment with this new version of EAGLE.EXE!!!!
Thanks to Harriman, New York for sending it for evaluation.
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253