home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.261
< prev
next >
Wrap
Text File
|
1995-01-03
|
22KB
|
497 lines
VIRUS-L Digest Monday, 18 Dec 1989 Volume 2 : Issue 261
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
re: 1813 Virus Info Needed (PC)
Aids disk information (PC)
Re AIDS disk (PC)
What does the WDEF virus do? (Mac)
Re: Update on AIDS Trojan (PC)
Disinfectant 1.5 (Mac)
WDEF found at University of Vermont (Mac)
AIDS TROJAN (PC)
Gatekeeper Aid 1.0 Released (Mac)
---------------------------------------------------------------------------
Date: 14 Dec 89 00:00:00 +0000
From: "David.M..Chess" <CHESS@YKTVMV.BITNET>
Subject: re: 1813 Virus Info Needed (PC)
The 1813 virus is the same virus that is commonly called "the
Jerusalem virus". It is the most widespread of a number that
activate on Friday the 13th, so it's sometimes called the
"Friday the 13th" virus. That's not a very good name, though,
since there's more than one virus that it fits. Stick with
"1813" or "Jerusalem"! *8) DC
------------------------------
Date: Thu, 14 Dec 89 11:14:39 +0000
From: Alan Jay <alanj@IBMPCUG.CO.UK>
Subject: AIDS disk information (PC)
The following, written by Alan Solomon, gives details of the AIDS
Information Disk sent out by PC-CYBORG and gives a method for
restoring your disk to its former state. Remember if you have not run
this disk DO NOT run it.
This information is believed to be correct BUT the program appears to be
very clever and therefore we suggest that you must be very careful in
carring out any of the followig instructions.
Alan Jay -- IBM PC User Group -- 01-863 1191
PRELIMINARY INFORMATION ON THE "AIDS" DISKETTE FROM PC
CYBORG CORPORATION.
This is bulletin number AS/3
You will probably have read in the press about the AIDS diskette, a
diskette that was mailed out to a great subscribers to PC Business
World (through absolutely no fault of the magazine's). This diskette
is a trojan - DO NOT RUN IT.
It is a diskette that was sent through the post, unsolicited, and
claiming to be a program that gave you useful information about the
AIDS disease. The accompanying licence was abit suspicious, so many
people didn't run it (it threatened to do dire things to your computer
if you didn't pay for the software).
We've done a preliminary analysis on it, and it works like this. If
you run the INSTALL program, it creates two subdirectories with
"impossible" names on the hard disk - one of these has a one-character
name, and that character is [Alt-255] (hexadecimal FF). In that
subdirectory , it puts a program called REM[Alt-255] .EXE. The
[Alt-255] character is invisible. It copies your AUTOEXEC to a file
called AUTO.BAT, and puts an Echo off and a REM statement in front.
It creates a new AUTOEXEC.BAT file, and makes it hidden and readonly.
In that AUTOEXEC, it does a "CD \[Alt255]" and then "REM[Alt-255]"
followed by a plausible-looking remark.
After you run the AUTOEXEC, and therefore the REM [Alt-255] program, a
number of times (we triggered it with 90, but this is only a
preliminary result, and it may be triggerable with fewer or more), the
damage routine is triggered. This would usually happen when the
machine has been booted that many times. A series of messages are put
up on the screen, aimed at persuading you not to switch off, and the
trojan then encrypts your directory and makes all the files hidden
except one called CYBORG.DOC.
If you then boot from the hard disk, it tells you that a software
licence has expired, and tells you to renew it - another request for
money. If you do a Ctrl-Alt-Del, it fakes a reboot, and pretends to
be running the Dos prompt - actually, a program is now running which
fakes Dos. If you do a DIR, it shows you the unencrypted filenames,
followed by a warning not to use the computer. it tells you that you
must renew the lease in the software. Any other command, it also
fakes a response to, and shows you the same message.
It also has a routine that could be called the SHARE routine. When
this runs, it tells you that you can have 30 more applications of the
program if you follow it's instructions. It tells you to put a blank
formatted floppy in drive A, and it then copies files onto it. Then
you are asked to put the diskette in another computer and type
A:SHARE. We're still pursing this path.
It may also do other damage - we're still investigating, but what
we've found so far is enough to make me want to issue an urgent
warning.
If you've already installed it, remove it. You can do this
temporarily by making the AUTOEXEC.BAT file (in the root directory)
read/write, and non-hidden, which you can do using one of a number of
utilities. Then delete the AUTOEXEC.BAT. This disables the trojan
lines that the install program put in. This APPEARS to deal with the
trojan, but since there is a lot of deep stuff going on, we would not
assume that it actually does fully deal with it.
