home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.30
< prev
next >
Wrap
Text File
|
1995-01-03
|
25KB
|
523 lines
VIRUS-L Digest Monday, 30 Jan 1989 Volume 2 : Issue 30
Today's Topics:
re: checksum protection
Virus Terminology
A detailed description of the INIT 29 Macintosh Virus (Mac)
Apple Viruses? (NOT Mac)
FRG Nazi virus? Huh?
---------------------------------------------------------------------------
Date: 27 January 1989, 13:27:00 EST
From: David M. Chess <CHESS@YKTVMV.BITNET>
Subject: re: checksum protection
Don Alvarez <boomer@space.mit.edu> writes:
> Checksums are good for checking the integrity of data if you have
> reason to believe that it has been corrupted (ie did I just download a
> bogus copy of VirusRX off the network). They are not a good way to
> handle everyday protection against viruses...
because, basically, it takes too long to run the checksum checks.
That's a matter of personal taste, I suppose. I run a checksum
program that takes about ten minutes, every couple of days. Of
course, if it really wasted ten minutes of *my* time, it wouldn't be
worth it. But I always have ten minutes of stuff to do that doesn't
require the computer (reading journals, eating lunch, etc), and who
cares if I waste the *computer's* time? With multi-tasking operating
systems becoming the norm, it'll be even less of a concern; just start
the checker running in the background with a low priority.
If checksums (and related modification-detection schemes) aren't a
good way to handle everyday protection against viruses, what is? The
only alternatives seem to be to check for the N viruses that you
happen to have heard of (you'll still get bitten by virus N+1), or to
hope somebody else gets bitten by a new virus before you do, so you'll
be told about it. Neither very satisfying!
The bit about rebooting the machine from a trusted floppy before
running the check is, of course, more of a pain than I'm willing to go
to. I was just using it as an extreme example to argue against some
claims that, for theoretical reasons, undefeatable checking is
impossible. I hope that future operating systems and technology will
make possible undefeatable checking that *is* human-useable. May not
be soon, of course, but I just wanted to suggest that it was
theoretically possible.
DC
P.S.
> How am I going to know what the checksum for each of them should be?
> Keep a list of checksums on my disk?
Yes, of course. On the same disk that the checker program is on.
Sorry I didn't make that clear. The checksums that are stored are
just the ones the checker found last time. The checker doesn't tell
you "this program is/isn't clean", just "this program is/isn't the
same as it looked last time I saw it". Imperfect, perhaps, but I
haven't thought of anything really better...
------------------------------
Date: Fri, 27 Jan 89 11:32:46 PLT
From: Joshua Yeidel <YEIDEL@WSUVM1.BITNET>
Subject: Virus Terminology
In Virus-L V2 #28, Danny Schwendener writes:
< The 'INIT 29" virus is not a mutation of nVIR, even if it is very
< similar. Its sole purpose is to replicate itself. Other than that, it
< causes no harm to the system. However, it will copy itself to *every*
< resource fork that has been opened by the System, an application or a
< utility (CDEV, DA, etc). I'd classify it as extremely virulent.
This is not a flame, but just an attempt to clarify our terminology.
My "American Heritage" Dictionary defines "virulent" as "extremely
poiosonous or pathogenic". I think we should reserve that word for
viruses, worms, Torjan horses, and other slime ("virus" in Latin)
which have known malignant effects. In my opinion, the correct term
for INIT 29 is "extremely contagious", since it spreads through so
many mechanisms and so many infection sites (filetypes).
This may seem like a very small point of diction, but it is very
important to use accurate terms and avoid giving misimpressions when
conveying virus information to large numbers of people. More damage
at our site has been caused by virus panic than by the malignant
effects of all viruses together.
By the same token, I would recommend against describing any virus as
"benign". There is no way of ensuring that a virus will do no harm in
any hardware/system/application setting it might infect. This is
especially true since copies of a virus have no way of being updated
to reflect system software updates. The "benign" virus of today might
become a "bomber" tomorrow. In this sense (at least), every virus is
a threat.
- - -- - -- - -- - -- - -- - -- - -- - -- - -- - -- - -- - -- - -- - -- -
Joshua Yeidel YEIDEL@WSUVM1.BITNET
Academic Computing Services YEIDEL@WSUVMS1.WSU.EDU
Washington State University (509) 335-0441
Pullman, WA 99164-1220
DISCLAIMER: I'm speaking solely for myself here, not Washington State U.
