home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl3
/
virusl3.32
< prev
next >
Wrap
Text File
|
1995-01-03
|
20KB
|
463 lines
VIRUS-L Digest Wednesday, 7 Feb 1990 Volume 3 : Issue 32
Today's Topics:
Checksums
Are virus sources public domain software ?
More about the 1260 virus (PC)
re: Universal virus detectors: Once more with feeling
Yankee Doodle Virus (PC)
Re: The 4096 virus (PC)
The V2000 virus (PC)
EDV Virus (New) (PC)
RE: AIDS... (Mac)
Killer Virus
Re: Universal Virus Scanner
VACSINA - the name (PC)
Identification strings
New Trojans (Mac)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
---------------------------------------------------------------------------
Date: Sun, 04 Feb 90 13:56:00 -0500
From: IA88000 <IA88@PACE.BITNET>
Subject: Checksums
This is an open question to anyone on the list who would care to
answer.
If you had your choice, which checksum routine would you consider most
secure, and why. If you do not want to reply on the list but would
rather reply by email, that's okay.
To make the question a little more specific, of the checksum routines
available today, which would you select.
------------------------------
Date: Mon, 05 Feb 90 10:31:39 +0000
From: ZDEE699@ELM.CC.KCL.AC.UK
Subject: Are virus sources public domain software ?
In VIRUS-L, V3-I29, Todd Hooper (<CHOOPER@acad.cut.oz>) writes:
> What possible technique could you use
> to make it illegal 'illegal to own or transmit virus code '? "
Well, how about some reliable organisation (the CERT, for example)
registering the source code under copyright laws ? Is virus code
considered as public domain software ? I wouldn't think so ! If the
source was copyright, then anyone having an unauthorized copy of it
would be in illegality. In fact, one might even say that the virus
itself is illegal on the grounds that it copies itself without
authorization. Anybody who feel they *NEED* to keep the source in
their possession should then also register or ask for authorization
from the organisation holding the copyright.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|Olivier M.J. Crepin-Leblond, Comp. Sys. & Elec. Eng | On this computer, |
|Electrical & Electronic Eng, King's College London, UK | a flame-proof |
|BITNET : <zdee699%elm.cc.kcl.ac.uk@ukacrl> | shield, is an |
|INTERNET: <zdee699%elm.cc.kcl.ac.uk@nsfnet-relay.ac.uk>| expensive gadget... |
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
------------------------------
Date: Mon, 05 Feb 90 12:19:47 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: More about the 1260 virus (PC)
David Chess has just informed me of an interesting fact I missed in my
earlier note dealing with the 1260 virus. If the encryption module is
removed, what is left is just a variant of the old and well-known
"Vienna" virus.
This variant is clearly derived from the version published in
"Computer Viruses: A high-tech disease". The book is then responsible
for three viruses, because Lisbon and GhostBalls were also based on
that disassembly.
I have now disassembled the virus and a detailed description of it
will appear in the March issue of the Virus Bulletin.
My F-PROT package has been modified, and now it can detect and
disinfect "1260" and other viruses that use encryption methods with
permutations of the decoding instructions.
This new version (1.08) will be uploaded to SIMTEL tomorrow. The bugs
found in 1.07 have also been fixed: One program (F-OSCHK) contained a
message in Icelandic, and another (F-DLOCK) interfered with CHKDSK and
some other programs.
Those of you who have asked me for a copy of F-PROT and not yet
received a reply - I will send you a copy of version 1.08 - sorry
about the delay.
Version 1.08 will also contain code to identify and remove the "new"
Bulgarian viruses.
- ------------------------------------------------------------------------------
frisk - Fridrik Skulason University of Iceland, Computing Services.
Technical Editor, Virus Bulletin.
------------------------------
Date: 05 Feb 90 00:00:00 +0000
From: "David.M..Chess" <CHESS@YKTVMV.BITNET>
Subject: re: Universal virus detectors: Once more with feeling
> David Chess continues, in essense, to complain about the user
> interface.
