2,000 Greater & Lesser Mysteries

home *** CD-ROM | disk | FTP | other *** search

/ 2,000 Greater & Lesser Mysteries / 2,000 Greater and Lesser Mysteries.iso / computer / virus / mys00491.txt < prev next >

Wrap

Text File | 1994-06-10 | 115.2 KB | 2,371 lines

========================================================================= Date: Fri, 22 Apr 88 07:48:39 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Welcome! Welcome to this new LISTSERV group, VIRUS-L. This list is intended to be a vehicle for discussing computer viruses. I'd like to not limit it to just microcomputers, even though the current "crop" of viruses seems to be aimed at micros. Valid discussion topics *include*: 1) Current status of known viruses (e.g., the virus at Lehigh has never been reported anywhere else, but the "Brain" virus has spread rampant to a number of Universities and businesses). 2) Means of detection (e.g., the Lehigh virus (for lack of a better name) changed the write date on the COMMAND.COM file; the "Brain" virus generally changes your volume label to read (C) Brain). I see that at least two of the four student consultants who isolated the Lehigh virus are present on this list, so hopefully they'll toss in some useful tidbits. 3) Means of stopping (e.g., the Lehigh virus could be stopped by merely setting your COMMAND.COM file read only!). 4) How particular (and non-particular) viruses propogate (e.g., did you know that the "Brain" virus cannot infect a 3 1/2" disk or a hard disk?). 5) Any other relevant topic. Did you know that the authors of the "Brain" virus left their names, addresses, and phone numbers in ASCII within the virus itself?!?!?! They say that it was meant purely as a joke among friends - it was not intended to do any harm. The joke got carried away... :-( Hopefully, by making this information public here where we're free from media hype, we'll at least be able to stop the spread of existing viruses and maybe learn something in the process. Viruses are not a joke (although joking a bit about them is fine by me :-) and we should make every effort to at least stop the ones that are known - that's what this list is for. As a suggestion, I say we make the "Brain" virus our first topic. I've just heard that it's gone as far as Miami (it was first seen at the Univ. of Delaware back in October 1987). So far, most people that I've spoken with are "curing" it by re-formatting disks. Does anyone have a program to counter the effects of this virus? If so, let's make it public *NOW*! This virus has spread way too far. Let's hear about some experiences that people have had with it. Comments and suggestions are always welcome. One side note: I won't tolerate any abuse of this list; it will be dealt with swiftly by removing any offender(s) from the list permanently. Thanks for signing up and, hey, let's be careful out there! (I know it's trite, but such is life... :-) Ken ------------------------------------------------------------------------ = Kenneth R. van Wyk = If found wandering aimlessly, = = User Services Senior Consultant = please feed and return... = = Lehigh University Computing Center =-------------------------------= = Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> = This just in: = = BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! = ------------------------------------------------------------------------ ========================================================================= Date: Mon, 25 Apr 88 10:47:44 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Virus seminar at local University I don't have real good details on this (I saw a flyer on it, but don't remember all the details), but there's going to be a free virus seminar (that is, open to the public...) at LaSalle University in Philadelphia, PA on either April 27 or 28. Perhaps someone out there on the net has better descriptions and could let us all know? I'm not sure of the agenda either, but it could be worth attending for anyone that's interested. On another matter, we're up to 92 subscribers on the list, and growing rapidly! Hopefully, this will turn into a worthwhile discussion group once people start using it. Let's see some participation... How about a discussion on the "Brain" virus to start things off? I have reports of it getting as far as Miami now. How about someone out there sending to the list some details on how it works so that we can try to contain it a bit better? Ken ------------------------------------------------------------------------ = Kenneth R. van Wyk = If found wandering aimlessly, = = User Services Senior Consultant = please feed and return... = = Lehigh University Computing Center =-------------------------------= = Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> = This just in: = = BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! = ------------------------------------------------------------------------ ========================================================================= Date: Mon, 25 Apr 88 11:25:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: GILL@QUCDNAST Subject: Anti-viral agents spread I joined this discussion as I got a message through the HZ-110 internet discussion, and started thinking hard about viruses as I was playing around with FLUSHOT on the weekend. Queen's University is dedicated to IBM-PCs (well actually Zeniths and PS/2s) as the micro of choice for undergrad engineers. With the sale of a machine, the students are given a comprehensive software package that they will be using during the year in their classes. However, there are no anti-virus programs included in this package! At a time when virus programs are beginning to proliferate, this seems to me to be a major oversight. Hence, I am giving Computing Services copies of all of the anti- virus programs that I have obtained over the last few months, and promoting the inclusion of these programs in the engineer's software package (if not in the operating system package so everyone has it). Since these are all public domain, if not completely free, similar steps should be taken at all universities cross North America that support some type of microcomputer for student usage. Since this is a virus forum, I would suggest that everyone attempt to introduce a similar program at their affiliated institution. For access to these anti-viral programms, I suggest you check out the SIMTEL20 public domain libraries (MSDOS only as far as I know). These can be reached through the LISTSERVer at RPICICGE (on a BITNET node). I am not sure what the ARPANET location is, but I believe that it may actually be SIMTEL20 itself. (The LISTSERV@RPICICGE just has a copy of the library for BITNET users.) For those in the know about ARPANET, perhaps they could supply the missing information. In case anyone is wondering, the programs that I will be pushing are BOMBSQAD, FLUSHOT+, and CHK4BOMB. I am in no way affiliated with the authors of any of these programs, but they are all I got! Arnold Gill Queen's University at Kingston ========================================================================= Date: Mon, 25 Apr 88 12:32:30 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: -=*REB*=- <RB00@LEHIGH> Subject: Anti-virus programs > In case anyone is wondering, the programs that I will be pushing >re BOMBSQAD, FLUSHOT+, and CHK4BOMB. I am in no way affiliated with >he authors of any of these programs, but they are all I got! As far as I know, BombSqad and Chk4Bomb are *NOT* public domain or ShareWare programs! There was an unathorized release of them a while back. I believe the programmer released them without the consent of his employer. Also, these two programs are not designed to squash the spread of viruses. They are aimed at programs (viruses or not) which intentionally try to wipe out data. BombSqad traps disk writes. Chk4Bomb checks a program to see if it contains code to do absolute disk writes. Richard Baum _______________________________________________________________ / From: -=*REB*=- ", /FoneNet: (0010 0001 0101) 1000 0110 0111-1000 0100 0011 0011 BCD ", /InterNet: kREBaum@Vax1.CC.Lehigh.EDU BitNet: RB00@Lehigh.Bitnet ", / SlowNet: 508 E 4th St. (positively) Suite #1, Bethlehem, PA 18015 ", !----------------------------------------------------------------------! ! The Brent Z*ne! ! "----------------------------------------------------------------------" ========================================================================= Date: Mon, 25 Apr 88 13:11:53 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Re: Anti-viral agents spread In-Reply-To: Message of Mon, 25 Apr 88 11:25:00 EST from <GILL@QUCDNAST> > Hence, I am giving Computing Services copies of all of the anti- >virus programs that I have obtained over the last few months, and >promoting the inclusion of these programs in the engineer's software >package (if not in the operating system package so everyone has it). >Since these are all public domain, if not completely free, similar steps >should be taken at all universities cross North America that support >some type of microcomputer for student usage. Not completely true. Only a few of the anti-virus packages, to date, are in the public domain; most of them are relatively simple. Some of the more thorough packages, like Data Physician, cost money (!) and may or may not meet your needs. Dr. Fred Cohen feels that no anti-virus software could work 100% of the time; they merely reduce the risk of virus infection. > Since this is a virus forum, I would suggest that everyone attempt >to introduce a similar program at their affiliated institution. For >access to these anti-viral programms, I suggest you check out the >SIMTEL20 public domain libraries (MSDOS only as far as I know). These >can be reached through the LISTSERVer at RPICICGE (on a BITNET node). I >am not sure what the ARPANET location is, but I believe that it may >actually be SIMTEL20 itself. (The LISTSERV@RPICICGE just has a copy of >the library for BITNET users.) For those in the know about ARPANET, >perhaps they could supply the missing information. The LISTSERV up there is great for BITNET only sites to get files from SIMTEL20, but it's very slow, and not very reliable. Still, it's worth looking into. > In case anyone is wondering, the programs that I will be pushing >are BOMBSQAD, FLUSHOT+, and CHK4BOMB. I am in no way affiliated with >the authors of any of these programs, but they are all I got! BOMBSQAD and CHK4BOMB are actually unauthorized public domain releases of non-public domain programs written by Panda Systems, Inc. Both are quite easy to fool. Look out for FLUSHOT 4 - it is a TROJAN! The last official release of FLUSHOT is 3! The ideas here are great - certainly more care must be taken at different sites in protecting against viruses. But, I'm not sure whether public domain programs - particularly when distributed without source code - is the answer. You get what you pay for! Ken ------------------------------------------------------------------------ = Kenneth R. van Wyk = If found wandering aimlessly, = = User Services Senior Consultant = please feed and return... = = Lehigh University Computing Center =-------------------------------= = Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> = This just in: = = BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! = ------------------------------------------------------------------------ ========================================================================= Date: Mon, 25 Apr 88 14:05:23 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: msmith@topaz.rutgers.edu Subject: Re: Anti-viral agents spread In-Reply-To: <8804251734.AA14073@topaz.rutgers.edu> (LUKEN@lehiibm1.bitnet) Actually, the newest release of FLUSHOT is FLUSHOT+. FLUSHOT4 is a TROJAN! He renamed it especially to avoid the trojan. Mark Smith ---- Mark Smith (alias Smitty) "Be careful when looking into the distance, RPO 1604, CN 5063 that you do not miss what is right under your nose." New Brunswick, NJ 08903 {backbone}!rutgers!topaz.rutgers.edu!msmith msmith@topaz.rutgers.edu <This space for rent, I can't think of anything> ========================================================================= Date: Mon, 25 Apr 88 15:27:50 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Mark Powers <MP14STAF@MIAMIU> Subject: Virus at Miami University As someone noted earlier, Miami University has been infected by the BRAIN virus. We have also noticed a Macintosh virus on campus. We have experienced some data loss. We are still looking in to the situation and will report back to the list when we have more concrete information. Mark Powers Miami University Academic Computer Service ========================================================================= Date: Mon, 25 Apr 88 15:51:46 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Re: Virus at Miami University In-Reply-To: Message of Mon, 25 Apr 88 15:27:50 EST from <MP14STAF@MIAMIU> >We have also noticed a Macintosh virus on campus. What are the symptoms of the