- -- - -- - -- - -- - -- - -- - -- - -- - -- - -- - -- - -- - -- - -- - --
------------------------------
Date: Fri, 27 Jan 89 16:31 EST
From: DEC P/N 90-09203-00, for all your baking needs. <JEN@VTCS1>
Subject: A detailed description of the INIT 29 Macintosh Virus (Mac)
Here's a detailed analysis of the INIT 29 Macintosh Virus from Thomas
Bond.
- -Jeff E. Nelson
- -Virginia Polytechnic Institute and State University
- -INTERNET: jen@vtcs1.cs.vt.edu
- -BITNET: jen@vtcs1.bitnet
begin forwarded message------------------------------------------------
0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
THE ELEVENTH WORD:
0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
An Investigation Into the 712-byte RINIT 29S Macintosh Virus
by Thomas Bond, Mac Consultant
11684 Ventura Blvd., #932 % Studio City, CA 91604
818-843-0567
(C) 1989 by Thomas Bond. Permission is hereby granted to distribute in whole
part by any means, whether in print or electronic, as long as the name,
address and phone of the author remain unchanged. Publications may quote
parts for use in education on computer virus problems.
Code 0
/
Virus Segment
\
Application Segments
/
????????
ACKNOWLEDGEMENTS: This research could not have been completed without
the very valuable help received from Q Tom Pitts, Robert Wright and
David Lagerson of the MacValley Macintosh Users Group, Mark Weems of
Kinko's Studio City store, Ken Cary of PaperWorks in Burbank, Joe
Niewe of California State University, Northridge, and many others who
gave up their time and advice.
[MacValley membership is $30.00 per year, and provides access to the
PD Library with 1000's of freeware and shareware programs, official
releases of Apple System software, association with over 700 Mac
users, and special presentations from software companies, covering new
programs and developments in the industry. For membership info, call
Bob Campbell, 818-784-2666.]
BACKGROUND:
This report is being prepared on January 17, 1989, for distribution
at the monthly meeting of MacValley Macintosh Users Group in Burbank,
California. It contains the most recent information available to the
author at this time: How the new RINIT 29S 712 byte virus acts, how to
detect it, how to prevent it, and how to repair the damage it may do,
at least in the early stages of its infection. Those who need
immediate help because they know or strongly suspect that their disks
or hard disk(s) are infected, please turn to the section below labeled
FOR EMERGENCY ACTION. Others may benefit from a more deliberate
reading of this paper, learning how these kinds of viruses work and
what to do about them.
The author, Thomas Bond, is a Mac Consultant working primarily in
desktop publishing and graphics, for various companies in the San
Fernando Valley and Greater Los Angeles area. He is available for
professional consultations regarding this or other Macintosh
applications and problems by calling the number above, 24 hours.
Late in December, 1988, one of my clients, the Kinko's Copy Center at
Fulton Boulevard & Burbank Boulevards in Van Nuys, reported an unusual
problem: It's three rental computers, all with hard disks attached,
were rejecting all locked disks inserted into them. After unlocking
and reinserting the disks, documents would open normally. Sometimes
documents created with several programs such as PageMaker 3.0,
MacWrite 5.01, Ready,Set,Go! 4.0a, Microsoft Word 3.02, Aldus Freehand
2.0, Adobe Illustrator 88, and others, would fail to print. The
report from the program was either that Rthis document failed to
printS or in some cases there would be a bomb, or no report at all,
simply a failure to print. On occasion, the hard disk would fail to
boot properly.
Checks with Apple's Virus Rx 1.3 & later Virus Rx 1.4 showed only that
almost all applications, the System and Finder (v. 6.0.2) were
damaged. Replacement of the damaged programs and system files was
performed repeatedly over a week's period. In the meanwhile, hundreds
of customers used the machines and infected their diskettes. In
between my own efforts, employees of the store often replaced the
system files and applications themselves, in an effort to fix the
problem. The hard disks were initialized several times over several
days. Never-the-less, the infection reappeared immediately each time,
soon after it began to be used.
A few days later, similar problems began to be reported at the Kinko's
Studio City store, on Ventura Boulevard near Laurel Canyon. The same
procedures were followed at that store. Some of the same well-meaning
but uninformed employees tried to solve the problem. In spite of the
best efforts of several staff members and my own frequent visits, the
equipment failed to print roughly half the time. Each store was
losing 100's of dollars due to the problem, adding to $1000's.