Not at all! I'm saying that, no matter *what* the user interface
looks like, a system that relies on a human to decide whether or not a
timestamp-change is legitimate is no more a "universal virus detector"
than a program that relies on the user to type in the answers is a
"universal problem solver".
Jerry's point that most machines are not used for program development
is well-taken. But the machines which -are- used for program
development are the ones where a virus could do the most damage (if I
buy a program that was infected with a virus "at the factory", the
fact that it can't spread any more on my machine isn't all that much
comfort). It's also important to remember that "program development"
has to include writing BAT and CMD files, tailoring HyperCard cards,
and anything else which can effect, in a general-purpose way, how the
machine acts; taking that into account, many machines are used for
program development, and the proportion that are is likely to grow
rapidly as "programming" becomes easier. It also becomes less clear
that an "is executable" bit is useable. Would a Basic program be
marked as executable? Would a shell script?
DC
------------------------------
Date: Mon, 05 Feb 90 10:09:36 -0800
From: Alan_J_Roberts@cup.portal.com
Subject: Yankee Doodle Virus (PC)
This is a forward from John McAfee:
=================================================================
O. Fadel points out that Clean-Up overwrites files infected
with the Yankee Doodle virus and then deletes them rather than
removing the virus and repairing the program. This is pointed out
clearly in the documentation. Clean-Up V57 currently repairs
infections from 17 of the most common viruses (Yankee Doodle is by no
means a common virus - at least based on our reporting statistics) and
will identify and overwrite the remainder. Each version of Clean-Up
will add more viruses to the list that we can repair - the remainder
we will still identify and overwrite. Our priorities for inclusion in
the "repair" list are based on the frequency of virus reports. We
hope to have all viruses included in the repair list by May 15.
Yankee Doodle is Scheduled for mid- April.
Mr. Fadel asks why the Clean-Up delete function for less
common viruses is any better than the DOS delete function and why
anyone would bother to include it. The answer is that the DOS delete
function, to the best of my memory, cannot search and identify an
infected file. Neither does it do an overwrite. (We overwrite with
C3H - the return function - so that a careless undelete will never
return the virus to your system).
If Yankee Doodle is indeed a larger problem than we thought,
then we can re-arrange its priority and move it from the delete list
to the repair list for the next version. I welcome suggestions.
John McAfee
408 988 3832 (Voice)
408 988 4004 (BBS)
408 970 9727 (FAX)
------------------------------
Date: 05 Feb 90 20:32:00 +0700
From: T762102@DM0LRZ01.BITNET
Subject: Re: The 4096 virus (PC)
In issue #27 John McAfee (Alan_J_Roberts@cup.portal.com) writes:
> The virus is memory resident and infects COMMAND.COM, EXE
>files and COM files. The virus initially places the machine in
>single-step mode and then issues an interrupt 21, sub-function 52 to
>determine the real address of the interrupt 21 code within DOS.
>Thereafter, it issues a long jump to that location to avoid any
>interrupt trapping antivirals that may be resident. Thus the
>infection process, after the virus becomes resident, is transparent.
> The strangest part of the virus is that it is also able to
>trap all other disk reads and writes, and whenever an infected file is
>accessed by any program, the virus performs a disinfection of the
>program on the fly. Thus checksumming techniques, file length checks,
>and other file modification detectors cannot perceive the infection on
>the disk. Even searching the disk for the specific virus code will
>fail, since the code is removed from the file during the read request.
I was sure that somewhen someone of the virus writers out there would
have the same idea! The latest versions of the Bulgarian TP viruses
perform exactly in the same way! (The 4096 virus however is not known
in Bulgaria.) I purposely didn't discuss in deep these techniques but
I see now that this was useless --- someone had already reinvented
them. Too sad...
By the way, I have some general questions about viruses:
(1). Which of the known viruses will run under OS/2? I mean
exactly OS/2, not its DOS 3.3 compatibility box.
(2). Does anybody know something about a VAX/VMS virus which,
when activated, slows down the data exchange with the
terminals (something about 3 bps)? There were some rumors
about such virus in Bulgaria, but I've never seen a
working copy.