Mac virus; perhaps there's a Mac expert (certainly not me!) out there who might be able to help out? The Brain virus hides in the boot tracks of your disk. Perhaps someone on the list has a program that'll remove the Brain virus without having to re-format the infected floppy? If not, the only thing that other places have done so far is to re-format any infected disk(s). FYI, the authors' names, addresses, and phone numbers are stored in ASCII within the virus code itself - you can use Norton (or another disk utility program) to look at it... Also, the Brain virus can only infect a 5 1/4" floppy; it currently won't affect a 3 1/2" or a hard drive. Has anyone disassembled the Brain virus? If so, what system interrupts does it use to propogate? Chances are fairly good that even one of the simpler anti-virus packages would be able to stop it - if anyone has tested FLUSHOT+, or another program, against it, let's hear about it! > Mark Powers Ken ------------------------------------------------------------------------ = Kenneth R. van Wyk = If found wandering aimlessly, = = User Services Senior Consultant = please feed and return... = = Lehigh University Computing Center =-------------------------------= = Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> = This just in: = = BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! = ------------------------------------------------------------------------ ========================================================================= Date: Mon, 25 Apr 88 17:49:20 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Well Folks, There have been quite a few comments made to start off the list, let me try to reply to a few of them, answer a few questions and correct a few statements made so far. Definitions Department: Virus: Some program which attaches itself to other programs generally to do some sort of damage later on. Its a program which replicates itself. Trojan Horse: A program which pretends to have some useful function, and usually just destroys your hard drive or files somehow. Time Bomb: A program which runs several times before "blowing up" and taking something with it. Although these are simple definitions, for people who didn't understand, I think they are necessary. Commercially available anti-viral programs: There are MANY! The problem is that most of the public domain programs are very limited in ability and aren't going to protect your files against all of the present damaging viruses. Flushot is not bad, but it does not take care of most viruses. It does a nice job wiping the Lehigh Virus and several others, but I don't believe it is general enough to take care of most viruses. Testing it, I've found a few problems. There are two public domain programs being circulated called Vaccine. One of them isn't bad. The name is in trouble though. A company called "FoundationWare" out of Ohio has the name Trademarked. There are a few good packages for sale. The aforementioned Vaccine package by FoundationWare is quite good. I would never use it however. It is indicative of most anti-viral packages. What they do is lock up the system so that no executable or command file can change. Whether they do it by CRC check or some other check, they keep the user from editing programs. You cannot write programs in such an environment. Although this is great for businesses. We of Lehigh Valley Innovative Technologies have been working for several months on the 'perfect' anti-virus design. We should be releasing it in the next 2 - 3 weeks. We would like feedback on it when it is released. We will have versions for MS-DOS and Macintosh's as well. Comments: I'd like to explain the quote of Fred Cohen made by Ken. Fred, incidently, is the premier name in viruses. He has fashioned his career on working on them. I knew him when he used to teach at Lehigh University. A brilliant man, although I never got along with him. What he was saying was that you may be able to create a package which wipes out all present viruses, but someone will always be able to find a way around it if they spend enough time working on it. That brings my next point up. Its our job to create a virus busting program which will stop every currently known virus, AND be as hard as possible to crack or to find a way around. Which brings up my third point: I read your comment, Ken, about ten times, and I still don't understand it. I don't believe public domain programs are the answer at all. I believe we should use commercially available fixes. But, likewise, you mention that public domain virus-fixes should be given with source code. If we want to make the perfect fix... one that will take the virus writer infinitely long to break, then we do NOT want source code EVER given out, or even the details of how the system works! Viruses: Let me go over some existing viruses, so people know what to watch out for: Lehigh Virus: The Lehigh Virus injects itself into MS-DOS Command.Com. I, along with Chris Bracy, Joe Sieczkowski, and Mitchel Ludwig solved this particular virus for Lehigh University. The virus will copy itself 4 times into other command.com files, and after the fourth, will explode, taking with it any files on any disks in the drives and your hard disk too. What to watch for? Watch the write date on command.com, it changes when the Lehigh Virus goes. To protect against it, attrib +r your command files, and you won't have a problem. Israeli Virus: Not much is known. It apparently attaches itself to all executable files, appending itself to the end of the file. Watch for growing files. Brain Virus: The brain virus has hit everywhere. We have seen examples of it out at UCSF and UCB, as well as the east coast. All the brain virus does is change the label of the disk to (C) Brain, and mark floppy sectors as bad (unused sectors). It is not incredibly destructive but very annoying. PKArc: There is a bad version of PKArc floating around that wipes your hard disk. MacKiller: Is a nasty little virus that was apparently written by an MS-DOS lover. The problem isn't yet widespread, but its a Mac virus we have now encountered. And many others. BE CAREFUL! Loren K Keim .----------------------------------------------------------------------------. | Loren K Keim | |----------------------------------------------------------------------------| | Keim Enterprises - Consulting / Programming | | Lehigh Valley Innovative Technologies - Software and Hardware | | Century 21 Loren Keim - Commercial / Industrial / Residential | | Lehigh University - Consulting / Programming | |----------------------------------------------------------------------------| | Virus Busting Team: Loren Keim, Chris Bracy, Joe Sieczkowski, Mitch Ludwig | |____________________________________________________________________________| ========================================================================= Date: Mon, 25 Apr 88 18:17:46 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: David.Slonosky@QueensU.CA Subject: Bad PKARC In-Reply-To: <QUCDN.X400GATE:LKUK1py7*> How can you tell if you have a bad PKARC? I just got one from and, although I'm sure it's reputable, was just wondering if there was any obvious way to tell the difference. ========================================================================= Date: Mon, 25 Apr 88 18:19:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Mitchel Ludwig <KMFLUDW@VAX1.CC.LEHIGH.EDU> Loren Keim writes : > I'd like to explain the quote of Fred Cohen made by Ken. Fred, > incidently, is the premier name in viruses. He has fashioned > his career on working on them. I knew him when he used to teach > at Lehigh University. A brilliant man, although I never got > along with him. What he was saying was that you may be able > to create a package which wipes out all present viruses, but someone > will always be able to find a way around it if they spend enough > time working on it. I was unaware of this. From what I have heard concerning this, I thought Fred's main point was that there was *NO* way to wipe out all present viruses. To do so, he said, would require one hell of a computer and one hell of alot of time. From knowing him, and the way he taught his courses, and the things he told me, his biggest push was in the very area you seem to put down, that of preventative maintenence. It was always (In class) a stressed point that the best offense against these things was a good defense. I took a course with him one semester where he would daily express his distastes for us to hear. His biggest was that the Lehigh software loan out system was the way it was, so vulnerable. Had we defended against a virus beforehand, perhaps the problem would never have occurred. > That brings my next point up. Its our job to create a virus > busting program which will stop every currently known virus, AND > be as hard as possible to crack or to find a way around. Go for it. You'll never do it though. Don't mean to sound the pessimest, but you'll never do it. An hour after you release your program there will be 100 ways around it. It's the nature of things. Look at copy protection. Have the increased efforts of the software manufacturing companies done any good? No, all they have done is bring rise to a better class of pirates. The challenge is just too great to be ignored. > Which brings up my third point: I read your comment, Ken, about > ten times, and I still don't understand it. I don't believe > public domain programs are the answer at all. I believe we should > use commercially available fixes. But, likewise, you mention > that public domain virus-fixes should be given with source code. > If we want to make the perfect fix... one that will take the > virus writer infinitely long to break, then we do NOT want source > code EVER given out, or even the details of how the system works! Granted (Sorry Ken, but he *HAS* got a point :-) Tag... You're it ____________ ____/--\____ //-n-\\ \______ ___) ( _ ____) _____---=======---_____ __\ \____/ / `--' ====____\ /.. ..\ /____==== ) `|=(- - - - - - - - - - -*// ---\__O__/--- \\ \------------' \_\ /_/ BITnet : MFL1@lehigh.bitnet Phonet : 215-758-1381 INTnet : KMFLUDW@vax1.cc.lehigh.edu Slonet : Box 72 Lehigh Univ. Bethlehem, PA 18015 ========================================================================= Date: Mon, 25 Apr 88 18:25:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Mitchel Ludwig <KMFLUDW@VAX1.CC.LEHIGH.EDU> Subject: RE: Bad PKARC >How can you tell if you have a bad PKARC? I just got one from >and, although I'm sure it's reputable, was just wondering if there >was any obvious way to tell the difference. You could run it... But seriously, try it on a machine without a hard drive, that won't cause problems for your whole world if it *is* a bad boy. No other way except is you had a good copy and did a compare. From what I know, the bad copy is exactly the same size and stuff so that wont be of any help... Mitch Tag... You're it ____________ ____/--\____ //-n-\\ \______ ___) ( _ ____) _____---=======---_____ __\ \____/ / `--' ====____\ /.. ..\ /____==== ) `|=(- - - - - - - - - - -*// ---\__O__/--- \\ \------------' \_\ /_/ BITnet : MFL1@lehigh.bitnet Phonet : 215-758-1381 INTnet : KMFLUDW@vax1.cc.lehigh.edu Slonet : Box 72 Lehigh Univ. Bethlehem, PA 18015 ========================================================================= Date: Mon, 25 Apr 88 18:37:17 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: msmith@topaz.rutgers.edu Subject: RE: Bad PKARC In-Reply-To: <8804252233.AA01772@topaz.rutgers.edu> (KMFLUDW@vax1.cc.lehigh.edu) From what I know, the bad version of PKARC is called PKX35B35.EXE, while the real PKARC is PKX35A35.EXE. X stands for Xtract, and A for Archive, so the person who made this thought A was a revision mark, and named his B. Mark ---- Mark Smith (alias Smitty) "Be careful when looking into the distance, RPO 1604, CN 5063 that you do not miss what is right under your nose." New Brunswick, NJ 08903 {backbone}!rutgers!topaz.rutgers.edu!msmith msmith@topaz.rutgers.edu <This space for rent, I can't think of anything> ========================================================================= Date: Mon, 25 Apr 88 19:15:07 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> I think you misunderstood some of my point Mitch, I agree that it is very hard, if not impossible, to eliminate all existing viruses. I do think that its possible to stop all viruses I have encountered to date with one package. It is not possible, as Fred Cohen has pointed out, to stop viruses as a genre. The reason is that a virus can always be written to get around any program. If was make a good enough program, however, it will stop most (I hope) of those people out there from writing them, simply because we'll make it too difficult for some people to figure out ways around those viruses. The reason we cannot stop viruses is, according to Fred, because any string indeterminably carries a virus. What this means is that any data string could carry a virus, we do not know whether