VIRUS-L Digest Monday, 25 Jun 1990 Volume 3 : Issue 116
Today's Topics:
re: FORM-Virus (PC)
VSHIELD and WIN 3.0 (PC)
New files on MIBSRV (PC)
Re: Help requested with a purported Yankee Doodle infection (PC)
Warning - Flipper virus (Mac)
Re: UnVirus (PC); Public Domain
Re: Mainframe attacks (MVS)
Re: Mainframe attacks (MVS)
Re: Discussion: definitions of common computer beasts (ie. viruses..)
New files on MIBSRV (PC)
On Tippett's "Kinetics..."
Re: GateKeeper Aid 'ADBS' Query (Mac)
1704-virus (PC)
Anti-viral philosophies
Re: FORM virus (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
---------------------------------------------------------------------------
Date: 18 Jun 90 15:00:50 -0400
From: "David.M.Chess" <CHESS@YKTVMV.BITNET>
Subject: re: FORM-Virus (PC)
Norbert Hanke <dosman%cs.id.ethz.ch@cernvax>:
> One of our users just encountered a new boot sector virus which calls
> itself FORM-Virus. It is not detected by SCANV63.
We recently got a sample of that from Switzerland as well. It infects
both floppy diskettes and the bootable partition of hard disks. The
only side-effect I've found is that it will cause the speaker to click
while typing under some circumstances. Usual disclaimers, of course;
what you've seen may not be the same virus that I've seen!
DC
------------------------------
Date: Mon, 18 Jun 90 17:02:00 -0400
From: LINDYK@Vax2.Concordia.CA
Subject: VSHIELD and WIN 3.0 (PC)
I have not encountered any difficulty in running the two together.
VSHIELD is loaded at the beginning of my autoexec.bat and subsequently
I load WIN 3.0 from a menu. If anybody does have problems with this
or a different configuration, I'd also like to hear about it.
Bogdan KARASEK
lindyk@vax2.concordia.ca
------------------------------
Date: Mon, 18 Jun 90 11:51:04 -0500
From: James Ford <JFORD@UA1VM.BITNET>
Subject: New files on MIBSRV (PC)
The following files have been placed on MIBSRV.MIB.ENG.UA.EDU (130.160.20.80)
for anonymous FTPing in the directory pub/ibm-antivirus:
chkup39.zip - CheckUp V3.9
netsc63b.zip - McAfee's NetScan program V63B. (taken from Homebase)
vcopy63.zip - McAfee's VCOPY program V63. (taken from Homebase)
secur109.zip - SECURE V1.09, tsr that prevents all known and unknown viruses.
(*NOTE: Description taken from SECURE.DOC. I have no knowledge
of the program myself....JF)
vtac42.zip - PC environment security program.
If you do not have FTP ability at your BITNET site, send a one line mail
message HELP to BITFTP@PUCC.
- ----------
He who never sticks out neck, never wins by nose.
- ----------
James Ford - JFORD@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU
THE University of Alabama (in Tuscaloosa, Alabama USA)
------------------------------
Date: 19 Jun 90 08:58:54 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Help requested with a purported Yankee Doodle infection (PC)
DLV@CUNYVMS1.BITNET (Dimitri Vulis) writes:
>1. Can someone refer me to a document, or a previous discussion on this
>newsgroup, where this virus is discussed? What does it do?
There are actually two different virus groups called "Yankee Doodle". Both are
from Bulgaria, but they are different in several ways.
Group 1: "Old Yankee" infects only .EXE files. When an infected program is
run, the virus does a full-depth recursive search on the current directory,
until a non-infected file is found, which will then be infected. The
virus then plays the Yankee Doodle tune and transfers control to the
original program. It does not remain resident in memory. Infected
files are marked by placing the word "motherfucker" at the end.
Two variants are known: one 1961 bytes and another, shorter one, only 1621
bytes, which does not play the tune - it does nothing but replicate. More
variants are expected in the future, as the author has distributed the
source to the virus.
Group 2: TP's "Yankee Doodle". Versions 26-44+ of the TP series of
viruses (which includes the "Vacsina" viruses as well) also play Yankee
Doodle. Versions 26-32 play it when Ctrl-Alt-Del is pressed, 33-43 play
it at 5pm, but versions 44- have only a 1-in-8 chance of playing it at that
time. Those viruses are resident, and quite a bit longer than the other
ones (2-3.5K).
Compared to many other viruses, the "Yankee-Doodle" viruses are fairly
harmless, but nevertheless a problem.
>2. Can someone please recommend a PD or shareware program for *scanning*
>existing executable files for this species of virus (and others, if possible).
Three programs that can (I think) find all the known variants:
VIRSCAN from IBM
SCAN from McAfee
F-PROT my own - which can remove them all as well :-)
- -frisk
- --
Fridrik Skulason University of Iceland |
Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion
E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 |
------------------------------
Date: 19 Jun 90 10:51:23 +0000
From: mumhongh@vax1.tcd.ie
Subject: Warning - Flipper virus (Mac)
A virus known as "FLIPPER" has 'woken up' on the Apple Mac in the Arts. It was
removed by Disinfectant in early June, but it is possible it is still on some
user disks. Please check yours using Disinfectant!
------------------------------
Date: Wed, 20 Jun 90 15:07:52 +0300
From: Y. Radai <RADAI1@HBUNOS.BITNET>
Subject: Re: UnVirus (PC); Public Domain
David Chess asks:
>If you don't consider it proprietary, I'd be curious to know what
>the scanning algorithm is that it doesn't slow down as the number
>of viruses increases.
A word to the wise is sufficient, isn't it? Well, the word in this
case is "hashing" ....
BTW, the implementation of the new UnVirus has since been speeded up
so that it's now almost 4 times as fast as SCAN.
I was also asked in a personal letter what I meant when I wrote in
the same posting:
> *freeware* (often erroneously called "public domain" software).
Since "public domain" is a legal term, some of what I'm about to write
may not be entirely accurate, but I think my conclusion will still be
valid. As I understand it, "public domain" means (at least approximately)
*not copyrighted*. Previous postings here on copyrighting
have indicated that a program written after 1 Mar 89 (the date the
U.S. became a signatory to the Berne Convention) is automatically
copyrighted at the moment of creation, without need for a copyright
notice. It therefore seems to me that a program written after this
date (in the U.S.) can be PD only if its author explicitly states that
he releases it to the public domain or that he waives all his rights.
And such cases constitute only a very small portion of the programs
available on most so-called "PD" servers, even if we restrict ourselves
to freeware.
True, a program written before 1 Mar 89 is not copyrighted unless it
bears a copyright notice of the form "Copyright year name", and many
authors thought they could write "(C)" instead of "Copyright", which
is incorrect. So maybe such programs would be considered PD if such a
matter ever came to court. In any case, the *concept* or *definition*
of "public domain" is very different from that of "freeware", and
that's all I was claiming.
Disclaimer: I have no legal background; if anyone with such a background
finds an error in what I've written, I shall repent.
Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI1@HBUNOS.BITNET
RADAI@HUJIVMS.BITNET
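The "hashing" hint above, spelled out as an added example (this is not UnVirus's code, and the digest does not describe its internals): a naive scanner tests every signature at every file offset, so its cost grows with the signature count; indexing the signatures by a short prefix in a hash table makes the per-offset work a single lookup, so scan time stays flat as signatures are added. The signatures, the sample file and the 2-byte prefix length are all constructed for illustration and are not real virus patterns.

```python
# Added example: a signature scanner whose per-byte cost does not grow
# with the number of signatures. Signatures and the sample file below are
# constructed for illustration only; they are not real virus patterns.

from collections import defaultdict

PREFIX_LEN = 2  # bytes of each signature used as the hash key (assumption)

# Constructed demo signatures (name -> byte pattern).
SIGNATURES = {
    "demo-a": b"\xEB\x1C\x90\x41",
    "demo-b": b"\xE9\x00\x01\x42",
    "demo-c": b"\xB8\x00\x4C\xCD\x21",
}

# Constructed sample "executable": header, padding, two embedded patterns.
SAMPLE_FILE = (
    b"MZ" + b"\x00" * 20
    + SIGNATURES["demo-a"] + b"\x00" * 10
    + SIGNATURES["demo-c"] + b"\xFF" * 8
)


def build_index(signatures):
    """Bucket signatures by their first PREFIX_LEN bytes."""
    index = defaultdict(list)
    for name, sig in signatures.items():
        if len(sig) < PREFIX_LEN:
            raise ValueError(f"signature {name!r} shorter than prefix length")
        index[sig[:PREFIX_LEN]].append((name, sig))
    return index


def scan_naive(data, signatures):
    """Reference scanner: one substring search per signature (cost grows
    linearly with the number of signatures)."""
    return {name for name, sig in signatures.items() if sig in data}


def scan_hashed(data, index):
    """Hashed scanner: one dictionary lookup per offset; a full signature
    comparison happens only when the prefix bucket is non-empty.
    Returns (set of matched names, number of full comparisons made)."""
    hits = set()
    full_compares = 0
    for i in range(len(data) - PREFIX_LEN + 1):
        bucket = index.get(data[i:i + PREFIX_LEN])
        if not bucket:
            continue
        for name, sig in bucket:
            full_compares += 1
            if data.startswith(sig, i):
                hits.add(name)
    return hits, full_compares


def demo(data=SAMPLE_FILE, signatures=SIGNATURES):
    """Scan the sample both ways and return (naive_hits, hashed_hits, compares)."""
    naive = scan_naive(data, signatures)
    hashed, compares = scan_hashed(data, build_index(signatures))
    return naive, hashed, compares


if __name__ == "__main__":
    naive, hashed, compares = demo()
    print("naive hits :", sorted(naive))
    print("hashed hits:", sorted(hashed), "after", compares, "full comparisons")
```

Adding a thousand more signatures to SIGNATURES leaves the per-offset work of scan_hashed unchanged (one lookup plus whatever lands in the same prefix bucket), which is the property David Chess was asking about. The trade-off is that a scanner built this way needs a fixed-length, non-wildcard prefix for every signature; wildcarded or variable-offset signatures need a separate path.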
------------------------------
Date: 20 Jun 90 19:42:55 +0000
From: CAH0@gte.com (Chuck Hoffman)
Subject: Re: Mainframe attacks (MVS)
TONY@MCGILL1.BITNET (Tony Harminc) writes:
> I think mainframe hacking was much more popular in those days simply
> because mainframes were all there were.
That also was about two years before the time that the Security group
at SHARE formed, which developed the specifications for the product which
became ACF2 in 1978. Simultaneously, IBM was secretly developing RACF.
By the early 80's, ACF2 was beginning to dominate the MVS system security
market, and it became much more difficult for hackers who were not in the
systems programming groups to make significant intrusions into MVS
systems. RACF was slow to develop because, in many people's opinions, it
was conceptually a poor design. These days, though, many MVS sites do use
it.
It is true that some of the architectural features of the original MVS
still exist in MVS/XA, making it possible to obtain system privileges.
Those who have been involved with MVS systems programming over the years
know the features well. But on systems which are routinely managed by
ACF2, TopSecret, or RACF, it is very difficult for a person outside the
systems programming group to exploit those features. There also are
extensive auditing tools and methods for monitoring systems, and, unlike
micros, MVS systems generally do not update or upgrade themselves while
they are running. It is still possible, but unlikely. With 15 years on
MVS systems in many companies, 10 on ACF2 and RACF protected systems, I
personally have never heard of a case of an unauthorized system update
caused by someone outside the systems programming group. I'm sure they're
there, but if they were common, I guess I would have heard about a few
through one of my employers, or through my consulting business, or through
the ACF2 conventions, through SHARE, or through the regional ACF2 user's
group I was heavily involved with. I didn't.
Things are about to become tighter, too. Computer Associates is in the
process of raising the rating of ACF2 and Top Secret from C2 to B1.
On Digital VAXs, the VMS system technically is C2, but in my opinion
the architecture is so cumbersome that systems managers have some
justification when they say that you need system privileges all the time
just to do a job. Yes, it's C2, but so many people end up with privileges
that it hardly matters.
- -Chuck
- - Chuck Hoffman, GTE Laboratories, Inc.
cah0@bunny.gte.com
Telephone (U.S.A.) 617-466-2131
GTE VoiceNet: 679-2131
GTE Telemail: C.HOFFMAN
------------------------------
Date: 21 Jun 90 03:49:45 +0000
From: woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal)
Subject: Re: Mainframe attacks (MVS)
While we are talking mainframe attacks, way back in 1976 or so, some
of my crowd of hackers, discovered that if you ran a program that upped
your privilege level temporarily in order to run (there were several), then
hit CTRL and BREAK back and forth several times rapidly, the os would get
confused. Then when you exited your session, your account table was dumped
back to disk with the result that when you logged on again, you had A0
(system administrator) privilege, and could do anything you jolly well
pleased. The hole was plugged within a couple of days, but I understand
that certain other accounts were created in the mean time that allowed
unfettered access to the machine.
I once had a psychology prof, who imparted a real jewel to the class.
"Things take more time than they do." A paraphrase of that:
"Operating systems are as secure as they are."
Cheers
Woody
The above attack was made on CP-V on a Xerox Sigma 6 or 7.
------------------------------
Date: Thu, 21 Jun 90 11:27:56 +0000
From: jerry@matt.ksu.ksu.edu (Jerry Anderson)
Subject: Re: Discussion: definitions of common computer beasts (ie. viruses..)
Here are my definitions of virus, worm and Trojan horse:
virus - a dependent self-replicating program.
worm - an independent self-replicating program.
Trojan horse - a program with a hidden agenda.
By dependent, I mean that a virus "lives" within another program.
I do not believe that the definition of a worm has anything to do with
networks. I think that association has risen due to the infamy of the
Internet worm.
I took the definition for a Trojan horse directly from Maarten Van Swaay.
I also think that a Trojan horse is the program that carries the
"payload," not the payload itself. (Remember, the Trojan horse of
literature *contained* the surprise.)
When describing virii, worms, etc, many people end up by saying something
like "... and does something bad, like erase your files." Granted, the
people who create these things and set them loose quite often put in
something nasty, but that isn't really part of what they are. It is simply
how they are used. If someone writes a program with a beneficial hidden
agenda, the program is still a Trojan horse.
- --
I like girls - German girls. Jerry J. Anderson
Computing Activities
BITNET: jerry@ksuvm Kansas State University
Internet: jerry@ksuvm.ksu.edu Manhattan, KS 66506
------------------------------
Date: Thu, 21 Jun 90 08:26:31 -0500
From: James Ford <JFORD@UA1VM.BITNET>
Subject: New files on MIBSRV (PC)
The following files have been placed on MIBSRV.MIB.ENG.UA.EDU (130.160.20.80)
in the directory pub/ibm-antivirus for anonymous FTPing.
fprot110.zip - FProtect
vsum9006.zip - Virus Summary Listing (current as of June 1990)
(Thanks to Jim Wright for sending FPROT110 to me......)
- ----------
James Ford - JFORD1@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU
------------------------------
Date: 21 Jun 90 15:42:17 -0400
From: "David.M.Chess" <CHESS@YKTVMV.BITNET>
Subject: On Tippett's "Kinetics..."
Various people have mentioned Dr. Peter Tippett's paper "The Kinetics
of Computer Virus Replication" here recently. We wrote a brief reply
to the paper awhile back, and I thought it might be reasonable to post
it. This isn't an Official IBM Statement or anything like that, just
the reaction of the researchers here at the High Integrity Computing
lab. (I don't know how people in general can get a copy of the paper
itself, I'm afraid. I don't know whether it's been formally published
anywhere; the copy we have was apparently handed out at a press
conference.)
The conclusions in Dr. Tippett's paper are based on a very
simple model of uncontrolled, exponential growth. We are not
convinced that the assumptions or conclusions of the paper are
correct, and they do not seem to be supported by the actual data
available to us. The model neglects several effects that we think
are crucial to understanding virus spread. We think substantially
more work in modelling virus spread will be required before it's
possible to make valid quantitative predictions.
Tippett's analogy with runaway biological growth neglects the
paths along which programs are shared (the "sharing topology"), and
incorrectly models the effects of widespread scanning on virus
growth. Our own preliminary studies of very crude models which
incorporate program sharing and scanning indicate that, under
certain conditions, the fraction of infected machines can stabilize
at a much lower value than Tippett suggests ( < 1% in some cases).
Furthermore, if the scanning rate for a known virus were sufficiently
high, the exponential growth of the virus population predicted by
Tippett would reverse, and the virus would eventually become
extinct. This is in contradiction to Tippett's conclusion that
scanning is ineffectual. (To anyone interested in looking into some
good work on modelling the spread of biological viruses, we'd
suggest consulting recent issues of the journal "Mathematical
Biosciences".)
Our own data on virus incidents do not show any trend towards
explosive growth, neither for viruses in general nor for the 1813
and Brain viruses which Tippett discusses. We would be very
interested in seeing other reliable data on virus populations as a
function of time.
We are rather confused at Tippett's assertion that "systems
management software" can contribute to real improvement in the
problem, whereas other methods cannot. No evidence is presented for
this in the paper, and it would appear that the same analysis that
is used to claim that scanning is ineffective could be applied to
virtually any other method of reducing the virus population,
including the use of systems management software.
We believe that, in order to make reasonable predictions about
the population dynamics of computer viruses, we need to formulate
more realistic models which incorporate some aspects of the virtual
and physical connectedness of the world's computers and at least a
minimal understanding of human habits. The analysis and interpretation
of such a model will not be easy, but the success that mathematical
epidemiologists have achieved in understanding the spread of some
infectious diseases encourages us to think that we will be able to
do it.
DC
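The two claims in the reply above (that with scanning the infected fraction can stabilize well below 100%, and that a high enough scanning rate reverses growth and drives the virus extinct) can be seen in the smallest possible model. The following is an added example, not the IBM lab's model and not anything from Tippett's paper, which the digest does not reproduce: a single-compartment infection model with a removal term, where beta is the infection rate per sharing contact and gamma is the rate at which infected machines are scanned and cleaned. All parameter values are constructed for illustration.

```python
# Added example (not from the digest, nor the IBM or Tippett models):
# a minimal infected-fraction model with a scanning/removal term.
#
#   dI/dt = beta * I * (1 - I) - gamma * I
#
#   I      fraction of machines currently infected
#   beta   infection rate per sharing contact (assumed value)
#   gamma  rate at which infected machines are found and cleaned (assumed)
#
# Without removal (gamma = 0) this is pure logistic growth, which is the
# "runaway" picture; with removal it has a finite endemic level, and with
# enough removal the only stable state is extinction.


def equilibrium(beta, gamma):
    """Closed-form long-run infected fraction.

    Setting dI/dt = 0 gives I = 1 - gamma/beta when beta > gamma; if the
    scanning rate gamma reaches beta the only non-negative solution is 0.
    """
    if beta <= 0:
        raise ValueError("beta must be positive")
    return max(0.0, 1.0 - gamma / beta)


def simulate(beta, gamma, i0=0.001, dt=0.01, steps=100_000):
    """Euler-integrate dI/dt from an initial fraction i0 and return I(T).

    The state is clamped to [0, 1] so a coarse step can never produce a
    nonsensical negative or >100% infected fraction.
    """
    i = i0
    for _ in range(steps):
        i += dt * (beta * i * (1.0 - i) - gamma * i)
        i = min(max(i, 0.0), 1.0)
    return i


def scenarios(beta=1.0):
    """Run three constructed cases and return {name: (simulated, closed_form)}."""
    cases = {
        "no scanning": 0.0,        # runaway growth, saturates at 100%
        "heavy scanning": 0.99,    # endemic but only ~1% infected
        "scanning > spread": 1.5,  # growth reverses, virus goes extinct
    }
    return {name: (simulate(beta, g), equilibrium(beta, g))
            for name, g in cases.items()}


if __name__ == "__main__":
    for name, (sim, closed) in scenarios().items():
        print(f"{name:20s} simulated={sim:.4f}  closed-form={closed:.4f}")
```

The model deliberately ignores the sharing topology the reply says matters; it is the one-line version that already shows scanning is not "ineffectual" in the sense claimed. The threshold is simply gamma >= beta: whatever the effective spread rate is, a detection-and-cleanup rate at or above it gives extinction rather than growth.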
------------------------------
Date: Thu, 21 Jun 90 17:47:00 +0700
From: h+@diab.se (Jon W{tte - SoftWare konsult)
Subject: Re: GateKeeper Aid 'ADBS' Query (Mac)
Maybe the ADBS wasn't where it belonged, or was patched to load
another resource. (an ADBS is a driver routine for the Apple Desktop
Bus, if memory serves me right)
Just a guess...
------------------------------
Date: Fri, 22 Jun 90 10:05:12 -0400
From: 9991@db0tuz01
Subject: 1704-virus (PC)
We got a virus problem at our site (FU-Berlin, Neurobiology): several
of our AT's got a virus infection. It's very likely that we have the
old 1704 virus or one of its children with the same head. Does
anybody know of a way how to get rid of this virus (without erasing
all infected *.COM files)? It seems the virus knows of the old start
address of the program but where the hell does he hide it? Any
advice or recommendations are welcome.
Thanks in advance
E.Lieke.
------------------------------
Date: 22 Jun 90 13:32:33 -0400
From: Bob Bosen <71435.1777@CompuServe.COM>
Subject: Anti-viral philosophies
>> Like to get some opinions on this one. If you could only get
>>one program for your pc/pc-xt/pc-at or clone, what would it be?
> This is a question that keeps coming up and while I agree that
>McAfee's products are the best for someone who knows what they
>are doing, they are not products that are suitable for environments
>with vast numbers of PCs and semi-educated users...
>
> 1- Can you imagine trying to install monthly updates on 5000 PCs...
>....
> What I prefer is a package that resides in the background of the
> user's PC and reports any change to the environment with no
> appreciable hit to performance
My thanks to Padgett for so clearly expressing what I have been unable
to say on this forum. As a vendor, it's hard for me to come here and
initiate discussions about my own products. Be warned: I am speaking
about my own commercial product here.
Our "SafeWord VIRUS-Safe" performs exactly as Padgett describes above.
It was designed with EXACTLY this kind of situation in mind. It also
maintains a detailed log of changes to files so a virus researcher
can figure out what kind of virus may have been polluting things. The
log reveals the date and time of detected changes, before-and-after
signatures using any industry-standard signature algorithms, length
changes, etc. If that's what you are looking for, please give me a
message.
Bob Bosen
Enigma Logic
USA tel: (415) 827-5707
------------------------------
Date: Sat, 23 Jun 90 20:01:14 +0200
From: swimmer@fbihh.informatik.uni-hamburg.de (Morton Swimmer)
Subject: Re: FORM virus (PC)
I'm sorry I didn't post this before, but the way things are at
the moment, I rarely get to eat.
The Form virus is a Swiss product. It has apparently infected
most of the schools in canton Zug so I'm not surprised that
you have got it at ETH Zuerich.
To make it short: it is indeed a boot sector virus. It will
infect floppies as well as hard disks. It has a damage: on
every 24th of any month it will make the keys click, but
it doesn't seem to work on my machine. Otherwise it is not
destructive. It is well programmed, and doesn't seem to have
been derived directly from any other virus. Normally it
should not bother you.
I had promised an antivirus for it, but time didn't allow it.
Like most boot sector viruses, it can be removed (or at least
deactivated) by booting from a _clean_ disk and using the SYS
command to overwrite the virus boot sector.
Cheers, Morton
Virus Test Center
------------------------------
End of VIRUS-L Digest [Volume 3 Issue 116]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253