2,000 Greater & Lesser Mysteries

home *** CD-ROM | disk | FTP | other *** search

/ 2,000 Greater & Lesser Mysteries / 2,000 Greater and Lesser Mysteries.iso / computer / virus / mys00499.txt < prev next >

Wrap

Text File | 1994-06-10 | 878.8 KB | 20,686 lines

[ Last modified 23 January 89 - Ken van Wyk ] Welcome! This is the semi-monthly introduction posting to VIRUS-L, primarily for the benefit of any newcomers to the list. Many of you have probably already seen a message (or two...) much like this, but it does change from time to time, so I would appreciate it if you took a couple of minutes to glance over it. What is VIRUS-L? It is an electronic mail discussion forum for sharing information and ideas about computer viruses. Discussions should include (but not necessarily be limited to): current events (virus sightings), virus prevention (practical and theoretical), and virus related questions/answers. The list is moderated and digested. That means that any message coming in gets sent to me, the editor. I read through the messages and make sure that they adhere to the guidelines of the list (see below) and add them to the next digest. Weekly logs of digests are kept by the LISTSERV (see below for details on how to get them). For those interested in statistics, VIRUS-L is now (Jan. 23, 1989) up to 950 direct subscribers. Of those, approximately 80 are local redistribution accounts with an unknown number of readers. As stated above, the list is digested and moderated. As such, digests go out when a) there are enough messages for a digest, and b) when I put all incoming (relevant) messages into the digest. Obviously, this can decrease the timeliness of urgent messages such as virus warnings/alerts. For that, we have a sister list called VALERT-L. It is unmoderated and undigested - anything going in to the list goes directly out to all the subscribers, as well as to VIRUS-L for inclusion in the next available digest. VALERT-L is for the sole purpose of rapidly sending out virus alerts. Anyone who does not adhere to this one guideline of VALERT-L will be immediately removed from the list. That is, no news is good news. Subscriptions and deletions to VALERT-L are handled identically as those for VIRUS-L (see instructions below). What VIRUS-L is *NOT*? A place to spread hype about computer viruses; we already have the Press for that. :-) A place to sell things, to panhandle, or to flame other subscribers. If anyone *REALLY* feels the need to flame someone else for something that they may have said, then the flame should be sent directly to that person and/or to the list moderator (that would be me, <LUKEN@LEHIIBM1.BITNET>). How do I get on the mailing list? Well, if you are reading this, chances are *real good* that you are already on the list. However, perhaps this document was given to you by a friend or colleague... So, to get onto the VIRUS-L mailing list, send a mail message to <LISTSERV@LEHIIBM1.BITNET>. In the body of the message, say nothing more than SUB VIRUS-L your name. LISTSERV is a program which automates mailing lists such as VIRUS-L. As long as you are either on BITNET, or any network accessible to BITNET via gateway, this should work. Within a short time, you will be placed on the mailing list, and you will get confirmation via e-mail. How do I get OFF of the list? If, in the unlikely event, you should happen to want to be removed from the VIRUS-L discussion list, just send mail to <LISTSERV@LEHIIBM1.BITNET> saying SIGNOFF VIRUS-L. People, such as students, whose accounts are going to be closed (for example, over the summer...) - PLEASE signoff of the list before you leave. Also, be sure to send your signoff request to the LISTSERV and not to the list itself. Note that the appropriate node name is LEHIIBM1, not LEHIGH; we have a node called LEHIGH, but they are *NOT* one and the same. How do I send a message to the list? Just send electronic mail to <VIRUS-L@LEHIIBM1.BITNET> and it will automatically be sent to the editor for possible inclusion in the next digest to go out. What does VIRUS-L have to offer? All VIRUS-L digests are stored in weekly log files which can be downloaded by any user on (or off) the mailing list. Note that the log files contain all of the digests from a particular week. There is also a small archive of some of the public anti-virus programs which are currently available. This archive, too, can be accessed by any user. All of this is handled automatically by the LISTSERV here at Lehigh University (<LISTSERV@LEHIIBM1.BITNET>). How do I get files (including log files) from the LISTSERV? Well, you will first want to know what files are available on the LISTSERV. To do this, send mail to <LISTSERV@LEHIIBM1.BITNET> saying INDEX VIRUS-L. Note that filenames/extensions are separated by a space, and not by a period. Once you have decided which file(s) you want, send mail to <LISTSERV@LEHIIBM1.BITNET> saying GET filename filetype. For example, GET VIRUS-L LOG8804 would get the file called VIRUS-L LOG8804 (which happens to be the monthly log of all messages sent to VIRUS-L during April, 1988). Note that, starting June 6, 1988, the logs are weekly. The new file format is VIRUS-L LOGyymmx where yy is the year (88, 89, etc.), mm is the month, and x is the week (A, B, etc.). Readers who prefer digest format lists should read the weekly logs and sign off of the list itself. Subsequent submissions to the list should be sent to me for forwarding. Also available is a LISTSERV at SCFVM which contains more anti-virus software. This LISTSERV can be accessed in the same manner as outlined above, with the exceptions that the address is <LISTSERV@SCFVM.BITNET> and that the commands to use are INDEX PUBLIC and GET filename filetype PUBLIC. What is uuencode/uudecode, and why might I need them? Uuencode and uudecode are two programs which convert binary files into text (ASCII) files and back again. This is so binary files can be easily transferred via electronic mail. Many of the files on this LISTSERV are binary files which are stored in uuencoded format (the file types will be UUE). Both uuencode and uudecode are available from the LISTSERV. Uudecode is available in BASIC and in Turbo Pascal here. Uuencode is available in Turbo Pascal. Also, there is a very good binary-only uuencode/uudecode package on the LISTSERV which is stored in uuencoded format. Why have posting guidelines? To keep the discussions on-track with what the list is intended to be; a vehicle for virus discussions. This will keep the network traffic to a minimum and, hopefully, the quality of the content of the mail to a maximum. What are the guidelines? Try to keep messages relatively short and to the point, but with all relevant information included. This serves a dual purpose; it keeps network traffic to a necessary minimum, and it improves the likelihood of readers reading your entire message. Personal information and .signatures should be kept to the generally accepted maximum of 5 lines of text. The editor may opt to shorten some lengthy signatures (without deleting any relevant information, of course). Within those 5 lines, feel free to be a bit, er, creative if you wish. Anyone sending messages containing, for example, technical information should *PLEASE* try to confirm their sources of information. When possible, site these sources. Speculating is frowned upon - it merely adds confusion. This editor does not have the time to confirm all contributions to the list, and may opt to discard messages which do not appear to have valid sources of information. All messages sent to the list should have appropriate subject lines. The subject lines should include the type of computer to which the message refers, when applicable. E.g., Subject: Brain virus detection (PC). Messages without appropriate subject lines *STAND A GOOD CHANCE OF NOT BEING INCLUDED IN A DIGEST*. As already stated, there will be no flames on the list. Such messages will be discarded. The same goes for any commercial plugs or panhandling. Submissions should be directly or indirectly related to the subject of computer viruses. This one is particularly important, other subscribers really do not want to read about things that are not relevant - it only adds to network traffic and frustration for the people reading the list. Responses to queries should be sent to the author of the query, not to the entire list. The author should then send a summary of his/her responses to the list at a later date. "Automatic answering machine" programs (the ones which reply to e-mail for you when you are gone) should be set to *NOT* reply to VIRUS-L. Such responses sent to the entire list are very rude and will be treated as such. When sending in a submission, try to see whether or not someone else may have just said the same thing. This is particularly important when responding to postings from someone else (which should be sent to that person *anyway*). Redundant messages will be sent back to their author(s). Thank-you for your time and for your adherence to these guidelines. Comments and suggestions, as always, are invited. Please address them to me, <LUKEN@LEHIIBM1.BITNET> or <luken@Spot.CC.Lehigh.EDU>. Ken van WykVIRUS-L Digest Tuesday, 1 Aug 1989 Volume 2 : Issue 165 Today's Topics: ftp addresses for VIRUS-SCAN program (PC) Missouri Virus (PC) virus info requested (no system given) New Israeli Boot Virus (PC) Re: 2 remarks about the name "virus" --------------------------------------------------------------------------- Date: Mon, 31 Jul 89 08:42:48 -0500 From: kichler@ksuvax1.cis.ksu.edu (Charles Kichler) Subject: ftp addresses for VIRUS-SCAN program (PC) What anonymous ftp sites are keeping up with the current virus detection/preventtion programs? I am particularily interested in the VIRUS-SCAN program. I would prefer to avoid calling HomeBase on my own funds. The university doesn't like us making phone calls on them. Charles "chuck" E. Kichler, Grad. Stud. Computer & Info. Science Kansas State Univ. * Yesterday, Internet: kichler@ksuvax1.cis.ksu.edu | I knew the answers. BITNET: kichler@ksuvax1.bitnet * Today, UUCP: {rutgers,texbell}!ksuvax1!kichler | they changed the answers. ------------------------------ Date: Mon, 31 Jul 89 09:33:43 -0400 From: "Dennis P. Moynihan" <DMOYNIHA@WAYNEST1.BITNET> Subject: Missouri Virus (PC) John MacAfee writes: "There has been some confusion about the Bantam Book's "Dos Power Tools" diskettes, and the recent Wayne State newsletter advising purchasers of the book not to use the diskettes has obviously concerned the editors at Bantam - and the warning is unwarranted...." Well, first off I'm glad that the diskette doesn't contain a virus--it's bad enough worrying about shared diskettes without having to worry about shrinkwrap stuff, too. I think, at the time, there was ample reason to be cautious about this product. The original posting was quite strong for a virus warning: "The occurrence was at the National Security Administration. The virus came into their shop on a disk shipped with the book - "DOS Power Tools", published by Bantam. This was the third report of the virus entering an installation on this book....". While John points out in his recent posting that Mr. Dimsdale 'believed' the infection came from the book and that two other organizations also suspected a 'possibility' of the disk being infected, these qualifiers are not to be found in the initial posting. We're in a situation here where we're not going to personally debug every new virus. We have to rely on the qualified and dedicated people who are already doing so. Virus-L is about the best forum for monitoring such activity. We're careful to take a report with weight the authors give it--when someone says "we're not sure yet" or "we believe", then we let them resolve that doubt before taking any action. I guess there is a two way lesson here. Readers of Virus-L have to be careful when evaluating a new report, and look for independent confirmation of reports before acting on them. However, I think this points out the need for utter clarity when offering a virus report to the list. People will act on them and there's no way of telling where something will end (sites will pass info on to others, the report may end up in a publication somewhere, etc.). For the record, I think everyone does take a tremendous amount of care with their reports and information, and the dedication of the group here is really amazing. And of course, the Hombase people are at the top of that heap. We'll our campus know that DOS power tools looks like a good buy after all. - -------------------------------------- Dennis Moynihan (DMOYNIHA@WAYNEST1) Computing and Information Technology Wayne State University Detroit, MI ------------------------------ Date: 01 Aug 89 02:59:35 +0000 From: mcvax!edvvie!eliza!andreas@uunet.UU.NET (Andreas Brandl) Subject: virus info requested (no system given) Hallo, I am looking for Anti-Virus-Software or Software to found viruses. If there is everyone out there who can help me, please write me. And if you don`t have Software i am also happy about a lot of sentenses. (New Virus, Software, Letters, .....) Please before you send programs, please Email me before. (andreas@edvvie.at) Many Thanks, Andreas - -- ------------------------------------------------------------------ EDV Ges.m.b.H Vienna Andreas Brandl Hofmuehlgasse 3 - 5 USENET: andreas@edvvie.at A-1060 Vienna, Austria/Europe Tel: (0043) (222) 59907 (8-16 CET) ------------------------------ Date: Mon, 31 Jul 89 12:01:50 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: New Israeli Boot Virus (PC) This is a forward from John McAfee: ============================================================================== I have received a copy of the boot virus reported by Yuval Tal and have included a check for it in the V32 of VIRUSCAN. The problem is that we don't have a name for it. I spoke with David Chess at IBM and suggested we call it the "Israeli Boot" since no other boot viruses have been reported from Israel. He found no problem with the name and I'd like to propose the name for general use. Any other name is also fine with me, but until another name is generally accepted the scan program will say "Israeli Boot Virus" whenever it's found. (I am aware that it is an unsatisfying name, it is marginally more descriptive than "Fred"). JDM [Ed. "Fred", eh? Hmmm... :-)] ------------------------------ Date: Mon, 31 Jul 89 19:06:43 -0000 From: raph@planet.british-telecom.co.uk Subject: Re: 2 remarks about the name "virus" In comp.virus you write: >1. The English language has certain traditional ways of naming groups >of animals, e.g., a goggle of goblins, a school of fish, a pack of >wolves, etc. Since both `virus' and `Trojan horse' have some kind of >animal overtones, I wonder what other people (preferably English >majors) think is a good way to name a group of those beasts. >Definitely not `diskful'---a disk is likely to be anything but full >after a visitation. A test-tube of viruses? A can of worms? A pack of >Trojan horses? `This BBS offers a horde of Trojan Horses for >downloading.' Please reply directly to me, and I'll summarize in the >newsgroup. These terms are called 'venereal' terms, because they were used in venery, or hunting. Maybe your analogy is stricter than you thought. ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Wednesday, 2 Aug 1989 Volume 2 : Issue 166 Today's Topics: anti-virus software Re: "Computer Condom" (from Risks digest)... os/2 question (PC) axe by sea (PC) Fixed-disk infectors (PC) Re: message virus (was: Computer Virus Research) Re: "Computer Condom" (from Risks digest)... --------------------------------------------------------------------------- Date: Tue, 01 Aug 89 16:55:53 +0700 From: KOCI Emil <KOCI@AWIIMC11.BITNET> Subject: anti-virus software I missed the actual programs (scan etc.) in VIRUS-L library at LEHIIBM1. It also would be a good idea to automatically distribute new versions when they arrive, to all members of the list. For "new" list-members it would be helpful to have instructions where/how to download/upload for different systems in every distribution-mail. (like IBMPC-L -list does). PS.: Is there on EARN/BITNET/ANYWHERE a regularily updated file with virus descriptions? (hard to get collection about known viruses and their symptomes) ------------------------------ Date: Tue, 01 Aug 89 12:33:15 -0400 From: Barry D. Hassler <hassler@nap1.arpa> Subject: Re: "Computer Condom" (from Risks digest)... In article <0003.8907311200.AA25265@ge.sei.cmu.edu> dmg@lid.mitre.org (David Gu rsky) writes: >[From the Seattle Weekly, 5/3/89] > >PUT A CONDOM ON YOUR COMPUTER > >... >Cummings, the company's president, says the system "stops all viruses" by >monitoring the user network, the keyboard, and the program in use. He notes >that the system is programmable to alter the parameters of its control on >any given machine, but he guarantees that, "when programmed to your >requirements, it will not allow viruses to enter." Pardon me for my opinions (and lack of expertise in viral control), but I think these types of products are dangerous to the purchaser, while most likely being especially profitable for the seller. I just saw a copy of this floating around to some senior management-types after being forwarded several times, and dug up this copy to bounce my two cents off. First of all, I don't see any method which can be guaranteed to protect against all viruses (of course the "when programmed to your requirements" pretty well covers all bases, doesn't it?). Naturally, specific viruses or methods of attach can be covered with various types of watchdog software/hardware, but I don't think it is possible to cover all the avenues in any way. - ----- Barry D. Hassler hassler@asd.wpafb.af.mil System Software Analyst (513) 427-6369 Control Data Corporation ------------------------------ Date: Tue, 01 Aug 89 16:32:00 -0400 From: IA96000 <IA96@PACE.BITNET> Subject: os/2 question (PC) does anyone know if any of the major viruses can pass to other files when running under (in) the dos compatibility box of os/2 extended edition? IN other words, the systems boots up under os/2, you enter the dos box and start to execute dos programs. i would think it would not be able to pass, but i am open to comments and conversation on this matter. ------------------------------ Date: Tue, 01 Aug 89 16:37:00 -0400 From: IA96000 <IA96@PACE.BITNET> Subject: axe by sea (PC) we have been testing various ways to help prevent a file from becoming infected and have stunbled on an interesting fact. system enhancement associates (the people who wrote arc) have also released axe, a program compression utility. basically axe reads a .exe or .com file, compresses it as much as possible, tacks a dos loader on the front of the file and then saves the new file. in many instances, the resulting file is from 15% to 50% smaller than the original file and loads and runs just like a regular dos file. what is interesting is when a virus attacks an axe'd file. the virus writes itself into the file as many viruses do. however, when you next attempt to load and run the file, it will not load and locks up the system. this is not because the viruys has taken control! this happens because when an axed file is loaded, it is decompressed and the checksum is compared to the original one generated when the file was axed. I know axe was never designed to be anti-viral, but it sure works well in this regard. since the file is actually in encrypted form on the disk, it screws up the virus! ------------------------------ Date: 01 Aug 89 00:00:00 +0000 From: David M. Chess <CHESS@YKTVMV.BITNET> Subject: Fixed-disk infectors (PC) Does anyone know of, or has anyone even heard credible rumors of, any boot-sector virus that will infect the boot sector (master or partition) of IBM-PC-type hard disks, besides the Bouncing Ball and the Stoned? Those are the only two I seem to see that do that; am I missing any? DC ------------------------------ Date: 01 Aug 89 21:23:30 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: message virus (was: Computer Virus Research) we call those ansi 3.64 control sequences.... vt100 and other terminals have similar if not exactly the same features... ansi.sys implements a subset of ansi 3.64 without any protection the problem has been known at various unix sites for years only now its starting to show up on pc's because of the usage of ansi.sys and other programs that recognize these sequences.... cheers kelly ------------------------------ Date: 01 Aug 89 21:18:49 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: "Computer Condom" (from Risks digest)... hahahahahahahahah!!!!!!! right chief just like swamp land in them thar everglades... seriously though things will not improve until vendors start going for protected mode and other tricks...I am talking about 386's and 68030's here... maybe something could be done in this area with charge cars on a 286 but I doubt it... your need that virtual 8086 partition on the 386 to have any real safety and have to be operating protected mode to take advantage of it(DESQVIEW 386, THD386.sys etc) after that then there are still so many ways to get in!! cheers kelly ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Thursday, 3 Aug 1989 Volume 2 : Issue 167 Today's Topics: viruses that reprogram ANSI keys Re: Computer Condom Re: Shareware? Hmm... (Mac) OS/2 and viruses... Re: Axe by SEA - not an anti-viral Re: os/2 question (PC) --------------------------------------------------------------------------- Date: Wed, 02 Aug 89 07:56:19 -0400 From: <V2002A@TEMPLEVM.BITNET> Subject: viruses that reprogram ANSI keys Hi, Just a quick note about viruses that reprogram keys to do nasty things. Several good terminal emulation packages have a feature that allows you to 'lock out' any host generated key redefinitions. With Persofts Smarterm 220/240 series of programs you can set the 'User Features Locked' and the program will ignore all attempts to reprogram the keys with escape sequences. Andy Wing V2002A@TEMPLEVM.BITNET [Ed. Not bad, but does MS-DOS's ANSI.SYS allow to lock out these sequences? I don't believe that it does. If not, escape codes imbedded in documentation, for example, can do a lot...] ------------------------------ Date: Wed, 02 Aug 89 09:26:00 -0400 From: <MANAGER@JHUIGF.BITNET> Subject: Re: Computer Condom Barry D. Hassler <hassler@nap1.arpa> writes: >Pardon me for my opinions (and lack of expertise in viral control), but I >think these types of products are dangerous to the purchaser, while most >likely being especially profitable for the seller. I just saw a copy of >this floating around to some senior management-types after being forwarded >several times, and dug up this copy to bounce my two cents off. >First of all, I don't see any method which can be guaranteed to protect >against all viruses (of course the "when programmed to your requirements" >pretty well covers all bases, doesn't it?). Naturally, specific viruses or >methods of attach can be covered with various types of watchdog >software/hardware, but I don't think it is possible to cover all the >avenues in any way. Barry, I think it was supposed to be a joke. I mean, the company president's name was Rick (or Dick) Cummings... Think about it. It's even better than that thing by Mike RoChanle (Micro Channel). Remember that? Damian Hammontree System Programmer, Johns Hopkins School of Medicine, Baltimore MANAGER @ JHUIGF Disclaimer: I wouldn't be suprised if it was on the level and I'm wrong about this, but I don't think so.... 8^) ------------------------------ Date: Wed, 02 Aug 89 08:31:05 -0500 From: Joe McMahon <XRJDM@scfvm.gsfc.nasa.gov> Subject: Re: Shareware? Hmm... (Mac) Here is Jeff Shulman's reply to my letter about VirusDetective. ----------------------------Original message---------------------------- Bob forwarded your letter to me. I *would* appreciate you sending a followup letter to the virus list since I feel my reputation is at stake. I do empathise with the possible hurt feelings a user may have when seeing a bill for being honest. I have since been sending a letter of explanation as to why the price increased. I am still sending users what they paid for at the old price along with the bill (your friend *did* receive a disk if you recall). I'm not out to punish my honest users but to inform them that there has been a price increase and I would appreciate it if they paid the difference (after all it isn't fair to the new users who *pay* the current higher price for someone who paid the lower price, at the same time, to get the same service). Jeff uucp: ...rutgers!yale!slb-sdr!shulman CSNet: SHULMAN@SDR.SLB.COM AppleLink: KILROY Delphi: JEFFS GEnie: KILROY CIS: 76136,667 ------------------------------ Date: Wed, 02 Aug 00 19:89:34 +0000 From: utoday!greenber@uunet.uu.net Subject: OS/2 and viruses... OS/2 makes some hardware calls for things such as formatting a disk. It goes around the bios. As such, none of the monitoring type programs are gonna stop an OS/2 FORMAT command to trigger. Found that out the hard way! :-) Ross Ross M. Greenberg UNIX TODAY! 594 Third Avenue New York New York 10016 Review Editor Voice:(212)-889-6431 BBS:(212)-889-6438 uunet!utoday!greenber BIX: greenber MCI: greenber CIS: 72461,3212 ------------------------------ Date: Wed, 02 Aug 00 19:89:13 +0000 From: utoday!greenber@uunet.uu.net Subject: Re: Axe by SEA - not an anti-viral Programs such as Axe, which are stand alone decompressors, should not be considered an effective defense by any means angainst virus attacks. Consider a vanilla program, compressed and wrapped up in a decompress shell. Fine. Now, stick a virus around the shell (shell-within-a-shell). When you execute the program, the virus executes, then the decompressor starts to work. The checksum doesn;t match, so the system hangs, or aborts, or whatever. However the virus has already run.... (viruses such as the TSR Israeli Virus may not run, though, since the infected program is never really run if it crashes....) Ross Author, FLU_SHOT+ ------------------------------ Date: 03 Aug 89 04:39:10 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: os/2 question (PC) none of the com infectors I think would presently pass and none of the exe infe ctors at present for the strains that homebase has gotten samples of could....b ut exe header info for dos , windows and os2 is in essence somewhat the same(i. e. exe hdrs for windows and os2 contain extensions to the regular format...) if the exe file from dos will run unchanged in the compatibility box then I think you may indeed have a possibility of infection... however os-2 executable woul d tend to have selective parts of their exe header mashed...ones that I would t hink would represent a real possibility of infection would be the improved stra ins of the jerusalem virus(the strains that infects exe hdrs correctly) and oth er exe infectors that are reasonable well behaved...however the subject of tran sport viruses has come up before in conversations between john and myself and I think at least that it represents a real possibility...(also note that lacking a os-2 system at this time I am essentia! lly winging it...I did however tak e a look at the various header formats and various exe infectors that homebase folks have provided disassemblies of in answering in this fashion). If any of t he os-2 folks have comments negative or positive out there e-mail me and I will summarize to the net on this.I am also personally looking into this with respe ct to 386, Interactives UNIX 5.3 and their DOS under UNIX Option!! cheers kelly disclaimer: neither AMDAHL Corp. nor ONSITE Consulting take any responsibility nor make any warranties for what I say... it is totally and completely the res ponsibility of Cybernetic Systems Specialists Inc. and myself... flames>>/dev/nul ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Friday, 4 Aug 1989 Volume 2 : Issue 168 Today's Topics: Israeli boot viruses; New UnVirus (PC) New FTP source for anti-virals (PC) - Internet access required IBM Australian/Stoned Virus (PC) Re: viruses that reprogram ANSI keys Re: Shareware? Hmm... (Mac) --------------------------------------------------------------------------- Date: Thu, 03 Aug 89 17:07:48 +0300 From: Y. Radai <RADAI1@HBUNOS.BITNET> Subject: Israeli boot viruses; New UnVirus (PC) Israeli boot-sector viruses --------------------------- At least two boot-sector viruses were discovered in Israel recently. One, which hooks interrupt 17h and causes letters sent to the printer to be replaced by similar sounding ones, was reported by Yair Gany and by myself in VIRUS-L at the end of June. I referred to it then as the "Mistake" virus, but I now prefer the name "Typo". Another virus, mentioned by John McAfee a few days ago, was de- scribed only as being a boot-sector virus discovered in Israel; he suggested calling it the "Israeli Boot" virus since he thought that no such viruses had been reported from Israel previously. But since the Typo is also a boot-sector virus, John's suggestion is inappropriate. I have not yet seen the new virus in action, but according to info sent me by Yuval Tal, it causes letters on the screen to fall. (There are two other viruses which fit this description: the Cascade/Autumn/ Blackjack virus and the Traceback virus, but they infect files, not boot sectors.) I suggest we call it the Swap virus, since the words SWAP VIRUS FAT12 appear in the modified boot sector. New version of UNVIRUS ---------------------- A few weeks ago I offered to send the virus-eradicating program UNVIRUS to anyone who wanted it. It has now been updated to eradicate many more viruses. I have sent a package UNVIR6.ARC to Keith Petersen for uploading to the SIMTEL20 archive. It consists of the following three files: UNVIR6.DOC Instructions for use of the following two programs. UNVIRUS.EXE Eradicates Israeli (2 strains), Ping-Pong, Brain, Typo, (Vers. 6) April-1-Com, April-1-Exe. IMMUNE.EXE Prevents infection by Israeli and April-1 viruses and (Vers. 5) notifies of presence in RAM of any boot-sector virus. The authors (Yuval Rakavy and Omri Mann) plan to extend UNVIRUS to many more viruses in the near$future, but they always give priority to those which have appeared in Israel. The next virus on the list will evidently be the Swap virus. Y. Radai Hebrew Univ. of Jerusalem P.S. Please do not send requests for UNVIR6 to me. If it is not yet on SIMTEL20 it soon will be. ------------------------------ Date: Thu, 03 Aug 89 12:15:52 -0500 From: kichler@ksuvax1.cis.ksu.edu (Charles Kichler) Subject: New FTP source for anti-virals (PC) - Internet access required The following files dealing with computer viruses are now available by anonymous ftp (file transfer protocol) from 'hotel.cis.ksu.edu' [Ed. IP number is 129.130.10.12] located in Computer Science Dept. at Kansas State University, Manhattan, KS. The files have been and will be collected in the future from reliable sources, although no warranty is implied or stated. I will attempt to update the files as often as possible. If anyone becomes aware of new updates or new anti-viral programs, let me know. All files are in the /ftp/pub/Virus-L sub-directory. ./ DETECT2.ARC.1 GREENBRG.ARC.1 VACCINE.ARC.1 ../ DIRTYDZ9.ARC.1 IBMPAPER.ARC.1 VACCINEA.ARC.1 00-Index.doc DPROT102.ARC.1 IBMPROT.DOC.1 VACI13.ARC.1 ALERT13U.ARC.1 DPROTECT.ARC.1 INOCULAT.ARC.1 VCHECK11.ARC.1 BOMBCHEK.ARC.1 DPROTECT.CRC.1 MD40.ARC.1 VDETECT.ARC.1 BOMBSQAD.ARC.1 DVIR1701.EXE.1 NOVIRUS.ARC.1 VIRUS.ARC.1 CAWARE.ARC.1 EARLY.ARC.1 PROVECRC.ARC.1 VIRUSCK.ARC.1 CHECK-OS.ARC.1 EPW.ARC.1 READ.ME.FIRST VIRUSGRD.ARC.1 CHK4BOMB.ARC.1 F-PROT.ARC.1 SCANV30.ARC.1 pk36.exe CHKLHARC.ARC.1 FILE-CRC.ARC.2 SENTRY02.ARC.1 pk361.exe CHKSUM.ARC.1 FILECRC.ARC.2 SYSCHK1.ARC.1 uu213.arc CHKUP36.ARC.1 FILETEST.ARC.1 TRAPDISK.ARC.1 CONDOM.ARC.1 FIND1701.ARC.1 TROJ2.ARC.1 DELOUSE1.ARC.1 FSP_16.ARC.1 UNVIR6.ARC.1 The current list only includes programs for MS/PC-DOS computers. I will continue to expand the collection to include some worthwhile textual documents and possible programs for other machines and operating systems. The procedure is to first ftp to the hotel.cis.ksu.edu. [Ed. type: ftp hotel.cis.ksu.edu (or ftp 129.130.10.12). Enter "anonymous" (without the quotes) as a username and "your id" as a password.] Then use 'cd pub/Virus-L'. Next get the files you would like. You will need the 'pk361.exe' to expand the ARChived programs. Be sure to place ftp in a binary or tenex mode [Ed. type "bin" at ftp> prompt]. Please note that the highly recommended VirusScan program (SCANV30.ARC.1) is available. If there are any questions, send mail to me and I will make every effort to help you as soon as time allows. [Ed. Sorry for all the editorial comments... And thank you for all of your efforts, Chuck!] Charles "chuck" E. Kichler, Into. to PC Instructor/Co-ordinator Computer & Info. Science Kansas State Univ. * Yesterday, Internet: kichler@ksuvax1.cis.ksu.edu | I knew the answers. BITNET: kichler@ksuvax1.bitnet * Today, UUCP: {rutgers,texbell}!ksuvax1!kichler | they changed the answers. ------------------------------ Date: 04 Aug 89 07:35:42 -0100 From: Jeff Raynor <raynor@rzsin.sin.ch> Subject: IBM Australian/Stoned Virus (PC) One of my colleagues has just become infected with the "Stoned/Australian" virus and contacted me for help. I have searched through my VIRUS-L archives for information. There seems little specific details of what part of the hard disk it infects, nor how to remove it. The best information was on 8-May-89 from Alan_J_Roberts/Jim Goodwin: >..this virus stores itself between the partition table and the > first partition. According to Norton Utilities, Absolute sector Side 0, Cylinder 0, Sector 1 is my partition table, while Sector 2 is the start of my DOS partition. Where is the virus supposed to reside? at the end of the 1st sector, or is there an error in my sector numbering? There is further mention that SYS fails to remove the virus (I can confirm that), but recommends MDISK. I have downloaded the <MSDOS.TROJAN-PRO>MD40.ARC from Simtel, but find that it is DOS version specific, MD40 is for DOS 4.0 only. In this case, I need MD32, but would like MD30 and MD33 as we run 3.1 and 3.3 here. I would also like to see a DOS independent algorithm to remove the virus manually using DEBUG low-level read/writes or a Disk editor. Thanks for your help Jeff Raynor EARN: RAYNOR@RZSIN.SIN.CH Post: Paul Scherrer Institut, Badenerstrasse 569, 8048 Zurich, Switzerland. ------------------------------ Date: 03 Aug 89 22:18:25 +0000 From: hutto@attctc.Dallas.TX.US (Jon Hutto) Subject: Re: viruses that reprogram ANSI keys They don't usually harm people using communications softwares as much as it does BBS's, because the sequences are set for only certain directories, and files. IBM's ANSI.SYS doesn't let you filter them out eithere. There are some ANSI substitutes that do. Such as NANSI, and PC-Mag had one in an issue called ANSI.COM. - -- - -- Jon Hutto PC-Tech BBS (214)271-8899 2400 baud USENET: {ames, texbell, rutgers, portal}!attctc!hutto INTERNET: hutto@attctc.dallas.tx.us or attctc!hutto@ames.arc.nasa.gov ------------------------------ Date: Thu, 03 Aug 89 08:21:33 -0400 From: "W. K. Bill Gorman" <34AEJ7D@CMUVM.BITNET> Subject: Re: Shareware? Hmm... (Mac) Yeah, I know - wrong list, but... Wouldn't it be interesting if others, say auto dealers, took this same position,i.e., since one has the use of a vehicle purchased from them, kick in the difference in price between, say, the '89 and '90 models? Yeow!!! :-) ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 7 Aug 1989 Volume 2 : Issue 169 Today's Topics: Infection report (PC) re: Israeli boot viruses - naming (PC) FluShot+v1.6 boot block checksum alerts? (PC) Re: viruses that reprogram ANSI keys All about Virus (PC) axe by sea (PC) --------------------------------------------------------------------------- Date: Fri, 04 Aug 89 10:22:00 -0500 From: Holly Lee Stowe <IHLS400@INDYCMS.BITNET> Subject: Infection report (PC) I asked Ken (hi!) whether I should report a recent infection here to someone, and to whom I should report it, and he suggested that I post it here and let those folks doing tracking contact me if need be... so... :-) We recently have found Yale/Alameda in 3 of our micro clusters on a total of approximately 10-12 disks. We also found it on one of our faculty's disks. Fortunately, we feel we caught it early on, and this particular virus is not difficult to eradicate, nor does it cause irreparable damage. The bad news is that we still do not have permission to put regular disk checking in place for our IBM clusters, and the discovery of the virus was more an accident than anything else. One of our consultants recently downloaded VIRUSCAN off Homebase and was showing it to another consultant. (Since our Scores infection in our Mac clusters last winter, every time a disk doesn't work, we here the cries of "Virus!". It turns out that this time it was valid.) I hope that with this infection, as it was with Scores, we will be given the green light to make some checking policies in the IBM clusters as well as the Mac's. Those who track infections of various viruses are welcome to contact me at IHLS400@INDYCMS.BITNET if they wish. Please don't become concerned if I don't respond immediately as I'm getting ready to go on *VACATION!* for 2 weeks. I will reply on my return. (Computers... just say NO! :-) - -Holly If something is preposterous, does it later become postposterous? ------------------------------ Date: 04 Aug 89 00:00:00 +0000 From: David M. Chess <CHESS@YKTVMV.BITNET> Subject: re: Israeli boot viruses - naming (PC) Y. Radai: > I suggest we call it the Swap virus, since the words > SWAP VIRUS FAT12 appear in the modified boot sector. Although Yuval's sample disk does contain those words, I assumed that he must have put them there himself, as a way of labelling the diskette. When the virus spreads, it does not (as far as I've been able to tell from both testing and disassembly) put those words in the boot sector. All it does is change the initial JMP, and overlay 31 bytes of the original boot sector (in the message-text area in at least some versions of DOS) with its code to load and call the main virus from its "bad" sector. The words "SWAP VIRUS" don't occur anywhere on the freshly-infected diskette I just produced. Since the virus doesn't really "swap" anything, I'm not sure how good a name that is, although "Israeli boot" is poor for the reason you give. Naming is a pain, isn't it? We could call it the "Falling Letters Boot Virus" (tho' there'll probably be another one next month...). DC ------------------------------ Date: Fri, 04 Aug 89 13:26:00 -0600 From: Pete Klammer/303-556-3915 <PFKLAMMER@CUDENVER.BITNET> Subject: FluShot+v1.6 boot block checksum alerts? (PC) Help! I am either infected or else just mystified! (Or...???) I am getting frequent messages from FluShot+ version 1.6 saying, Boot Record Checksum(s) do not match! and, indeed, if I go into DEBUG>L 0 2 0 1, there I find at offset 002E/ 5F 0E 0A at one time and B8 E2 09 at another. My boot block is changing! VIRUSCAN version 0.4V30 does not detect anything. My boot-block documentation here is scanty... I did a VOLABEL C: and the label I gave does not appear anywhere in DEBUG>D 0 L 200 output... am I really looking at my boot block? Isn't that where the label is? /** --poko " I'm half Estonian, which makes up for the other half. " Pete Klammer/Systems Programmer/(303)556-3915 PKLAMMER@PIKES.COLORADO.EDU CU-Denver Computing Services / Campus Box 169 BITNET: PKLAMMER@CUDENVER 1200 Larimer St NC2506 / Denver CO 80204-5300 UU:!boulder!pikes!pklammer **/ ------------------------------ Date: 04 Aug 89 20:27:47 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: viruses that reprogram ANSI keys In article <0004.8908041206.AA09232@ge.sei.cmu.edu>, hutto@attctc.Dallas.TX.US (Jon Hutto) writes: > They don't usually harm people using communications softwares as much as > it does BBS's, because the sequences are set for only certain directories, > and files. The trick of defining a command sequence to create sushi on a unix system would compromise root integrity... most comm software that is capable of either emul atining programmable terminal sequences or ansi.sys and programs that implement those sequences are capable of accepting a command line into a buffer or windo w with the view attribute set to non-visible and then retransmitting that comma nd to the host unix system all under remote control.... I could hardly call tha t harmless... furthermore most users including a surprising number of systems a dministration types are unaware that their terminal or programmable termulator/ file transfer package can be tricked in this fashion..> > Jon Hutto PC-Tech BBS (214)271-8899 2400 baud > USENET: {ames, texbell, rutgers, portal}!attctc!hutto > INTERNET: hutto@attctc.dallas.tx.us or attctc!hutto@ames.arc.nasa.gov Kelly Goen Cybernetic Systems Specialists Inc. Disclaimer: My Thoughts are my own. Neither Amdahl Corp nor Onsite Consulting m ake any warranty and/or have anything to do with the information contained abov e! p.s. sushi --> SuperUser SHell Interactive the trick above is known as a boomer ang also!! ------------------------------ Date: 04 Aug 89 23:53:21 +0000 From: mcvax!edvvie!eliza!andreas@uunet.UU.NET (Andreas Brandl) Subject: All about Virus (PC) I am looking for Anti-Virus-Software or Software to found viruses. If there is everyone out there who can help me, please write me. And if you don`t have Software i am also happy about a lot of sentenses. (New Virus, Software, Letters, .....) In my last mail, i don't write anything about my Work-System. I am working on an IBM PS/2 Computer. Please before you send programs, please Email me before. (andreas@edvvie.at) Many Thanks, Andreas ------------------------------------------------------------------ EDV Ges.m.b.H Vienna Andreas Brandl Hofmuehlgasse 3 - 5 USENET: andreas@edvvie.at A-1060 Vienna, Austria/Europe Tel: (0043) (222) 59907 (8-16 CET) ------------------------------ Date: Sat, 05 Aug 89 12:59:00 -0400 From: IA96000 <IA96@PACE.BITNET> Subject: axe by sea (PC) i did not mean to propse that axe is the cure all or preventative for viral infections. i just wanted to point out what we had found. in most cases, a virus attacking a program which has been axed creates a situation where the axe'd program will not load properly due to the compression used when the program was axe'd. basically axe reads a file and like arc applies a compression formula to the file and then writes the file back to the disk along with a special loader incorporated in the file. when a virus attacks the file, it changes (obviously) some of the compressed data. however it does not really know that the data has been compressed by axe. so when the user goes to load the program the loader cannot un-compress the data and halts operation. while not a cure all or anything like that it is a good way to spot instantly if a file has been tampered with. ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Tuesday, 8 Aug 1989 Volume 2 : Issue 170 Today's Topics: WARNING: New Mac virus (reposted from comp.sys.mac) Typo Virus (PC) Israeli Boot Virus (PC) nFLU Virus & Disinfectant (Mac) FLU_SHOT+ V1.6 and Boot Blocks (PC) --------------------------------------------------------------------------- Date: Mon, 07 Aug 89 12:48:25 -0000 From: "John Norstad" <jln@acns.nwu.edu> Subject: WARNING: New Mac virus (reposted from comp.sys.mac) Another Macintosh virus named "nFLU" has been discovered at the University of Minnesota. This virus is identical to nVIR B, except for the name change. Disinfectant version 1.2 has been configured to recognize nFLU. We recommend that all Disinfectant users obtain a copy of this new version. Version 1.2 also contains a few other minor changes. For a detailed list of all the changes see the section titled "Version History" in the online document. Disinfectant is free. Features: - - Detects and repairs files infected by Scores, nVIR A, nVIR B, Hpat, AIDS, MEV#, nFLU, INIT 29, ANTI, and MacMag. These are all of the currently known Macintosh viruses. - - Scans volumes (entire disks) in either virus check mode or virus repair mode. - - Option to scan a single folder or a single file. - - Option to "automatically" scan a sequence of floppies. - - Option to scan all mounted volumes. - - Can scan both MFS and HFS volumes. - - Dynamic display of the current folder name, file name, and a thermometer indicating the progress of a scan. - - All scans can be canceled at any time. - - Scans produce detailed reports in a scrolling field. Reports can be saved as text files and printed with an editor or word processor. - - Carefully designed human interface that closely follows Apple's guidelines. All operations are initiated and controlled by 8 simple standard push buttons. - - Uses an advanced detection and repair algorithm that can handle partial infections, multiple infections, and other anomalies. - - Careful error checking. E.g., properly detects and reports damaged and busy files, out of memory conditions, disk full conditions on attempts to save files, insufficient privileges on server volumes, and so on. - - Works on any Mac with at least 512K of memory running System 3.2 or later with HFS. - - Can be used on single floppy drive Macs with no floppy shuffling. - - Extensive online document describing Disinfectant, viruses in general, the Mac viruses in particular, recommendations for "safe" computing, Vaccine, and other virus fighting tools. We tried to include everything in the document that the average Mac user needs to know about viruses. John Norstad Academic Computing and Network Services Northwestern University 2129 Sheridan Road Evanston, IL 60208 Bitnet: jln@nuacc Internet: jln@acns.nwu.edu AppleLink: a0173 CompuServe: 76666,573 ------------------------------ Date: Sat, 05 Aug 89 16:55:21 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: Typo Virus (PC) I just began an analysis of the Typo virus and, as with all new reported viruses, I ran McAfee's ViruScan against it as a first step. Imagine my surprise when it identified it as the Ping Pong virus! After tearing it apart, it turned out to be 90% original Ping Pong. Someone has taken the Ping Pong Carrier mechanism and modified the code that displays the bouncing dot to effect the typographical errors reported by Y Radai. I gave the disassembly to John and I believe Scan version 33 discriminates between the two viruses. John also just gave me a copy of the new Datacrime-2 virus, which is a strange beast. The encryption at the front of the virus is very different from the 1701/4 encryption method. Included in the decryption code is a routine to prevent looking at the code through debug, Codeview or other single step utility. I'll report back when I've ripped the beast apart, meanwhile I gave John sufficient info to update ViruScan so it can identify it (I think it's also included in V33). Alan ------------------------------ Date: Sat, 05 Aug 89 17:06:52 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: Israeli Boot Virus (PC) This is a forward from John McAfee: ============================================================================ Mr Radai rightly points out that there are two boot viruses that have emanated from Israel. He suggests that we call the first one (the one that causes letters to fall from the screen) the "Swap" virus, since the message - 'SWAP Virus FAT12' appears in the modified boot record. I would heartily agree, except that the version I have does not display such a message. The thirty byte modification to the boot record (in my copy), is program code - no data characters at all. I don't know now whether we are talking about different viruses (although both allegedly originated with Mr. Tal) or whether some slight, or major, modification has been made to this virus in its travels. In any case, for the meantime, I will leave the VIRUSCAN messages alone. The original virus I still call the 'Israeli Boot', the new virus I call the 'Typo'. I will change the name to a more acceptable name after someone has educated me on this issue. Thanks for bearing with me. John McAfee ------------------------------ Date: Mon, 07 Aug 89 10:39:26 -0400 From: Joe McMahon <XRJDM@SCFVM> Subject: nFLU Virus & Disinfectant (Mac) Disinfectant 1.2 has been added to the automatic file distribution for those who are AFD'd to the VIRUSREM package at SCFVM. The file should be distributed this evening. --- Joe M. ------------------------------ Date: Mon, 07 Aug 00 19:89:51 +0000 From: utoday!greenber@uunet.uu.net Subject: FLU_SHOT+ V1.6 and Boot Blocks (PC) There is a minor bug in FLU_SHOT+, V1.6, that will (depending upon the version of DOS used) ocasionally trigger the Boot Block Has Changed Message. Ends up I forgot to zero out the top half of a register. Fixed in V1.7. (The beta's all went out today, by the way...thanks for your patience!) Some people have recently started telling me about V1.6 telling them the boot has changed (under DOS 4.0) and (when they investigate it) they find that to be true. No firsthand verification yet, though... ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Wednesday, 9 Aug 1989 Volume 2 : Issue 171 Today's Topics: worm discussion on comp.protocols.tcp-ip Looking for anti-viral archive sites Memory Resident ViruScan (PC) Intro to the anti-viral archives Re: nFLU Virus & Disinfectant (Mac) Amiga anti-viral archive sites Apple II anti-viral archive sites Atari ST anti-viral archive sites Documentation anti-viral archive sites IBMPC anti-viral archive sites --------------------------------------------------------------------------- Date: 08 Aug 89 13:09:44 +0000 From: krvw@sei.cmu.edu (Kenneth Van Wyk) Subject: worm discussion on comp.protocols.tcp-ip Those interested in discussing and/or reading about the Internet Worm (of last November) may want to take a look at some of the current discussions on the Usenet newsgroup, comp.protocols.tcp-ip. Ken ------------------------------ Date: Tue, 08 Aug 89 13:16:04 -0500 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Looking for anti-viral archive sites In conjunction with comp.virus/VIRUS-L, we have been trying to establish a number of archive sites throughout the world to distribute anti-viral information and software. The microcomputer sites are well established, and now we'd like to expand our focus. To this end, I'm asking for one or more sites to volunteer their support of the archive system. What we are particularly looking for is a site to hold information of interest to the computers hooked up to these various networks. Most likely this will be focused on Unix support, but other systems (VMS, MVS, etc.) are also welcome. What interests you? The contents of the archives will be determined by what is contributed. Research papers, warnings of potential problems, bug fixes, monitoring software, etc. etc. The archives will hopefully reflect the community's needs. If you already maintain such an archive, please let me know so I can add you to our list of sites. If you'd like more information, write to me or post a message to the list. All follow-ups have been directed to comp.virus. Thanks for your consideration. Jim Wright jwright@atanasoff.cs.iastate.edu ------------------------------ Date: Tue, 08 Aug 89 12:07:56 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: Memory Resident ViruScan (PC) The following is a forward from John McAfee: ============================================================================== I've had a number of requests for a version of VIRUSCAN which will stay resident and check each program as it's loaded. The suggestions were that such a program would give no false alarms and would not interfere with other memory resident programs since it would not need to check interrupt 13 or other disk I/O calls. I succumbed to temptation and made a memory resident version. Initial testing has gone well and it indeed does not conflict with any other memory resident program and we have not seen sny false alarms from a variety of systems. When it loads it checks the partition table, boot sector, hidden files and the Command Interpreter. Thereafter it scan each program that's loaded. That's it. What I need now are beta testers. Everyone who insisted that I build this thing has a moral obligation to step up to the line and volunteer. Please call me at 408 727 4559, 408 988 3832, or leave a message on HomeBase at 408 988 4004. Thanking you in advance. John McAfee ------------------------------ Date: 08 Aug 89 22:54:39 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Intro to the anti-viral archives # Introduction to the Anti-viral archives... # Listing of 08 August 1989 This posting is the introduction to the "official" anti-viral archives of virus-l/comp.virus. With the generous cooperation of many sites throughout the world, we are attempting to make available to all the most recent news and programs for dealing with the virus problem. Currently we have sites for Amiga, Apple II, Atari ST, IBMPC and Macintosh microcomputers, as well as sites carrying research papers and reports of general interest. Still looking for sites for larger systems. If you have general questions regarding the archives, you can send them to this list or to me. I'll do my best to help. If you have an archive site and would like to volunteer your site (and are in a position to do so! :-), send me a message. Also, if you have a submission for the archives, you can send it to me or to one of the persons in charge of the relevant sites. If you have any corrections to the lists, please let me know. ------------------------------ Date: Tue, 08 Aug 89 16:54:41 -0600 From: pvi!kenr@ncar.ucar.edu (Ken Regelson) Subject: Re: nFLU Virus & Disinfectant (Mac) In article <0004.8908081126.AA21881@ge.sei.cmu.edu> you write: >Disinfectant 1.2 has been added to the automatic file distribution for >those who are AFD'd to the VIRUSREM package at SCFVM. The file should >be distributed this evening. > > --- Joe M. Dear Joe: I don't know if this is at all possible, but is there some way I can be included in an AFD (Automatic File Distribution ??) for Disinfectant? I am not directly on the internet, but can be reached by UUCP. My apologies if thru ignorance I have asked for something that is inappropriate. My many thanks if there is some way to honor my request. I would be quite pleased to receive other Virus Remedies thru mail as well. thanks, again. Ken Regelson, Precision Visuals, Inc. ...boulder!pvi!kenr or boulder!kenr@pvi.com ------------------------------ Date: 09 Aug 89 03:13:08 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Amiga anti-viral archive sites # Anti-viral archive sites for the Amiga # Listing last changed 08 August 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Amiga index for the virus archives can be retrieved as request: amiga topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> ms.uky.edu Sean Casey <sean@ms.uky.edu> Access is through anonymous ftp. The Amiga anti-viral archives can be found in /pub/amiga/Antivirus. The IP address is 128.163.128.6. pd-software.lancaster.ac.uk Steve Jenkins <pdsoft@pd-software.lancaster.ac.uk> No access details yet. uxe.cso.uiuc.edu Mark Zinzow <markz@vmd.cso.uiuc.edu> Lionel Hummel <hummel@cs.uiuc.edu> The archives are in /amiga/virus. There is also a lot of stuff to be found in the Fish collection. The IP address is 128.174.5.54. Another possible source is uihub.cs.uiuc.edu at 128.174.252.27. Check there in /pub/amiga/virus. ------------------------------ Date: 09 Aug 89 03:13:54 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Apple II anti-viral archive sites # Anti-viral archive sites for the Apple II # Listing last changed 08 August 1989 brownvm.bitnet Chris Chung <chris@brownvm.bitnet> Access is through LISTSERV, using SEND, TELL and MAIL commands. Files are stored as apple2-l xx-xxxxx where the x's are the file number. cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Apple II index for the virus archives can be retrieved as request: apple topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> pd-software.lancaster.ac.uk Steve Jenkins <pdsoft@pd-software.lancaster.ac.uk> No access details yet. ------------------------------ Date: 09 Aug 89 03:16:43 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Atari ST anti-viral archive sites # Anti-viral archive sites for the Atari ST # Listing last changed 08 August 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Atari ST index for the virus archives can be retrieved as request: atari topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk>. pd-software.lancaster.ac.uk Steve Jenkins <pdsoft@pd-software.lancaster.ac.uk> No access details yet. ssyx.ucsc.edu Steve Grimm <koreth@ssyx.ucsc.edu> Access to the archives is through FTP or mail server. With ftp, look in the directory /pub/virus. The IP address is 128.114.133.1. For instructions on the mail-based archiver server, send help to <archive-server@ssyx.ucsc.edu>. ------------------------------ Date: 09 Aug 89 03:17:22 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Documentation anti-viral archive sites # Anti-viral archive sites for documentation # Listing last changed 08 August 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The index for the **GENERAL** virus archives can be retrieved as request: general topic: index The index for the **MISC.** virus archives can be retrieved as request: misc topic: index **VIRUS-L** entries are stored in monthly and weekly digest form from May 1988 to December 1988. These are accessed as log.8804 where the topic substring is comprised of the year, month and a week letter. The topics are: 8804, 8805, 8806 - monthly digests up to June 1988 8806a, 8806b, 8806c, 8806d, 8807a .. 8812d - weekly digests The following daily digest format started on Wed 9 Nov 1988. Digests are stored by volume number, e.g. request: virus topic: v1.2 would retrieve issue 2 of volume 1, in addition v1.index, v2.index and v1.contents, v2.contents will retrieve an index of available digests and a extracted list of the the contents of each volume respectively. **COMP.RISKS** archives from v7.96 are available on line as: request: comp.risks topic: v7.96 where topic is the issue number, as above v7.index, v8.index and v7.contents and v8.contents will retrieve indexes and contents lists. For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> lehiibm1.bitnet Ken van Wyk <LUKEN@LEHIIBM1.BITNET> new: <krvw@sei.cmu.edu> This site has archives of VIRUS-L, and many papers of general interest. Access is through ftp, IP address 128.180.2.1. The directories of interest are VIRUS-L and VIRUS-P. pd-software.lancaster.ac.uk Steve Jenkins <pdsoft@pd-software.lancaster.ac.uk> No access details yet. unma.unm.edu Dave Grisham <dave@unma.unm.edu> This site has a collection of ethics documents. Included are legislation from several states and policies from many institutions. Access is through ftp, IP address 129.24.8.1. Look in the directory /ethics. ------------------------------ Date: 09 Aug 89 03:17:54 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: IBMPC anti-viral archive sites # Anti-viral archive for the IBMPC # Listing last changed 08 August 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The IBMPC index for the virus archives can be retrieved as request: ibmpc topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> ms.uky.edu Daniel Chaney <chaney@ms.uky.edu> This site can be reached through anonymous ftp. The IBMPC anti-viral archives can be found in /pub/msdos/AntiVirus. The IP address is 128.163.128.6. pd-software.lancaster.ac.uk Steve Jenkins <pdsoft@pd-software.lancaster.ac.uk> No access details yet. uxe.cso.uiuc.edu Mark Zinzow <markz@vmd.cso.uiuc.edu> This site can be reached through anonymous ftp. The IBMPC anti-viral archives are in /pc/virus. The IP address is 128.174.5.54. wsmr-simtel20.army.mil Keith Peterson <w8sdz@wsmr-simtel20.army.mil> Direct access is through anonymous ftp, IP 26.2.0.74. The anti-viral archives are in PD1:<MSDOS.TROJAN-PRO>. Simtel is a TOPS-20 machine, and as such you should use "tenex" mode and not "binary" mode to retreive archives. Please get the file 00-INDEX.TXT using "ascii" mode and review it offline. NOTE: There are also a number of servers which provide access to the archives at simtel. WSMR-SIMTEL20.Army.Mil can be accessed using LISTSERV commands from BITNET via LISTSERV@NDSUVM1, LISTSERV@RPIECS and in Europe from EARN TRICKLE servers. Send commands to TRICKLE@<host-name> (for example: TRICKLE@AWIWUW11). The following TRICKLE servers are presently available: AWIWUW11 (Austria), BANUFS11 (Belgium), DKTC11 (Denmark), DB0FUB11 (Germany), IMIPOLI (Italy), EB0UB011 (Spain) and TREARN (Turkey). ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Thursday, 10 Aug 1989 Volume 2 : Issue 172 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU. Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Unix archive site DataCrime II - tiny clarification (PC) Virus in Gould logic analyzer distribution (MAC) Macintosh virus sites Macintosh anti-viral archive sites LaserWriter (Mac) --------------------------------------------------------------------------- Date: 09 Aug 89 13:57:52 +0000 From: krvw@sei.cmu.edu (Kenneth Van Wyk) Subject: Unix archive site It looks like we have an archive site for Unix anti-virus software (wuarchive.wustl.edu (IP#=128.252.135.4)). Now all we need is some software for the archive. It would seem logical to start by putting all of the documents on the Internet Worm there (which is already done), but I'd also like to see some software tools. For example, a tool for automating checksums (and/or CRCs) on specified, or all, binary files would be a good starting point. The files on wuarchive.wustl.edu are in "~ftp/usenet/comp.virus". The current document files there are in the "doc" directory (of the above directory) and any programs, as they're made available, will be in the "src" directory. Contributions of both software and documentation are encouraged, as are ideas, suggestions, comments, etc. And thanks to Chris Myers for supplying the archive directory! Thanks, Ken ------------------------------ Date: 09 Aug 89 00:00:00 +0000 From: David M. Chess <CHESS@YKTVMV.BITNET> Subject: DataCrime II - tiny clarification (PC) Alan Roberts is basically right about the oddness of the "DataCrime II"s self-degarbling code. One small point (just so we don't get too impressed with these virus-writers): while the trick that Alan refers to does prevent the virus from degarbling itself if you single-step through it, it's still trivial to disassemble; just set a breakpoint right after the degarbling loop (there's even one clear byte there to make it easy!), and let it run until then. The virus writer was probably trying to show off, and no doubt thinks him/her/itself very clever, but in fact the trick added about 90 seconds to the time required to analyze the virus, and was hardly worth the effort... DC ------------------------------ Date: Wed, 09 Aug 89 09:41:57 -0600 From: dce@Solbourne.COM (David Elliott) Subject: Virus in Gould logic analyzer distribution (MAC) Yesterday, one of the people here discovered that the Mac II's we are using as part of a Gould logic analyzer setup came from Gould infected with nVIR. The disk is marked as CLAS 4000 Software Version A12 Gould knows of this problem, and I assume they are taking appropriate steps. David Elliott dce@Solbourne.COM ...!