or not it does because a computer interprets everything to be data. The only way to stop viruses is to deal with the ways they effect the system, and stop them from happening. That is why most anti-viral programs lock up your system and don't allow you to develop. We have a few alternatives that we've been working on for a while, and hopefully, they will slow down the spread of viruses. Any comments I make here concerning Fred are either from my memory or from his text on Computer Security. If I misquote him in any way, I apologize, but I don't believe I have. Loren Keim ========================================================================= Date: Mon, 25 Apr 88 23:50:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Roger Gonzalez <USERABFY@CLVM> In-Reply-To: Your message of Mon 25 Apr 88 19:15:07 EDT Hello. I am a virus writer. I have never unleashed any of my nasties into the public, and don't intend to either. I'm willing to share some of my knowledge of my MS-DOS (Zenith, specifically) viruses, although I'm sure that my methods are pretty common. First: The motivation of this particular programmer My viruses don't destroy, they annoy. I wrote the programs as a challenge to myself, and to get back at a friend who played a practical joke on me. My 3 viruses: 1st: Spam Quite a simple program. It hooks into the disk read interrupt. When the code runs, it checks the length of command.com and copies itself onto the end. After generating 5 times, it prints "spam" at a random location on the screen. Programs like this are nastry, because when you do even a simple directory, the virus spreads. WHAT TO WATCH FOR IN THIS TYPE OF VIRUS: Abnormally long disk reads. If your instincts (you have to develop them) say that the light is on too long, watch out! 2nd: Cookie Monster The idea was stolen from probably the very first virus. Same as Spam, with the following exceptions: It hooks into the FAT, it generates 10 times, and prints out "Gimme cookie" at random intervals. If you don't type OREO or CHOCOLATE CHIP it changes the name of command.com to "munched" and prints "never mind. found cookie". My first version deleted it, but this seemed cruel. 3rd: Pac Man This little gem gets appended to MSDOS.SYS. It watches the vertical sync interrupt, and makes a pac-man come out and eat a character off the screen. The character reappears if you scroll the screen, but its highly irritating. Some points: Many viruses attach themselves to system files (IO.SYS, MSDOS.SYS, COMMAND.COM) Record the lengths of these files each time you upgrade. Its difficult to detect viruses attached to a normal program, but these are less dangerous because they don't appear until you run that specific program. Disk read interrupts are probably the most common way to "activate" the code. These are also rarely changed by programs. The disk read is ideal for viruses because they can sneak a check to see if there already is a virus on the disk. Vertical sync, the timer, and the keyboard interrupts are all good activation candidates so it seems to me that a vaccine program could be made for each version of DOS to check that the interrupts are pointing where they ought to. Of course, if you use TSR's, this would foul it all up, so you would have to run it on a "unchanged" system. Also, watch for bad sectors. If you think that they look suspicious, get a clean disk. I recommend using a clean disk rather than trying to simply innoculate the old. I feel fairly confident that I could hide a virus in such a way that it either could not be found by a program, or would fool the program into thinking that it was important. Oh, one last thing. This is pretty simple, but watch for invisible files. They are easy to detect using many methods. I hope this stuff helps a little. Yeesh, I must be growing up or something :-) -rg- PS anyone want to hire me? ========================================================================= Date: Tue, 26 Apr 88 01:02:36 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: -=*REB*=- <RB00@LEHIGH> Subject: Nettiquite > -rg- > > PS anyone want to hire me? FLAME ON! Do you *really* think that this is appropriate here? I thought this was a list for virus DISCUSSION. Not an employment agency. Let's face it, it's not terribly difficult to write a virus. Unfortunately, your pastime is not unique. But let's not discuss THIS forever. I think we can safely let the employment subject die off... FLAME OFF! Richard Baum [Boy, this list's first real flame :-) :-) :-) ] _______________________________________________________________ / From: -=*REB*=- ", /FoneNet: (0010 0001 0101) 1000 0110 0111-1000 0100 0011 0011 BCD ", /InterNet: kREBaum@Vax1.CC.Lehigh.EDU BitNet: RB00@Lehigh.Bitnet ", / SlowNet: 508 E 4th St. (positively) Suite #1, Bethlehem, PA 18015 ", !----------------------------------------------------------------------! ! The Brent Z*ne! ! "----------------------------------------------------------------------" ========================================================================= Date: Tue, 26 Apr 88 01:13:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Roger Gonzalez <USERABFY@CLVM> Subject: Re: Nettiquite In-Reply-To: Your message of Tue 26 Apr 88 01:02:36 EDT Perhaps I should have said *Wistful tone of voice* Anyone want to hire me? It was a joke... I really don't think that one bloody line was worth a flame. Please humbly excuse me for imposing on your excellencies. I know that some people find viruses simple, but obviously some people don't, or this list wouldn't have been created. If you find them so simple, why don't you just get rid of them all yourself? I've never had any problems. Once again, try to find it deep within your superior skull to forgive me for my incredibly offensive postscript. ========================================================================= Date: Tue, 26 Apr 88 01:37:33 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: msmith@topaz.rutgers.edu Subject: Gimme Cookie In-Reply-To: <8804260529.AA29569@topaz.rutgers.edu> (USERABFY@clvm.bitnet) This is the famous "Gimme Cookie" story as I heard it about 6 years ago. At the Los Alamos Labs, there was a computer. Someone decided to play a pratical joke, or a hacker placed it there. One day, Appearing on all users consoles: GIMME COOKIE typing anything but "Cookie" did nothing but get the prompt back. When you typed "COOKIE", everything ran fine again. Then, it went dormant for a while. Later: GIMME COOKIE GIMME COOKIE To which you had to answer "COOKIE COOKIE" or it would stay there. Then, a shorter time later: GIMME COOKIE GIMME COOKIE GIMME COOKIE This continued until the number of Cookies was large and the time between prompts very short. As I heard, they had to kill the ROM to get rid of this thing, it was so strong. Mark ---- Mark Smith (alias Smitty) "Be careful when looking into the distance, RPO 1604, CN 5063 that you do not miss what is right under your nose." New Brunswick, NJ 08903 {backbone}!rutgers!topaz.rutgers.edu!msmith msmith@topaz.rutgers.edu <This space for rent, I can't think of anything> ========================================================================= Date: Tue, 26 Apr 88 01:40:57 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: -=*REB*=- <RB00@LEHIGH> Subject: Nettiquette Okay, *whistful tone of voice* :-) Sorry to flame, but other lists have in the past degenerated into employment agencies... I wanted to avoid this. (Anyone remember when the VAX list turned into a "do we digest or not" discussion for a month or so? - don't answer that!) REB _______________________________________________________________ / From: -=*REB*=- ", /FoneNet: (0010 0001 0101) 1000 0110 0111-1000 0100 0011 0011 BCD ", /InterNet: kREBaum@Vax1.CC.Lehigh.EDU BitNet: RB00@Lehigh.Bitnet ", / SlowNet: 508 E 4th St. (positively) Suite #1, Bethlehem, PA 18015 ", !----------------------------------------------------------------------! ! The Brent Z*ne! ! "----------------------------------------------------------------------" ========================================================================= Date: Tue, 26 Apr 88 02:38:17 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Richard (excuse me, REB), No, the problem with other lists generally has not been that they become places for people to place job offers. Some people have, and that is very helpful to the individual looking for the job. Rather what has ruined many lists is that they become taught with people complaining about small parts of other people's letters not belonging in the list. Instead of your last two letters (one I believe cut up Arnold Gill for thinking that two programs were public domain, and the second to complain about a le sentence in a very interesting letter from Roger Gonzalez), you might try to add something useful to this list if you are capable of such thought. I found Roger's comments to be very interesting. Realize that several "PacMan" viruses have been found floating around, as well as one I recall that sent random characters to the screen at certain intervals. Incidently, the LaSalle talk will be given on the 28th. I will upload information when I can locate it. I will be there, although I won't be speaking. Loren .----------------------------------------------------------------------------. | Loren K Keim | |----------------------------------------------------------------------------| | Lehigh Valley Innovative Technologies: Software / Hardware (215) 865-4253 | 4253 | | Century 21 Loren Keim: Com / Ind / Res (215) 395-0393 | 0393 | | Keim Enterprises: Consulting / Programming (215) 865- 3904 | 3904 | | Lehigh University: Consulting / Programming | |----------------------------------------------------------------------------| | The Virus Busters: Loren Keim, Chris Bracy, Joe Sieczkowski, Mitch Ludwig | |____________________________________________________________________________| ========================================================================= Date: Tue, 26 Apr 88 02:53:55 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Speaking Well Folks, I am quite surprized at the number of personal letters I received over this list over the last day. Comments should probably be sent to the list directly, instead of sending them just to me. Because such a large number of users asked me if we do speeches, I will reply to that question here on the list. I, along with Chris Bracy and Joe Sieczkowski, have been to a few conventions in the last couple weeks to speak about, or help discuss viruses in general, ways of avoiding them, their implications, and so on. If you are interested in having us speak, yes it is possible, please send me your name, your groups name, a phone number I can call and where you are located, and we'll see what we can do. I'm glad to see such overwhelming responses over this list, because viruses are such a serious problem at this point in time. Again, general comments should probably go to the list, and not just to me, although I would refrain from sending in depth information about any particular virus to this list because it tends to help people think up new ways of writing viruses. Loren .-----------------------------------------------------------------------. | Loren K Keim | |-----------------------------------------------------------------------| | Lehigh Valley Innovative Technologies: Software / Hardware | | (215) 865-4253 | | Century 21 Loren Keim: Com / Ind / Res (215) 395-0393 | | Keim Enterprises: Consulting / Programming (215) 865-3904 | | Lehigh University: Consulting / Programming | |-----------------------------------------------------------------------| | Virus Busters: Loren Keim, Chris Bracy, Joe Sieczkowski, Mitch Ludwig | |_______________________________________________________________________| ========================================================================= Date: Tue, 26 Apr 88 02:42:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Roger Gonzalez <USERABFY@CLVM> Subject: Virus types In-Reply-To: Your message of Tue 26 Apr 88 01:37:33 EDT Does the now infamous XMAS EXEC that munched up all the IBMs on Bitnet really qualify as a virus? Technically, it DID reproduce, but it seems almost more Trojan Horsey. Frankly, I'm a bit scared about the future of viruses... Imagine 5 years from now, when we all have incredibly fast 586 machines with 256 parallel processing CPUs! Have fun tracking the little bugger down then! I agree with you... I think its pretty safe to say that nothing will ever be a cure-all for viruses. I may be growing out of my destructive tendencies, but I can certainly understand how much fun it can be to thwart trends toward complete user-friendliness. Its the same thing with software piracy.. it's FUN to crack copy protection schemes. I just heard of a nasty virus starting to circulate on IBM pcs. Its on BATTLEZNE and I'm told that it randomly causes warm boots to occur until you shut the silly thing off. Fortunately for "serious" users, a virus on a game shouldn't be too threatening. If anyone really wants the details, I'll track 'em down, but I wouldn't worry about it. Pax etc, Roger ========================================================================= Date: Tue, 26 Apr 88 09:26:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: MITCH MITCHELL ROSEN <MRR2607@RITVAX> Subject: Fuddy-duddies unite > From: -=*REB*=- <RB00@LEHIGH> > Subj: Nettiquite >> PS anyone want to hire me? > FLAME ON! > Do you *really* think that this is appropriate here? That flame was the most inappropriate gripe I've come across for a while. The writer's tongue was clearly in cheek when asking about employment. Chill out a bit. Its not healthy to take everything so seriously. - Mitchell Rosen > [Boy, this list's first real flame :-) :-) :-) ] I guess I'm number two. ========================================================================= Date: Tue, 26 Apr 88 13:38:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Mitchel Ludwig <KMFLUDW@VAX1.CC.LEHIGH.EDU> Subject: RE: Fuddy-duddies unite >From: MITCH MITCHELL ROSEN <MRR2607%RITVAX.BITNET@IBM1.CC.LEHIGH.EDU> > >> From: -=*REB*=- <RB00@LEHIGH> >> Subj: Nettiquite > >>> PS anyone want to hire me? > >> FLAME ON! >> Do you *really* think that this is appropriate here? > >That flame was the most inappropriate gripe I've come across for >a while. The writer's tongue was clearly in cheek when asking about >employment. > >Chill out a bit. Its not healthy to take everything so seriously. > >- Mitchell Rosen > >> [Boy, this list's first real flame :-) :-) :-) ] > >I guess I'm number two. > Guys, please?!?!? This is getting a little crazy. Both REB and whoever the writer was were both a) A little overzealous and b) Joking. Let's let it lie. Mitch Tag... You're it ____________ ____/--\____ //-n-\\ \______ ___) ( _ ____) _____---=======---_____ __\ \____/ / `--' ====____\ /.. ..