------------------------------
Date: 02 Feb 90 10:49:00 +0700
From: T762102@DM0LRZ01.BITNET
Subject: The V2000 virus (PC)
The V2000 Virus
---------------
This virus is also "made in Bulgaria" and again I am
indirectly the cause of its creation. I am a well known
"virus-buster" in Bulgaria and my antivirus programs are very widely
used. Of course, virus designers didn't like it. So their next
creation... causes trouble to my antivirus programs.
This virus is exactly 2000 bytes long and I think that it was
created by the author of the Eddie (Dark Avenger) virus. The
programming style is the same and there are even pieces of code which
are the same.
The virus acts much like the Eddie one --- it installs
resident in memory by manipulating the memory control blocks; infects
COMMAND.COM at the first run; infects both .COM- and .EXE-files;
infects files when one executes them as well as when one copies them.
However, there are some extras added. First, the virus is
able to fetch the original INT 13h vector just like the V512 one (by
using the same undocumented function --- tricks spread fast between
virus programmers).
Second, it intercepts the find-first (FCB) and find-next (FCB)
functions --- just like V651 (and contains the same bugs), so you
won't see the increased file lengths in the listing displayed by the
DIR command.
Third, it contains the string "Copyright (C) 1989 by Vesselin
Bontchev", so people may think that I am the author of this virus. In
fact, the virus searches every program being executed for this string
(the case of the letters does not matter) and if found, hangs the
system. It is not necessary to tell you that all my antivirus
programs contain this string. Of course, now I will have to use some
kind of encryption, just to prevent such tricks.
Sincerely,
Vesselin
------------------------------
Date: Mon, 05 Feb 90 15:19:09 -0800
From: Alan_J_Roberts@cup.portal.com
Subject: EDV Virus (New) (PC)
This is a forward from John McAfee:
=================================================================
Dave Chess sent us another new virus that uses "creative"
techniques to avoid detection from scanning type programs. Dave calls
it the EDV virus. The virus infects boot sectors of floppy diskettes
and the partition table (master boot record) of hard disks -- similar
to the stoned virus. It saves the original boot sector and if any
program attempts to read the boot sector, the virus intercepts the
read and retrieves the original boot sector instead. Thus the system
will appear normal even if infected. This technique is not new. The
Pakistani Brain was the first virus to use this avoidance technique.
What is new about this virus is that it also avoids detection
from a memory scan. The virus accomplishes this feat by intercepting
the clock tic and at each tic the virus interrogates ES and DS to
determine if anyone is looking at the virus code. If someone is
looking, the virus hangs the system.
All these new detection avoidance techniques can of course be
circumvented. They do require development time, however, and are
becoming a nuisance. We have opted in SCAN not to block the timer
interrupt (the obvious bypass to circumvent this virus) due to
potential problems with time dependent background code. Instead,
we've chosen to outrun the virus using our own "creative" memory scan.
Seems to work so far and will be included in V58 of SCAN - - due out
Feb 15th -- if beta testing goes well.
John McAfee ...................
------------------------------
Date: Mon, 05 Feb 90 20:50:21 -0500
From: woodb!scsmo1!don@cs.UMD.EDU
Subject: RE: AIDS... (Mac)
I don't think that I have seen this question but...
Did the AIDS virus really contain ANY information on AIDS or any REAL
non-virus program?
- --
DON INGLI-United States Department of Agriculture - Soil Conservation Service
INTERNET: scsmo1!don@uunet.uu.net PHONEnet: 314!875!5344
UUCP(short): uunet!scsmo1!don UUCP(long): uunet!mimsy!woodb!scsmo1!don
These are my opinions. I represent myself.
Who do you think you are, Bjorn Nitmo? David Letterman '90 Catch Phrase
------------------------------
Date: 05 Feb 90 21:07:52 +0000
From: sdjr@amdcad.AMD.COM (James Reeves)
Subject: Killer Virus
I have just finished disassembling a virus that was found in our
company that is called KILLER DISK by Computer OGRE. If anyone has been
infected by this virus drop me a line. I have written a program that
will detect and remove the virus from any floppy or hard disk. In
addition I have extracted the algorithm neccessary to undo the damage
if the virus attacks the hard disk. The virus takes about 48 hours
of computer use before attacking. In the mean time it transfers itself
to ANY floppy that is read or written from the infected machine.