{uunet,boulder,nbires,sun}!stan!dce ------------------------------ Date: Wed, 09 Aug 89 13:23:53 -0400 From: Sari Khoury <3XMQGAA@CMUVM.BITNET> Subject: Macintosh virus sites Are there any virus archives for the Macintosh besides MACSERVE@PUCC AND LISTSERV@RICE? Acknowledge-To: <3XMQGAA@CMUVM> [Ed. See next message...] ------------------------------ Date: 09 Aug 89 17:36:03 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Macintosh anti-viral archive sites Apparently I missed the posting of the Mac archive sites. Sorry folks. I'm trying to automate things a bit, and must have lost it in the confusion. # Anti-viral archive sites for the Macintosh # Listing of 08 August 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Mac index for the virus archives can be retrieved as request: mac topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> ifi.ethz.ch Danny Schwendener <macman@ethz.uucp> Interactive access through SPAN/HEPnet: $SET HOST 20766 or $SET HOST AEOLUS Username: MAC Interactive access through X.25 (022847911065) or Modem 2400 bps (+41-1-251-6271): # CALL B050 <cr><cr> Username: MAC Files may also be copied via SPAN/HEPnet from 20766::DISK8:[MAC.TOP.LIBRARY.VIRUS] pd-software.lancaster.ac.uk Steve Jenkins <pdsoft@pd-software.lancaster.ac.uk> No access details yet. rascal.ics.utexas.edu Werner Uhrig <werner@rascal.ics.utexas.edu> Access is through anonymous ftp, IP number is 128.83.144.1. Archives can be found in the directory mac/virus-tools. Please retrieve the file 00.INDEX and review it offline. Due to the size of the archive, online browsing is discouraged. scfvm.bitnet Joe McMahon <xrjdm@scfvm.bitnet> Access is via LISTSERV. SCFVM offers an "automatic update" service. Send the message AFD ADD VIRUSREM PACKAGE to listserv@scfvm.bitnet and you will receive regular updates as the archive is updated. You can also subscribe to automatic file update information with FUI ADD VIRUSREM PACKAGE sumex.stanford.edu Bill Lipa <info-mac-request@sumex-aim.stanford.edu> Access is through anonymous ftp, IP number is 36.44.0.6. Archives can be found in /info-mac/virus. Administrative queries to <info-mac-request@sumex-aim.stanford.edu>. Submissions to <info-mac@sumex-aim.stanford.edu>. There are a number of sites which maintain shadow archives of the info-mac archives at sumex: * MACSERV@PUCC services the Bitnet community * LISTSERV@RICE for e-mail users * FILESERV@IRLEARN for folks in Europe wsmr-simtel20.army.mil Robert Thum <rthum@wsmr-simtel20.army.mil> Access is through anonymous ftp, IP number 26.2.0.74. Archives can be found in PD3:<MACINTOSH.VIRUS>. Please get the file 00README.TXT and review it offline. - -- Jim Wright jwright@atanasoff.cs.iastate.edu ------------------------------ Date: 10 Aug 89 02:43:26 +0000 From: carroll1!dnewton@uunet.UU.NET (Dave Newton) Subject: LaserWriter (Mac) Is there such a thing as a LaserWriter virus on an AppleTalk net? We printed out a directory listing from a MacII hooked to a net and on two of the pages got these large black lock-like looking things in the middle of the page. The funny thing is, they were different sizes, one was big, one was small. I didn't read about those in any Apple book 8-) - -- "Life is just a popularity contest, and I didn't get my entry in on time." -David L. Newton David L. Newton (414) 524-7253 dnewton@carroll1.cc.edu =8-) (smiley w/ a mohawk) (414) 524-7343 uunet!marque!carroll1!dnewton ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Friday, 11 Aug 1989 Volume 2 : Issue 173 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU. Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: LaserWriter (Mac) Re: DataCrime II - tiny clarification (PC) Re: Memory Resident ViruScan (PC) DATACRIME-2 (PC) --------------------------------------------------------------------------- Date: Thu, 10 Aug 89 09:13:59 -0400 From: Tom Coradeschi <tcora@PICA.ARMY.MIL> Subject: Re: LaserWriter (Mac) >Is there such a thing as a LaserWriter virus on an AppleTalk net? We >printed out a directory listing from a MacII hooked to a net and on >two of the pages got these large black lock-like looking things in the >middle of the page. The funny thing is, they were different sizes, >one was big, one was small. If the lock looking things were next to files or folders, (assuming you sorted the directory by name, type, size or date, of course) that means that the files they were adjacent to are locked. Select those files under the Finder and to a "Get Info..." (CMD-I), and you should see the locked file checkbox marked. If the locks _aren't_ next to any files... you got me swingin'. tom c Electromagnetic Armament Technology Branch US Army Armament Research, Development and Engineering Center Picatinny Arsenal, NJ 07806-5000 ARPA: tcora@pica.army.mil UUCP: ...!{uunet,rutgers}!pica.army.mil!tcora BITNET: Tcora@DACTH01.BITNET ------------------------------ Date: 10 Aug 89 20:52:18 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: DataCrime II - tiny clarification (PC) The comments about the cache usage on datacrime2 is somewhat fallacious... while there is most certainly the 6 byte instruction on board the chip and its status is relayed via signal pins to external devices... that is not the reason why CV and debug lose control during the jmp to loc 124(1 byte into a multibyte instruction...the actual reason is that while tracing under cv a set of internal simulation registers are continually utilized, the jump into the middle of an instruction causes them to lose synchronization with the program running...these simulation registers are what allow the debugger to disassemble code correctly... TurboDebug's ability to merely handle the the situation without error merely means that more robust code is executing than codeview...(I have the latest for both and have tested both) datacrime2 code was more unique than most viruses in this regard but hardly very sophisticated... cheers kelly p.s. before suspecting true skulduggery exmine the tool for fallacious results!! disclaimer I do not represent Amdahl Corp...or Onsite consulting I represent me(myself only) ------------------------------ Date: Thu, 10 Aug 89 09:14:56 -0400 From: bnr-vpa!bnr-fos!bnr-public!mlord@gpu.utcs.toronto.edu (Mark Lord) Subject: Re: Memory Resident ViruScan (PC) Would you consider perhaps someday posting VIRUSCAN to comp.binaries.ibm.pc ? I know I would love to have a copy, and there are probably thousands of other interested onlookers as well. I know there are archive sites, but that doesn't help those of us who lack BITNET and FTP access. Cheers, - -Mark ------------------------------ Date: Thu, 10 Aug 89 22:20:31 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: DATACRIME-2 (PC) I just caught David Chess's posting about the Datacrime-2 virus. He's absolutely correct about the ease in bypassing the virus's de-garbling code. Not that I had a chance to find out for myself. As I was psyching myself up to the disassembly challenge, John McAfee sent me two very good and well commented disassemblies, one of which, I believe, was from David Chess himself. It's not very satisfying to settle for someone else's disassembly, no matter how well done, but it's even harder to do your own when at least two are in front of your face. Which leads me to a question. Why do three or four dozen people (at least) disassemble every new virus that pops up? I'm not complaining in the least. Just wondering if some of us are redundant. Should we maybe draw straws to see who gets to do the next one, and the rest of us go see a movie or something instead? I don't know. But back to the Datacrime-2. Even though, as I was shown, you can set a breakpoint at 124H, it is still unnerving not to be able to single step a virus. I like to take my time - do one instruction and contemplate it. Savor the meaning of a single branch instruction; the simplicity of an XOR; the power of a multiply. To be forced to submit to the brutal pace of two to three hundred operations per millisecond - - even for a short loop - is not my idea of a good time. And as to Dave's comment about adding 90 seconds to his disassembly time, he can only speak for himself. When MY debugger kicked out to DOS, I spent at least a half hour trying to figure out which virus had infected my debugger, and how could I have been so stupid as to let it happen. I spent the next half hour complaining about the bug in Codeview, and the half hour after that I watched a 1963 Andy Griffith Show on television to try and calm down. So I'm not so sure the virus designer was just showing off. He/she/it nearly off'd one of us. Alan Roberts ------------------------------ End of VIRUS-L Digest ********************* VIRUS-L Digest Monday, 14 Aug 1989 Volume 2 : Issue 174 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU. Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: DataCrime II - tiny clarification (PC) Re: LaserWriter viruses Disk Killer (PC) Accessing the archives without ftp Re: Unix archive site Viruscan test (PC) ------------------------------------------------------------ Date: 11 Aug 89 00:00:00 +0000 From: David M. Chess <CHESS@YKTVMV.BITNET> Subject: Re: DataCrime II - tiny clarification (PC) Not to prolong the technical discussion too long, but... Kelly Goen and Alan Roberts are both completely correct (or, actually, I'll assume they are, not knowing myself!); CodeView probably does get confused by the odd things the virus does. I always use good old DEBUG for initial examination of viruses, because I know exactly what it's doing! (CodeView is much more powerful, but for that reason also more complex.) I didn't get thrown out to DOS at any point, but I *did* notice that the virus was doing some bizarre self-alteration, decided that it was trying to avoid being single-stepped, and then confirmed that by experiment. (If you single-step through it, it degarbles to garbage, rather then to the actual virus code.) So I never got to observe the effect that Kelly and Alan saw! (So I don't think anything I said was "fallacious"; we were just talking about different effects.) Alan asks a good question about disassemblies. I think it's probably a Good Thing if at least two or three people do independant disassemblies of each virus, just to make it less likely that something subtle will be missed. I know my disassemblies (except the ones I've spent lots of time on) always contain sections marked with vaguenesses like "Does something subtle with the EXE file header here". At some point, I guess, some time does start to be wasted by duplication of effort; hard to say where, though. I probably tend to lean towards "the more the merrier"! DC ------------------------------ Date: Fri, 11 Aug 89 10:34:27 -0700 From: forags@violet.berkeley.edu Subject: Re: LaserWriter viruses Networked Apple Laserwriters aren't really subject to permanent virus infestation, since a power-off cycle will clear their RAM. HOWEVER, a proficient Postscript programmer can deposit code in an LW's memory which can stay resident and affect other users' output until the power is cycled. These modifications can include re-defining standard Postscript operators to do different things (such as "showpage" could be extended to overprint the word "CLASSIFIED" on every page printed). PostScript has a password mechanism to prevent some alterations to persistent parameters (such as printing a start-up page), but many users leave the password un-set. Al Stangenberger Dept. of Forestry & Resource Mgt. forags@violet.berkeley.edu 145 Mulford Hall - Univ. of Calif. uucp: ucbvax!ucbviolet!forags Berkeley, CA 94720 BITNET: FORAGS AT UCBVIOLE (415) 642-4424 ------------------------------ Date: 12 Aug 89 03:34:00 +0000 From: tyl@cbnews.ATT.COM (Ten-Yu Lee) Subject: Disk Killer (PC) Does anyone know of a virus called "Disk Killer" ? My IBM PC is seriously being infected with this virus. The system hung and can't be brought up by any means. I tried to use firmware to re-format the hard disk. The formatting completed without any error message but the computer still does not work. I need help to remove or kill this virus. ------------------------------ Date: 12 Aug 89 20:18:59 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Accessing the archives without ftp In article <0003.8908111142.AA01970@ge.sei.cmu.edu> bnr-vpa!bnr-fos!bnr-public! mlord@gpu.utcs.toronto.edu (Mark Lord) writes: | Would you consider perhaps someday posting VIRUSCAN to | comp.binaries.ibm.pc ? Not a good idea. At the rate it is being updated, anything that eventually got through c.b.i.p would be long out of date. | I know I would love to have a copy, and there are probably thousands | of other interested onlookers as well. I know there are archive | sites, but that doesn't help those of us who lack BITNET and FTP | access. If you can send email, you can access some of the archive sites. I think its safe to say that you have access to email, right? Here is a note I received from a VIRUS-L reader. He was able to get through to simtel using only email. Before trying this, CHECK THE ARCHIVE SITE LIST FOR THE SERVER NEAR YOU. Overloading this one poor site would not be a nice thing to do. > I have just managed to access WSMR-SIMTEL20.ARMY.MIL from mail via > LISTSERV@NDSUVM1. The commands I used are : > > 1) For a listing of the files in the directory : > > /pddir pd:<msdos.trojan-pro>*.* 9999 > > 2) To retreive a specified file : > > /pdget pd:<msdos.trojan-pro>fname.ext You can also get help, which will explain what is going on here. ------------------------------ Date: Fri, 11 Aug 89 16:45:26 -0400 From: fitz@wang.WANG.COM (Tom Fitzgerald) Subject: Re: Unix archive site About the UNIX anti-archive site at wustl.edu. This sounds great, but since we (and a lot of other people) aren't on the Internet, we can't get to it. Would it be possible to set up an anonymous UUCP account or an archive-server mail demon on the system? Many people would be grateful. [Ed. This was sent to me personally, but I thought that others may be interested... The answer is that the people coordinating the Unix archive sites are working on the problems. We hope to be able to make a mail-archive and an anonymous UUCP available in addition to the current anonymous FTP. No estimate on time, but it's being worked on...] - --- Tom Fitzgerald Wang Labs, 1 Industrial ave. 019-890, Lowell MA 01851 fitz@wang.com uunet!wang!fitz 508-967-5865 ------------------------------ Date: Sun, 13 Aug 89 09:48:20 -0700 From: portal!cup.portal.com!Charles_M_Preston@Sun.COM Subject: Viruscan test (PC) For the past couple weeks I have been testing the latest versions of John McAfee's virus scanning program, Viruscan, downloaded as SCANV29.ARC, SCANV33.ARC, etc., and very briefly the resident version archived as SCANRES4.ARC. While I have not completed the testing protocol with each virus, perhaps an interim report will be of interest. The testing protocol is: 1. Scan a disk containing a copy of a virus in some form; 2. Have the virus infect at least one other program (for .COM and .EXE infectors) or disk (for boot infectors) so Viruscan must locate the virus signature as it would normally be found in an infected machine; 3. Modify the virus in the most common ways people change them (cosmetic changes to ASCII text messages or small modifications to the code and try Viruscan again. Step 2 arises from testing another PC anti-virus product which was supposed to scan for viruses. When I found that it would not detect a particular boot virus on an infected floppy, I asked the software vendor about it. I was told that it would detect a .COM program which would produce an infected disk - not useful to most people with infected disks, the common way this virus is seen Even though the viruses tested are not technically self-mutating, my intent is to test Viruscan against later generation infections, as they would be found in a normal computing environment. Naturally, there is a problem knowing which virus is actually being found, since they go under different names and are frequently modified. The viruses are currently identified by their length, method of infection, symptoms of activity or trigger, and any imbedded text strings, based on virus descriptions from a variety of sources. These include Computers & Security journal, and articles which have been on Virus-L, such as Jim Goodwin's descriptions modified by Dave Ferbrache, and reports by Joe Hirst from the British Computer Virus Research Centre. There is a proposal for checksumming of viruses in the June Computers & Security, which would allow confirmation that a found virus is the identical one already disassembled and described by someone. In the meantime, identification has been made as mentioned. So far, Viruscan has detected the following viruses: Boot infectors - Brain, Alameda/Yale, Ping-Pong, Den Zuk, Stoned, Israeli virus that causes characters to fall down the screen; .COM or .EXE infectors - Jerusalem -several versions including sURIV variants, 1701-1704-several versions, Lehigh, 1168, 1280, DOS62-Vienna, Saratoga, Icelandic, Icelandic 2, April First, and Fu Manchu. SCANV33 has a byte string to check for the 405.com virus, but does not detect it. SCANV34 has been modified to allow proper detection. SCANRES 0.7V34, the resident version of Viruscan, correctly detects the 405 virus when an infected program is run. I have not had any false positives on other commercial or shareware programs that have been scanned. Viruscan appears to check for viruses only in reasonable locations for those particular strains. If there is a virus that infects only .COM files, and an infected file has a .VOM or other extension, it will not be reported. Of course, it is not immediately executable, either. On the other side of the coin, if a disk has been infected by a boot infector, and still has a modified boot record, it will be reported by Viruscan. This is true even if the rest of the virus code normally hidden in other sectors has been destroyed, thus making the disk non-bootable and non infectious. This is a desirable warning, however, since the boot record is not original, and since other disks may be still infected. Disclaimer: I am a computer security consultant and have been working with PC and Macintosh microcomputer viruses and anti- virus products for about 18 months. I have no obligation to John McAfee except to report the outcome of the tests. I am a member of the Computer Virus Industry Association, which is operated by John McAfee. Charles M. Preston 907-344-5164 Information Integrity MCI Mail 214-1369 Box 240027 BIX cpreston Anchorage, AK 99524 cpreston@cup.portal.com ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Tuesday, 15 Aug 1989 Volume 2 : Issue 175 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU. Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: IBM PC virus found? Posting VIRUSCAN (PC) possible new PC virus? Marijuana Virus wreaks havoc in Australian Defence Department (PC) --------------------------------------------------------------------------- Date: 14 Aug 89 23:28:16 +0000 From: berman-andrew@CS.Yale.EDU (Andrew Berman) Subject: IBM PC virus found? Hi. I don't have much familiarity with viruses, but: A good friend has been working for a few months on some IBM PC's. In the last several weeks, all her programs were screwing up. We ran her stuff and noticed that each time an executable was ran, it's size increased by 1808 bytes. This included some system files such as 'SORT'. She had been using a bunch of disks, including some disks from Israel. So far, it just seems that it was loading up the disks. Anyway, if anyone has any information about this virus, we'd be very interested. She proceeded to copy all her source files onto clean, formatted disks. Is that sufficient, assuming she zaps everything else? Thanks, Andrew P. Berman ------------------------------ Date: Mon, 14 Aug 89 18:12:37 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: Posting VIRUSCAN (PC) In yesterday's Virus-L, Jim Wright stated: >(Posting VIRUSCAN to comp.binaries)... is not a good idea. Since it is >frequently updated it would be long out of date by the time it got through >c.b.i.p. I'd like to point out that, while ViruScan is indeed updated as soon as a new virus is discovered, even the first version of ViruScan is still statistically current. We need to differentiate between the NUMBER of viruse out there and the statistical PROBABILITY of infection from any given virus. Viruses are not created on one day and the next become major infection problems. It take many months, and in some cases - years, before a given virus becomes a statistically valid threat to the average computer user. A case in point is the Jerusalem virus. It's nearly 2 years old and was first reported in the States (other than by a researcher) in February of 1988. In August of '88 the reported infection rate was 3 infections per week. In July of '89, the rate was over 30 reports per day. Today the Jerusalem virus is a valid threat. Another more current case is the Icelandic virus. It's over 2 months old and we've had no reported infections in the U.S. Given even the limited information we have about virus epidemiology, any product that can identify 99% of the infection ocurrences today, will be able to identify close to the same percentage 5 to 6 months from now, irrespective of the number of new viruses created in the interim. For those that insist on the 100% figure, I suggest you bite the bullet and download the current version of ViruScan from HomeBase every month. P.S. Some people have suggested that the CVIA statistics are inaccurate or incomplete. The numbers come from a reporting network composed of member companies. These companies include such multinationals as Fujitsu, Phillips N.A., Amdahl, Arthur Anderson and Co., the Japan Trade Center, Weyerhauser, Amex Assurance and others whose combined PC base, either internal or through client responsibility, totals over 2 million computers. It is highly unlikely that a major virus problem could exist and not be reported by one or another of these agencies. ------------------------------ Date: Mon, 14 Aug 89 10:09:01 -0700 From: rogers@cod.nosc.mil (Rollo D. Rogers) Subject: possible new PC virus? Original-From: tyl@cbnews.ATT.COM (Ten-Yu Lee) Original-Newsgroups: comp.sys.ibm.pc,comp.sys.mac Original-Subject: Virus - Disk Killer Does any one know a virus called "Disk Killer" ? My IBM PC is seriously being affected by this unknown virus. The system hung and can't be brought up by any means. I tried to use firmware to re-format the hard disk. The formatting completed without any error message but the computer still does not work. I need help to remove or kill this virus. ------------------------------ Date: Mon, 14 Aug 89 10:18:16 +0100 From: J.Holley@MASSEY.AC.NZ Subject: Marijuana Virus wreaks havoc in Australian Defence Department (PC) [Ed. This is from RISKS...] Quoted from The Dominion, Monday August 14 : A computer virus call marijuana has wreaked havoc in the Australian Defence Department and New Zealand is getting the blame. Data in a sensitive security area in Canberra was destroyed and when officers tried to use their terminals a message appeared : "Your PC is stoned - Legalise marijuana". Viruses are [guff on viruses] The New Zealand spawned marijunana has managed to spread itself widely throughout the region. Its presence in Australia has been known for the past two months. The problem was highlighted two weeks ago when a Mellbourne man was charged with computer trespass and attempted criminal damage for allegedly loading it into a computer at the Swinbourne Institute of Technology. The virus invaded the Defence Department earlier this month - hitting a security division repsonsible for the prevention of computer viruses. A director in the information systems division, Geoff Walker said an investigation was under way and the infection was possibly an embarrassing accident arising from virus prevention activities. New personal computers installed in the section gobbled data from their hard disk, then disabled them. Initially it was believed the virus was intoduced by a subcontractor installing the new computer system but that possibility has been ruled out. One more outlandish theory suggested New Zealnd, piqued at its exclusion from Kangaroo 89 military exercises under way in northern Australia, was showing its ability to infiltrate the Canberra citadel. New Zealand was not invited to take part in Kangaroo because of United States' policy of not taking part in exercises with New Zealand forces since Labour's antinuclear legislation. However, New Zealand observers were invited. New Zealand Defence Department spokesmand Lieutenant Colonel Peter Fry categorically denied the claim. "It would be totally irresponsible to do this kind of thing." In fact, New Zealand's Defence Department already had problems with the virus, he said. ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Wednesday, 16 Aug 1989 Volume 2 : Issue 176 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU. Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Swapping Virus (PC) Response to query from A.Berman, Yale,8-14-89 (PC) CERT Internet Security Advisory --------------------------------------------------------------------------- Date: Tue, 15 Aug 89 20:36:50 +0300 From: "Yuval Tal (972)-8-474592" <NYYUVAL@WEIZMANN.BITNET> Subject: Swapping Virus (PC) +------------------------------------------------------+ | The "Swapping" virus | +------------------------------------------------------+ | | | Disassembled on: August, 1989 | | | | Disassembled by: Yuval Tal | | | | Disassembled using: ASMGEN and DEBUG | | | +------------------------------------------------------+ Important note: If you find *ANYTHING* that you think I wrote incorrectly or is-understood something, please let me know ASAP. You can reach me: Bitnet: NYYUVAL@WEIZMANN InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU This text is divided into theree parts: 1) A report about the Swap Virus. 2) A disassembly of the Swap Virus. 3) How to install this virus? - ------------------------------------------------------------------------------ - R E P O R T - ------------------------------------------------------------------------------ - Virus Name..............: The Swap Virus Attacks.................: Floppy-disks only Virus Detection when....: June, 1989 at......: Israel Length of virus.........: 1. The virus itself is 740 bytes. 2. 2048 bytes in RAM. Operating system(s).....: PC/MS DOS version 2.0 or later Identifications.........: A) Boot-sector: 1) Bytes from $16A in the boot sector are: 31 C0 CD 13 B8 02 02 B9 06 27 BA 00 01 CD 13 9A 00 01 00 20 E9 XX XX 2) The first three bytes in the boot sector are: JMP 0196 (This is, if the boot sector was loaded to CS:0). B) FAT: Track 39 sectors 6-7 are marked as bad. C) The message: "The Swapping-Virus. (C) June, by the CIA" is located in bytes 02B5-02E4 on track 39, sector 7. Type of infection.......: Stays in RAM, hooks int $8 and int $13. A diskette is infected when it is inserted into the drive and ANY command that reads or writes from/to the diskette is executed. Hard disks are NOT infected ! Infection trigger.......: The virus starts to work after 10 minutes. Interrupt hooked........: $8 (Timer-Tick - Responsible for the letter dropping) $13 (Disk Drive - Infects!) Damage..................: Track 39 sectors 6-7 will be marked as bad in the FAT. Damage trigger..........: The damage is done whenever a diskette is infected. Particularities.........: A diskette will be infected only if track 39 sectors 6-7 are empty. +-----------------------------------------------------------------------+ | BitNet: NYYUVL@WEIZMANN CSNet: NYYUVAL@WEIZMANN.BITNET | | InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU | | | | Yuval Tal | | The Weizmann Institute Of Science "To be of not to be" -- Hamlet | | Rehovot, Israel "Oo-bee-oo-bee-oo" -- Sinatra | +-----------------------------------------------------------------------+ ------------------------------ Date: Tue, 15 Aug 89 16:51:00 -0500 From: LUCKSMITH%ALISUVAX.BITNET@IBM1.CC.Lehigh.Edu Subject: Response to query from A.Berman, Yale,8-14-89 (PC) The unknown virus that Andrew Berman referred to in his submission of 14 Aug 89 sounds very much like one encountered here within the last 90 days. Various names exist for it, including Friday the 13th, Israeli, Jerusalem, Black Box and others. The virus is a TSR type that infects .COM and .EXE files replicating itself into the files (once only for .COM and repeatedly for .EXE). (It will infect and replicate itself in ANY executible, no matter the extension..check especially .OVL and .SYS) The virus under certain circumstances will delete files from the disk on Friday the 13th. Norton Utilities is capable of identifying the infected files by searching for the hexadecimal string E9 92 00 73 55 4D 73 44. Those eight bytes invariably occurred in the virus found here. A system can only be certified clean of the virus if the system is cold-booted from a clean system and the source files to be used are checked and found to be clean before they are used. This virus is very contagious...during the cleanup and check phase we infected FluShot+ more than once. There is an article by Yisrael Radai, Hebrew Univ. of Jerusalem, on the "original" Israeli PC virus in April 1989 issue of Computers and Security (UK publication, Elsevier Science Pub., Ltd. Vol.8, No. 2) and a paper by Jim Goodwin on Israeli viruses, available from the moderator of this forum. Based on our recent experience, good luck, and happy cleaning. David Rehbein, Thompson@alisuvax.bitnet Marsha Luckett-Smithson, LuckSmith@alisuvax.bitnet Ames Laboratory USDOE, Iowa State University ------------------------------ Date: Wed, 16 Aug 89 11:46:06 -0400 From: "Computer Emergency Response Team" <cert@SEI.CMU.EDU> Subject: CERT Internet Security Advisory Many computers connected to the Internet have recently experienced unauthorized system activity. Investigation shows that the activity has occurred for several months and is spreading. Several UNIX computers have had their "telnet" programs illicitly replaced with versions of "telnet" which log outgoing login sessions (including usernames and passwords to remote systems). It appears that access has been gained to many of the machines which have appeared in some of these session logs. (As a first step, frequent telnet users should change their passwords immediately.) While there is no cause for panic, there are a number of things that system administrators can do to detect whether the security on their machines has been compromised using this approach and to tighten security on their systems where necessary. At a minimum, all UNIX site administrators should do the following: o Test telnet for unauthorized changes by using the UNIX "strings" command to search for path/filenames of possible log files. Affected sites have noticed that their telnet programs were logging information in user accounts under directory names such as "..." and ".mail". In general, we suggest that site administrators be attentive to configuration management issues. These include the following: o Test authenticity of critical programs - Any program with access to the network (e.g., the TCP/IP suite) or with access to usernames and passwords should be periodically tested for unauthorized changes. Such a test can be done by comparing checksums of on-line copies of these programs to checksums of original copies. (Checksums can be calculated with the UNIX "sum" command.) Alternatively, these programs can be periodically reloaded from original tapes. o Privileged programs - Programs that grant privileges to users (e.g., setuid root programs/shells in UNIX) can be exploited to gain unrestricted access to systems. System administrators should watch for such programs being placed in places such as /tmp and /usr/tmp (on UNIX systems). A common malicious practice is to place a setuid shell (sh or csh) in the /tmp directory, thus creating a "back door" whereby any user can gain privileged system access. o Monitor system logs - System access logs should be periodically scanned (e.g., via UNIX "last" command) for suspicious or unlikely system activity. o Terminal servers - Terminal servers with unrestricted network access (that is, terminal servers which allow users to connect to and from any system on the Internet) are frequently used to camouflage network connections, making it difficult to track unauthorized activity. Most popular terminal servers can be configured to restrict network access to and from local hosts. o Passwords - Guest accounts and accounts with trivial passwords (e.g., username=password, password=none) are common targets. System administrators should make sure that all accounts are password protected and encourage users to use acceptable passwords as well as to change their passwords periodically, as a general practice. For more information on passwords, see Federal Information Processing Standard Publication (FIPS PUB) 112, available from the National Technical Information Service, U.S. Department of Commerce, Springfield, VA 22161. o Anonymous file transfer - Unrestricted file transfer access to a system can be exploited to obtain sensitive files such as the UNIX /etc/passwd file. If used, TFTP (Trivial File Transfer Protocol - which requires no username/password authentication) should always be configured to run as a non-privileged user and "chroot" to a file structure where the remote user cannot transfer the system /etc/passwd file. Anonymous FTP, too, should not allow the remote user to access this file, or any other critical system file. Configuring these facilities to "chroot" limits file access to a localized directory structure. o Apply fixes - Many of the old "holes" in UNIX have been closed. Check with your vendor and install all of the latest fixes. If system administrators do discover any unauthorized system activity, they are urged to contact the Computer Emergency Response Team (CERT). Kenneth R. van Wyk Computer Emergency Response Team cert@SEI.CMU.EDU (412) 268-7090 (24 hour hotline) ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Friday, 18 Aug 1989 Volume 2 : Issue 177 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: Response to query from A.Berman, Yale,8-14-89 (PC) 1701/4 Disinfector Need info on Datacrime virus (PC) Correction to the Swap Virus report (PC) --------------------------------------------------------------------------- Date: 16 Aug 89 21:43:49 +0000 From: berman-andrew@CS.YALE.EDU (Andrew P. Berman) Subject: Re: Response to query from A.Berman, Yale,8-14-89 (PC) I want to thank everyone who mailed/posted responses to my posting about the virus which infected my friend's disks. She think's she's cleaned it out by copying only the source codes to new disks, zapping the hard drives, and recompiling everything on the clean hard disks. BTW, there is an article in this month's Popular Science on computer viruses. Once again, Thanks Andrew Berman ------------------------------ Date: Wed, 16 Aug 89 08:36:09 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: 1701/4 Disinfector Forward from John McAfee ============================================================================= Hi folks. I've had a large number of panicky calls, and Ken van Wyk has had at least one 'emergency' message about a possible 1701 virus in the M-1704.EXE disinfector program. What's happening is VIRUSCAN is identifying the 1701 virus code within the disinfector product. The 1701/4 disinfector is the only one of our disinfectors that causes this problem, and because of the very small de-garbling code within the 1701/4 virus, there is no practical way around it. Our choices are: 1. Remove the 1701/4 disinfector from circulation and let people disinfect manually; 2. Change VIRUSCAN to ignore the program (it's the only non-virus program we know of that looks like a virus to VIRUSCAN); or 3. Continue as is. I definitely do not want to change VIRUSCAN to start and 'exclusion' list. This defeats the purpose of the scan program and reduces its reliability. I also believe that the value of the disinfector outweighs the confusion factor. I have stated up front in the documentation for M-1704 that the user should contact us BEFORE trying to use the program so that we can verify over the phone whether there is a possibility that the program really is infected (a slim probability if downloaded from SIMTEL or other reputable source). A second point I'd like to bring up is that people do not need to stockpile disinfector programs. Many of these programs are dangerous if used on uninfected systems and even in infected systems, certain disinfectors can have unpleasant side effects if used improperly. A disinfector should be used AFTER an infection has been verified. It appears that many people are collecting disinfectors and trying them out so that they are prepared for an infection if one occurs. I don't think this is a good idea. My final recommendation is: Read the documentation and follow the instructions. If you're using the M-1704 program, then call before you do anything with it. John McAfee ------------------------------ Date: Thu, 17 Aug 89 10:20:54 -0600 From: <watmath!ctycal!ingoldsb@uunet.UU.NET> Subject: Need info on Datacrime virus (PC) Sorry if you get this message twice, I'm not sure if the first attempt will get to you (its been one of those days :^) I'm sure this has been discussed, but I just got back from vacation and missed the info (we're low on disk and things get purged quickly). Can anyone tell me how to detect if a machine has been infected with the Datacrime virus, what it does (I've heard that it is supposed to erase files on a particular date), and how to get rid of it. I'd appreciate a response to this. It will give me a good opportunity to demonstrate to our security gurus that Usenet can be beneficial to security (instead of the open door that is usually portrayed by the media). Terry Ingoldsby ctycal!ingoldsb@calgary.UUCP Land Information Systems or The City of Calgary ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb ------------------------------ Date: Fri, 18 Aug 89 17:14:11 +0300 From: "Yuval Tal (972)-8-474592" <NYYUVAL@WEIZMANN> Subject: Correction to the Swap Virus report (PC) Hello all! I don't know how many of you had noticed the few small mistakes in the report about the "Swap Virus" but anyway, I am correcting it now. The only mistake I found was in the INFECTION part section C. 1) Instead of bytes 2B4-2E4 correct it to bytes 00B7-00E4 (A sector has only $200 bytes on it. 2) The correct message at the end of the virus is: "The Swapping-Virus. (C) June, 1989 by the CIA" I hope there are no more mistakes! - --Yuval ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 21 Aug 1989 Volume 2 : Issue 178 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Basic Virus Questions (PC) NEW VIRUS DICOVERED AND DISASSEMBLED Fixing Disinfectors/Virus Finders --------------------------------------------------------------------------- Date: 18 Aug 89 10:52:00 -0400 From: "Andrew R. D'Uva" <aduva@guvax.BITNET> Subject: Basic Virus Questions (PC) After hearing quite a bit about viruses, particularly the Internet 'Worm' of November, 1988, I have a few questions concerning prevention of virus infiltration on IBM PCs/clones using MS-DOS 3.3x or 4.01. 1) Is the possibility of virus infection limited to executable programs (.com or .exe extensions)? Or can an operating system be infected from reading a document file or graphic image? 2) Are there generic "symptoms" to watch for which would indicate a virus? 3) Any suggestions on guidelines for handling system archiving procedures so that an infected system can be "cleaned up"? Thanks for the help. Andrew D'Uva Jnet---> ADUVA@GUVAX Internet---> ADUVA@GUVAX.GEORGETOWN.EDU ------------------------------ Date: Fri, 18 Aug 89 19:07:11 -0500 From: Christoph Fischer <RY15%DKAUNI11.BITNET@IBM1.CC.Lehigh.Edu> Subject: NEW VIRUS DICOVERED AND DISASSEMBLED We just finished to disassemble a new virus, it was sent to us by the university of Cologne. We haven't found any clue that this virus showed up before. Here are the facts we found: 0. It works on PC/MS-DOS ver. 2.0 or higher 1. It infects COM files increasing them by 1206 to 1221 bytes (placing the viruscode on a pragraph start) 2. It infects EXE files in two passes: After the first pass the EXE file is 132 bytes longer; after the second pass its size increased by an aditional 1206 to 1221 bytes (see 1.) 3. The virus installs a TSR in memory wich will infect executable files upon loading them (INT 21 subfunction 4B00) using 8208 bytes of memory 4. The only "function" we found, was an audible alarm(BELL character) whenever another file was successfully infected. 5. It infects COM files that are bigger than 04B6h bytes and smaller than F593h bytes and start with a JMP (E9h) 6. It infects EXE files if they are smaller than FDB3 bytes (no lower limit) 7. It opens a file named "VACSINA. " without checking the return value. At the end it closes this file without ever touching it. The facts 4 and 7 make us belive it is a "Beta-Test" virus that might have escaped prematurely by accident. The word VACSINA is really odd beause of its spelling. All languages I checked (12) spell it VACC... only Norwegians write VAKSINE. Has anybod an idea? We produced an desinfectant and a guardian. The PC room at Cologne (28 PCs) was also infected by DOS62 (Vienna)| We call the virus VACSINA because of the unique filename it uses| Chris & Tobi & Rainer ***************************************************************** * TORSTEN BOERSTLER AND CHRISTOPH FISCHER AND RAINER STOBER * * Micro-BIT Virus Team / University of Karlsruhe / West-Germany * * D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 * * E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET * ***************************************************************** ------------------------------ Date: Fri, 18 Aug 00 19:89:35 +0000 From: utoday!greenber@uunet.UU.NET (Ross M. Greenberg) Subject: Fixing Disinfectors/Virus Finders To Mr. McAfee: (Hi John!) Simply do what I do: encrypt the string you're looking for yourself, then decrypt it when you first run the program. Works like a champ here.... Sheesh! Do i have to tell my competition everything? :-) Ross ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Tuesday, 22 Aug 1989 Volume 2 : Issue 179 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Swap Virus (PC) DEMO Software Disk Infected (Jerusalem, Version B) (PC) Hygeine Questions New German Virus (PC) --------------------------------------------------------------------------- Date: Mon, 21 Aug 89 09:47:00 -0500 From: Craig Minton <U12345C@OSUCC.BITNET> Subject: Swap Virus (PC) I just received my bitnet account about a month ago and just subscribed to this list about a week ago. In the past week, I have seen the Swap Virus mentioned several times. Since I'm sure that it has already been discussed alot on this list, I would appreciate any information on it that I could get. Please send this to me personally unless you feel it hasn't been discussed enough or something new is going on with it. Thanx, Craig ------------------------------ Date: Mon, 21 Aug 89 11:32:19 -0500 From: SDSV@MELPAR-EMH1.ARMY.MIL Subject: DEMO Software Disk Infected (Jerusalem, Version B) (PC) A research and development lab located at Ft. Belvoir Virginia had their PC's infected with the Jerusalem, Version B, Virus. Further investigation uncovered the virus entered the lab through a DEMO software disk from ASYST Software Technologies supplied with a IEEE-488 board from METROBYTE. The infected program is RTDEMO2.EXE. In a conversation with Mr. Dave Philipson from ASYST, to the best of his knowledge, 50 to 100 copies of the infected software were released. The infection entered their facility through software received from their parent company in England. Mr. Brent Davis of METROBYTE informed me that the DEMO disk was supplied with three (3) of their products; MBC-488, IE-488 and UCMBC-488. METROBYTE is in the process of contacting all purchasers of these products. Many thanks to Mr. John McAfee for his assistance, SCAN34 which was used to identify the type of virus, and M-JRUSLM which was used to eradicate the virus. Both ASYST and METROBYTE were extremely helpfull and responded expeditiously to the problem. Many thanks to Mr. Brent Davis and Mr. Dave Philipson for their action and assistance. ************** From the Desk of Mr. James M. Vavrina ************** * Comm 202-355-0010/0011 AV 345-0010-0011 * * DDN SDSV@MELPAR-EMH1.ARMY.MIL * ******************************************************************* ------------------------------ Date: Mon, 21 Aug 89 13:36:00 -0400 From: WHMurray@DOCKMASTER.ARPA Subject: Hygeine Questions >1) Is the possibility of virus infection limited to executable > programs (.com or .exe extensions)? Or can an operating system be > infected from reading a document file or graphic image? While a virus must succeed in getting itself executed, there are a number of solutions to this problem besides infecting .exe and .com. While it will always be sufficient for a virus to dupe the user, the most successful ones are relying upon bootstrap programs and loaders to get control. >2) Are there generic "symptoms" to watch for which would indicate a virus? Any unusual behavior may signal the presence of a virus. Of course most such unusual behavior is simply an indication of user error. Since there is not much satisfaction to writing a virus if no one notices, most are not very subtle. However, the mandatory behavior for a successful virus is to write to shared media, e.g., floppy, diskette, network, or server. (While it may be useful to the virus or disruptive to the victim to write to a dedicated hard disk, this is not sufficient for the success of the virus.) >3) Any suggestions on guidelines for handling system archiving > procedures so that an infected system can be "cleaned up"? WRITE PROTECT all media. Preserve vendor media indefinitely. Never use the backup taken on one system on any other. Be patient when recovering; be careful not to reinfect. (Computer viruses are persistent on media.) Quarantine systems manifesting strange behavior. Never try to reproduce symptoms on a second machine. Never share media gratuitously. (Note that most PC viruses are traveling on shared MEDIA rather than on shared PROGRAMS.) ____________________________________________________________________ William Hugh Murray 216-861-5000 Fellow, 203-966-4769 Information System Security 203-964-7348 (CELLULAR) ARPA: WHMurray@DOCKMASTER Ernst & Young MCI-Mail: 315-8580 2000 National City Center TELEX: 6503158580 Cleveland, Ohio 44114 FAX: 203-966-8612 Compu-Serve: 75126,1722 INET: WH.MURRAY/EWINET.USA 21 Locust Avenue, Suite 2D DASnet: [DCM1WM]WMURRAY New Canaan, Connecticut 06840 PRODIGY: DXBM57A - -------------------------------------------------------------------- ------------------------------ Date: Mon, 21 Aug 89 14:49:57 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: New German Virus (PC) This is a forward from John McAfee: ============================================================================= The VIRUSCAN version V35 now identifies the virus reported by C. Fischer in Germany. As always, the trickiest problem is the name. We can't very well use the host program length increment as the nomenclature this time because the length can change anywhere from 1206 to 1353 bytes (1206 min for COM files; 1221 + 132 max for EXE files). Using the bell sound as a name is questionable since the virus appears to be a prototype version and it seems likely that the bell sound may be removed and replaced in the final? version. I don't like using Vacsina as the name because it is a data string that can be trivially changed without materially affecting the virus. However, conversations with Chris Fischer indicate that he wishes to call the virus Vacsina, so that's what VIRUSCAN displays when the virus is present. P.S. We are still struggling over the name of the "Israeli Boot/ Swap/Fat 12/Whatever" virus reported by Uval Tal. Y. Radai is adamant that it be called the Swap virus. However, no-one that I am aware of has been able to make the the "Swap..." message reported by Yuval replicate onto another diskette. When the virus replicates, the area reported by Yuval to contain the message insists on transferring itself as binary zeros. It seems to me that someone merely placed the text message into the virus thinking that it would replicate along with the virus. Until I am further enlightened, I think that the VIRUSCAN descriptor for this virus should remain as is. John McAfee ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Thursday, 24 Aug 1989 Volume 2 : Issue 180 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Virus Naming Destructive virus... Locking Macintosh disks Re: Swap Virus Name (PC) --------------------------------------------------------------------------- Date: Tue, 22 Aug 89 10:39:00 -0400 From: "Jerry Leichter" <LEICHTER@Venus.YCC.Yale.Edu> Subject: Virus Naming Every new virus report these days seems to lead to a debate about a proper name for the beasts. May I suggest that this matter be settled, once and for all, by adopting long-established traditions used in a variety of sciences, ranging from astronomy to biology to medicine: The discoverer of, or the first person to describe, a planet/microbe/disease has an essentially absolute right to choose a name for it. A poorly-chosen name for something that gets discussed extensively will sometimes fall by the wayside, but that's the exception. The closest match from the traditional sciences is clearly with medicine. The person who gets to choose the name is the person who publishes the first article which describes the disease in some detail. The tone of such articles is quite similar to the tone of the recent analyses of viral code. While the discover can choose any name he likes, traditionally the names chosen reflect either some obvious and distinctive mark or symptom of the disease (AIDS - Acquired Immune Deficiency Syndrome), or the place where it was first noted (Lyme Disease). When the discoverer doesn't choose a name, the disease often gets named after him (Wernickie's Aphasia). Other fields of science have established their own traditions (names of Roman gods for planets; Latin descriptive terms for species - though this gets tempered by humor). Biological viruses have pretty arbitrary names: One large class, the Coxsackie viruses, are named after a town in upstate New York where the first member of the class was isolated; another, the Herpes viruses, I believe have a name derived from Greek via a particular disease caused by one of them. Others have names like "T4 phage". -- Jerry ------------------------------ Date: Wed, 23 Aug 89 11:20:48 -0400 From: (David Gursky) <dmg@mwunix.mitre.org> Subject: Destructive virus... Does anyone on the list have some information about an alleged virus that caused monitors on either older PCs, Ataris, or Amigas (I forgot which plat- form was susceptible) to self-destruct? We were discussing this nasty over lunch the other day and are interested in finding out more. David Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------------------------------ Date: Wed, 23 Aug 89 14:32:02 -0400 From: Daniel Carr <DANIEL%NCSUVM.BITNET@IBM1.CC.Lehigh.Edu> Subject: Locking Macintosh disks i bet this question has been asked before, so please excuse me, but is it possible for a virus to infect a locked macintosh disk? thanks, >>>>>>>>>>>>>>>>>>>>>>>> Daniel C. Carr <<<<<<<<<<<<<<<<<<<<<<<< >>>>>>> North Carolina State University Computing Center <<<<<<< dcc@ncsuvx.ncsu.edu daniel@ncsuvm.BITNET d.c.carr, GEnie ------------------------------ Date: Thu, 24 Aug 89 10:06:12 -0400 From: dmg@retina.mitre.org (David Gursky) Subject: Re: Swap Virus Name (PC) In deference/support to Y. Radai, while it is important to try and be consisten t about the naming convention we use for viruses and so forth, it is not "life- threatening". As the "Swap" virus does not fit into the current naming convention well, and "Swap" is not a "libelous" name (as opposed to calling it the "Jim and Tammy Bakker" virus for example), then why *shouldn't* we call it the "Swap" virus. ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 28 Aug 1989 Volume 2 : Issue 181 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk [Ed. Sorry for the delay on this digest - I've been out of town for a couple of days.] Today's Topics: RE:locked macintosh disks vaccine source (PC) Collecting a Virus (Mac) (Hardware) Destructive Virus (Story) Infecting applications on locked Mac disks... Monitor destroying virus (PC) Monitor destruction List of Viruses/Antidotes/Vaccines for PC/AT/386 Re: Swap Virus (PC) V-REMOVE (PC) Looking for info in PC viruses lost address... Re: Locking Macintosh disks --------------------------------------------------------------------------- Date: Thu, 24 Aug 89 17:48:47 -0400 From: Sari <3XMQGAA@CMUVM> Subject: RE:locked macintosh disks In reply to Dan Carr's question. No, when you lock a macintosh disk and st ick in the drive, there is absolutley no way for the virus to infect the disk. Acknowledge-To: <3XMQGAA@CMUVM> ------------------------------ Date: Thu, 24 Aug 89 17:05:47 -0700 From: Steve Clancy <SLCLANCY@UCI.BITNET> Subject: vaccine source (PC) I would like to offer our bulletin board system once again to the readers of Virus-L as a source of VIRUSCAN and other "vaccine/scanner" programs that are occasionally mentioned here. I attempt to keep up with the most recent versions I can locate of the various programs, and usually also have the current version of the Dirty Dozen trojan horse/list. The Wellspring RBBS is located in the Biomedical Library of the University of California, Irvine (U.S.A). Numbers and settings are as follows: Line # 1 - (714) 856-7996 300-9600 (HST) N81 - 24 hours Line # 2 - (714) 856-5087 300-1200 baud N81 - Evenings & Weekends Callers from Virus-L should use the following passwords to allow immediate access to downloading of files: First name Last name Password ---------- --------- -------- VL1 BITNET BIT1 VL2 BITNET BIT2 All files are located in the VIR files directory. The system uses standard RBBS commands. I attempt to get my files from the original source whenever possible. % Steve Clancy, Biomedical Library % WELLSPRING RBBS % % University of California, Irvine % 714-856-7996 300-9600 24hrs% % P.O. Box 19556 % 714-856-5087 300-1200 % % Irvine, CA 92713 U.S.A. % % % SLCLANCY@UCI % "Are we having fun yet?" % ------------------------------ Date: Fri, 25 Aug 89 08:25:29 -0400 From: "Gregory E. Gilbert" <C0195@UNIVSCVM> Subject: Collecting a Virus (Mac) How does one go about "capturing" virus code on an infected disk or at least view the offending code? Would one use ResEdit? Any other comments are most welcome. Thanks much. ------------------------------ Date: Fri, 25 Aug 89 07:45:00 -0400 From: WHMurray@DOCKMASTER.ARPA Subject: (Hardware) Destructive Virus (Story) >Does anyone on the list have some information about an alleged virus >that caused monitors on either older PCs, Ataris, or Amigas (I forgot which >platform.... The story is apocryphal. Roots are as follows: 1. Anything a computer can be programmed to do, a virus can do. Thus, if a computer can be programmed for behavior that will damage the hardware, then it can be destroyed by a virus. 2. Early IBM PC Monochrome Adapter had a flaw under which a certain set of instructions could interfere with the normal sweep circuit operation, causing camage to the monitor. 3. Based upon this combination of facts, there has been speculation about the possibility of a virus exploiting this, or similar, flaws. Much of it has been in this list. To my knowledge, no such virus has ever been detected. The number of such PCs is vanishingly small but larger than the ones that such a virus might find. Those that exist are so old that a monitor failure would be attributed to old age. A virus would likely go unnoticed. Of course, it is a little silly to build a computer such that it can be programmed to perform hardware damaging behavior. Such damage is likely to occur by error. That is how the flaw in the IBM's was discovered. William Hugh Murray, Fellow, Information System Security, Ernst & Young 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ------------------------------ Date: Fri, 25 Aug 89 08:19:02 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: Infecting applications on locked Mac disks... No. If the write-protect mechanism is working properly, any software operation will be unable to change the contents of the disk. If the write-protect mechanism is somehow faulty, all bets are off. Note: The write-protect mechanism on Mac disks is done in hardware. David Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------------------------------ Date: Fri, 25 Aug 89 08:38:34 -0700 From: Robert Slade <USERQBPP@SFU.BITNET> Subject: Monitor destroying virus (PC) Regarding the request for information on a virus that destroyed monitors: I have had confirmed that there is a command for certain types of monitor adapter cards for the IBM/ISA/MS-DOS world which will turn off the "scanning" of the display. This means that a line or point may "burn in" on the monitor and destroy the phosphors at that point. When used "properly" it may also cause the CRT itself to overheat and burn out. The cards susceptible to this are all older CGA type. As far as I am aware, this code has never been incorporated into a virus. It would not do ttoo mcuh damage in any case, as it is very machine specific. ------------------------------ Date: 25 Aug 89 10:56:49 -0500 From: "Bob Johnson (312) 245-3532" <U27745@UICVM> Subject: Monitor destruction I seem to recall that the the olp IBM PCs ( and clones ) with EGA cards were susceptable to this problem. The cuase was the ability to change the scan rate of a card ( and thus the monitor ). If the scan rate was too high the flyback transformer in the monitor would over heat and catch on fire. I don't remember viruses doing this damage but rather public domain games and the like. Bj << u27745@uicvm.uic.edu >> ------------------------------ Date: Thu, 24 Aug 89 23:46:59 +0000 From: ames!fxgrp!pegasus!lan@uunet.UU.NET (Lan Nguyen) Subject: List of Viruses/Antidotes/Vaccines for PC/AT/386 Hi, I am compiling a list which consists of the following items: 1) Viruses, date first discovered, source(s). 2) Antidotes/Vaccines for the above viruses, latest version, when were they made available. Are they Public Domaine (PD), Shareware (Share) or Commercial (Cmc) products, Author(s). I wonder if such a list has already existed? if so could someone send me a copy preferrable via E-Mail. I will post my findings on the net to all interested parties in about two weeks time. Thank you all in advance for your help. Lan Internet: lan@fx.com UUCP: ...!ames!fxgrp!lan ------------------------------ Date: Fri, 25 Aug 89 17:48:56 +0300 From: "Yuval Tal (972)-8-474592" <NYYUVAL@WEIZMANN> Subject: Re: Swap Virus (PC) I don't think that it is so important how we call the virus. I've decided to call it the swap virus becuase the message "The Swapping-Virus...' appears in it! We can also call him the Israeli Boot Sector or The Dropping Letter virus - it is not important! as long as people know by its name what it should look like! Meaning: Ping-Pong --> there is a ping pong on the screen so I think that calling it "The Dropping Letter Virus" will be just fine. I think that the name "Israeli boot sector" is not such a good name. Think about the simple users who do not care it this virus was written in Israel or in any other place. They also doesn't care if it a boot sector virus or anything else! Again, I think that the name should describe what the virus is doing! - -Yuval Tal +--------------------------------------------------------------------------+ | BitNet: NYYUVL@WEIZMANN Domain: NYYUVAL@WEIZMANN.WEIZMANN.AC.IL | | InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU | +-----------------------------------+--------------------------------------+ | Yuval Tal | "Remember the next time you hear a | | The Weizmann Institute Of Science | fighter jet go by - you are hearing | | Rehovot, Israel | the SOUNDS OF FREEDOM" - Major Bill | +-----------------------------------+--------------------------------------+ ------------------------------ Date: Thu, 24 Aug 89 08:36:01 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: V-REMOVE (PC) The HomeBase group is releasing a new disinfector program that is able to remove all known viruses, repair all infected COM files, repair most infected EXE files, replace infected partition tables and boot sectors, and generally make life easier for people with infected IBM PCs. Our previous practice of releasing one disinfector program per virus has given us a terrific maintenance headache, and so V-REMOVE (which does them all) is our next step on the path. What we need now are beta testers with Large virus libraries. Interested parties please contact John McAfee or Colin Haynes at 408 727 4559. Alan ------------------------------ Date: 25 Aug 89 23:00:29 +0000 From: audoire@inria.inria.fr (Louis Audoire) Subject: Looking for info in PC viruses I'm about to release a nice package fighting Macintosh viruses in real-time. I would like to add to my cdev virus eradicator the ability to clean PC files as most Mac now have FDHD drives. Where may I find the methods to remove viruses of PC files ? Yours, Maurice. ------------------------------ Date: Fri, 25 Aug 89 21:08:47 -0400 From: "W. K. (Bill) Gorman" <34AEJ7D@CMUVM.BITNET> Subject: lost address... Would the gentleman from New Zealand who contacted me by mail in response to something I posted on this list please re-contact me, either by E-mail or otherwise? I have lost the address entirely. [Apologies to the list - this is my only chance at relinking with this person.] A RESTRICTED, CONFIDENTIAL COMMUNICATION FROM THE VIRTUAL DESK OF: ............................................................................... |W. K. "Bill" Gorman Foust Hall # 5 | |PROFS System Administrator E-Mail & Message Computer Services | |Central Michigan University Encryption/Security Mt. Pleasant, MI 48859 | |34AEJ7D@CMUVM.BITNET Virus Countermeasures (517) 774-3183 | |_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_| These comments reflect personal opinions held at the time this was written. Copyright (C) 1989 W. K. Gorman. All rights reserved. ------------------------------ Date: 25 Aug 89 22:42:33 +0000 From: trebor@biar.UUCP (Robert J Woodhead) Subject: Re: Locking Macintosh disks DANIEL%NCSUVM.BITNET@IBM1.CC.Lehigh.Edu (Daniel Carr) writes: >i bet this question has been asked before, so please excuse me, but >is it possible for a virus to infect a locked macintosh disk? If the diskette is hardware locked (ie: the little slide is slid so that you can see a hole) then the hardware won't write onto that disk, so if you stick it into an infected machine it won't get infected. If, on the other hand, files on an unlocked disk are locked in _software_, they may be fair game to a persnickety virus. - -- (^;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-;^) Robert J Woodhead, Biar Games, Inc. !uunet!biar!trebor | trebor@biar.UUCP ``I can read your mind - right now, you're thinking I'm full of it...'' ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Tuesday, 29 Aug 1989 Volume 2 : Issue 182 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Suggestion for "Ultimate Virus" Re: Destructive virus... Re: NEW VIRUS DICOVERED AND DISASSEMBLED Re: Destructive virus... List of viruses Antidotes for the DATACRIME family (PC) New PC Virus Re: (Hardware) Destructive Virus (Story) --------------------------------------------------------------------------- Date: 26 Aug 89 05:37:36 +0000 From: ari@eleazar.dartmouth.edu (Ari Halberstadt) Subject: Suggestion for "Ultimate Virus" Hello everyone, I've been thinking lately of how to write the ultimate virus, one that would be very hard to identify with pattern matching techniques, though perhaps single stepping through it would work. At any rate, if my ideas are good [for the viruses, not users], I do not want to post them to the world at large. I was wondering who is a trusted expert on the subject who would be interested in hearing my ideas? I've never written a virus, and I do not intend to write one. If I ever felt foolish enough to do so, it would be a benign experiment -- though it may fill up the disk. This is simply a theoretical exercise. Part of the value of dreaming up an ultimate virus is being a step ahead of the virus makers: if we know where they're going, we can beat them to it. - -- Ari Halberstadt '91, "Long live succinct signatures" E-mail: ari@eleazar.dartmouth.edu Tel: (603) 640-5687 Disclaimer: "Live Free or Die" [Ed. I wonder if that's what RTM thought...] ------------------------------ Date: 25 Aug 89 16:53:27 +0000 From: ucrmath!proton!muon!baumann@ucsd.edu (Michael Baumann) Subject: Re: Destructive virus... In article <0002.8908241743.AA12387@ge.sei.cmu.edu> dmg@mwunix.mitre.org (David Gursky) writes: >Does anyone on the list have some information about an alleged virus that >caused monitors on either older PCs, Ataris, or Amigas (I forgot which plat- >form was susceptible) to self-destruct? We were discussing this nasty over >lunch the other day and are interested in finding out more. I believe that you are thinking of the older PC, with the original IBM Mono adaptor. It is possible in software to shut off the sync signal, and in the original mono monitor, this meant that DC was applied to the flyback transformer. POOF. - ----------------------------------------------------------------------------- Radiation Research Lab |Internet: baumann%proton.UUCP@ucrmath.UCR.EDU Loma Linda Universtiy Medical Center | UUCP: ...ucrmath!proton!baumann Loma Linda, California. (714)824-4077| ------------------------------ Date: Sun, 27 Aug 89 08:33:09 -0400 From: corpane!disk!jcsewell@e.ms.uky.edu (Jim Sewell) Subject: Re: NEW VIRUS DICOVERED AND DISASSEMBLED Regarding the name VACSINA: Vaccine makes no sense as a name for a virus unless it was to be passed off as a vaccine. This program doesn't sound as if it was meant to fool people with that ruse so I suggest that perhaps the name has nothing to do with vaccines. Perhaps it is the Dec VAX or Vacation or Vaccuum as opposed to vaccine. Just a thought. Jim ------------------------------ Date: 25 Aug 89 09:03:25 +0000 From: Sam Wilson <samw@castle.ed.ac.uk> Subject: Re: Destructive virus... In article <0002.8908241743.AA12387@ge.sei.cmu.edu> dmg@mwunix.mitre.org (David Gursky) writes: >Does anyone on the list have some information about an alleged virus that >caused monitors on either older PCs, Ataris, or Amigas (I forgot which plat- >form was susceptible) to self-destruct? I don't know of any virus which does this but a couple of years ago I recall being told about a screen saver for the PC which assumed you were using an {IBM|Hercules} controller. It worked by directly writing to the registers of the controller chip. When you used it with a {Hercules|IBM} card the the controller was different and the values poked into the registers caused the controller to run at some strange scan rate which occasionally caused the monitor and/or the driver hardware on the controller card to burst into flames. Sam Wilson Edinburgh University Computing Service, Scotland - ---------- "What we really need .... ... is a piece of software that actually makes a computer blow up just like in the movies...." ------------------------------ Date: Mon, 28 Aug 89 12:19:00 -0500 From: Craig Minton <U12345C%OSUCC.BITNET@IBM1.CC.Lehigh.Edu> Subject: List of viruses If someone is keeping a list of all of the viruses that have been talked about on this list, I would appreciate it if he/she would send me a list of them in message format. If you don't have them all, I would appreciate what you have. I am trying get a compilation of them for later reference, etc. I need it to say what the virus is, what it does, how it works, and possible remedies. I particularly like the format that was used when the swapping virus was reported. Thanks for any help. .....Craig..... ------------------------------ Date: Mon, 28 Aug 89 13:45:10 -0700 From: fu@unix.sri.com (Christina Fu) Subject: Antidotes for the DATACRIME family (PC) Recently, I have had a chance to investigate the 1280, 1168 and DATACRIME II viruses, and found some interesting differences between the first two versions and DATACRIME II. As a result, I have developed an antidote for both 1280 and 1168, and an antidote for the DATACRIME II. Among the differences between these viruses, the most significant one for developing antidotes is that the DATACRIME II virus generates a mutually exclusive signature set than the other two. Because of the said difference, the antidote for the 1280 and 1168 becomes a de-antidote for the DATACRIME II, and vice versa. Which means, if a file is infected with either 1280 or 1168, it is still vulnerable of contracting DATACRIME II, and vice versa (this situation does not exist between 1280 and 1168, however). If we view these viruses as two different strains, then these antidotes make more sense, otherwise, they can be useless. Another interesting thing is that the DATACRIME II purposely avoids infecting files with a "b" as the second character in the name (such as IBMBIO.COM and IBMDOS.COM), while the other two avoids to infect files with a "d" as the seventh character in the name (such as COMMAND.COM), and aside from that, the DATACRIME II virus can also infect EXE files, unlike the other two. I am looking into providing them to the public free of charge (I do not claim responsibility or ask for donation). Any interested archive sites please let me know. By the way, I need a sample disclaimer for programs distributed in this manner. ------------------------------ Date: Mon, 28 Aug 89 21:10:56 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: New PC Virus A new PC virus has been turned over to the CVIA by RAP Systems of San Bruno, CA. RAP Systems discovered the virus at one of their Northern California client sites on August 17. The virus infects COM and EXE files (with the exception of COMMAND.COM) and increases their size by exactly 2500 bytes. The virus seems to have an activation date of Friday 13, and when activated, it destroys both executable and data files in a seemingly random fashion. Of interest is the fact that the infected client was also infected with the Jerusalem Virus version B. Both viruses appeared able to infect the same files. The virus has been temporarily dubbed the RAP virus. More info. will be reported as we take it apart. Alan ------------------------------ Date: 29 Aug 89 09:09:22 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: (Hardware) Destructive Virus (Story) p.s. I did in fact accidentally test the code to destruction...sigh I didnt beleive at the time that the design could be so abysymally stupid and managed to burn out my monitor at the time!! thoroughly embarrassing!! ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Thursday, 31 Aug 1989 Volume 2 : Issue 183 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Ping-Pong variants (PC) Virus Report from Brazil PC virus list; Swap virus; Israeli virus; Disassemblies CVIA reports new virus at Ohio State (PC) VirusScan updated for New Ohio Virus (PC) nVIR A and nVIR B explained (Mac) VACSINA ... why we called it so (PC) Virus Collection (Mac) Virus Collecting (Mac) --------------------------------------------------------------------------- Date: 28 Aug 89 14:09:10 +0000 From: mcvax!rhi.hi.is!frisk@uunet.uu.net (Fridrik Skulason) Subject: Ping-Pong variants (PC) I have now seen three different variants of the ping-pong virus. The only difference is the character that bounces around the screen. The (original ?) version where the character is a dot is the most common one, but a version that uses the "diamond" (character number 4) is also fairly common here. Finally, I have seen a version that displays a "smiley" (character number 2) at one site. Are the two modified versions known elsewhere in the world or are they just local mutations ? Fridrik Skulason University of Iceland frisk@rhi.hi.is Guvf yvar vagragvbanyyl yrsg oynax ................. [Ed. ^(the above sentence) Huh? :-) ] ------------------------------ Date: Tue, 29 Aug 89 10:44:26 +0300 From: Geraldo Xexeo <COS20001@UFRJ.BITNET> Subject: Virus Report from Brazil I think that the netland could be interested in a Virus Report from Brazil. It is important to say that in Brazil there aren't big networks or lots of Lan's. Most of the virus are distributed by disks. Source: O Globo (nation-wide newspaper) from a research of Modulo Consultants.(21/8/89) Number of micro-computers researched: 550. Viruses detected : disease Brain, Israely : lost of files Ping Pong : a bouncing ball in the video , no harm sUMsDos : slows machine, uses memory, no harm detected Alameda : harm winchester Lehigh : harm any disks (Why Lehigh?) Madonna : While Madonna sings in your video, you looseyour disk Cookie : Shows "Give me a cookie" in the video Water fall : fallof characters(translated from Cascata) Mailson : inversion of characters in video and printer : named after a Brazilian politician Number of detections: Jan: 2 Feb: 4 Mar: 6 Apr: 12 May: 22 Jun: 41 Jul: 66 Avaliation: Most of the virus are harmfull, thenames could not be right but are the used in Brazil.More than 10% are infected. Exponencial growing. From Brazil, Geraldo Xexeo ------------------------------ Date: Tue, 29 Aug 89 16:05:44 +0300 From: Y. Radai <RADAI1@HBUNOS.BITNET> Subject: PC virus list; Swap virus; Israeli virus; Disassemblies For several reasons, one of which is very irregular receipt of VIRUS-L, I've been out of touch with it for several weeks now. So please forgive me if some of the postings referred to below are a few weeks old. PC Virus List ------------- Lan Nguyen asks whether a list of PC viruses, incl. date first dis- covered and source(s), exists. I will soon be submitting to VIRUS-L a considerably updated version of the list I first posted on May 16. Meanwhile, Lan, I'm sending you my list as it currently stands (29 viruses, 70 strains). The Swap Virus -------------- Yuval Tal writes: >I don't think that it is so important how we call the virus. I've >decided to call it the swap virus becuase the message "The Swapping- >Virus...' appears in it! ....... I think that calling it "The >Dropping Letter Virus" will be just fine. Well, "The Dropping Letter Virus" would be a poor choice since (as I mentioned in an earlier posting) this also describes the Cascade and Traceback viruses. Yuval has explained that he originally called it the Swap virus because it writes the following string into bytes B7-E4 of track 39, sector 7 (if sectors 6 and 7 are empty): The Swapping-Virus. (C) June, 1989 by the CIA However, he has not publicly explained how the words SWAP VIRUS FAT12 got into the boot sector of some of the diskettes infected by this virus, so let me fill in the details. As David Chess and John McAfee both pointed out quite correctly, these words are not part of the virus. What happened was that Yuval wrote a volume label SWAP VIRUS onto each infected diskette for identification. Had his system been DOS 3 the label would have been written only into the root directory. But since he was apparently using DOS 4, it was also written into bytes 2Bh-35h of the boot sector. (That still leaves the string FAT12 in bytes 36h-3Ah to be explained. Under DOS4, the field 36h-3Dh is supposed to be "reserved". Anyone got any comments on that?) So although I didn't know at the time that the words SWAP VIRUS came from Yuval, it seems that my (and his original) suggestion to call it the Swap virus is still the best choice. The Israeli/Friday-13/Jerusalem Virus ------------------------------------- In response to a query from Andrew Berman, David Rehbein gave a quite accurate description of the virus, except for one small point: >(It will infect and replicate itself in ANY executible, no matter >the extension..check especially .OVL and .SYS) To the best of my knowledge, no strain of this virus (or, for that matter, of any other virus that I know of) infects overlay or SYS files. Andrew Berman writes concerning this virus: > She think's >she's cleaned it out by copying only the source codes to new disks, >zapping the hard drives, and recompiling everything on the clean hard >disks. It's a pity that so many people try to eradicate the virus by such difficult means when (as has been mentioned on this list and else- where) there is a file named UNVIR6.ARC on SIMTEL20 (in <MSDOS.TROJAN- PRO>) containing a program called UNVIRUS which will easily eradicate this virus and 5-6 others as well, plus a program IMMUNE to prevent further infection. Disassembling of Viruses ------------------------ In response to a posting by Alan Roberts, David Chess replied: >I think it's probably a Good Thing if at least two or three people do >independant disassemblies of each virus, just to make it less likely >that something subtle will be missed. I know my disassemblies (except >the ones I've spent lots of time on) always contain sections marked >with vaguenesses like "Does something subtle with the EXE file header >here". .... I probably tend to lean towards "the more the merrier"! I can appreciate David's point. However, I would like to point out that the quality of (commented) disassemblies differs greatly from one person to another. As Joe Hirst of the British Computer Virus Re- search Centre writes (V2 #174): >Our aim will be to produce disassemblies which cannot be improved upon. And this isn't merely an aim. In my opinion, his disassemblies are an order of magnitude better than any others I've seen. He figures out and comments on the purpose of *every* instruction, and vagueness or doubt in his comments is extremely rare. What I'm suggesting is this: If you have the desire, ability, time and patience to disassemble a virus yourself, then have fun. But unless you're sure it's a brand new virus, you may be wasting your time from the point of view of practical value to the virus-busting community. And even if you are sure that it's a new virus, take into account that there are pros like Joe who can probably do the job much better than you. So what about David's point that any given disassembler may miss something subtle? Well, I'm not saying that Joe Hirst should be the *only* person to disassemble viruses. Even he is only human, so there should be one or two other good disassemblers to do the job indepen- dently. But no more than 1 or 2; I can't accept David's position of "the more the merrier". Btw, disassemblers don't always get the full picture. Take, for example, the Merritt-Alameda-Yale virus, of which I have seen three disassemblies. They all mentioned that the POP CS instruction is invalid on 286 machines, yet none of them mentioned the important fact that when such a machine hangs the virus has already installed itself in high RAM and hooked the keyboard interrupt, so that the infection can spread if a warm boot is then performed! That fact seems to have been noticed only by ordinary humans. Y. Radai Hebrew Univ. of Jerusalem ------------------------------ Date: Tue, 29 Aug 89 12:49:52 -0700 From: portal!cup.portal.com!garyt@Sun.COM Subject: CVIA reports new virus at Ohio State (PC) Forwarded message from John McAfee on the Homebase BBS: A new boot sector virus has been turned in to the CVIA. The virus was first discovered at Ohio State University by Terry Reeves in May of this year. It is a floppy-only variety. It will infect any new diskette as soon as the diskette is accessed (COPY, DIR, DEL, Program Load, etc.), similar to the Pakistani Brain. The virus will freeze the system if a <ctrl><alt><del> is pressed and a cold boot is then required. When the virus activates, the first copy of the FAT becomes corrupted. No other sysmptoms have been reported. More information will be supplied after a detailed analysis. ------------------------------ Date: Tue, 29 Aug 89 21:24:18 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: VirusScan updated for New Ohio Virus (PC) ViruScan V36 now identifies the new virus found at Ohio State University. The scanner identifies the virus as the 'Ohio Virus'. This name was discussed with Terry Reeves at Ohio State (the discoverer) and he has assented to its use. Alan ------------------------------ Date: Wed, 30 Aug 89 14:41:53 -0000 From: LBA002%PRIME-A.TEES-POLY.AC.UK@IBM1.CC.Lehigh.Edu Subject: nVIR A and nVIR B explained (Mac) I spotted this in the August issue of Apple2000 (a UK Mac user group magazine.) It first appeared on the Infomac network and the author is John Norstad of Academic Computing & Network Services, Northwestern University (hope it's OK with you to reproduce this John?) It may be old-hast to all the virus experts but I found it interesting & informative. nVIR A & B There has been some confusion over exactly what the nVIR A & nVIR B viruses actually do. In fact, I don't believe the details have ever been published. I just finished spending a few days researching the two nVIR viruses. This report presents my findings. As with all viruses, nVIR A & B replicate. When you run an infected application on a clean system the infection spreads from the application to the system file. After rebooting the infection in turn spreads from the system to other applications, as they are run. At first nVIR A & B only replicate. When the system file is first infected a counter is initialized to 1000. The counter is decremented by 1 each time the system is booted, and it is decremented by 2 each time an infected application is run. When the counter reaches 0 nVIR A will sometimes either say "Don't Panic" (if MacinTalk is installed in the system folder) or beep (if MacinTalk is not installed in the system folder.) This will happen on a system boot with a probability of 1/16. It will also happen when an infected application is launched with a probability of 31/256. In addition when an infected application is launched nVIR A may say "Don't Panic" twice or beep twice with a probability of 1/256. When the counter reaches 0 nVIR B will sometimes beep. nVIR B does not call MacinTalk. The beep will happen on a system boot with a probability of 1/8. A single beep will happen when an infected application is launched with a probability of 15/64. A double beep will happen when an application is launched with a probability of 1/64. I've discovered that it is possible for nVIRA and nVIRB to mate and sexually reproduce, resulting in new viruses combining parts of their parents. For example if a system is infected with nVIRA and if an application infected with nVIRB is tun on that system, part of the nVIRB infection is replaced by part of the nVIRA infection from the system. The resulting offspring contains parts from each of its parents, and behaves like nVIRA. Similarly if a system is infected with nVIRB and if an application infected with nVIRA is run on that system, part of the nVIRA infection in the application is replaced by part of the nVIRB infection from the system. The resulting offspring is very similar to its sibling described in the previous paragraph except that it has the opposite "sex" - each part is from the opposite parent. it behaves like nVIRB. These offspring are new viruses. if they are taken to a clean system they will infect that system, which will in turn infect other applications. The descendents are identical to the original offspring. I've also investigated some of the possibly incestual matings of these two kinds of children with each other and with their parents. Again the result is infections that contain various combinations of parts from their parents. (Hot stuff!) Rgds, Iain Noble ------------------------------ Date: Wed, 30 Aug 89 19:52:23 -0500 From: Christoph Fischer <RY15%DKAUNI11.BITNET@IBM1.CC.Lehigh.Edu> Subject: VACSINA ... why we called it so (PC) Hi, we called the virus VACSINA because the virus opens a file named VACSINA. It dosen't check the return status of the open call. It never touches the file till the end of the virus code, where it closes the file (again ignoring the return code). We think the virus programmer will add some code in a later version of the virus. (Remember we presumed that this is a prematurely escaped virus). The word vaccine comes from the latin word vacca = cow and is spelled with two c in all languages. Only in Norwegian we found the word to be spelled vaksine. So VACSINA is rather odd and what the virus does with the file it opens is odd too, so we decide to name the virus VACSINA. Anyhow nobody will detect a virus by it's name like cascade or vienna or whatever. The File length is somewhat ambigous and therefor not necessarily suitable. To detect the original virus we found, you can in fact search for the word VACSINA (all capitals). I hope this answers those questions about the name. Chris ***************************************************************** * Torsten Boerstler and Christoph Fischer and Rainer Stober * * Micro-BIT Virus Team / University of Karlsruhe / West-Germany * * D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 * * E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET * ***************************************************************** ------------------------------ Date: Wed, 30 Aug 89 15:35:53 -0400 From: "Gregory E. Gilbert" <C0195@UNIVSCVM> Subject: Virus Collection (Mac) Suppose one has a disk infected with nVir B. How would one go about "capturing" the virus? ------------------------------ Date: Wed, 30 Aug 89 17:11:34 -0400 From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV> Subject: Virus Collecting (Mac) "Gregory E. Gilbert" <C0195@UNIVSCVM> writes: > >How does one go about "capturing" virus code on an infected disk or at >least view the offending code? Would one use ResEdit? Any other >comments are most welcome. Thanks much. > Very carefully. ResEdit is of course the best way of looking at the resources in a given file, but it's of little use if you are attempting do disassemble the code. MacNosy is a good debugger/disassembler combination, once you know where the code is hiding. My suggestion, of course, is to get rid of any virus you find as fast as possible. If you're sure it's new, contact John Norstad at the address in the Disinfectant documentation; he's interested in new viruses, so that he can keep Disinfectant up to date. --- Joe M. ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Friday, 1 Sep 1989 Volume 2 : Issue 184 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: Virus Naming re: Virus Report from Brazil Anyone ever hear of this virus? (PC) Is this a virus? (PC) --------------------------------------------------------------------------- Date: 25 Aug 89 18:27:28 +0000 From: ttidca.TTI.COM!hollombe%sdcsvax@ucsd.edu (The Polymath) Subject: Re: Virus Naming EICHTER@Venus.YCC.Yale.Edu (Jerry Leichter) writes: }The closest match from the traditional sciences is clearly with }medicine. The person who gets to choose the name is the person who }publishes the first article which describes the disease in some }detail. ... }... When the discoverer doesn't choose a name, the disease }often gets named after him (Wernickie's Aphasia). I think this is the way to go for simple psychological reasons. Naming a virus for its discoverer is a strong discouragement to the virus writers. Imagine the frustration of writing what you think is a really nifty virus, only to have someone else's name associated with it. Not much incentive there. There's more than one way to fight this war. - -- The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com) Illegitimati Nil Citicorp(+)TTI Carborundum 3100 Ocean Park Blvd. (213) 452-9191, x2483 Santa Monica, CA 90405 {csun|philabs|psivax}!ttidca!hollombe ------------------------------ Date: 31 Aug 89 00:00:00 +0000 From: David M. Chess <CHESS@YKTVMV.BITNET> Subject: re: Virus Report from Brazil Does this imply that the Lehigh virus has been seen in Brazil? That's certainly news if so; first I've heard of it being anywhere outside Lehigh. Given the destructiveness of this virus, if it's gotten into the World at Large, that'd be worth knowing for sure. Did the article give any more details and/or has anyone else heard of the Lehigh virus spreading beyond Lehigh? DC [Ed. I'm not aware of either Lehigh virus having infected anything outside of the Lehigh University campus.] ------------------------------ Date: 31 Aug 89 00:00:00 +0000 From: "Kenneth R. van Wyk" <krvw@sei.cmu.edu> Subject: Anyone ever hear of this virus? (PC) Has anyone out there ever heard anything of a "Columbus Day" virus? If it exists at all (and I have no proof that it does), then it doesn't appear to have been discussed on VIRUS-L. If anyone can substantiate, one way or the other, the existence of this virus, please email me and I'll summarize to the list. Thanks. Ken ------------------------------ Date: Fri, 01 Sep 89 16:26:00 +0300 From: <87303012@KRSNUCC1.BITNET> Subject: Is this a virus? (PC) HI, there. I 'm a college student studying physics. Now I have discovered a suspicious thing about MS-DOS's behavior in my sense. When I copy some files to a floppy but I misput a write protected diskette, I find the error massage "retry, ...". At this time, if I answer "r" to the massage and puting a non-protected diskette, then the FAT and DIRECTORY of the protected diskette is transfered to the second non protected diskette(and the files that I copied to). Is this a DOS's bug or a virus? I look forward to the help from anybody. Thank you. Kim, YunKi <87303012@KRSNUCC1> BITNET Seoul Nat'l Univ. Dep. of Physics ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Tuesday, 5 Sep 1989 Volume 2 : Issue 185 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Anti-Virus/Virus Listing Re: Is this a virus? (PC) RE: capturing viruses (Mac) Columbus Day Virus and Lehigh (PC) Re: Is this a virus? (PC) Virus or no? Help please (PC) Re: is this a virus? (PC) Kim's question concerning FATs (PC) removing a floppy then Retry (PC) Columbus Day "virus" (PC) Re: Virus Naming Appleshare and viruses ? --------------------------------------------------------------------------- Date: Fri, 01 Sep 89 06:28:54 -0700 From: portal!cup.portal.com!Chuck_SirVAX_Staatse@apple.com Subject: Anti-Virus/Virus Listing I teach a class on hard disk management. Naturaly I cover virues, but do not have a list of virus names and what programs are currently available to combat these viruses. Coulde someone please post a list of this information. Could you also include some information about the CV group who are working to combat these viruses. Thanks, Chuck ------------------------------ Date: 01 Sep 89 00:00:00 +0000 From: David M. Chess <CHESS@YKTVMV.BITNET> Subject: Re: Is this a virus? (PC) > ...if I answer "r" to the > massage and puting a non-protected diskette, then the FAT and > DIRECTORY of the protected diskette is transfered to the second non > protected diskette(and the files that I copied to). DOS has always done this, I think. I believe some versions of the documentation Strongly Warn against switching diskettes during the "Abort, Retry..." message. I realize that may not be much consolation! But it's not a virus, at least... DC ------------------------------ Date: Fri, 01 Sep 89 10:19:00 -0400 From: "Alex Z." <ACSAZ@SEMASSU.BITNET> Subject: RE: capturing viruses (Mac) Well, with a virus (take scores for example), you could identify the infected files and then view them with a utility like Fedit+. I think that would be a better way to view the code than Resedit. Alex Z... . . . ------------------------------ Date: Fri, 01 Sep 89 08:11:05 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: Columbus Day Virus and Lehigh (PC) Ken van Wyk asks about the Columbus day Virus. It's the same as the DataCrime virus versions one and two (not to be confused with the DataCRime II). Columbus day is October 12. The Datacrime versions 1 and 2 activate on October 12. I would discourage the use of "Columbus Day Virus" as a name, since DatCrime has been an accepted name for quite some time. Also, the Lehigh original virus has been sporadically reported at dozens of installations outside of the university for over a year. It is not a particulary successful replicator -- probably because of the extremely short activation fuse - and it is difficult to detect and report because there are few symptoms prior to activation. Buit there should certainly be no surprise that it's in the public domain. In John McAfee's report to the CVIA on epidemiology he writes - "The belief that viruses can be contained by early counter-action is belied by the Lehigh University experience. I have spoken to a number of individuals at the University who belived that the virus had somehow been contained because "no copies of the virus were distributed to outside organizations". This assumed, of course, that the original virus writer gave up after being foiled at Lehigh and did not insert the virus at any other location, and that all copies of the virus at Lehigh had indeed been accounted for. The first issue rests solely in the hands of the perpetrator and is beyond any containment controls. The second issue relies on an error-free containment process - allowing no possibility for overlooking, losing or mistaking an infected diskette. In any case, the Lehigh virus was by no means contained. I received a copy, as did virtually every virus researcher, in mid-1988, and infection reports issued throughout the year from universities, corporations and individual computer users." I think John said it better than I could, but my sentiments exactly. Alan ------------------------------ Date: Fri, 01 Sep 00 11:51:00 -0400 From: Bob Babcock <PEPRBV%CFAAMP.BITNET@IBM1.CC.Lehigh.Edu> Subject: Re: Is this a virus? (PC) >When I copy some >files to a floppy but I misput a write protected diskette, I find the >error massage "retry, ...". At this time, if I answer "r" to the >massage and puting a non-protected diskette, then the FAT and >DIRECTORY of the protected diskette is transfered to the second non >protected diskette(and the files that I copied to). Is this a DOS's >bug or a virus? This is a known behavior of MS-DOS. The directory and FAT have already been read before the write protect error is sensed, and when you say retry, DOS doesn't know that you have changed disks, so it doesn't reread the directory info. ------------------------------ Date: Fri, 01 Sep 89 12:31:00 -0400 From: <ACSAZ@SEMASSU.BITNET> Subject: Virus or no? Help please (PC) At our university a student came in and described a problem with his AT compatible and wondered if it was a virus. The symptoms follow: 1. lots of garbage on screen. 2. repeat of dos prompt across the screen. 3. I view all my files with .sys and found word BUG . 4 I could't do any work at the time, but following day all seemed okay. Any of you IBM specialists have any ideas on this one? Alex Z... . . . Library Mac Software Chief SMU ------------------------------ Date: Fri, 01 Sep 89 16:55:59 -0500 From: Joe Simpson <JS05STAF@MIAMIU.BITNET> Subject: Re: is this a virus? (PC) In response to the question about the FAT from a locked disk being written to another disk this is a feature of MS-DOS, not a virus. Another chilling scenario conserns running an application such as a word processor, opening a document, exchangeing data diskettes, and saving a "backup" of the file. This often hoses the "backup" disk and sometines affects the origional file. ------------------------------ Date: 01 Sep 89 15:41:00 -0400 From: "Damon Kelley; (RJE)" <damon@umbc2.umbc.edu> Subject: Kim's question concerning FATs (PC) In response to Kim: I'm no expert at MS-DOS or software-stuff, but I've been poking around in my computer's memory long enough to believe that what you are describing may be normal with MS-DOS. Often I see that within memory, data stays in its assigned spot until something moves or writes over it. I notice this effect with a certain software word-processing/graphing/spreadsheet package I have. Sometimes when I am retreiving data with my package, I place a data disk first before putting in the main program disk. The program needs to do something with the disk with the main program first, so the package asks for the main program disk. Whe the directory pops up for the main program disk, it shows a conglomeration of the files on the curent disk PLUS the files that were on the removed data disk and some random garbage. Nothing grave has happened to my files with this package (It came with my computer. It wasn't PD/Shareware, either.), so I feel that this may be either a DOS bug (not writing over completely the FAT) or something normal. Of course, I've never really had an opportunity to look at the directory track on any disks, so I can't confirm that this is absolutely true. I can find out. Has anyone out there found mixed FATs affecting the performance of their disks? jnet%"damon@umbc" damon@umbc.bitnet damon@umbc2.umbc.edu "Would anyone dare let me represent their views? I think not!!!" ------------------------------ Date: Sat, 02 Sep 89 00:00:00 +0000 From: "Prof Arthur I. Larky" <AIL0@LEHIGH.BITNET> Subject: removing a floppy then Retry (PC) > I 'm a college student studying physics. Now I have discovered a > suspicious thing about MS-DOS's behavior in my sense. When I copy some > files to a floppy but I misput a write protected diskette, I find the > error massage "retry, ...". At this time, if I answer "r" to the > massage and puting a non-protected diskette, then the FAT and > DIRECTORY of the protected diskette is transfered to the second non > protected diskette(and the files that I copied to). Is this a DOS's > bug or a virus? It's a "feature" of MSDOS - when you attempt to write on a floppy, MSDOS reads the FAT and Directory and re-writes it when you are done. If you swap floppies, you get the old information on the new disk. The rule is: NEVER NEVER replace a floppy with another in the middle of a write or a write protect error. Pick the Abort option, not the Retry option; then start the process all over. Anyway, it's not a virus, it's just Bill Gates getting even with the world for making him a billionaire. Art Larky CSEE Dept Lehigh University ------------------------------ Date: Sat, 02 Sep 89 16:05:53 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: Columbus Day "virus" (PC) Yes, I have heard of the "Columbus Day 'virus'". What I have heard is a pronouncement from a certain Dr. S. that this thing exists and on Friday, October 13th, this bugger is going to strike and start causing problems. IMO, this sounds suspiciously like the Jerusalem/Hebrew University virus, *at this point*. Emily Lonsford, a fellow MITRE-ite and contributor here, has meet Dr. S., and was less then impressed with him and his techniques. Of course, none of this means that this virus does not exist as a seperate strain from existing viruses. Barring independant confirmation of this virus, my opinion is that no extraordinary action is needed. [Ed. Thanks for the info - in fact, I received a number of replies about the Columbus Day virus. Most replies indicated that it was the DataCrime virus. Thanks to all those who replied!] ------------------------------ Date: 03 Sep 89 18:58:31 +0000 From: dav@eleazar.dartmouth.edu (William David Haas) Subject: Re: Virus Naming In article <0001.8909011255.AA07043@ge.sei.cmu.edu> ttidca.TTI.COM!hollombe%sdc svax@ucsd.edu (The Polymath) writes: <EICHTER@Venus.YCC.Yale.Edu (Jerry Leichter) writes: <}... When the discoverer doesn't choose a name, the disease <}often gets named after him (Wernickie's Aphasia). < <I think this is the way to go for simple psychological reasons. <Naming a virus for its discoverer is a strong discouragement to the <virus writers. Imagine the frustration of writing what you think is a <really nifty virus, only to have someone else's name associated with <it. Not much incentive there. < <There's more than one way to fight this war. And then you will have virus writers 'discovering' their own work to their name on it. ------------------------------ Date: 04 Sep 89 01:18:53 +0000 From: gilbertd@silver.bacs.indiana.edu (Don Gilbert) Subject: Appleshare and viruses ? What are the conditions under which current Mac viruses can infect files on Appleshare volumes? a. All ashare files are susceptible if volume is mounted to an infected Mac. b. Only files in write- AND read-enabled folders are susceptible. c. Files in write-enabled folders are susceptible (read access doesn't matter). d. Files in read-enabled folders are susceptible (write access doesn't matter). e. Gee, the students are back in town, better lock up your file servers. Don Gilbert biocomputing office gilbertd@iubacs.bitnet gilbertd@gold.bacs.indiana.edu biology dept. indiana univ. bloomington, in 47405 usa ------------------------------ End of VIRUS-L Digest ********************* VIRUS-L Digest Wednesday, 6 Sep 1989 Volume 2 : Issue 186 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: New Amiga virus ? Re: Is this a virus? (PC) Capturing a Mac virus II Re: VACSINA ... why we called it so (PC) Killvirus Antivirus Program Inconsistencies Back-to-school Time Ping-Pong Virus vector (PC) Thanks for all the info --------------------------------------------------------------------------- Date: 04 Sep 89 16:41:39 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: New Amiga virus ? This was recently posted to comp.sys.amiga... In article <716@mathrt0.math.chalmers.se> d8forma@dtek.chalmers.se (Martin Fors sen) writes: | | Last night a friend called me, since he suspected he had a virus. | I gladly grabbed my copy of VirusX (3.20) and drove over, but VirusX | reported no virus. However I saw the text from the virus myself, and | a closer look at the diskette showed that the file c/addbuffers had grown, | furthermore a file with a blank name had appeared in devs. | | The main symptom of this virus is that every fourth time you reboots the tex t: | | A Computer virus is a disease | | Terrorism is a transgession | | Software piracy is a crime | | | this is the cure | | BGS9 Bundesgrensschutz sektion 9 | sonderkommando "EDV" | | | On this disk the virus had replaced the file c/addbuffers, the size of this | new file was 2608 bytes. The above text is encoded in the program, but the | string graphics.library can be found, maybe it's normal for addbuffers to ca ll | graphics.library :-) The orginal addbuffers command was stored in a "blank" | file in the devs directory. | The addbuffers command was the second in the startup sequence on this disk. | I think the virus looks in the startup-sequence for somthing (probably | files to infect), since I found the string sys:s/startup-sequence coded | in the virus. | I don't know if this virus does any damage, but the person first infected | hasn't noticed anything. | | | The questions I now ask me is: | | Is this a known virus? | | and if the answer is no, | | What is Steve Tibbets mail adress? | | | MaF | | Chalmers |USENET:d8forma@dtek.chalmers.se | " Of course I'm not lost, | University |SNAIL: Martin Forssen | I just haven't pinpointed | of | Marielundsgatan 9 | exactly where we are at the | Technology |SWEDEN 431 67 Molndal | moment " (David Eddings) - -- Jim Wright jwright@atanasoff.cs.iastate.edu ------------------------------ Date: 05 Sep 89 13:33:44 +0000 From: decvax!bunker!shap@sei.cmu.edu (Joseph D. Shapiro) Subject: Re: Is this a virus? (PC) In article <0004.8909011255.AA07043@ge.sei.cmu.edu> 87303012@KRSNUCC1.BITNET wr ites: > When I copy some >files to a floppy but I misput a write protected diskette, I find the >error massage "retry, ...". At this time, if I answer "r" to the >massage and puting a non-protected diskette, then the FAT and >DIRECTORY of the protected diskette is transfered to the second non >protected diskette(and the files that I copied to). Is this a DOS's >bug or a virus? Neither. It is normal behavior, given the circumstances. It is obviously not what you _want_ to happen, but then again, the proper answer in the given situation is to _A_bort the operation and start again. - -- __--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__--__ Joe Shapiro "My other car is a \cturbo... ISC-Bunker Ramo ...too." {decvax,yale,philabs,oliveb}!bunker!shap ------------------------------ Date: Tue, 05 Sep 89 10:37:27 -0400 From: "Gregory E. Gilbert" <C0195@UNIVSCVM> Subject: Capturing a Mac virus II Could someone give me a brief description of Fedit+? Freeware? Shareware? Why might it be better than ResEdit? Gregory E. Gilbert Academic Consultant University of South Carolina Columbia, South Carolina 29205 (803) 777 - 6015 ------------------------------ Date: 05 Sep 89 18:51:56 +0000 From: "Manfred J. Pfluegl" <pfluegl%dream-d@ucsd.edu> Subject: Re: VACSINA ... why we called it so (PC) In article <0007.8908311207.AA03884@ge.sei.cmu.edu> RY15%DKAUNI11.BITNET@IBM1.C C.Lehigh.Edu (Christoph Fischer) writes: <stuff deleted> >virus VACSINA. Anyhow nobody will detect a virus by it's name like cascade >or vienna or whatever. The File length is somewhat ambigous and therefor <stuff deleted> Where did the virus "VIENNA" get his name from?? Does anybody know the answer? ************** MM MMPPPP Manfred J. Pfluegl ***** MM M MP P pfluegl@balboa.eng.uci.edu ***** M M MPPPP pfluegl%balboa.eng.uci.edu@ics.uci.edu ***** M MP ------------------------------ Date: Tue, 05 Sep 89 10:55:03 -0400 From: "Gregory E. Gilbert" <C0195@UNIVSCVM.BITNET> Subject: Killvirus Antivirus Program Inconsistencies I was running an old version of virus detective (v. 2.2.1, I think) on a disk on whick I had downloaded a number of files from "MACSERVE at PUCC". The program, I belive, found what it identified as a virus in the KILLLVIRUS software. Upon "resEditing" I noticed what looked like the following: - ------------- | . | | . | | . | | kVir | | nVir | | | - ------------- However, when crossed checked with Virus Detective no bells or whistles were sounded. Could this be a virus? Or is it a bug in the KILLVIRUS software? Thank you very much for your assistance. Gregory E. Gilbert Academic Consultant University of South Carolina Columbia, South Carolina 29205 (803) 777 - 6015 ------------------------------ Date: Tue, 05 Sep 89 10:22:00 -0400 From: WHMurray@DOCKMASTER.ARPA Subject: Back-to-school Time It is back-to-school time. Throughout modern history this has been a time for viruses to manifest themselves. Students congregating in the fall spread them like wildfire. This is going to be particularly bad with computer viruses. Copies which have been lying dormant for the season on unused diskettes will be put into use. Good computer hygiene is going to be particulary important during the next few weeks. Encouraging good practice now may save you a lot of grief during the next few weeks. Regards, Bill William Hugh Murray, Fellow, Information System Security, Ernst & Young 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ------------------------------ Date: Tue, 05 Sep 89 19:33:00 -0400 From: WHMurray@DOCKMASTER.ARPA Subject: Ping-Pong Virus vector (PC) Does the Ping_pong virus travel on 3.5" diskettes? William Hugh Murray, Fellow, Information System Security, Ernst & Young 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ------------------------------ Date: Wed, 06 Sep 89 14:38:00 +0300 From: <87303012%KRSNUCC1.BITNET@VMA.CC.CMU.EDU> Subject: Thanks for all the info Hi everyone. Thank you, all people having provided me with some helps directly and via the list. Here in Korea, nowadays many BBS's come to beings and plenty of people come to concern Communication. But also some viruses are reported recently, like some Brain viruses modified in Korea to change the configuration of AT, Hebru virus( maybe I misspell ), ANSI bomb and so on. Kim, YunKi <87303012@KRSNUCC1> BITNET Seoul NAt'l Univ. Dep. of Physics ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Thursday, 7 Sep 1989 Volume 2 : Issue 187 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: Appleshare and viruses Aborting a write to a write-protected disk (PC) Rumored October 12/13 virus attacks Can a PC Virus get into VMS via VAXPC? --------------------------------------------------------------------------- Date: Wed, 06 Sep 89 11:54:00 -0400 From: Peter W. Day <OSPWD%EMUVM1.BITNET@IBM1.CC.Lehigh.Edu> Subject: Re: Appleshare and viruses >Date: 04 Sep 89 01:18:53 +0000 >From: gilbertd@silver.bacs.indiana.edu (Don Gilbert) >Subject: Appleshare and viruses ? > >What are the conditions under which current Mac viruses can >infect files on Appleshare volumes? I have not attempted to infect any files with a virus, whether on an AppleShare volume or otherwise, but based on what I know about Macintosh, AppleShare and viruses, here is what I think is true. A Mac virus can infect a file only if it can write to the file, no matter where the file is located. A micro cannot access an AppleShare volume directly: it must ask the server to access the AppleShare volume on its behalf. As a result, the server can enforce access privileges. Access privileges apply only to FOLDERS. For the benefit of other readers, the privileges are See Files, See folders and Make Changes. They apply individually to the owner, a group, and everyone. I experimented writing directly to files and folders on an AppleShare volume using Microsoft Word, typing the explicit file path in a Save As... dialog box. For a file to be changeable, the volume and folders in the file path must have See Folders privilege, and the final folder must have See Files and Make Changes privilege. The virus would probably need to search for files to infect, and would only find files along paths with See Folders privs for the volume and folders in the path, and See Files in the final folder. Macintoshes used with shared files are subject to trojans, and the trojan could be infected with a virus. Consider the following scenario: A user has a private folder on a volume shared with others using (say) AppleShare. The volume has a folder containing a shared application named, say, Prog1, and the folder has everyone See Files and See Folders but not Make Changes (i.e. it is read-only). The user makes a private copy of Prog1, and later runs a virus-infected program locally while the shared volume is mounted, and the copy of Prog1 becomes infected. The user now makes his AppleShare folder sharable (See Files, See Folders) to everyone (so that someone can copy a file he has, say). Another user double-clicks on a document created by Prog1, and the Mac Finder happens to find the infected copy of Prog1 before finding the other copy. As a result, the second user's files become infected. Thus I recommend that private folders be readable only by the owner as a matter of policy. Allowing everyone Make Changes creates drop folders so that users can exchange files. Drop Folders are safe enough in that AppleShare does not allow you to overwrite a file when you only have Make Changes priv. However, users should be told to run a virus check on any files that others drop in their folders. ------------------------------ Date: Wed, 06 Sep 89 17:23:34 -0400 From: Bruce_Burrell@um.cc.umich.edu Subject: Aborting a write to a write-protected disk (PC) Several respondants to the "Abort, Retry, Ignore" message have suggested using Abort. I disagree strongly: if you do that, usually you get kicked out to DOS, so e.g. all your current session editing changes are lost. What should be done is to remove the write-protection, and retry. If there's not enough space, most programs will take control and allow a graceful exit. If it fits, but you want it on another disk, so what? Just save again. DONT Abort unless you don't care about the current changes. [Ed. This is probably a better topic for a group like comp.sys.ibmpc since it isn't directly virus related. Nonetheless, it's a fairly fitting end to this subject (right?).] ------------------------------ Date: Wed, 06 Sep 89 16:58:34 -0500 From: IRMSS907%SIVM.BITNET@IBM1.CC.Lehigh.Edu Subject: Rumored October 12/13 virus attacks About the OCT 12/13 rumored virus attack...an article in the Aug 28th issue of Federal Computer Week reports "Sobczak said candidates for the intrusion so far include the following viruses: DATACRIME, a virus that wipes out data by modifying .COM files, alleged to be planed for execution Oct 12 or 13. A West German virus, apparently discussed at a hacker's convention in Amsterdam earlier this month, to be introduced through BITNET. An enhanced version of an earlier Icelandic virus rewritten to avoid detection by constantly changing its location in memory." [Ed. I saw that too (thanks for the FAX, Bruce!) - does anyone have any info about this alleged Icelandic variant?] -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Mignon Erixon-Stanford, PROFS Administrator Smithsonian Institution (Washington, D.C.) / Second Office of Information Resource Management \ thoughts Bitnet: IRMSS907 @ SIVM (or SYSADMIN @ SIVM) / are USUALLY Phone : (202) 357-4243 \ wiser. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ------------------------------ Date: Thu, 07 Sep 89 10:24:00 -0100 From: "Christof Ullwer" <xof@apatix.caed.iao.fhg.de> Subject: Can a PC Virus get into VMS via VAXPC? We have this PC emulation VAXPC V1.0 running under VMS V5.1-1 with DECwindows. Is it possible that PC viruses have the same or at least a similar effect on this emulation i.e. deleting/altering files stored on the virtual disk? Or are there any known viruses that jump out of the emulation and affect files under VMS? Sounds stupid but ifever anyone out there in netland has made bad experiences let me know. - -- ullwer@ds0iff5.bitnet alias Christof Ullwer (xof) Voice (if neccessary) +49-711-6868-6879 ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Thursday, 7 Sep 1989 Volume 2 : Issue 188 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: locked macintosh disks Introduction to the anti-viral archives Amiga anti-viral archive sites Apple II anti-viral archive sites Atari ST anti-viral archive sites Documentation anti-viral archive sites IBMPC anti-viral archive sites Macintosh anti-viral archive sites list of unix sites VM Virus Warning (IBM VM/CMS) --------------------------------------------------------------------------- Date: 07 Sep 89 18:16:29 +0000 From: nitrex!rbl@uunet.UU.NET ( Dr. Robin Lake ) Subject: Re: locked macintosh disks In article <0001.8908281204.AA22127@ge.sei.cmu.edu> 3XMQGAA@CMUVM writes: |>In reply to Dan Carr's question. No, when you lock a macintosh disk and stick |>in the drive, there is absolutley no way for the virus to infect the disk. It was my understanding that the locked disk signal is read by software, not by the Mac's hardware. The standard device driver(s) for the floppy may prevent writing to a locked disk, but a virus could override the driver(s) and infect the disk --- if my understanding is correct. Rob Lake BP Research uunet!nitrex!rbl [Ed. VIRUS-L veterans will recognize this topic, much to their consternation. Please folks, let's *PLEASE* not flood the "airwaves" with hearsay. If someone has something that can be substantiated (preferably via a citation from a vendor's technical document) to offer on this, then please do so - otherwise, please let us all RUN LIKE MAD AWAY FROM THIS TOPIC.] ------------------------------ Date: 07 Sep 89 20:18:18 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Introduction to the anti-viral archives # Introduction to the Anti-viral archives... # Listing of 06 September 1989 This posting is the introduction to the "official" anti-viral archives of virus-l/comp.virus. With the generous cooperation of many sites throughout the world, we are attempting to make available to all the most recent news and programs for dealing with the virus problem. Currently we have sites for Amiga, Apple II, Atari ST, IBMPC and Macintosh microcomputers, as well as sites carrying research papers and reports of general interest. We are also in the process of organizing a number of sites for Unix anti-viral and general security issues. More information on that as things progress. If you have general questions regarding the archives, you can send them to this list or to me. I'll do my best to help. If you have a submission for the archives, you can send it to me or to one of the persons in charge of the relevant sites. If you have any corrections to the lists, please let me know. ------------------------------ Date: 07 Sep 89 05:55:00 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Amiga anti-viral archive sites # Anti-viral archive sites for the Amiga # Listing last changed 08 August 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Amiga index for the virus archives can be retrieved as request: amiga topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> ms.uky.edu Sean Casey <sean@ms.uky.edu> Access is through anonymous ftp. The Amiga anti-viral archives can be found in /pub/amiga/Antivirus. The IP address is 128.163.128.6. pd-software.lancaster.ac.uk Steve Jenkins <pdsoft@pd-software.lancaster.ac.uk> No access details yet. uxe.cso.uiuc.edu Mark Zinzow <markz@vmd.cso.uiuc.edu> Lionel Hummel <hummel@cs.uiuc.edu> The archives are in /amiga/virus. There is also a lot of stuff to be found in the Fish collection. The IP address is 128.174.5.54. Another possible source is uihub.cs.uiuc.edu at 128.174.252.27. Check there in /pub/amiga/virus. ------------------------------ Date: 07 Sep 89 05:55:53 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Apple II anti-viral archive sites # Anti-viral archive sites for the Apple II # Listing last changed 08 August 1989 brownvm.bitnet Chris Chung <chris@brownvm.bitnet> Access is through LISTSERV, using SEND, TELL and MAIL commands. Files are stored as apple2-l xx-xxxxx where the x's are the file number. cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Apple II index for the virus archives can be retrieved as request: apple topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> pd-software.lancaster.ac.uk Steve Jenkins <pdsoft@pd-software.lancaster.ac.uk> No access details yet. ------------------------------ Date: 07 Sep 89 05:56:44 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Atari ST anti-viral archive sites # Anti-viral archive sites for the Atari ST # Listing last changed 08 August 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Atari ST index for the virus archives can be retrieved as request: atari topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk>. pd-software.lancaster.ac.uk Steve Jenkins <pdsoft@pd-software.lancaster.ac.uk> No access details yet. ssyx.ucsc.edu Steve Grimm <koreth@ssyx.ucsc.edu> Access to the archives is through FTP or mail server. With ftp, look in the directory /pub/virus. The IP address is 128.114.133.1. For instructions on the mail-based archiver server, send help to <archive-server@ssyx.ucsc.edu>. ------------------------------ Date: 07 Sep 89 05:57:29 +0000 From: jwright@atanasoff (Jim Wright) Subject: Documentation anti-viral archive sites # Anti-viral archive sites for documentation # Listing last changed 08 August 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The index for the **GENERAL** virus archives can be retrieved as request: general topic: index The index for the **MISC.** virus archives can be retrieved as request: misc topic: index **VIRUS-L** entries are stored in monthly and weekly digest form from May 1988 to December 1988. These are accessed as log.8804 where the topic substring is comprised of the year, month and a week letter. The topics are: 8804, 8805, 8806 - monthly digests up to June 1988 8806a, 8806b, 8806c, 8806d, 8807a .. 8812d - weekly digests The following daily digest format started on Wed 9 Nov 1988. Digests are stored by volume number, e.g. request: virus topic: v1.2 would retrieve issue 2 of volume 1, in addition v1.index, v2.index and v1.contents, v2.contents will retrieve an index of available digests and a extracted list of the the contents of each volume respectively. **COMP.RISKS** archives from v7.96 are available on line as: request: comp.risks topic: v7.96 where topic is the issue number, as above v7.index, v8.index and v7.contents and v8.contents will retrieve indexes and contents lists. For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> lehiibm1.bitnet Ken van Wyk <LUKEN@LEHIIBM1.BITNET> new: <krvw@sei.cmu.edu> This site has archives of VIRUS-L, and many papers of general interest. Access is through ftp, IP address 128.180.2.1. The directories of interest are VIRUS-L and VIRUS-P. pd-software.lancaster.ac.uk Steve Jenkins <pdsoft@pd-software.lancaster.ac.uk> No access details yet. unma.unm.edu Dave Grisham <dave@unma.unm.edu> This site has a collection of ethics documents. Included are legislation from several states and policies from many institutions. Access is through ftp, IP address 129.24.8.1. Look in the directory /ethics. ------------------------------ Date: 07 Sep 89 05:58:20 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: IBMPC anti-viral archive sites # Anti-viral archive for the IBMPC # Listing last changed 06 September 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The IBMPC index for the virus archives can be retrieved as request: ibmpc topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> ms.uky.edu Daniel Chaney <chaney@ms.uky.edu> This site can be reached through anonymous ftp. The IBMPC anti-viral archives can be found in /pub/msdos/AntiVirus. The IP address is 128.163.128.6. pd-software.lancaster.ac.uk Steve Jenkins <pdsoft@pd-software.lancaster.ac.uk> No access details yet. uxe.cso.uiuc.edu Mark Zinzow <markz@vmd.cso.uiuc.edu> This site can be reached through anonymous ftp. The IBMPC anti-viral archives are in /pc/virus. The IP address is 128.174.5.54. vega.hut.fi Timo Kiravuo <kiravuo@hut.fi> This site (in Finland) can be reached through anonymous ftp. The IBMPC anti-viral archives are in /pub/pc/virus. The IP address is 128.214.3.82. wsmr-simtel20.army.mil Keith Peterson <w8sdz@wsmr-simtel20.army.mil> Direct access is through anonymous ftp, IP 26.2.0.74. The anti-viral archives are in PD1:<MSDOS.TROJAN-PRO>. Simtel is a TOPS-20 machine, and as such you should use "tenex" mode and not "binary" mode to retreive archives. Please get the file 00-INDEX.TXT using "ascii" mode and review it offline. NOTE: There are also a number of servers which provide access to the archives at simtel. WSMR-SIMTEL20.Army.Mil can be accessed using LISTSERV commands from BITNET via LISTSERV@NDSUVM1, LISTSERV@RPIECS and in Europe from EARN TRICKLE servers. Send commands to TRICKLE@<host-name> (for example: TRICKLE@AWIWUW11). The following TRICKLE servers are presently available: AWIWUW11 (Austria), BANUFS11 (Belgium), DKTC11 (Denmark), DB0FUB11 (Germany), IMIPOLI (Italy), EB0UB011 (Spain) and TREARN (Turkey). ------------------------------ Date: 07 Sep 89 05:59:14 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Macintosh anti-viral archive sites # Anti-viral archive sites for the Macintosh # Listing of 08 August 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Mac index for the virus archives can be retrieved as request: mac topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> ifi.ethz.ch Danny Schwendener <macman@ethz.uucp> Interactive access through SPAN/HEPnet: $SET HOST 20766 or $SET HOST AEOLUS Username: MAC Interactive access through X.25 (022847911065) or Modem 2400 bps (+41-1-251-6271): # CALL B050 <cr><cr> Username: MAC Files may also be copied via SPAN/HEPnet from 20766::DISK8:[MAC.TOP.LIBRARY.VIRUS] pd-software.lancaster.ac.uk Steve Jenkins <pdsoft@pd-software.lancaster.ac.uk> No access details yet. rascal.ics.utexas.edu Werner Uhrig <werner@rascal.ics.utexas.edu> Access is through anonymous ftp, IP number is 128.83.144.1. Archives can be found in the directory mac/virus-tools. Please retrieve the file 00.INDEX and review it offline. Due to the size of the archive, online browsing is discouraged. scfvm.bitnet Joe McMahon <xrjdm@scfvm.bitnet> Access is via LISTSERV. SCFVM offers an "automatic update" service. Send the message AFD ADD VIRUSREM PACKAGE and you will receive updates as the archive is updated. You can also subscribe to automatic file update information with FUI ADD VIRUSREM PACKAGE sumex-aim.stanford.edu Bill Lipa <info-mac-request@sumex-aim.stanford.edu> Access is through anonymous ftp, IP number is 36.44.0.6. Archives can be found in /info-mac/virus. Administrative queries to <info-mac-request@sumex-aim.stanford.edu>. Submissions to <info-mac@sumex-aim.stanford.edu>. There are a number of sites which maintain shadow archives of the info-mac archives at sumex: * MACSERV@PUCC services the Bitnet community * LISTSERV@RICE for e-mail users * FILESERV@IRLEARN for folks in Europe wsmr-simtel20.army.mil Robert Thum <rthum@wsmr-simtel20.army.mil> Access is through anonymous ftp, IP number 26.2.0.74. Archives can be found in PD3:<MACINTOSH.VIRUS>. Please get the file 00README.TXT and review it offline. ------------------------------ Date: Thu, 07 Sep 89 01:00:07 -0500 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: list of unix sites Here is the list of Unix sites as I have it. It obviously is in need of some filling out. Information on access and contents of the archives would be helpful. Also make sure to let me know about any errors in the list. Jim - ------------------------ # Anti-viral and security archive sites for Unix # Listing last changed 06 September 1989 attctc Charles Boykin <sysop@attctc.Dallas.TX.US> Accessible through UUCP. cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> netCS Hans Huebner <huebner@db0tui6.bitnet> netCS is a public access Unix site in Berlin which is also accessible through UUCP. sauna.hut.fi Jyrki Kuoppala <jkp@cs.hut.fi> Accessible through anonymous ftp, IP number 192.26.107.100. ucf1vm Lois Buwalda <lois@ucf1vm.bitnet> Accessible through wuarchive.wustl.edu Chris Myers <chris@wugate.wustl.edu> Accessible through anonymous ftp, IP number 128.252.135.4. A number of directories can be found in ~ftp/usenet/comp.virus/*. ------------------------------ Date: Thu, 07 Sep 89 14:40:52 -0500 From: IRMSS907%SIVM.BITNET@VMA.CC.CMU.EDU Subject: VM Virus Warning (IBM VM/CMS) I got this from the PROFS-L discussion list...Mignon Erixon-Stanford *** Forwarding note from KIEFFER --UNCANET 09/06/89 19:48 *** Date: Wed, 6 Sep 89 18:16 PDT A computer virus has just appeared in the CERNVM system in the form of a set of files which copy themselves to your A-disk when you execute the commands RELEASE or DROP. The mechanism is that there is a modified RELEASE EXEC which invokes a module called DVHVIR which copies itself, plus other files, to your A-disk. It is sufficient to be linked to a disk containing these viruses to be vulnerable to them. Some of the copied files pretend to be parts of the directory maintenance system and we do not yet know what damage they may cause. Please take the following action: look for any of the following files on your disks and ERASE them at once RELEASE EXEC DVHGMN EXEC DVHGKB EXEC DMSXMS EXEC DVHVIR MODULE We are attempting to find the source of this virus and are taking other preventative measures. User Support ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 11 Sep 1989 Volume 2 : Issue 189 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: New virus in israel (PC) nVir strikes again (Mac) Virus screening protocol? October 12/13 virus attacks (PC) NOCRIME version 1.1 now available (PC) --------------------------------------------------------------------------- Date: Fri, 08 Sep 89 18:43:43 +0200 From: Uzi Apple <NYAPEL%WEIZMANN.BITNET@VMA.CC.CMU.EDU> Subject: New virus in israel (PC) Hello all this is the first time that i write to virus-l because i really need help. My computer was infected by a new virus that called itself MIX1 virus , its symptoms are : 1) only EXE files are infected 2) the printer prints spelling mistakes 3) i see jumping ball on the screen (and it isnt the ping pong i checked) 4) i cant boot the system 5) the num lock doesnt work i can only write numbers if someone has the Unvirus for this Virus please connect me. Uzi - ------------------------------------------------------------------------------ - Uzi Apple InterNet: NYAPEL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU The Weizmann Inst. Of Science CsNet: NYAPEL@WEIZMANN.BITNET Rehovot BitNet: NYAPEL@WEIZMANN - ------------------------------------------------------------------------------ - ------------------------------ Date: Fri, 08 Sep 89 15:18:25 -0500 From: James Ford <JFORD1%UA1VM.BITNET@VMA.CC.CMU.EDU> Subject: nVir strikes again (Mac) {Taken from the Crimson White, a student newspaper at the University of Alabama in Tuscaloosa.