\ /____==== ) `|=(- - - - - - - - - - -*// ---\__O__/--- \\ \------------' \_\ /_/ BITnet : MFL1@lehigh.bitnet Phonet : 215-758-1381 INTnet : KMFLUDW@vax1.cc.lehigh.edu Slonet : Box 72 Lehigh Univ. Bethlehem, PA 18015 ========================================================================= Date: Tue, 26 Apr 88 13:51:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Mitchel Ludwig <KMFLUDW@VAX1.CC.LEHIGH.EDU> Subject: RE: Speaking >From: Loren K Keim -- Lehigh University <LKK0%LEHIGH.BITNET@IBM1.CC.LEHIGH.EDU >Well Folks, > >I am quite surprized at the number of personal letters I received >over this list over the last day. Comments should probably >be sent to the list directly, instead of sending them just to >me. > [Erronious kaka eliminated] > >Loren > >|-----------------------------------------------------------------------| >| Virus Busters: Loren Keim, Chris Bracy, Joe Sieczkowski, Mitch Ludwig | >|_______________________________________________________________________| Loren, As one of the 'Virus Busters' I am beginning to get a bit annoyed at the constant back patting you seem to be giving yourself. None of the rest of us involved in the Lehigh virus affair have gone out of our way to let the world know how great we are. Yes, I agree with you that the public needs to know exactly what they are dealing with in respect to virus's in general, but I do not agree with your methods. Richard Baum may have been wrong in his flame earlier when he complained about job hunting here, but he was wrong because the request should have been taken as a joke. You, on the other hand are using the net as a way, not to educate the public concerning virus's, but rather to educate them concerning the fact that *YOU* know all about virus's. Now, enough of this, if you wish to let the world know how much you know about computer virus's, do it in one long letter that we can all ignore. Then get down to the business of what the list is about, helping others. Now, for everyone : I am looking for information (for a second party not on the network) concerning virus's (is this right or is it viruses?) that cause problems on the mac. He is concerned because his workplace uses primarily mac's for publishing needs. Any help? Mitch (I may have helped solve a virus but that's no reason to brag) Ludwig Tag... You're it ____________ ____/--\____ //-n-\\ \______ ___) ( _ ____) _____---=======---_____ __\ \____/ / `--' ====____\ /.. ..\ /____==== ) `|=(- - - - - - - - - - -*// ---\__O__/--- \\ \------------' \_\ /_/ BITnet : MFL1@lehigh.bitnet Phonet : 215-758-1381 INTnet : KMFLUDW@vax1.cc.lehigh.edu Slonet : Box 72 Lehigh Univ. Bethlehem, PA 18015 ========================================================================= Date: Tue, 26 Apr 88 14:30:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Joe Ogulin -- 'Milamber' <P12I1798@JHUVM> Subject: Re: Nettiquite In-Reply-To: Your message of Tue 26 Apr 88 01:02:36 EDT come on, rich...anyone can tell it's a joke... --Joe ========================================================================= Date: Tue, 26 Apr 88 15:14:07 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: David.Slonosky@QueensU.CA Subject: Macintosh viruses I would also be interested in Macintosh virus information as our lab uses a fat Mac. Does anyone remember the article in the Computing Recreation section of Scientific American about two or three years back where he talked about worms and battling programs, one pro-computer and one anti-computer? It's sort of tangent to this discussion, but reading these comments made me think of it and I'd like to read it again soon. ========================================================================= Date: Tue, 26 Apr 88 16:15:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: UJWSIEC@VAX1.CC.LEHIGH.EDU Subject: RE: Speaking >>From: Loren K Keim -- Lehigh University <LKK0%LEHIGH.BITNET@IBM1.CC.LEHIGH.EDU > >>Well Folks, >> >>I am quite surprized at the number of personal letters I received >>over this list over the last day. Comments should probably >>be sent to the list directly, instead of sending them just to >>me. >> >>Loren >> > >From: Mitchel Ludwig <KMFLUDW@VAX1.CC.LEHIGH.EDU> > >Loren, > > As one of the 'Virus Busters' I am beginning to get a bit >annoyed at the constant back patting you seem to be giving yourself. >None of the rest of us involved in the Lehigh virus affair have gone >out of our way to let the world know how great we are. > > Yes, I agree with you that the public needs to know exactly >what they are dealing with in respect to virus's in general, but I do >not agree with your methods. You are using the net as a way, >not to educate the public concerning virus's, but rather to >educate them concerning the fact that *YOU* know all about virus's. > >Mitch FFFFFFFF LL AAAA MM MM EEEEEEE OOOOO NNN N FF LL AA AA MMM MMM EE OO OO NNNN N FFFFF LL AA AA M MM MM M EEEE OO OO NN NN N FF LL AAAAAAAA M MM M EE OO OO NN NN N FF LL AA AA M M EE OO OO NN NNN FF LLLLLL AA AA M M EEEEEEE OOOOO NN NN Enough is Enough! This pointless bickering is getting out of hand. Mitch, if you have a gripe with Loren send mail to him directly. There is no point making it nationwide. Moreover, Loren's letter was perfectly pertinent. Yesterday he received numerous letters that were very appropriate for the list. So he stated the fact. I don't think he was practicing conceit. *Flame off* Athough I feel its inappropriate to bring such quarrels to the list, I felt this particular letter was neccessary to clear the air of any misconceptions. I'm sorry for those of you that had to wade though it. Now let's talk about viruses.... ------------------------------------------------------------------------------ ujwsiec@vax1.cc.lehigh.edu Joe Sieczkowski {ihnp4}!c11ux!lehi3b15!joes AI Lab, CSEE Department jws5@lehigh.bitnet Lehigh University Packard Lab #19 Bethlehem, PA 18015 -------------------------------------------------------------------- "Yes...It was a dark and stormy night that a party of three and myself found, tracked, and destroyed the Lehigh Virus." --------------------------------------------------------- ========================================================================= Date: Tue, 26 Apr 88 16:40:30 ECT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Art Weisenseel <PR0032@BINGVMB> Subject: RE: Speaking In-Reply-To: Message of Tue, 26 Apr 88 13:51:00 EST from <KMFLUDW@VAX1.CC.LEHIGH.EDU> Actually this is not in reference to Speaking, but to Mac viruses. Anyhow, in this week's Infoworld (the April 25 issue) on page 8 there is an article on a Mac virus which looks for the programming signatures "ERIC" and "VULT" in Electronic Data Systems' proprietary programs. According to the article the virus is unruly enough to cause printing and system problems and occasionally destroy data, although its real purpose is to destroy Mac applications which have those two signatures. The article says the Killscores program available on Compuserve Macintosh b-boards and elsewhere will knock it off infected disks. Hope I got it right; I'm not an Mac user. Art Weisenseel Computer Services State University of NY - College at Purchase PR0032@BINGVMB.BITNET "Twenty Seconds Ahead of the Past" ========================================================================= Date: Tue, 26 Apr 88 21:29:34 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Emergency: In case of emergency, contact me at 865-4253 or 865-3904. A few things: I have had quite a bit of difficulty finding information about the new slew of Mac Viruses that have arrived. Here is some of what I HAVE been able to locate: The NASA virus: NASA has kept very quiet about how this virus works, and replicates. From what I've been able to decipher (someone correct me if they have more knowledge), it doesn't actually damage the system in any way, but slows down programs and increases their length, makes it very hard to print things, crashes the system, as well as typing some sort of obnoxious message. Apparently the virus has no effect on data files, but it injects itself into every program file and makes itself very hard to eliminate. I believe that the virus probably appends itself to the end of the program file. It "goes off" every 2, 4 and 7 days after infected. Another Christmas Tree Virus: A Mac version that simply copies itself to any existant hard drive and any disks in any drives attached to the system. It does no actual damage, and appears in the directory as a program file. The way to know if you have this virus is if you have a file XMAS in your directory. Unnamed virus: According to the April 11 issue of Infoworld, a virus exists that "transmits itself from Mac to Mac by invading a standard executable application file". This virus destroys files. "The easiest way to spot this virus is by looking at the icons tht represent the Note Pad File and Scrapbook File in the Macintosh System Folder". "These icons normally resemble small Macintoshes, but when infected, the icons become a rectangle with a bent corner. More as I get it. I believe the NASA virus and the Unnamed one (found in Washington and Boston so far) will be taken care of by the new anti viral program for the Mac that we'll (LVIT'll) be releasing in the next few weeks. Also, if you missed Art W.'s letter, go back and read it! Also, I must apologize. Mitch tells the world that: >> As one of the 'Virus Busters' I am beginning to get a bit >> annoyed at the constant back patting you seem to be giving yourself. >> None of the rest of us involved in the Lehigh virus affair have gone >> out of our way to let the world know how great we are. If I have upset anyone, I am quite sorry. I was not trying to pat myself on the back. And Mitch, we argue constantly; lets try to keep it off the listservs. Incidently, the trailer that I put on my message is a direct copy of the trailer Chris Bracy's been using for a while. Gotta Run, Loren ========================================================================= Date: Tue, 26 Apr 88 14:52:20 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Lou Surface <LBS100S@ODUVM> Subject: Re: Nettiquite In-Reply-To: Message of Tue, 26 Apr 88 14:30:00 EDT from <P12I1798@JHUVM> Can we please get back to the discussion at hand? This should be the last message of its kind please. ========================================================================= Date: Wed, 27 Apr 88 17:04:40 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: David.Slonosky@QueensU.CA Subject: Worms, viruses, and so on Does anyone remember the article in Scientific American 2-3 years back called "Core Wars"? It dealt with the basics of program destruction/saving and I was wanting to reread it. If anyone knows of any other basic introductions to virus theory, I would also appreciate knowing about them. ========================================================================= Date: Wed, 27 Apr 88 19:47:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: UJWSIEC@VAX1.CC.LEHIGH.EDU Subject: RE: Worms, viruses, and so on >If anyone knows of any other basic introductions to virus > theory, I would also appreciate knowing about them. > As a matter of fact, Fred Cohen wrote several booklets on viruses and system security matters. They were quite good. By now, he must have comprised into a book (or several). ------------------------------------------------------------------------------ ujwsiec@vax1.cc.lehigh.edu Joe Sieczkowski {ihnp4}!c11ux!lehi3b15!joes AI Lab, CSEE Department jws5@lehigh.bitnet Lehigh University Packard Lab #19 Bethlehem, PA 18015 -------------------------------------------------------------------- "Yes...It was a dark and stormy night that a party of three and myself found, tracked, and destroyed the Lehigh Virus." --------------------------------------------------------- ========================================================================= Date: Wed, 27 Apr 88 22:38:29 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Regarding that talk on viruses to be held at La Salle U: Its Thursday Arpill 28... 