If anyone has any comments or questions please let me know.
Thanks
James Reeves
------------------------------
Date: 06 Feb 90 09:31:28 +0000
From: d88-cwe@nada.kth.se (Christian Wettergren)
Subject: Re: Universal Virus Scanner
I think that the discussion about an Universal Virus Scanner is very
intresting but is it even possible to conclude that a program doesn't
modify itself?
What I mean is that I don't think that you could create a program that
could say YES, this program modifies itself, or NO, this program
doesn't modify itself.
That depends of course of what microprocessor you use. On an ordinary
8086 you couldn't, I think. Imagine this;
The program has an instruction that contains a reference to it's own code-
adress. ( MOV CS:0199h, XXXX )
OK, then don't tolerate that.
But what if it calculates it from a formula? ( MOV CS:[BX], XXXX )
Then don't tolerate a reference that uses a CS-prefix.
But the same adress is reachable from perhaps some Data Segment.
( MOV DS:1238h, XXXX )
OK, then don't tolerate direct references to the code through a Data
Segment But what if it is calculated through a formula? ........
( MOV DS:[BX], XXXX )
Then don't tolerate writes at all.... 8-)
Of course some micros could prohibit this behavior by some sort of
MMU-scheme, but I think that at least 8086 and 68000 (not so sure
there, though) couldn't contain an algorithm that could determine if
the program was self-modifying or not. (Of course it could contain it,
but it would have to be simulating the micro itself, and hence has the
same problem there, etc)
Christian Wettergren d88-cwe@nada.kth.se
Royal Institute of Technology, Stockholm, Sweden
------------------------------
Date: Tue, 06 Feb 90 10:20:11 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: VACSINA - the name (PC)
Some time ago there was a bit of discussion here on Virus-L, regarding the
virus name VACSINA.
According to Vesselin Bontchev - the Bulgarian virus researcher, there
is a logical explanation for the name - which is the Bulgarian word
for "vaccine".
VACSINA is the logical name of a device-driver virus-protection program,
written by the same person as wrote the virus. Since the virus communicates
with this program, the string VACSINA appears in the virus.
The full decription of the "VACSINA" virus (as well as the other 30-50
Bulgarian virus variants) will probably be posted by Vassilian soon.
- ------------------------------------------------------------------------------
frisk - Fridrik Skulason - University of Iceland, Computing Services
Technical Editor, Virus Bulletin
------------------------------
Date: Tue, 06 Feb 90 10:47:37 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Identification strings
I have been comparing a few little-known virus-detection programs
recently. There is a problem with some of the less well known
programs, namely that they may appear as infected to some of the other
anti-virus programs.
The reason is that they sometimes store a virus identification string
in unmodified form, and in the case of the shorter viruses, two
programs may have picked the same identification string, which may
cause them to appear as infected to one another.
So - you anti-virus writers out there: Please store identification
strings encrypted, reversed or somehow modified.
Another subject - there is some confusion regarding the terms
"identification string" vs. "signature strings". How about:
Identification string: A sequence of bytes, used by anti-virus
programs to check if a program is infected.
Signature string: A sequence of bytes, used by the virus to check
if a program is infected.
Comments ?
Fridrik Skulason - University of Iceland, Computing Services.
frisk@rhi.hi.is Technical Editor, Virus Bulletin.
------------------------------
Date: 06 Feb 90 08:56:00 -0500
From: "WARTHMAN" <warthman@softvax.radc.af.mil>
Subject: New Trojans (Mac)
Peter Johnston posted information about two strains of a new trojan
which can damage the Macintosh file system. One strain exists in a
program called "Mosaic" and the other in a program called
"FontFinder". I'd like to know if anyone else has had experience with
these two trojans, and which of the existing commercial and public
domain anti-virus tools can detect/prevent them from doing their
damage. Since the "FontFinder" trojan has a trigger date of 10 Feb,
it's important that we quickly publicize this trojan's effects and
countermeasures. Thanks in advance.
--- Jim Warthman
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253