VIRUS-L Digest Friday, 3 Aug 1990 Volume 3 : Issue 138
Today's Topics:
Various subjects (PC)
re: Antivirus-viruses
Virus documentation
New link virus: COM + 453, direct action (PC)
Forwarded: POSSIBLE PROGRAM TROJAN HORSE!! (PC)
4096 Virus and Checksums (PC)
4096 Running Rampant at Wharton! (PC)
Virus information requested
Re: Site licenses
Re: 4096 Running Rampant At Wharton! (PC)
Re: Site licenses
F-PROT experience, anyone?
4096 in Bradford, UK (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
---------------------------------------------------------------------------
Date: Thu, 02 Aug 90 13:23:11 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Various subjects (PC)
F-PROT news
F-PROT version 1.12 is finished - It is not completely up to date, as I have
not yet been able to obtain samples of some very recent viruses (Sublimal and
Poem for example). The next update will therefore appear soon - expect 1.13
late in August.
The program has been sent to everybody on my distribution list, and has also
been uploaded to chyde.uwasa.fi. I also expect it to appear soon on
comp.binaries.ibm.pc.
"Stealth" virus
I have seen the name "Stealth" used for 4 different viruses, 4096 (Frodo, IDF)
and 1260, as well as two of the Bulgarian viruses. This is too confusing, so
what I propose (and what I will do in version 1.13 of F-PROT) is to use
"Stealth" to refer to a class of viruses - the viruses that attempt to hide
from detection, using a variety of methods. Comments, anybody ?
Lost mail
Some time ago I deleted several mail messages by accident. I assume many of
them were virus-related, so if any of you sent me mail about three weeks ago
and have not received a reply, I probably lost your messages. Sorry :-(
Just e-mail me again, but don't expect a reply for about 10 days or so,
because .....
Vacation time
I am going on a vacation today - the first time for more than two years when
I will not have a computer in front of me most of the day. I will be back on
August 10.........
- -frisk
- --
Fridrik Skulason University of Iceland |
Technical Editor of the Virus Bulletin (UK) | Reserved for future expansion
E-Mail: frisk@rhi.hi.is Fax: 354-1-28801 |
------------------------------
Date: 02 Aug 90 09:33:09 -0400
From: "David.M.Chess" <CHESS@YKTVMV.BITNET>
Subject: re: Antivirus-viruses
Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
writes, among other things:
> For example, if Den Zuk hadn't got the bug of malfunctioning on
> small disks, it would likely have spread largely ignored, and
> flushed out the harmful Brain from most of the places where it
> breeds...
I imagine there will be lots of flames on this, and I don't
really want to add to them (on the other hand, I don't
want there to be no response to the item, so here I am!).
I'm not sure if Mr. Appleyard means to imply that if the Den Zuk had
only been less buggy, it would have been a Good Thing; if that's the
intent, though, I'd like to disagree strongly! Any virus (with or
without the Den Zuk's Brain-removal, "logo" and other side effects)
that messes around with my system without my knowledge is a Bad Thing.
It will eventually spread to some place where it will do harm (a
non-standard disk format that it doesn't notice, but messes up; a new
version of the op system that it's not compatible with; or whatever).
The only anti-virus virus that would be at all defensible would be
one that announced itself in large and unmissable letters when first
run, and gave the user the option (which I, personally, would always
exercise) to tell it to erase itself completely from the system.
Even then, I don't entirely share Mr. Appleyard's confidence that
there are already so many sample viruses out there that one more
won't provide budding virus writers with extra education. I'm not
certain that it would, but I wouldn't want to take the chance...
DC
------------------------------
Date: Thu, 02 Aug 90 10:47:00 -0400
From: "Michael N. Davis" <DAVISM%ATSUVAX1.BITNET@VTVM2.CC.VT.EDU>
Subject: Virus documentation
I just joined this list and I was wondering if this list maintains an
archive of full documentation on each virus. For example, a warning
has gone out about the 4096 virus at a med school in a nearby city
that I do some pc work for. The report said that there was no
software that could detect and remove it. Someone here at my
institution told me that there is software to detect and remove it.
It would be nice if I could get at will an archive file from this list
fully describing the 4096 virus, its modus operandi, and the software
that will cure it. Does such exist, and if so how do I access it from
BITNET?
Thanks.
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Michael N. Davis, System Manager, NC A&T State University, Greensboro, NC 27411
BITNET: DAVISM@ATSUVAX1
------------------------------
Date: 02 Aug 90 16:10:23 -0500
From: "Otto Stolz" <RZOTTO@DKNKURZ1.BITNET>
Subject: New link virus: COM + 453, direct action (PC)
In the HQ of Südwestdeutscher Bibliotheks-Verbund (located at the
University of Constance, Germany), a new virus has been detected. The
virus adds 453 (four hundred fifty-three) bytes to COM files. (It is
neither the V-345 from the Amstrad strain, nor the Vienna 435.)
F-FCHK and SCAN do not recognize this virus.
It is not yet known whether this virus carries a payload.
I know that it infects COM files in the local directory; whilst it did
not infect files in other directories during my tests, we cannot be
completely sure about the infection mechanism until the virus has been
disassembled.
Following are my preliminary findings in VTC format.
I'll send a sample to the VTC at Hamburg for further investigation.
If anybody has already seen this beast and knows more than I do (cf.
infra), please drop me a note.
Otto
- ---------------
Entry................. ((not yet assigned -- anything alluding to the
length would be confusing, as we have already
435 and 345 viruses))
Alias(es).............
Strain................
Detected: when........ 1 Aug 1990
where....... Südwestdeutscher Bibliotheksverbund
(located at Universität Konstanz)
Classification........ Link virus, direct action COM infector
Length of virus....... 453 bytes added to COM files
- ----------------------- Preconditions --------------------------------
Operating System(s)...
Version/Release.......
Computer models.......
- ------------------------Attributes -----------------------------------
Easy identification... File size increases by 453 bytes
The following offsets are taken relative to the
address the JMP instruction (cf. infra) points to.
offset | string / bytes found
-------+----------------------------------
007 | "VIRUS"
00D | "*.COM"
013 | "????????COM"
030 | file-id of the infected program
043 | original contents of 1st 3 bytes
052 | "TUQ.RPVS"
Type of infection..... Direct action.
Begin of program is overwritten with JMP
instruction pointing to appended viral code.
Infection trigger..... Executing an infected file will trigger the
infection attempt in the local directory.
Virus has been tested with one bait (at most)
available, so it is not clear whether multiple
programs will be infected. No files outside the
local directory have been infected during tests.
Interrupts hooked..... none
Damage................
Particularities.......
- ----------------------- Acknowledgement ------------------------------
Location.............. Rechenzentrum der Universität Konstanz
Classification by..... Otto Stolz <RZOTTO at DKNKURZ1.BITNET>
Documentation by ..... Otto Stolz <RZOTTO at DKNKURZ1.BITNET>
Date.................. 1990-08-02
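The "Easy identification" offsets in the VTC entry above are enough for a simple file check. The following Python is an added example, not part of the digest or of Otto Stolz's work: it follows the leading JMP to the appended body, compares the four listed strings at their offsets, and rebuilds the host from the 3 saved bytes at offset 043. It assumes (the entry does not say so) that the 453-byte body is appended directly after the original program; the sample host and the filler image used to test the check are constructed here and contain no viral code.

```python
import struct

# Offsets relative to the JMP target and the strings found there, taken from the
# "Easy identification" section of the VTC entry above.
SIGNATURE = {
    0x07: b"VIRUS",
    0x0D: b"*.COM",
    0x13: b"????????COM",
    0x52: b"TUQ.RPVS",
}
VIRUS_LENGTH = 453        # bytes added to each infected COM file, per the entry
ORIG_HEAD_OFFSET = 0x43   # where the entry says the host's original first 3 bytes are kept
JMP_NEAR = 0xE9           # opcode of the 8086 near JMP with a 16-bit displacement


def jmp_target(data: bytes):
    """File offset a leading near JMP points to, or None if there is none.
    A near JMP is relative to the next instruction, so offset = 3 + rel16."""
    if len(data) < 3 or data[0] != JMP_NEAR:
        return None
    rel = struct.unpack_from("<H", data, 1)[0]
    return (3 + rel) & 0xFFFF


def matches_com453(data: bytes) -> bool:
    """True if every listed string sits at its offset from the JMP target.
    Assumption (ours, not in the entry): the 453-byte body is appended directly
    after the original program, so the file ends exactly 453 bytes past the target."""
    target = jmp_target(data)
    if target is None or len(data) != target + VIRUS_LENGTH:
        return False
    return all(data[target + off:target + off + len(s)] == s
               for off, s in SIGNATURE.items())


def restore_host(data: bytes) -> bytes:
    """Rebuild the original program: put the 3 saved bytes back at offset 0
    and drop the appended body. Only valid when matches_com453() is True."""
    if not matches_com453(data):
        raise ValueError("not a COM+453 infection")
    target = jmp_target(data)
    head = data[target + ORIG_HEAD_OFFSET:target + ORIG_HEAD_OFFSET + 3]
    return head + data[3:target]


def build_fixture(host: bytes) -> bytes:
    """Constructed test image (inert NOP filler carrying only the signature
    strings and the saved head, not viral code) in the layout the entry describes."""
    assert len(host) >= 3
    body = bytearray(b"\x90" * VIRUS_LENGTH)
    for off, s in SIGNATURE.items():
        body[off:off + len(s)] = s
    body[ORIG_HEAD_OFFSET:ORIG_HEAD_OFFSET + 3] = host[:3]
    rel = (len(host) - 3) & 0xFFFF      # JMP from offset 3 to the end of the host
    return bytes([JMP_NEAR]) + struct.pack("<H", rel) + host[3:] + bytes(body)


# Constructed sample host: MOV AH,4Ch / INT 21h (DOS exit) padded to 32 bytes.
SAMPLE_HOST = b"\xB4\x4C\xCD\x21" + b"\x00" * 28
```

Because the check runs over the file image on disk, it only sees the real bytes when the scanning machine itself is clean, which is why the list's advice to scan from a known clean machine applies here too.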
------------------------------
Date: Thu, 02 Aug 90 12:02:35 -0700
From: rogers@marlin.nosc.mil (Rollo D. Rogers)
Subject: Forwarded: POSSIBLE PROGRAM TROJAN HORSE!! (PC)
The info below was provided by our local Computer Resource Center. I
contacted the sender below and tried to get more details on this.
However, he told me he had gotten the info from a third party. So
there is no local confirmation that this is a real trojan horse
running around within this program. Since the trigger date was two
days ago, thought you might wish to distribute this information, so
users who currently have or contemplate obtaining this software can be
forewarned. Sorry I could not obtain more complete details. I was
told this could be the commercial or PD version of the software.
- -------
From marlin!nosc!manta!bray Wed Aug 1 15:41:42 PDT 1990
Article 660 of nosc.micro:
Path: marlin!nosc!manta!bray
From: bray@manta.NOSC.MIL (Robert E. Bray)
Newsgroups: nosc.micro
Subject: DISCOVER Program Warning
Keywords: disk management utility, program problems
Message-ID: <1171@manta.NOSC.MIL>
Date: 1 Aug 90 22:01:12 GMT
Distribution: nosc
Organization: Naval Ocean Systems Center, San Diego
Lines: 16
- -------
DISCOVER Program Users:
It has come to the attention of the CRC that the PC program called,
DISCOVER (a disk management desktop utility similar to PC Tools, Norton
Commander, XTREE Pro, etc.), has been programmed with a trigger to
begin ciphering files/directories that are referenced or created AFTER
31 JULY 1990, AND it doesn't let you un-cipher those files/directories!
Users beware--you may want to stop using DISCOVER asap.
Currently, further information on this problem is limited. However, if
you have questions, call the CRC (Bayside x32247 or Topside x32268).
Bob B. (Bayside CRC)
- -------
------------------------------
Date: 02 Aug 90 13:39:32 -0400
From: Steve Albrecht <70033.1271@CompuServe.COM>
Subject: 4096 Virus and Checksums (PC)
In browsing through the April 1990 issue of Computers and Security,
Volume 9, No. 2, I read the following comments of Dr. Harold
Highland on the 4096 virus:
"This recently published computer virus is particularly
disturbing in that...checksum techniques likewise appear to
be useless, the virus `disappears' during the checksum
process..."
Can someone please elaborate on how the virus avoids the checksum
process, or perhaps direct me to more detailed information on this
virus?
In particular, does it avoid all checksum algorithms, or only
certain ones? How does it avoid detection from the checksum
operation?
Any help would be most appreciated.
Steve Albrecht
MIS Field Services
PLAN International
70033,1271@compuserve.com
------------------------------
Date: Thu, 02 Aug 90 15:07:25 -0500
From: martha rapp <IMER400@INDYCMS.BITNET>
Subject: 4096 Running Rampant at Wharton! (PC)
Michael,
You must find a way to check and remove the virus from
students' disks or the lab will never completely get rid of the infection.
Get an old machine with the proper size drives and set it up near the
doorway and don't allow anyone to use the machines if their disks have
not been certified virus free. I don't think that Diskmanager is an
anti-virus program. Use and pay for Scan from McAfee or something
similar and ensure that you can get updates easily. The main item is
that with hard drives on your machines you must constantly check for
viruses.
Martha Rapp
Computing Services
IUPUI
------------------------------
Date: 02 Aug 90 15:17:33 +0000
From: cdss!hyman@uunet.UU.NET (Risa Hyman x2021)
Subject: Virus information requested
Hello Netlanders,
I am posting this for a student at the University of Maryland and also
for our own development information. Would appreciate info on virus
screens, virus scanning packages and successful approaches that you
have found in dealing with these threats to our open network of
communication. His class does not have access during the summer
session to the Internet, and we have been so busy on our development
set up that we have neglected to become smart enough, fast enough.
We've read the books, but real life information is better. Any info
on public domain virus screens would be great.
Thanks in advance as always.
- --
Risa B Hyman Any opinions expressed are my own.
Arinc Research Inc uucp : uunet!cdss!hyman
SRG, Mail Stop 5230 voice: 301 266 2021
2551 Riva Road Annapolis , MD 21401 fax : 301 266 2047
------------------------------
Date: Thu, 02 Aug 90 21:26:12 +0000
From: plains!umn-cs!LOCAL!aslakson@uunet.UU.NET (Brian Aslakson)
Subject: Re: Site licenses
DKAZEM@NAS.BITNET (Don Kazem) writes:
>We have been thinking about standardizing on a virus
>scanner/disinfector for our organization. We have about 1500 users.
>Our vision is to have a scanner/disinfector package available
>to the PC support analysts and have them use it on suspicious
>machines or perform random audits.
>I have been thinking about purchasing a Service Industry
>License from McAfee Associates. The total package would cost
>about $6800.00 for (20 copies). This license would allow us
>to perform checks on various machines, however, the software
>must not remain with the clients.
The security guy here got a good laugh and said that you must be a
couple decimal places off. 68$. I could believe 680$ (maybe).
I don't know FPROT (fprot111.zip via mibsrv.mib.eng.ua.edu in
pub/ibm-antivirus via anonymous ftp) but the security guy recommends
it and they charge either one or two dollars per machine in large
numbers...
Brian Aslakson
- --
Macintosh related: mac-admin@cs.umn.edu
All else: aslakson@cs.umn.edu
------------------------------
Date: Thu, 02 Aug 90 21:59:37 +0000
From: plains!umn-cs!LOCAL!aslakson@uunet.UU.NET (Brian Aslakson)
Subject: Re: 4096 Running Rampant At Wharton! (PC)
GREVE@wharton.upenn.edu (Michael Greve) writes:
> We thought we had rid ourselves of the 4096 virus. Since I last wrote
> to this list the 4096 virus has re-infected the original 5 machines in
> our lab plus 4 more. We seem to be losing the battle of 4096. What
> I feel is wrong is that we probably have some students with infected
> com and exe files on their floppies (programs, games etc.). They are
> using their programs and re-infecting our machines (unknowingly). We
> are currently using Diskmanager as our hard disk protection software.
> Diskmanager isn't protecting the machine against 4096. Is there a
> program, either shareware or by purchase, that will work with Diskmanager
> and protect the machine from 4096? At this point we don't have the
DiskManager, by Ontrack Software (800)752-1333, is not anti-viral
software, has never claimed to be (I'll betcha) anti-viral, and if you
told them -- wait --, I'll tell them.
I didn't have to finish asking my question about anti-viral
when the man said "No." It isn't anti-viral, never claimed to be
anti-viral, it partitions hard disks. That's what it does. Okay? "No.
No. No."
Anyway, get either scan or fprot (or both), also get some memory
resident program like scanres or vshield. Fprot may have something
like this in it (with it). READ the documentation. Try anonymous ftp
at mibsrv.mib.eng.ua.edu goto pub/ibm-antivirus and mget til you're
blue in the face. There is some excellent stuff there. scanv64.zip
fprot111.zip vshld64.zip and so on....
Try to download to a clean machine, read everything, then go for it.
Scanres you'll have to get from McAfee's BBS directly, if you want it.
The number's in the documentation for scan. Fprot I'm checking out
tonite.
Good luck.
Brian Aslakson
- --
Macintosh related: mac-admin@cs.umn.edu
All else: aslakson@cs.umn.edu
------------------------------
Date: Thu, 02 Aug 90 20:59:21 +0000
From: frotz%drivax@uunet.uu.net (Frotz)
Subject: Re: Site licenses
DKAZEM@NAS.BITNET (Don Kazem) writes:
] We have been thinking about standardizing on a virus
] scanner/disinfector for our organization. We have about 1500 users.
We have about 200.
] Our vision is to have a scanner/disinfector package available
] to the PC support analysts and have them use it on suspicious
] machines or perform random audits.
We intend to put dedicated PC class machines (no or very *tiny* hard
disk ~10M) in stations around the company. We can do this because we
have so many of these low class machines practically lying around.
These machines would contain one of these licensed disinfectants and
would provide local access to the latest disinfectant and would allow
users to easily check software that has come in from questionable
sources (e.g. BBS' or via Tech Support...)
] I have been thinking about purchasing a Service Industry
] License from McAfee Associates.
It has been suggested that we do this as well. I am still evaluating
other resources (e.g. This newsgroup.) before I commit to doing this,
though I agree that it is very cost effective (psychologically to
upper management) to have direct associations with McAfee Associates.
] Has anyone else in the corporate arena implemented such a
] policy/structure?
We are in the very early stages of defining and implementing this.
Will post more as I get a better handle on things.
- --
John "Frotz" Fa'atuai frotz%drivax@uunet.uu.net (email@domain)
Digital Research, Inc. {uunet|amdahl}!drivax!frotz (bang!email)
c/o MIS Dept. (408) 647-6570 (vmail)
80 Garden Court, C13 (408) 649-3896 (phone)
Monterey, CA 93940 (408) 646-6248 (fax)
------------------------------
Date: 03 Aug 90 03:38:14 +0000
From: sigurd@vax1.udel.edu (Sigurd Andersen)
Subject: F-PROT experience, anyone?
Academic Computing Support at the University of Delaware is
considering licensing F-PROT, a set of programs by Fridrik Skulason
(frisk@rhi.hi.is).
I'd like to know if anyone has reviewed or tested these programs,
and what their experience has been.
I can summarize responses if people are interested.
------------------------------
Date: Thu, 02 Aug 90 10:07:50 +0000
From: Drew <SCR596@Cyber2.Central.Bradford.AC.UK>
Subject: 4096 in Bradford, UK (PC)
Just for the record, here's a few details of a recent attack of the 4096
virus at the University of Bradford in the UK.
In May 1990 I found a copy on one of our machines in our department.
I identified it as 4096 and removed it with the latest version of the
excellent Scan from McAfee. Talking to one of our students, she indicated
it had come from our computer centre.
It seemed the CC here had a version of Netscan installed on their Novell
networks which was not current enough to be able to detect it, hence they
seemed to be lulled into a false sense of security.
Anyway it was all removed eventually, but it was the most virulent viral
attack at the University. Previously we've had Brain and Vienna on
Computer Centre PCs, and nVIR B and WDEF B on their Macs.
Obviously if we have had it here it must be common within the UK, and
perhaps more widespread in Europe and the US than people may imagine.
Drew Radtke
- -----------
Janet: Drew@uk.ac.bradford.central.cyber2
Internet: Drew%cyber2.central.bradford.ac.uk@cunyvm.cuny.edu
Earn/Bitnet: Drew%cyber2.central.bradford.ac.uk@ukacrl
UUCP: Drew%cyber2.central.bradford.ac.uk@ukc.uucp
Post: Science & Society, University of Bradford, Bradford, UK, BD7 1DP.
Phone: +44 274 733466 x6135
Fax: +44 274 305340
Telex: 51309 UNIBFD G
PS Could Fridrik Skulason send me his notes on this virus, as I am
interested in his opinions and ideas?
------------------------------
End of VIRUS-L Digest [Volume 3 Issue 138]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253