7 pm to 9 pm, and will be done by John Hagman, Donald Montabana, and Steve Weissman. It covers what viruses are, how theye detected, what the cures available are and do they require changes in computer management. Loren ========================================================================= Date: Thu, 28 Apr 88 07:42:08 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> In-Reply-To: Message of Mon, 25 Apr 88 17:49:20 EDT from <LKK0@LEHIGH> > Which brings up my third point: I read your comment, Ken, about > ten times, and I still don't understand it. I don't believe > public domain programs are the answer at all. I believe we should > use commercially available fixes. But, likewise, you mention > that public domain virus-fixes should be given with source code. > If we want to make the perfect fix... one that will take the > virus writer infinitely long to break, then we do NOT want source > code EVER given out, or even the details of how the system works! I guess I didn't phrase myself very clearly. I didn't mean that people should not use commercial packages; quite the contrary. I have little faith in the public domain anti-viral packages because of things like FLUSHOT - it's too easy to put a virus in one. That, and I believe that all public domain software should be distributed with source code. Not because they're anti-viral programs, but because they're in the public domain. I feel that most of the commercial packages are more thorough than any of the public domain packages at this time. They should *NOT* be distributed with source code. A user should be safer using a commercial package - yes, we all know about Aldus... I don't think that *ANY* software solution to the virus problem can be 100% effective, though. I hope that clears things up a bit... Which brings me to my next point. I've just been out of town for a couple days on a business trip. When I read my mail last night, I was very surprised about all the traffic that we've gotten on VIRUS-L - thanks to *ALL* who submitted! Let's keep it going! I wasn't too happy to see flames and commercial plugs, though. As the listowner, I will tolerate none of either. Differences of opinion are one thing, but flames are not acceptable or proper. If anyone *REALLY* feels the need to flame someone, then reply to that person directly - NOT TO THE LIST! That way, I won't have to read it, unless it's me getting flamed; but, hey, I can purge a message as fast as the next guy... :-) Commercial plugs are against BITNET policy. 'Nuff said. Anyone sending a flame or a commercial plug to the list does so knowing that it is his/her final submission to the list - you *WILL* be removed permanently. Which leaves only melodrama - there's no official BITNET policy against melodrama unfortunately. I just hope that all of our readers have a grain or two of salt handy... :-) Oh yeah, one general guideline - when intending to be "tongue in cheek" or anything like that, please bear in mind that it is difficult to interpret something as tongue in cheek. A shortcoming of computer mail I'm afraid. It's easy enough to *EMPHASIZE* something, but how do we put inflection into it? How about @tongue_in_cheek(this is tongue in cheek)? :-) Thanks for the info on La Salle, Loren. Hope someone out there will be making use of it. And thanks to everyone who has submitted! Ken ------------------------------------------------------------------------ = Kenneth R. van Wyk = If found wandering aimlessly, = = User Services Senior Consultant = please feed and return... = = Lehigh University Computing Center =-------------------------------= = Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> = This just in: = = BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! = ------------------------------------------------------------------------ ========================================================================= Date: Thu, 28 Apr 88 08:11:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: J_CERNY@UNHH Subject: virus in Aldus Freehand self-training disks I just received my copy of the Aldus Freehand demo disk. As I understand it, this runs a muscial script to show off what Freehand can do. Just before I got around to putting it in my hard-disk SE system for the first time, however, I read in the March 15, 1988 issue of MacWEEK that the Aldus Freehand training disk is infected with a virus!! I'd previously heard that some copies of the actual program were infected, but this was the first I'd heard about the training disk. Does anyone know more about this, specifically: (1) Is what the article calls the "training disk" the same thing as this scripted, musical demo disk? Or is the training disk something you get when you order the full-blown program? (2) Are ALL copies of the training disk believed to be infected? Jim Cerny, University Computing, University of N.H. J_CERNY@UNHH ========================================================================= Date: Thu, 28 Apr 88 15:59:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Joe Simpson <JS05STAF@MIAMIU> Subject: Purpose of this list. I am about to send a description of the computer virus epidemic that surfaced at Miami University to this list. I hope this is an appropriate place to distribute the information. I subscribed to the list three days ago and am a little confused about the purpose of virus-l. My interest is in obtaining information about active viruses discovered in the computing community and in recommendations for combating/defending/managing. If this is not appropriate would someone direct me to the appropriate forum? Thank You Joe Simpson ========================================================================= Date: Thu, 28 Apr 88 16:02:55 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Joe Simpson <JS05STAF@MIAMIU> Subject: A description of computer virus epidemic at Miami U. THIS IS A FIRST DRAFT OF A POSTING TO THE VIRUS-L LISTSERV GROUP. PLEASE RESPOND WITH EDITORIAL COMMENTS. MIAMI UNIVERSITY WAS HIT BY AN OUTBREAK OF MS-DOS AND MACINTOSH VIRUS APPROXIMATELY 10 DAYS BEFORE THE END OF SEMESTER. VIRUS APPEARED IN VIRTUALLY EVERY MICRO LAB ON CAMPUS WITHIN 2 DAYS OF FIRST NOTICE. THE IBM VIRUS APPEARED TO BE A VARIANT OF BRAIN. THE MAC VIRUSES APPEARED TO BE IDIOT AND SCORES. SCREENING PROCEDURES WERE INSTITUTED IN THE LABS TO DETECT AND QUASH VIRUS INFECTED DISKETTES. DETECTION BECAME MORE ACCURATE OVER TIME. THE PROCEDURE USED TO DISINFECT DISKETTES IS: 1) COPY DATA FILES (WP, SPREADSHEET, DATABASE) TO "CLEAN MEDIA" 2) FORMAT INFECTED DISKETTE ABANDONING ANY DOS AND OTHER EXECUTABLE FILES. 3) COPY DATA FILES BACK ONTO THE USER DISKETTE. THERE IS SOME REASON TO BELIEVE THAT THIS PROCEDURE IS OVERLY CAUTIOUS. IN THE MS-DOS WORLD: SCREENING PROCEDURES STARTED WITH LOOKING FOR THE WORD BRAIN IN THE DISKETTE LABEL. NOW WE LOOK FOR THREE OR MORE CONTIGUOUS BAD SECTORS USING SOMETHING LIKE THE NORTON UTILITIES. A STUDENT HAS WRITTEN A PROGRAM TO LOOK FOR VIRUS IN RAM. THE SAME STUDENT IS ATTEMPTING TO REVERSE ENGINEER A SOLUTION. FRED COHEN FROM UNIV. CINN. HAS BEEN UP TO ASSIST US AND WOULD PROBABLY HAVE GOOD INFORMATION ON THE VIRUS IF HE HADN'T CONTRACTED ONE OF THE HUMAN VARIETY LAST NIGHT. INFECTED DISKETTES HAVE BEEN POSTED TO BOWLING GREEN FOR STUDY (AND OF COURSE TO FRED). AT THIS POINT WE ARE NOT SURE HOW LONG THE DORMANT PHASE OF THIS VIRUS WAS. IT MAY HAVE BEEN SEVERAL MONTHS. SUBJECT TO FRED'S AND THE STUDENT'S NEW INFORMATION HERE IS WHAT WE BELIEVE ABOUT THE MS-DOS VIRUS. IT IS A VERSION OF PAKISTANI BRAIN. IT PROBABLY CANNOT INFECT A HARD DISK. MORE ON THIS WHEN WE REALLY KNOW. PROPERLY INSTALLED LAN'S APPEAR TO OFFER PROTECTION(BECASE OF THE ABOVE?) IT LIVES IN THREE (OR IN SOME CASES POSSIBLY FIVE) CONTIGUOUS SECTORS MARKED BAD IN THE FAT. THE THREE SECTOR VERSION INSTALLS IN HIGH RAM AND CAN BE DETECTED THERE USING STANDARD DOS CALLS. IF THERE IS A FIVE SECTOR VERSION (THIS MAY BE DAMAGE AND NOT VIRUS), IF IT IS A VIRUS, IT DOESN'T PERMANENTLY INSTALL IN HIGH RAM. THE THREE SECTOR VERSION APPEARS TO INSTALL BOOTSTRAP CODE INTO AT LEAST THE FOLLOWING FILES: COMMAND.COM, PRINT.COM, FORMAT.COM. FRED HAS A CHECKSUM PROGRAM THAT WE USED TO DIAGNOSE THIS BEHAVIOR. THE THREE SECTOR VIRUS WILL PLACE BRAIN IN THE DISKETTE VOLUME LABEL AND REMOVE IT PERIODICALLY. THUS, ABSCENCE OF BRAIN IS NOT ASSURANCE OF A CLEAN DISKETTE. SOME OF THE THINGS THAT THE PRUDENT COMPUTER USER SHOULD DO IN THE COMPUTER AGE (SAGE WISDOM SUBJECT TO FREQUENT REVISION): USE ATTRIB TO MAKE COMMAND.COM AND MANY OTHER FILES READ ONLY. THIS LIST SHOULD PROBABLY INCLUDE PROGRAMS. BACKUP, BACKUP, BACKUP, BACKUP. I KEEP A 3 WEEK ROLLING BACKUP TO PROTECT MYSELF FROM DORMANT PHASE VIRUSES AS OBSERVED IN THE MAC WORLD. WRITE PROTECT ALL ORIGIONAL DISKETTES WITHIN SECONDS OF OPENING THE SHRINK WRAP. WHEN TRANSFERRING INFORMATION BETWEEN COMPUTERS USE DISKETTES THAT CONTAIN NO EXECUTABLES (SYSTEM AND APPLICATIONS SOFTWARE). WHERE POSSIBLE BOOT FLOPPIES SHOULD BE WRITE PROTECTED. IT IS NOT KNOWN AT THIS TIME WHETHER WRITE PROTECTION IS HARDWARE OR SOFTWARE MEDIATED. WE ARE FOLLOWING UP WITH IBM. IN THE MACINTOSH WORLD WE SUSPECT THAT WE WERE INFECTED BY SCORES AND IDIOT. MAC USERS ARE MUCH MORE ATONOMOUS AND OUR INFORMATION IS NOT AS GOOD. WE ARE STILL TRYING TO OBTAIN COPIES OF INFECTED MACINTOSH DISKETTES. IN THE MEAN TIME WE ARE DISTRIBUTING KILLVIRUS, VACCINE, AND FERRET 1.1. DIAGNOSIS RELIES UPON FINDING CHARACTERISTIC SIGNATURE FILES. PRESENT RECOMMENDATIONS FOR PREVENTION INCLUDE ALL OF THE ABOVE RECOMMENDATIONS FOR THE MS-DOS WORLD PLUS RUNNING KILLVIRUS OR VACCINE. SOME THINGS WE ARE CONSIDERING FOR NEXT YEAR. ENCOURAGE STUDENTS TO EXCHANGE INFORMATION ON DATA DISKETTES THAT DO NOT INCLUDE EXECUTABLES. MORE WRITE PROTECTION AT DOS ATTRIB LEVEL AND HARDWARE LEVEL. INVESTIGATE VIRUS PROTECTION SOFTWARE. IN THE MAC WORLD WE ARE USING VACCINE AND LOOKING AT VIRUSDETECTIVE AND KILLVIRUS. INVESTIGATE VIRUS PROTECTION IN THE MS-DOS WORLD? USE LOCAL HACKS TO PERIODICALLY LOOK FOR RAM RESIDENT SOFTWARE THAT SHOULDN'T BE THERE? ========================================================================= Date: Thu, 28 Apr 88 16:16:02 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Re: Purpose of this list. In-Reply-To: Message of Thu, 28 Apr 88 15:59:00 EST from <JS05STAF@MIAMIU> >I am about to send a description of the computer virus epidemic that >surfaced at Miami University to this list. I hope this is an >appropriate place to distribute the information. This list is definitely an appropriate place for that discussion! >I subscribed to the list three days ago and am a little confused about >the purpose of virus-l. My interest is in obtaining information >about active viruses discovered in the computing community and in >recommendations for combating/defending/managing. If this is not >appropriate would someone direct me to the appropriate forum? While the list is less than a week old, I think that you're definitely on target with what you expect. I'd like to see the same things, and a bit more. Discussing existing viruses alone is somewhat limiting, and probably an uphill battle. While information on them should definitely be available here, we shouldn't limit ourselves to that. Some theoretical discussions on future virus possibilities, and how to prevent them, should also be found. Hope that clears it up... Ken ------------------------------------------------------------------------ = Kenneth R. van Wyk = If found wandering aimlessly, = = User Services Senior Consultant = please feed and return... = = Lehigh University Computing Center =-------------------------------= = Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> = This just in: = = BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! = ------------------------------------------------------------------------ ========================================================================= Date: Thu, 28 Apr 88 16:54:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Loren Miller, Senior Large-Systems Consultant" <MILLERL@wharton.upenn.edu> Subject: MAC VIRUS info -- relayed from INFO-MAC Date: Tue 26 Apr 88 03:36:16-EDT