On Tuesday, January 3, I began to seriously and scientifically
investigate the nature of the problem. Careful poking around in the
files with ResEdit 1.2b2 had already revealed no infestation of either
Scores or nVIR, with which we were sadly very familiar and expert at
handling.
Using ResEdit, I opened up a RcleanS and RdirtyS copy of Teach Text.
The infected copy was exactly 728 bytes larger than the clean one.
The CODE resource list showed ID's 0 thru 3 in the infected copy, and
0 thru 2 in the clean copy. The new resource, ID number 3, was
exactly 712 bytes. The CODE resource numbered 0 was exactly 16 bytes
bigger in the dirty copy than the clean copy.
I became very, very concerned about the problem, as I found by using
the Virus Detective* desk accessory to search for 712 byte CODE and
INIT resources that there was also an INIT ID 29 installed in most
documents, other INIT files such as Pyro* & Suitcase II, the System of
course, the Desktop file, and all font and DA suitcase files, as well
as font printer drivers such as the LaserWriter driver, and Adobe
printer fonts. Some applications such as PageMaker, Freehand and
Illustrator, had literally dozens of extra 712-byte CODE resources
added. They grew bigger on each startup and during each boot, whether
started up or not.
HOW RINIT 29S WORKS:
After some 57 hours of research and virus fighting labor at Kinko's 2
infected local stores, I have determined the following:
1. The INIT 29 Virus will not accept locked disks after it has been
fully activated on an infected system. This is the easiest way to
find out if you are fully infected. However, since this symptom does
not occur immediately, you will also need to make further checks.
2. The virus first invades the Desktop file of a disk when a program
is copied onto it, inserting the 712 byte INIT ID 29 resource into it.
(Alternately, the INIT is added to a system file if an infected
application is started up, even without being copied to the disk.)
3. On the next boot, the INIT is added to the System from the desktop
file (or elsewhere, perhaps), and to every application (as a new code
resource numbered one higher than the existing resource ID, and
adjusted CODE ID 0 resource) that is used during that work session,
and to most documents created by the infected applications during the
session.
4. During the very next boot, the infected System will insert the
INIT or CODE resources into every targeted file on the hard disk (or
diskette), including:
% The actual Desktop file of the operative system disk (hard
disk or not)
% INITs such as Suitcase II, Pyro*, etc.
% CDEVs, RDEVs, and other system folder files
% All applications and programs containing CODE resources,
with Illustrator 88, Freehand 2.0 and PageMaker 3.0 getting
(2) new 712 byte resources per each use or boot. Others
seem to stay content to keep only one extra CODE resource.
% Most document files, including those created by MS Word,
MacWrite, Ready,Set,Go!, PageMaker, Illustrator, Freehand,
and MS Works. Oddly, MacPaint files seemed to be free of
the INIT.
% All Rscreen fontS files (whether for imagewriter or
laserwriter, new or old versions), all Desk Accessory files,
new or old, all LaserWriter printer drivers, including those
used by Cassidy, Adobe and Apple fonts, Laser Prep and Aldus
Prep files, etc.
5. During invasion of an application, the INIT 29 Virus makes itself
a vital part of the application, by changing the applications
"jump-table" or CODE ID = 0 resource to list it as the FIRST SEGMENT
TO BE RUN ON LAUNCH. The address of the next segment of CODE to be
run is copied from the jump table into the virus itself. This means
that removing the virus will kill the application (very much like some
protoplasmic viruses). The title of this report is taken from the
address of the order to run first, namely the eleventh word of the
jump table, which is changed to read the new address of the virus
instead of the first segment of the original program CODE. It is this
word that is changed by most Mac viruses, at least so far, to ensure
that they are run before any other, possibly anti-viral, instructions.
SYMPTOMS OF THE INFECTION INCLUDE:
% After the infected system is rebooted with the INIT running,
it will not accept locked disks. It provides the alert saying that
the disk suffers from minor damage and asks to repair it. You say OK
and then it ejects the disk saying, of course, that the Desktop file
could not be rebuilt on it.
% After the infection is mature, often several days old, it
begins to interrupt printing and cause documents to fail to print.
This has especially been noticed with MacWrite, MS Word, PageMaker,
Illustrator and Ready,Set,Go! This seems to be an intermittent
problem, and can sometimes express itself very soon after infection.