} A computer virus call "nVir" was discovered in early August after it infested itself into a number of University department MacIntosh computer systems. David Benson, Production manager for Student Publications, said the virus has completely infected the computer system of the Publications Building and is still active in the College of Communications and Rose Administration Buildings. Benson said the virus caused his computer to break down and erase 1.5K hours of programming. . . comparison of computer vs human virus deleted. . . Largin said he has approximately 200 disks of his own and noted that the college had "hundreds and hundreds" The program Interferon is being used to track down the virus and another called Vaccination is being used to treat the disks ------------------------------ Date: Fri, 08 Sep 89 19:36:55 -0400 From: UBY%NIHCU.BITNET@VMA.CC.CMU.EDU Subject: Virus screening protocol? I am trying to develop a protocol to insure that PC viruses are not introduced into our site from outside. Can anyone suggest what methods are necessary and sufficient to keep viruses from being imported on diskettes? Are the same methods necessary for information received electronically? Thanks, Jim Blakley ------------------------------ Date: Fri, 08 Sep 89 11:14:01 +0000 From: mcvax!rhi.hi.is!frisk@uunet.UU.NET (Fridrik Skulason) Subject: October 12/13 virus attacks (PC) Some bits of information on the Oct. 12/13 virus attacks. DATACRIME will indeed attack on Oct. 12, but turning off your computer on that day will not provide any protection against it. The first time an infected program is run on Oct. 12 or after that date, the virus will format the first few tracks of drive C: and then display the message: DATACRIME VIRUS RELEASED: 1 MARCH 1989 On a floppy-only computer it will do no damage at all. Two major variants of Datacrime are known to exist, one is 1168 bytes long, the other 1280. Both variants only infect .COM files. This virus originated in Europe, and is rare elsewhere. A new variant (Datacrime II) has appeared recently), but little information is yet available on it. Since I only received a copy of it yesterday I have not yet been able to check if it will behave as the other two variants on Oct. 12. The well-known Jerusalem virus will attack on October 13. So much has been written about that virus that I see no need to repeat that information here. The South-African "Friday the 13." virus reported by Jim Goodwin will attack on Oct. 13. This virus is very rare, and must not be confused with the Jerusalem virus, that also has been named "Friday the 13.". This virus will delete every program run on that date, and sometimes display the message We hope we haven't inconvenienced you This virus is not a great threat, since it is very rare - in fact it is so rare that it took me almost four months to obtain a copy. Recently a new virus was reported by the CVIA, which will probably activate on Oct. 13. (At least they reported that the actvation date was Friday 13.) This virus (named the "RAP virus") has not yet been described in detail. One more "Friday the 13." virus is reported to exist, but it will not become active until 1991. This is the SYS variant of the "Den Zuk" virus. Finally, two more viruses have been mentioned, with activation dates on Oct 12/13. > A West German virus, apparently discussed at a hacker's convention > in Amsterdam earlier this month, to be introduced through BITNET. > An enhanced version of an earlier Icelandic virus rewritten to avoid > detection by constantly changing its location in memory." This may be true, but so far I have not been able to confirm this. These viruses - if they exist - are not likely to have spread widely, and should not pose a serious threat. ------------------------------ Date: Fri, 08 Sep 89 17:10:37 -0700 From: fu@unix.sri.com (Christina Fu) Subject: NOCRIME version 1.1 now available (PC) NOCRM11.UUE is now available. The only difference it has from version 0.1 is that it now discriminates the way DATACRIME viruses discrimanate some files. Christina Fu ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Tuesday, 12 Sep 1989 Volume 2 : Issue 190 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: VM Virus Warning (IBM VM/CMS) Re: Suggestion for "Ultimate Virus" Need help (PC virus) Origin of the name "Vienna" virus (PC) ssyx is no longer October 12th Virus (PC) --------------------------------------------------------------------------- Date: 11 Sep 89 00:00:00 +0000 From: MBDMD@ROHVM1.BITNET Subject: Re: VM Virus Warning (IBM VM/CMS) Does anyone have any additional information on this? [Ed. Text of recent VM/CMS virus warning deleted.] Martin J. Doyle VM Systems Programming Contractor Rohm and Haas Company Philadelphia, Pennsylvania MBDMD@ROHVM1 (215) 752-2296 ------------------------------ Date: Thu, 31 Aug 89 08:51:43 -0400 From: mcf!mibte!dptg!ccd700!root@sharkey.cc.umich.edu Subject: Re: Suggestion for "Ultimate Virus" > I've been thinking lately of how to write the ultimate virus, one > that would be very hard to identify with pattern matching I'm sure a lot of people have !!! > I've never written a virus, and I do not intend to write one. Ditto! For completeness of thought please do not forget MERVs and CLUSTER bombs. How about one of these self extracting archives that goes and executes the extracted bugs until it's killed ?? Nightmares! ...mibte!ccd700!ron tribble ------------------------------ Date: 10 Sep 89 22:44:01 +0000 From: parnes@eniac.seas.upenn.edu (Gary Parnes) Subject: Need help (PC virus) What's an honest programmer to do? At my office today, we discovered that we're the proud receivers of a bloody virus. It causes an exe file to expand exactly 1808 bytes every time the exe is run. We're not familiar with the virus vaccines (if any) out for the IBM. Can someone suggest anything? Gary /=============================================================================\ | "You're obviously misinformed... everything | Gary Parnes | | EAST of the San Andreas Fault is going to | Computer Science Engineer | | fall into the ATLANTIC Ocean." | University of Pennsylvania | | *** parnes@eniac.seas.upenn.edu *** | *NOT* Penn State, Dammit! | \=============================================================================/ ------------------------------ Date: Mon, 11 Sep 89 16:55:43 +0200 From: Y. Radai <RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU> Subject: Origin of the name "Vienna" virus (PC) Manfred Pfluegl asks: >Where did the virus "VIENNA" get his name from?? Does anybody know >the answer? Well, the answer is just what one would expect: it was first re- ported in Vienna! That was in Dec 1987 (or perhaps slightly earlier). In April 88 the same virus (or a slight mutation of it) was reported in Moscow, and in Aug 88 it appeared at a summer camp run by Unesco. Someone who didn't know of its prior existence in Austria gave it the name DOS-62, presumably because its method of indicating an already infected file is to set the seconds field of the time entry of the file to 62. I'd like to add one point that was apparently not mentioned by anyone who replied to Kim's question about the foulup which occurs on switching diskettes between an "Abort, Retry ..." message and pressing of the R(etry). This bug has apparently been removed in DOS 4 by the inclusion of a Volume Serial Number which is written into the boot sector (bytes 27h-2Ah) by FORMAT. (This is a random number based on the date and time when FORMAT was performed.) Before allowing the operation to be retried, the critical-error handler checks this number on the diskette. If it does not match, you get the message "Invalid disk change". Y. Radai Hebrew Univ. of Jerusalem ------------------------------ Date: Mon, 11 Sep 89 12:43:52 -0700 From: van-bc!mdavcr!rdr@uunet.UU.NET (Randolph Roesler) Subject: ssyx is no longer I think I seen a notice that ssyx archive-server is no-more. My mail there just bounced with "user unknown" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <imaginary logo here> Randy Roesler MacDonald Dettwiler & Assc. ...!uunet!van-bc!mdavcr!rdr BC Canada 604-278-3411 [Ed. Could somebody please verify this?] ------------------------------ Date: Mon, 11 Sep 89 13:15:14 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: October 12th Virus (PC) Thought the following note posted to the HomeBase board from John McAfee might be of interest: 9-11-89 10:38:15 From: John McAfee Subj: October 12th Virus The press has recently focused on the October 12th (DataCrime) virus as the latest threat to our collective well-being. The mania started, I believe, with Joe Hirst's warning in the advertising flyer for the Virus Bulletin, and was recently fueled by John Dvorak's August column in the San Francisco Chronicle. This virus, however, is a virtual phantom. It does exist, but it is not a major statistical threat to U.S. computers (at least not for the next few months). There have been fewer than 50 reports of infection in Europe and only seven reports here in the U.S. -- including the Tom Patterson Report fron Centel - since the beginning of the year. This compares with over 30 reports per day of the Jerusalem-B virus, and over ten reports per day of the 1701/4 virus. These statistics come from the VIRUSCAN reports. The program distribution, through the FIDONET network, shareware distributors and other channels has reached an estimated 3 million users. This is a large enough statistical base to catch any widespread infection threat - - and the DataCrime simply has not shown up as a major player. I think we would be wiser warning users of the threats that are statistically most likely. The current order of appearance is: Jerusalem-B - 62% 1701/4 - 17% Ping Pong - 9% Stoned - 8% All Others Combined - 4% These figures are for the past 30 days. They do change dramatically from month to month, but the top four are fairly constant. The up and coming virus to watch, by the way, appears to be the Vienna virus. We had no reports at all in the U.S. from January till June 18th of this year. Then one report on the 19th of June, 4 reports through the end of July, 11 in the month of August and 15 in the first ten days of September. Hope this provides some perspective. ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Wednesday, 13 Sep 1989 Volume 2 : Issue 191 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: October 12/13-CORRECTION (PC) Iceland/Saratoga viruses (PC) Virus frequency (PC) Suggestions on subject lines in comp.virus nVIR A Found on Book's Disk (Mac) RE: October 12th 13th Virus (pc) --------------------------------------------------------------------------- Date: Tue, 12 Sep 89 13:55:21 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: October 12/13-CORRECTION (PC) I apologize for any confusion I may have caused, but it seems that the Datacrime viruses (1168 and 1280) do in fact not activate on Oct. 12. The correct activation date is Oct. 13. So: No viruses vill activate on Oct. 12, but quite a few will attack on Friday Oct. 13. Datacrime vill attack the first time an infected program is run, on (or after) Oct. 13. (Thanks to D. Chess for the correction) ------------------------------ Date: 12 Sep 89 00:00:00 +0000 From: David.M..Chess.CHESS@YKTVMV Subject: Iceland/Saratoga viruses (PC) There seem to be three different viruses in this general family: - One is a resident EXE-file infector that infects every tenth EXE file executed, and sometimes will mark a free cluster on a hard disk as bad (the "damage" routine). I've seen this one called the "Saratoga 1". - The second (not that the order I'm listing them in necessarily means anything) is just like the first, except that it checks the segment of the INT13 vector, and if it's not 0070 or F000, it doesn't do anything. I've seen this called the "Saratoga 2", and also the "Icelandic Disk-Crunching virus" (that name is from Fridrik Skulason). - The third differs from the first in that it bypasses INT21 (by means that I suppose I shouldn't mention in public), and doesn't have the "mark a cluster bad" code. It doesn't have the INT13 check that the second version does. Fridrik Skulason calls this, quite reasonably, the "Icelandic Virus, version 2". Does this check correctly with everyone? The Saratoga/Icelandic nomenclature is a bit confusing, and I want to make sure that there's general agreement about the facts, if not the names... DC ------------------------------ Date: Tue, 12 Sep 89 20:58:52 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Virus frequency (PC) It was interesting to see the numbers by John McAfee, regarding the frequency of various PC viruses in the US. Just to illustrate how different things are elsewhere, here is an estimate of the situation here in Iceland. 1701/1704 60 % Ping-Pong 30 % Icelandic 5 % Brain 5 % No other virus has so far been detected here in Iceland, which quite surprising, since some viruses that are very common elsewhere, Jerusalem and Stoned in particular, should have arrived here by now. The major reason the 1701/1704 number is so high is that some large companies have been infected. They include the University of Iceland, the Post & Telephone company and two major computer companies here. In one case there was a company-wide infection, and a good reason for that. It seems that somebody in management had decided that only a handful of men should have permission to install new software. This was done for a number of reasons, one of them to minimize the likelihood of virus infections. What happened was that one person in this group got infected, and within two weeks he had spread the infection all over the company - You see, they were upgrading from DOS 3.2 to 3.3, and he was resposible for distributing the master copies to every department. On every disk was a copy of the Icelandic keyboard program - a program that was executed in AUTOEXEC.BAT. And - this program was infected with 1704. The past week the entire PC support department there has been working overtime cleaning up their mess and running disinfection programs. ------------------------------ Date: 12 Sep 89 09:58:57 +0000 From: d88-sli@nada.kth.se (Stefan Lindmark) Subject: Suggestions on subject lines in comp.virus As a reader of comp.virus and *many* other newsgroups there is one thing that I really appreciate: Intelligent subject lines. Lots of time can be saved if subject lines contain proper information so that uninterested readers may do effective kills. What has this got do to with comp.virus? I am (personally) interested only in articles regarding Macintosh virus strains. Thus I have put in my kill file PC, Amiga etc, so that I don't have to read them. Now this is my idea: Everybody should compose subject lines that show which computer system the article considers. Examples: Subject: New mega-nasty virus strain (Mac) Subject: Disk-destructive virus (Amiga) ... Comments? Suggestions? [Ed. A good point, and I've been promoting good subject lines on VIRUS-L/comp.virus for some time now. And, I do try to put a (PC), (Mac), etc. at the end of subject lines where applicable, if the author has not already.] Stefan Lindmark Email: d88-sli@nada.kth.se Snail-mail: Don't even bother... If everybody helped one newuser today, the world would look a bit happier. ------------------------------ Date: 12 Sep 89 09:04:13 +0000 From: chinet!henry@att.att.com Subject: nVIR A Found on Book's Disk (Mac) I just received the book "Applied HyperTalk" which contains a disk with HyperCard 1.2.2 on it. This disk is infected with nVIR A! The Book: Applied HyperTalk by Jerry Daniels and Mary Jane Mara Brady Utility, Prentice Hall Trade, Simon & Schuster ISBN: 0-13-040882-4 The Disk: Brady HyperCard 1.2.2 infected with nVIR A Also Several stacks and a text file which are not infected. I will be contacting the publisher, the Small Computer Book Club (where I got the book), and Apple about this. If you have a copy of this, PLEASE check it for viruses!!! Henry C. Schmitt Author of Virus Encyclopedia - -- H3nry C. Schmitt | CompuServe: 72275,1456 (Rarely) | GEnie: H.Schmitt (Occasionally) Royal Inn of Yoruba | UUCP: Henry@chinet.chi.il.us (Best Bet) ------------------------------ Date: Wed, 13 Sep 89 11:50:00 -0500 From: Bradley James Bouwkamp <BOUWKAMP%HOPE.BITNET@VMA.CC.CMU.EDU> Subject: RE: October 12th 13th Virus (pc) Everybody (the press ) is talking about the virus and as one person stated "The Mania is started". Well to add to the panic I just heard about it over the RADIO in Grand Rapids Mi. I Didn't here all of it, but mainly it said watch out for it and some "group of people" have a anti-virus for it and to give them a call if you wanted a copy. Brad Bouwkamp ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Thursday, 14 Sep 1989 Volume 2 : Issue 192 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Detecting/fighting the DOS-62/UNESCO virus (PC) Dirty-Dozen list virus mania Datacrime viruses (PC) 12th National Computer Security Conference DataCrime Virus Worries (PC) --------------------------------------------------------------------------- Date: Wed, 13 Sep 89 16:54:21 +0000 From: sal@basp.nmpcad.se (Soren Altemark) Subject: Detecting/fighting the DOS-62/UNESCO virus (PC) My MS-DOS system has been infected by some virus. From descriptions of known viruses I think that the one I've been attacked by is DOS-62 or UNESCO virus. COM files infect (~+650 bytes) COM files only and randomly make infected files initiate a warm-boot. I just want to know if someone out there know the details of this virus and if there is any program that can help identify infected files and otherwise give me guidelines how to fight the virus. Thanks, Soren Soren Altemark, Swedish Institute of MicroElectronics, IM PO Box 1084, S-164 21 KISTA, SWEDEN, Phone: +46 8 7521173, Fax: +46 8 7505430 E-mail: sal@nmpcad.se or {uunet,mcvax,munnari,ukc,unido}!sunic!nmpcad.se!sal ------------------------------ Date: Wed, 13 Sep 89 10:06:54 -0700 From: cgorman@XHMEIA.Caltech.Edu (SHIP O' SHRIMP) Subject: Dirty-Dozen list Does anyone have any information about the Dirty Dozen virus/trojan list? An issue (perhaps the only issue) came out on 5/5/88 and is in the virus-L filelist under the name DIRTY.DOZEN. The list intimates that regular issues of it would be published. However, I have found no further issues, and the author (who asks to be contacted by BBS) BBS number is no longer in service. - - Chris Gorman Cgorman@xhmeia.caltech.edu/cgorman@citchem.bitnet ------------------------------ Date: Wed, 13 Sep 89 12:54:10 -0500 From: Jim Ennis <JIM%UCF1VM.BITNET@VMA.CC.CMU.EDU> Subject: virus mania Hello, I saw a short piece on the CNN 30 minute news show this morning about the October 12th virus. They did point out that only a few people may be affected by this virus. Jim Ennis UCF Computer Services ------------------------------ Date: Wed, 13 Sep 89 11:04:43 -0700 From: portal!cup.portal.com!cpreston@Sun.COM Subject: Datacrime viruses (PC) Since there is sudden increased media attention concerning a "Columbus Day" virus, including warnings being sent out nationwide by government agencies, it may be time to mention again (VIRUS-L V2 #174) that the McAfee Associates VIRUSCAN V36 does successfully locate instances of the 1168 and 1280 (DATACRIME) virus. In addition to detecting the apparently original versions, which format cylinder 0 of a hard disk on or after October 13, the scan string in VIRUSCAN will locate the same viruses with a minor change, specifically, a different activation date. I used the network version of VIRUSCAN on a Novell network to search for and successfully locate a program infected with the 1168 virus. Only those network server areas normally accessible to the person running the program are checked, so it should be run by someone with appropriate privileges. The Homebase BBS number for VIRUSCAN (SCANV36.ARC) is 408-988-4004. For those who cannot obtain a copy of VIRUSCAN,and wish to use a program similar to Norton Utilities to search for these viruses, the search strings used by VIRUSCAN are the following: 1168 EB00B40ECD21B4 1280 00568DB43005CD21 These identifying strings are supplied with the permission of Mr. McAfee. Charles M. Preston 907-344-5164 Information Integrity MCI Mail 214-1369 Box 240027 BIX cpreston Anchorage, AK 99524 cpreston@cup.portal.com ------------------------------ Date: Wed, 13 Sep 89 15:34:00 -0400 From: Jack Holleran <Holleran@DOCKMASTER.ARPA> Subject: 12th National Computer Security Conference Information: 12th National Computer Security Conference Registration: 12th National Computer Security Conference c/o Office of the Comptroller National Institute of Standards and Technology A807, Administration Building Gaithersburg, MD 20899 Dates: October 10-13, 1989 Place: Baltimore Convention Center Payment: $150.00 before September 25, 1989 $175.00 after September 25, 1989 Conference hotels in area, single cost, and local phone numbers: Hyatt Regency $99.00 (301) 528-1234 Days Inn Inner Harbor $59.00 (301) 576-1000 Holiday Inn $69.00 (301) 685-3500 Baltimore Marriott $79.00 (301) 962-0202 Radisson Plaza $80.00 (301) 539-8400 Best Western Hallmark $52.00 (301) 539-1188 Additional information: Tammie Grice (301) 975-2775 Payment: Mastercard, VISA, checks, money orders, training or purchase requests. (payment to "National Institute of Standards and Technology/Computer Security Conference") ------------------------------ Date: 13 Sep 89 00:00:00 +0000 From: David.M..Chess.CHESS@YKTVMV.BITNET Subject: DataCrime Virus Worries (PC) I think the reason that people are writing/talking so much about the DataCrime viruses, despite the fact that they seem to be much rarer than say the Jerusalem, is simply that they're so much more *destructive*. If we're just counting infections, one JV infection equals one DataCrime infection. But if we're counting the actual destruction wreaked, a Jerusalem infection is comparatively mild (some EXE and COM files to be restored/recovered), compared to a worst-case DataCrime activation (large numbers of hard disks with cylinder 0 gone, and all the data unreachable). I suspect that's the basis for the apparently disproportionate worry; I'm not saying it's necessarily - -warranted-, just suggesting an explanation... DC ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Friday, 15 Sep 1989 Volume 2 : Issue 193 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Notes on the SWAP virus (PC) Macintosh Virus List Virus Article in the making ??? Virus (Mac) A question on detecting viruses on bootable disks (PC) Request for info: Apollo Workstations Request for basic info How does one disinfect nVIR from an Appletalked network 12th National Computer Security Conference --------------------------------------------------------------------------- Date: 14 Sep 89 17:49:48 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Notes on the SWAP virus (PC) The SWAP virus that was recently discovered in Israel is somewhat different from other PC boot sector viruses. Normally a BSV replaces the boot sector with virus code, and stores the original boot sector somewhere. In some cases the boot sector is stored in unused space, which is then marked as bad in the FAT (Ping-Pong, Typo, Brain). In other cases the virus stores the boot sector in a sector that is not likely to be used (Yale, Den Zuk, Stoned). One virus (Pentagon) even stores the boot sector in a hidden file. When the computer is booted from an infected disk, the code on the boot sector will read the rest of the virus into memory. The virus will then install itself, read the original boot sector and transfer control to it. SWAP is different - it does not store the original boot sector at all. Instead it assumes that bytes 196-1B4 (hex) on the boot sector contain messages that can be safely overwritten. This is true for most (but not all) boot sectors. It also assumes that the boot sector starts with a JMP instruction. The virus then replaces these bytes with code to read the rest of the virus (which is stored at track 39, sectors 6 and 7) into memory. The virus will then execute the original boot code. The fact that this virus does not store the original boot sector makes it hard (and in some cases impossible) to repair an infected diskette. Fridrik Skulason University of Iceland frisk@rhi.hi.is Guvf yvar vagragvbanyyl yrsg oynax ................. ------------------------------ Date: Thu, 14 Sep 89 11:58:07 -0400 From: "Gregory E. Gilbert" <C0195%UNIVSCVM.BITNET@VMA.CC.CMU.EDU> Subject: Macintosh Virus List If anyone has a list of currently known viruses for the Macintosh I would very much appreciate a copy. Thank you very much! Gregory E. Gilbert Academic Consultant University of South Carolina Columbia, South Carolina USA 29205 (803) 777-6015 ------------------------------ Date: Thu, 14 Sep 89 11:42:04 -0400 From: "Gregory E. Gilbert" <C0195%UNIVSCVM.BITNET@VMA.CC.CMU.EDU> Subject: Virus Article in the making Evidently our institution has come of age and the powers at be have decided that an article on viruses is needed for our newsletter. I would be most grateful if those that have been through this "rite of passage" could forward their prose to me either e-mail or traditional mail. Specifically what I am looking for are works that discuss viruses, trojan horses, worms, etc ... in general; problems that such beasts have caused on other campuses; and specifically how the fixes work (i.e. do fixes insert code into the virus files to render them harmless, are they removed totally, how do various fixes find the offending code?) The article which I am writing is for a nontechnical campus computing news- letter and if any one is interested in reviewing the article before a final draft is made I would welcome the critism. Just send me your e-mail address. Thank you very much I certainly appreciate the effort. Gregory E. Gilbert Academic Consultant University of South Carolina Columbia, South Carolina 29205 (803) 777 - 6015 ------------------------------ Date: Thu, 14 Sep 89 13:34:11 -0400 From: "Gregory E. Gilbert" <C0195%UNIVSCVM.BITNET@VMA.CC.CMU.EDU> Subject: ??? Virus (Mac) Recently we have had problems running Adobe Illustrator on a MacIIcx. When opened a dialog box appears and says that not enough memory is available. Multifinder is not running and other applications are not running so there should be enough memory available. On running Disinfectant 1.2 a number of times nothing was located. Upon view- ing the System file in the System Folder I noted that it had been modified just an hour or two earlier. I "ResEditted" the system file and did not find anything that was extremely obvious. Any clues? Thanks in advance. Gregory E. Gilbert Academic Consultant University of South Carolina Columbia, South Carolina USA 29208 (803) 777-6015 ------------------------------ Date: 14 Sep 89 15:10:00 -0400 From: "Damon Kelley; (RJE)" <damon@umbc2.umbc.edu> Subject: A question on detecting viruses on bootable disks (PC) I've recently read George Woodside's file on how viruses work (obtained from SIMTEL20.ARPA, VIRUS101.001-004). He says that a virus latches on a read/write interrupt to spread itself. Would the instructions the interrupt calls be near or located at the first JMP instruction in the boot sector? From reading a certain reference that concerns the programming of the IBM PC, I have the impression that that JMP instruction in the boot sector is quite consistant for the type of PC a user uses. If that JMP instruction is changed, does that signal a virus present, or have virus writers skipped around that limitation and had the virus write over what code is found at that JMP destination? jnet%"damon@umbc" damon@umbc.bitnet damon@umbc2.umbc.edu ------------------------------ Date: Thu, 14 Sep 89 10:25:55 -0400 From: KARYN@NSSDCA.GSFC.NASA.GOV Subject: Request for info: Apollo Workstations Has anyone ever heard anything about viruses on an Apollo workstation running DOMAIN? *-- *-- *-- *-- *-- *-- *-- *-- *-- Karen Pichnarczyk KARYN@nssdca.gsfc.nasa.gov ARC Professional Services Group 1801 Alexander Bell Drive Reston, VA 20906 703-648-0770 ------------------------------ Date: Fri, 15 Sep 89 00:59:09 -0400 From: "Interface Associates, Inc." <Q4071@pucc.princeton.edu> Subject: Request for basic info If I may be permitted to post a very basic question? Although I have over ten years' experience in DP, and can intuit how viruses might operate, I find myself distressingly unfamiliar with the practical side and jargon. Is there a good reference on the subject with which I can begin to bring myself up to speed? Please reply by E-mail to Q4071@PUCC.PRINCETON.EDU. The retention periods have gotten very short on this system, and I may not log on in time to see posted replies (not to mention the probable duplication). [Ed. I'd be willing to bet that there are others with the same questions - please send a summary of any responses to the list.] ========================================================================= Robert A. West c/o Interface Associates, Inc. (Q4071@PUCC) US Mail: 666 Plainsboro Rd. Office Commons, Suite 1A, Plainsboro NJ 08536 Voice : (609) 275-5711 ------------------------------ Date: 15 Sep 89 06:26:29 +0000 From: Jeff Medcalf <mimsy!oddjob.uchicago.edu!uokmax!jeffm@uunet.UU.NET> Subject: How does one disinfect nVIR from an Appletalked network of macs? The microcomputer lab at the University of Oklahoma has several Macintoshes linked together by Appletalk. The nVIR virus (don't know which variant) has hit them hard, and I would like the answers to some questions for them: 1) How do you disinfect such a network when being attacked? 2) Is there a program available which will not only kill infected folders, but will change each byte that the folder currently represents to null (to delete the virus code entirely, not just the directory entry)? 3) How does one detect other likely viruses (I am new to comp.virus, and have no idea of how to get hold of disinfectant programs). 4) How far can the source of the infection be traced (for example, not at all, to the machine, to the date, to the time, to the user)? 5) Are any programs available which constantly monitor problem files and inform of modifications to them? Thank you very much jeffm@uokmax.UUCP | Arkansas state motto: At Least We're Not Oklahoma. | Jeff Medcalf +-----------------------------------------------------------+ - ----------------| Artificial Intelligence? As opposed to what? | +-----------------------------------------------------------+ ------------------------------ Date: Fri, 15 Sep 89 07:47:14 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: 12th National Computer Security Conference As a follow-up to the recent notes about the 12th National Computer Security Conferences, let me add hotel rooms in the Inner Harbor area are going fast... ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 18 Sep 1989 Volume 2 : Issue 194 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: RE: How does one disinfect nVIR from an Appletalked net Re: Source of virus reading material October 12'th virus... (PC) Where to Find a Copy of the Dirty Dozen List Mac System File access time Adobe Illustrator/68030 (Mac) Re: A question on detecting viruses on bootable disks (PC) Re: October 12th Virus (PC) Re: Virus? or what? (PC) New .COM virus (PC) --------------------------------------------------------------------------- Date: Fri, 15 Sep 89 09:51:54 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: RE: How does one disinfect nVIR from an Appletalked network To answer your question literally, one Mac at a time.... 1) Get a copy of Disinfectant 1.2. This detects and removes all known versions of nVIR. Also get a copy of Gatekeeper 1.1.1. Both of these are available from the Info-Mac archives on SUMEX-AIM.STANFORD.EDU. When you finally get Disinfectant, and de-Binhex it and de-Stuffit, make sure the diskette you keep it on is write-protected!!! This is very important; a virus cannot infect an application on a write-protected diskette! 2) Pick any Mac on your LAN, and run Disinfectant on the disk. This will list all the infected files. Here you have two options: a) Throw out all the infected files and restore them from the original master diskettes *or* b) Use the disinfect feature of Disinfectant to remove nVIR from the infected applications. a is the more effective treatment, but b may be a more practical solution. 3) Once the disk is "clean", put a copy of Gatekeeper in the System Folder, and reboot the machine. Gatekeeper is a cdev that detects attempts to infect applications and System files. I refer you to the documentation that accompanies Gatekeeper for instructions on how it works, in depth. 4) Repeat steps 1 through 3 for each Mac. After this, you may wish to check floppy disks you have around for infection, but that is up to you. As to your other questions, Disinfectant not only detects and kills nVIR, but the various strains of it (such as MEV#, AIDS, nFLU, and so on), as well as Scores, INIT 29, ANTI, and MacMag. In short, it detects and kills all known Mac viruses. As far as tracing the source, well, that can be a hard thing to do. You can look at the time the infected files were last modified, and this should give you some form of a "traceback", but it is not a certainty that you will be able to garner the source of the infection from it. Lastly, you ask about prgrams that can continually monitor for signs of infection. Gatekeeper is such an application. Other tools that do this are Vaccine (also available on the SUMEX archive), and SAM (a commercial application written by Paul Cozza and published by Symantec, and a very good application from what I understand). David Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------------------------------ Date: Fri, 15 Sep 89 10:47:23 -0500 From: m19940@mwvm.mitre.org (Emily H. Lonsford) Subject: Re: Source of virus reading material Two good books are: "Computer Viruses:a High-Tech Disease" by Ralf Burger, Abacus Software. [contains examples!!] and "Computer Viruses" by Ralph Roberts, COMPUTE! Publications Inc. The "real scoop" from the first few victims can be found in the April 89 issue of Computers & Security. Also IBM has a free publication called "Coping with Computer Viruses and Related Problems" which may be ordered from IBM Thomas J. Watson Research Center, Distribution Services F-11 Stormytown, Box 218, Yorktown Heights, NY 10598. It's difficult to give a comprehensive list because there's a new article or book out almost every day. Good luck and happy reading. * Emily H. Lonsford * MITRE - Houston W123 (713) 333-0922 [Ed. As Emily points out, Ralf Burger's book contains, for better or for worse, source code examples of several viruses. This was a topic of discussion here on VIRUS-L some time back - most people seemed shocked that such a book would ever be published. Indeed, the book is readily available at bookstores as well as from the publisher.] ------------------------------ Date: Fri, 15 Sep 89 16:34:06 -0400 From: angelo@pilot.njin.net (Michael F. Angelo) Subject: October 12'th virus... (PC) Okay, I have heard lots of rumours about this virus. I would like it if someone could PLEASE answer the following questions: 1- What is this viruses signature? 2- Is there any program out there that will locate all the DATACRIME virus strains? ( I think there are 3 -> 5 )... 3- How wide spread is the virus? ( Can be conjecture :-> ). Thanx much... Michael F. Angelo ------------------------------ Date: Fri, 15 Sep 89 14:39:55 -0600 From: Chris McDonald ASQNC-TWS-RA <cmcdonal@wsmr-emh10.army.mil> Subject: Where to Find a Copy of the Dirty Dozen List Version 9.0, Jul 89, of the Dirty Dozen list is available on simtel20. A compressed copy resides on pd1:<msdos.trojan-pro>dirtydz9.arc.1. The file is available on an "anonymous" ftp. Chris Mc Donald White Sands Missile Range ------------------------------ Date: Fri, 15 Sep 89 16:22:00 -0400 From: Peter W. Day <OSPWD%EMUVM1.BITNET@VMA.CC.CMU.EDU> Subject: Mac System File access time Someone recently mentioned that they were having problems loading an application (not enough memory), noticed that the Modified date on their Mac System File had changed, wondered if they had a viral infection, but could not detect any with Disinfectant. The System file gets modified whenever the Chooser is run, so a change in the Modified date does not in itself indicate infection. While I don't know the cause of the suddenly inadequate memory, the user should try removing all INITS from theSystem Folder and then see if the program will load. ------------------------------ Date: Fri, 15 Sep 89 11:07:11 -0400 From: Thomas Neudecker <tn07+@andrew.cmu.edu> Subject: Adobe Illustrator/68030 (Mac) The recent question regarding problems in running Adobe Illustrator '88 on a Mac SE/30 or IIcx is not a virus but rather a bug in the program. Adobe has a bug fix version 1.8.3 that is available to registered owners. ------------------------------ Date: 16 Sep 89 14:20:04 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: A question on detecting viruses on bootable disks (PC) A reply to "A question on detecting viruses on bootable disks (PC)" from Damon Kelley. > I've recently read George Woodside's file on how viruses work > obtained from SIMTEL20.ARPA, VIRUS101.001-004). He says that a virus > latches on a read/write interrupt to spread itself. Most of the boot sector viruses (BSV) do, but not all. The Yale/Alameda virus hooks into the keyboard interrupt, and will only spread when the Ctrl-Alt-Del combination is pressed. A program virus will of course use an entirely different method. > Would the instructions the interrupt calls be near or located at the > first JMP instruction in the boot sector? No. In fact the new interrupt routine does not have to be located in the boot sector at all. Many BSV only store a small part of their code on the boot sector, the rest (and the original boot sector) may be located somewhere else on the diskette. Most, (but not all) boot sectors contain a JMP instruction at the start. All disks formatted by the FORMAT command contain either a 3-byte JMP (DOS 2.x) or a 2-byte JMP (DOS 3.x and 4.x). This JMP instruction transfers control to a sequence of instructions, usually starting like this: CLI XOR AX,AX MOV SS,AX MOV SP,7C00 : : Most BSV replace the original boot sector with a new one. The new boot sector may look very similar to an uninfected one, or it may be obviously different (Not containing the "Not a system disk" message for example) Note that the virus boot sector may contain the same instructions as listed above. > From reading a certain reference that concerns the programming of > the IBM PC, I have the impression that that JMP instruction in the > boot sector is quite consistent for the type of PC a user uses. No, no, no. If the boot sector starts with a JMP instruction at all (and the boot sectors of many "autoboot" games don't) it does not depend upon the type of machine, but rather the program used to format the disk. > If that JMP instruction is changed, does that signal a virus present, Yes, but it is impossible to know if it has been changed, without keeping a copy of the original boot sector. > or have virus writers skipped around that limitation and had the virus > write over what code is found at that JMP destination? No - most of them just replace the boot sector. Fridrik Skulason University of Iceland frisk@rhi.hi.is Guvf yvar vagragvbanyyl yrsg oynax ................. ------------------------------ Date: Sat, 16 Sep 89 15:40:02 -0400 From: Lee Sailer <UH2@PSUVM.PSU.EDU> Subject: Re: October 12th Virus (PC) I am new to this virus watching business. There is a bit of logic that I don't understand. Several of you have said that since there are only seven reported occurrances in the US, it isn't much of a threat. But, since the virus lays low til 10/13, couldn't many people be infected but not know? My environment is a small college with about 200 virus- innocent faculty and staff. Our computer center has only just begun to look for viruses. I bet none of the faculty have a virus detector, and certainly the secretaries don't. If one of these destructive viruses got a foothold in a place like this, couldn't it spread quite a bit between now and 10/13? lee ------------------------------ Date: Sat, 16 Sep 89 10:14:00 -0500 From: hutto@icarus.riacs.edu (Jon Hutto) Subject: Re: Virus? or what? (PC) Well, 've found the probablem, (The one thing after everything doesn't work) I had a messed up cable. Oh well.. Life goes on. ------------------------------ Date: Sun, 17 Sep 89 13:10:03 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: New .COM virus (PC) I though the following message on HomeBase from John McAfee might be of interest: We have received a new encrypting .COM infector from Dave Chess at IBM and have updated the VIRUSCAN program to be able to identify it. Please download SCANV37.ARC and replace your current version of SCAN. We are trying to find out how widespread this virus may be, so if anyone identifies this virus using SCAN, please contact us immediately. We know little about this virus as yet, but three volunteers are currently analyzing it. We should have a report by the 21st. The only indications so far are: It increases the size of infected COM files by 3555 bytes; It is able to infect COMMAND.COM; it has a 50 byte encryption routine, similar to DATACRIME II; It infects COM files at the time that the infected program is loaded - it does not appear to be memory resident; It sometimes cause the message - "Error Writing to Device AUX1" to occur at the time an infected program is executed. We have no indication of activation date or function at this time. Again PLEASE contact the board if SCAN displays the message - "Found 3555 virus". Thanks. John ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Tuesday, 19 Sep 1989 Volume 2 : Issue 195 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Article on Datacrime virus re: Iceland/Saratoga viruses (PC) October 12/13 (PC) VirusDetective questions (Mac) Re: Virus? or what? (PC) TYPO vs. Ping-Pong (PC) More on October 13 virus (PC) --------------------------------------------------------------------------- Date: Mon, 18 Sep 89 08:23:21 -0400 From: "Bruce Guthrie" <BGU%NIHCU.BITNET@VMA.CC.CMU.EDU> Subject: Article on Datacrime virus "Computer Virus Sparks a User Scare" "Some Analysts Say the 'Friday the 13th' Fears Are Overblown" by John Burgess Washington Post, Sep 17 1989, pg H3 A computer "virus" that springs to life destructively on Friday the 13th is on the loose, and across the country computer users are rushing helter-skelter to protect their machines against it. Yet, with fewer than 10 verified sightings in a country with tens of millions of computers, some experts are saying the threat is being absurdly overblown. "At this point, the panic seems to have been more destructive than the virus itself," said Kenneth R. Van Wyk, a security specialist at Carnegie-Mellon University's Software Engineering Institute. He has been taking 20 phone calls a day for advice on the subject. Written as pranks or tools of sabotage, viruses are software programs designed to spread surreptitiously through computer interconnections and the exchange of the floppy magnetic storage disks on which computer programs and data are recorded. Once introduced into a machine, they transmit their own instructions to the computer, causing it to destroy data or display a surprise message on the screen. The new one is known variously as the Datacrime, Columbus Day, and Friday the 13th virus. Aimed at IBM-compatible personal computers, it is designed to lie dormant and unnoticed in a machine until Oct. 13, a Friday, and then activate as soon as an unwitting user turns on the machine and "executes" a program. (Many computers have internal calendars that make such date-activated instructions possible.) At that time, a message flashes on the screen: DATACRIME VIRUS. RELEASED 1 MARCH 1989. Simultaneously, the virus erases a section of the machine's disk storage unit that serves as an index to the information on the disk [the FAT]. People with something more than basic technical knowledge can fix the problem and recover the data, however. The federal government views viruses as a grave threat to the nation's information systems and has set in motion special programs to guard computers against them and to punish people who introduce them. The phenomenon received widespread public attention last fall, when a virus written by a Cornell University graduate student swept through the federally supported Internet research network, replicating itself automatically over and over and temporarily tying up 6,000 machines in one day. The Datacrime virus, however, is targeted at computers that for the most part are not linked in networks. And it comes at a time when publicity has led many users to take the basic precautions of "safe computing," avoiding free software that is posted on bulletin boards, where the viruses may lurk, and using only programs that come in factory-sealed containers. The Software Engineering Institute knows of fewer than 10 cases, Van Wyk said. International Business Machines Corp. said Thursday is it not directly aware of any. "If it was out there in any number," said Bill Vance, director of secure systems for IBM, "it would be spreading and be more noticeable." October 13, he said, is not likely to be "a major event." At Centel Federal Systems of Reston, however, a different mood prevails. It has been operating a toll-free hotline on the virus, with six people working full-time. It has received more than 1,000 calls, according to Tom Patterson, senior analyst for security operations at the federal systems unit, which is owned by independent telephone company Centel Corp. of Chicago. Patterson said he began working on the virus about five weeks ago, after receiving a tip from an acquaintance in Europe that hackers there were planning to modify an existing virus and, by dialing up electronic bulletin boards across the Atlantic, release it in this country. Subsequent investigation turned up specimens in this country fitting the description he had received. Patterson said he had dissected a version of it and, in tests, found that it could penetrate a number of software products that are supposed to keep viruses out. In recent days, he found one on the machines of a Centel client. "The virus is out there," Patterson said. "It's real." Also active in the campaign is John McAfee, a virus-protection specialist based in Santa Clara, Calif., who runs a bulletin board on which he offers anti-viral programs. His phone line has been constantly busy in recent days. Concern has heightened with each new report of the virus in the computer trade press and on at least one wire service, the Associated Press, leading some security specialists to see the panic as a self-fulfilling prophecy by the media. Others wonder whether companies that make anti-viral products are not happy to see the scare being pumped up. "The more panicked people get," said Jude Franklin, general manager of Planning Research Corp.'s technology division, "the more people who have solutions are going to make money." For $25, which it says is necessary to cover the cost of a disc, shipping, and handling, Centel is offering software written by McAfee that searches for the virus. Patterson said Centel would be losing money on the discs [!] but is doing it anyway. "I'm not trying to hype this," he said. "I'm working 20-hour days... to get the word out." ------------------------------ Date: Mon, 18 Sep 89 11:44:14 -0400 From: "Y. Radai" <RADAI1@HBUNOS.BITNET> Subject: re: Iceland/Saratoga viruses (PC) David Chess writes: >There seem to be three different viruses in this general family: > > - One is a resident EXE-file infector that infects every tenth > EXE file executed, and sometimes will mark a free cluster on a > hard disk as bad (the "damage" routine). I've seen this one > called the "Saratoga 1". > - The second ... is just like the first, except that it checks > the segment of the INT13 vector, and if it's not 0070 or F000, > it doesn't do anything. I've seen this called the "Saratoga 2", > and also the "Icelandic Disk-Crunching virus" .... > - The third differs from the first in that it bypasses INT21 ... and > doesn't have the "mark a cluster bad" code. It doesn't have the > INT13 check that the second version does. Fridrik Skulason calls > this, quite reasonably, the "Icelandic Virus, version 2". > >Does this check correctly with everyone? .... The facts reported by David are correct, except that the first ver- sion infects every *second* EXE file executed instead of every tenth one. Btw, though it was originally reported that the Saratoga was disco- vered "some months earlier" than the first Icelandic virus, it later turned out that the Saratoga is actually a hack of Icelandic-1. Since I recently tried to clarify for myself the same question which David raises, I can present the following table summarizing the main differences between the versions: Version: Saratoga Icelandic-1 Icelandic-2 -------- ----------- ----------- File length increase(*): 642 656 632 Infects 1 file out of every 2 10 10 DOS services via interrupts? Yes Yes No Marks a cluster as bad? Yes Yes No Checks Int 13h Segment? No Yes No Signature(**): PooT 18 44 19 5F 18 44 19 5F First appearance: July 89 June (Feb?) 89 July 89 (*) The total length is rounded up to the next higher multiple of 16, if necessary. (This happens with *any* EXE-infecting virus.) (**) This is the last 4 bytes of the virus (used to determine if a file is already infected). I consider the bypassing of interrupts which Icelandic-2 performs to be very significant. I think ARC513.EXE (a hacked version of SEA's ARC) also did this, but it was a Trojan, not a virus. Among viruses, I heard of a strain of the Jerusalem virus which infects by direct BIOS access instead of by Int 21, though I'm not sure if that strain ever spread publicly. At least one version of the Vienna virus (not the one in Ralf Burger's book) is worthy of mention here since it overwrites 1 out of 8 files with code containing a far jump to the BIOS initialization routine. Have I forgotten any cases? The important thing about all this is that although the spreading of such viruses has been predicted for a long time, the authors of most monitoring programs, such as FluShot+, have either failed to find a solution or have ignored these predictions entirely. As far as I know, there is only one program so far which can stop such viruses and Trojans, and that is Fridrik Skulason's F-LOCK. If anyone knows of any other such program, I'd like to hear of it. Y. Radai Hebrew Univ. of Jerusalem ------------------------------ Date: Mon, 18 Sep 89 12:22:00 -0500 From: Meesh <ACS1W@uhvax1.uh.edu> Subject: October 12/13 (PC) I'm the editor of our university's computing newletter. I need to know how users can detect the October 12/13 virus ahead of time. Is there a way at all? I don't want to alarm users, but I feel they should know about the possible existence of this problem. Thanks. [Ed. In VIRUS-L volume 2 issue 192, Charles M. Preston <portal!cup.portal.com!cpreston@sun.com> states that a) Viruscan V36 can detect Datacrime and that b) Datacrime can be identified by the hex string EB00B40ECD21B4 (1168 version) or 00568DB43005CD21 (1280 version). Note that a hex string search can be done via the DEBUG 'S' command (e.g., "S CS:100 FFFF hex_string" at the DEBUG prompt), if my memory of MS-DOS is correct.] Michelle Gardner Coordinator, Information Services Information Technology University of Houston ------------------------------ Date: 18 Sep 89 20:53:56 +0000 From: awinterb@udenva.cair.du.edu (Richard Nixon) Subject: VirusDetective questions (Mac) Has anyone used VirusDetective for the Mac? We've used it, but it seems to detect viruses in files that we doubt are affected. How reliable is this bit of software? ...!ncar!udenva!awinterb or according to rumor awinterb@du.edu ------------------------------ Date: Mon, 18 Sep 89 14:30:23 -0400 From: dmg@retina.mitre.org (David Gursky) Subject: Re: Virus? or what? (PC) Interesting that a new virus ("3555") should show up so soon after the stories about the alleged Datacrime attack, set for Oct. 13., especially one that has some resemblence to Datacrime. BTW, the Washington Post ran an article on Computer Viruses in yesterday's Business section. Ken Van Wyk is quoted extensively, which probably accounts for the article's general sanity (vis-a-vis some "Sky is falling" type articles). David Gursky ------------------------------ Date: Tue, 19 Sep 89 00:36:29 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: TYPO vs. Ping-Pong (PC) I just finished examining the Typo virus. This virus is rather new - it was first detected in Israel this summer. It creates errors in printouts, by (sometimes) replacing some characters or digits. (By the way - a surprisingly large number of viruses seems to have originated in Israel. First to arrive were the two versions of the April 1. virus (sURIV 1.0 and sURIV 2.0) that later were merged into one virus, (sURIV 3.0) which evolved into the well-known Jerusalem virus (sUMsDos) variant. That virus was then used as a basis for the "Fu Manchu" virus. Later the two boot sector viruses, Typo and SWAP, arrived. Finally, just a few days ago a new virus, MIX1 was reported. Anyhow - as has been reported before (Y. Radai and others) the TYPO virus is closely related to the Ping-Pong or "Italian" virus, which is one of the most common viruses around. In fact, the viruses are so similar that some anti-virus programs even identified Typo as the Italian virus. This is not so surprising, since the boot sectors are almost identical. Almost - but not quite. The differences between the boot sectors are: Some local variables have been moved. For example, the word containing the location of the original boot sector is now located two bytes earlier than before. The signature (two bytes that the virus uses to see if a diskette has already been infected) has been changed. The activation times have been changed. Ping-Pong had an "activation window" (a second or so long) every half hour. Typo will become active 112.5 seconds after power-on, and will stay active most of the time. The major differences between the two viruses are in the other part of the virus code, which is not stored in the boot sector, but in the cluster the viruses mark as "bad" in the FAT. Of course, there are quite a few interesting things the viruses have in common. Typo contains the same "bug" as Ping-Pong does, that prevents it from working on '286 and '386 machines. It is possible to remove Typo with some programs designed to remove Ping-Pong. Since the signature is stored in the same place on both viruses, it is possible to inoculate diskettes against one of them, but not both. Fridrik Skulason University of Iceland frisk@rhi.hi.is Guvf yvar vagragvbanyyl yrsg oynax ................. ------------------------------ Date: 19 Sep 89 08:42:00 +0700 From: "Hartmut Haberland,03.1.5" <hartmut@jane.RUC.dk> Subject: More on October 13 virus (PC) Danish TV (Channel 2) had a brief report on the October 13 virus in the evening news yesterday. It has obviously emerged at the Danish Post Giro office in Copenhagen and created a lot of panic. The report was the usual sort of journalists' blather, basically implying that Viruses are God's punishment for pirate copying. Still, one gets nervous. I'll take a backup of all harddisks here at Roskilde University just before the date (something one should do anyway ...), I mean in our department, but what else can one do? Please advise (I'm following the newsletter, of course) ... Hartmut Haberland hartmut@jane.ruc.dk or RUCHH@NEUVM1 (on what some people call Because It's There NET) ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Tuesday, 19 Sep 1989 Volume 2 : Issue 196 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Macintosh Virus oct 13 virus (PC) nbbs virus simulator (PC) 123 protected mode virus (PC) F-PROT anti-virus package (PC) have you a name for (what might be) a virus (PC) --------------------------------------------------------------------------- Date: Tue, 19 Sep 89 09:48:00 -0400 From: "JOHN P. BRADLEY" Subject: Macintosh Virus Howdy! Well it was bound to happen - why should we be any different? We believe we have discovered a virus in our microcomputer lab. So far, we have only found one contaminated diskette. This is a MAC station disk used for booting a MAC to work with Appleshare. We ran VIRUS Rx and it confirmed a user's suspicion. The report from VIRUS Rx detected the presence of the SCORES virus (or so it seemed to indicate). Has anyone else had a similar experience and could offer any ideas on how to proceed? At present, we are beginning to check all station disks and offering to check any user's disks for a virus. Next step, is education of the users, hoping that this won't get out of hand. Any ideas would be greatly appreciated. ========================================================================== ! John P. Bradley ! U.S. Mail : Hawkins Hall, Room 029 ! ! Senior Programmer/Analyst ! SUNY ! ! Computing Support Center ! Plattsburgh, NY 12901 ! ! State University of New York ! (518) 564-4433 ! ! College at Plattsburgh ! BitNet : BRADLEJP@SNYPLAVA ! ! ! POSTMAST@SNYPLAVA ! ========================================================================== ------------------------------ Date: Mon, 18 Sep 89 19:39:00 -0400 From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU> Subject: oct 13 virus (PC) can the october 13th virus be fooled into triggering early by advancing the date on the system? if so, if someone loads an intercept program like sentry2 or another good program, will it intercept and warn you of impending disaster? ------------------------------ Date: Mon, 18 Sep 89 19:39:00 -0400 From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU> Subject: nbbs virus simulator (PC) does anyone know where we can obtain the nbbs simulator. we are doing some research here and it would be of great vakue to us. thanks. ------------------------------ Date: Mon, 18 Sep 89 18:50:00 -0400 From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU> Subject: 123 protected mode virus (PC) It would appear that a new virus is on the scene. it seems that some strain attacks >only< the large (700k+) plus file supplied with lotus 123 version 3. basically what happens seems to be as follows: 1) The file grows in size (one time) by 3907 bytes. 2) Any spreadsheet saved after the virus has infected the file is exactly half the size of what it should be. in other words if you have a spreadsheet 100 x 100 cells in size, after you save it and then retrieve again, it is exactly 50 x 50 in size. I call this a virus because the file does grow in size one time and if you erase the file, restore the file from a backup and run lotus again, the file grows again in size. It also seems to cause files which run in protected mode/dos mode to grow as well. makes me feel that this is a virus geared to extended memory programs. in any event as soon as the code is isolated i will make it available to homebase so they can figure out a test to see if it is present. this has not damaged anything at the univerisity. this is strictly on observation based on outside experiences. w.r. ------------------------------ Date: Tue, 19 Sep 89 15:27:34 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: F-PROT anti-virus package (PC) Some time ago I sent out several copies of my F-PROT anti-virus package. Those copies were only beta-release, and not intended for general distribution, although they were uploaded to SIMTEL by mistake. Now I have fixed all the problems reported to me and added a number of new features. F-PROT will be made available soon, but it is now in final testing at around 20 sites here in Iceland. I am still speculating on how to distribute it. Is the idea of shareware, where you will automatically receive the next major update for a contribution of $15 (or equivalent) acceptable ? I would be very interested in knowing how much interest there is for this set of programs. If you would like to see it distributed on SIMTEL, comp.binaries.ibm.pc etc, please let me know. (A short reply saying just "yes" will do). If there seems to be sufficient interest in this program, it will made available later this month. F-PROT includes a number of anti-viral programs, including: 1) A device driver that provides full protection against most viruses. The program will check every program run for infection by any of the following viruses: April 1. (sURIV 1.0 and sURIV 2.0) Cascade (1701, 1704) DataCrime DataCrime-II 405 Friday 13. (Miami, Munich) Fu Manchu Icelandic (incl. Saratoga) Jerusalem (incl. sURIV 3.0) Lehigh Traceback Vienna (DOS 62) In addition the program will also provide protection against the following boot sector viruses: Ping-Pong (Italian) Brain Stoned (New Zealand) Den Zuk Alameda/Yale Typo It is also able to stop (but not identify) new boot sector viruses. The viruses listed above are responsible for over 99% of infections. The best part is that this program only occupies around 1K of memory, and is totally invisible unless an attempt is made to run an infected program. 2) A program that will look for infections and remove them. This program can handle all the viruses listed above, and in addition it will detect infections by the following viruses: Pentagon Swap Nichols Agiplan 2730 These viruses are very rare, but code to remove them will be added as soon as I obtain a copy of them. The following viruses have been reported, but are extremely rare and certainly not a serious threat (yet). Dbase Oropax Ohio RAP MIX1 Code to detect and remove them will be added as soon as possible. 3) A program that will modify any .EXE or .COM file and add code to it, so that the program will check itself for infection by ANY virus when run. This will provide full protection against any new program viruses. This addition to the program will not interfere with normal execution. 4) A TSR program that will watch out for suspicious activity: Attempts to write to the FAT. Formatting of the hard disk. Making Read-Only .EXE or .COM files Read/Write. Writing to a .EXE and .COM file Other similar programs exist, but this one is also able to: .... stop viruses that bypass INT 21 when performing DOS functions (like the Icelandic virus does). .... prevent all four methods used in the TRYOUT program in Dr. Solomon's Anti-Virus Toolkit from working. As far as I know, no other similar program can do this. 5) A number of utilities: Memory-mapping program Inoculation program Checksum program Disk locking program + a few more. - -------------------------------------------------------------------- Fridrik Skulason University of Iceland frisk@rhi.hi.is Guvf yvar vagragvbanyyl yrsg oynax ................. ------------------------------ Date: 19 Sep 89 16:49:48 +0000 From: trw@hrc63.uucp (Trevor Wright "Marconi Baddow") Subject: have you a name for (what might be) a virus (PC) I've heard of a virus (possibly) whereby the screen randomly scrolls up either over its full width, or restricted to a small window covering 8 lines in the top left, ie, the bottom line scrolls up and obliterates the intermediate lines. I'm told there are no harmful effects, and it's been seen on several makes of system and MS-DOS 3.2 and 3.3, both inside applicationsand just in MS-DOS command mode.. Anyone got a name for this virus ?? ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Wednesday, 20 Sep 1989 Volume 2 : Issue 197 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: More on October 13 virus (PC) VirusDetective Info (Mac) Description of known virus actions Re: Macintosh Virus Re: Macintosh Virus Centel Corp. and ViruScan --------------------------------------------------------------------------- Date: Tue, 19 Sep 00 19:89:48 +0000 From: davidsen@crdos1.crd.ge.com Subject: Re: More on October 13 virus (PC) If you have a program to backup just the FAT it may be effective with this virus. Not that I would neglect backing up the whole disk... but if you have a FAT cache program you might save a lot of time just restoring that. bill davidsen (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen) "The world is filled with fools. They blindly follow their so-called 'reason' in the face of the church and common sense. Any fool can see that the world is flat!" - anon ------------------------------ Date: Tue, 19 Sep 89 16:16:49 -0500 From: ST1083%SIUCVMB.BITNET@IBM1.CC.Lehigh.Edu Subject: VirusDetective Info (Mac) I have used VirusDetective for almost a year. The program originally detected the nVIRb strain here at SIU-C. I have and use the most recent update of the program and it works excellent. To me it has been reliable for detecting all known viruses. For more information or to own your own copy contact: Jeff Shulman P.O. Box 521 Ridgefield, CT. 06877-0521 ------------------------------ Date: Tue, 19 Sep 89 18:38:00 -0600 From: LMCOUNTS%UALR.BITNET@VMA.CC.CMU.EDU Subject: Description of known virus actions Has there been a list published here or elsewhere that lists the known PC and MAC virus and how they might possibly be noticed by the everyday user? Neta Counts University of Arkansas at Little Rock ------------------------------ Date: 19 Sep 89 23:07:04 +0000 From: consp11@bingvaxu.cc.binghamton.edu Subject: Re: Macintosh Virus In article <0001.8909191859.AA09184@ge.sei.cmu.edu> JOHN P. BRADLEY writes: >... > Well it was bound to happen - why should we be any different? We >believe we have discovered a virus in our microcomputer lab. So far, we >have only found one contaminated diskette. This is a MAC station disk >used for booting a MAC to work with Appleshare. We ran VIRUS Rx and it >confirmed a user's suspicion. The report from VIRUS Rx detected the >presence of the SCORES virus (or so it seemed to indicate). >... I suggest you get your hands on a copy of the PD program Disinfectant. (I believe it's up to version 1.2, but 1.0 should work fine.) It will scan the disk, find, and eradicate the virus. - --Brett Kessler ------------------------------ Date: 20 Sep 89 03:32:15 +0000 From: mmccann@hubcap.clemson.edu (Mike McCann) Subject: Re: Macintosh Virus In article <0001.8909191859.AA09184@ge.sei.cmu.edu>, JOHN P. BRADLEY writes: > Well it was bound to happen - why should we be any different? We > believe we have discovered a virus in our microcomputer lab. So far, we > have only found one contaminated diskette. This is a MAC station disk > used for booting a MAC to work with Appleshare. We ran VIRUS Rx and it > confirmed a user's suspicion. The report from VIRUS Rx detected the > presence of the SCORES virus (or so it seemed to indicate). > Has anyone else had a similar experience and could offer any ideas > on how to proceed? At present, we are beginning to check all station disks > and offering to check any user's disks for a virus. Next step, is > education of the users, hoping that this won't get out of hand. Our Macintosh labs were hit rather hard by the Scores virus quite some time ago and the steps we took to get rid of the virus seemed to work rather well: 1) Remove the virus from all infected hard drives and boot diskettes with a good anti-virus program like Disinfectant (I only wish it was available then). 2) Place a memory resident anti-virus program (like Vaccine or GateKeeper) on all hard drives and boot diskettes. 3) Examine every diskette a student brings into the lab to use on the computers. It only takes a few seconds to scan a floppy disk and the user is usually happy to know that all of his/her disks are virus free. 4) Continue to scan all hard drives and boot diskettes for viruses on a regular basis for a while (not all students think it is important that you check all of their diskettes). 5) Distibute copies of anti-virus program to the users. Most ShareWare anti-virus programs are free and perform better than any commercial anti-virus programs that I have tested (my personal preferences are toward Disinfectant and Vaccine). This should help keep your labs virus free. Hope this helps, - -- Mike McCann (803) 656-3714 Internet = mmccann@hubcap.clemson.edu Poole Computer Center (Box P-21) UUCP = gatech!hubcap!mmccann Clemson University Bitnet = mmccann@clemson.bitnet Clemson, S.C. 29634-2803 DISCLAIMER = I speak only for myself. ------------------------------ Date: Tue, 19 Sep 89 19:18:02 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: Centel Corp. and ViruScan John McAfee posted this message on HomeBase and asked that it be sent to VIRUS-L and other lists: A number of press releases issued by Centel Corp. of McLean VA have implied or directly stated that they were "selling" a diskette containing the VIRUSCAN program to combat the alleged DataCrime threat. In response I would like to state that there has been no agreement between Centel and myself to allow such distribution, nor have I at any time indicated to Centel that I was interested in such an arrangement. Any such distribution is taking place without my consent and authorization, and I am strongly opposed to having VIRUSCAN promoted in the fashion being conducted by Centel. I have no financial link to Centel and receive no part of of any incomes sent to Centel to "purchase" the software. Nuff said. John McAfee ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Wednesday, 20 Sep 1989 Volume 2 : Issue 198 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: Macintosh Virus datacrime question (PC) Possible virus? (VAX/VMS) RE: VirusDetective questions (Mac) RE: Centel Corp. and ViruScan Re: VirusDetective questions (Mac) DataCrime antidote: NOCRM11.ARC availability (PC) --------------------------------------------------------------------------- Date: 20 Sep 89 11:56:23 +0000 From: shull@scrolls.wharton.upenn.edu (Christopher E. Shull) Subject: Re: Macintosh Virus In article <0001.8909191859.AA09184@ge.sei.cmu.edu> JOHN P. BRADLEY writes that he has found the Macintosh Scores virus, and asks about how to proceed with eradication and user education. Since the Decision Sciences Department teaches the largest Mac-based course at the University of Pennsylvania, we have taken the lead in user education. Who else on campus has a captive audience of >600 students each year? :-) Our instructors encourage students to drop Vaccine 1.1.1 into their system folders (explaining that it was like practicing safe sex, but less intrusive). We also taught them how to use Disinfectant 1.2. Although we resent having to take time from teaching to cover this, the peace of mind of the students is well worth the effort. Furthermore, the hot-line and walk-in consulting staff have many fewer problems since students are encouraged to pass along the programs and the minimal knowledge required to use them. If we didn't have a captive "seed" group, I would probably try to run some special noon-time seminars on Mac virus detection, removal, and prevention. We are just now trying to get offices which have frequent contact with student diskettes to go further than just protecting themselves, and perform first tier advice to their "clients". (In some cases, we are still trying to get them to protect themselves -- one Mac II user I worked with yesterday had 44 nVIR A and B infections on his hard disk, and didn't have the foggiest idea!) At the very least, the latest versions of the tools mentioned above, plus GateKeeper (for sophisticated users) should be readily available in a well publicized location. (My teaching lab remains the only one on campus. :-( ) Good luck, - -Chris Christopher E. Shull shull@scrolls.wharton.upenn.edu Decision Sciences Department shull@wharton.upenn.edu The Wharton School University of Pennsylvania Philadelphia, PA 19104-6366 215/898-5930 - --------------------------------------------------------------------------- "Damn the torpedoes! Full speed ahead!" Admiral Farragut, USN, 1801-1870 - --------------------------------------------------------------------------- ------------------------------ Date: Tue, 19 Sep 89 19:13:00 -0400 From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU> Subject: datacrime question (PC) if you use fdisk to create a dummy partition of lets says 2 cylinders and then create a second normal active dos partition will this prevent the virus from destroying track zero? seems like it might to me...how about some comments! ------------------------------ Date: Wed, 20 Sep 89 08:59:00 -0400 From: System Manager <MANAGER@JHUIGF.BITNET> Subject: Possible virus? (VAX/VMS) I recieved this from Info-VAX today. I think it may be of interest. Damian Hammontree System Programmer, Johns Hopkins School of Medicine MANAGER@JHUIGF.BITNET Message follows: Comments: From IVERS@CMR.MFENET on 19-SEP-1989 23:36:02.73 EDT Comments: To: info-vax@kl.sri.com On Monday morning, our users (including the system manager) were surprised to find that they could no longer log in to our VAX 11/750 (VMS V4.5). Coincidentally, one user reported the appearance of several files in his directory with names like WARNING., VIRUS., and ATTACK.. He thought it was a joke and said nothing at the time the files appeared. The system was booted with UAFALTERNATE =1. It appeared that SYSUAF.DAT was intact, but the passwords were no longer valid. A SYSUAF.DAT file was restored from a backup set and new passwords were issued. The problem is that now when more than 2 users attempt to use the system, a message of the type LICENSED NUMBER OF SYSTEM USERS EXCEEDED appears. As for the "virus" files - all that remains are subdirectories of names similar to the files reportedly seen by the user (one of them is called [.DEADLY-VIRUS]). Any ideas as to the cause or cure of the LICENCED NUMBER OF... problem, or insight into the nature of the "virus" would be appreciated. Thanks in advance, Tom Ivers (system manager) Columbia U. Plasma Physics Lab Internet: IVERS@CUPLVX.APNE.COLUMBIA.EDU MFEnet: IVERS@CMR ------------------------------ Date: Wed, 20 Sep 89 09:22:55 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: RE: VirusDetective questions (Mac) What version are you using? The latest and greatest is 3.0.1. I've been using it with no problems. [On the other hand, the systems I am using it on are clean according to it and Disinfectant 1.2...] ------------------------------ Date: Wed, 20 Sep 89 09:36:26 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: RE: Centel Corp. and ViruScan Why does McAfee's note about Centel and Viruscan bug me? Correct me if I'm wrong, but is not Viruscan shareware? I certainly understand John's concern about the possible loss of revenue because people mistakenly believe they have "purchased" Viruscan, rather than paid Centel for the distribution cost (as an aside, I somehow find $25 to be awfully high for what Centel is purporting to be doing). In any event, it strikes me that the tone of John's message is to the effect of "I want you to get your information from me and no one else". If my interpretation is indeed correct (and I apologize in advance if it is not), is this the type of attitude VIRUS-L wishes to promote? It is not in anyone's interest to restrict the flow of information on countering viruses. [Ed. VIRUS-L wishes to _facilitate_ the open discussion of virus issues and information, neither endorsing nor condemning the opinions of its contributors.] Disclaimer: Dis is soup. Dis is Art. Soup. Art. [Apologies to L. Tomlin.] David Gursky ------------------------------ Date: Wed, 20 Sep 89 14:33:49 +0000 From: yale!slb-sdr!sdr.slb!shulman@uunet.UU.NET (Jeff Shulman) Subject: Re: VirusDetective questions (Mac) awinterb@udenva.cair.du.edu (Richard Nixon) writes: >Has anyone used VirusDetective for the Mac? We've >used it, but it seems to detect viruses in files that >we doubt are affected. I have (but then again I wrote it! <standard disclaimers>). VirusDetective (VD) is only as good as the search strings used. VD 3.0.1 (the latest) is distributed with search strings that detect all known *active* Mac viruses. With the latest search patterns I have seen NO cases of "false" alarms. Some earlier search strings (say CODE Size xxx) to test for a virus *could* match legitimate CODE resources. So, without knowing what version you are running nor the search strings you are using you may very well be getting matches where no virus actually exists. Standard example of Garbage In, Garbage Out. >How reliable is this bit of software? I have not seen any known virus get past VD 3.0.1. VD is the only program (to my knowledge) that can be user configured to search for any new virus (or *any* resource for that matter) as soon as a virus is discovered thus you do not need to obtain a new version (costing $$ from commercial vendors) when a new virus is discovered. NOTE: I *do* send out notification of new search strings to my registered users but you are apt to see them in Usenet first. Jeff Shulman VirusDetective author - -- uucp: ...rutgers!yale!slb-sdr!shulman CSNet: SHULMAN@SDR.SLB.COM Delphi: JEFFS GEnie: KILROY CIS: 76136,667 AppleLink: KILROY Disclaimer: VD has absolutely nothing to do with my "day" job at SDR and opinions, etc. herein should not be construed as coming from SDR. ------------------------------ Date: Wed, 20 Sep 89 11:09:27 -0500 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: DataCrime antidote: NOCRM11.ARC availability (PC) Version 1.1 of NoCrime has been sent to the IBMPC anti-viral archive sites. This program is meant to combat the DataCrime virus strains receiving so much publicity lately. This file, NOCRM11.ARC, replaces version 0.1 sent out previously under the name NOCRIME.ARC. NOCRM11.ARC Fights the DataCrime viruses. Jim ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Thursday, 21 Sep 1989 Volume 2 : Issue 199 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: NIST Virus Management Guide Issued The McAfee Posting Discussion Re: Centel Corp. and ViruScan New Virus (PC) MIX1 Virus (PC) Software company distributing viruses (PC) New variant of Ping-Pong found (PC) Re: disinfecting nVIR from Appletalk (Mac) Re: VirusDetective questions (Mac) Re: Macintosh Virus "Spanish (?) cookie virus" (PC) --------------------------------------------------------------------------- Date: Wed, 20 Sep 89 15:35:17 -0400 From: krvw@sei.cmu.edu Subject: NIST Virus Management Guide Issued Computer Virus Guide Issued The National Institute of Standards and Technology (NIST) has issued a new publication on computer viruses. It is entitled "Computer Viruses and Related Threats: A Management Guide", NIST Special Publication 500-166, by John P. Wack and Lisa J. Carnahan of the Computer Security Management Group at NIST. The guide is intended to help managers prevent and deter virus attacks, detect when they occur, and contain and recover from an attack. It provides general guidance for management and users, plus more specific guidance for multi-user computer environments and for personal computer environments. It also contains a list of suggested readings. The guide is available from the U.S. General Printing Office, (202) 783-3238. Ordering Information: "Computer Viruses and Related Threats: A Management Guide" NIST Special Publication 500-166 GPO #003-003-02955-6 $2.50/copy ------------------------------ Date: Wed, 20 Sep 89 13:27:20 -0600 From: Chris McDonald ASQNC-TWS-RA <cmcdonal@wsmr-emh10.army.mil> Subject: The McAfee Posting Discussion I think David Gursky overlooked the "subtle" point of Mr. McAfee's posting. If indeed Centel is charging customers $25.00 for VIRUSCAN and claims that it is losing money, then something SMELLS. I registered my copy of VIRUSCAN with Mr. McAfee's company for $15.00. More importantly, while the VIRUSCAN program is shareware, it does have a copyright. The legal advice I received was that, if a shareware package has a copyright and if the author states that a fee or registration payment is required, then I as a govenment employee was legally bound to pay the fee. If individuals are familiar with VIRUSCAN, the wording on payment is direct and to the point. It is not one of those "pay if you like type of requests." I think it may also be argued that, if Mr. McAfee wanted to ensure a financial "killing" for a product which has had several independent verifications as to its effectiveness, then he would not have made it so readily available over BBSs and the INTERNET in general. Chris Mc Donald White Sands Missile Range ------------------------------ Date: 20 Sep 89 23:36:29 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: Centel Corp. and ViruScan Not as a flame but you have to remember that the term SHAREWARE does NOT mean Freeware or Public Domain...Centel was attempting to illegally capture shareware profits belonging legally to John Mcafee.(btw Its one thing to redistribute freely...its entirely another to charge $20.00 for the FREE distribution without permission of the author...) WE call that theft of intellectual property rights where I come from!!...While John Mcafee and CVIA wish to encourage the free flow of Antiviral information... the research, collation and codification into VIRUSCAN is a cost intensive process!! therefore John Mcafee logically should be able to determine who can redistribute his software for a FEE and Who shouldnt be able to...(for those that are interested John does have a quite attractive OEM and site licensing agreement!) Sorry to get on the soapbox but people who receive and use shareware repeatedly should be paying fees... This move would greatly improve the quality of software available from shareware authors!!!. cheers kelly p.s. flames to /dev/null ------------------------------ Date: Wed, 20 Sep 89 17:22:54 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: New Virus (PC) Well, it's happening again. We've just received a new virus from Randy Dean at the U.C. Davis bookstore. The virus infects COM and EXE files, including COMMAND.COM, increases the size of infected files by 1800 bytes, and infects through the DOS COPY command, as well as program loads. The virus contains the words - "The Dark Avenger, copyright 1988, 1989 and the message - "This program was written in the city of Sofia. Eddie lives.... Somewhere in Time!". The virus bears no resemblance to the Jerusalem despite the similarity in sizes. ViruScan V38 identifies the virus. By the way, I'd also like to respond to the comments about ViruScan and John McAfee. If I had written a shareware program that was being distributed by some other company for money, I would be pretty ticked off. John has the right to determine who can sell it and who can't, as I see it. [Ed. Has V38 been sent out to the VIRUS-L/comp.virus archive sites?] ------------------------------ Date: Thu, 21 Sep 89 08:39:20 +0200 From: "Yuval Tal (972)-8-474592" <NYYUVAL%WEIZMANN.BITNET@VMA.CC.CMU.EDU> Subject: MIX1 Virus (PC) There is a new virus in Israel. It has been going around in Israel since August. The name of the virus is MIX1 becuase of its signature. Ori Berger (the author of JIV - an anti-viral software which was written in Israel) made a program that identifies the virus and exterminates it. (I myself, got the virus but didn't look at it yet. After I disassemlies it, I'll report back). This following report was made by him: Virus Name..............: The Mix1 Attacks.................: .EXE files Virus Detection when....: 22.August.1989 at......: Israel Length of virus.........: 1. The infected .EXE files are growing bigger in 1618-1634 bytes. 2. 2048 bytes in RAM. Operating system(s).....: PC/MS DOS version 2.0 or later. Identifications.........: 1) The signature at the EOF of each infected file is - MIX1 . 2) Byte 0:33C=77h. Type of infection.......: .EXE files only. The virus is put at the end of the .EXE file and the header is changed to point to the virus beginning at the file. Infection trigger.......: EXE file execution through interrupt 21h service 4bh. Interrupt hooked........: 14h,17h,21h, optionally 8,9 (after 6th level of infection). Damage..................: Garbled output on parallel and serial connections, optionally boot is disabled, num-lock is constantly on. Damage trigger..........: Loading of infected file. After 6th level infection vectors 8 and 9 are hooked. Particularities.........: 1) All output through vectors 14h and 17h is garbled. 2) Booting may crash the computer(possibly a bug). 3) Memory allocation is done through direct MCB control. 4) Does not allocate stack, and therefore makes some files unusable. 5) Infects only files which are bigger than 16K (This makes disassembly very hard). - -Yuval +--------------------------------------------------------------------------+ | BitNet: NYYUVL@WEIZMANN Domain: NYYUVAL@WEIZMANN.WEIZMANN.AC.IL | | InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU | +-----------------------------------+--------------------------------------+ | Yuval Tal | "Remember - the next time you hear a | | The Weizmann Institute Of Science | fighter jet go by - you are hearing | | Rehovot, Israel | the SOUNDS OF FREEDOM" - Major Bill | +-----------------------------------+--------------------------------------+ ------------------------------ Date: Wed, 20 Sep 89 17:39:39 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Software company distributing viruses (PC) A few days ago I posted a note describing the distribution of PC viruses here in Iceland. One interesting fact was that 1701/1704 is the most common virus here, but it is only in second or third place elsewhere. I just got a phone call explaining why. One software company here has been infected with this virus (1704-A) for some time. They have sent out a number of updates to their programs recently, with all .COM files infected. This was discovered where one site received an update to one program and used a virus-checking program, "just to be sure". What was most serious about the whole thing was the ignorance of the software company in question. Their first response when they were told of this was something like: "We can't have a virus - there are no pirated games here" I guess this will happen elsewhere, but until now there have been very few occurrences of software companies distributing viruses (only 4 that I know of). ---- frisk ------------------------------ Date: Wed, 20 Sep 89 17:16:26 +0000 From: Fridrik Skulason <frisk@RHI.HI.IS> Subject: New variant of Ping-Pong found (PC) I recently gave a copy of a Anti-Ping-Pong program to a person with an infected computer. He had seen the bouncing ball on the screen some time earlier and contacted me. Much to my (and his) surprise, the program refused to remove the virus, saying: This boot sector is not infected with the Italian virus. When I took a closer look I discovered the following: 1) He was using a '286 machine (but normally Ping-Pong only works on '88 or '86 machines) 2) The ball could be activated as normally. (By typing TIME 0, followed by a command that will cause a read) 3) The signature in the boot sector was identical (1357). 4) A NOP byte had been placed in the middle of the string this program used for identification. 5) The code had been modified a bit, and the most significant change was that the MOV CS,AX instruction had been replaced with a sequence of instructions to do the same thing. I will publish a full report soon - but I just wanted to know if anybody else has heard of this variant. ------------------------------ Date: 21 Sep 89 04:49:46 +0000 From: chinet!henry@att.att.com Subject: Re: disinfecting nVIR from Appletalk (Mac) In article <0001.8909181146.AA03502@ge.sei.cmu.edu> dmg@lid.mitre.org (David Gu rsky) writes: > When you finally get Disinfectant, and de-Binhex it and > de-Stuffit, make sure the diskette you keep it on is > write-protected!!! This is very important; a virus cannot infect > an application on a write-protected diskette! This is a good idea, but not entirely necessary with Disinfectant. Disinfectant is resistant to all currently known viruses and will refuse to run if it has been changed in any way. I have run Disinfectant on a System infected with nVIR A with SAM Intercept active to let me see when nVIR attempts to infect anything. Even when I allow nVIR to access Disinfectant, it cannot infect it! Another thing to note is that Disinfectant _can_ disinfect the currently running System. This means that once you have Disinfectant, you can put it on a floppy, disinfect the floppy, lock it and use it to disinfect everything else. Please note that this method should be used only when you don't have a clean copy of the System. In fact Disinfectant should only be used to disinfect when you have no clean master for a program. Henry Schmitt Author of Virus Encyclopedia H3nry C. Schmitt | CompuServe: 72275,1456 (Rarely) | GEnie: H.Schmitt (Occasionally) Royal Inn of Yoruba | UUCP: Henry@chinet.chi.il.us (Best Bet) ------------------------------ Date: 21 Sep 89 05:05:58 +0000 From: chinet!henry@att.att.com Subject: Re: VirusDetective questions (Mac) In article <0004.8909191146.AA07427@ge.sei.cmu.edu> awinterb@udenva.cair.du.edu (Richard Nixon) writes: >Has anyone used VirusDetective for the Mac? We've >used it, but it seems to detect viruses in files that >we doubt are affected. > >How reliable is this bit of software? How certain are you that these files are not infected? Have you checked them with other programs such as Disinfectant and Virus RX? The latest version of VirusDetective (3.0.1 if memory serves) seems quite reliable. It was the program with which I discovered the nVIR A infection on the disk which came with the Brady Utility book _Applied HyperTalk_. If VD is reporting a virus, I'd be sure to check those files with another detection utility before dismissing it as a false alarm. I'm not saying that VD will never give a false alarm, but since the different utilities use different detection methods the probability of both giving false alarms on the same file is small. Personally I never trust only one program to tell me whether or not I have a virus. I run at least two on a weekly basis. Henry C. Schmitt Author of Virus Encyclopedia H3nry C. Schmitt | CompuServe: 72275,1456 (Rarely) | GEnie: H.Schmitt (Occasionally) Royal Inn of Yoruba | UUCP: Henry@chinet.chi.il.us (Best Bet) ------------------------------ Date: 21 Sep 89 05:23:45 +0000 From: chinet!henry@att.att.com Subject: Re: Macintosh Virus In article <0001.8909191859.AA09184@ge.sei.cmu.edu> JOHN P. BRADLEY writes: > Well it was bound to happen - why should we be any different? We >believe we have discovered a virus in our microcomputer lab. >education of the users, hoping that this won't get out of hand. ...[stuff deleted]... > Any ideas would be greatly appreciated. John - The first thing I recommend is to pick up Disinfectant 1.2 by John Norstad of Northwestern University. It is available from a number of places such as BBSs and Mac Users' Groups as well as FTP. Read the documentation that comes with it, especially his recommendations. He explains the policy they use at Northwestern to combat viruses. This will allow you to find and remove existing viruses. Note that you should replace infected files with known clean copies whenever possible, rather than disinfecting. Use this on a regular basis! To help prevent future infections, get a Virus prevention INIT such as Vaccine, or GateKeeper. Prevention INITs also come with commercial packages as well. Put a copy on every Startup disk you can find. Note this will not help in cases where users bring in their own startup disks (like myself). It will definitely help to educate your users. Might I recommend (here comes the commercial :-) my HyperCard stack Virus Encyclopedia. It is available from the same places as Disinfectant (I'm not sure about FTP, I'm working on that) and also BudgetBytes and Educorp. I wish you success in fighting viruses. Henry C. Schmitt Author of Virus Encyclopedia H3nry C. Schmitt | CompuServe: 72275,1456 (Rarely) | GEnie: H.Schmitt (Occasionally) Royal Inn of Yoruba | UUCP: Henry@chinet.chi.il.us (Best Bet) ------------------------------ Date: 21 Sep 89 13:07:00 +0200 From: Antonio-Paulo Ubieto Artur <hiscont@cc.unizar.es> Subject: "Spanish (?) cookie virus" (PC) I heard recently about a virus here in Spain known as "the cookie virus" ("virus de la galleta"). I don't know if this virus originated here in Spain or somewhere in Europe. Although I haven't seen this virus yet (I got the following from hackers here outside of our University) I think it really exists and seems to be really a nasty virus, so I provide the following information to avoid possible trouble. This "cookie virus" seems to activate itself only when you are using a word-processing program. At random moments it flashes you something like "give me a cookie...!" ("dame una galleta"...!). If you type "have a cookie" ("toma una galleta"), the virus seems to deactivate itself after prompting "thank you" ("gracias"). If you do not "give it a cookie" and escape some other way, it asks two minutes after for a cookie again. If you escape again and afterwards you save your text and exit the word-processor, you will find the next time you try to load your text that all its extent has been replaced with the string "this because you didn't give me a cookie" ("esto por no darme una galleta")... In a first approach to the detection of this virus, any search for the string "cookie" ("galleta") was no use. The only string found was something like "kiecoo" ("etagall"), and the virus seemed to be in "IBMBIO.COM" and "IBMDOS.COM" files, but time and date stamp seemed to be untouched... Somebody out there has suffered effects like the described ones?. Any detection and preventive methods?. Antonio-Paulo Ubieto Artur. Department of Modern and Contemporary History. Zaragoza University. 50071 Zaragoza (Spain-Europe). hiscont@cc.unizar.es ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 25 Sep 1989 Volume 2 : Issue 200 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: More on the CUPLVX Virus (VAX/VMS) Virus humour RE: McAfee Posting Viruscan (PC) re: datacrime & fdisk (PC) Re: October 12/13 (PC) correction to NOCRIME.DOC (PC) Is this a virus? (PC) should we fight fire with fire? safety protocols Write-protecting Disinfectant (Mac) (Was Re: disinfecting nVIR... Latest V-Alert on a "good virus" --------------------------------------------------------------------------- Date: Thu, 21 Sep 89 09:27:00 -0400 From: John McMahon - NASA GSFC ADFTO - 301-286-2045 <FASTEDDY@DFTBIT> Subject: More on the CUPLVX Virus (VAX/VMS) The following mail messages were posted to the INFO-VAX mailing list in response to the message "Virus or Coincidence" posted by Tom Ivers at the Columbia U. Plasma Physics Lab (IVERS@CUPLVX.APNE.COLUMBIA.EDU). The message was posted to VIRUS-L in a previous isse. Tom Ivers original mail message indicated that the VAX that had the problem was running VMS 4.5. VMS 4.4 through 4.7 had a fairly nasty security hole in it that DEC has subsequently patched. Perhaps this system wasn't patched ? Assuming the security hole wasn't patched, and LOGINOUT.EXE was replaced then this type of attack has occurred before. The last major outbreak was when the Chaos Computer Club broke into machines on the "World DECnet" (SPAN/HEPnet/Etc...) during the Summer of 1987. ***> From: "FIDLER::LEVINE" <levine%fidler.decnet@NWC.NAVY.MIL> ***> ***> I got your message from info-vax, and passed it on to other ***> system managers at NWC. One of them just called and said he had part of ***> your problem once. The user limit message is a micro VMS message only, ***> and he told me that the login problem was due to a bad floating point ***> unit on his 750. Apparently the password hashing suborutine (HPWD) uses ***> some Floating point instructions. He will be sending me a full ***> desription of the problem next week which I will pass on to you. ***> As for the VIRUS stuff, he had no trace of that. ***> Michael N. LeVine Naval Weapons Center, China Lake, Ca 93555, USA ***> From: "Richard B. Gilbert" <dragon@NSCVAX.PRINCETON.EDU> ***> ***> I think you've been well and truly screwed. The safest thing to do is ***> to scrub your disk and restore from a backup that you are certain is ***> clean. ***> ***> I have this horrible feeling that SYS$SYSTEM:LOGINOUT.EXE has been ***> patched or replaced. Only extensive checking would reveal what else has ***> been tampered with. You had better assume that any sensitive ***> information on your system has been compromised and that _anything_ may ***> have been tampered with! ***> ***> Even after you restore your system, you will still be vulnerable to a ***> repetion of the same attack! You will need to read and heed the "Guide ***> to VMS Security". You should probably have security alarm ACLs on ***> SYS$SYSTEM:SYSUAF.DAT, SYS$MANAGER:SYSTARTUP.COM or SYSTARTUP_V5.COM, ***> SY$MANAGER:SYLOGIN.COM and perhaps a couple of other things. This will ***> not prevent a breakin but it will make it tougher to do it tracelessly. ***> Check your modem lines if any. Are they all set /MODEM /HANGUP /DIALUP? ***> If not, they provide a potential entry point for a cracker. ***> ***> Priveleged accounts such as FIELD, and SYSTEST should be kept turned off ***> with /FLAGS=DISUSER and enabled only when needed. ***> ***> The default DECnet account also provides a potential point of entry. ***> ***> I'm real glad I'm not in your shoes. ***> From: "Kevin V. Carosso" <KVC%FRIDAY.A-T.COM@CUNYVM.CUNY.EDU> ***> ***> The fact that you are running VMS V4.5 and getting the "USERS EXCEEDED" ***> message is an important clue. User limits for MicroVMS were enforced by ***> code in LOGINOUT.EXE. When you upgraded your license on your MicroVAX, ***> say from 2 users to 8, DEC sent you a VMSINTAL kit which patched ***> LOGINOUT. ***> ***> The fact that your 750 suddenly has a user limit of 2 (indeed any limit ***> at all) and is not running VMS V5 means that you may be running with a ***> LOGINOUT.EXE copied from a MicroVMS system. One distinct possibility is ***> that someone took the LOGINOUT.EXE from a MicroVMS system, possibly ***> patched in their own trapdoor, and copied it to your 750 replacing the ***> standard SYS$SYSTEM:LOGINOUT.EXE. ***> ***> A couple of years ago there were a rash of breakins to VMS machines ***> characterized, in part, by patched LOGINOUT.EXE's being left behind. ***> ***> You should consider restoring LOGINOUT.EXE from tape. You also might ***> want to save the suspicious one and check it out with ANALYZE/IMAGE ***> (which will report PATCH information unless the image was patched ***> without using the standard VMS PATCH utility). ***> ***> /Kevin Carosso kvc@friday.a-t.com ***> Innosoft kvc@ymir.bitnet /------------------------------------+---------------------------------------\ |John "Fast Eddie" McMahon | Span: SDCDCL::FASTEDDY (Node 6.9) | |Advanced Data Flow Technology Office| Arpa: FASTEDDY@DFTNIC.GSFC.NASA.GOV| |Code 630.4 - Building 28/W255 | Bitnet: FASTEDDY@DFTBIT | |NASA Goddard Space Flight Center |GSFCmail: JMCMAHON | |Greenbelt, Maryland 20771 | Phone: 301-286-2045 (FTS: 888-2045) | +------------------------------------+---------------------------------------+ |Invest heavily in SPAM futures... | \----------------------------------------------------------------------------/ ------------------------------ Date: Thu, 21 Sep 89 08:08:10 -0700 From: Robert Slade <USERQBPP%SFU.BITNET@VMA.CC.CMU.EDU> Subject: Virus humour Bit of trivia here. I recently received a copy of issue 6 of the now (unfortunately) defunct humour digest 'NutWorks'. It contains an article on a computer virus - a real organic virus that (supposedly) attacked the latest development in computer memory, BRAM, Bacterial Reproducible Active Memory. The article was written in 1984. ------------------------------ Date: Thu, 21 Sep 89 11:57:45 -0400 From: dmg@cornea.mitre.org (David Gursky) Subject: RE: McAfee Posting [Caveat Emptor: My copy of Virus-L V2 #198 seems to have been eaten by the net, so I do not have my original message in front of me as a source.] I believe both Chris McDonald and Kelly Goen missed the point of my message about John's message, (which message? who? what? ;-) I agree wholeheartedly with Chris' characterization of Centel. If they are indeed purporting to be selling Viruscan for $25, they are in flagrant violation of the law. I deliberately tempered my remarks about Centel as the only source of information I have about their "offer" comes from a Washington Post article, and is consequently at least third-hand (whereas my comments about John's posting were based directly on his message). For example, we know Viruscan is on the disk, but how do any of us know that other utilities that Centel may have developed are on the disk?? I could carry on these arguments for awhile, but I suspect I've made my point here. Relating this back to my message about John McAfee's posting, I found his language confrontational in the extreme, with no explanation as to why such a tone needed to be adopted. Kelly is levelling a rather serious charge at Centel. If indeed Centel was suggesting to purchasers of the disk with Viruscan that they were buying the application, rather than covering distribution costs, he is absolutely right, but as I suggest above, we do not have enough information present to make this judgement. Again, John's message had no information backing this up. The question has also been raised about charging for the distribution of software. I'm no lawyer, but I have the strong suspicion this is perfectly legal (although as I stated about, a $25 distribution charge "smells", to quote Chris). Consider that several companies in the United States sell disks full of public-domain, freeware, and shareware applications. When shareware is involved, these companies (at least the better ones) explicitly state that a seperate payment is needed. Also remember that this is how many user groups generate revenue (through the charge of a nominal distribution fee for a disk of pd/fw/sw software. Another question was raised about what say the author has in the distribution of his or her work, when done under the auspices of the "Shareware" label. There is no question that when a piece of shareware code is included in a commercial application or disk, the author is fully within their right to demand payment, or place restrictions on dissemination, or a host of other things. I am not aware of a precedent that allows a shareware offer to say in the general case that a piece of shareware can be available from source A, but not source B. Furthermore, such an example (you can get the software from source A, but not B) appears contrary to the philosophy behind shareware. ------------------------------ Date: Thu, 21 Sep 89 12:10:40 -0400 From: dmg@cornea.mitre.org (David Gursky) Subject: Viruscan (PC) The recent discussions of Viruscan have reminded me of something. The Computer Center folks recently asked me about Anti-virus packages for PCs. I wanted to pass on to them information about Ross Greenberg's "FluShot Plus" and John McAffee's "Viruscan". Anyone out there care to synopsize these two (please include information about finding out about site licensing... Thanks! David Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------------------------------ Date: Thu, 21 Sep 89 13:18:42 -0500 From: "Rich Winkel UMC Math Department" <MATHRICH@UMCVMB.BITNET> Subject: re: datacrime & fdisk (PC) >From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU> >if you use fdisk to create a dummy partition of lets says 2 >cylinders and then create a second normal active dos partition >will this prevent the virus from destroying track zero? It depends on how it accesses the disk. If it uses bios calls (INT 13H), it will still attack physical cyl 0 on the disk. If it uses the dos absolute disk write call (INT 26H) it will wipe out whatever the starting track of the dos partition is. Even if it uses the bios call though, and you've partitioned the disk so it doesn't touch dos's FAT and directory, it will still wipe out the master boot sector where the partition table is stored. That wouldn't be so bad if you could make FDISK simply put a new master boot sector on the disk, but unfortunately FDISK insists on doing some general housecleaning which may finish the job that datacrime started. I'm not sure of the extent of the housecleaning, so I can't say for sure. Rich ------------------------------ Date: 20 Sep 89 19:29:03 +0000 From: ttidca.TTI.COM!hollombe%sdcsvax@ucsd.edu (The Polymath) Subject: Re: October 12/13 (PC) In article <0003.8909191146.AA07427@ge.sei.cmu.edu> ACS1W@uhvax1.uh.edu (Meesh) writes: }I'm the editor of our university's computing newletter. I need to }know how users can detect the October 12/13 virus ahead of time. Is }there a way at all? ... How about backing up the hard disk, then setting the system date ahead to October 13 and re-booting? [Ed. Sounds (to me) kind of like testing to see if the mines in an inert minefield are "ert" by having someone walk through it. :-)] - -- The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com) Illegitimis non Citicorp(+)TTI Carborundum 3100 Ocean Park Blvd. (213) 452-9191, x2483 Santa Monica, CA 90405 {csun|philabs|psivax}!ttidca!hollombe ------------------------------ Date: Thu, 21 Sep 89 18:29:38 -0700 From: fu@unix.sri.com (Christina Fu) Subject: correction to NOCRIME.DOC (PC) I have to thank Jim Wright for pointing out to me the mistake I have made in the NOCRIME documentation. I referred to "NOCRIME.DOC" as "DATACRM.DOC." Correction has been made, but I do not intend to make it a new version. I apologize for the confusion. Those who receive copies directly from me starting Sep. 20 will have the corrected copy. Sincerely, Christina H. Fu p.s. Please try to obtain copies from archive sites. I have trouble keeping up with my mail lately. Thank you very much. ------------------------------ Date: 22 Sep 89 00:00:00 +0000 From: Christoph.Fischer.RY15@DKAUNI11 Subject: Is this a virus? (PC) Hi, we just had an inquiery about 4 strange files that appeared on a Microsoft WORD installation. All 4 files are hidden system and readonly. The filenames are: MWA. MW.COD MW.COM MW.DAT 256 47296 27902 24442 bytes file length The file MWA is text and contains: Copyright 1984 by Microsoft Word Freedom Fighters: Richard Brodie Jabe Blumenthal Jeff Harbers Doug Klunder Bruce Leak Frank Liang Carl McConnell David Palmer Chris Peters Jeff Raikes Tom Reeve Ken Shapiro Charles Simonyi Greg Cox Pat Th.... File dates showed a 1985 creation date Has anyone seen this before?????? These guys there have a bunch of problems, but we couldn't find a virus yet| Chris and Torsten ***************************************************************** * Torsten Boerstler and Christoph Fischer and Rainer Stober * * Micro-BIT Virus Team / University of Karlsruhe / West-Germany * * D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 * * E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET * ***************************************************************** ------------------------------ Date: Fri, 22 Sep 89 02:57:00 -0400 From: CZMUREK%DREW.BITNET@VMA.CC.CMU.EDU Subject: should we fight fire with fire? [Ed. The following message was sent to VALERT-L, not VIRUS-L/comp.virus (where it should have gone). Please send any follow-ups here to VIRUS-L/comp.virus. Also, there are already a number of responses to this message in this (and the next) digest. I've included most of them since they present different reasons for vetoing Chris's idea of creating a virus fighting virus. I will try to keep the number of redundant messages on this to a minimum.] It would seem to me, as probably to most of you, that the creation of yet one more virus would be the last straw. But the other day I had an idea that might have occured to the rest of you, or maybe not. I began to design a virus algorythm that would eventually serve as the platform for the destruction of other viruses. It's purpose would be to infect single programs, single disks, or multiple disks in the first, second and third versions respectively. Before any alarm sets in here about my intentions, I would like to say that the purpose here is to aid in the effort to combat these little nasties. I am posting this info in the hopes that some of you will respond with your thoughts on the moral, ethical, and legal aspects of such an act as producing and spawning a virus that is intended to find and/or kill off other viruses that it comes into contact with without causing harm to any other software. I have thought of many ways to detect and defeat viruses in this manner. I have not as of yet done any coding beyond the replication stages. The two methods that I am using are by the boot sector and by piggy-backing com and exec files. There are others, but for obvious reasons I am not posting the source code or other more elaborate techniques. Please send me your insightful comments on this subject. I would also like to know what you think about designing the software to infect only the original user's system (this can be done) assuming it was to be sold commercially. Thank you in advance for your help in this ethical dilema... Chris (poet) ------------------------------ Date: Fri, 22 Sep 89 03:08:00 -0400 From: <CZMUREK%DREW.BITNET@VMA.CC.CMU.EDU> Subject: safety protocols In a recent digest, Jim Blakely requested some help in developing a protocol for the prevention of contamination from outside viruses. I would suggest to him and to any of you the following: When confronted by the problem of constant disk swapping and usage of disks from the outside, you should set up a machine that is not connected in any way to any other. Then in the event that a new disk is to be used (one from the outside), this disk should be tested on the new machine by one or more of the most trusted anti-virus programs on the market. This will insure that its introduciton into the working environment of the facility will not cause any harmful results. If a disk were to be found infected, the user can then be almost certain that his/her home machine was also infected. By implementing this policy it would help to insure a safer environment for all. ------------------------------ Date: 22 Sep 89 12:29:31 +0000 From: HUUSKONEN@hylka.Helsinki.FI (TANELI HUUSKONEN, DEPT MATH, HELSINKI, FI NLAND) Subject: Write-protecting Disinfectant (Mac) (Was Re: disinfecting nVIR... In article <0008.8909211142.AA16502@ge.sei.cmu.edu>, chinet!henry@att.att.com w rites: >> When you finally get Disinfectant, and de-Binhex it and >> de-Stuffit, make sure the diskette you keep it on is >> write-protected!!! This is very important; a virus cannot infect >> an application on a write-protected diskette! > > This is a good idea, but not entirely necessary with Disinfectant. > Disinfectant is resistant to all currently known viruses and will > refuse to run if it has been changed in any way. ... Two objections: 1) You need to get a new copy of Disinfectant if a virus attacks it and makes it refuse to run. 2) Someone _may_ write a Disinfectant-specific virus that prevents it from checking itself and from noticing the virus. ------------------------------ Date: Fri, 22 Sep 89 00:00:00 +0000 From: "David A. Bader" <DAB3%LEHIGH.BITNET@VMA.CC.CMU.EDU> Subject: Latest V-Alert on a "good virus" I don't care who you are - good, bad.. it doesn't matter, I don't want *ANY* viruses! This is *MY* computer system. I prefer knowing what's going on in here. In order for you to create something that will detect and erradicate all viruses but not harm any software or applications - that is just a contradiction... I don't want to see my files grow in size for any reasons. Viruses are sometimes modified by hackers and new strains appear, so what is stopping someone from modifying your virus into a *bad* virus that looks JUST LIKE the "good" one with the capability of replacing the "good" one and wreaking havoc?? If you started programming... stop. That's my suggestion. -David Bader ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 25 Sep 1989 Volume 2 : Issue 201 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: Centel Corp. and ViruScan New IBMPC anti-viral programs should we fight fire with fire? Re: Should we fight fire with fire? NO! Macintosh Lock-up Anti-virus virus Re: Software company distributing viruses (PC) The anti-virus virus MIX1 (PC) RFC: Guide to Fighting Macintosh Viruses:... A boincing diamond star (What is it???) SCANV38 (PC) Is this a virus ? --------------------------------------------- Date: Fri, 22 Sep 89 08:21:07 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: Re: Centel Corp. and ViruScan In (ewiles@iad-nxe.global-mis.dhl.com) writes... The creator of VirusX for the Amiga certainly feels this way, [that "I want you to get your information from me and no one else"], and for a very good reason: It's the only way to make certain that the program hasn't been tampered with to make it a virus spreader instead of a stopper. It just so happens that I agree with him. What better way for some sleazo to get a virus or trojan horse spread than to make it look like it's a common, otherwise trusted, shareware virus killer program? - ----- I have no qualms with any of this per se. If the author of a package wants to limit the sources from which his or her work is available, fine! But by doing so you forfeit the right to label your work as shareware! Shareware, by definition, is software that is shared with other users for the purpose of preliminary evaluation. If the user finds the application useful, the user is honor- and legally-bound to pay the requested fee for the software. Shareware works because the distribution system is the users themselves. The author has only a minimal say in the distribution. Certainly if the author wants to more strictly limit the dissemination of his or her work, he or she is welcome to do so. The proper manner is a commercial distributor; anything that tries to mix commercial and shareware, "isn't kosher". As far as Ed's other argument goes (about using trusted shareware virus killer programs as a carrier for a virus), I can't be the only one who has failed to notice that despite that this is a common fear, it has not happened recently or often (the last case I know of was a "version" of Ross Greenberg's original FluShot, that was a Trojan Horse that destroyed FATs or some-such; even then, this wasn't a virus but a trojan). Let me take this one step further. Anti-virus applications (IMO) make a poor carrier for a virus. In order for a virus to succeed, it must go undetected. This means that prior to the activation of the virus' logic-bomb or time-bomb, it cannot interfere with the normal operation of the computer or the applications in use on the computer. To do so greatly improves the chances the virus will be discovered (to wit, the Jerusalem virus). If we work under the assumption that when a user acquires an anti-virus application, they actually use it (in fact we must work under this rule; otherwise the virus would not spread), the virus necessarily undergoes an increased chance of detection because an application is running that looks for viruses! Standard disclaimers apply. David Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------------------------------ Date: Fri, 22 Sep 89 09:14:40 -0500 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: New IBMPC anti-viral programs More programs for the IBMPC anti-viral archives. columbus.arc Program to backup track zero of a hard drive and restore track zero. Meant for disaster recovery, such as that from "Columbus Day" virus. Includes source! m-3066.arc Program to repair damage due to the new "3066" virus. Checks and repairs and entire drive. Use with caution. scanres7.arc Memory resident program to check each program for viruses before it is executed. This replaces the previous release of scanres. scanv37.arc Scans hard drives or floppies for viruses. This replaces the previous release of scanv. virsimul.arc Program to simulate the non-destructive effects of various viruses. Very useful in figuring out what everyone else is talking about. COLUMBUS.ARC Save & restore track zero of hard drive. M-3066.ARC Recover from the 3066 virus. SCANRES7.ARC Resident program to detect viruses. SCANV37.ARC Scans drives and reports presence of viruses. VIRSIMUL.ARC Simulates non-destructive behavior of viruses. Jim ------------------------------ Date: Fri, 22 Sep 89 11:42:25 -0400 From: "Ronald Johnson," <RJOHNSON%BCSC02.BITNET@VMA.CC.CMU.EDU> Subject: should we fight fire with fire? *** Reply to note of 09/22/89 00:11 The proposed "solution" is not acceptable. 1. It would be the beginning of a new "ARMS RACE" with each side trying to overpower the other with increasingly sophisticated viruses. 2. The possibility for abuse is frightening. . Regards, Ronald Johnson, acting Data Security Manager Security Services, LDB, Vancouver, 254-5711 ext. 353 ------------------------------ Date: Fri, 22 Sep 89 09:51:53 -0700 From: well!odawa@apple.com (Michael Odawa) Subject: Re: Should we fight fire with fire? NO! Thank you for bringing this issue up with others before you acted. We have had previous discussions about this issue, and here are some of the considersations: a) Virus technology is still relatively primitive; there is much we do not know about the interaction of viruses with other software functions, such as real-time, cycle counting procedures. Hence even a well-intentioned virus writer can not anticipate all the effects his code may produce. b) It is highly likely that bugs and unintended side effects will be present in any complex piece of software. Thus even an intended "beneficial" virus is likely to take action beyond what was designed by the author. c) The existence of "good" viruses in the environment would create a massive identification problem for the anti-viral software routines which currently exist and which are being developed. How could a virus detector distinguish between a "good" virus and a "bad" virus that was masquerading as a "good" one? d) One of the worst aspects of virus propagation is that it alters the contents of other people's computers and storage media without their consent. This is a very serious ethical principle which cannot be broached even in the name of public service. You simply do not have permission to muck with people's computing hardware without asking them first. For these reasons and others, we ask you not to become seduced by the temptation to create a "good" virus. Indeed, we believe that, The only good virus is a dead one. Michael Odawa Sofware Development Council odawa@well.uucp ------------------------------ Date: Fri, 22 Sep 89 13:26:00 -0500 From: "Chris_C.Conner" <13501CCC%MSU.BITNET@IBM1.CC.Lehigh.Edu> Subject: Macintosh Lock-up This is the first time I've written to the digest and I hope someone out there has some information on my topic. I work at the Graphics Lab in Michigan State University's Computer Center, so we get plenty of people coming through to use our MacII and scanner. A fellow came in the other day and when he inserted his disk into the Mac, the machine locked up. We run VACCINE, and Disinfectant 1.2. After restarting the machine, I checked the hard-disk and found nothing, so I inserted his disk again (while Disinfectant was still running) and it locked up again. I was wondering if anyone knew about this. If it is some kind of virus it could be a real nuisance. You couldn't use the disk, or reformat it because you couldn't put it into a machine. The only thing I can think of doing is using a bulk eraser. If anyone has anything, help me out... CCC ------------------------------ Date: Fri, 22 Sep 89 16:02:39 -0500 From: Joe Simpson <JS05STAF%MIAMIU.BITNET@VMA.CC.CMU.EDU> Subject: Anti-virus virus Recently another proposal to create an anti-virus virus was made on valert-l. I posted a note that discussion belonged in virus-l and that I would be responding here. [Ed. Thank you!] Concerning writing an anti-virus virus. Such an entity would make unauthorized use of equipment not owned or operated by this virus's creator. The creator would be acting in just as immoral a fashion as the creators of joke, political, or deliberately desctructive viruses. In fact, I prefer not to make moral judgements based upon the intent of the virus creator. I would prefer that they simply refrain from this anti-social behavior no matter what the motivation. ------------------------------ Date: 22 Sep 89 12:57:23 +0000 From: bnr-di!borynec@watmath.waterloo.edu (James Borynec) Subject: Re: Software company distributing viruses (PC) In article <0006.8909211142.AA16502@ge.sei.cmu.edu>, frisk@rhi.hi.is (Fridrik S kulason) writes: > "We can't have a virus - there are no pirated games here" > I guess this will happen elsewhere, but until now there have been very > few occurrences of software companies distributing viruses (only 4 > that I know of). Software companies may be the largest source of virus contamination around. After all, they send disks everywhere and no one worries about 'shrink wrap' software being 'unclean'. I have only been hit by two viruses - both came from software companies - one of which was Texas Instruments. The guy in the office next door was hit by a copy of a virus on his (shrink wrap) copy of WordPerfect. I think it is shocking that people are told just to watch out for viruses when engaged in software 'swapping'. Everyone should regard EVERY disk that enters their machine with suspicion. J.b. - -- UUCP : utzoo!bnr-vpa!bnr-di!borynec James Borynec, Bell Northern Research Bitnet: borynec@bnr.CA Box 3511, Stn C, Ottawa, Ontario K1Y 4H7 ------------------------------ Date: Sat, 23 Sep 89 11:49:00 -0500 From: <CTDONATH%SUNRISE.BITNET@VMA.CC.CMU.EDU> Subject: The anti-virus virus (regarding a note of 9/22/89 on VALERT-L) Using a virus to destroy other viruses is a good idea IN THEORY. It assumes two points: 1. the AVV (anti-virus virus) is assumed to work properly under all conditions; 2. the virus-writers are assumed to not create new anti-anti-virus-virus viruses i.e. start a viral arms race. Regarding point 1: Robert Morris Jr. seemed to want his worm to be "well behaved", with only one rather tame worm living on each system on Internet. However, one little bug (from what little I know) caused the worm to run out of control. Like the author of the Internet worm, the authors of the AVV would probably be crucified if anything went wrong. In fact, the virus hysteria would cause a major uproar even if it worked (would you like a virus to appear on your system without your permission even if it did no damage?) Point 2: I assume one reason that viruses are written is because it "lives", i.e. it exists, multiplies, travels, and survives in a way resembling, say, a flea. The existance of a virus that "eats" viruses would be seen as a challenge that would become a "survival of the fittest" contest. A viral war would break out between the "bad" virus writers and the "good" virus writers. The battlefield would be computers in general. - -=- CTDONATH@SUNRISE -=- ------------------------------ Date: Sat, 23 Sep 89 13:59:23 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: MIX1 (PC) Actually I was not planning to write more about viruses from Israel for a while, but I just could not resist. You see, the latest virus reported there, the MIX1 virus, is in fact just a variant of the Icelandic virus. I would not be surprised, if this was in fact the variant mentioned some time ago, as "...a hacked variant of the Icelandic virus, that a group of hackers intends to distribute to various BBS..." Fortunately, it is just a variant of the Icelandic-1 virus, like Saratoga. If the authors of MIX1 had instead based their variant on Icelandic-2, we might be seeing the start of a serious problem. I have now almost finished disassembling MIX1, and here are a few details not mentioned by Yuval Tal in his report: The virus has been modified in several places, in order to fool virus detection programs. The changes include replacing instructions with other equivalent ones. Examples XOR AX,AX ---> MOV AX,0000 MOV ES,AX ---> PUSH AX POP ES Also, NOP instructions have been inserted in several places, including inside the identification strings used by VIRUSCAN and most other similar programs. This seems to be a response by virus writers to anti-virus programs that look for infection by using identification strings. This method has so far only been used in two viruses that I know of, MIX1 and the '286 variant of the Ping-Pong virus. Apart from these changes, two parts of the virus are almost identical to other variants of the Icelandic virus. In the installation part, the code to check INT 13 has been removed. (as in Saratoga and Icelandic-2). The infection routine has been modified in the following ways: Infect every file (instead of every tenth program run.) Do not infect a program, unless it is at least 16K long. The Icelandic virus was first detected in June, disassembled a week later, and the disassembly was made available around the beginning of July. The MIX1 virus appeared in Israel in August - which is a very short time for a virus to spread around the globe. Now - the question is: How did the authors of MIX1 obtain the Icelandic virus ? It is almost certain that these viruses do not have the same author, because then the virus would surely have been based on Icelandic-2, which is a much more dangerous and effective variant. I see the following possibilities: 1) The author of MIX1 obtained a copy of Icelandic-1 from somebody who got infected with it, disassembled it and created a new virus. This sounds reasonable, but there is one major problem, which is that the Icelandic virus has (as far as I know) not been detected outside of Iceland. 2) The author obtained a disassembly, modified it and re-released it as MIX1. It is already known that at least one virus writer has access to virus disassemblies, that were only intended for virus specialists. The problem is that obtaining well-commented virus disassemblies is not hard, and I would not be surprised if a number of new variants of viruses, based on them would appear in the near future. MIX1 and Ping-Pong '286 may be just the first of this new generation. ---- frisk ------------------------------ Date: 23 Sep 89 20:36:15 +0000 From: shull@scrolls.wharton.upenn.edu (Christopher E. Shull) Subject: RFC: Guide to Fighting Macintosh Viruses:... Macintosh Virus Experts: I have just finished the second draft of a roughly two page guide to fighting machintosh viruses. (The first draft was proofread only within my group, so don't feel left out if you didn't see it.) This set of instructions is fundamentally the advice I have been loosing my voice repeating. To save my voice, I have written it down. Please mail your comments, suggestions and constructive criticism to shull@wharton.upenn.edu, so I can enhance this document. In the meantime, if you are tired of explaining how to defend against viruses and you like what I have written, please feel free to distribute my "Guide to Fighting Macintosh Viruses: Instructions for the Rest of Us", subject only to terms of the Copyright Notice. Thanks in advance! - -Chris %--cut here------------------------------------------------------- R E Q U E S T F O R C O M M E N T Guide to Fighting Macintosh Viruses: Instructions for the Rest of Us September 23, 1989 Christopher E. Shull The Wharton School University of Pennsylvania Shull@wharton.upenn.edu Disclaimer and Copyright Notice This document may help you understand and cope with Macintosh viruses. It may however fail in this objective. Use it at your own risk. Neither the author, Christopher E. Shull, nor his employer, the University of Pennsylvania, make any warranty, either express or implied, with respect to the information contained herein. Copyright 1989, University of Pennsylvania. Permission is granted to make and distribute copies of this document, provided this disclaimer and copyright notice are preserved on all copies. The document may not, however, be sold or distributed for profit. Instructions This file describes how to cope with Macintosh viruses. 