From: "Vin McLellan" <SIDNEY.G.VIN%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU> Subject: Virus Sores and Scores Relayed from: INFO-MAC Digest Saturday, 23 Apr 1988 Volume 6 : Issue 40 From jpd@eecs.nwu.edu Mon Apr 18 10:11:09 1988 Subject: The Scores Virus Date: 18 Apr 88 16:11:09 GMT My colleague Bob Hablutzel got a copy of the Scores virus last Thursday and disassembled it, and I've been studying and testing it ever since. So far I've reverse-engineered about half the code and have a thorough understanding of how it works. This note is a preliminary report on what I know so far, after four days of research. It also outlines plans for a disinfectant program. The virus is definitely targeted against applications with signatures VULT and ERIC. I don't know if any applications with these signatures exist or are planned to be released. The virus infects your system folder when you run an infected program. The virus lies dormant for two days after your system folder is first infected. After two, four, and seven days various parts wake up and begin doing their dirty work. Two days after the initial infection the virus begins to spread to other applications. I haven't completely finished figuring out this mechanism, but it appears that only applications that are actually run are candidates for infection. After four days the second part of the virus wakes up. It begins to watch for the VULT and ERIC applications. Whenever VULT or ERIC is run it bombs after 25 minutes of use. If you don't have a debugger installed you'll get a system bomb with ID=12. If you have MacsBug installed you'll get a user break. After seven days the third part of the virus wakes up. Whenever VULT is run the virus waits for 15 minutes, then causes any attempt to write a disk file to bomb. If you don't do any writes for another 10 minutes the application will bomb anyway, as described in the previous paragraph. There's also more code to force a bomb after 45 minutes, but I can't see any way that this code can be reached, given the forced bomb after 25 minutes. The virus identifies VULT and ERIC by checking to see if the application contains any resources of type VULT or ERIC. Applications with signatures VULT and ERIC normally contain these resources, but other applications normally don't. I verified the behaviour of the virus by using ResEdit to add empty resources of types VULT and ERIC to the TeachText application. TeachText bombed as described above on an infected system, even though TeachText itself was not infected! While running my experiments I was in ResEdit on the infected system and heard the disk whir. Sure enough, ResEdit was infected. I've been running on an infected system with an infected ResEdit for three days. I reset the system clock to fool the various parts of the virus into thinking it was time for them to wake up. The Finder has also become infected. ResEdit, Finder, and the rest of the system seem to be functioning normally. Only my version of TeachText modified to look like VULT or ERIC has been affected by the virus. If you repeat any of these experiments be very careful to isolate the virus. I'm using a separate dual floppy SE to perform my experiments, and I've carefully labelled and isolated all the floppies I'm using. My main machine is an SE with a hard drive, where I have MPW and my other tools installed. It's OK to look at infected files on the main machine (e.g. with ResEqual, DumpCode, etc.), but don't run any infected applications on the main machine - that's how it installs itself and spreads. Children should not attempt this without adult supervision :-) An infected application contains an extra CODE resource of size 7026, numbered two higher than the previous highest numbered CODE resource. Bytes 16-23 of CODE resource number 0 are changed to the following: 0008 3F3C nnnn A9F0 where nnnn is the number of the new CODE resource. You can repair an infected application by replacing bytes 16-23 of CODE 0 by bytes 2-9 of CODE nnnn, then deleting CODE nnnn. I've tried this using ResEdit on an infected version of itself, and it works. The MPW utility ResEqual reports that the result is identical to the original uninfected version. The virus creates two new invisible files named Desktop (type INIT) and Scores (type RDEV) in your system folder, and adds resources to the files System, Note Pad File, and Scrapbook File. Note Pad File and Scrapbook File are created if they don't already exist. Note Pad File is changed to type INIT, and Scrapbook File is changed to type RDEV. Both of these files normally have file type ZSYS. The icons for these two files change from the usual little Macintosh to the generic plain document icon. Checking your system folder for this change is the easiest way to detect that you're infected. Copies of the following five resources are created: Type ID Size Files ----- ----- ----- ------------------------------------- INIT 6 772 System, Note Pad File, Scrapbook File INIT 10 1020 System, Desktop, Scores INIT 17 480 System, Scrapbook File atpl 128 2410 System, Desktop, Scores DATA -4001 7026 System, Desktop, Scores A disinfectant program would have to repair all infected applications and clean up the system folder, undoing the damage described above. I don't yet know exactly which files can be infected, but I know for sure that Finder (file type FNDR) can get infected, and that applications (file type APPL) can get infected. For safest results the disinfectant should examine and disinfect the resource forks of all the files on the disk. I recommend the following algorithm: Scan the entire file hierarchy on the disk, and for each file on the disk check it's resource fork. Delete any and all resources whose type, ID, and size match the table above. Delete all files whose resorce forks become empty after this operation. If the resource fork's highest numbered CODE resource is numbered two more than the next highest numbered CODE resource, and if it's size is 7026, then patch the CODE 0 resource as described above, and delete the highest numbered CODE resource. Also examine all files named Note Pad File and Scrapbook File. If their file type is INIT or RDEV, change it to ZSYS. I'm fairly confident that a disinfectant program implemented using the algorithm above would sucessfully eradicate the virus from a disk, restore all applications to their original uninfected state, and not harm any non-viral software on the disk. It should work even on disks with multiple infected system folders. I also believe that it should work even if run on an infected system, and even if the disinfectant program becomes infected itself! There's a small chance that it could delete too many resources, and hence damage some other application, but that's a small price to pay for a clean system. Getting rid of a virus is tricky, even with a disinfectant program. The disinfectant program should be placed on a floppy disk along with a system folder. Make a backup copy of this disk. The machine should be booted using the startup disk you just made, and then the disinfectant should be run on all the hard drives and floppies in your collection, including the backup copy of the startup disk you just made. Don't run any other programs or boot from any other disks while disinfecting - you might get reinfected. When you're all done, reboot from some other (disinfected) disk and immediately erase the startup disk you used to do the disinfecting, which may be (and probably is) infected itself. This should absolutely, positively get rid of all traces of the virus. The backup disk you made and disinfected should contain an uninfected copy of the disinfectant program in case you need to use it again. There are at least two red herrings in the virus. It uses a resource of type 'atpl', which is usually some sort of AppleTalk resource. As far as I can tell, however, the virus does not attempt to spread itself over networks. The 'atpl' resource is used for something else entirely. This is not a bug. Also, the virus creates the file Desktop in your system folder. This is done on purpose. It is not a failed attempt to modify the Finder's Desktop file in the root directory. The file is used by the virus, and has nothing to do with the Finder. I don't know why the virus seems to cause reported problems with MacDraw, printing, etc. Perhaps it's a memory problem - the virus permanently allocates 16,874 bytes of memory at system startup (four blocks in the system heap of sizes 772, 40, 8, and 334, and one bock at BufPtr of size 15360). I've only found one possible bug in the virus code, and it looks pretty harmless. The code is very sophisticated, however, and I can easily understand how I might have overlooked a bug, or how it might interact in strange unintended ways with other applications and parts of the system. When we've finished completely cracking this virus we'll probably distribute another report. I've posted these preliminary results now to get the information out as quickly as possible. We also hope to write the disinfectant program, if someone else doesn't write it first. I've decided not to distribute detailed information on how this virus works. I'll distribute detailed technical information about what it does and how to get rid of it, but not internal details. This was a very difficult decision to make, because normally I firmly believe in the enormous benifit of the free exchange of code and information. The Scores virus is a very interesting and complicated piece of code, I've learned a great deal about the Mac by studying it, and I'm sure other people could learn a great deal from it too. But I don't want to teach twisted minds how to write these incredibly nasty bits of code. If I write the disinfectant program, however, I will distribute its source, because I do want to teach untwisted minds how to get rid of them. So please don't bombard me with requests for more information. You may be the nicest, most honest, incredibly important person, but I won't tell you how it works. I'll make only two exceptions, and that's for a very few of my colleagues at Northwestern University, and for qualified representatives of Apple Computer. Thanks to Howard Upchurch for giving us a copy of the virus, and to Bob Hablutzel for helping me crack it. John Norstad Northwestern University Academic Computing and Network Services 2129 Sheridan Road Evanston, IL 60208 Bitnet: JLN@NUACC Internet: JLN@NUACC.ACNS.NWU.EDU Monday morning, April 18, 1988. ------------------------------ ========================================================================= Date: Thu, 28 Apr 88 20:12:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: UJWSIEC@VAX1.CC.LEHIGH.EDU Subject: RE: A description of computer virus epidemic at Miami U. >SCREENING PROCEDURES WERE INSTITUTED IN THE LABS TO DETECT AND >QUASH VIRUS INFECTED DISKETTES. DETECTION BECAME MORE ACCURATE >OVER TIME. THE PROCEDURE USED TO DISINFECT DISKETTES IS: >1) COPY DATA FILES (WP, SPREADSHEET, DATABASE) TO "CLEAN MEDIA" >2) FORMAT INFECTED DISKETTE ABANDONING ANY DOS AND OTHER EXECUTABLE > FILES. >3) COPY DATA FILES BACK ONTO THE USER DISKETTE. >THERE IS SOME REASON TO BELIEVE THAT THIS PROCEDURE IS OVERLY CAUTIOUS. >IN THE MS-DOS WORLD: >SCREENING PROCEDURES STARTED WITH LOOKING FOR THE WORD BRAIN IN THE >DISKETTE LABEL. NOW WE LOOK FOR THREE OR MORE CONTIGUOUS BAD SECTORS >USING SOMETHING LIKE THE NORTON UTILITIES. > Be very careful here... Suppose you follow steps 1, 2, & 3, if you miss even one disk, you could be back where you started in a week. After you analyze the assmembly, I would suggest the you implement a screening proceedure and vaccination procedure in a program. Install that program in the autoexec of every bootable disk, so that on bootup you automatically check whether or not the disk is infected and if it is infected you kill the virus. This way your disks become "vaccinated" against that particular strain. This is what we did at Lehigh. Of course, write protecting all disks (maybe even notch-less) is probably a better solution, but sometimes that isn't appropriate. >MORE WRITE PROTECTION AT DOS ATTRIB LEVEL AND HARDWARE LEVEL. DOS Attribing doesn't do much and its very easy for a virus to by-pass this. I'm unfamiliar with any attrib at the HARDWARE level. It's hard to say much more without knowing specifically how the virus comunicates itself, how it finds its hiding spot, and so forth. Decipering the assembly is very important, otherwise you might miss something. Good Luck ------------------------------------------------------------------------------ ujwsiec@vax1.cc.lehigh.edu Joe Sieczkowski {ihnp4}!c11ux!lehi3b15!joes AI Lab, CSEE Department jws5@lehigh.bitnet Lehigh University Packard Lab #19 Bethlehem, PA 18015 -------------------------------------------------------------------- "Yes...It was a dark and stormy night that a party of three and myself found, tracked, and destroyed the Lehigh Virus." --------------------------------------------------------- ========================================================================= Date: Thu, 28 Apr 88 21:10:50 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: -=*REB*=- <RB00@LEHIGH> Subject: Core Wars Someone asked about Core Wars. The idea for Core Wars appeared in Scientific American in May of 1984. It is a rudimentary mathematical game based on writing small programs whose mission is to survive while annihilating other similar programs in the same workspace. The programs are written in a language called "redcode." They are in memory at random positions, and neither knows the location of the other. They take turns at executing instructions. Methods of operation are described whereby programs "bomb" certain areas of memory, copy themselves around to give the other program "the slip", etc. The article is definitely worth checking out. The entire game has many similarities to the current virus problem. There was also a IBM PC based public domain program floating around which played the game. I think I have a copy of it somewhere. Richard Baum _______________________________________________________________ / From: -=*REB*=- ", /FoneNet: (0010 0001 0101) 1000 0110 0111-1000 0100 0011 0011 BCD ", /InterNet: kREBaum@Vax1.CC.Lehigh.EDU BitNet: RB00@Lehigh.Bitnet ", / SlowNet: 508 E 4th St. (positively) Suite #1, Bethlehem, PA 18015 ", !