{Apple's own Virus Information Report says this is most likely due to
the Vertical Screen Blanking Interval being used by the virus to do
its work, and the work cycle of the virus running too long and
interfering with the printing tasks.}
% Also after a mature infection of several days, the system
seems to of ten fail to boot from the infected disk, giving a System
Error ID 02. {Robert Wright tells me that that this is due to the
Virus trying to use parts of the system which have not yet loaded into
RAM.}
FOR EMERGENCY ACTION:
% Don't rely entirely on Vaccine 1.01 from CE Software, or
Apple's own VirusRX 1.4a2, or any other currently available program
other than Virus Detective* DA, version 2.0 (1.2 will do, but is not
as flexible, and will sometimes give false reports of removing locked
or protected viral resources).
% You will need to type 3 new lines of search instructions
into Virus Detective* 1.2: INIT ID 29, INIT Size 712, CODE Size 712.
(Virus Detective* 2.0 comes setup for several viruses including INIT
29 already.) So far, the only two programs I have found with
legitimate CODE resources of 712 bytes are the fun PD programs
Biorhythm and Geographic. Others you may find are most likely
infected and need to be removed from your hard disk.
NOTE: Simply removing the INIT is good enough from the
infected non-application files, but applications will bomb if they are
restarted after only removing the 712 byte CODE sections. Their
jump-table, or CODE ID = 0 resource has been re-written by the virus
to look for the VirusUs own CODE segment. Since the segment will no
longer be there after you remove it, the System will crash with a
System Error ID 15 {Robert Wright tells me this is a "segment loader"
failure}. If you know how to use ResEdit, you can replace words 9,
10, 11 and 12 in Code Segment 0 with words 16, 17, 18 and 19 of the
top-most viral code segment. Then remove the viral code segment(s) by
RclearingS them. Remember that many applications may have received
many, many segments of the 712 byte viral code. The newest segment,
or highest numbered one, will be the one containing the proper words
for copying back into the code 0 segment. Be certain to removed all
viral segments. If you are not willing or able to re-write the code
using ResEdit as described here, rely on your original master disk
(which should always, of course, be kept locked), and simply replace
the damaged copy with another clean one.
% Be sure that you do not miss a single infected file,
especially the Desktop, System, Finder or INITs, CDEVs, or RDEVs.
Also, check ALL your diskettes. They can be infected, even if no
programs have been copied from them or to them. Simple insertion into
an infected hard disk computer set-up infects them. You can then run
your system again.
% The Virus Detective* 1.2 desk accessory will not remove
certain INIT ID 29 resources from documents and other files, since
they are locked or protected by the virus. Sometimes it claims to
have removed the infections EVEN THOUGH IT HAS NOT DONE SO, and
sometimes it tells you it actually failed. Don't trust it completely.
(Version 2.0 of the DA may do this job better, and comes fixed to look
for Peace, Scores, nVIR, hPAT, and INIT 29.) Go into ResEdit and
check all questionable files and clear out the locked INIT ID 29s. To
encourage great Mac-ers like the author of this program, Jeffry
Shulman, be sure to send him his money Q $ 20.00 is a bargain! His
address is Q P.O. Box 521, Ridgefield, CT 06877-0521.
I understand from talking with people in the LAMG and elsewhere that
this virus is as yet not well known around LA. However, rumors of the
virus have cropped up, evidently occurring some weeks ago in the Simi
Valley. Members of the Canejo-Ventura area Mac Users Group reported a
new virus which added INIT ID 29 to various applications on hard
disks. As far as I know, no application has yet been written by their
group to repair jump tables of infected applications. Of course, this
report is posted on several local BBS units and 100 copies were given
away at the January MacValley meeting to interested members.
Communication is also being performed with other regional BBS units
and interested parties in an effort to fight the growing epidemic of
INIT 29 and its associated problems.
FUTURE EFFORTS:
We are now working on efforts to automatically detect the infection of
the INIT 29 Virus and to prevent its operation. MacValley members
should expect to receive further information by the next meeting, in
February. Other efforts are being made to provide a program that will
automatically repair infected documents, files, and applications.