1) Do Not Panic. As of this writing, all known Macintosh viruses are easily detected, destroyed and prevented. 2) Read these instructions from front to back, and then follow them step by step. 3) Using Disinfectant to Find and Kill Viruses. a) Obtain a boot-able diskette containing the program Disinfectant from a trusted source. Disinfectant was written by John Norstad of Northwestern University. The current version is 1.2, dated August 4, 1989. (This is also a good time to get copies of Vaccine and GateKeeper, which are described in steps 5) and 6). b) Write Lock this diskette by sliding the write protect tab to the open position (so you can peek through the little hole). c) Start or Restart your Mac from this diskette. d) Run Disinfectant by doubling clicking on its icon, and then following the simple on-screen instructions: Please read the instructions before running Disinfectant for the first time. Click on the About button. Special key summary. Hold down the key(s) while clicking on the Scan or Disinfect button. (See the instructions for details.) No keys = Scan or disinfect the selected disk. Option key = Scan or disinfect a single folder or file. Command key = Scan or disinfect a sequence of floppies. Option and Command keys = Scan or disinfect all drives. Note that Disinfectant suggests that you read its documentation first (by clicking the About button.) This is an excellent idea. However, if you are in a hurry and willing to risk using software you don't understand, just read the summary above and then click on the Disinfect button while holding down the appropriate key(s) (Scanning before Disinfecting has no benefit for normal folks). e) Disinfectant will report the details of its work in its center window. f) Examine the summary report to make sure all viruses were removed and no errors were encountered. If there were errors, try to fix the problems and disinfect the problem files or device again. If they do not go away, you need to read the instructions or get help from a Mac expert. g) When Disinfectant reports that no Viruses have been found, your main disk is clean. After disinfecting, be sure to restart your computer so memory resident viruses are destroyed! This is an excellent time to Disinfect all of your diskettes using the command key-Disinfect button combination. The next step is to make sure you don't get any more viruses in the future. 4) Using Disinfectant to Prevent Viruses. a) Disinfectant can be used to prevent the spread of viruses simply by scanning and disinfecting every new diskette that you ever use on your Mac, and every diskette that you use on someone else's Mac, and every program you buy or download. b) Because this requires a conscious, methodical and conscientious effort, an automatic method of preventing the spread of viruses is desirable. 5) Using Vaccine to Prevent Viruses. a) Vaccine, by Donald Brown of CE Software, Inc. is a Control Panel Document. The current and last version is 1.0. (The author declines in advance to fuel the escalating viruses and defenses game.) b) To use Vaccine, just copy it into your System Folder and restart your computer. You do not want to do this until your System Folder has been disinfected (see step 3), or your computer may not be able to start. c) Vaccine is now at work. No further configuration is required, although some is possible. d) To configure Vaccine, select Control Panel from the Apple menu, then select the Vaccine icon on the Control Panel, and follow the Instructions therein. e) As Vaccine's instructions explain, it may prevent some viruses. For more rigorous defense, you will need to use GateKeeper. 6) Using GateKeeper to Prevent Viruses. a) GateKeeper, by Chris Johnson, is also a Control Panel Document. The current version is 1.1.1, dated June 26, 1989, and is much easier to configure than version 1.1. b) Using GateKeeper requires more study on the part of the user, but should result in a more rigorously defended system. c) The first step in using GateKeeper is therefore to read, from front to back, the GateKeeper Introduction and the GateKeeper Release Notes documents, which come with GateKeeper in MacWrite format and are therefore readable in most Macintosh word processing programs. d) Following the instructions therein you can tighten your Mac's defenses against Viruses. 7) If Vaccine or GateKeeper Detects a Virus, return to Step 3) to remove it. 8) Join a Macintosh Users' Group so you can keep abreast of virus developments. This is important, because new viruses will appear that manage to circumvent the safeguards above, but we will simply develop new programs to combat them. ------------------------------ Date: Mon, 25 Sep 89 07:44:33 +0100 From: sajn@loglule.se Subject: A boincing diamond star (What is it???) A friend of mine has a PC that recently has been infected by some sort of a virus. The thing that happens is that a small diamond star is randomly bouncing like a ball on the screen. My questions : .Does anyone know what damage this virus might do ? .Is there any virus removal software developed for it ? ------------------------------ Date: Mon, 25 Sep 89 01:00:12 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: SCANV38 (PC) ViruScan V38 is out and has been sent to Compuserve and the comp.binary sites. This version identifies the MIX1, the New Ping Pong, the Dark Avenger, Syslock (3551) and a new Vacsina string identifier. The MIX1, by the way, is identified by SCAN as an Icelandic varient, since it is 85% or more the original Icelandic virus. All earlier viruses are still identified by SCAN and the strings have not changed for this version. SCANRES has also been updated to prevent a system from being infected by any of the above viruses. Its version is SCANRES8. Alan ------------------------------ Date: 25 Sep 89 18:54:15 +0000 From: mcvax!kannel.lut.fi!huopio@uunet.UU.NET (Kauto Huopio) Subject: Is this a virus ? My Taiwanese-origin Comper AT ( a 12 MHz-machine with 1 meg of RAM) ran into trouble last night. My friend was playing Tetris (the original version), and after that I begun to test WordPerfect 4.2. I looked to some directories and there was some *VERY* odd characters in the directory listings, blinking high intensity white. Quite often there was a "smiley face"-character, also blinking high intensity white. Also, there was some ODD characters just at the beginning of the next line after the command prompt, when giving a DOS command. When I edited a small text with WP and tried to save it..the hard disk light just stayed on and.. I think you can guess the rest. I booted my AT with a floppy disk and ran DIAGS. To my suprise, the hard disk came back! This morning I put up the system, and it worked for a couple of minutes, but died again (Sector not found error on drive C: ) I am running DOS 3.30. Now, I have some questions: 1) What is the right size of DOS 3.30 COMMAND.COM ? 2) Should I do a low-level format with Ontrack Disk Manager 3.2 and try to do a clean system. 3) If this is caused by a virus, what is the bogus program ?? All help is welcome!! - --Kauto PS: Sorry about my poor English.. ****************** Kauto Huopio (huopio@kannel.lut.fi) ********************** *US Mail: Kauto Huopio, Punkkerikatu 1 A 10, SF-53850 Lappeenranta, Finland * *Project: Learn some GNU Emacs first.. :-) * ***************************************************************************** ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 25 Sep 1989 Volume 2 : Issue 202 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Columbus Day Virus (PC) (long) [Ed. Due to its length, I've included this Press Release from NIST in a separate VIRUS-L digest.] --------------------------------------------------------------------------- Date: 22 Sep 89 23:54:00 -0400 From: "STEINAUER, DENNIS" <steinauer@ecf.ncsl.nist.gov> Subject: Columbus Day Virus (PC) (long) FOR IMMEDIATE RELEASE: Jan Kosko Sept. 22, 1989 301/975-2762 TN-XXXX COMPUTER SECURITY EXPERTS ADVISE STEPS TO REDUCE THE RISK OF VIRUS ATTACKS To reduce the risk of damage from potentially serious computer viruses, including one called "Columbus Day," experts at the National Institute of Standards and Technology (NIST), the National Computer Security Center (NCSC), and the Software Engineering Institute (SEI) are recommending several measures plus commonsense computing practices. "This advice is being offered to encourage effective yet calm response to recent reports of a new variety of computer virus," says Dennis Steinauer, manager of the computer security management and evaluation group at NIST. While incidents of malicious software attacks are relatively few, they have been increasing. Most recently, a potentially serious personal computer virus has been reported. The virus is known by several names, including "Columbus Day," Datacrime and "Friday the 13th." In infected machines it is designed to attack the hard-disk data-storage devices of IBM-compatible personal computers on or after October 13. The virus is designed to destroy disk file directory information, making the disk's contents inaccessible. (A fact sheet on this virus is attached and includes precautionary measures to help prevent damage.) While the Columbus Day virus has been identified in both the United States and Europe, there is no evidence that it has spread extensively in this country or that it is inherently any more threatening than other viruses, say the computer security experts. "Computer virus" is a term often used to indicate any self- replicating software that can, under certain circumstances, destroy information in computers or disrupt networks. Other examples of malicious software are "Trojan horses" and "network worms." Viruses can spread quickly and can cause extensive damage. They pose a larger risk for personal computers which tend to have fewer protection features and are often used by non- technically-oriented people. Viruses often are written to masquerade as useful programs so that users are duped into copying them and sharing them with friends and work colleagues. Routinely using good computing practices can reduce the likelihood of contracting and spreading any virus and can minimize its effects if one does strike. Advice from the experts includes: * Make frequent backups of your data, and keep several versions. * Use only software obtained from reputable and reliable sources. Be very cautious of software from public sources, such as software bulletin boards, or sent across personal computer networks. * Don't let others use your computer without your consent. * Use care when exchanging software between computers at work or between your home computer and your office computer. * Back up new software immediately after installation and use the backup copy whenever you need to restore. Retain original distribution diskettes in a safe location. * Learn about your computer and the software you use and be able to distinguish between normal and abnormal system activity. * If you suspect your system contains a virus, stop using it and get assistance from a knowledgeable individual. In general, educating users is one of the best, most cost- effective steps to take, says Steinauer. Users should know about malicious software in general and the risks that it poses, how to use technical controls, monitor their systems and software for abnormal activity, and what to do to contain a problem or recover from an attack. "An educated user is the best defense most organizations have," he says. A number of commercial organizations sell software or services that may help detect or remove some types of viruses, including the Columbus Day virus. But, says Steinauer, there are many types of viruses, and new ones can appear at any time. "No product can guarantee to identify all viruses," he adds. To help deal with various types of computer security threats, including malicious software, NIST and others are forming a network of computer security response and information centers. These centers are being modeled after the SEI's Computer Emergency Response Team Coordination Center, often called CERT, established by the Defense Advanced Research Projects Agency (DARPA). The centers will serve as sources of information and guidance on viruses and related threats and will respond to computer security incidents. In addition, NIST recently has issued guidelines for controlling viruses in various computer environments including personal computers and networks. NIST develops security standards for federal agencies and security guidelines for unclassified computer systems. NCSC, a component of the National Security Agency, develops guidelines for protecting classified (national security) systems. SEI, a research organization funded by DARPA, is located at Carnegie Mellon University in Pittsburgh. -30- NOTE: Computer Viruses and Related Threats: A Management Guide (NIST Special Publication 500-166) is available from Superintendent of Documents, U.S. Government Printing Office, Washington, D.C. 20402. Order by stock no. 003-003-02955-6 for $2.50 prepaid. Editors and reporters can get a copy from the NIST Public Information Division, 301/975-2762. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Sept. 22, 1989 FACT SHEET Columbus Day Computer Virus Several reports of a new computer virus recently have been published in the media and throughout the data processing community. This virus has been referred to as "Columbus Day," "Friday the 13th," as well as "Datacrime I" or "Datacrime II." It attacks IBM-compatible personal computers running the MS-DOS/PC- DOS operating system. If activated, the virus will destroy disk file directory information, making files and their contents inaccessible. The following information has been compiled by NIST, NCSC, and SEI from several sources and is being made available for system managers to use in taking precautionary measures. NOTE: As with many viruses, there may be other, yet unidentified, variants with different characteristics. Therefore, this information is not guaranteed to be complete and accurate for all possible variants. NAMES OF VIRUS: Columbus Day, Friday the 13th, Datacrime I/II EFFECT: Performs a low-level format of cylinder zero of the hard disk on the target machine, thereby destroying the boot sector and File Allocation Table (FAT) information. Upon activation it may display a message similar to the following: DATACRIME VIRUS RELEASED:1 MARCH 1989 TRIGGER: The virus is triggered by a system date 13 October or later. (Note that 13 October 1989 is a Friday.) CHARACTERISTICS: Several characteristics have been identified:. 1. The virus, depending on its variant, appends itself to .COM files (except for COMMAND.COM), increasing the .COM file by either 1168 or 1280 bytes. In addition, the Datacrime II variant can infect .EXE files, increasing their size by 1514 bytes. 2. The 1168 byte version contains the hex string EB00B40ECD21B4. 3. The 1280 byte version contains the hex string 00568DB43005CD21. This virus reportedly was released on 1 March 1989 in Europe. It is unlikely that significant propagation could occur between the release date and mid-October; therefore, U.S. systems should be at a low risk for infection. If safe computing practices have been followed, the risk should be practically nil. However, managers believing their site may be at risk should consider taking precautionary measures, including one or more of the following actions: 1. Take full back-ups of all hard disks. If the disks are later found to have been infected and attacked by the virus, lost data can be recovered from the back-ups. Operating system and application software can be restored from original media. A full low-level disk format should be performed on the infected hard disk prior to restoration procedures. 2. Consider using a commercial utility that can assist in restoration of a disk directory and recovery of data. There are a number of such utilities on the market. Note that these utilities normally must be run prior to data loss to enable disk and file restoration. 3. Avoid setting the system date to 13 October or later until the systems have been checked for virus presence. 4. Attempt to determine if the virus is present in one or more files through one of the following techniques: a. If original file sizes are known, check for increased sizes as noted above. b. Use DEBUG or other utility to scan .COM and .EXE files for the characteristic hexadecimal strings noted earlier. c. Copy all software to an isolated system and set the system date to 13 October or later and run several programs to see if the virus is triggered. If activation occurs, all other systems will require virus identification and removal. d. Use a virus-detection tool to determine if this (or another) virus is present. Commercial products intended to detect or remove various computer viruses are available from several sources. However, these products are not formally reviewed or evaluated; thus, they are not listed here. The decision to use such products is the responsibility of each user or organization. - 30 - ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++A Suggested Readings List for Computer Viruses and Related Problems: Prepared by: John Wack National Institute of Standards and Technology September 22, 1989 ABSTRACT This document provides a list of suggested readings for obtaining information about computer viruses and other related threats to computer security. The primary intended audience is management as well as other technically-oriented individuals who wish to learn more about the nature of computer viruses and techniques that can be used to reduce their potential threat. The suggested readings may range from general discussions on the nature of viruses and related threats, to technical articles which explore the details of various viruses, the mechanisms they attack, and methods for controlling these threats to computer security. BASIC TERMS The following list provides general definitions for basic terms that are commonly used throughout the applicable literature. Some of the terms are relatively new and their definitions are not widely agreed upon, thus they may be used differently elsewhere. Computer Virus: A name for a class of programs that contain software that has been written to cause some form(s) of damage to a computing system's integrity, confidentiality, or availability. Computer viruses typically copy their instructions to other programs; the other programs may continue to copy the instructions to more programs. Depending on the author's motives, the instructions may cause many different forms of damage, such as deleting files or crashing the system. Computer viruses are so named because of their functional similarity to biological viruses, in that they can spread rapidly throughout a system. The term is sometimes used in a general sense to cover many different types of harmful software, such as trojan horses or network worms. Network Worm: A name for a program or command file that uses a computer network as a means for adversely affecting a system's integrity, reliability, or availability. From one system, a network worm may attack a second system by first establishing a network connection with the second system. The worm may then spread to other systems in the same manner. A network worm is similar to a computer virus in that its instructions can cause many different forms of damage. However a worm is generally a self-contained program that spreads to other systems, as opposed to other files. Malicious Software: A general term for computer viruses, network worms, trojan horses, and other software designed to deliberately circumvent established security mechanisms or codes of ethical conduct or both, to adversely affect the confidentiality, integrity, and availability of computer systems and networks. The software may be composed of machine-language executable instructions, or could be in the form of command files. Unauthorized User(s): A user who knowingly uses a system in a non-legitimate manner. The user may or may not be an authorized user of the system. The actions of the user violate established security mechanisms or policies, or codes of ethical conduct, or both. Trojan Horse: A name for a program that disguises its harmful intent by purporting to accomplish some harmless and possibly useful function. For example, a trojan horse program could be advertised as a calculator, but it may actually perform some other function when executed such as modifying files or security mechanisms. A computer virus could be one form of a trojan horse. Back Door: An entry point to a program or system that is hidden or disguised, often created by the software's author for maintenance or other convenience reasons. For example, an operating system's password mechanism may contain a back door such that a certain sequence of control characters may permit access to the system manager account. Once a back door becomes known, it can be used by unauthorized users or malicious software to gain entry and cause damage. Time Bomb, Logic Bomb: Mechanisms used by some examples of malicious software to cause damage after a predetermined event. In the case of a time bomb, the event is a certain system date, whereas for a logic bomb, the event may vary. For example, a computer virus may infect other programs, yet cause no other immediate damage. If the virus contains a time bomb mechanism, the infected programs would routinely check the system date or time and compare it with a preset value. When the actual date or time matches the preset value, the destructive aspects of the virus code would be executed. If the virus contains a logic bomb, the triggering event may be a certain sequence of key strokes, or the value of a counter. Anti-Virus Software: Software designed to detect the occurrence of a virus. Often sold as commercial products, anti-virus programs generally monitor a system's behavior and raise alarms when activity occurs that is typical of certain types of computer viruses. Isolated System: A system that has been specially configured for determining whether applicable programs contain viruses or other types of malicious software. The system is generally disconnected from any computer networks or linked systems, and contains test data or data that can be restored if damaged. The system may use anti-virus or other monitoring software to detect the presence of malicious software. Computer Security: The technological safeguards and management procedures that can be applied to computer hardware, programs, data, and facilities to assure the availability, integrity, and confidentiality of computer based resources and to assure that intended functions are performed without harmful side effects. SUGGESTED READINGS Brenner, Aaron; LAN Security; LAN Magazine, Aug 1989. Bunzel, Rick; Flu Season; Connect, Summer 1988. Cohen, Fred; Computer Viruses, Theory and Experiments; 7th Security Conference, DOD/NBS Sept 1984. Computer Viruses - Proceedings of an Invitational Symposium, Oct 10/11, 1988; Deloitte, Haskins, and Sells; 1989 Denning, Peter J.; Computer Viruses; American Scientist, Vol 76, May-June, 1988. Denning, Peter J.; The Internet Worm; American Scientist, Vol 77, March-April, 1989. Dvorak, John; Virus Wars: A Serious Warning; PC Magazine; Feb 29, 1988. Federal Information Processing Standards Publication 83, Guideline on User Authentication Techniques for Computer Network Access Control; National Bureau of Standards, Sept, 1980. Federal Information Processing Standards Publication 73, Guidelines for Security of Computer Applications; National Bureau of Standards, June, 1980. Federal Information Processing Standards Publication 112, Password Usage; National Bureau of Standards, May, 1985. Federal Information Processing Standards Publication 87, Guidelines for ADP Contingency Planning; National Bureau of Standards, March, 1981. Fiedler, David and Hunter, Bruce M.; Unix System Administration; Hayden Books, 1987 Fitzgerald, Jerry; Business Data Communications: Basic Concepts, Security, and Design; John Wiley and Sons, Inc., 1984 Gasser, Morrie; Building a Secure Computer System; Van Nostrand Reinhold, New York, 1988. Grampp, F. T. and Morris, R. H.; UNIX Operating System Security; AT&T Bell Laboratories Technical Journal, Oct 1984. Highland, Harold J.; From the Editor -- Computer Viruses; Computers & Security; Aug 1987. Longley, Dennis and Shain, Michael; Data and Computer Security McAfee, John; The Virus Cure; Datamation, Feb 15, 1989. NBS Special Publication 500-120; Security of Personal Computer Systems: A Management Guide; National Bureau of Standards, Jan 1985. NIST Special Publication 500-166; Computer Viruses and Related Threats: A Management Guide; National Institute of Standards and Technology, Aug 1989. Parker, T.; Public domain software review: Trojans revisited, CROBOTS, and ATC; Computer Language; April 1987. Schnaidt, Patricia; Fasten Your Safety Belt; LAN Magazine, Oct 1987. Shoch, J. F. and Hupp, J. A.; The Worm Programs: Early Experience with a Distributed Computation; Comm of ACM, Mar 1982. Spafford, Eugene H.; The Internet Worm Program: An Analysis; Purdue Technical Report CSD-TR-823, Nov 28, 1988. Thompson, Ken; Reflections on Trusting Trust (Deliberate Software Bugs); Communications of the ACM, Vol 27, Aug 1984. Tinto, Mario; Computer Viruses: Prevention, Detection, and Treatment; National Computer Security Center C1 Tech. Rpt. C1- 001-89, June 1989. White, Stephen and Chess, David; Coping with Computer Viruses and Related Problems; IBM Research Report RC 14405 (#64367), Jan 1989. Witten, I. H.; Computer (In)security: infiltrating open systems; Abacus (USA) Summer 1987. ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Tuesday, 26 Sep 1989 Volume 2 : Issue 203 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Warning - Mac software NoteWriter infected 123 virus (PC) More Datacrime hoopla, propoganda, and general paranoia re: should we fight fire with fire A book with a long title... centel corp. and viruscan Self Replicating Virus Hunter / Seekers anti-virus software accessibility --------------------------------------------------------------------------- Date: Mon, 25 Sep 89 11:52:57 -0400 From: GATEH%CONNCOLL.BITNET@VMA.CC.CMU.EDU Subject: Warning - Mac software NoteWriter infected Forwarded warning from Info-Mac. (Ken, if this has already appeared in a VIRUS-L digest, please ignore. Apologies to all if this is a duplicate!) - - Gregg TeHennepe gateh@conncoll - --- Forwarded mail from Info-Mac@sumex-aim.stanford.edu Date: Tue, 19 Sep 89 10:46 EDT From: <PJORGENS%COLGATEU.BITNET@forsythe.stanford.edu> (Peter Jorgensen) Subject: WARNING NoteWriter Software Infected! A few words of warning for potential and actual NoteWriter users. We bought two copies of NoteWriter Software and both disks were infected with Scores and nVir. Attempting to install the (copyprotected) software on a Mac II running Vaccine failed, and rendered the original unusable. The backup disk which we ordered was also infected. The publisher has been very unhelpful. Their tech support doesn't know anything about viruses, virus protection programs (like Vaccine) or most of what else we tried to ask them. Peter Jorgensen Microcomputer specialist Colgate University - Hamilton, NY 13346 AppleLink - U0523 BITNET - PJORGENSEN@COLGATEU tel - 315-824-1000 ext 742 - --- End of forwarded message from Info-Mac@sumex-aim.stanford.edu ------------------------------ Date: Mon, 25 Sep 89 18:47:00 -0400 From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU> Subject: 123 virus (PC) for lack of a better name and until/if someone objects with a legitimate reason, i feel the name for the virus targeted at release 3 of lotus 123 should be called 123nhalf since it causes your spreadsheet to be saved exactly one half the size it should be. in any event, an update is in order. we have now discovered that this virus will only, repeat only infect the 123dos.exe file, when running on a machine with a '286 processor. it will not infect the file on a '386 system. we are attempting to determine the exact reason for this strange coincidence. it is felt at the current time that the way a '386 creates virtual machines may have something to do with it. the virus also will not infect files unless there is a minimum of 3 megabytes of extended memory. expanded memory does not matter and does not come into the picture. a scan program is now available which quickly checks the 123dos file in three different locations to determine if the virus is present. a copy is on the way to mr. mcafee of mcafee associates for his observations. hopefully mr. mcafee will post it on homebase so the rest of the readers can benefit from this program. the name of the scan program is 123scan.exe and it should be at mcafee associates bythe end of this week. we have no way of uploading to the mainframe here, so i cannot convert it to a .uue file for transit through the nets. however the program is shareware and will soon be available. for those of you who are not familiar with this virus, it infects the large file named 123dos.exe which is now used in release 3 of lotus 123. there is only one symptom, but that is all this one needs. if your copy of 123dos.exe is infected, no matter what size spreadsheet you create and save, it will only be saved as one half the size. in other words, a 100 x 100 cell spreadsheet will only be saved as a 50 x 50 cell spreadsheet. as you can imagine this can be quite a problem. well, that's it for now! ------------------------------ Date: Mon, 25 Sep 89 19:13:23 -0400 From: dmg@retina.mitre.org (David Gursky) Subject: More Datacrime hoopla, propoganda, and general paranoia. I've just spent the past three hours reading and re-reading various forms of hype about the alleged upcoming attack on October 13 of the Datacrime virus. I would like to make a couple comments about this. First and foremost, there is no doubt in my mind (nor has there ever been any doubt in my mind), that Datacrime is a real virus, causes real problems, and will next strike on October 13 (it is, after-all, a "time-bomb" virus, that activates on specific dates, in this case, Friday the 13ths). I have real doubts however that this virus has made any inroads into the United States beyond the 10 cases John McAfee has cited previously. I suppose it is a good thing that the NoCrime application has been updated to detect a new strain of DataCrime, and that all sorts of other PC-based applications have been updated to detect DataCrime, (as an aside, the people who make "Quarantine" for the MS-DOS called me today to let me know they are sending me a demo copy of their application to beat on, and they made a point to let me know it detects DataCrime!), *however*, all of this does not an epidemic make! Sure people are updating their applications to fight Datacrime; Datacrime is a known virus that uses established infection techniques! It's not that hard (I would imagine) to make the changes to the applications to fight Datacrime. When it all comes down to it, if the desktop computers of the United States were under attack right now by Datacrime (or any of dozens of other viruses), we would be seeing signs of it, and Virus-L would be full of reports of infections. No infections, no virus. Now can everyone please calm down? The sky is not falling. Disclaimer: Dis is soup. Dis is art. Soup. Art. [Apologies to L. Tomlin.] David Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------------------------------ Date: Mon, 25 Sep 89 18:47:00 -0400 From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU> Subject: re: should we fight fire with fire i do not think a new anti-virus is the answer. i think software manufacturers have to take the initiative in the virus war. for instance, the 123scan.exe program which detects the 123nhalf virus, uses the new selftest (tm) module to detect any changes made to the program file after it was compiled. selftest (tm) is not perfect, but what is these days? in any event in three months of testing, a program protected by selftest (tm) has never failed to indicate that a change has been made. selftest (tm) was written by and for shareware authors. it adds just a few seconds to the load time of a program, and detects a change in file length, or bit level changes made to the file. i think it is time that the manufacturers who have raked in the money for years get more involved in the fight against viruses. the opinions expressed in this message are my own. ------------------------------ Date: Mon, 25 Sep 89 19:19:31 -0400 From: dmg@retina.mitre.org (David Gursky) Subject: A book with a long title... John McAfee has just published a book on viruses entitled: "Computer Viruses, Worms, Data Diddlers, Killer Programs, and other Threats To Your System: What The Are, How They Work, and How to Defend Your PC or Mainframe Environment" (By McAfee and Colin Hayes, from St. Martin Press -- $24.95 hardback, $16.95 softback). My questions about the propriety of calling Viruscan "shareware" aside, I've had a copy of the book set aside and I'm picking it up tonight. John's work in this area is well-known, and I anxiously look forward to reading this (but at 350 pp, don't count on hearing any comments from me soon about it!) And would someone from Homebase *please* ask John to make the title of his next book shorter! <Grin> David Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------------------------------ Date: Mon, 25 Sep 89 19:14:00 -0400 From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU> Subject: centel corp. and viruscan in a recent message to this list from david gursky, he made a statement which needs to be corrected. he made the statement "if the author of a package wants to limit the sources from which his or her work is available, fine! but by doing so you forfeit the right to label,your work as shareware!" this is not so. shareware is for the most part copyrighted and mr. mcafee's software does indeed carry a copyright! as the owner of a work which is copyrighted, j. mcafee caN CALL IT SHAREWARE OR ANY OTHER NAME HE DESIRES, EVEN FREEWARE, AND STILL MAINTAIN THE ABSOLUTE RIGHT TO DETERMINE WHO MAY OR MAY NOT DISTRIBUTE HIS COPYRIGHTED WORK! A copyrighted work is the sole property of the holder of the copyright.like it or not, that is the law of the land. until such time a case comes to court, copyrighted shareware remains the property of the copyright holder, who may decide who has the right to distribute such work. the opinions expressed here are my own. ------------------------------ Date: Tue, 26 Sep 89 03:51:38 GMT From: utstat!davids@uunet.UU.NET (David Scollnik) Subject: Self Replicating Virus Hunter / Seekers In a recent posting CZMUREK%DREW.BITNET@VMA.CC.CMU.EDU writes ... % I began to design a virus algorythm that would eventually serve % as the platform for the destruction of other viruses. It's purpose % would be to infect single programs, single disks, or multiple disks in % the first, second and third versions respectively. Before any alarm % sets in here about my intentions, I would like to say that the purpose % here is to aid in the effort to combat these little nasties. I thought many of you might be interested to know that at least one such "utility" has been written and distributed for the Amiga. The one I have heard of is called "System-Z" , which is composed of two parts , namely the System-Z "installer" and the Sys-Z "bootblock". When an Amiga is booted up from a disk containing the Sys-Z bootblock, it announces to the user that it is now present in memory ( until the machine in question is de-powered ) by way of a quick rainbow screen and a short series of musical notes. This program will identify a variety of Amiga specific viruses located in other disk's bootblocks, and allow the user the option of overwriting the bootblock of the infected disk with the Sys-Z bootblock. Apparently it does NOT write itself indiscriminately to other disk's bootblocks, but only when the user selects to do so. Many Amiga users do not consider this to be a virus , but many others do. In fact , at least one Virus Checker / Disinfectant / Obliterator I know of considers it to be a virus , and identifies it as such. The reason many do consider it a virus is the fact that it locates itself in the bootblock. I believe that this "utility" hails from Europe , and might even of been of a commercial nature. Perhaps someone else out there has more info on this creature. I have never actually seen it in action , only seen documentation on it in forums like this and in one Virus Killer's documentation. -- David P.M. Scollnik | UUCP: utstat!davids University of Toronto | bitnet: davids@utstat.utoronto Deptartment of Statistics | arpa: davids@utstat.toronto.edu (hi mom !!!) ------------------------------ Date: Sat, 23 Sep 89 11:11:00 -0400 From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU> Subject: anti-virus software accessibility some universities have no pratical way of allowing students or faculty to download software acquired over the network. this can be a problem for many reasons. i know that homebase exists, however to call there once a week or so to obtain the latest copies of the viral software packages can get to be expensive. does anyone know of any reliable bbs in the new york area which maintains copies of the latest viruscan, etc; programs? if not, i would be willing to make copies and distribute them to anyone who sends a disk and return postage. of course, this is only if mr. mcafee would give his permission, and if i can get clean copies to begin with. ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Tuesday, 26 Sep 1989 Volume 2 : Issue 204 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Administrative announcement Re: Good viruses? New versions of scanv and scanres (PC) IBM Virus (from EXPERT-L list) (PC) Re: Copyrights and shareware... Security procedures on LANs re: 123 virus (PC) re: More Datacrime hoopla, propoganda, and general paranoia re: datacrime & fdisk (PC) preventing virus attacks (PC) --------------------------------------------------------------------------- Date: Tue, 26 Sep 89 07:00:00 From: krvw@sei.cmu.edu (Kenneth R. van Wyk) Subject: Administrative announcement It seems like just yesterday that I took a vacation and VIRUS-L was down for a week... Well, it's going to happen again. This time I'll be in Hawaii for two weeks on my honeymoon, far away from any computer and very much out of SkyPager range. I'll be leaving Friday, October 6 and returning on Monday, October 23. During this time, no VIRUS-L digests or comp.virus articles will be distributed. However, feel free to send in messages for subsequent posting upon my return. Also, VALERT-L will remain active and (as always) unmoderated, but is to be used for VIRUS WARNINGS ONLY (violators will face my wrath when I get back :-). Also as always, the CERT can be contacted via cert@SEI.CMU.EDU or (412) 268-7090 (24 hour hotline) for Internet security issues. Sorry about any inconvenience. Things will return to their normal (hectic) pace when I get back. Ken van Wyk ------------------------------ Date: Tue, 26 Sep 89 07:38:39 -0400 From: dmg@retina.mitre.org (David Gursky) Subject: Re: Good viruses? A good virus is an oxymoron. All a potential attacker would do is take the infector code and transplant a logic-bomb or time-bomb code to it. This does raise an interesting question though for health checks. Suppose a company has stringent rules about protecting desktop computers from viruses. How do you go about ensuring the rules are being followed? One thought I had was the user of "Tiger Teams". What this Tiger Team would do is work at night and attempt to infect some of the corporation's desktop computers with a "benign" virus (one that produces a warning message, but takes no malicous action, akin to the MacMag virus). The Tiger Team would operate under strict supervision, and a computer that was successfully penetrated would be "quarantined" until the following day. The next day, the user would get a visit from the Computer Center folks and get a nice (or not so nice; depending on how often in the past the user had been successfully "attacked" by the Tiger Team) lecture on anti-virus methods. Obviously, the virus would have to be carefully controlled. The disks would have to be kept under lock and key when not in use, and under supervision when in use. Comments? David Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------------------------------ Date: Tue, 26 Sep 89 07:14:43 -0500 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: New versions of scanv and scanres (PC) Recent updates, hot off the presses! scanv38.arc Update to replace previous versions of viruscan. Note that the documentation has an incorrect version number in it. This is how the archive was released. (The updates have been fast and furious, so it's understandable.) Also note that the size of the executable is larger than what John McAfee promised it would always be. I guess when he said "always", he didn't forsee the number of revisions of the program he'd be releasing. Executable is version 0.5v38. scanres8.arc Update to replace previous versions of scanres. It is possible that the previous version I sent was identical to an even more previous version I sent. In any case, this one's NEW. :-) Again, note that the docs and the program disagree on version number. Executable is version 0.8v38. SCANV38.ARC Scans hard drives and reports viruses found. SCANRES8.ARC Resident program scans progs for viruses before executing. Jim ------------------------------ Date: Thu, 21 Sep 89 20:38:00 -0400 From: Ken Hoover <consp21@bingvaxu.cc.binghamton.edu> Subject: IBM Virus (from EXPERT-L list) (PC) [Ed. This message was forwarded from the BITNET mailing list, EXPERT-L.] Original-Date: Mon, 18 Sep 89 17:38:00 EDT Original-From: Sanjay Hiranandani <GDO@CRNLVAX5.BITNET> On Friday morning at 8:00 AM, I came into the Sibley facility, sat down at IBM #18, and invoked Foxbase. Instead of the familiar welcome screen, the machine hung. Other pieces of software throughout in the facility had recently quit working for no apparent reason. Gregg said "I think there might be a virus here," (or words to that effect); from that time to now, Gregg and I have spent most of our waking hours trying to figure this out. This comes at a specially bad time for Gregg because he's in the middle of training new operators and so on. Here is a brief summary of what is now known about the virus: 1. Approximately seven of the Sibley facility's IBM PS/2's have been found to be infected with a highly contagious IBM virus "time bomb". Gregg and I have developed a reliable test for the program and will soon complete its eradication from the facility. Some users' personal applications and disks, however, are probably infected. 2. The DMPC program (disk manager) which is intended to restrict users from copying or deleting our software, is effective in protecting programs from being corrupted -- but only for those programs for which DMPC has been properly configured to monitor. 3. The virus rewrites *.EXE and *.COM files with many changes including the virus code itself. In most cases, these changes are tolerated by the program and it continues to work. In the case of Word Perfect (WP.EXE) and Foxbase (FOXPLUS.EXE), the changes make the program completely nonfunctional. In other programs, small difference are noticed: small rectangles of the screen display may get misplaced, for example. 4. An infected *.EXE file can be recognized by the hex string 10078419C5, a five byte string which apparently takes over the 21st through 25th bytes near the beginning of the file. This is not the only change, but it is a consistent one. Infected copies of WP.EXE, FOXPLUS.EXE, APL.EXE, ED.EXE, NU.EXE, etc., etc., all had this same string in the exact same location. No uninfected software had this string anywhere. Uninfected IBM's had no sign of this string anywhere on their hard disks. 5. This same string also occurs in what appears to be the virus code itself, which is written to the "slack area" of *.EXE files between the end-of-file and the end of the file's actual allocated disk space. Often, maybe always, the end-of-file marker is overwritten. Secondly, a certain fixed distance after the occurence of 10078419C5 is the ascii text "COMMAND.COM", a further clue for identifying this virus. 6. Files modified by the virus show NO SIGN AT ALL of any change to the DOS directory command. The number of bytes and the date and time of last modification are unchanged, when in fact a file is infected. 7. When a file is fragmented on the disk, individual fragments may become separately infected. 8. Setting a file's attributes to "read-only" or "hidden" does NOT protect it. 9. Setting the write protect tab on a diskette appears to protect diskettes in the 3.5" drives at Sibley. Executing a program from a locked 3.5" diskette on an infected machine generates a "Write protect error writing drive A" message. The program on the diskette remains uninfected. 10. When an infected machine's internal clock-calendar is changed to register a date of 10-13-89 (Friday the 13th), all *.EXE and *.COM files will DELETE themselves when a user tries to execute them (for example, if a user types WP, for WordPerfect, the WP.EXE file would be deleted, and the message "Bad command or file name" would be displayed on the screen). This condition applies when the system date is 10-13-89, but not 10-12-89 or 10-14-89 (we speculate that it may apply to every Friday the 13th, but this has not been tested). Attempts to execute a program from an unlocked diskette will cause the deletion of the program, regardless of whether it was previously infected. The virus deletes programs in a normal fashion, and these files are probably recoverable. Of course, all these recoverable files are infected anyway, and not really worth recovering (unless the virus begins to kill data files as well). 11. When the system date is 10-13-89, the virus attempts to delete DMPC-protected software (the warning bleep sounds), but fails. Such programs continue to work even on machines heavily infected with non-DMPC protected software. 12. After working all day Friday fighting this virus, I spoke with my girlfriend, who had heard something on National Public Radio about a virus which becomes active on October 13. In the meantime, Gregg heard a rumor about an October 12th virus. From a friend in Michigan, I heard about an October 12th virus which supposedly would attach itself to *.COM files and disable the hard disk by overwriting track 0. I don't know whether these other reports are of the same exact virus (with a few wrong facts), or whether there is some national "collective action" to write lots of different viruses which all spring into view on the same day or so. (I incline toward the first view, Gregg toward the second). Please let me know if I can be of any further assistance in getting rid of this thing. Larry Kestenbaum, Sibley PTOP Gregg Cirielli, SIbley FTOP ------------------------------ Date: Tue, 26 Sep 89 09:20:16 -0400 From: dmg@retina.mitre.org (David Gursky) Subject: Re: Copyrights and shareware... In Virus-L Digest V2 #203, an anonymous author (IA9600 -- <IA96%PACE.BITNET@VMA.CC.CMU.EDU>) writes: this is not so. shareware is for the most part copyrighted and mr. mcafee's software does indeed carry a copyright! as the owner of a work which is copyrighted, j. mcafee caN CALL IT SHAREWARE OR ANY OTHER NAME HE DESIRES, EVEN FREEWARE, AND STILL MAINTAIN THE ABSOLUTE RIGHT TO DETERMINE WHO MAY OR MAY NOT DISTRIBUTE HIS COPYRIGHTED WORK! A copyrighted work is the sole property of the holder of the copyright.like it or not, that is the law of the land. until such time a case comes to court, copyrighted shareware remains the property of the copyright holder, who may decide who has the right to distribute such work. - ----- I do not contest that the author of a computer application (especially a copyrighted application) is entitled to set whatever conditions they want on the use or distribution of their work, and I have stated so before. But this is a different issue than whether such an application qualifies as "Shareware", "Freeware", etc. Shareware has a specific meaning: software (copyrighted or otherwise) that is distributed outside of commercial channels, that is paid for if the user decides to use it. Freeware is a subset of this; the cost of a freeware application is zero. Nowhere in this definition is there a prohibition of the distribution of copyrighted software! Any author is welcome to put whatever restrictions they want on their work, no question about it. When those restrictions go beyond a certain point, they author cannot fairly call their work Shareware, IMO. This is getting/has gotten outside of the scope of Virus-L. If individuals wish to send me e-mail about it, fine. Otherwise I consider the subject closed. ------------------------------ Date: Tue, 26 Sep 89 10:04:00 -0400 From: "No trouble, please" <BARGERK%UNCG.BITNET@VMA.CC.CMU.EDU> Subject: Security procedures on LANs Here at the University of NC at Greensboro, we have taken the step of putting all of our network login software on notchless diskettes. This means that nothing can be writtien to this diskette, and nothing can be written to the network itself (except to personal account areas). So, any viruses that someone brings in are confined to his/her own diskettes. It also saves us from the thankless task of going through everything periodically and erasing files users have left on our disks! [Ed. That is the same setup that we used at Lehigh University. It seemed to work pretty well but you still have to trust the security of the network OS (Lehigh uses Novell) and the physical security of the file servers. What are other LANned sites doing to address this (on PCs and on Macs)?] Kyle Barger UNCG Student & Academic Computer Center Part-Time Employee BARGERK@UNCG.BITNET DISCLAIMER: these are my opinions; not neccessarily those of UNCG ------------------------------ Date: 26 Sep 89 00:00:00 +0000 From: David.M..Chess.CHESS@YKTVMV Subject: re: 123 virus (PC) Not sure I entirely understand this; if the virus infects -only- 123DOS.EXE, how did you get it? How would it spread? (Why, that is, would an infected copy of 123DOS.EXE ever find itself running with access to an uninfected copy; why would there ever be two different copies of the file on the same machine?) DC ------------------------------ Date: 26 Sep 89 00:00:00 +0000 From: David.M..Chess.CHESS@YKTVMV Subject: re: More Datacrime hoopla, propoganda, and general paranoia. > (it is, after-all, a "time-bomb" virus, that activates on specific > dates, in this case, Friday the 13ths). No, no! The DataCrime viruses activate whenever the date is October 13th -or later-; no Friday-check. (Sorry to pick on you, but people keep getting this wrong! Other points are well taken.) DC ------------------------------ Date: Tue, 26 Sep 89 10:16:50 -0400 From: "A.R. PRUSS" <2014_5001@uwovax.uwo.ca>, 2014_5001@uwovax.uwo.ca Subject: re: datacrime & fdisk (PC) re: datacrime & fdisk (PC) In article <0005.8909251230.AA29228@ge.sei.cmu.edu>, MATHRICH@UMCVMB.BITNET (Ri ch Winkel UMC Math Department) writes: >>From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU> >>if you use fdisk to create a dummy partition of lets says 2 >>cylinders and then create a second normal active dos partition >>will this prevent the virus from destroying track zero? > > It depends on how it accesses the disk. If it uses bios calls (INT > 13H), it will still attack physical cyl 0 on the disk. If it uses the > [correct info deleted to conserve space] Is it not simpler to back the FAT/boot sectors up to floppy and then restore them? You can use Norton Utilities Advanced for that, or a quick little utility that I will release within a week. What I would like to know, however is whether just rewriting the boot and FAT sectors will be sufficient? Alexander Pruss, at one of: Department of Applied Mathematics, Astronomy, Mathematics, or Physics University of Western Ontario pruss@uwovax.uwo.ca pruss@uwovax.BITNET A5001@nve.uwo.ca ------------------------------ Date: 26 Sep 89 17:06:57 +0000 From: usenet@saturn.ucsc.edu (Usenet News Account) Subject: preventing virus attacks (PC) subject mentioned, so here goes (with a dumb idea). Will changeing a file attribute to READ ONLY stop or slow down a virus? What about write locking a whole Directory? Does hiding a file or directory have any effect??? I'm guessing that a virus will disregard any attribute settings. -ted- ted@helios.ucsc.edu From: ted@helios (Ted Cantrall) Path: helios!ted ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Wednesday, 27 Sep 1989 Volume 2 : Issue 205 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: Is this a virus? (PC) Anti-virus virus re: IBM Virus (from EXPERT-L list) (PC) LAN boot disks. (PC) ACS Demo - is it a virus? (Apple) Information wanted about Selftest (tm) notchless disks (PC) Atari ST VIRUS ALERT!! Lotus Virus Re: IBM Virus (from EXPERT-L list) (PC) Tiger Teams Re: Software company distributing viruses (PC) Tiger Teams & Viruses Disk Killer Virus (PC) Re: SCANV38 (PC) --------------------------------------------------------------------------- Date: 26 Sep 89 16:13:44 +0000 From: carroll1!dnewton@uunet.UU.NET (Dave Newton) Subject: Re: Is this a virus? (PC) In article <0008.8909251230.AA29228@ge.sei.cmu.edu> Christoph.Fischer.RY15@DKAU NI11 writes: >Hi, > we just had an inquiery about 4 strange files that appeared on a >Microsoft WORD installation. All 4 files are hidden system and readonly. > >The file MWA is text and contains: > >Copyright 1984 by Microsoft >Word Freedom Fighters: [names deleted] >Charles Simonyi ^^^^^^^^^^^^^^^ I only recognize this name as being a guy who worked/works at microsoft, he was profiled in the microsoft press book _Porgrammers at Work_. Plus it's pretty unlikely that microsoft would copyright a virus. Of course, it could just be a ruse... David L. Newton | dnewton@carroll1.UUCP | Quote courtesy of (414) 524-7343 (work) | dnewton@carroll1.cc.edu | Marie Niechwiadowicz, (414) 524-6809 (home) | 100 NE Ave, Waukesha, WI 53186 | Boston College. [Q]: How many surrealists does it take to screw in a light bulb? [A]: The fish. ------------------------------ Date: 26 Sep 89 16:40:00 +0000 From: carroll1!dnewton@uunet.UU.NET (Dave Newton) Subject: Anti-virus virus One of the arguments raised against AVV's is the possible escalation of of viral warfare. It seems to me that this has already happened with the vaccine programs. I'd be almost certain that most virus writers will try to circumvent detection by writing (perhaps) a self-modifying virus, or a resident virus that will attempt to detect detection. If any comp.virus readers have read any of William Gibson's "Cyperpunk" novels, in which software protection (ICE) is handled by AI, the concept of AVV's will be nothing new. From a technological standpoint, they provide an interesting challenge, both for the virus writer and anti-virus virus writer. David L. Newton | dnewton@carroll1.UUCP | Quote courtesy of (414) 524-7343 (work) | dnewton@carroll1.cc.edu | Marie Niechwiadowicz, (414) 524-6809 (home) | 100 NE Ave, Waukesha, WI 53186 | Boston College. [Q]: How many surrealists does it take to screw in a light bulb? [A]: The fish. ------------------------------ Date: 26 Sep 89 00:00:00 +0000 From: David.M..Chess.CHESS@YKTVMV Subject: re: IBM Virus (from EXPERT-L list) (PC) Sounds basically like the Jerusalem Virus; in particular, the little signature string given occurs in the JV. Not sure why they aren't seeing files change in size when they're infected. Perhaps the fact that a file gets infected when it executes (rather than when the original infected file executes) is causing confusion. The multiple infections that they're seeing (and attributing to disk fragmentation) are also characteristic of the JV. Or, of course, it could be some Brand New nasty... DC ------------------------------ Date: Tue, 26 Sep 89 14:39:00 -0500 From: Reality is not an Industry Standard <PETERSON@LIUVAX.BITNET> Subject: LAN boot disks. (PC) If your LAN o/s and cards support the function - try auto boot roms. We run Novell nets with various cards that all autoboot from a server. (Novell 2.1x allows you to have multiple boot files for different pcs) This method keeps the boot code very safe, allows for global changes, and the students just need a blank formatted disk. In addition, any new software gets installed from an account that does *not* have supervisor's (operator) status - one dept. forund that out the hard way. J. Peterson/Sys Eng LIU-Southampton PETERSON@LIUVAX.BITNET ------------------------------ Date: 26 Sep 89 18:22:15 +0000 From: carroll1!dtroup@uunet.UU.NET (Dave Troup) Subject: ACS Demo - is it a virus? (Apple) I was just looking at the disk (just unpacked) of the ACS Demo. Should the Catalog of the disk be : WHAT ARE.YOU LOOKING FOR END OF DATA ] Im just a little leary, someone wanna check on this for me. thanks... "We got computers, we're tapping phone lines, knowin' that ain't allowed" _______ _______________ |David C. Troup / Surf Rat _______)(______ | |dtroup@carroll1.cc.edu : mail _______________________________|414-524-6809______________________________ ------------------------------ Date: Tue, 26 Sep 89 14:27:35 -0400 From: wayner@svax.cs.cornell.edu (Peter Wayner) Subject: Information wanted about Selftest (tm) Someone recently mentioned a shareware product called "selftest." Can anyone provide me with any information about how to find the selftest program or perhaps something about its design? Thank you, Peter Wayner (wayner@cs.cornell.edu) ------------------------------ Date: Tue, 26 Sep 89 15:15:38 -0400 From: Marcus J. Ranum <mjr@cthulhu.welch.jhu.edu> Subject: notchless disks (PC) Don't let notchless disks give you a sense of false confidence! I have a drive on my system at home with the notch detect jumpered off on one of the drives from when I used to be a student at a place where they used exactly the protection scheme you describe. - --mjr(); ------------------------------ Date: Tue, 26 Sep 89 13:23:00 -0500 From: Holly Lee Stowe <IHLS400%INDYCMS.BITNET@VMA.CC.CMU.EDU> Subject: Atari ST VIRUS ALERT!! At least 2 instances of the "Key" virus have been found on ORIGINAL WordUp 2.0 disks from Neocept for the Atari ST and Mega computers. If you have WordUp 2.0, please use Virus Killer 2.2 or some other virus checking program to check your disks! Holly Lee Stowe, Faculty/Staff Consulting ....................................................................... He has all the subtlety and wit of a speed bump. - paraphrased from Oleg Kisilev in alt.flame +---------------------------------------------------------------------+ | @@@ @@@ @@@ @@@@@@@@@ @@@ @@@ @@@ Holly Lee Stowe | | @@@ @@@ @@@ @@@ @@@ @@@ @@@ @@@ Bitnet: IHLS400@INDYCMS | | @@@ @@@ @@@ @@@@@@@@@ @@@ @@@ @@@ IUPUI Computing Services | | @@@ @@@@@@@@ @@@ @@@@@@@@ @@@ 799 West Michigan Street | | Indiana U. - Purdue U. at Indianapolis Indianapolis, IN 46202 | +---------------------------------------------------------------------+ ------------------------------ Date: Tue, 26 Sep 89 13:50:23 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: Lotus Virus The new Lotus 123 virus is being turned over to Lotus Corp (a CVIA member) for analysis and disassembly. It is imbedded in an 800K EXE file and no-one other than Lotus was willing to attempt a disassembly. The CVIA will publish results as soon as we get them. Alan ------------------------------ Date: Tue, 26 Sep 89 16:16:10 -0400 From: Chris Haller <CJH@CORNELLA.cit.cornell.edu> Subject: Re: IBM Virus (from EXPERT-L list) (PC) >From: Ken Hoover <consp21@bingvaxu.cc.binghamton.edu> >Subject: IBM Virus (from EXPERT-L list) (PC) > >Original-Date: Mon, 18 Sep 89 17:38:00 EDT >Original-From: Sanjay Hiranandani <GDO@CRNLVAX5.BITNET> > [text omitted] Oh well, I was considering writing to VIRUS-L about this anyway, and this posting precipitates a response. Here is the current situation about the virus that showed up at Sibley Hall at Cornell University. John McAfee's VIRUSCAN v36 identified this virus as Jerusalem B, and its appearance and behavior correspond with this identification, AS FAR AS I KNOW. (Would some kind soul please send me a type description of "Jerusalem B" so I can verify the identification more completely? I think this is the version of the Israeli that attacks both .COM and .EXE files on both floppy and hard disks, that was modified (probably in the U.S.) to be less obtrusive, and that WordPerfect and FoxBase catch in the act because they detect its alteration of their file.) We are using UNVIRUS, which we retrieved from the archive at Kansas State, to clean up. Incidentally, we find VIRUSCAN and SCANRES very useful and intend to ask Mr. McAfee about site licensing arrangements for Cornell University. (That's why we haven't sent in our shareware fees yet! Most of us on the staff here won't use software without paying for it, except preliminarily.) However, do not let this kind of endorsement of one person's (or group's) efforts deter those of you who are writing other protective software. No single program, indeed no single way of addressing the problem, will be sufficient to protect a diverse computing community like this from the threat of viruses. This semester we may recommend SCANRES, but we are counting on there still being a lot of people using FLU_SHOT+ here, and next semester we may recommend something else, or a newer version of FLU_SHOT, or a program that checks CRC polynomials to detect altered files or disk sectors. The idea is that in a large and diverse community like a major university, a virus may get started locally but it won't get very far before it sets off an alarm on someone's system. If everyone using PC's were using the same kind of protection, a virus written to evade that particular protection would spread farther. This is not a new idea, it's one I learned from reading this list! Thank you all. - -Chris Haller, Research and Analysis Systems, Cornell University BITNET: <CJH@CORNELLA> Internet: <CJH@CornellA.CIT.Cornell.edu> Acknowledge-To: <CJH@CORNELLA> ------------------------------ Date: Tue, 26 Sep 89 18:12:26 -0400 From: Steve <XRAYSROK%SBCCVM.BITNET@VMA.CC.CMU.EDU> Subject: Tiger Teams Maybe I just don't understand, but I personally think the "Tiger Team" idea put forth (by David Gursky) on this list is a little ridiculous because: 1) Most viruses are not spread by someone sneaking in at night and against your wishes copying something onto your computer. Rather, they are usually spread voluntarily (but unknowingly) by the user exposing the computer to foreign contaminated disks or programs. If I always (almost always anyway) operate within a closed system, how is letting someone *tamper* with my computer going to help me? I'd feel much safer just scanning for known viruses, which brings up the next point. 