----------------------------------------------------------------------! ! The Brent Z*ne! ! "----------------------------------------------------------------------" ========================================================================= Date: Fri, 29 Apr 88 08:33:42 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Joe Simpson <JS05STAF@MIAMIU> Subject: Hardware write protection Does anyone know whether the write protect hardware in commonly used microcomputers is a) merely a sensor that operates through software mediatation (and is thereby at risk to hostile software) - or - b) or be operated purely at the hardware digital logic gate, for example via a hardware "or" gate? Of course answers to this question must be specific to hardware. I'll start off with the old Apple II 5.25 disk drives. It's hardware here. ========================================================================= Date: Fri, 29 Apr 88 08:55:56 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Jim Eshleman <LUJCE@LEHIIBM1> Subject: Testing Please ignore this test. Jim Eshleman Lehigh University Computing Center ========================================================================= Date: Fri, 29 Apr 88 09:39:16 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: More info on Miami U's virus woe's I just spoke with Fred Cohen, who was helping Miami University with their Brain virus problems. He gave me some additional information to pass along to the list. First, their PC virus is indeed a *NEW* strain of the Brain virus. It is quite a lot more sophisticated than its ancestor, however. Major differences: 1) It infects COM files as well as system files. The COM files show no changes in file size or in write date when a DIR command is issued. 2) The virus appears to move around a bit. For example, the ASCII message displaying the Pakistani authors' names and addresses *sometimes* appears in the boot sectors, sometimes not. 3) The new Brain virus can now infect hard drives. The previous one could not infect *anything* other than 5 1/4" disks. At Miami U., some BAT files were found which contained commands to copy some infected COM files to the C: drive. Trying to stop a virus like this from spreading, particularly in a typical university computing environment, is proving to be very difficult indeed. They're currently running a program which checks for any of the standard interrupt addresses to change; whereupon they halt the system. This way, at least they get flagged that the virus is on that system. Placing write protect tabs on most of the disks helps, but is not always feasible - particularly in the case of copy protected software like Lotus 1-2-3. That brings me to another point. It seems that, with the current crop of viruses, copy protected software is presenting a serious security problem. If you cannot write protect a disk, then that disk runs a real threat of becoming infected. So, if you must use copy protected software, make sure you boot the system (power down/up - not just ctrl-alt-del; that's easy to fake!) from a write-protected system disk, and then only use your copy protected program. Do not introduce any outside disks into the system during this time. The original Brain virus spread all over the place fairly quickly. This one is much more elaborate, and has been spotted at more than one university already. The need to be extremely cautious cannot be overstressed. Ken ------------------------------------------------------------------------ = Kenneth R. van Wyk = If found wandering aimlessly, = = User Services Senior Consultant = please feed and return... = = Lehigh University Computing Center =-------------------------------= = Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> = This just in: = = BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! = ------------------------------------------------------------------------ ========================================================================= Date: Fri, 29 Apr 88 10:10:27 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: another Miami update One more thing on the new Brain virus - IT CAN INFECT DATA DISKS. That is, non-system disks containing NO EXECUTABLE FILES. It has been found that, if you try to boot an infected data disk, the pc will respond with NON SYSTEM DISK (or something similar). If you then place a bootable disk in the system and press any key, the bootable disk will boot, and the virus will be resident in memory, even if the bootable disk was previously uninfected. Note that this may not work on all pc clones, depending upon how they boot. That is, not all machines will try to boot another disk if you just press any key after getting a NON SYSTEM DISK message. Also, if you CTRL-ALT-DEL to re-boot, the virus will not remain in memory in this case. Hopefully we'll get yet more information on this new virus in the near future... Ken ------------------------------------------------------------------------ = Kenneth R. van Wyk = If found wandering aimlessly, = = User Services Senior Consultant = please feed and return... = = Lehigh University Computing Center =-------------------------------= = Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> = This just in: = = BITNET: <LUKEN@LEHIIBM1> = Humptey Dumptey was pushed! = ------------------------------------------------------------------------ ========================================================================= Date: Fri, 29 Apr 88 09:57:52 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: DG5EOPER@MIAMIU We've been discussing how to thoroughly clean up a viral infection so that there aren't any remaining copies hangning around to infect the labs all over again. Why not introduce a virus-killer VIRUS? A program that spreads itself just like a virus with a sole purpose of hunting down a particular virus and nullifying it? It would propigate itself and spread just as quickly as a virus and would clean up up student's disks even if they didn't know they were infected. Maybe this is not a good idea. I am rather new to the subject, but find it interesting. Anyone's comments on this idea would be welcomed. David Geis ========================================================================= Date: Fri, 29 Apr 88 12:55:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: UJWSIEC@VAX1.CC.LEHIGH.EDU Subject: NO "Virus Killer" Viruses >Why not introduce a virus-killer VIRUS? >A program that spreads itself just like a virus with a sole purpose >of hunting down a particular virus and nullifying it? It would propigate >itself and spread just as quickly as a virus and would clean up up >student's disks even if they didn't know they were infected. >Maybe this is not a good idea. No, its not a good idea... "Vaccines" should not be viruses themselves. I agree that a program should be developed that would hunt down and kill a particular strain of virus. But the program should not be a virus itself otherwise your wonderful cure, in the future, might become an annoying pain in the ?#s. Once administered, you have no control of it. A virus uncontrollably propagating through computer systems could, as a side effect, cause software to malfunction, take up computing resources, etc. Moreover, you have to put out a new "killer vaccine virus" for every new regular virus, and soon systems would be overloaded with protection viruses that would probably fight amonst themselves and prevent a computer from functioning optimally. ------------------------------------------------------------------------------ ujwsiec@vax1.cc.lehigh.edu Joe Sieczkowski {ihnp4}!c11ux!lehi3b15!joes AI Lab, CSEE Department jws5@lehigh.bitnet Lehigh University Packard Lab #19 Bethlehem, PA 18015 -------------------------------------------------------------------- "Yes...It was a dark and stormy night that a party of three and myself found, tracked, and destroyed the Lehigh Virus." --------------------------------------------------------- ========================================================================= Date: Fri, 29 Apr 88 14:27:21 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Jim Eshleman <LUJCE@LEHIIBM1> Subject: MAC VIRUS info - from Loren Miller The XWell Mailer does not like addresses that span lines so Loren's posting got sent to me: From: "Loren Miller, Senior Large-Systems Consultant" <MILLERL@wharton.upenn.edu> Please refrain from using addresses like this until I can get the beast fixed. I am working on it. Many thanks. Here's Loren's posting below. Sorry for the delay in getting this to the list. /jce ------------------ Start of mail from Loren Miller ------------------- Subject: MAC VIRUS info -- relayed from INFO-MAC Date: Tue 26 Apr 88 03:36:16-EDT From: "Vin McLellan" <SIDNEY.G.VIN%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU> Subject: Virus Sores and Scores Relayed from: INFO-MAC Digest Saturday, 23 Apr 1988 Volume 6 : Issue 40 From jpd@eecs.nwu.edu Mon Apr 18 10:11:09 1988 Subject: The Scores Virus Date: 18 Apr 88 16:11:09 GMT My colleague Bob Hablutzel got a copy of the Scores virus last Thursday and disassembled it, and I've been studying and testing it ever since. So far I've reverse-engineered about half the code and have a thorough understanding of how it works. T(iz note is a preliminary report on what I know so far, after four days of research. It also outlines plans for a disinfectant program. The virus is definitely targeted against applications with signatures VULT and ERIC. I don't know if any applications with these signatures exist or are planned to be released. The virus infects your system folder when you run an infected program. The virus lies dormant for two days after your system folder is first infected. After two, four, and seven days various parts wake up and begin doing their dirty work. Two days after the initial infection the virus begins to spread to other applications. I haven't completely finished figuring out this mechanism, but it appears that only applications that are actually run are candidates for infection. After four days the second part of the virus wakes up. It begins to watch for the VULT and ERIC applications. Whenever VULT or ERIC is run it bombs after 25 minutes of use. If you don't have a debugger installed you'll get a system bomb with ID=12. If you have MacsBug installed you'll get a user break. After seven days the third part of the virus wakes up. Whenever VULT is run the virus waits for 15 minutes, then causes any attempt to write a disk file to bomb. If you don't do any writes for another 10 minutes the application will bomb anyway, as described in the previous paragraph. There's also more code to force a bomb after 45 minutes, but I can't see any way that this code can be reached, given the forced bomb after 25 minutes. The virus identifies VULT and ERIC by checking to see if the application contains any resources of type VULT or ERIC. Applications with signatures VULT and ERIC normally contain these resources, but other applications normally don't. I verified the behaviour of the virus by using ResEdit to add empty resources of types VULT and ERIC to the TeachText application. TeachText bombed as described above on an infected system, even though TeachText itself was not infected! While running my experiments I was in ResEdit on the infected system and heard the disk whir. Sure enough, ResEdit was infected. I've been running on an infected system with an infected ResEdit for three days. I reset the system clock to fool the various parts of the virus into thinking it was time for them to wake up. The Finder has also become infected. ResEdit, Finder, and the rest of the system seem to be functioning normally. Only my version of