VIRUS-L Digest Monday, 11 Jun 1990 Volume 3 : Issue 111
Today's Topics:
Re: removing Stoned from harddisks (PC)
re: Brain (PC)
re: Possible virus or trojan (Mac)? Help!!!
Re: Possible virus or trojan (Mac)? Help!!!
Re: Creation of New Viruses to Sell Product
RE: Documented mainframe viral attacks
Re: removing Stoned from harddisks (PC)
Re: First jailed UK computer h
Re: New Virus (PC)
Soviet Virus Questions
Re: 1451 virus in Yugoslavia (PC)
First generation samples (PC)
Re: Possible virus (PC)
Military use of computer viruses
F-PROT version 1.10 (PC)
Ping-Pong Ball Virus (PC)
Citation request - "What Do You Feed A Trojan Horse"
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
---------------------------------------------------------------------------
Date: 08 Jun 90 12:37:27 -0400
From: "David.M.Chess" <CHESS@YKTVMV.BITNET>
Subject: Re: removing Stoned from harddisks (PC)
> he said that the tech from the disk company claimed
> that Stoned actually does destroy the media permanently.
The Stoned virus that I've seen does nothing special that would
tend to destroy media; it just does normal reads and writes
via the BIOS INT13 interface. It is of course possible that
there are Stoned variants out there that do nastier things, or
hardware that can be permanently damaged as an indirect result
of (for instance) having a bad partition table written on it,
but I've seen no convincing evidence of either...
DC
------------------------------
Date: 08 Jun 90 12:48:47 -0400
From: "David.M.Chess" <CHESS@YKTVMV.BITNET>
Subject: re: Brain (PC)
> How does one outsmart the pakistani brain virus. I have found it on
> several of my disks some of which I don't have working backups for.
If you have the usual "Brain" virus on some diskettes, you can
just copy the data off of them onto clean diskettes (using COPY,
*not* DISKCOPY), and reformat them. Be very careful, of course,
to do this in a machine in which the virus is *not* currently active!
DC
------------------------------
Date: Fri, 08 Jun 90 14:32:40 -0400
From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
Subject: re: Possible virus or trojan (Mac)? Help!!!
> b. Suddenly icons can't find their applications
> c. Applications are increasingly unable to open data files or
> find them
This sounds like a corrupted Desktop. Try rebuilding it.
> d. The parameters of applications like Versaterm are unaccountably
> changing themselves i.e. the baud rate changes itself or the
> Kermit parameters change for no known reason
> e. The options of the System and Desktop are unaccountably changing
> themselves i.e. the sound bar is turned up without anyone having
> done it.
These symptoms sound like a damaged System file at the least, possibly
some of the other files in the System folder are damaged too. You may
also need to replace your battery.
> f. There are more system bombs, and other disk and ram error messages
> than I've ever seen before in two years of working with Macs.
This sounds like real hardware trouble. Maybe. Try the other stuff I
mentioned first. If the person taking the software was using an old
version of the System file (i.e., booted from a floppy), it's remotely
possible that may have done it.
--- Joe M.
------------------------------
Date: 08 Jun 90 13:35:44 +0000
From: vaxb.acs.unt.edu!ac08@cs.utexas.edu (C. Irby)
Subject: Re: Possible virus or trojan (Mac)? Help!!!
mitchell@crcc.uh.edu writes:
> I've got a strange Mac problem and need help. Monday night, one
> of my colleagues allowed a friend in to the office to steal Mac software
> (using his old Mac disks, of course). After the appropriate cussing-out
> and running-off, the machine in question (Mac SE, 20Mb hard disk, System
> 6.0.3) started acting funny. Symptoms:
Before you do that- have you tried to reinstall the System software?
If your friend accidentally trashed a file or two, that could be the
easy fix...
Viruses? Maybe, but who knows...?
C Irby
------------------------------
Date: 08 Jun 90 13:40:53 +0000
From: vaxb.acs.unt.edu!ac08@cs.utexas.edu (C. Irby)
Subject: Re: Creation of New Viruses to Sell Product
WHMurray@DOCKMASTER.NCSC.MIL writes:
>>This leaves a greater potential for companies to profit from the
>>creation of new viruses.
>
> New viruses do not sell product. Old viruses sell product. There
> are not enough copies of a new virus to be noticed.
>
> William Hugh Murray, Executive Consultant, Information System Security
> 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
> 203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL
You're joking, right?
"New virus reported- 1 copy found- get your new virus killer here!"
For example, there are some companies that sell "yearly upgrade
support" for X dollars- if there are no new viruses, there *is* no
reason for the product...
C Irby
ac08@vaxb.acs.unt.edu
ac08@untvax
------------------------------
Date: Fri, 08 Jun 90 17:52:36 -0400
From: Arthur Gutowski <AGUTOWS@WAYNEST1.BITNET>
Subject: RE: Documented mainframe viral attacks
spoelhof@newkodak.kodak.com (Gordon Spoelhof) asks:
>1. How many mainframe viral attacks are documented?
The ones that come to my mind (and I believe all have been reported
here) are the XMAS, BUL, 4PLAY, and HEADACHE execs on VM/CMS and the
RTM worm and WANK worm on Unix.
>2. How many incidents are reported/not reported?
Hard to say. I suspect that just as with PC and Macintosh viruses, some
cases go unreported.
>3. In general, how are the viruses introduced?
I'm not sure about the Unix worms, as I didn't follow them as closely,
but I believe they exploited mail/file xfer bugs/features. The VM execs
used nickname files in PROFS and Rice Mail to send themselves to everyone
you knew as they ran.
>4. What corrective measures had to be taken?
The only VM exec we encountered here was the original XMAS exec. Luckily,
we had alert tech support staff who monitored this list and Valert-L, caught
the thing when it first came in, and nipped it in the bud.
>5. What preventative measures are taken?
One, never trust unexpected files from unknown sources. Even though it may
not be a virus or worm as such, it has the potential of being a Trojan.
Two, monitor Virus-L/Valert-L for warnings of new/recurring problems.
Three, make sure your operations and tech support staff monitor things
like (on VM) spool space filling up with a certain filename, perhaps even
setting up filters in RSCS to reject all such files (when a confirmed report
is received). News facilities to spread the word to users to be on the
lookout for such a file also help.
These are things that we've done to keep attacks to a minimum.
>6. What is the level of risk?
So far, to my knowledge (corrections welcomed if I'm wrong), the only
threat the VM execs have posed is filling up spool space, which can
cause VM to crash, if the problem goes unnoticed. However, there always
is the risk of a virus/worm carrying a payload that will format your A-disk,
erase certain key files, or whatever.
Basically, we try not to get caught with our britches down. This list and
Valert-L are the good sources for new emergences. And staff awareness, along
with past experiences keep us on our toes.
/===" Arthur J. Gutowski, System Programmer
: o o : MVS & Antiviral Group / WSU University Computing Center
: --- : Bitnet: AGUTOWS@WAYNEST1 Internet: AGUTOWS@WAYNEST1.BITNET
\===/ AGUTOWS@cms.cc.wayne.edu
Have a day.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Waiter: Would you care for some coffee, sir?
DesCartes: I think not. ...*Poof!*, gone.
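The preventive measure described above (watching spool for the same file name arriving over and over, as a self-mailing exec such as XMAS produces) can be turned into a simple detector. This is an added example, not code from the digest or from WSU; the spool-arrival record format and the sample records are constructed for it, and the window and sender threshold are arbitrary assumptions.

```python
# Added example: flag a spool file name that arrives from many different
# senders within a short window, the signature of an exec that mails itself
# to everyone in each victim's nickname file. Record format is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <sender> <recipient> <fname> <ftype>"
SAMPLE_SPOOL_LOG = """\
1990-06-08T09:00:00 JSMITH@NODEA ALICE@WAYNEST1 REPORT SCRIPT
1990-06-08T09:02:10 ALICE@WAYNEST1 BOB@WAYNEST1 XMAS EXEC
1990-06-08T09:02:11 ALICE@WAYNEST1 CAROL@WAYNEST1 XMAS EXEC
1990-06-08T09:05:30 BOB@WAYNEST1 DAVE@WAYNEST1 XMAS EXEC
1990-06-08T09:05:31 BOB@WAYNEST1 ERIN@WAYNEST1 XMAS EXEC
1990-06-08T09:07:02 CAROL@WAYNEST1 FRANK@WAYNEST1 XMAS EXEC
1990-06-08T09:40:00 DAVE@NODEB ERIN@WAYNEST1 BUDGET LISTING
"""


def parse_records(text):
    """Parse the constructed record format into (time, sender, recipient, fileid)."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, fname, ftype = line.split()
        recs.append((datetime.fromisoformat(ts), sender, rcpt, f"{fname} {ftype}"))
    return recs


def find_spreading_files(records, window=timedelta(minutes=30), min_senders=3):
    """Return {fileid: sorted senders} for every file name that arrives from
    at least `min_senders` distinct senders inside any `window`-long span.
    A file mailed once by one person never trips this; one relayed by each
    new recipient does."""
    by_file = defaultdict(list)
    for ts, sender, _rcpt, fileid in records:
        by_file[fileid].append((ts, sender))
    alerts = {}
    for fileid, events in by_file.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits
            while events[end][0] - events[start][0] > window:
                start += 1
            senders = {s for _, s in events[start:end + 1]}
            if len(senders) >= min_senders:
                alerts[fileid] = sorted(senders)
                break
    return alerts


if __name__ == "__main__":
    for fileid, senders in find_spreading_files(parse_records(SAMPLE_SPOOL_LOG)).items():
        print(f"ALERT: {fileid} arrived from {len(senders)} senders: {', '.join(senders)}")
```

A confirmed alert is the point at which the post suggests adding an RSCS filter for that file name and warning users.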
------------------------------
Date: 09 Jun 90 01:27:10 +0000
From: btr!public!gio@decwrl.dec.com (Giovanni V. Guillemette gio@btr.com)
Subject: Re: removing Stoned from harddisks (PC)
plains!person@uunet.UU.NET (Brett G. Person) writes:
>I had a friend call me who told me that Stoned actually damaged the
>media on the hard drive. He said they lost a full ten Meg. He took
>the drive through a low-level + dos format, and only wound up with
>20Meg on a 30 meg disk.
>
>Now, I know that a piece of software isn't supposed to physically
>destroy media, but he said that the tech from the disk company claimed
>that Stoned actually does destroy the media permanently. I don't
>pretend to know everything about the pc, so I told him I'd ask here.
>My bet is that the drive was either mis-labeled as a 30 meg, or somehow
>partitioned wrong.
>
>- --
>Brett G. Person
>North Dakota State University
>uunet!plains!person | person@plains.bitnet | person@plains.nodak.edu
This has happened to me before, but not in relation to a virus. It happened
when I tried to format an RLL drive in MFM format, as RLL offers 50% more
data per track. Run CHKDSK on the disk. If you get a message to the effect
that you have 10 megs of bad sectors, then it's media damage. If not, then
it's because you didn't partition the disk properly. Here's how:
Use a program like Ontrack's Disk Manager, or Speedstor to do your low-level
format. It will ask you for the drive type - and, in both cases, you should
be able to enter the specific disk (assuming it's a Seagate, but, even if it's
not, Speedstor might still have it) by brand and model. Then, let the program
partition it for you, using the *default* values. What it will do is to create
a small (<1MB) MFM partition for DOS to boot off of (obviously, that's where
you load your system), and another 31MB RLL partition, which DOS will only be
able to access after loading the device driver that Disk Manager (or Speedstor)
loads automatically on the first partition for you. Hope I didn't confuse you.
One caveat: The disk program will install a device driver and a default
CONFIG.SYS file. Make sure you don't remove the "device=[driver].sys" file
from your CONFIG.SYS, or you won't be able to access the 31MB partition!
Let me know if that helps. This is my first posting ever to the net (I'm new
to Unix, but not DOS), and I don't want to think I'm wasting bandwidth.
- Gio
gio@btr.com
73677,2727@compuserve.com
(I may be new to Unix, but I've heard of the line eater. Eat this!)
------------------------------
Date: Sat, 09 Jun 90 07:44:00 +0000
From: Costas Krallis <g7ahn@compulink.co.uk>
Subject: Re: First jailed UK computer h
An important point is that he was convicted for serious criminal
damages, not for hacking which is not really illegal by itself. He was
not just a hacker but a computer vandal.
Costas Krallis
London, UK
E-Mail: <g7ahn@compulink.co.uk>
PS: The word "hacker" here is used to describe a "password cracker"
but has also other meanings. Please, let refrain from the flame
war about it.
------------------------------
Date: Sat, 09 Jun 90 07:38:00 +0000
From: Costas Krallis <g7ahn@compulink.co.uk>
Subject: Re: New Virus (PC)
Yuval Tal <NYYUVAL@WEIZMANN.BITNET> writes:
> I've just received a copy of a virus called "Armagedon the GREEK".
> Have anyone ever seen this virus? SCAN 62 did not identify this virus
> so I consider this as a new virus. I've checked it a bit and from what
> I found out, at a certain time, the virus sends a special command to
> your ports which a Hayes compatible modem can understand!
Is it really a virus or just a trojan? Any interesting copyright
strings in the program ?
> Greek fellows: What does the phone number 081-141 mean?
081-141 is the phone number where you can hear the time announcement
in Iraklion, Crete.
Costas Krallis G7AHN
E-Mail: <g7ahn@compulink.co.uk>
------------------------------
Date: Sat, 09 Jun 90 15:42:00 -0500
From: Sanford Sherizen <0003965782@mcimail.com>
Subject: Soviet Virus Questions
I recently returned from a technical study mission to the USSR,
participating with a group of specialists reviewing EDP audit, data
security, and quality assurance. Experts from universities,
ministries, and financial organizations (both state and private) kept
mentioning their concerns with virus (Russian pronunciation=vee'rus)
attacks. There have been a number of virus problems even though there
is *very* restricted access to machines and minimal network links to
the outside. Soviet systems seem ill prepared to prevent virus
epidemics, except for some homegrown scanning programs. Current plans
to expand computerization within the public as well as private sectors
will create opportunities for many problems.
I am interested in hearing from anyone who has information about the following:
1. Incidents of virus problems in the USSR (I have some details from
the November, 1988 period but nothing else.)
2. Vaccines or other virus prevention/detection programs in the USSR
3. Western virus prevention/detection programs that are available for
export to the USSR
Finally, I mentioned Virus-L in my talks and there were many people
who were interested in obtaining its messages. Does anyone know of
existing links that could be used to make Virus-L available to Soviet
researchers and other interested parties given current official and
technical restrictions over their receiving external messages?
Any assistance that you can offer will be appreciated. I plan to send
information to people there and will be writing a number of articles
on the findings from my trip.
Nice to be back in the U.S.
Sandy Sherizen
******************
Sanford Sherizen
RESPOND VIA-------------------> MCI MAIL: SSHERIZEN (396-5782)
-------------------> FAX: 508-879-0698
-------------------> PHONE: (508) 655-9888
******************
------------------------------
Date: Sat, 09 Jun 90 22:41:00 -0400
From: Paul Coen <PCOEN@drew.bitnet>
Subject: Re: 1451 virus in Yugoslavia (PC)
>VirusName : ?, (1451COM/1411EXE)
>Type : indirect executable code infector
>Infects : COM and EXE files
>VirusBodyLength : 1451 bytes (COM), 1411 bytes (EXE)
>Expanding victim: YES, to paragraph boundary, both COM and EXE
>Location in RAM : before end of memory
>Steals interrupt: 21h
>Intercepts func.: 40h (write to file), 4Bh (load & execute)
>Attacks : Sept., Oct., Nov., Dec., each year
>Action : When executing int 21h, func. 40h (write to file)
> intercepts the call. If triggered the action code
> increments register DX by 0Ah, changing the address
> of buffer to be written to disk.
>Consequences : wrong data (or garbage) written to disk
From the trigger time, location in RAM, and the action/result, this
sounds remarkably like the 1554/1559 virus. We were hit with it in
March/April here at Drew U. One thing we noticed was that it doesn't
always add the same amt. to a file -- ours tended to be around 1300+
bytes. However, Viruscan and the disassembly indicated that it was
the virus commonly known as the 1554. I'd guess that yours is the
same beastie.
I could be wrong, but I think it originated in Taiwan. My first
recollection of it was when someone from Taiwan posted a UUENCODED
.COM file (chkdsk, I think) containing the virus to the VALERT-L list.
I haven't heard of too many places getting hit -- supposedly we were
only the third or so reported hit in the United States.
We (Drew U. Academic Computer Center) figured that it was probably
written by/for students in particular -- since the trigger time
roughly corresponds to the fall semester in many places.
McAfee's viruscan (the latest version in v63) detects the 1554. I'd
be interested in knowing if that is what it identifies your virus as.
One other item of note -- the virus we were hit with doesn't go TSR
by calling the standard interrupt(s). It just writes itself in the
upper 128K (on a 640K machine) and hopes nothing writes over it.
Because of this, it blows right by programs watching the interrupts,
like FluShot+. If this is the method that your virus uses, I'd say
it's almost certainly the same virus -- or a variant.
It's a nasty bug -- it might look like a disk error to the uninformed.
Good luck with it.
------------------------
Paul Coen Drew University
pcoen@drew.edu pcoen@drunivac.bitnet
------------------------------
Date: Sun, 10 Jun 90 14:16:38 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: First generation samples (PC)
When the author of a virus wants to get his creation into circulation,
he might send a copy of it to a virus researcher - probably because it
is a fast and easy way to get the publicity he wants.
Sometimes this is done anonymously, but the author could just as well
claim to have "found" the virus on some computer. It is even possible
that this might be done in order to establish a good working
relationship with the virus researcher - with possible virus exchanges
in the future in mind.
It is so much easier to write a virus when a starting point, in the
form of an existing virus is provided.
The question is: Has this ever happened ? Are any of the virus samples
that have been made available to researchers "first-generation copies"
directly from the virus authors ?
Several such cases are known - Murphy-2, New Vienna, the TP-series and
Icelandic-2, and the Pentagon "virus" might also be included in the
group.
There are also a few cases where the sample originally made available
for research is not a typical infected program, as it includes a text
string or a piece of code which is not included when the virus
replicates. In some cases the virus is structurally different,
missing a 3-byte JMP at the beginning for example. This only seems to
be possible if...
...the person who made the virus available is the author
or
...he obtained the virus directly from the author
This article is written because a few days ago I obtained two new
viruses, where the samples are different from typical infected
programs - clearly the samples were first-generation programs.
Those two viruses were called SVIR.EXE (a 512 byte direct-action .EXE
file infector) and 13J.EXE, a 1201 byte encrypted .EXE file infector.
Some previous such cases were known, including the Amoeba (a 1392 byte
.EXE and .COM infector), but I suspect that several other viruses have
also been distributed by their authors this way.
- -frisk
Fridrik Skulason University of Iceland |
Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion
E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 |
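The structural tell described in the post (a sample that lacks the leading JMP or carries a text string that never appears once the virus replicates) can be checked mechanically by diffing the received sample against a copy the virus produced itself under observation. This is an added example, not Fridrik Skulason's code; the two byte images are constructed toys, not real virus code.

```python
# Added example: compare a received .COM sample with a second-generation
# copy replicated in the lab, and report what exists only in the sample.
import difflib


def starts_with_jmp(code):
    """True if a .COM image begins with a short (EB) or near (E9) JMP, the
    usual shape of a COM file infected by an appending virus."""
    return len(code) >= 2 and code[0] in (0xE9, 0xEB)


def sample_only_regions(sample, replicated, min_len=4):
    """Byte runs of at least min_len present in the sample but absent from
    the replicated copy."""
    sm = difflib.SequenceMatcher(None, sample, replicated, autojunk=False)
    return [sample[i1:i2]
            for tag, i1, i2, _j1, _j2 in sm.get_opcodes()
            if tag in ("delete", "replace") and i2 - i1 >= min_len]


def assess_sample(sample, replicated):
    """List the first-generation indicators found in `sample`."""
    findings = []
    if starts_with_jmp(replicated) and not starts_with_jmp(sample):
        findings.append("sample lacks the leading JMP that replicated copies have")
    for chunk in sample_only_regions(sample, replicated):
        printable = bytes(b for b in chunk if 32 <= b < 127)
        if len(printable) >= 4:
            findings.append(f"text only in sample: {printable.decode()!r}")
    return findings


# Constructed toy images (assumptions, not real code): the 'virus body' is a
# DOS print call, the host a DOS exit call. The sample has no JMP and carries
# an author string; the replicated copy is host-plus-body behind a JMP.
VIRUS_BODY = bytes([0xB4, 0x09, 0xCD, 0x21, 0xC3])
HOST = bytes([0xB4, 0x4C, 0xCD, 0x21])
SAMPLE = VIRUS_BODY + b"written by nobody" + bytes([0x90])
REPLICATED = bytes([0xE9, 0x04, 0x00]) + HOST + VIRUS_BODY + bytes([0x90])

if __name__ == "__main__":
    for line in assess_sample(SAMPLE, REPLICATED):
        print("-", line)
```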
------------------------------
Date: 11 Jun 90 03:46:33 +0000
From: woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal)
Subject: Re: Possible virus (PC)
IBNG300@INDYVAX.BITNET (SEAN KRULEWITCH) writes:
> prompt. When I try again, I get an incorrect Dos version error. If I
> then proceed to type ver it says Dos 3.41. However I am running Dos
> 4.01. If i type ver a few more times it continues to say dos 3.41.
This sounds like one of the 4.01 bugs. DON'T EVEN LET dos 4.X NEAR a
machine. It causes all kinds of strange problems. I have a long
string of friends and acquaintances who have tried it, and have had to
go back to dos 3.x for reliability. The technical reasons for this are
many and varied, but the major culprit seems to be the 32 bit fat
table. Some of the function calls have been modified. Specifically,
some of the older calls did not specify the contents of the CX register
pair. Under DOS 4.01 the CX register pair is checked for a specific
value, to enable 32 bit fat stuff. Since this was not a requirement
that CX have anything in it, some programs use it for a counter etc.
etc. These programs can crash bigtime in certain cases. DON'T USE
DOS 4.X
Cheers
Woody
------------------------------
Date: Mon, 11 Jun 90 10:12:36 +0100
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
Subject: Military use of computer viruses
{A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Mon, 11 Jun 90 09:54:04 BST
......................................................................
from UK newspaper 'The Sunday Telegraph', Sunday 10 June 1990
[Germ war looks to computer virus], by Roger Highfield, Science Editor
A new era of warfare - "electronic germ warfare" - is about to be launched.
Computer viruses are to be developed into weapons. Viruses, destructive
programs that can propagate undetected through computer networks, could
wreak havoc on battlefield computers, disabling communications and making
weapons useless. "We're looking to see if we can develop some malicious
software concepts.", said Dr. Richard Poisel, chief of research and
technology at the secretive US Army Centre for Signals Warfare in
Warrenton, Virginia, USA. One security expert, Professor Lance Hoffman of
George Washington University, said advanced nations were most vulnerable.
"Their military systems are much more dependent on computers.".
Details of the attack virus are contained in the "Program Solicitation
90-2" issued in the Defence Department's Small Business Innovation Research
Programme. Entitled "Computer Virus Electronic Counter Measure", it
outlines how the research "shall be to determine the potential for using
computer viruses as an electronic counter measure technique against generic
military communications systems/nets.". The project not only calls on the
company to design the viruses but to determine if they can be transmitted
by radio to infect the enemy's computer. One potential target of viruses
could be organizations like the Government Communications Headquarters in
Cheltenham (UK), which intercept foreign radio transmissions and decode
them by computer. Once in an enemy system, the virus could lurk undetected
until required. It could scramble data, infect another computer, and
possibly even go on to delete itself.
The US Department of Defence has offered an initial $50,000 to businesses
prepared to undertake a feasibility study.
------------------------------
Date: Mon, 11 Jun 90 10:40:17 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: F-PROT version 1.10 (PC)
F-PROT version 1.10 is now finished. The major changes since 1.09 include:
* Scanning and disinfection of LZEXE-packed files. This is rather
slow, as it is written in C. In version 1.11 this routine will be
written in assembly language.
* A bug in F-DISINF that prevented it from removing the 'Stoned'
virus from hard disks has been corrected.
* Some command line options added: /AUTO to automatically remove
any infections found, without asking.
* Support for the Bulgarian version (P16) of DOS.
* The programs can now detect, stop and remove numerous new viruses -
including Shake, Victor, 5120, Jo-Jo, Liberty, Murphy, 800, Fish 6
and Form. The number of virus families is now 81, major variants
(different infective lengths for example) are around 120 and total
number of variants is over 150.
The German version is not ready yet - those I have promised a copy of
it will have to wait a bit longer.
I will send a copy to those on my mailing list tomorrow, as well as
upload a copy to SIMTEL, if possible - we often have problems reaching
SIMTEL from here.
- -frisk
Fridrik Skulason University of Iceland |
Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion
E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 |
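Scanning LZEXE-packed files, as the first item above announces, matters because a packer rewrites the executable body, so a signature scanner that does not unpack first sees nothing familiar. The check below recognises such a file from its MZ header; it is an added example, not F-PROT code, and the two headers it inspects are constructed for it.

```python
# Added example: parse the DOS MZ header and flag files LZEXE has packed,
# which a signature scanner must unpack before matching.
import struct

# MZ header through the overlay number: 2-byte signature plus 13 words.
MZ_HEADER = struct.Struct("<2s" + "H" * 13)
# LZEXE leaves its version tag in the reserved words at offset 0x1C.
LZEXE_TAGS = {b"LZ09": "LZEXE 0.90", b"LZ91": "LZEXE 0.91"}


def inspect_exe(data):
    """Return the header fields a scanner cares about, plus which packer
    (if any) produced the file."""
    if len(data) < MZ_HEADER.size + 4 or data[:2] not in (b"MZ", b"ZM"):
        return {"mz": False, "packer": None}
    f = MZ_HEADER.unpack_from(data, 0)
    tag = data[MZ_HEADER.size:MZ_HEADER.size + 4]
    return {
        "mz": True,
        "relocations": f[3],
        "header_paragraphs": f[4],
        "entry_cs_ip": (f[11], f[10]),
        "reloc_table_offset": f[12],
        "packer": LZEXE_TAGS.get(tag),
    }


def needs_unpacking(data):
    """True when signature matching on the raw bytes would be pointless."""
    return inspect_exe(data)["packer"] is not None


# Constructed headers (assumed values): a packed file with the LZ91 tag and
# no relocations, and a plain file with one relocation entry at 0x1E.
PACKED_EXE = (MZ_HEADER.pack(b"MZ", 0x90, 3, 0, 2, 0, 0xFFFF, 0x100, 0x80,
                             0, 0x0E, 0x100, 0x1C, 0) + b"LZ91" + bytes(32))
PLAIN_EXE = (MZ_HEADER.pack(b"MZ", 0x90, 3, 1, 4, 0, 0xFFFF, 0x100, 0x80,
                            0, 0, 0, 0x1E, 0) + bytes(36))

if __name__ == "__main__":
    for name, image in (("packed", PACKED_EXE), ("plain", PLAIN_EXE)):
        print(name, inspect_exe(image))
```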
------------------------------
Date: Mon, 11 Jun 90 13:36:35 +0000
From: Bechaa Mahmoud <SBECHAA@FRECCL11.BITNET>
Subject: Ping-Pong Ball Virus (PC)
I found the ping-pong ball virus on 3 of our pc hard disks. Symptoms:
a ball bouncing on the screen and destroying characters. The program
seems to choose whether to activate itself or not. So, we can
sometimes see it run and sometimes not. The problem is : I am not very
used to viruses and to the way to fight them. I would like to know if
such a virus can attack EXE and COM files and what is the best way to
definitively stop the infection.
I have tried reinstalling the system files by a 'SYS c:' command, but
many students have disks already infected and they reintroduce the
virus when they work on the PC. I wonder if programs like SAM (on Mac)
exists for pc systems. It would be a good solution, the floppy disk
being always controlled and treated if an infection is detected. Can
anyone give me all the suggestions to help me stop the virus?
Groupe ESC Lyon
23 Avenue Guy de Collongue
69130 - Ecully
France
------------------------------
Date: Mon, 11 Jun 90 08:32:00 -0500
From: JACOBY@MSUS1.BITNET1
Subject: Citation request - "What Do You Feed A Trojan Horse"
Would anyone have the text of Clifford Stoll's address
"What do you feed a Trojan horse?" given at Proceedings of the 10th National
Computer Security Conference (Baltimore, Md. Sept 21-24, 1987)
As usual, send responses, comments directly to me. I will summarize
for the net if there is interest.
Brian Jacoby, JACOBY@MSUS1.BITNET
In tribute to Jim Henson, a.k.a. Grover:
N N EEEEE AAA RRRR
NN N E A A R R
N N N EEE AAAAA RRRR
N NN E A A R R
N N EEEEE A A R R far
------------------------------
End of VIRUS-L Digest [Volume 3 Issue 111]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253