Until such programs are available, you would be advised to avoid using
public service bureau computers for laser printing or otherwise
WITHOUT FIRST LOCKING YOUR DISKETTES, then copying the data onto their
hard disks for revision or printing. If your locked disk is rejected,
DO NOT UNLOCK IT. You may unlock it, and try to copy it, print it and
or revise it on their hard disk. DO NOT RECOPY THE REVISED VERSION OF
YOUR FILE TO YOUR DISK unless you are willing to accept the
consequences of an infection at home. NOTE: Some document files after
infection fail to copy, due apparently to their "protect" bit being
set by the virus. This is the cause of much frustration at such
service bureaus.
FURTHER REPORTS OF INFECTIONS,
NEW VIRUS SYMPTOMS, ETC.:
Any further information, elaboration on the symptoms, or other virus
reports would be appreciated . Call Thomas Bond at 818-843-0567, or
David Lagerson, MacValley President, at 818-882-4467.
end forwarded message-------------------------------------------------
------------------------------
Date: Sat, 28 Jan 89 09:59:55 EST
From: "John P. McNeely" <JMCNEELY@UTCVM.BITNET>
Subject: Apple Viruses? (NOT Mac)
Does anyone know of ANY virus that infects Apple computers? It
seems that all of the virus attacks you hear about affect PCs or MACs.
There is certainly a substantial amount of Apples being used,
especially in schools. Why have they not become a popular target for
viruses?
Anyone ?
John P. McNeely
BITNET ADDRESS: JMCNEELY@UTCVM.BITNET
[Ed. I assume that you mean the Apple ][ series...]
------------------------------
Date: Sat, 28 Jan 89 15:43 EST
From: Dimitri Vulis <DLV@CUNYVMS1.BITNET>
Subject: FRG Nazi virus? Huh?
>From Newsweek, Jan 23, 1989, p. 32:
Nazi Software: The Ultimate Virus
West Germany has given new meaning to the term computer virus:
infecting the electronic bulletin boards of the Federal Republic are a
growing number of neo-Nazi computer games. They bear names like
``Aryan test'', and ``Concentration Camp Manager''. Players of
``Cleaning Up Germany'' score points by killing Jews, Turks,
homosexuals and environmentalists to the strains of ``Deutschland
\"uber Alles''. The ``Anti-Turks Test'' features the digitized voice
of Nazi propaganda minister Joseph G\"obbels.
Though illegal in West Germany, the game disks are swapped in
schoolyards and circulated though computer networks, making
interdiction nearly impossible. The authorities know of at least 20
games---but don't know who's designing them. Last year a raid on
apartments of suspected neo-Nazis netted copies of some of the games,
but no proof they were produced on site. By the end of 1987, about 11
percent of German households has a personal computer, and, warns
Jurgen Lindenau of the Office for Youth Protection, ``One should
assume that just about every youngster who owns a computer and uses it
for playing games has come across the Nazi software sooner or later''.
The hope is the games are too crude for anything beyond brief
curiosity.
There's also a photo (captioned `Aryan Test') of an (apparently C64)
screen showing assorted swastikas and magen Davids and the text:
ARIERTEST (Arian test)
ARIER ODER JUDE? (Arian or Jew?)
DAS IST RIER DIE FRAGE (That is the question)
(C) 1986 BY ADOLF HITLER SOFTWARE LTD.
- ----
I must note that I find the idea of government censorship applied to
the contents of computer games much more (disgusting, abhorrent,
sickening) than the (disgusting, abhorrent, sickening) Nazi
propaganda. If those Germans had any brains, they would leave these
sickos alone, instead of encouraging them with the free publicity.
Perhaps this is what they have in mind?
>From what I understand/heard before, we're just talking about
programs being up/downloaded, to/from BBSs, not programs that infect
other programs with Nazi messages. The article quoted above has
nothing to do with viruses, except the headline. The author's/editor's
stupidity and ignorance do not surprise me the least bit after the
``360 concentric circles of data'' (360K / 40 tracks confusion) in the
Time article last fall. It seems however that the media (read:
J-school morons) has now appropriated the term ``computer virus'' and
uses it to designate ``any buggy, malicious, destructive or offensive
program''. Perhaps we should start looking for another term to
designate ``a program that can `infect' other programs by modifying
them to include a possibly evolved copy of itself''. (This seems
silly; but after 10 years I've stopped applying the term ``hacker'' to
myself for similar reasons.)
Any comments or suggestions?
P.S. Our VAX has apparently been trashing mail lately. I will comment
on the last 2 week's worth of this digest after I get it from a
server.
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253