Our recommendation at this point in time, is based on the fact that
this thing is doing some pretty deep work on the disk, and since it
contains a lot of code, it will be a long time before it is completely
understood. So as of now, our suggestion is:
First, switch off the computer, put a known CLEAN DOS diskette in
drive A, and switch on again. This makes sure that the trojan has no
control. Back up all your data files using a file-by-file backup.
Format the disk, reload all your executables from known clean
diskettes, and restore the data files. You should take two backups,
in case the first one fails to restore.
If you haven't installed it, don't and tell everyone else not to. The
police have been brought into this case; if you wish to make a formal
complaint to the Computer crime unit, please contact Detective
Sergeant Donovan on 01-725 2434. Also, contact him if you have any
useful information.
If you want more information about this trojan, it will be covered in
full in Virus Fax International - please call if you want to know more
about this.
Please note that the information has been got out quickly as possible,
and is therefore subject to change in the details.
ALAN SOLOMON
------------------------------
Date: Thu, 14 Dec 89 13:31:49 +0000
From: Martin Ward <martin@EASBY.DURHAM.AC.UK>
Subject: Re AIDS disk (PC)
I feel that I should point out that the effects of this disk are
entirely in accordance with the standard warrenty used by most
commercial software developers (the ones which disclaim that the
programs are fit for any purpose at all, that XXX will disclaims all
responsibility for any damage or loss caused etc.) Either these
warrenties are ILLEGAL or the perpetrators of this disk are entirely
within their legal rights to do what they have done. Does anyone (eg a
lawyer) know which is the case?
Martin.
My ARPANET address is: martin%EASBY.DUR.AC.UK@CUNYVM.CUNY.EDU
OR: martin%uk.ac.dur.easby@nfsnet-relay.ac.uk UUCP:...!mcvax!ukc!easby!martin
JANET: martin@uk.ac.dur.easby BITNET: martin%dur.easby@ac.uk
------------------------------
Date: Thu, 14 Dec 89 10:05:36 -0500
From: Jeff_Spitulnik@um.cc.umich.edu
Subject: What does the WDEF virus do? (Mac)
I just discovered that a scribes disk (one that is used by many different
typists at different times to compile class notes) that crashed was
infected with the WDEF virus. The Mac SE FDHD that I am using now had
trouble reading the disk and MacTools confirmed that there were many
damaged blocks. After using Symantec's utilities to recover the files on
the disk, including the desktop, I checked to see if the file had the WDEF
virus. It did.
I reformatted the scribe disk with no problems and verified that it was ok
after the reformatting. Did it crash because of WDEF? What's the latest
on what WDEF does?
Thanks!
--Jeff
------------------------------
Date: Thu, 14 Dec 89 18:02:03 +0000
From: Matthew Moore <teexmmo@isis.educ.lon.ac.uk>
Subject: Re: Update on AIDS Trojan (PC)
This afternoon I was one of a small team which successfully tracked
down the method of invocation of the Aids trojan, on a pc clone which
was infected, but not devastated.
Definition : <255> = the ascii character 255 , aka hex FF
The program is called: rem<255>.exe
(ie 4 char filename which shows as 3)
It resides in a hidden directory called: \<255>
(ie a 1 char filename)
It is invoked by two lines in the autoexec.bat file :-
cd \<255> (which if course usually looks like : cd \ )
rem<255> some statement (which looks like : rem some statement)
There two additional features worth noting:-
i) there is another root level hidden directory, also using a nonprintable
character (I dont know which), containing further hidden subdirectories
to four levels down, and at the bottom are files which appear to contain
data from elsewhere on the disk, and sundry other info.
ii) there is a red herring in the autoexec.bat file.
Underneath the two statements listed above, the line 'auto.bat'
followed by an EOF (^Z).
The file \auto.bat contains the original autoexec.bat
Presumably, it would be stopped by removing or renaming \<255>\rem<255>.exe
and reverting to a clean auotexec.bat .
(Corrections to this presumption welcome!)
- --
mjm@cu.neur.lon.ac.uk | Post: Computing & Statistics Unit
JANET : mjm@uk.ac.lon.neur.cu | Institute of Neurology
INTERNET: try mjm%cu.neur.lon.ac.uk | Queen Square, London, WC1
Phone : 01-837-5141 | London WC1 3BG
------------------------------
Date: Thu, 14 Dec 89 16:20:56 -0500
From: jln@acns.nwu.edu
Subject: Disinfectant 1.5 (Mac)
Disinfectant 1.5
================
December 14, 1989
Disinfectant 1.5 is a new release of our free Macintosh virus
detection and repair utility.