TeachText modified to look like VULT or ERIC has been affected by the virus. If you repeat any of these experiments be very careful to isolate the virus. I'm using a separate dual floppy SE to perform my experiments, and I've carefully labelled and isolated all the floppies I'm using. My main machine is an SE with a hard drive, where I have MPW and my other tools installed. It's OK to look at infected files on the main machine (e.g. with ResEqual, DumpCode, etc.), but don't run any infected applications on the main machine - that's how it installs itself and spreads. Children should not attempt this without adult supervision :-) An infected application contains an extra CODE resource of size 7026, numbered two higher than the previous highest numbered CODE resource. Bytes 16-23 of CODE resource number 0 are changed to the following: 0008 3F3C nnnn A9F0 where nnnn is the number of the new CODE resource. You can repair an infected application by replacing bytes 16-23 of CODE 0 by bytes 2-9 of CODE nnnn, then deleting CODE nnnn. I've tried this using ResEdit on an infected version of itself, and it works. The MPW utility ResEqual reports that the result is identical to the original uninfected version. The virus creates two new invisible files named Desktop (type INIT) and Scores (type RDEV) in your system folder, and adds resources to the files System, Note Pad File, and Scrapbook File. Note Pad File and Scrapbook File are created if they don't already exist. Note Pad File is changed to type INIT, and Scrapbook File is changed to type RDEV. Both of these files normally have file type ZSYS. The icons for these two files change from the usual little Macintosh to the generic plain document icon. Checking your system folder for this change is the easiest way to detect that you're infected. Copies of the following five resources are created: Type ID Size Files ----- ----- ----- ------------------------------------- INIT 6 772 System, Note Pad File, Scrapbook File INIT 10 1020 System, Desktop, Scores INIT 17 480 System, Scrapbook File atpl 128 2410 System, Desktop, Scores DATA -4001 7026 System, Desktop, Scores A disinfectant program would have to repair all infected applications and clean up the system folder, undoing the damage described above. I don't yet know exactly which files can be infected, but I know for sure that Finder (file type FNDR) can get infected, and that applications (file type APPL) can get infected. For safest results the disinfectant should examine and disinfect the resource forks of all the files on the disk. I recommend the following algorithm: Scan the entire file hierarchy on the disk, and for each file on the disk check it's resource fork. Delete any and all resources whose type, ID, and size match the table above. Delete all files whose resorce forks become empty after this operation. If the resource fork's highest numbered CODE resource is numbered two more than the next highest numbered CODE resource, and if it's size is 7026, then patch the CODE 0 resource as described above, and delete the highest numbered CODE resource. Also examine all files named Note Pad File and Scrapbook File. If their file type is INIT or RDEV, change it to ZSYS. I'm fairly confident that a disinfectant program implemented using the algorithm above would sucessfully eradicate the virus from a disk, restore all applications to their original uninfected state, and not harm any non-viral software on the disk. It should work even on disks with multiple infected system folders. I also believe that it should work even if run on an infected system, and even if the disinfectant program becomes infected itself! There's a small chance that it could delete too many resources, and hence damage some other application, but that's a small price to pay for a clean system. Getting rid of a virus is tricky, even with a disinfectant program. The disinfectant program should be placed on a floppy disk along with a system folder. Make a backup copy of this disk. The machine should be booted using the startup disk you just made, and then the disinfectant should be run on all the hard drives and floppies in your collection, including the backup copy of the startup disk you just made. Don't run any other programs or boot from any other disks while disinfecting - you might get reinfected. When you're all done, reboot from some other (disinfected) disk and immediately erase the startup disk you used to do the disinfecting, which may be (and probably is) infected itself. This should absolutely, positively get rid of all traces of the virus. The backup disk you made and disinfected should contain an uninfected copy of the disinfectant program in case you need to use it again. There are at least two red herrings in the virus. It uses a resource of type 'atpl', which is usually some sort of AppleTalk resource. As far as I can tell, however, the virus does not attempt to spread itself over networks. The 'atpl' resource is used for something else entirely. This is not a bug. Also, the virus creates the file Desktop in your system folder. This is done on purpose. It is not a failed attempt to modify the Finder's Desktop file in the root directory. The file is used by the virus, and has nothing to do with the Finder. I don't know why the virus seems to cause reported problems with MacDraw, printing, etc. Perhaps it's a memory problem - the virus permanently allocates 16,874 bytes of memory at system startup (four blocks in the system heap of sizes 772, 40, 8, and 334, and one bock at BufPtr of size 15360). I've only found one possible bug in the virus code, and it looks pretty harmless. The code is very sophisticated, however, and I can easily understand how I might have overlooked a bug, or how it might interact in strange unintended ways with other applications and parts of the system. When we've finished completely cracking this virus we'll probably distribute another report. I've posted these preliminary results now to get the information out as quickly as possible. We also hope to write the disinfectant program, if someone else doesn't write it first. I've decided not to distribute detailed information on how this virus works. I'll distribute detailed technical information about what it does and how to get rid of it, but not internal details. This was a very difficult decision to make, because normally I firmly believe in the enormous benifit of the free exchange of code and information. The Scores virus is a very interesting and complicated piece of code, I've learned a great deal about the Mac by studying it, and I'm sure other people could learn a great deal from it too. But I don't want to teach twisted minds how to write these incredibly nasty bits of code. If I write the disinfectant program, however, I will distribute its source, because I do want to teach untwisted minds how to get rid of them. So please don't bombard me with requests for more information. You may be the nicest, most honest, incredibly important person, but I won't tell you how it works. I'll make only two exceptions, and that's for a very few of my colleagues at Northwestern University, and for qualified representatives of Apple Computer. Thanks to Howard Upchurch for giving us a copy of the virus, and to Bob Hablutzel for helping me crack it. John Norstad Northwestern University Academic Computing and Network Services 2129 Sheridan Road Evanston, IL 60208 Bitnet: JLN@NUACC Internet: JLN@NUACC.ACNS.NWU.EDU Monday morning, April 18, 1988. ========================================================================= Date: Fri, 29 Apr 88 14:46:30 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David M. Chess 862-2245" <CHESS@YKTVMV> Subject: Viruses in MS-DOS / PC-DOS I know of five actual viruses: - The "brain" virus, that spreads between boot sectors of floppy diskettes, and apparently does no intentional damage (although I've heard that it has a bug or two that can sometimes cause cross-linked FATs). - The "Jerusalem" virus, that spreads between executable files (both COM and EXE), and that will erase any file that you try to execute on Friday the 13th (starting on May 13 this year). It has a bug, in that it will install a copy of itself in any EXE file you run, even if the file is already infected, so your EXE files will grow very quickly. (COM files get infected only once.) - The COMMAND.COM virus that showed up at Lehigh, and led to this list; it spreads between COMMAND.COMs, changes the date on infected COMMAND.COMs, and trashes all the data it can find after spreading four times. (I've never actually seen a copy of this one.) - Two "april fools" viruses (one for COM files and one for EXE files), that cause your machine to hang up at various intervals, and print annoying messages (one of them will print the message "HA HA HA YOU HAVE A VIRUS" every time you execute any file). I haven't heard any reports of these two showing up in the real world. The COMMAND.COM virus is in a sense the worst, in that it seems to be the only one that will really destroy valuable information. Has anyone heard of it appearing anywhere since it was first Busted? Has anyone heard of any other viruses (not just Trojan Horses) for this environment? I'd especially like more details about the Miami variant of "Brain" that Ken reported above. Has it been isolated and disassembled? Various people asked about write-protection; I'm not a hardware techie, but I know that the write protection on all the genuine IBM floppy drives that I know of is in fact in hardware. A program can write to a write-protected floppy only if the drive itself is broken, or has been modified. There's a microswitch of some kind that, I believe, disables the Write line on the drive. Dave Chess Watson Research Center * Any opinions or information contained herein are my own, * and not Official Statements of any company I might happen * to work for. ========================================================================= Date: Fri, 29 Apr 88 13:12:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Joseph M. Beckman" <Beckman@DOCKMASTER.ARPA> In-Reply-To: Message of 27 Apr 88 22:38 EDT from "Loren K Keim -- Lehigh University" I recently listened to the ABC broadcast on viruses. Fred Cohen stated that the Hebrew U. virus propagated to the Mossad (Israeli intelligence agency) and to the United States. Anybody else here of this happening? Any ideas on where in the United States the infection is alleged to have occurred? Will someone who attended the LaSalle talk post a summary to this forum? Which Mac virus is the "Idiot" virus? Joseph ========================================================================= Date: Fri, 29 Apr 88 15:39:56 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> Comments: Resent-From: KPETERSEN@SIMTEL20.ARPA Comments: Originally-From: phri!dasys1!wfp@NYU.EDU (William Phillips) From: KPETERSEN@SIMTEL20.ARPA Subject: Flushot Plus - anti-virus/anti-trojan The following is a response from Ross Greenberg, author of Flushot+, to several complaints posted to the comp.binaries.ibm.pc newsgroup over the past few days: " After examining the FLUSHOT+ code, I noticed that a comment was left in which would allow the brief bug to bite. That has since been fixed. The current release of FLU_SHOT+ is at Version 1.2, coming to a USENET site near you soon. As to the character who thinks that me charging ten bucks is absurd, please tell him I agree. His option, of course, is to not use the code. The $10 fee entitles him to use it. Obviously, he's using an unregistered copy. Tell him I sincerely hope that he has good luck using the $200 commercial protection programs. Oh! And please have him tear up my phone number!" According to Ross, Flushot+ v 1.2 will be posted via SIMTEL20 within the next few days. -- William Phillips {allegra,philabs,cmcl2}!phri\ Big Electric Cat Public Unix {bellcore,cmcl2}!cucard!dasys1!wfp New York, NY, USA !!! JUST SAY "NO" TO OS/2 !!! ========================================================================= Date: Fri, 29 Apr 88 15:52:45 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Terry Sanderson <SANDERS@UTORONTO> Subject: Re: Viruses in MS-DOS / PC-DOS In-Reply-To: Message of Fri, 29 Apr 88 14:46:30 EDT from <CHESS@YKTVMV> Hi, I would just like to clarify a point about write-protecting IBM PC type floppy disks. If they are write-protected, they CANNOT be written to. A microswitch or a photo-transistor senses whether or not the copy protect hole is covered. If it is, no matter what you do, the hardware logic disables the "write mechanism" (as I will call it), and you cannot write to the disk. This logic is simple TTL-type stuff, which is NOT programmable by any type of fancy programming. Hope this helps. --------------------------------------------------------------------------- Terry Sanderson P. Eng. Micro Systems Analyst University of Toronto Computing Services sanders@utoronto.bitnet sanders@gpu.utcs.toronto.edu Just Remember.....It's all fun until somebody loses an eye.