VIRUS-L Digest Thursday, 15 Feb 1990 Volume 3 : Issue 43
Today's Topics:
Re: The ethics of virus eradication
Re: Many WDEF reports (Mac)
Strange Macintosh Beeps (Mac)
Algorithms
WDef hits Carleton
Undetectable Virus (Mac)
Re: The AIDS "Trojan" is a Copy Protection System
Re: Forwarded: Re: *UNCONFIRMED* PC virus
Dr. Popp
Universal Virus Detector
New virus in Canada??? (Mac)
UNIX discussions?
Re: Many WDEF reports (Mac)
Virus Buster (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
---------------------------------------------------------------------------
Date: 14 Feb 90 20:06:52 +0000
From: jalden@eleazar.dartmouth.edu (Joshua M. Alden)
Subject: Re: The ethics of virus eradication
FEDERMAN@IPFWCVAX.BITNET writes:
>This week (Feb 5th-9th, 1990) marked the first occurrence of PC
>computer viruses on our campus. First our Library received the census
>disk, which we were warned of, and secondly a faculty member was
>infected by Jerusalem B. I was able to clean-up this system with some
>effort in about an hour. This was the last thing I did on Thursday
>afternoon. On Friday, I posted mail to all campus mainframe account
>holders (most of our campus users since our PC network is just in the
>beginning phase) about the two incidents, and how to avoid virus
>infections. In this E-mail message, I was particularly careful not to
>mention the name or department of the faculty member involved.
>
>Well, that didn't work. The faculty member was extremely angry about
>the E-mail message. I did mention the type of program that was the
>supposed virus vector. He contended that anyone on campus would figure
>out his identity from the type of program (fractals), since he was
>teaching a continuing course on the subject. I won't go into the
>details of the venom that was directed my way.
>
>My questions are these - what should I have done? Kept the infection
>secret? Are computer viruses a Social Disease? Are we physicians who
>are supposed to swear some form of Computerized Hippocratic Oath of
>confidentiality? Or, do we paint a Scarlet-V on the heads(or
>terminals) of those unfortunate ( careless enough) to become infected?
>I would like to hear of similar experiences and policies enacted to
>deal with virus infections.
Alan -
It sounds to me as though you did exactly the right thing. Taking
reasonable care not to reveal who was affected by the virus was a
responsible action. So was informing as many people as possible of the
incident in order to prevent any more damage.
I don't know how you phrased the e-mail message, but my guess is
that you did not insult the faculty member, nor imply awful things about
his character. Why he was upset I really can't imagine; most of us have
been infected at one point or another, whether through carelessness,
lack of knowledge, or whatever. Having been hit with a computer virus
certainly shouldn't be cause for ostracism or any other sort of punitive
behavior.
Furthermore, unless that fractals program was a very specific one, I
doubt that it pointed to him any more specifically than any other
program that generates weird graphic output. In high school, a friend
of mine and I used to generate pretty color designs on his PC using a
Mandelbrot program.
I wouldn't worry about it too much, unless the professor continues
to give you trouble about it. Education is the key in the anti-viral
world, as it is in any situation involving an epidemic. Trying to
conceal outbreaks, especially when the worst result is embarrassment, is
foolish.
-Josh.
/--------------------------------------------------+-------------------------\
|Josh Alden, Consultant, Kiewit Computation Center | HB 48, Dartmouth College|
| Private mail: Joshua.Alden@dartmouth.edu | Hanover, NH 03755 |
| Virus mail: Virus.Info@dartmouth.edu | (802) 295-9073 |
------------------------------
Date: Wed, 14 Feb 90 12:16:31 -0600
From: John Norstad <jln@acns.nwu.edu>
Subject: Re: Many WDEF reports (Mac)
CHESS@YKTVMV.BITNET (David.M..Chess) writes:
> Curious as to why we're seeing all these WDEF reports, and not similar
> numbers of reports of other widespread viruses. Has it just become a
> tradition to report WDEF on VIRUS-L, or is WDEF better at spreading?
> If the latter, does anyone have a good feeling for what about WDEF
> makes it so (um) virulent? DC
WDEF now appears to be the most widespread of all the Mac viruses - more
widespread than even nVIR A and B. I don't know why. I do know that by
the time it was discovered in early December of 1989, it had already
spread very widely. We clearly didn't catch it until it had been around
for quite some time.
One reason for not being detected earlier is almost certainly that WDEF
contained special code to get past all but one of the popular virus
protection INITs. All of these INITs have since been improved to catch
WDEF, but when it first began to spread only AntiToxin would catch it - it
got past Vaccine, GateKeeper, SAM Intercept, and the Virex INIT. This is
a problem with the general-purpose suspicious activity monitor virus
protection INITs on the Mac - with enough effort a new virus can evade
their protection measures.
A properly used checksumming system is clearly the most reliable way to
catch new viruses. This topic has been beaten to death on virus-l. The
problem with such systems is convincing users to make use of them.
WDEF is also clearly one of the most buggy Mac viruses. It doesn't
attempt to do any damage on purpose, but it does contain bugs which can
and do cause almost anything to go wrong with the proper functioning of
Macintoshes. We've seen everything from problems with the proper display
of font styles to trashed disks.
I don't think it's necessary for everybody to report every sighting of
WDEF here on VIRUS-L. I gave up trying to keep track of all the sightings
a long time ago - it's everywhere.
It's also interesting that WDEF appears to be much more widespread outside
the university environment than any of the previous Mac viruses. The
so-called "serious business community" (as if universities somehow don't
count in capitalist America) is getting hit hard. Perhaps the silver
lining in this very dark cloud will be an increased awareness of the
problem among the public, and perhaps people will even finally start to
take measures to protect their machines.
The Mac anti-viral community did an excellent job of combatting WDEF.
Within two days of the discovery of the virus we had disassembled and
analyzed the virus and informed the public with accurate, complete
information. Within a week there were tools available for detecting and
eliminating the virus. Within two weeks there were tools available that
actually worked properly :-). We have established a very effective group
on the Internet of anti-viral tool authors (commercial, shareware, and
freeware) and other experts which goes into high gear whenever a new
virus, Trojan, or other kind of destructive Mac software appears.
John Norstad (author of Disinfectant)
Northwestern University
jln@acns.nwu.edu
------------------------------
Date: Wed, 14 Feb 90 16:07:15 -0500
From: dmg@lid.mitre.org (David Gursky)
Subject: Strange Macintosh Beeps (Mac)
If you do not have Macintalk in your System Folder, the nVIR virus
will cause the Mac to beep (or make whatever sound is selected as the
System Beep) on a periodic basis. The period is well defined, but I
do not know it. If Macintalk is installed, the Mac will speak "Don't
worry".
WDEF does not make any noises.
------------------------------
Date: Wed, 14 Feb 90 14:25:36 -0500
From: David_Conrad%Wayne-MTS@um.cc.umich.edu
Subject: Algorithms
Could someone provide a bibliography on the subject of data
verification algorithms (CRC, MD4, ...)? Reply to me or the list.
Assume access to good public and university libraries.
Thank you,
David R. Conrad
BITNET: David_Conrad%Wayne-MTS@um.cc.umich.edu
"You cannot propel yourself forward by patting yourself on the back."
------------------------------
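The two posts above turn on the same distinction: Norstad's remark that a properly used checksumming system is the reliable way to catch unknown viruses, and Conrad's request for material on verification algorithms (CRC, MD4, ...). A CRC detects accidental corruption but not deliberate tampering. Because CRC-32 is linear over GF(2), a virus that appends itself to a program can also append four chosen bytes that restore the file's original CRC-32, so a CRC-based checker sees nothing. A keyed cryptographic checksum cannot be patched that way without the key. The following is an added example by the editor, not code from either poster or from any of the tools named in the digest; the "program", the "viral code" and the key are constructed stand-ins, and HMAC-SHA-256 is used as the keyed checksum because it is what a practitioner would reach for today (MD4 was the unkeyed hash of the day).

```python
import hashlib
import hmac
import zlib

# CRC-32 as used by PKZIP and Ethernet: reflected, polynomial 0xEDB88320,
# register initialised to all ones and inverted at the end.
_POLY = 0xEDB88320
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)
# The top bytes of the 256 table entries are all distinct (the table is an
# injective linear map), which is what makes the fix-up below solvable.
_BY_TOP_BYTE = {entry >> 24: idx for idx, entry in enumerate(_TABLE)}


def _register(data: bytes) -> int:
    """Shift-register state after feeding every byte, before the final inversion."""
    r = 0xFFFFFFFF
    for b in data:
        r = _TABLE[(r ^ b) & 0xFF] ^ (r >> 8)
    return r


def crc32(data: bytes) -> int:
    """Standard CRC-32; agrees with zlib.crc32 (see matches_zlib)."""
    return _register(data) ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    return crc32(data) == zlib.crc32(data)


def crc32_fixup(data: bytes, target: int) -> bytes:
    """Four bytes which, appended to data, give crc32(data + fixup) == target.

    Backward pass: starting from the wanted final register, peel off one table
    step at a time; the top byte of the register identifies which table entry
    was XORed in at that step.  Forward pass: replay from the real register,
    turning each recovered table index into the input byte that selects it.
    """
    t = target ^ 0xFFFFFFFF
    indices = [0] * 4
    for k in range(3, -1, -1):
        i = _BY_TOP_BYTE[t >> 24]
        indices[k] = i
        t = ((t ^ _TABLE[i]) << 8) & 0xFFFFFFFF
    r = _register(data)
    out = bytearray()
    for i in indices:
        out.append((r ^ i) & 0xFF)
        r = _TABLE[i] ^ (r >> 8)
    return bytes(out)


# Constructed example key.  A real checksum tool keeps it where a virus on the
# checked machine cannot read it (e.g. on a write-protected boot floppy).
SECRET_KEY = b"constructed-example-key-not-stored-with-the-files"


def keyed_checksum(data: bytes) -> str:
    """HMAC-SHA-256 over the file contents; unforgeable without SECRET_KEY."""
    return hmac.new(SECRET_KEY, data, hashlib.sha256).hexdigest()


def infect_and_cover_tracks(clean: bytes, viral_code: bytes) -> bytes:
    """Append viral code, then the four bytes that restore the clean file's CRC-32."""
    infected = clean + viral_code
    return infected + crc32_fixup(infected, crc32(clean))


def demo() -> dict:
    clean = b"constructed stand-in for a clean .COM file\n"
    infected = infect_and_cover_tracks(clean, b"constructed stand-in for appended viral code\n")
    return {
        "crc_unchanged": crc32(infected) == crc32(clean),                    # True: CRC is fooled
        "hmac_unchanged": keyed_checksum(infected) == keyed_checksum(clean),  # False: HMAC catches it
    }


if __name__ == "__main__":
    print(demo())
```

The same fix-up works against any CRC, whatever its width or polynomial, because the trick relies only on linearity; an unkeyed cryptographic hash such as MD4 or MD5 stops the four-byte patch but, being unkeyed, still lets a virus recompute and overwrite the stored value if it can reach the checksum database, which is why the key (or the database) has to live somewhere the infected machine cannot write.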
Date: Wed, 14 Feb 90 15:37:00 -0600
From: "Paul Duckenfield (Consultant, User Services)" <DUCKENFP@carleton.edu>
Subject: WDef hits Carleton
For the past four or five months, the Carleton College Micro Lab
has been plagued by inexplicable crashes. In the past month, the crashes
have escalated in volume to as many as four or five a day. Here is our
configuration-
Macintosh IIcx file server
o 2 MB RAM
o twin 40MB HD's (one internal, one external, both Apple)
o AppleShare v2.0.1
22 Macintosh Pluses in a Lab (LocalTalk)
o 2.5MB RAM
o Running RAM disks
8 Macintosh Pluses in a remote lab (served by TOPS Repeater)
o same as above
10 Staff Macs scattered throughout offices
o various types (CX, Plus, SEHD)
All running System 6.0.3 (except CX's which run 6.0.4)
sometimes we run the Apple Print Spooler, but sometimes we have
trouble with that.
Symptoms:
o Print Spooler crashes 15 minutes before server (that is
why we don't always use it)
o Internal HD light on server turns on and stays on
o Everyone gets the "watch" when they attempt to access
the server and it never goes away
o restarting the IIcx and the workstations temporarily
solves the problem (until the next crash!)
What we did:
Reformatted the HD from scratch and reinstalled software.
The server still crashed. Then we ran Disinfectant v1.6. It told us that
the server was infected with WDef. We removed WDef. Problems began appearing
a few days later, same as before. Again we checked for WDef, but it wasn't
there. A few days later, it reappeared (it is possible that it accidentally
found its way in through a server administration disk).
Finally, we killed the DESKTOP file to prevent WDEF from
having a refuge of any sort. This appears to have worked for there haven't
been any crashes in awhile.
Conclusions-
o WDef is never "really" eradicated, even when Disinfectant kills
it. Like pneumonia, it goes away, but lasting damage remains.
o WDef infections to file servers can be prevented by canning the
DeskTop file which is unused.
o WDef is extremely virulent and elusive.
Paul Duckenfield
Micro Consultant
Carleton College
User Services
DUCKENFP@CARLETON.EDU
------------------------------
Date: 14 Feb 90 21:58:28 +0000
From: harvey@nems.dt.navy.mil (Betty Harvey)
Subject: Undetectable Virus (Mac)
I have seen two Macintoshes that have a virus that I can't seem
to recognize. I have run Disinfectant 1.6 because I thought it was the
WDEF virus that I have been reading about but disinfectant didn't find
anything abnormal. I have also run several other virus eradicators and
they didn't recognize anything out of the ordinary.
Symptoms:
The system file increases in size and the date changes
each time the system is rebooted. One system file was
2 meg long before all application programs ceased to work.
Applications unexpectedly stop.
The system hoses up occasionally when going to the printer.
Is anyone aware of any new viruses or what I might be dealing with?
We had a massive outbreak of Scores and nVir about 1 year ago, but
have had fairly healthy machines since then.
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Betty Harvey <harvey@nems.dt.nav.mil> |
David Taylor Research Center |
Office Automation/Microcomputer Support Branch |
Bethesda, Md. 20084-5000 |
|
(301)227-4901 |
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\\/\/
------------------------------
Date: 14 Feb 90 16:49:40 +0000
From: attcan!ram@uunet.UU.NET (Richard Meesters)
Subject: Re: The AIDS "Trojan" is a Copy Protection System
Interestingly enough, much of the previous discussion that I read on
this topic (and posted on, as well) has little to do with the fact
that a demo version of the software can have a self-destruct mechanism
(a time bomb).
However, what we are dealing with here is the fact that this program
does not destroy itself, but rather renders all your programs and data
un-usable. In fact, you have no evidence to back up the fact that
even if I did send in the money for the purchase of the program, that
I would get the fix back. The fact that the address was an unknown
post-office box in Panama seems to indicate that the whole thing was a
scam.
I agree that if the persons receiving this program had read the
notice, they probably wouldn't have installed the program, but don't
confuse that with justifying the actions taken by the program after
installation.
The issue here is, in my opinion, twofold. First, did the author of
this trojan commit a fraudulent act. And can someone who sends you an
un-solicited copy of a program make you pay for the use of the
package. This was NOT a demo version of the software, from all
indications.
Regards,
------------------------------------------------------------------------------
Richard A Meesters |
Technical Support Specialist | Insert std.logo here
AT&T Canada |
| "Waste is a terrible thing
ATTMAIL: ....attmail!rmeesters | to mind...clean up your act"
UUCP: ...att!attcan!ram |
------------------------------------------------------------------------------
------------------------------
Date: 15 Feb 90 00:31:53 +0000
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: Forwarded: Re: *UNCONFIRMED* PC virus
rogers@marlin.nosc.mil (Rollo D. Rogers) writes:
>hi, does anyone else have knowledge/experience with this alleged PC
>virus?
>
>[Ed. As with all such reports, I urge people to NOT BELIEVE this
>without some reliable third party confirmation. We've all seen that
>rumors can be just as time consuming as The Real Thing...]
>
>Forwarded mail follows:
>Date: Tue, 13 Feb 90 14:52:02 -0800
>From: Yong Kim <yjkim@milton.u.washington.edu>
>Subject: Re: virus
>
>...
>this one lives in the setup-memory (CMOS) that was backed up by the
>computer battery.
>...
Well, sorry, this one isn't plausible... infectious code will not be
using CMOS to spread from (standalone...) there just isn't enough memory in
there on standard AT architectures... on Micro Channel there is enough
space... however the data is simply read or written, not executed...
(n.b. I have run into programs which through programming mistakes
rendered CMOS data unusable... but not a virus living in
there... caused by poor coding, though, not a virus or trojan) this one
kind of reminds me of the hilarious (at least to myself and Chuck
Forsberg) MODEM virus SCARE of 1988 (NO IT wasn't and isn't REAL)...
cheers
kelly
p.s. on microchannel architectures there is adequate unused space in
cmos adapter ram... but another cooperating process would be needed
to read the cmos for the code and place it into main memory as
code cannot be executed in CMOS RAM Buffers...
------------------------------
Date: Wed, 14 Feb 90 19:26:00 -0500
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Dr. Popp
>Ed: ... did he break any U.S. laws? Will Dr. Popp be
>tried here or in Britain? Just a few thoughts...]
Dr. Popp was arrested in Willowick, OH on an extradition warrant. He
is not charged with any crime in the US. His defense against
extradition is technical, i.e., being treated for mental problem, not
substantive. [It is a mere coincidence that Dr. Popp and RTM hold
degrees from the same elite institution. Few inferences would be
justified.]
William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
------------------------------
Date: Wed, 14 Feb 90 18:49:00 -0500
From: "Science:Controlled Paranoia" <IAQR100@INDYVAX.BITNET>
Subject: Universal Virus Detector
I agree with Russell McFatter's [russ@alliant.Alliant.com] rules in that
they would work. However, I don't believe it would be successful with
some shareware products, or quick-fixes/patches. Not that any of us
INTENTIONALLY program that way, but at 3 in the morning when a quick
long jump will solve the problem over rewriting an entire 5000 line
module... And as (it would seem) more people contract viruses through
shareware than anything else, the problem is compounded.
I am curious as to why everyone seems to stick to a Universal
Virus Detector that 'detects on the fly.' Wouldn't it be more feasible
for a Universal Virus Detector to act as more of a high-security Operating
System, than a program?
Let me elaborate...
Boot up a PC from a clean DOS, then implement this Virus Detection
Operating System (VDOS). VDOS now clamps down on every interrupt, AND
watches for every redirect interrupt command. Then you give it a
program to check. VDOS pseudo-executes the program, checking for
every possible outcome and attempts to write to disk. Any attempt to
write to an area locked out by you constitutes a virus. (Or at least
something not kosher...) Theoretically, so long as the VDOS isn't
contaminated, and so long as you don't add a program that hasn't been
checked, you're clean. The positives for this are 1. Unhampered
program execution.
2. More control over Virus checking than 'check on the fly' detection.
(algorithms can be more complex...)
The negatives are
1. Time to detect. I'm figuring this may take awhile for long programs.
It may not even be feasible with large menu driven programs...
(DBase IV, and Lotus 1-2-3, for example) to check every possible outcome
or result...(But if you're willing to wait an hour to backup your
hard drive, maybe it's worth it?)
2. Wouldn't defend against viruses that just replicate themselves, unless
you looked for it specifically.
3. Of course it's not 100% fool-proof.
Overall though, you could have more complex algorithms than a virus-scanner,
plus more control than a memory resident detector (flu-shot).
But then this was all just a thought, anyway.
(Oh, once you've finished with the program, you then reboot to Normal DOS,
with the knowledge of whether or not you have an infected disk...)
Charles Cafrelli Bitnet: IAQR100@INDYVAX
Computer Consultant for the IUPUI English Department
Disclaimer:
"I don't know what they're saying, and they don't know what I'm saying."
------------------------------
Date: Wed, 14 Feb 90 21:37:07 -0700
From: Ben Goren <AUBXG@ASUACAD.BITNET>
Subject: New virus in Canada??? (Mac)
I have heard rumors from people here at Arizona State University that
there is a new Macintosh virus on the loose. I am currently trying to
trace these rumors, and will let the list know when I hear anything.
It is supposed to be intentionally and maliciously destructive, has not
yet made it out of Canada, and "Disinfectant probably won't catch it."
(the person who said that was not an overly experienced Mac user).
Let's keep our fingers crossed that this is just a rumor.
........................................................................
Ben Goren T T T /
Trumpet Performance Major )------+-+-+--====*0
Arizona State University ( --|-| |---)
Internet: AUBXG%ASUACAD@ASUVM.INRE.ASU.EDU --+-+-+--
........................................................................
------------------------------
Date: Thu, 15 Feb 90 04:24:18 +0000
From: SMSgt Michael L. Shamel <email!lgdelta!mshamel@tachost.af.mil>
Subject: UNIX discussions?
I have just started monitoring this group and am new to the unix
environment. Has there been any discussion on viruses trojans or
other nasty things that unix systems are vulnerable to? I am
particularly interested in how one guards against things sent through
the internet either by regular mail, or some of the UUCP processes.
uux seems like a particularly good candidate for mischief. If this
subject has come up before, please point me in the direction of the
proper archive.
Thanks
Mike Shamel....
------------------------------
Date: 15 Feb 90 01:48:18 +0000
From: MINICH ROBERT JOHN <minich@a.cs.okstate.edu>
Subject: Re: Many WDEF reports (Mac)
CHESS@YKTVMV.BITNET (David.M..Chess) writes:
> Curious as to why we're seeing all these WDEF reports, and not similar
> numbers of reports of other widespread viruses. Has it just become a
> tradition to report WDEF on VIRUS-L, or is WDEF better at spreading?
> If the latter, does anyone have a good feeling for what about WDEF
> makes it so (um) virulent? DC
I don't know about the "tradition" part, but WDEF is easily the most
virulent entity on the Mac, and probably any computer. The only way to
make it spread faster would be to have all the Macs connected together
with zero protection of the desktop files. All it takes is one
insertion of an infected disk, and the unprotected machine gets it.
Kind of like what some weird people used to (still do, perhaps?) think
about AIDS (the human kind.) "Touch someone and you get it."
Robert Minich
minich@a.cs.okstate.edu
Oklahoma State University
------------------------------
Date: Thu, 15 Feb 90 15:36:24 +0200
From: Yuval Tal <NYYUVAL@WEIZMANN.BITNET>
Subject: Virus Buster (PC)
About a month or so ago, I posted a message about beta testers for the
next version of Virus Buster. Well, a few days after posting this
message, a big software house here in Israel asked Uzi, the
second author, and me whether we would agree to sell Virus Buster to
them. After thinking about it, we decided to agree and sell Virus
Buster to them.
Here I would like to thank all the beta-testers who agreed to test
Virus Buster. Thank you guys! But now, of course, it would be improper
to ask them to test it.
Another version with bug corrections will probably be released soon,
but I can't promise.
Thank you very much,
Yuval Tal
+--------------------------------------------------------------------------+
| BitNet: NYYUVL@WEIZMANN Domain: NYYUVAL@WEIZMANN.WEIZMANN.AC.IL |
| InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU |
+----------------------+---------------------------------------------------+
| Yuval Tal | Voice: +972-8-474592 (In Israel: 08-474592) |
| P.O Box 1462 | BBS: +972-8-421842 * 20:00-7:00 * 2400 * N81 |
| Rehovot, Israel | FidoNet: 2:403/136 (CoSysop) |
+----------------------+---------------------------------------------------+
| "Always look on the bright side of life" *whistle* - Monty Python |
+--------------------------------------------------------------------------+
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253