Shortly after the release of version 1.4, a new strain of the WDEF
virus was discovered. Version 1.5 has been configured to recognize
the new strain. Version 1.5 also contains code to detect and repair
other strains of WDEF which may exist but have not yet been reported.
Disinfectant 1.5 is available now via anonymous FTP from site
acns.nwu.edu [129.105.49.1]. It will also be available soon on
sumex-aim, comp.binaries.mac, ComuServe, Genie, Delphi, BIX, MacNet,
America Online, Calvacom, and other popular sources for free and
shareware software.
The following text is extracted from the new section on WDEF in
Disinfectant's online document. It describes what we know to date
about this new virus. The description has been expanded to include
new information that has recently become available.
The WDEF virus was first discovered in December, 1989 in Belgium
and in one of our labs at Northwestern University. Since the
initial discovery, it has also been reported at many other
locations throughout the United States, so we fear that it is
widespread. We have reason to believe that the virus has been in
existence since at least mid-October of 1989. We know of two
strains, which we call "WDEF A" and "WDEF B."
WDEF only infects the invisible "Desktop" files used by the
Finder. With a few exceptions, every Macintosh disk (hard drives
and floppies) contains one of these files. WDEF does not infect
applications, document files, or other system files. Unlike the
other viruses, it is not spread through the sharing of
applications, but rather through the sharing and distribution of
disks, usually floppy disks.
WDEF may have been introduced initially via a Trojan Horse
application, in a fashion similar to the way the MacMag virus was
first introduced via a Trojan Horse HyperCard stack. We do not yet
know if this is indeed the case, and we may never know.
WDEF spreads from disk to disk very rapidly. It is not necessary
to run a program for the virus to spread.
The WDEF A and WDEF B strains are very similar. The only
significant difference is that WDEF B beeps every time it infects
a new Desktop file, while WDEF A does not beep.
Although the virus does not intentionally try to do any damage,
WDEF contains bugs which can cause very serious problems. We have
received reports of the following problems:
* The virus causes both the Mac IIci and the portable to crash.
* Under some circumstances the virus can cause severe performance
problems on AppleTalk networks with AppleShare servers.
* Many people have reported frequent crashes when trying to save
files in applications under MultiFinder.
* The virus causes problems with the proper display of font styles
(the outline style in particular).
* We have two reports that the virus can damage disks.
* We have a report that the virus causes Macs with 8 megabytes of
memory to crash.
* We have a report that the virus is incompatible with the
"Virtual" INIT from Connectix.
Even though AppleShare servers do not use the normal Finder
Desktop file, many servers have an unused copy of this file
anyway. If the AppleShare administrator has granted the "make
changes" privilege to the root directory on the server, then any
infected user of the server can infect the Desktop file on the
server. This is one of the situations which can lead to the severe
performance problems mentioned above. For this reason,
administrators should never grant the "make changes" privilege on
server root directories. We also recommend deleting the Desktop
file if it exists. It does not appear that the virus can spread
from an AppleShare server to other Macs on the network, however.
When using Disinfectant to repair WDEF infections, you must use
Finder instead of MultiFinder. Under MultiFinder the Desktop files
are always "busy," and Disinfectant is not able to repair them. If
you try to repair using MultiFinder, you will get an error
message.
Unfortunately, when the WDEF virus first appeared, none of the
current versions of the most popular virus prevention tools were
able to detect or prevent WDEF infections. This includes Vaccine
1.0.1, GateKeeper 1.1.1, Symantec's SAM Intercept 1.10, and HJC's
Virex INIT 1.12.
Chris Johnson, the author of Gatekeeper, has released "GateKeeper
Aid," a free system startup document (INIT) that detects and
automatically removes WDEF infections and notifies the user of the
infection. GateKeeper Aid can be used together with GateKeeper or
together with Vaccine to provide protection against WDEF.
New versions of the commercial tools should also be released soon,
and we expect that at least one other free protection tool will
also be available soon.
It is very important that all Mac users obtain and install
GateKeeper Aid or some other WDEF protection tool. You can use
Disinfectant to remove an existing infection, but if you do not
install a protection tool you may very likely become infected
again.
In addition to the two known strains of the WDEF virus,
Disinfectant will also detect and repair other strains which may
exist but have not yet been reported. If an unknown strain is
detected, Disinfectant places the following message in the report:
### File infected by an unknown strain of WDEF
If you see this message, and if you have not already repaired the
file, we would appreciate it if you would send a copy to the
author. The author's addresses are at the end of this document.
You may need the assistance of an expert, since the Desktop files
that are infected by the WDEF virus are normally invisible. You
should use ResEdit or some other file editing tool to make the
file visible, then make a copy to send to us, then use the same
tool to make the original file invisible again, and use
Disinfectant to repair it. Send the copy to the author, then
delete the copy.
Please do not worry if you are not comfortable with these
instructions and you do not have access to an expert. Go ahead and
repair the infected file. It is more important that you rid your
system of the virus than it is for us to get a copy of the unknown
strain.
This version of Disinfectant is being released only one week after
the discovery of the WDEF virus. We do not yet understand it as
thoroughly as we do the other older viruses. We have disassembled
it completely, and we understand the basic replication mechanism.
We know that it can cause serious problems, and we know why it
causes some of the problems. Research into the behavior and
adverse effects of this virus will continue for some time.
You should keep in touch with your local Mac user group or
bulletin board for more information about this new virus as it
becomes available. Commercial online services like CompuServe and
Genie and the Macintosh trade press publications like MacWeek are
also good sources of information.
When the WDEF virus was first discovered, the authors of most of
the popular virus-fighting programs and other experts immediately
began working together to analyze and test the virus. The
information presented here is a compilation of our joint
discoveries. The author would like to thank everybody who helped
in the investigation. Particular thanks to Chris Johnson
(GateKeeper), Jeff Shulman (VirusDetective), Paul Cozza (SAM),
Robert Woodhead (Virex), Dave Platt, Werner Uhrig, and the Apple
Virus Rx team. Thanks also to the many Mac users who sent reports
of WDEF sightings and problems caused by the virus.
John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208
Bitnet: jln@nuacc
Internet: jln@acns.nwu.edu
CompuServe: 76666,573
AppleLink: A0173
------------------------------
Date: Thu, 14 Dec 89 17:31:10 -0500
From: Lynne Meeks <LZM@UVMVM.BITNET>
Subject: WDEF found at University of Vermont (Mac)
We discovered we have at least one Mac with the WDEF virus. The most
likely source is a disk brought here from Dartmouth by a student.
although there is another (unknown) potential source. The virus was
discovered (and successfully removed) by Virus Detective 3.1 which we
were trying out. We did not have any indication we had a virus. Guess
this one travels fast...
------------------------------
Date: Thu, 14 Dec 89 19:08:00 -0500
From: IA96000 <IA96@PACE.BITNET>
Subject: AIDS TROJAN (PC)
The AIDS trojan does bring up some interesting questions. Political
issues aside for a second, what makes anyone think that the company or
individuals behind this are in Panama?
Just because the mail goes to Panama does not mean a thing. There
are also more lax regulations (I would assume) about renting post
office boxes outside of the United States.
Has anyone considered that this might be work of the people who
introduced BRAIN to the world? Other than the address, it might
well be the same culprits.
Rather than worry about who did it, perhaps it would be a better
idea to figure out what to do about? After all the potential for
damage is quite high, and little seems to be know about what is
happening, so far.
------------------------------
Date: 14 Dec 89 23:32:14 +0000
From: emx.utexas.edu!ut-emx!chrisj@cs.utexas.edu (Chris Johnson)
Subject: Gatekeeper Aid 1.0 Released (Mac)
Gatekeeper Aid 1.0 of 13-Dec-89
by Chris Johnson (c) 1989
Gatekeeper Aid is a supplement to version 1.1.1 of the Gatekeeper
Anti-Virus System. Gatekeeper Aid is a new component designed to
locate and remove the WDEF viruses that have recently appeared
and which are not hindered by Gatekeeper's existing security
system. Gatekeeper Aid also checks for possible future variants
of WDEF.
Gatekeeper Aid automatically checks files as they are used for
the presence of specific viruses and, if viruses are found, it
removes them. Like Gatekeeper, Gatekeeper Aid runs continuously
without the attention (and usually without the awareness) of the
user.
Unlike Gatekeeper, Gatekeeper Aid requires no configuration by
the user -- it's objectives are specific enough that there's
simply no need for configuration at this point.
Although Gatekeeper Aid is designed to supplement Gatekeeper,
it does not require that Gatekeeper be present in order to
operate.
Gatekeeper Aid has been posted to comp.binaries.mac, and is
immediately available for anonymous ftp from ix1.cc.texas.edu
and ix2.cc.utexas.edu. You'll find it (and Disinfectant 1.5)
in the ~microlib/mac/virus directory.
The IP addresses of ix1 and ix2 are, respectively, 128.83.1.21
and 128.83.1.29.
Gatekeeper Aid will should be available from sumex and simtel
in the near future.
Cheers,
- ----Chris Johnson
- ----Author of Gatekeeper
- ----chrisj@emx.utexas.edu
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253