2) What corporation (or employee for that matter) is willing to take the risk of letting someone (outsiders or corporation employees) *tamper* with the computers which the company (and the employee) depends upon, especially when proper operating procedures (regular backups, etc.) will offer you very good protection? 3) Can you guarantee that the "Team" will not do damage? No, you cannot. And if they are introducing live viruses, we already know that no one can guarantee that the viruses will be benign in every situation (as has been discussed many times by others on this list), or that they will not get away. Acknowledge-To: <XRAYSROK@SBCCVM> ------------------------------ Date: 26 Sep 89 21:43:51 +0000 From: chinet!ignatz@att.att.com Subject: Re: Software company distributing viruses (PC) In article <0007.8909251241.AA29279@ge.sei.cmu.edu> bnr-di!borynec@watmath.waterloo.edu (James Borynec) writes: >Software companies may be the largest source of virus contamination >around. After all, they send disks everywhere and no one worries >about 'shrink wrap' software being 'unclean'. I have only been hit by >two viruses - both came from software companies - one of which was >Texas Instruments. The guy in the office next door was hit by a copy >of a virus on his (shrink wrap) copy of WordPerfect. I think it is >shocking that people are told just to watch out for viruses when >engaged in software 'swapping'. Everyone should regard EVERY disk >that enters their machine with suspicion. It's probably been mentioned before, but it can't hurt to repeat. Some software houses--especially discount stores--have a very liberal return policy. Unfortunately, it seems that shrinkwrap equipment is neither very expensive nor difficult to obtain, and some stores will accept such returned software, repackage and re-shrinkwrap it, and return it to the store shelf. Thus, you really can't be certain that the sealed shrink-wrap you bought *hasn't* been tampered with at some point along the line. It really is starting to look like either there will have to be tamper-proof shrinkwrap (as resulted from the Tylenol disaster in the OTC consumer market), or a general practice of scanning *any* purchased software for contamination... Dave Ihnat ignatz@homebru.chi.il.us (preferred return address) ignatz@chinet.chi.il.us ------------------------------ Date: Tue, 26 Sep 89 20:24:00 -0500 From: <CTDONATH%SUNRISE.BITNET@VMA.CC.CMU.EDU> Subject: Tiger Teams & Viruses Someone has suggested that "Tiger Teams" use (as one of their tests) viruses. A "controlled" atmosphere is suggested. Like the idea of an anti-virus virus, this usage may run out of control and cause more damage than expected. If the tiger team fails to exterminate ALL copies of the virus (which is very likely in the chaotic user environment), there is the possibility of virus parinoia (i.e. lawsuits), files that grow in size for no good reason (very dangerous when a disk is full or nearly so [programs abend or refuse to run]), and the possibility of lost data thru virus malfunctions. Another problem is the nature of a tiger team using a virus: the virus would be released in a (probably) unsuspecting work area. The presence of strangers insisting on checking every disk that leaves the area (and don't forget the problem of LANs and file transfers) would cause chaos. Remember, a "good" virus used for a "good" purpose would have to be working perfectly. And we all know how programs work perfectly under all conditions all the time :-) ------------------------------ Date: Tue, 26 Sep 89 18:50:40 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: Disk Killer Virus (PC) The CVIA has isolated the "Disk Killer" virus after 6 months of work and over three dozen reports. The virus activates after a random time period which varies from a few days to a few months, and when it activates, it performs a low level format of the hard disk - thereby destroying itself along with everything else. As it formats, it displays the message - "Disk Killer -- Version 1.00 by COMPUTER OGRE. Don't turn off the power or remove the diskettes while Disk Killer is processing. I wish you luck." The first organization to report this virus was Birchwood systems in San Jose in early Summer. Additional reports were received from Washington, Oklahoma, Minnesota and Arizona. We finally isolated it at Wedge Systems in Milpitas California and discovered that it is a boot sector infector that infects hard disks and floppies. The internal messages do not appear in sector zero, but are stored in sector 152 on floppy disks and an as yet undetermined location on hard disks. This had always added to the confusion over the virus because message remnants were sometimes discovered in the middle of executable files, and it was assumed that the virus was a COM or EXE infector. The virus appears to be very widespread and everyone should watch out for it. If your boot sector does not contain the standard DOS error messages, then immediately power down and clean out the boot. (Infected boot sectors begin with FAEB). This is a nasty virus and should be treated cautiously. ViruScan V39 identifies the virus, but it will not be posted till the 29th due to major revisions in SCAN's architecture for version 39. Alan ------------------------------ Date: 26 Sep 89 15:30:08 +0000 From: bnr-fos!bmers58!mlord@watmath.waterloo.edu (Mark Lord) Subject: Re: SCANV38 (PC) In article <0012.8909251241.AA29279@ge.sei.cmu.edu> portal!cup.portal.com!Alan_ J_Roberts@Sun.COM writes: >ViruScan V38 is out and has been sent to Compuserve and the >comp.binary sites. This version identifies the MIX1, the New Ping ViruScan V37 was recently uploaded to SIMTEL20, and a question about it's authenticity has been posted to one of the .ibm.pc newsgroups. Apparently the length of the SCAN program is 34 bytes longer than the constant (??) length that the author said would be preserved for all versions. Is this a valid copy, or might it have a little parasite attached ? - -Mark ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Thursday, 28 Sep 1989 Volume 2 : Issue 206 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Cookie (monster) virus (PC) viruses in anti-virals Tiger Teams Re: Preventing virus attacks (PC) Anti-virus viruses Hyperspace virus ? (PC) Final word on Centel Corp and Viruscan Viruses in Commercial Software Re: October 12/13 (PC) Compiled list of viruses... Anti-viral hard disk controllers Review of NIST anti-virus paper... Anti-virus Virus Columbus Day Virus attacks the military? Tiger Teams (Was Re: Good viruses?) Virus signatures --------------------------------------------------------------------------- Date: 27 Sep 89 12:56:00 +0200 From: Antonio-Paulo Ubieto Artur <hiscont@cc.unizar.es> Subject: Cookie (monster) virus (PC) I haven't yet got VIRUS-L Digests #197 to #199. It seems that my contributions about the "Cookie virus" was included in one of these. Just after receiving some kind postings about this item, I found on the French magazine "Soft & Micro" (september 1989, p. 156) a description and a photo of the "Sesame Street virus". The described version seems to be old, the virus is said to have been one of the first virus around in some American colleges. No harm is described: the only requirement was to write "cookie" when the text "I want a cookie !" appeared on the screen. Incidentally, on the photo, the virus appears on a dBASEIII screen, not on a word-processing program. I have to apologize. I described what seems to be a Spanish hack - -or at least translation- of the "Sesame Street virus" or "Cookie monster virus". This version seems to be more violent, as there were lost files due to this virus. I insist: I haven't yet seen this virus, neither has it caused any damage -as far as I know- at my University. But if there is something I awfully hate in computing is to loose data and having to rekey them again. Therefore my contribution was more intended as a warning message. If someone out there avoids only one of this loosings by "giving a cookie", I thing it was worth the effort. Of course, any preventive or removal method against this virus would be appreciated. As it was said in one recent VIRUS-L Digest, "the best virus is the dead one". And my colleagues here at the University -some of them recently threathened by the "Friday-13 virus" (sUMsDos variant)- would also have a little more peace of mind. Thank you very much. Antonio-P. Ubieto. Department of Modern and Contemporary History. Zaragoza University (Zaragoza, Spain - Europe). hiscont@cc.unizar.es ------------------------------ Date: 27 Sep 89 12:38:00 +0700 From: "Okay S J" <okay@tafs.mitre.org> Subject: viruses in anti-virals In VIRUS-L.V2NO201 David Gursky(DMG@LID.MITRE.ORG) >Let me take this one step further. Anti-virus applications (IMO) make >a poor carrier for a virus. In order for a virus to succeed, it must >go undetected. This means that prior to the activation of the virus' >logic-bomb or time-bomb, it cannot interfere with the normal operation >of the computer or the applications in use on the computer. To do so >greatly improves the chances the virus will be discovered (to wit, the >Jerusalem virus). If we work under the assumption that when a user >acquires an anti-virus application, they actually use it (in fact we >must work under this rule; otherwise the virus would not spread), the >virus necessarily undergoes an increased chance of detection because >an application is running that looks for viruses! The only problem with this is that with a virus or other destructive program masking itself as an anti-viral, you would think that the person would have ripped the detection code out for the particular virus he is trying to spread, or just chopped it out altogether. It would be kind of funny to have a virus you are trying to spread zapped by its own carrier! :). But then again, some criminals can be pretty stupid....(which is all any of us can really hope for) ----Steve Stephen Okay Technical Aide, The MITRE Corporation x6737 OKAY@TAFS.MITRE.ORG/m20836@mwvm.mitre.org ------------------------------ Date: Wed, 27 Sep 89 09:05:57 -0400 From: Joe McMahon <XRJDM%SCFVM.BITNET@VMA.CC.CMU.EDU> Subject: Tiger Teams Dave Gursky asked about the tiger team approach. It depends on several things: - - Is the computer in question a computer which belongs to the installation, or one which belongs to the person? - - Is the virus completely self-limiting (i.e., if the date becomes anything other that the date of infection, the virus removes itself? - - Is the company willing to risk destroying this user's files and possibly wasting large amounts of time and money to replace them? Apple's statement on Mac viruses is that you should never trust a once-infected file, even if it is "cleaned up". I tend to side with that approach. I know that if I had been following procedures, and some expletive-deleted from Security futzed around with my machine behind my back, I'd be angry. Especially if it trashed my files. --- Joe M. ------------------------------ Date: Wed, 27 Sep 89 13:40:46 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Preventing virus attacks (PC) > Will changeing a file attribute to READ ONLY stop or slow down a virus? > What about write locking a whole Directory? > Does hiding a file or directory have any effect??? This is a very common question, but in general the answer is NO. Boot sector viruses are of course not affected by the read-only protection, since they do not infect files. Some viruses can be stopped my making program files read-only, but right now I can only think of two such viruses: South African "Friday 13." (and the related VIRUS-B) Lehigh However, those two viruses are very rare. The rest of the PC viruses remove the read-only attribute from files, before infecting them. Most of them restore it later ("Icelandic" does not). So - making files read-only will not provide any protection from viruses like: Jerusalem (Israeli Friday 13.) and relatives (Fu Manchu) Vienna (DOS-62) Traceback DataCrime Icelandic and relatives (MIX1 and Saratoga) The main use of read-only protecting .EXE and .COM files is really to protect the user from his own mistakes. Hiding a file is equally ineffective. --- frisk ------------------------------ Date: Wed, 27 Sep 89 14:25:25 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Anti-virus viruses I have been following the anti-virus-virus discussion with some interest, but I have not yet seen anybody mention the fact that one such virus already exists. The virus is the "Den Zuk" (Translation: The Search) virus, which was written to fight the Brain virus. When this virus finds a Brain-infected diskette, it removes Brain and puts a copy of itself in place. It also looks for old versions of itself and "upgrades" them if necessary. The virus resides on track 40 on diskettes (normally 360K diskettes only have tracks numbered 0-39), and thus takes up no usable space. So far, so good. However - this virus also demonstrates what can (and will) go wrong with anti-virus-viruses. The programmer did not anticipate 1.2M or 3.5" diskettes. When the virus infects a disk of that type, it will destroy data. Also, several "hacked" versions of this virus have been reported, including one that will disable the SYS command and destroy all data on drive C: on September 13. 1991. (One more of those "Friday the 13th viruses. Why can't virus writers have a little more imagination :-) ) So - the conclusion is simple: "The only good virus is a dead one." ---- frisk ------------------------------ Date: Wed, 27 Sep 89 14:39:45 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Hyperspace virus ? (PC) Has anybody heard of a virus or trojan that will produce the following effect ? Suddenly the computer will switch to graphic mode, and dots will appear, coming from the center of the screen, going faster and faster. Then a flash of light will appear on the screen, followed by the text "Welcome to HYPERSPACE" Finnally the computer will svitch back to text mode, and everything will be back to normal. I have not seen this, only heard of it. --- frisk ------------------------------ Date: Wed, 27 Sep 89 10:51:56 -0400 From: KARYN@NSSDCA.GSFC.NASA.GOV Subject: Final word on Centel Corp and Viruscan I decided to look into this Centel Corporation problem. As they are situated just down the street, I called their office, and they sent me the information alluded to in the Washington Post article. I received a license agreement and a letter sent to various businesses addressed to "Security Colleague". Centel does not seem to be distributing Viruscan. The second paragraph of the Preamble of the License agreement is: In response to this threat [referring to DATACRIME viruses] Centel Federal Systems, in conjunction with American Computer Security Industries, Inc. ("ACSI"), has developed certain scanning software ("VCHECKER") that is capable of detecting certain forms of the virus, and is offering that software to computer users for a nominal handling fee of $25.00. It is presently believed that VCHECKER is capable of detecting two of the unknown number of strains of the virus that are in existence. However, because of the unpredictability of the virus and its various strains, and because of the many uncertainties surrounding its propagation and detection, neither Centel Federal nor ACSI is able to warrant that VCHECKER software will succeed in detecting the virus as it may exist in any particular computer system. Users of VCHECKER should also understand that VCHECKER is designed only to detect the possible existence of the virus, and that removal of the virus from a particular computer system, or repair of any damage that the virus may cause, is the responsibility of the user. An excerpted paragraph of the distribution letter follows: ...One company, ASCI, has developed a program called VCHECKER that looks for the known signatures of what they call the Columbus Day Virus... It seems to me that ASCI got its hands on the DATACRIME signatures that John McAfee distributed and wrote a program to check computers for it, and decided to sell it. Hopefully this will stop all the hoopla about this subject and clean up Centel Corp's reputation. I hate to see reputations ruined over misunderstandings. Standard Disclaimer: I am in no way affilliated with Centel Corp, or ASCI, and all the ideas presented are my own and in no way reflect attitudes of anyone I work for. *-- *-- *-- *-- *-- *-- *-- *-- *-- *-- *-- *-- Karen Pichnarczyk KARYN@nssdca.gsfc.nasa.gov 703-648-0770 ------------------------------ Date: Wed, 27 Sep 89 11:53:00 -0400 From: TMPLee@DOCKMASTER.ARPA Subject: Viruses in Commercial Software In commenting on viruses being distributed (accidentally, of course) through commercial software someone recently mentioned that someone near him had been hit by a virus that was in a shrink-wrapped copy of WordPerfect. I'm skeptical -- WordPerfect is such a widely-sold program that had there been one copy infected there would have been thousands and the din would have been deafening. Could someone who follows this closely summarize exactly which commercial packages have definitely been identified as having been shipped infected? (i.e., the virus was found on them before there was any chance whatsoever they could have been written to by the user's machine.) (I'm not doubting that commercial software is a good vector for distributing viruses or that it has happened before, I just want to make sure that a company with good anti-virus practices doesn't get falsely accused; in the case in point I have no idea what WP Corp's practices are.) ------------------------------ Date: 26 Sep 89 19:07:49 +0000 From: ttidca.TTI.COM!hollombe%sdcsvax@ucsd.edu (The Polymath) Subject: Re: October 12/13 (PC) In article <0006.8909251230.AA29228@ge.sei.cmu.edu> ttidca.TTI.COM!hollombe%sdc svax@ucsd.edu (The Polymath) writes: }}I'm the editor of our university's computing newletter. I need to }}know how users can detect the October 12/13 virus ahead of time. Is }}there a way at all? ... } }How about backing up the hard disk, then setting the system date ahead to }October 13 and re-booting? Since posting this, I've been advised that some viruses are designed to detect and avoid this test. They do so by keeping track of date increments to make sure they occur one day at a time. Typically, they store a week's worth of dates, possibly more. Assuming a one week buffer, you'd have to implement the sequence "increment date, re-boot, run infected program" at least 8 times to bypass such a check. It's getting nasty out there. }[Ed. Sounds (to me) kind of like testing to see if the mines in an }inert minefield are "ert" by having someone walk through it. :-)] I did say to back up the hard drive first. That way you can resurrect your mine tester if it happens to step on an "ert" mine. (-: The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com) Illegitimis non Citicorp(+)TTI Carborundum 3100 Ocean Park Blvd. (213) 452-9191, x2483 Santa Monica, CA 90405 {csun|philabs|psivax}!ttidca!hollombe ------------------------------ Date: Wed, 27 Sep 89 14:44:01 -0500 From: Dave Boddie <DB06103%UAFSYSB.BITNET@VMA.CC.CMU.EDU> Subject: Compiled list of viruses... I may be asking quite a big question, but I want to know: Is there a compiled list of viruses, symptoms, cures, source, whathaveyou that I can somehow obtain? I am mostly looking for PC viruses, cures and symptoms to most know viruses. If there is one, could someone PLEASE send it or any like it to me? Thanks much in advance. David Boddie Remote Lab Operator University of Arkansas. ------------------------------ Date: 27 Sep 89 20:37:15 +0000 From: ginosko!cg-atla!mallett@uunet.UU.NET (Bruce Mallett) Subject: Anti-viral hard disk controllers Seems to me that virus infestation in companies could be controlled through a little bit of dicipline and with the help of a modified hard disk controller. The scheme is to partition the hard disk into an executable partition and into a data partition. All executables are kept on the bootable, outer partition. The modified disk controller has: switches which indicate the last track number of this outer partition a switch out the back to enable/disable writes to this outer partition. Probably a rotary requiring a screw-driver or other tool to change. In a corporate environment where systems are controlled I would think that this would work quite well. Virus software must be able to write to executables to spread, and they would not be able to since the partition containing them is hardware protected. Without hardware assist, software is always defeatable so no software solution is going to guarantee protection against all infestations. Dicipline is needed in several areas: administration to ensure that systems get properly setup, environments defined correctly, etc.; software packages must not maintain/modify data out of their executable directories; users must not fiddle with the switch nor import foreign, unknown software (by write-enabling the partition), etc. Note that programs run from the floppy can still wreak havoc to the un- protected partition, but they cannot spread via the HD. Is this workable? [Ed. There is at least one commercial product that does exactly that, but it's name escapes me.] ------------------------------ Date: Wed, 27 Sep 89 15:43:11 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: Review of NIST anti-virus paper... Recently, the National Institute of Standards and Technology (NIST, the successor to the National Bureau of Standards) published a short paper entitled: _Computer Viruses and Related Threats: A Management Guide_. I have had a chance to read through it, and here are my comments: NIST Virus study comments First and formost, the NIST paper is an excellent, broad summary of knowledge of prevention measures for "electronic threats". It does not deal with the specifics of protecting this system, or that system, but rather looks at two classes of systems (multi-user and single-user) in two different environments (stand-alone or networked) and discusses six aspects of the security issue: General Policies, Software Management, Technical Controls, Monitoring, Contingency Planning, and Network Concerns. As much as I want to say this is an excellent paper, I find two flaws that hold it back: 1 -- The paper is not always consistent in its tone and advice 2 -- Some advice presented in the paper is based on false assumptions Inconsistency -- The authors of the paper appear to have a problem accepting that any successful policy to deal with electronic threats must rely on the cooperation of the user community. At certain points, it explictly states system managers must *prevent* users from performing actions of questionable risk altogether, and later on it states that users can do the same thing under controlled circumstances. The problem of electronic threats is *everyone's* problem, and *everyone* must be part of the solution. The underlying attitude of the authors seems to be "users cannot be counted on". For better or for worse, users *must* be counted on, and when that is not possible, made accountable. Other examples of where the authors make one statement, and then back down from it elsewhere in the paper exist; this is the one that I happen to have picked up. By the same token, there are only a few instances of this type of hemming and hawing. False Assumptions -- The paper forwards the myth that programs obtained from public sources (bulletin boards; public network libraries) are inheritely tainted, and that shareware/freeware/etc. should really be avoided. Certainly applications obtained from these sources are riskier, but these risks can be minimized through careful selection of sources, (i.e. public sources with a large pool of experienced users feeding from it), by judicious testing of software obtained from these sources, and by maintaining an internal library of these applications. This last step (completely overlooked by Wack and Carnahan) of providing users access to shareware from a corporate-sanctioned libraray can go far in ensuring that applications from riskier, public sources are not brought into the corporate computing environment. By the same token, the paper forwards the myth that commercially obtained applications are inheritly untainted. The Aldus Freehand infection (among others) demonstrates that this is clearly not true. Summary -- Summarizing, I would say this paper is a very good source for technical users looking to gain information about how to go about addressing the virus problem, and a good source for corporate managers looking at the same question. The paper's inconsistency on the role users must play in a successful anti-virus strategy, and it's partial reliance on a false assumption hold it back from being excellent on both counts. Copies of the NIST paper can be obtained for $2.50 from the U.S. Government Printing Office, 202.783.3238. The document is NIST Special Publication 500-166, GPO #003-003-02955-6. The opinion expressed in this review is mine, and does not in any way reflect the official policy of the MITRE Corporation, or any of MITRE's clients. Please do not redistribute this review without my consent first. Thank you. Submitted 27 September 1989 David M. Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------------------------------ Date: Wed, 27 Sep 89 20:13:00 -0400 From: WHMurray@DOCKMASTER.ARPA Subject: Anti-virus Virus Chris Poet invites comment on the idea of an anti-virus virus. Chris you are correct. The idea is not original and has been discussed here ad nauseum. The consensus appears to be that it is not a good idea. Certain behavior is reprehensible regardless of its motive or intention. One such class of behavior is misrepresentation. Nice people do not resort to lies, regardless of motive. A subset of misrepresentation is stealth. Nice people do not intrude unannounced and univited. Good intentions in such cases rarely excuse the behavior. Finally, some behavior is so potentially dangerous that it cannot be justified by good intentions. Spreading any kind of computer code by automatic replication is dangerous and not justified by the intent or value of the code so distributed. Nor is it justified by any superiority of this method of distribution over any other. The decision to employ protection is a personal one. Open distribution by overt channels is preferred. I am glad that you sought advice before embarking on this ill-advised scheme. Having sought it and received it, I hope that you will heed it. [Ed. I agree with Dr. Murray in that this topic has been discussed here ad nauseum - the general concensus of which is that it is not a good idea. Unless anyone has anything significant to add to the conversation, let's please consider this topic closed. Ok? Please? :-)] ____________________________________________________________________ William Hugh Murray 216-861-5000 Fellow, 203-966-4769 Information System Security 203-964-7348 (CELLULAR) ARPA: WHMurray@DOCKMASTER Ernst & Young MCI-Mail: 315-8580 2000 National City Center TELEX: 6503158580 Cleveland, Ohio 44114 FAX: 203-966-8612 Compu-Serve: 75126,1722 INET: WH.MURRAY/EWINET.USA 21 Locust Avenue, Suite 2D DASnet: [DCM1WM]WMURRAY New Canaan, Connecticut 06840 PRODIGY: DXBM57A --------------------------------------------------------------------- ------------------------------ Date: Thu, 28 Sep 89 02:59:00 -0400 From: CZMUREK%DREW.BITNET@VMA.CC.CMU.EDU Subject: Columbus Day Virus attacks the military? Once again there is some frightening news about the Columbus DAy Virus!!! As I was watching the Monday edition of computer chronicles there was a segment on the problem that exists for the military. It seems that all branches have been put on the watch for this one because of the recent HUGE number of finds in the Air Force and Navy. The implications of this are wuite scary indeed. Did anyone else hear abou this or does anyone else have any light to shed on the severity of the infection? One last question- do the armed forces have any plan of action for such an occurance as the downing of a large number of their systems at one time or for the vaccination of military hardware? ------------------------------ Date: 27 Sep 89 19:34:37 +0000 From: chinet!ignatz@att.att.com Subject: Tiger Teams (Was Re: Good viruses?) In article <0002.8909261721.AA06193@ge.sei.cmu.edu> dmg@retina.mitre.org (David Gursky) writes: ... >Suppose a company has stringent rules about protecting desktop >computers from viruses. How do you go about ensuring the rules are >being followed? One thought I had was the user of "Tiger Teams". And goes on to describe a "Tiger Team" which would prowl the halls after-hours, looking for unsecured desktop machines which it could then infect with an "approved" virus, preparatory to an upleasant visit by the PC Police the next day. Presumably, the purpose of actually infecting the machine is to provide an object lesson to the unhappy employee careless enough to not lock the system. This, however, is Not A Good Idea, for many reasons. First, you've disrupted the productivity of a probably useful employee for at least half a day, or more, while his/her machine is zoned out. Next, you're tying up one or more people comprising the "Tiger Team"; as proposed, worse, they're having to put in non-prime hours performing what is essentially an overhead (read "costs money, makes none") task; you're setting up the kind of confrontational situation that can cause stressful relations between employees; and it's not necessary. Not to mention that there are other security holes that are unaddressed, such as terminals left logged into multi-user systems which nevertheless can be used to corrupt or destroy company data and programs. Also, how about desktop or cubicle multi-user and/or multi-tasking systems, such as small Unix/Xenix boxes, VAX/VMS workstations, etc.? Look at finding access to these, and then corrupting them, and you'll start to see that this is a form of sanctioned cracking which is beneficial to none, and detrimental to all. More useful, and actually used in many client sites I've been assigned to, is to simply have the guard--who must make rounds anyway--also made responsible for checking certain criteria for computer equipment. Such things as locked access when applicable, no media left lying about unattended, login-protected terminals (whether remote timesharing, desktop multi-task/user, etc.) logged off whenever unattended, etc. would be grounds for a report by the guard. At the same time, the unsafe condition would be corrected as well as possible by the guard--media collected and secured, accounts either logged off or reported to system operators for deactivation, unlocked single-user desktop machines either locked in the office, if possible, or the power supply secured, etc. The same desired benefits are obtained: the employee is made amply aware of his/her faux pas, and security is maintained. Anyone who's ever worked in a security environment is aware of these and other methods; they're actually used, as I mentioned before. The military does make use of "Tiger Teams" that attempt to penetrate security and leave proof of their success. Usually, however, they are employed in an environment where they're attempting to subvert or circumvent active security measures, such as the deck guard on a nuke sub that's docked, or access to a presumably secured and monitored area. ------------------------------ Date: Wed, 27 Sep 89 16:26:48 +0300 From: Luiz Felipe Perrone <COS99284%UFRJ.BITNET@VMA.CC.CMU.EDU> Subject: Virus signatures A few weeks ago I received one VIRUS-L digest (unfortunately I do not remember which one) which had the signatures of two versions of the Datacrime virus. I happened to loose the listings and to make matters worse I found out I also had discarded the digest from my mailbox. I wonder if someone could send me this signatures as soon as possible and also show me an effective way to look for them in my hard disk. As a matter of fact it would be of great help to receive all the known virus signatures, although I guess I might be asking too much. I study at COPPE/UFRJ in Rio de Janeiro and a couple of months agoall this fuss about computer viruses was like Science Fiction for me. I had never seen any kind of it, and thought that it would take a long time before I had any trouble with them. In Brazil there are no networks like CompuServe, The Source, PCMagnet, etc. so I thought that the "problems" that affect Europe or North America couldn't reach us so fast for they would not be downloaded. But I was quite wrong. About two moths ago I have seen Bouncing-ball and JV infect the whole Lab in which I work. And worse than that : they have got to my hard disk. After running a program that kill BB and JV I have run Norton Utilities to look for the string "sUMsDos" and it found four instances of it. I still do not know if they belong to sectors in use by .EXE or .COM filesbut I must say I'm worried. There is a strong possibily that other evil creatures lurk in my system just waiting for the day to come up and make a big mess. I would be very grateful if someone could help me to make a list of methods to take this orcs out from our hard disks and develop anti-virus programs. I have appreciated the help contained in the VIRUS-L disgests but sometimes I feel I have missed a lot of the basic information. [Ed. From an earlier editorial comment (v2i195): In VIRUS-L volume 2 issue 192, Charles M. Preston <portal!cup.portal.com!cpreston@sun.com> states that a) Viruscan V36 can detect Datacrime and that b) Datacrime can be identified by the hex string EB00B40ECD21B4 (1168 version) or 00568DB43005CD21 (1280 version). Note that a hex string search can be done via the DEBUG 'S' command (e.g., "S CS:100 FFFF hex_string" at the DEBUG prompt), if my memory of MS-DOS is correct. ] Thanks a lot and greetings from Brazil Luiz Felipe Perrone COS99284@UFRJ - Bitnet ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Friday, 29 Sep 1989 Volume 2 : Issue 207 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: Tiger Team comments DATACRIME II INFO (PC) Tiger teams attempting to penetrate corporate machines at night New virus on a PC ?? Virus detector program (PC) Re: Anti-viral hard disk controllers Re: Review of NIST anti-virus paper... When is a virus not a virus? Cascade in Sargon III (PC) ViruScan Length (PC) Oct 13 PC virus question FixCrime.arc (PC) --------------------------------------------------------------------------- Date: Thu, 28 Sep 89 07:41:32 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: Re: Tiger Team comments In Virus-L #205, Steve <XRAYSROK@SBCCVM.BITNET> and <CTDONATH@SUNRISE.BITNE> had some good comments about my Tiger Team suggestion. Here are some answers to their comments: RE: Most viruses are not spread by someone sneaking in at night... Absolutely true. The objective of this proposal would be to ensure that users are following a published anti-virus strategy, beyond simply backing up the data. If the user targeted by the Tiger Team is following the procedures properly, then the virus should not be able to get in. For instance, say the policy reads "All Macintosh computers shall run Gatekeeper". Gatekeeper is very effective at stopping nVir. If the Tiger Team attempts to infect a Mac with nVir, and the attempt fails, the user of the system is not properly following the established procedure. RE: What corporation is willing to take the risk of letting someone *tamper* with the computers which the company depends upon, especially when proper operating procedures will offer you very good protection? Good question. I would hope any company worth its salt. The objective of the "Tiger Teams" is to help ensure the corporate anti-virus policy is being adhered to. "Proper operating procedures" per se do not prevent an infection, *following* those procedures do. RE: Can you guarantee that the "Team" will not do damage?... In order for this proposal to be effective, the TT must do a complete backup of the system's data before proceding (I suspect an image backup would be preferred in this instance), and a restore afterward, regardless of whether the team succeeds or fails. RE: If they are introducing live viruses, ... no one can guarantee the virus will be benign in all situations... I have a problem with this suggestion. Viruses (even nasty ones) such as nVIR, (c) Brain, Lehigh, and so on are well understood. If I start with a "known" strain of one of these (and there are libraries out there of unmodified versions of these and other viruses), I know exactly how a virus will behave under any set of conditions. Please also remember that I proposed using a "neutered" version of a virus. Using (c) Brain as an example, if the logic-bomb or time-bomb is removed from it, leaving only the infector, it's hard to say that such a neutered virus proposes a serious threat to a user when used by a TT to check for the use of anti-virus procedures. RE: If the tiger team fails to exterminate ALL copies of the virus there is the possibility of virus parinoia (sic), files that grow in size for no good reason, and the possibility of lost data thru virus malfunctions. See my earlier comment about backups and neutered versions. RE: The virus would be released in a unsuspecting work area. The presence of strangers insisting on checking every disk that leaves the area would cause chaos. As described above, the virus would not be released in an unsuspecting work area. Tiger Teams are used as a method to test the effectiveness of a given policy. If the users within a given work area are not following an established anti-virus policy (it is taken as a given the suggestion of TT is only valid where such a policy exists, for the exact reason you point out) then they are at risk for a virus infection, and poss a risk for other computing resources (oops! Poss = pose). RE: "Controlled" environment Such environments are possible. They are routinely used for the handling of classified materials for example. Again, the effectiveness of the controls directly depends on how well you adhere to them. ------------------------------ Date: 28 Sep 89 23:03:57 +0000 From: edvvie!eliza!andreas@relay.EU.net (Andreas Brandl) Subject: DATACRIME II INFO (PC) Hello out there, a few days ago I read a article about the DATACRIME- virus and how I can find it with search-strings. Yesterday I read in an info-paper from a very, very, very big corporation about them. This paper tells about three versions of DATACRIME. The first two versions only infect COM-files. Their functions are identical, only their increase-sizes are different. One increases the file size by 1168 bytes, and the other by 1280 bytes. DATACRIME II virus is the third version and infects COM and EXE files. In this version COM files grow by 1514 bytes and EXE by a similar, but variable, size. I possibly know the search-string for the third version. But I can give no warranty, that my info is absolut right. The search-string is like the following: 5E81EE030183FE00742A2E8A9403018DBC2901. I hope this is a little help to locate and destroy this virus. Bye bye, Andreas - -- ------------------------------------------------------------------ EDV Ges.m.b.H Vienna Andreas Brandl Hofmuehlgasse 3 - 5 USENET: andreas@edvvie.at A-1060 Vienna, Austria/Europe Tel: (0043) (222) 59907 (8-16 CET) ------------------------------ Date: 28 Sep 89 13:27:06 +0000 From: cpsolv!rhg@uunet.UU.NET (Richard H. Gumpertz) Subject: Tiger teams attempting to penetrate corporate machines at night Why should such a "tiger team" work under cover of dark? Why not "surprise inspections"? "We're from virus security and we're here to help you ..." - -- ========================================================================== | Richard H. Gumpertz rhg@cpsolv.UUCP -or- ...uunet!amgraf!cpsolv!rhg | | Computer Problem Solving, 8905 Mohawk Lane, Leawood, Kansas 66206-1749 | ========================================================================== ------------------------------ Date: 28 Sep 89 20:57:36 +0000 From: cosc75a@uhnix1.uh.edu (Parameshwaran Krishnan) Subject: New virus on a PC ?? Hi, I am working in the College Of Business Admn, of the Univ of Houston. And I am in the RICS Deptt. I manage Novell Networks there. Today there was a report of a virus in a floppy disk. I am listing down its features any body who would have seen it before please inform me 1. how destructive it can be . 2. How can it be disinfected. Features : 1. It seemingly attaches to an exe file. When u try to execute the file it says that the very same file was not found (??). and asks for a path (in this specific instance it was a Wordperfect file. If u executed wp, it said wp.exe not found Please give a path likd c:\wp\wp.exe. I have a feeling that it does this to infect the harddisk too). If the path is given then it goes bonkers. 2. In this case it created a hidden file called Wordperf.cet. It also screws some exe files on the hard disk It took up 660Bytes extra and wrote the wp.exe back again on the disk. I think this might be the virus code. If u want any other feedback please e-mail me and i will send it to u. Thanks in advance, P Krishnan (cosc75a@uhnix1.uh.edu) (create a virus free computer world) ------------------------------ Date: Thu, 28 Sep 89 13:48:53 -0400 From: unhd!stm@uunet.UU.NET (Steven T Mcclure) Subject: Virus detector program (PC) I would be very interested in seeing this program posted, as I don't know much at all about viruses. I have an AT&T PC6300 with MS-DOS 3.0 with a HD, and would like to be able to find out if I have any viruses currently, and would also like to be told if a new one is being introduced into the system. I don't have ftp access, so I would rather see it posted to c.b.i.p, and there are probably other people who know about as much as I do who would be interested also, but aren't news/ftp/bbs wizards. Thanks. -- Steve ------------------------------ Date: Thu, 28 Sep 89 21:02:15 +0000 From: time@oxtrap.oxtrap (Tim Endres) Subject: Re: Anti-viral hard disk controllers Virus infection is not *spread* via hard disks. Floppies and modems are the *movement* medium. I am not sure what advantage this read only hard disk has over simply monitoring the checksum of an application. More importantly, not all computer systems have "read-only" executables. Most notably, the Macintosh stores code in the resource fork of an application, which is *frequently* modified. The move to distributed execution from file servers is slowly changing this, but it remains an issue. We have a program, that once run against an executable, makes it IMPOSSIBLE for a virus to infect that application and be executed. Infection is still possible, but the application will never execute again, thus stopping propogation. This is simply a check sum of the executable set up in a way to inhibit execution once infection has occurred. The use of a quick key word entered by the user at run time prevents the virus from "intelligently" by-passing the check sum. This solves only one facet of the problem, but a large facet it be. ------------------------------ Date: Thu, 28 Sep 89 21:07:32 +0000 From: time@oxtrap.oxtrap (Tim Endres) Subject: Re: Review of NIST anti-virus paper... > Discussion of the NIST virus paper... The paper forwards the myth that programs obtained from public sources (bulletin boards; public network libraries) are inheritely tainted, and that shareware/freeware/etc. should really be avoided. By the same token, the paper forwards the myth that commercially obtained applications are inheritly untainted. Sounds like the committee was seated with commercial software vendors! ------------------------------ Date: 28 Sep 89 20:38:05 +0000 From: mrsvr!gemed.mrisi!davej@csd4.csd.uwm.edu (David Johnson) Subject: When is a virus not a virus? The following article copied without permission from the Milwaukee Sentinel, Thursday, September 28, 1988 to promote discussion on the ethics involved, legal implications (especially if Lab Force didn't answer their phone on a Saturday :-)), etc. I have no interest nor association with any of the parties mentioned in the article below; I just thought it would provide some interesting beginnings for discussion. I'm especially interested in hearing about "good faith" legal ramifications of the software described below. === BEGIN ARTICLE "FIRM SAYS 'VIRUS' ENSURES PAYMENT" By Mike Mulvey Sentinel staff writer The "viruses" that allegedly infected a computer system serving three Milwaukee-area hospitals were actually fail-safe devices installed by the manufacturer to ensure payment on the system, the company's president said Wednesday. Robert C. Lewis, president of Lab Force Inc. in Dallas, Texas, vehemently denied allegations that his company intentionally introduced viruses to sabotage the computer network that provided laboratory test results. "The allegations are totally without merit," Lewis said. "It is insane." "We have not and never will cause a virus to disrupt a computer system." Federal Judge John W. Reynolds issued a temporary restraining order Tuesday barring the Dallas company from introducing any more alleged viruses into the computer system. The computer network run by Franciscan Shared Laboratory Inc. services St. Michael and St. Joseph's Hospitals in Milwaukee and Elmbrook Memorial Hospital in Brookfield. Franciscan, of 11020 W. Plank Ct., Wauwatosa, file a lawsuit Tuesday in Federal Court, alleging Lab Force introduced a computer virus that disabled the system Sept. 16 and another virus scheduled to be activated Nov. 15. The suite alleged actions by Lab Force were endangering the lives of patients at the three hospitals. A hearing on the case is scheduled for Oct. 6 in Federal Court "We will let the evidence speak for itself. We've done what we believe is in the beset interest of our client and its patients," said attorney John Busch, who is representing Franciscan. "Lewis may deny allegations of sabotage, but he doesn't deny the fact that the system was down." Lewis said the system began operation in April 1988, although Lab Force still is adding to the network. He said the system always had had a "key," a device that locks out the user if a payment schedule isn't kept or a licensing agreement isn't honored. Although Franciscan had been making its payments on time, the key that originally was set to shut down the system Sept. 16 was not rescheduled for a later date because of a mistake by a Lab Force technician, Lewis said. When the technician was notified that the computer system shut down Sept. 16, he immediately corrected the problem by rescheduling the key for Nov. 15, said Jerry Levine, a consultant for Lab Force. "It was a mistake. Our operator screwed up. There has never been a virus in there. There has only been a simple key." "Keys are commonly used by hundreds, if not thousands, of software companies," Levine said. "Until software is accepted and paid for, the only protection a software company has against the equipment being stolen is to place a key in the system." Lewis said Lab Force was considering filing a countersuit against Franciscan for damage done to the Dallas company's reputation. === END ARTICLE - -- David J. Johnson - Computer People Unlimited, Inc. @ GE Medical Systems gemed!python!davej@crd.ge.com - OR - sun!sunbird!gemed!python!davej "What a terrible thing it is to lose one's mind." - Dan Quayle ------------------------------ Date: Thu, 28 Sep 89 12:30:50 +0000 From: Fridrik Skulason <frisk@RHI.HI.IS> Subject: Cascade in Sargon III (PC) I just received a report of a shrink-wrapped and write-protected copy of Sargon III arriving infected with the cascade (1704-A) virus. The store selling the program did not have any more copies, but since they do not allow the return of games, the disk must have been infected outside of Iceland. Has anybody else seen found an infected original of this program ? --- frisk ------------------------------ Date: Thu, 28 Sep 89 07:19:19 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: ViruScan Length (PC) John McAfee asked me to forward the following message: My apologies to the VIRUSCAN user community about my premature announcement some months back that VIRUSCAN would always remain 34400 bytes long. I am old enough to have known better. Architectural changes brought about by newer viruses have necessitated a changing size for some versions. Version 39 in particular, has been virtually re-written to double its speed, link with the SHEZ program to scan archived files and provide an individual file scan if requested. Such changes can't be squeezed into the original 34400 bytes. I accept the title of idiot from anyone who wishes to confer it on me. Future versions of SCAN will contain the file size in the documentation, and sizes will be appropriately advertised. John McAfee ------------------------------ Date: Thu, 28 Sep 89 14:48:00 -0600 From: Frank Simmons <FSIMMONS%UMNDUL.BITNET@VMA.CC.CMU.EDU> Subject: Oct 13 PC virus question I am the editor of our Computer center newsletter. I want to include an article in our early October issue about this Oct 13 virus. Has anyone any concrete facts about this I can relate and secondly what hope/vaccines can I offer my readership? Frank Simmons ------------------------------ Date: Thu, 28 Sep 89 18:47:36 -0500 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: FixCrime.arc (PC) New anti-viral, sent directly to me by the author. fixcrime.arc Will fix files infected by DataCrime virus. Operates only on .COM files, not .EXE. Has programs to combat three different strains of DataCrime. *Use with caution!* FIXCRIME.ARC Removes infections of DataCrime virus Jim ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 2 Oct 1989 Volume 2 : Issue 208 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: How can I get SCANV3x ??? paper comparing biological and computer viruses MILIVIRUS REPLY Re: MILIVIRUS REPLY Jerusalem virus infection, query (PC New virus? (Mac) Followup on new virus (Mac) Re: F-PROT anti-virus package (PC) Virus Protection Apple II Viruses Flushot+ and Artic speech package (PC) RE: Tiger teams at night RE: Review of NIST anti-virus paper... RE: Tiger Teams --------------------------------------------------------------------------- Date: 28 Sep 89 19:01:39 +0000 From: smg%eedsp@gatech.edu (Steve McGrath) Subject: How can I get SCANV3x ??? Could some kind soul please tell me where I can get a copy of the SCANV program (or send it to me, if, as I believe, it is shareware)? I have been trying to call the BBS at (408)988-4004 with no success, and the more I read about the viri which are out there the more apprehensive I am getting. I don't, by the way, have access to Compuserve. Thanks in advance, Stephen - -- Stephen McGrath Georgia Tech, School of EE, DSP Lab, Atlanta, GA 30332 (404)894-3872 smg@eedsp.gatech.edu ------------------------------ Date: Thu, 28 Sep 89 11:19:13 -0400 From: Peter Jaspers-Fayer <SOFPJF@UOGUELPH.BITNET> Subject: paper comparing biological and computer viruses This is an outline for a semi-serious paper on the similarities between biological and computer viruses, and the efforts to understand and combat them. I present it here in the hopes that others may wish to contribute a paragraph or so (sorry no money, but I'll give credit for any material I receive). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Loosely termed, a virus is a "piece of information" that replicates itself by using it's host's own machinery. Methods of entry into the host system are various. The infection often has a latency period that differs from one species of virus to another. They may, in fact, appear to be entirely benign. Viruses often "hide" in specific parts of the infected system, sometimes multiplying there, sometimes completely dormant, until some external event triggers the onset of the symptoms. Concerning the effort to understand and combat biological and computer viruses; there are also many correspondences between the identification, classification, taxonomy, evolutionary theory and epidemiology of the two disciplines. Often in reading the network discussion list "VIRUS-L", I am struck by the familiarity (my own background is biology) of the arguments that have arisen about: - - How best to identify a new virus, - - What to name it, - - When it started, - - Where it originated, - - It's relation to other viruses, - - The possible evolutionary path, - - What methods of infection there are, - - The ways a virus can combat detection and defences, - - How quickly it spreads, - - The percentage of the host population that is infected, - - What the latency period is, and how the onset of symptoms are triggered. The only absolutely sure way to understand the virus is to dis- assemble it into it's component parts, and read the code. Unfortunately, we are only recently able to disassemble the simplest of the biological virus, and the ability to understand all of the approximately 10K instructions of that simple virus is many years away. What other analogies can you see? Can you expand on any of the above? Stretching things just a little bit further, there are analogies between: Biological Computer - -------------------------------- ----------------------------- Atlanta Center for Disease Control - Computer Virus Industry Association DNA viruses - Boot-Sector Viruses RNA viruses - .EXE, .COM resident viruses AIDS - A (as yet uninvented - I hope) virus that seeks out and destroys only anti-viral programs, leaving you prone to infection by other viruses. I'd like to flesh this out a bit. Suggestions need not be serious, and flights of fancy welcomed. The material may be used in a talk we are giving on computer viruses and other ills. Please reply directly to me at SofPJF@VM.UoGuelph.Ca, or SOFPJF@UOGUELPH.BITNET Thanks. /PJ ------------------------------- First Law of Wing Walking: Never leave hold of what you have got until you have got hold of something else. ------------------------------ Date: Thu, 28 Sep 89 11:06:00 -0500 From: JEWALSH%FORDMURH.BITNET@VMA.CC.CMU.EDU Subject: MILIVIRUS REPLY Although I haven't gotten my feet too wet with the administrative functions of the Army, as far as I can tell: a. In the combat service support branches, e.g.: Adjutant General Finance Corps, etc., the only C.O.A. for dealing with system malfunctions is to call the programmers in. b. On the combat support level, e.g.: branches like Air Defense Artillery may operate with safeguards and procedures when dealing with viruses. Considering that it is equipment that safeguards our nation's defense, one would HOPE that it is resistant to viruses. But, more than anything else, I have a feeling that it's relegated to the knowledgable computer operators to resolve problems with the systems. c. Combat Arms branches, e.g.: Infantry, Artillery, and Armor, don't do a lot with computer systems except on the unit level. (Within individual tanks, or on the platoon level for troop movement, etc.) The level to which it is prone to viruses is, in my estimation, minimal, and the ease by which the components can be replaced takes away the risk. If anyone knows more about the Army's Plan on Viruses, please post! I'd be interested to learn about it. Jeffrey Walsh Fordham University BITNET%"JEWALSH@FORDMURH" ------------------------------ Date: Thu, 28 Sep 89 14:46:25 -0400 From: "Dennis G. Rears (FSAC)" <drears@PICA.ARMY.MIL> Subject: Re: MILIVIRUS REPLY Jeffrey, you write: > a. In the combat service support branches, e.g.: Adjutant General > Finance Corps, etc., the only C.O.A. for dealing with system > malfunctions is to call the programmers in. Also Ordnance, Transportation, JAG, & Chaplain Corps. > b. On the combat support level, e.g.: branches like Air Defense > Artillery may operate with safeguards and procedures when dealing > with viruses. Considering that it is equipment that safeguards > our nation's defense, one would HOPE that it is resistant to > viruses. But, more than anything else, I have a feeling that > it's relegated to the knowledgable computer operators to resolve > problems with the systems. Air Defense is a combat arms branch. Signal, Military Police, Military Intelligence, and Chemical Corps are service. >If anyone knows more about the Army's Plan on Viruses, please post! I'd be >interested to learn about it. Overall DOD has done little or anything. They were one of the last to know about the worm incident. They care more about administrative security than real security issues. (My opinion only!) Dennis ------------------------------ Date: Fri, 29 Sep 89 08:46:48 -0500 From: Jeff Medcalf <jeffm%uokmax@uokmax.ecn.uoknor.edu> Subject: Jerusalem virus infection, query (PC) The PC lab at the Engineering Computer Network, University of Oklahoma, has detected multiple virus infections (mostly Jerusalem virus) on its PCs. The viruses were found and removed with Unvirus, with thanks to its authors. However, I would like to find some programs which would detect and remove more than 7 viruses. Any information regarding anti-viral archive sites, anti-viral programs, and documentation would be greatly appreciated. Also, how many viruses have been identified, and which are the largest threats to security in the United States of America? Thank you ------------------------------ Date: 29 Sep 89 15:02:38 +0000 From: jap2_ss@uhura.cc.rochester.edu (Joseph Poutre) Subject: New virus? (Mac) We here at the University of Rochester may have discovered a new virus, or a variation on a theme. What it does is infect Macwrite and the Chooser, so that when a document is printed, Macwrite crashes. The virus changes the name to Macwight or Macwite, but this is the only clue so far. I am trying to get more data, more none is forthcoming. I will do what i can today and tommorrow, and give furthr reports. Disinfectant 1.1 doesn't work, so please email me the latest version of disinfectant to try. The sooner the better, because the Vice-Provost's office is infected, and they may lose a 75 page report for the government. (What, no backups? What do you think. Argh.) The Mad Mathematician jap2@uhura.cc.rochester.edu Understand the power of a single action. (R.E.M.) ------------------------------ Date: 29 Sep 89 19:22:37 +0000 From: jap2_ss@uhura.cc.rochester.edu (Joseph Poutre) Subject: Followup on new virus (Mac) This is a followup to my earilier report. I will try to give more details from my and others investigations. The virus definatly attacks Macwrite. It adds a str ID 801 and modifies the icon to say Macwite instead of the standard application icon. The application increases in size by 104 bytes, 56 in the string. they are added in sector 014F, according to Fedit Plus 1.0. It also attacks the system, in an unknown fashion. I was able to induce it to do something by repeated Get Infos. This may be a counter towards a more fatal outcome. Some of the disks have crashed after giving the This is not a Macintosh disk. Shall I initialize it? warning. This happens almost immediatly after attempts to print. The chooser is unable to find printer resources, and claims there are none. When the File locked, Lock, Bozo and File Protect bits are set, the virus apparently cannot infect. It doesn't appear able to attack a disk write protected by the corner tab, either. Tommorrow I will be performing further experimenets, and will upload exact locations for the added code, and probably the string listing, too. No anti-virus program has been able to find it, including Interferon, Virus Rx, Anti-pan, and Disinfectant 1.2. If this is recognized by anyone, please email me ASAP at the address below with devirusing help. If not, I will try to do everything I can. Thank you for your time and effort. The Mad Mathematician jap2@uhura.cc.rochester.edu Understand the power of a single action. (R.E.M.) ------------------------------ Date: Fri, 29 Sep 89 17:44:08 -0400 From: dptg!att!ll1a!nesac2!jec@rutgers.edu Subject: Re: F-PROT anti-virus package (PC) Yes, there's probably enough interest to warrant posting the program. But will you be able to keep it current, and get the current version to registered users as fast as the virus? John - --- USnail: John Carter, AT&T, 401 W. Peachtree, FLOC 2932-6, Atlanta GA 30308 Video: ...att!nesac2!jec ...attmail!jecarter Voice: 404+581-6239 The machine belongs to the company. The opinions are mine. ------------------------------ Date: Fri, 29 Sep 89 19:33:00 -0400 From: JHSangster@DOCKMASTER.ARPA Subject: Virus Protection It seems to me that this whole problem will be largely solved when and only when the vendors all start "signing" their software with a digital signature based on public key cryptography. At least then any one who wishes to check a program for authenticity need only check to see that it passes the digital signature check with the alleged vendor's public key. Of course you also have to know that the checking program hasn't been tampered with, the hardware hasn't been tampered with, etc., etc., but at least we would have a starting point for software authentication. The signature approach and the use of signature checking seem to me the only way to make definitive progress against viruses. All other approaches are dependent on details of the viruses code, which as we have seen change with time and with each new virus. Digital signatures will let us check that at least a trusted source has put its signature on the code, and that it has not been altered since then. Software developers will then have to get serious about preventing viruses from creeping in at the factory if they are not already serious. If members of the appropriate software standards body are listening, I hope they give consideration to such a standard ASAP. The standard should allow for both existing and future developers as well as private individuals (hobbyists who may develop freeware) to have a unique public key. Then software users who neglect to check the signature use the software at their own risk, but if they experience damage and can prove it, they will be in a position to apply some heat to the vendor who provided the signed, but infected, software. The ideal way to implement checking would be to build it into the loader. This may become feasible if a worldwide standard is adopted. Meanwhile checking could be implemented in a way which did not require ROM modifications. The standard could provide for inclusion of the vendor's public key and the resulting signature in the format of any loadable file. - -John Sangster SPHINX Technologies, Incorporated (617) 235-8801 / P.O. Box 81287, Wellesley Hills, MA 02181 ------------------------------ Date: Fri, 29 Sep 89 19:48:56 -0500 From: davidbrierley@lynx.northeastern.edu Subject: Apple II Viruses If any readers of VIRUS-L have any information on viruses affecting Apple II series computers I would be very appreciative if they could e-mail it to me. I am especially interested in public domain and shareware antiviral programs. Please note that I have virus information posted in Info-Apple. Thank you. David R. Brierley davidbrierley@lynx.northeastern.edu ------------------------------ Date: Fri, 29 Sep 89 22:54:00 -0400 From: Yahn Zawadzki <S72UZAW%TOE.TOWSON.EDU@IBM1.CC.Lehigh.Edu> Subject: Flushot+ and Artic speech package (PC) I am new to this list, and don't know much abot various anti-viral programs for the IBM - but I have run into some problems I think may be caused by one of them. In our labs, I am setting up a workstation for visually impaired - the major role plays there a package called ARTIC - hardware/software driven speech synthesizer. Part of that program is a memory-resident code which can intercept any program, and provide support for ARTIC's hardware from within. This way, one can have the machine read the screen, or just read the key combinations, etc. Now, on the same drive I have installed Flushot+ (students have access to the station). I am not familiar with Flushot or Flushot+, so I can't tell what is happening: at all times, there is a '+' in the top right corner of the screen, and some of the functions of ARTIC are for some reason disabled. I dug through ARTIC's manuals - there is no mention of anything which could explain the situation.. Anyone out there - PLEASE tell me whether it is Flushot intefering with ARTIC here (I suspect '+' signifies something!) or am I looking in the wrong direction... If anyone out there has used ARTIC business version - and knows of an anti-virus which will not react to ARTIC's software - please let me know..! Thanks - Yahn. - ------------------------------------------------------------------------------- Yahn Zawadzki Bitnet: S72UZAW @ TOWSON Student Lab Assistant INET: yahn@towson.edu Towson State Univ. Disclaimer: Any Views Expressed Above Are Those Of Mine And Not Of The Towson State University. A N D Y E S - I A M A M A C P E R S O N !!! - ------------------------------------------------------------------------------- ------------------------------ Date: Sat, 30 Sep 89 09:18:16 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: RE: Tiger teams at night In the VIRUS-L Digest V2 #207, cpsolv!rhg@uunet.UU.NET (Richard H. Gumpertz) writes: > Why should such a "tiger team" work under cover of dark? Why not "surprise > inspections"?... Because people use their computers during the day. If the Tiger Team finds the person is following all the proper anti-viral procedures, why should the Tiger Team interrupt the user's normal workday? ------------------------------ Date: Sat, 30 Sep 89 09:30:38 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: RE: Review of NIST anti-virus paper... In the VIRUS-L Digest V2 #207, time@oxtrap.oxtrap (Tim Endres) writes: > Sounds like the committee was seated with commercial software vendors! The NIST paper was written by two staff members there, and is not a committee report. I've received some feedback from NIST on my comments to the effect of "Good point. We did not intend the bias towards commercial software, but it is certainly there". ------------------------------ Date: Sat, 30 Sep 89 14:39:00 -0400 From: "Thomas B. Collins, Jr." <TBC101@PSUVM.BITNET> Subject: RE: Tiger Teams Another thought on the Tiger Teams... It doesn't make much sense to me. If I don't add any new software to my system at work, I'm not going to worry about viruses. Say I get my new system, put all the software on it, and run a few virus scanners that turn up nothing. I then run all applications from my hard drive, and don't use any floppy disks. It wouldn't make sense for me to check my hard drive every day for viruses, because they don't just pop up from nowhere. If I did add software to my system, I would check it for viruses before adding it. I think it would make more sense for the Tiger Teams to come in in the middle of the day, ask you to please save your work, and then run a virus checker on your system. If anything is found, you are "cited" as letting a virus into your system. If you're clean, you go back to work, and the Tiger Team moves on. - ------- Tom "Shark" Collins Since ICS is comprised of 2 people, my views tbc101@psuvm.psu.edu are the opinion of at least 50% of the company. ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 2 Oct 1989 Volume 2 : Issue 209 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Introduction to the anti-viral archives Amiga anti-viral archive sites Apple II anti-viral archive sites Atari ST anti-viral archive sites Documentation anti-viral archive sites IBMPC anti-viral archive sites Macintosh anti-viral archive sites UNIX anti-viral archive sites Why not change OS? M-1704.EXE (PC) Follow up on Tiger Team comments. Configuring FluShot (PC) Re: Tiger Team comments Future AV software (PC) The book you've all been waiting for? --------------------------------------------------------------------------- Date: 30 Sep 89 09:23:48 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Introduction to the anti-viral archives # Introduction to the Anti-viral archives... # Listing of 30 September 1989 This posting is the introduction to the "official" anti-viral archives of virus-l/comp.virus. With the generous cooperation of many sites throughout the world, we are attempting to make available to all the most recent news and programs for dealing with the virus problem. Currently we have sites for Amiga, Apple II, Atari ST, IBMPC, Macintosh and Unix computers, as well as sites carrying research papers and reports of general interest. If you have general questions regarding the archives, you can send them to this list or to me. I'll do my best to help. If you have a submission for the archives, you can send it to me or to one of the persons in charge of the relevant sites. If you have any corrections to the lists, please let me know. ------------------------------ Date: 30 Sep 89 09:25:11 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Amiga anti-viral archive sites # Anti-viral archive sites for the Amiga # Listing last changed 30 September 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Amiga index for the virus archives can be retrieved as request: amiga topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> ms.uky.edu Sean Casey <sean@ms.uky.edu> Access is through anonymous ftp. The Amiga anti-viral archives can be found in /pub/amiga/Antivirus. The IP address is 128.163.128.6. uk.ac.lancs.pdsoft Steve Jenkins <pdsoft@uk.ac.lancs.pdsoft> Service for UK only; no access from BITNET/Internet/UUCP Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft" FTP : call lancs.pdsoft, user "pdsoft", pwd "pdsoft". Pull the file "help/basics" for starter info, "micros/index" for index. Anti-Viral stuff is held as part of larger micro software collection and is not collected into a distinct area. uxe.cso.uiuc.edu Mark Zinzow <markz@vmd.cso.uiuc.edu> Lionel Hummel <hummel@cs.uiuc.edu> The archives are in /amiga/virus. There is also a lot of stuff to be found in the Fish collection. The IP address is 128.174.5.54. Another possible source is uihub.cs.uiuc.edu at 128.174.252.27. Check there in /pub/amiga/virus. ------------------------------ Date: 30 Sep 89 09:27:01 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Apple II anti-viral archive sites # Anti-viral archive sites for the Apple II # Listing last changed 30 September 1989 brownvm.bitnet Chris Chung <chris@brownvm.bitnet> Access is through LISTSERV, using SEND, TELL and MAIL commands. Files are stored as apple2-l xx-xxxxx where the x's are the file number. cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Apple II index for the virus archives can be retrieved as request: apple topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> uk.ac.lancs.pdsoft Steve Jenkins <pdsoft@uk.ac.lancs.pdsoft> Service for UK only; no access from BITNET/Internet/UUCP Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft" FTP : call lancs.pdsoft, user "pdsoft", pwd "pdsoft". Pull the file "help/basics" for starter info, "micros/index" for index. Anti-Viral stuff is held as part of larger micro software collection and is not collected into a distinct area. ------------------------------ Date: 30 Sep 89 09:28:26 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Atari ST anti-viral archive sites # Anti-viral archive sites for the Atari ST # Listing last changed 30 September 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Atari ST index for the virus archives can be retrieved as request: atari topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk>. panarthea.ebay Steve Grimm <koreth%panarthea.ebay@sun.com> Access to the archives is through mail server. For instructions on the archiver server, send help to <archive-server%panarthea.ebay@sun.com>. uk.ac.lancs.pdsoft Steve Jenkins <pdsoft@uk.ac.lancs.pdsoft> Service for UK only; no access from BITNET/Internet/UUCP Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft" FTP : call lancs.pdsoft, user "pdsoft", pwd "pdsoft". Pull the file "help/basics" for starter info, "micros/index" for index. Anti-Viral stuff is held as part of larger micro software collection and is not collected into a distinct area. ------------------------------ Date: 30 Sep 89 09:28:58 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Documentation anti-viral archive sites # Anti-viral archive sites for documentation # Listing last changed 30 September 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The index for the **GENERAL** virus archives can be retrieved as request: general topic: index The index for the **MISC.** virus archives can be retrieved as request: misc topic: index **VIRUS-L** entries are stored in monthly and weekly digest form from May 1988 to December 1988. These are accessed as log.8804 where the topic substring is comprised of the year, month and a week letter. The topics are: 8804, 8805, 8806 - monthly digests up to June 1988 8806a, 8806b, 8806c, 8806d, 8807a .. 8812d - weekly digests The following daily digest format started on Wed 9 Nov 1988. Digests are stored by volume number, e.g. request: virus topic: v1.2 would retrieve issue 2 of volume 1, in addition v1.index, v2.index and v1.contents, v2.contents will retrieve an index of available digests and a extracted list of the the contents of each volume respectively. **COMP.RISKS** archives from v7.96 are available on line as: request: comp.risks topic: v7.96 where topic is the issue number, as above v7.index, v8.index and v7.contents and v8.contents will retrieve indexes and contents lists. For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> lehiibm1.bitnet Ken van Wyk <LUKEN@LEHIIBM1.BITNET> new: <krvw@sei.cmu.edu> This site has archives of VIRUS-L, and many papers of general interest. Access is through ftp, IP address 128.180.2.1. The directories of interest are VIRUS-L and VIRUS-P. uk.ac.lancs.pdsoft Steve Jenkins <pdsoft@uk.ac.lancs.pdsoft> Service for UK only; no access from BITNET/Internet/UUCP Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft" FTP : call lancs.pdsoft, user "pdsoft", pwd "pdsoft". Pull the file "help/basics" for starter info, "micros/index" for index. Anti-Viral stuff is held as part of larger micro software collection and is not collected into a distinct area. unma.unm.edu Dave Grisham <dave@unma.unm.edu> This site has a collection of ethics documents. Included are legislation from several states and policies from many institutions. Access is through ftp, IP address 129.24.8.1. Look in the directory /ethics. ------------------------------ Date: 30 Sep 89 09:29:52 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: IBMPC anti-viral archive sites # Anti-viral archive for the IBMPC # Listing last changed 30 September 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The IBMPC index for the virus archives can be retrieved as request: ibmpc topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> ms.uky.edu Daniel Chaney <chaney@ms.uky.edu> This site can be reached through anonymous ftp. The IBMPC anti-viral archives can be found in /pub/msdos/AntiVirus. The IP address is 128.163.128.6. uk.ac.lancs.pdsoft Steve Jenkins <pdsoft@uk.ac.lancs.pdsoft> Service for UK only; no access from BITNET/Internet/UUCP Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft" FTP : call lancs.pdsoft, user "pdsoft", pwd "pdsoft". Pull the file "help/basics" for starter info, "micros/index" for index. Anti-Viral stuff is held as part of larger micro software collection and is not collected into a distinct area. uxe.cso.uiuc.edu Mark Zinzow <markz@vmd.cso.uiuc.edu> This site can be reached through anonymous ftp. The IBMPC anti-viral archives are in /pc/virus. The IP address is 128.174.5.54. vega.hut.fi Timo Kiravuo <kiravuo@hut.fi> This site (in Finland) can be reached through anonymous ftp. The IBMPC anti-viral archives are in /pub/pc/virus. The IP address is 128.214.3.82. wsmr-simtel20.army.mil Keith Peterson <w8sdz@wsmr-simtel20.army.mil> Direct access is through anonymous ftp, IP 26.2.0.74. The anti-viral archives are in PD1:<MSDOS.TROJAN-PRO>. Simtel is a TOPS-20 machine, and as such you should use "tenex" mode and not "binary" mode to retreive archives. Please get the file 00-INDEX.TXT using "ascii" mode and review it offline. NOTE: There are also a number of servers which provide access to the archives at simtel. WSMR-SIMTEL20.Army.Mil can be accessed using LISTSERV commands from BITNET via LISTSERV@NDSUVM1, LISTSERV@RPIECS and in Europe from EARN TRICKLE servers. Send commands to TRICKLE@<host-name> (for example: TRICKLE@AWIWUW11). The following TRICKLE servers are presently available: AWIWUW11 (Austria), BANUFS11 (Belgium), DKTC11 (Denmark), DB0FUB11 (Germany), IMIPOLI (Italy), EB0UB011 (Spain) and TREARN (Turkey). ------------------------------ Date: 30 Sep 89 09:30:43 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Macintosh anti-viral archive sites # Anti-viral archive sites for the Macintosh # Listing last changed 30 September 1989 cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index The Mac index for the virus archives can be retrieved as request: mac topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> ifi.ethz.ch Danny Schwendener <macman@ethz.uucp> Interactive access through SPAN/HEPnet: $SET HOST 20766 or $SET HOST AEOLUS Username: MAC Interactive access through X.25 (022847911065) or Modem 2400 bps (+41-1-251-6271): # CALL B050 <cr><cr> Username: MAC Files may also be copied via SPAN/HEPnet from 20766::DISK8:[MAC.TOP.LIBRARY.VIRUS] rascal.ics.utexas.edu Werner Uhrig <werner@rascal.ics.utexas.edu> Access is through anonymous ftp, IP number is 128.83.144.1. Archives can be found in the directory mac/virus-tools. Please retrieve the file 00.INDEX and review it offline. Due to the size of the archive, online browsing is discouraged. scfvm.bitnet Joe McMahon <xrjdm@scfvm.bitnet> Access is via LISTSERV. SCFVM offers an "automatic update" service. Send the message AFD ADD VIRUSREM PACKAGE and you will receive updates as the archive is updated. You can also subscribe to automatic file update information with FUI ADD VIRUSREM PACKAGE sumex-aim.stanford.edu Bill Lipa <info-mac-request@sumex-aim.stanford.edu> Access is through anonymous ftp, IP number is 36.44.0.6. Archives can be found in /info-mac/virus. Administrative queries to <info-mac-request@sumex-aim.stanford.edu>. Submissions to <info-mac@sumex-aim.stanford.edu>. There are a number of sites which maintain shadow archives of the info-mac archives at sumex: * MACSERV@PUCC services the Bitnet community * LISTSERV@RICE for e-mail users * FILESERV@IRLEARN for folks in Europe uk.ac.lancs.pdsoft Steve Jenkins <pdsoft@uk.ac.lancs.pdsoft> Service for UK only; no access from BITNET/Internet/UUCP Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft" FTP : call lancs.pdsoft, user "pdsoft", pwd "pdsoft". Pull the file "help/basics" for starter info, "micros/index" for index. Anti-Viral stuff is held as part of larger micro software collection and is not collected into a distinct area. wsmr-simtel20.army.mil Robert Thum <rthum@wsmr-simtel20.army.mil> Access is through anonymous ftp, IP number 26.2.0.74. Archives can be found in PD3:<MACINTOSH.VIRUS>. Please get the file 00README.TXT and review it offline. ------------------------------ Date: 30 Sep 89 09:31:34 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: UNIX anti-viral archive sites # Anti-viral and security archive sites for Unix # Listing last changed 30 September 1989 # Note that this listing is preliminary, and will likely change. # I know the information is far from complete, but I thought it would # be a good idea to get this out now instead of wait. attctc Charles Boykin <sysop@attctc.Dallas.TX.US> Accessible through UUCP. cs.hw.ac.uk Dave Ferbrache <davidf@cs.hw.ac.uk> NIFTP from JANET sites, login as "guest". Electronic mail to <info-server@cs.hw.ac.uk>. Main access is through mail server. The master index for the virus archives can be retrieved as request: virus topic: index For further details send a message with the text help The administrative address is <infoadm@cs.hw.ac.uk> netCS Hans Huebner <huebner@db0tui6.bitnet> netCS is a public access Unix site in Berlin which is also accessible through UUCP. sauna.hut.fi Jyrki Kuoppala <jkp@cs.hut.fi> Accessible through anonymous ftp, IP number 128.214.3.119. (Note that this IP number is likely to change.) ucf1vm Lois Buwalda <lois@ucf1vm.bitnet> Accessible through... wuarchive.wustl.edu Chris Myers <chris@wugate.wustl.edu> Accessible through anonymous ftp, IP number 128.252.135.4. A number of directories can be found in ~ftp/usenet/comp.virus/*. ------------------------------ Date: Sat, 30 Sep 00 19:89:04 +0000 From: ficc!peter@uunet.uu.net Subject: Why not change OS? Rather than go through all this trouble to keep viruses out of Macs and IBM-PCs, why not abandon the unprotected operating systems wherever possible and switch to UNIX? If you need to run DOS or MacOS software, there are ways of running it under UNIX in both cases: A/UX supports Macintosh software, and the various 80386 versions of UNIX have two DOS emulators that run in the virtual 8086 emulation mode. With no direct access to the hardware possible, and with multiuser security preventing writes to files (at least in the 80386 case), the worst the virus could do would be to infect user-written programs. When they attempted to format the hard disk, or infect installed software, they would simply trap and abort the virtual DOS image. UNIX-based software is extremely unlikely to be infected, since a UNIX virus would have to infect source code to transfer out of a machine. To defuse arguments about the Internet Worm, let us note that this program was restricted to two brands of computer: VAXes and 68000-based Suns. And it infected a network that was deliberately designed to be insecure. No, UNIX is not immune to trojan horses and viruses, but by and large this sort of program is kept uninfectious and benign by the nature of the system. [Ed. I hope that you're wearing asbestos skivvies... :-) ] ------------------------------ Date: Sat, 30 Sep 89 16:38:52 -0500 From: James Ford <JFORD1@UA1VM.BITNET> Subject: M-1704.EXE (PC) I recently downloaded M-1704.ZIP from the Wellspring BBS. After downloading it, I ran SCAN V35 (old, I know) and to my amazement, it said that the file M-1704.EXE was infected with the "1701/1704 Version B virus"! Does this program include a string in it that might cause SCAN to indicate a virus (a false alert) or can I assume that this file is infected?? Please reply direct to me, *not* to VALERT-L....or then again, maybe the response should be posted here. I am under the impression that the Wellspring BBS (1-714-8567996) is an anti-viral storage site. James Ford (205) 348-1713 JFORD1@UA1VM.BITNET ------------------------------ Date: Sun, 01 Oct 89 01:09:25 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: Follow up on Tiger Team comments. There have been a couple messages regarding my Tiger Team suggestion, some of which have some good criticisms, others of which seem to have misread or read something into my message that wasn't there. First and foremost, I must emphasize that this would be one part of an overall anti-virus strategy, and you must take the use of Tiger Teams in a "positive manner", i.e. not to *punish* users who do not follow anti-virus procedures, but to *find* such users, and having found such users, ensure that they do follow the established anti-virus procedures in the future. Punishing users that fail to do so only gets the users mad, and mad users help no one. Second, a couple people have suggested this proposal leaves live viruses floating around desktop computers in the office, after the Tiger Team had successfully penetrated one. I believe I stated in my original proposal that the first step the Tiger Team would take is to create an *image* backup of the system they will try to infect. Regardless of the success or failure in infecting the computer, the disk would be restored from the image backup taken originally. Now should the TT successfully infect the system, the computer would be "disabled"; applying a large label over the CRT would effectively tell a user they are not to use their computer until they have gone over the anti-virus procedures with someone from the "computer services" department went over these procedures with the user. Backing away from the specific subject of Tiger Teams, I wish to emphasize the problem TTs are addressing; enactment of anti-viral procedures. As an example, it is illegal in most states to sell alcohol to adults under 21. In parts of the country which have these laws and *enforce* these laws, the ease of which an adult under 21 can purchase liquor is reduced (that is to say it is harder) over parts of the country which have the laws and do not enforce them well, or do not have the laws. It is a great first step if Acme Industries issues a set of anti-viral guidelines, but unless Acme does something to see to it the employees are following these procedures, then those policies are nothing more than pieces of paper in the users wastebaskets! ------------------------------ Date: Sat, 30 Sep 89 19:56:54 -0700 From: RSRANCH@UCLASSCF.BITNET (Ran Chermesh) Subject: Configuring FluShot (PC) I've d/l FluShot ver. 1.7 from Simtel. When I tried to install it, it looked for the FLUSHOT.DAT file in drive A. If I'm not mistaken, this kind of search was not part of FluShot in the past. I looked for instruction how to configure it to drive C, but couldn't find. Did I miss anything? Can anyone suggest a way to override this default? Temporarily I did override it by preceding the FSP instruction with an ASSIGN a=c instruction. Still, this couldn't be the appropriate solution. Ran Chermesh RSRANCH@UCLASSCF.BITNET p.s. Since I'm not a member of the VIRUS-L, I'll appreciate receiving your solution directly to me. If it is the norm on this list to summarize responses and to resubmit them to the list, please let me know and I'll be glad to comply. ------------------------------ Date: 01 Oct 89 08:23:20 +0000 From: chinet!ignatz@att.att.com Subject: Re: Tiger Team comments The author of the original "Tiger Team" concept responded to a couple of critical postings with some rebuttals. As I read them, he defended the TT concept by emphasizing, several times, that the TT would be checking compliance with anti-viral policies. I ask, if this *is* the goal, couldn't the corporation provide a configuration test program that checked for the existence of corporation-approved software and methods without introducing a virus, and requiring all the intermediate overhead of special backups, etc.? Dave Ihnat Analysts International Corporation, Chicago ignatz@homebru.chi.il.us (preferred return address) ignatz@chinet.chi.il.us ------------------------------ Date: 01 Oct 89 17:58:41 +0000 From: carroll1!tkopp@uunet.UU.NET (Tom Kopp) Subject: Future AV software (PC) I had a thought earlier about a possible future Anti-viral system. It would be software based, therefore subject to its own corruption, however it seems to me to be a mix of the work of Anti-Viral gurus McAfee and Greenberg. It works something like this: A version/variant of ViruScan would run, searching not for viral-identifying code, but rather for the interrupt calls that write to a disk (a la Flu_Shot techniques). When it finds one, it looks in a table to see if that code is allowed. This table could consist of the following format: filename;offset of interrupt;filesize CRC; with the possible inclusion of just WHICH interrupt was attempting to be invoked. The user of the software could either add to the table for software that he/she has written, or wait for updated database listings from whoever wrote/maintained such a program. Also in the vein of Flu_Shot, a list could be maintained of files to 'ignore'. I do see a problem in that setting up the original database to cover the countless programs existing is a truly arduous task, however for a purpose such as this, I would think reputable software companies would provide as much assistance as possible, which could be a lot if the code was written in assembler. Is there some other fundamental element I'm missing, or is this a plausible idea? tkopp@carroll1.cc.edu or uunet!marque!carroll1!tkopp Thomas J. Kopp @ Carroll College 3B2 - Waukesha, WI ------------------------------ Date: Sun, 01 Oct 89 17:58:04 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: The book you've all been waiting for? John McAfee of Interpath, National Bulletin Board Society, and Computer Virs (Virus, not Virs) Industry fame has written a book. Entitled _Computer Viruses, Worms, Data Diddles, Killer Programs, and Other Threats to Your System: What They Are, How They Work, and How to Defend Your PC, Mac, or Mainframe_, it is co-authored with Colin Haynes, and published by St. Martin's Press. I finished reading it today, and this is some preliminary thoughts I have on the book (this message would be more detailed, but I have to catch a plane to New Orleans tonight and I leave in thirty minutes). I do not like this book. I found it to be (at various points) contradictory, incomplete, and alarmist. Before the flame wars begin, let me emphasize that the whole book is not constantly contradictory, incomplete, and or alarmist, nor is any one section all three of those things. Some sections (most notably the first third of the book and the last chapter) are very alarmist. In the final chapter for instance, McAfee quotes some NBBS users about what type of viruses do they see "looming in the distance". One example cited is a modification to the electronic switches used by the phone company to reroute a call placed by caller n to the number dialed by called n-1. A second example would have the computers controlling the nation's traffic lights (the computers are made by one of three companies) all turn green in all directions on a given Friday. I leave it as an exercise to Virus-L readers to find where these are flawed, other than the obvious one that neither of these are viruses per se, but are examples of destructive measure viruses could be put to. In between the beginning and the end of the book, McAfee focuses on a technical discussion of viruses, and he does, alright. There are much better books (IMO) on the market about PC viruses (such as the Compute book) or viruses in general (Ralf Burger's _Computer Viruses, A High Tech Disease_), but if you are comfortable with McAfee's paradigm's, then his work is acceptable. If you are not comfortable with McAfee's paradigm, or if you are concerned with viruses in the Macintosh environment (or to a lesser degree, the mainframe environment), you will get awfully confused. The book has a very heavy PC bias, and (for example) trying to fit McAfee's generic description of viruses into the Macintosh paradigm does not work easily. I will be out of town for two weeks, and Virus-L will be on vacation by the time I get back. When I do get back into town, I will write a more comprehensive review for Virus-L. What it all comes down to is this. McAfee & Haynes' book is no great shakes; it simply is not well written. This is not to call John McAfee names or anything, but "he should not give up his day job". My advice is to buy a copy of the NIST paper (which is shorter, more concise, and has a greater proportion of useful information) and a good set of anti-virus tools for your computer. Viruscan is one of the best for the PC from what I understand, and a bargain at $15. ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Tuesday, 3 Oct 1989 Volume 2 : Issue 210 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: re: Why not change OS? re: Future AV software (PC) List of PC viruses VGA2CGA.ARC (or .ZIP) infected with virus (PC) Re: Future AV software (PC) Re: Posting to VALERT-L re: M-1704 (PC) nVIR B (Mac) Re: Viruses in Commercial Software New PC Virus (AIDS Virus) --------------------------------------------------------------------------- Date: 02 Oct 89 00:00:00 +0000 From: David.M..Chess.CHESS@YKTVMV Subject: re: Why not change OS? Hm. You seem to be assuming, among other things, that: - If a virus can't talk directly to the hardware or to files belonging to other folks, it can't do any serious harm, and - UNIX programs are exchanged only as source, not as binaries. I'd disagree with both of those claims; the Jerusalem virus, one of the most widespread and troublesome in the PC world, doesn't talk directly to the hardware, and doesn't rely on being able to write out of the user's own space. I imagine everyone on the list can think of a number of nasty/destructive/confusing things that a virus could do even if it only had access to the user's own data files, and couldn't write direct to hardware (I won't list any here, hehe!). As UNIX and UNIX-derived systems continue to spread beyond the programmer community, program exchange among groups using the same hardware will tend, I would expect, to include more exchange of binaries. I wouldn't expect to see a virus that could infect more than one or two hardware platforms in the near future (cross fingers), but a virus that could spread to any machine in one of the more popular UNIX hardware categories would be quite enough to cause problems for lots of folks! While I don't know of any UNIX viruses at the moment, I would disagree with the suggestion that UNIX is inherently virus-resistant enough to make it worthwhile switching OS's in hopes of being able to forget about virus protection! The same applies to any other general-purpose OS around; viruses *don't* need insecure systems to spread and do Bad Things. That's the whole point... DC IBM T. J. Watson Research Center UNIX is a trademark of AT&T (or Bellcore, or someone like that) ------------------------------ Date: 02 Oct 89 00:00:00 +0000 From: David.M..Chess.CHESS@YKTVMV Subject: re: Future AV software (PC) Unfortunately, it's just about impossible to scan for new viruses by examining the on-disk image of programs, and looking for things like INTs. Three (at least) of the families of PC viruses out in the world today store themselves on disk in "garbled" form, with only a little "degarbler" stored in clear. That degarbler doesn't contain any INTs or other suspicious instructions, and the garbled part of the virus appears to be random data. The nasty instructions don't appear until the virus executes, and the degarbler converts the garbled stuff to code. So it's really only possible to catch these things at runtime (as Flushot+ and similar programs try to do), not on disk... DC ------------------------------ Date: Mon, 02 Oct 89 17:54:26 +0200 From: Y. Radai <RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU> Subject: List of PC viruses On May 16 I submitted a list of 20 PC viruses to VIRUS-L. Since then, the Terrible Twenty have become the Threatening Thirty (Plus Two). Here's the list updated to the present (well, actually, only to yesterday; at the current rate there'll probably be at least five more today :-) ). PC-DOS/MS-DOS Viruses ===================== No. of First Names Strains Type Appearance ----- ------- ---- ---------- 1. Brain, Pakistani, Ashar 8 Boot sector 7K F Jan? 86 2. Merritt, Alameda, Yale 8 Boot sector 1K F Apr? 87 3. South African, Friday 13th 2 COM D ? 87 4. Lehigh 2 COMMAND.COM RO 0 Nov 87 5. Vienna, Austrian, Dos-62, Unesco 3 COM D 648 Dec? 87 6. Israeli, Friday-13, Jerusalem 12 COM/EXE R 1813/1808 Dec 87 7. April-1-Com, Suriv-1 1 COM R 897 Jan 88 8. April-1-Exe, Suriv-2 1 EXE R 1488 Jan 88 9. Ping-Pong, Bouncing-Ball, Italian 3 Boot sector 2K Mar 88 10. Marijuana, Stoned, New Zealand, 2 Boot sector 1K; Early 88 Australian partition record on hard disk 11. Nichols 1 Boot sector Apr 88 12. Missouri 1 Boot sector May 88 (89?) 13. Agiplan 1 COM R 1536 Jul 88 14. Cascade, Autumn, Blackjack 6 COM R 1701/1704 Sep 88 (87?) 15. Oropax, Music 1 COM RD 2756 to 2806 Feb 89 16. DenZuk, Venezuelan, Search 6 Boot sector 7K F Early 89? 17. Dbase 1 COM/EXE R Mar? 89 18. DataCrime 2 COM D 1168/1280 Mar 89 19. 405 1 COM DO 405 Apr? 89 20. Screen 1 COM R May? 89 21. FuManchu 1 COM/EXE R 2086/2080 May? 89 22. Ohio 1 Boot sector May 89 23. Icelandic, Saratoga 3 EXE R 656/642/632 Jun? 89 24. Typo 1 Boot sector 2K Jun 89 25. Traceback 1 COM/EXE RD 3066 Jun 89 26. Disk Killer 1 Boot sector Jun? 89 27. Swap 1 Boot sector 2K Jul 89 28. DataCrime II 1 COM/EXE D 1514 Jul 89 29. Vacsina 1 COM/EXE R 1206 Aug 89 30. Mix1 1 EXE R 1618 Aug 89 31. Syslock, 3555 1 COM D 3555 Sep 89 32. Dark Avenger 1 COM/EXE 1800 Sep 89 -- Total no. of strains 77 Summary by type: Boot = 11, COM = 10, EXE = 3, COM/EXE = 7, COMMAND.COM = 1. Among file viruses, Resident = 12, Direct = 6, Resident-Direct = 2. Notes: 1. In the "Type" column, "COM" or "EXE" indicates the type of files infected. "R" stands for "resident", meaning that when an infected program is run the virus makes itself RAM-resident (hooking one or more interrupts); usually such a virus infects subsequently executed programs of the appropriate type, e.g. COM files. "D" stands for "direct", meaning that it searches the disk for an uninfected file and infects it; normally such a virus does not stay resident. (However, it is possible for a virus to be both resident and direct in this sense.) "O" indicates that the virus overwrites the beginning of the file instead of appending or prepending itself to it. The number(s) after the "R" or "D" indicate the number of bytes by which the virus extends files which it infects (however, in the case of EXE files, the total size of the file after infection will get rounded up to the next multiple of 16 if it is not already such a multiple). The number after the "O" is the number of bytes overwritten. In the case of a boot-sector virus, the number of the form "nK" indicates the amount of RAM which the virus occupies. "F" means that the virus infects only diskettes. 2. I include only those viruses which have spread publicly, as opposed to localized test viruses (of which there may be hundreds). (The "Pentagon virus" is deliberately excluded since as far as I know it has not spread publicly; in fact, in the form it was received in the UK, it cannot spread at all.) 3. By definition of "virus", this list does not include non-replica- ting software. 4. Questionable cases: (a) I suspect that the "Lotus 123 virus" and the "Cookie virus" repor- ted recently in VIRUS-L may not be true viruses, and I have therefore decided not to include them, at least for the time being. (b) Although I have included the Dbase and Screen viruses reported by Ross Greenberg, no one else currently on VIRUS-L seems to have encoun- tered them. Jim Goodwin claimed that Dbase does not replicate and hence is not a virus, though it's possible that Jim and Ross were talking about two different things. (c) In May 88 I read about a "retro-virus" which infects 3 specific programs and is capable of reinfecting files after apparently being eradicated. Does anyone have any further info on this virus? (d) I have heard of spreadsheet viruses which occasionally change a value by a small amount, but I have not included them in the table. Further info would be appreciated. We frequently find new viruses which have evidently been created by using an existing virus as a starting point and then modifying it. When should the new creature be considered a new virus and when should it be considered as merely a new strain of the same virus? The cri- terion I have tried to follow (though I probably haven't been entirely consistent) is as follows: If the "damage" part of the virus has been qualitatively altered, or if a virus has been altered to infect additional files (e.g. EXE files where the original infected only COM files), then I classify it as a separate virus. (E.g. although FuManchu, Typo, DataCrime-2, and Mix1 are based on Israeli-Friday13, Ping-Pong, DataCrime-1 and Icelandic-1, resp., I consider these as separate viruses.) If code has been altered, but only by something minor, such as changing a target date or the number of infections required to trigger the damage, or if the alteration seems to be merely an attempt on the author's part to *improve* the code of an existing virus without adding new features, then I regard it as a different strain of the same virus. If the only difference is that only strings (e.g. messages or volume labels) have been modified, then I do not consider it as even a sepa- rate strain. Corrections and additions to this list are welcome. (I'm particu- larly curious about those questionable dates.) Please send your cor- rections directly to me; I'll post an updated version of this table from time to time. I have received suggestions to include additional info in the table, such as the symptoms and damage caused by each virus, what types of disks it infects, etc. While I agree that such information would be very useful, it is beyond the intended scope of this table, both be- cause of the difficulty of describing this information in such a short space and because the answers often depend on the particular strain of the virus. This would make the table much more complicated than it was intended to be. Those interested in further information on the viruses listed here will eventually find it in various catalogs under preparation, e.g. one by David Ferbrache and another by the Virus Test Center at the Univ. of Hamburg (these include non-PC viruses as well). Acknowledgments: I have drawn on information provided by many people. Postings in VIRUS-L are too numerous to mention individual names, but among those who have corresponded with me personally, I would like to thank Dave Ferbrache, Dr. Alan Solomon, Joe Hirst, Prof. Klaus Brunnstein, Fridrik Skulason, John McAfee, Bernd Fix, Otto Stolz, and David Chess. Y. Radai Hebrew Univ. of Jerusalem ------------------------------ Date: Mon, 02 Oct 89 11:08:00 -0600 From: Keith Petersen <w8sdz@WSMR-SIMTEL20.ARMY.MIL> Subject: VGA2CGA.ARC (or .ZIP) infected with virus (PC) A BBS operator in the Detroit area received an MSDOS program infected with a virus. The file, VGA2CGA.ARC (or .ZIP) - a program which claims it can display VGA graphics on a CGA display, has not been distributed in Detroit and no systems were affected as far as we know. The date/time stamps of the member files in this archive are April 1, 1989 (April fools day). The BBS in California where this file was obtained has been notified to remove the file. Please let me stress that SIMTEL20 does NOT have this program in its archives. I am just acting as a go-between to pass the warning to this newsgroup. [Ed. See followup, on "AIDS" virus, from Alan Roberts in this digest.] - --Keith Petersen Maintainer of SIMTEL20's CP/M, MSDOS, and MISC archives Internet: w8sdz@WSMR-SIMTEL20.Army.Mil [26.2.0.74] Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz ------------------------------ Date: 02 Oct 89 21:32:49 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Re: Future AV software (PC) In article <0014.8910021145.AA27888@ge.sei.cmu.edu> carroll1!tkopp@uunet.UU.NET (Tom Kopp) writes: | A version/variant of ViruScan would run, searching not for | viral-identifying code, but rather for the interrupt calls that write | to a disk (a la Flu_Shot techniques). When it finds one, it looks in | a table to see if that code is allowed. There is a program to do this already. CHK4BOMB will scan a program and report on anything "suspicious" it finds. This was originally meant to find Trojan Horses, but could work against some viruses as well if used in conjunction with other programs. One thing it cannot find is code which is self-modifying, thus hiding the actual low-level access to the disk controller. - -- Jim Wright jwright@atanasoff.cs.iastate.edu ------------------------------ Date: Mon, 02 Oct 89 18:18:56 -0500 From: James Ford <JFORD1%UA1VM.BITNET@VMA.CC.CMU.EDU> Subject: Re: Posting to VALERT-L re: M-1704 (PC) I recently posted a question on VALERT-L about the file M-1704.EXE. SCAN V36 stated that it was infected. I now know, from McAfee and others, that the 1704 virus is encrypted. Since it is, M-1704 must have a specific hex search string in it....one that will indeed cause SCAN to flag it. This is *normal* (thats as technical as I can get....I don't know more, and what I just said is probably techincally wrong). I hope that my posting of the VALERT-L message does not reflect negatively on the Wellspring BBS. The Wellspring BBS is a top-notch BBS, and its anti-viral file collection is among the best in the country. If I gave you a wrong impression of Wellspring, I apologize. I would post this statement about the Wellspring BBS on VALERT-L, but have been informed that VALERT-L is not suppost to be carrying such postings. JF Acknowledge-To: <JFORD1@UA1VM> ------------------------------ Date: Mon, 02 Oct 89 19:46:00 -0500 From: <CTDONATH@SUNRISE.BITNET> Subject: nVIR B (Mac) I recently came across the nVIR B virus on a cluster of Macs. I removed it using Disinfecant 1.5 and appears to be gone. What problems does nVIR B cause? Does it delete files, do annoying things, or simply spread? Being a semi-public cluster, how much of a concern is its presence? ------------------------------ Date: 03 Oct 89 02:23:01 +0000 From: bnr-di!borynec@watmath.waterloo.edu (James Borynec) Subject: Re: Viruses in Commercial Software In article <0008.8909281133.AA14331@ge.sei.cmu.edu>, TMPLee@DOCKMASTER.ARPA wri tes: > In commenting on viruses being distributed (accidentally, of course) > through commercial software someone recently mentioned that someone > near him had been hit by a virus that was in a shrink-wrapped copy of > WordPerfect. I'm skeptical... It happened. A co-worker bought a copy of WordPerfect for his Amiga. When it came to him, it was infected. Those are the facts as he told them to me. If anyone wants more details I am willing to supply them. It probably won't do any good because the problem has been fixed. If anyone is collecting historical information and wants more details send E-mail. (BTW. to the person who sent me E-mail on this topic, did my reply get through to you?) The story behind this goes something like: WP sold the distribution and support rights for the Amiga version of WP for Canada to a company in Ontario. That company had some problems. That company no longer has the redistribution rights. I personally have been hit TWICE by viruses in commercial software. From different vendors. Once when I was examining a popular speech synthesis package for my Mac, and once when we got our TI micro-explorer. Just the thing, factory loaded viruses. To summarize: It happens. Treat ALL software entering your system with caution. James Borynec - -- UUCP : utzoo!bnr-vpa!bnr-di!borynec James Borynec, Bell Northern Research Bitnet: borynec@bnr.CA Box 3511, Stn C, Ottawa, Ontario K1Y 4H7 ------------------------------ Date: Mon, 02 Oct 89 21:45:03 -0700 From: portal!cup.portal.com!Alan_J_Roberts@SUN.COM Subject: New PC Virus (AIDS Virus) A new PC virus was submitted to the CVIA from Keith Peterson (who maintains the SIMTEL20 MSDOS archives). This virus replicates in COM files and has the unusual capability of infecting generic COM files internally - without changing the real size of the file (unlike the zero-bug virus which maintains an "apparent" constant infected file size). Small COM files are infected externally, and the files sizes, for all files under 10K, changes to 13952 bytes - another unusual characteristic. The virus displays a full screen graphic with the the word "AIDS" occupying the bottom half of the screen. The top half contains a long rambling message from the author informing the user of how stupid he has been for using public domain software. SCANV40 has been updated to identify the virus. It is not yet known how destructive the virus may be (all tests have been done with a disabled hard disk). More info forthcoming. ViruScan identifies the virus as the AIDS Virus. Thanks to Keith Peterson for his quick identification of the virus and for his timely response. Alan ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Wednesday, 4 Oct 1989 Volume 2 : Issue 211 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: New virus? - further report (Mac) Lost mail in U.K. Tiger Teams Re: Followup on new virus (Mac) Columbus Day Virus in the Military Virus protection (PC) NIST Special Publication Re: viruses in Commercial Software Correction to previous posting (Mac) new IBMPC anti-virals UNIX virus proof?! (UNIX) Jerusalem Virus -B (PC) --------------------------------------------- Date: 03 Oct 89 14:49:03 +0000 From: jap2_ss@uhura.cc.rochester.edu (Joseph Poutre) Subject: New virus? - further report (Mac) Here is a further report on the possible virus at the U of R. The student consultants at the University computing center made copies of programs they believed infected and sent them to our computer center. I had an infected copy of Macwrite 5.01 for a while., where I discovered the added STR and the changed ICN. I have had reports of Macwrite II being attacked, but the info I have is inconplete. I am still trying to get another infected program, but I am never around when an infected disk is found. When I get one those that requested a copy will be sent one via email, if it works. The infected System on the consultants' hard drive is 6.0.2, and the only symptom it has shown so far is the "Last Modified" date and time change at irregular intervals, including this morning. I was able to induce a change by repeatedly doing a Get Info on the system. The virus probably found its way onto the disk when a consultant put recovered files from a disk showing what may be sysmptoms of the virus onto the hard drive. Vaccine is installed in teh System folder, and did nothing. The system also has NVIR immunity. The applications known to be attacked, so far, are Macwrite 5.01, Macwrite II, the System and its associated files. All of them, even the clipboard. I just watched to Last Modified date change on Laserwriter change during a copy. (Needless to say the consultants are working on replacing and File Locking everything. This appears to protect against the virus.) I will obtain copies of the infected stuff and try to do some comparisons using Resedit. To repeat, Disinfectant 1.2 has no effect, and Vaccine does not protect against it, at least from infecting within a disk. I plan to spend today working with infected and non-infected programs, and report my findings, and those of the others working on tis problem. Joseph Poutre (The Mad Mathematician) jap2_ss@uhura.cc.rochester.edu Understand the power of a single action. (R.E.M.) ------------------------------ Date: Mon, 02 Oct 89 09:40:10 -0000 From: "David.J.Ferbrache" Subject: Lost mail in U.K. Due to disruption of the mail gateway at Heriot-Watt University mail during the month of September has been intermittent. Anyone who has sent mail to me and not received a reply, please accept my apologies and resend the letter. The info-server facility is currently clearing a backlog of requests and should return to normal service shortly. Many thanks - ------------------------------------------------------------------------------ Dave Ferbrache Internet <davidf@cs.hw.ac.uk> Dept of computer science Janet <davidf@uk.ac.hw.cs> Heriot-Watt University UUCP ..!mcvax!hwcs!davidf 79 Grassmarket Telephone +44 31-225-6465 ext 553 Edinburgh, United Kingdom Facsimile +44 31-220-4277 EH1 2HJ BIX/CIX dferbrache - ------------------------------------------------------------------------------ ------------------------------ Date: 03 Oct 89 14:03:00 +0700 From: "Okay S J" <okay@tafs.mitre.org> Subject: Tiger Teams In VIRUS-L V2NO208 "Thomas B. Collins, Jr." <TBC101@PSUVM.BITNET> writes: >Say I get my new system, put all the software on >it, and run a few virus scanners that turn up nothing. I then run all >applications from my hard drive, and don't use any floppy disks. It >wouldn't make sense for me to check my hard drive every day for viruses, >because they don't just pop up from nowhere. You're discounting the fact that your machine could be on a network. Having an infected machine on a network where one transfers files between machines can be just as bad as sticking a floppy in the machine. One shot does not cure all >If I did add software to my system, I would check it for viruses before >adding it. I think it would make more sense for the Tiger Teams to come >in in the middle of the day, ask you to please save your work, and then >run a virus checker on your system. It would cause too much of a loss of productivity and interruption of the work routine. Night is better if you're going to do it. Plus the public embarrasment of having ones machine checked. Seriously, its kind of like any test for drugs or AIDS or anything like that. Its not so much as to whether you are infected, but just the idea that it was done. After all, why have a test done if there isn't some suspicion...This at least would be the view of most people around those who had their machines tested. 'Did you hear George got busted by the Tiger Team last week?---They didn't find anything, but you never know....' >If anything is found, you are "cited" as letting a virus into your system. >If you're clean, you go back to work, and the Tiger Team moves on. What exactly does 'cited' mean? Disciplined?, public marked as a electronic leper in the company? fired? --Now that we've established how they would operate, what should be the penalties for those 'caught'? Stephen Okay Technical Aide, The MITRE Corporation x6737 OKAY@TAFS.MITRE.ORG/m20836@mwvm.mitre.org 'Geez...I actually have to use a disclaimer now, I must be getting important!' Disclaimer:Its mine, mine, mine, mine, mine !!!!!!!!!!!!!! ------------------------------ Date: 03 Oct 89 16:14:59 +0000 From: eplrx7!milbouma@uunet.UU.NET (milbouma) Subject: Re: Followup on new virus (Mac) >No anti-virus program has been able to find it, including Interferon, >Virus Rx, Anti-pan, and Disinfectant 1.2. If this is recognized by anyone, >please email me ASAP at the address below with devirusing help. I tried to e-mail but the message bounced. I do not recognize the virus by your description, but if it is new then no one will including the antiviral apps that you mention. I can recommend Symantec's new antiviral package, SAM, which will flag any abnormal writes from an application (like Vaccine if you're familiar with it, but better than Vaccine). SAM will at least protect your machines from getting infected and also has a Virus scanner program that scans for known viruses and can also repair irreplaceable apps that are infected. Part of the protection init also will ask you if you want to scan a floppy for known viruses whenever you insert one. I also recommend that you contact Symantec and give them a copy of your virus so they can update their Virus scanner program. Symantec can be contacted at (408) 253-9600, (800) 441-7234. Please keep the net posted on further developments with this virus. I would especially be interested to know if the SAM INIT flags infection attempts by the virus. Thanks (I do not work for Symantec) ------------------------------ Date: Tue, 03 Oct 89 11:10:34 -0600 From: Chris McDonald ASQNC-TWS-RA <cmcdonal@wsmr-emh10.army.mil> Subject: Columbus Day Virus in the Military While I did not see the computer chronicles report referenced by a poster in a recent Virus-L edition, I would propose that there really is no accurate way at the present time to gauge any computer viral infection within the military given existing policies and organizational structures. The diversity of organizations has resulted in differing policies as to whether such reporting is or is not mandatory. This "discretionary" rather than "mandatory" reporting ensures in my opinion that viral infections go unreported. Indeed, I am aware of an outbreak of the Israeli B virus strain which infected several PCs at a particular Army activity which I subsequently learned was not reported through its chain-of-command. In all fairness the written policies applicable to that activity do not make reporting mandatory. In so far as the Columbus Day virus is concerned, the Army's Information Systems Command through a variety of sources has tapped the resources of Virus-L to alert its users as to the potential threat. An advisory message on the subject has been distributed utilizing information first seen on Virus-L. Other Army Commands have retransmitted the same information. I would like to propose that the military subscribers to Virus-L perhaps pursue the problem of reporting by answering these questions: 1. Has your site experienced a viral infection? 2. What viruses were present? 3. Was it reported to the next level of command? I am volunteering to compile the results and then post a summary of the responses received to Virus-L. I will of course ensure the confidentiality of the identity of all sites. Responses should be sent to me directly at <cmcdonal@wsmr-emh10.army.mil>. If this is unacceptable, then perhaps someone out there in NETLAND has a better idea. Parenthetically, I wonder if Ken might provide a breakdown of who actually subscribes to Virus-L in terms of military, university, and contractor subscribers? This would be important to assess the level of participation. [PS: Congratulations on your marriage!] [Ed. Thanks! It would be extremely difficult to quantify the different VIRUS-L subscribers, particularly since we're now distributing VIRUS-L via the comp.virus Usenet newsgroup. I can tell you, however, that the actual mailing list contains just shy of 1300 subscribers, over 200 of which are redistribution points. These sites represent a solid cross-section of educational, commercial, military, and government sites in several countries. Most (perhaps 70%) of the sites are educational, with approximately equal numbers of com, mil, and gov sites. Let me stress that these are not accurate numbers for any sort of statistical analysis.] ------------------------------ Date: Tue, 03 Oct 89 14:01:11 -0600 From: Brian Piersel <S1CH@SDSUMUS.BITNET> Subject: Virus protection (PC) I'm a new owner of an IBM AT compatible computer, and so I am not very familiar with the various anti-virus programs. Could someone explain to me how these work, and/or recommend one to get? Respond directly to me, if possible. Thanks in advance... ------------------------------ Brian Piersel BITNET: S1CH@SDSUMUS ICBM: 96.50W 44.20N INTERNET: S1CH%SDSUMUS.BITNET@VM1.NoDak.EDU (The Internet address doesn't always work) "Live long and prosper." ------------------------------ Date: Tue, 03 Oct 89 14:16:52 -0600 From: Chris McDonald ASQNC-TWS-RA <cmcdonal@wsmr-emh10.army.mil> Subject: NIST Special Publication I would like to add some additional thoughts to those who have already commented on the NIST "Computer Viruses and Related Threats: A Management Guide." 1. I believe there is a signifiant error on page 2-6. The report in discussing the INTERNET Worm states: "It was unclear what the network worm's objective was, as it did not destroy information, steal passwords, or plant viruses or Trojan horses." I think there is substantial evidence to prove that the Worm in causing denial of service attacks did indeed destroy information. Donn Seeley has made the point that the author of the Worm program specifically "deleted" an audit file so as to hide his location. There are also numberous reports that the program successfully "captured" passwords on other hosts to which the Worm author was not entitled. The NIST authors reference Dr. Spafford's report on page A-1 which addresses the "stealing" of passwords. Both Seeley's and Spafford's analysis of the incident can be found, along with other related papers, in the Jun 89 edition of the "Communications of the ACM." This ACM edition is probably the best reference on the entire incident available in the public domain. I think it should have been included in the NIST reference list. 2. I differ from several commentators who suggest that the document is "prejudiced" against the use of public domain and shareware products. I think on pages 3-3 and 5-3 the document stresses only that organizations should develop a clear policy on the acquisition and on the use of such software. 3. I am struck by the lack of any reference to Virus-L, RISKS Forum and other INTERNET services which have for years provided we users the best available, open source information on the subject of computer viruses. There is also little in the way of reference to the work of professional associations such as ACM, IEEE, the Computer Security Institute, and the Information Systems Security Association in addressing the computer virus phenomenon. Surely "technical managers", who are the audience for this publication, could use such resources to implement the virus prevention suggestions in the NIST publication. Chris Mc Donald White Sands Missile Range ------------------------------ Date: Tue, 03 Oct 89 12:11:00 -0400 From: <ACSAZ@SEMASSU.BITNET> Subject: Re: viruses in Commercial Software We too have been hit, though not recently. Last semester, a freehand disk from Aldus had scores on it right out of the box. These 'professionals' should pay more attention to what they are doing. Alex Z... . . . ------------------------------ Date: Tue, 03 Oct 89 20:31:00 -0500 From: <CTDONATH@SUNRISE.BITNET> Subject: Correction to previous posting (Mac) Sorry, folks, I spread a little misinformation without realizsing it. I have Disinfectant 1.2, not 1.5. (BTW- does anyone know where the latest versions can be obtained as they become available?) I had gotten swamped with requests for 1.5. Sorry! ------------------------------ Date: Tue, 03 Oct 89 21:37:54 -0500 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: new IBMPC anti-virals New additions to the archives. For the most recent site listings, see vol 2 num 209 of VIRUS-L (or better yet, save those monthly site lists!). All the files in this batch are shareware. bootchk.exe Program to verify boot sector of disk. Performs comparison with secure copy of boot sector. To be used in autoexec.bat. Sent to me by author. Version 1.00 (first release). Self-extracting zip. m-1704.arc Update to previous file of same name. Only change is in docs to warn of possible false alert issued by viruscan. Direct from author's BBS. netscan.arc Network compatible program to scan disks for known viruses. Version 0.4v33, update to previous releases. Direct from author's BBS. scanrs39.arc Resident program to scan executables for viruses before loading. Version 0.9v39, update to previous releases. Note minor change in spelling of archive name. Direct from author's BBS. scanv40.arc Program to scan disk and report any viruses found. Version 0.7v40, update to previous releases. Direct from author's BBS. shez48.exe Shell program for manipulating archives which, with this new release, is compatible with viruscan. Version 4.8. From HomeBase where it was placed by author. Self-extracting LZH archive. [ I was unable to get the viruscan aspect to work as advertised ] [ but I only put forth a minimal effort. -- jrw ] BOOTCHK.EXE Verifies boot sector against secure copy, v1.00 M-1704.ARC Repairs and removes infections of 1704A and 1704B viruses NETSCAN.ARC Network compatible program to scan for viruses, 0.4v33 SCANRS39.ARC Resident program to check for viruses, 0.9v39 SCANV40.ARC Scans disks and reports viruses found, 0.7v40 SHEZ48.EXE Shell for archive manipulation w/ virus checking, v4.8 Jim ------------------------------ Date: Tue, 03 Oct 00 19:89:58 +0000 From: ficc!peter@uunet.uu.net Subject: UNIX virus proof?! (UNIX) I wouldn't say UNIX is virus-proof (I posted a hoax article about a UNIX virus over a year ago, just before the Internet Worm incident), but it's sure a hell of a lot more virus-resistant than DOS. ------------------------------ Date: 04 Oct 89 07:14:43 +0000 From: consp06@bingvaxu.cc.binghamton.edu Subject: Jerusalem Virus -B (PC) SUNY Binghamton has been hit by the Jerusalem Virus. It seems to be spreading pretty well. We are looking for: 1) Advice. 2) SCAN38, SCANRES, etc... any of those. 3) UNVIRUS We have SCAN28, and we want to know where to get everything else we need to arm ourselves against this nasty villain. Thank you very much. -Robert Konigsberg ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Wednesday, 4 Oct 1989 Volume 2 : Issue 212 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Virus Commentary Re: Virus Commentary The invincible virus (Ghost virus) (Atari ST) Information wanted Re: New virus? (Mac) nVIR B Details (Mac) Submission for comp-virus New Mac Virus - Further Diagnostic Help Where to Get Mac Anti-Virals datacrime II antidote (PC) OGRE virus in Arizona (PC) --------------------------------------------------------------------------- Date: Sun, 24 Sep 89 15:12:00 -0600 From: Frank Starr <55srwlgs@sacemnet.af.mil> Subject: Virus Commentary Sabotaged Program Reactions - An Editorial Review by Frank Starr The continuing threat of virus and Trojan Horse programs - which I prefer to call sabotaged programs, has begun to spark some reaction from the upper levels of the Department of Defense. Concurrent with the discovery of the so-called "Columbus Day Time Bomb", previously known as the Datacrime Virus, has come a series of directives which may serve to eliminate the use of all forms of shareware by D.O.D. personnel on D.O.D. microcomputers. Air Force users first received word of the Columbus virus from a message published by the USAF Office of Special Investigation, republished and mass mailed through MILNET/DDN, the D.O.D. e-mail system. Two suspected sources have been listed - a European extremist group in the spiritual sway of Bader Meinhoff, and a Norwegian group displeased with celebrations honoring Columbus, while ignoring Norse discoveries preceeding those of European explorers. Later communiques identified the virus as the Datacrime variety, capable of trashing the FAT area of a hard drive. From the first message to all others received to date, a prevailing directive has been to cease using all software downloaded from private bulletin boards. Various interpretations have gone so far as to conclude that only vendor supplied software should be used, to the absolute exclusion of everything else, whether shareware available for purchase after an initial test period, or freeware for which no fee or donation is ever asked. All of this confusion promises to cause a lot of D.O.D. micro users to cut themselves off from anything except commercial software, purchased through government contracting channels. This in spite of the fact that there have even been reports about commercial software occasionally being sabotaged by temporary employees (as reported in an issue of Government Computer news about a year ago. Sorry, specific issue forgotten). There are a number of micro bulletin boards in D.O.D., some of which offer shareware software for evaluation to potential customers. Some of the SYSOPs of these systems forsee a call to close down operations, based on reactions to sabotaged software threats, and rough drafts of official regulations to control software on D.O.D. micros (see the September/October C2MUG bulletin, page 5). Although there are some advisories for users to back up all software on D.O.D. micros, more attention seems to be going towards the elimination of all non-contract software on D.O.D. micros. Since sabotaged programs are more often reported in connection with softwaree downloaded from public RBBS systems, this game plan can be understood, if not readily supported. However, with micro user education still a lower priority object in many areas, and software backup not a widespread practice, it seems that, especially with funding cuts a now and future reality, more attention would better be given to how to defend against sabotaged programs, and perhaps the avoidance of all forms of shareware could be reevaluated. Frank Starr ------------------------------ Date: Sun, 24 Sep 89 18:03:00 -0600 From: "Frank J. Wancho" <WANCHO@WSMR-SIMTEL20.ARMY.MIL> Subject: Re: Virus Commentary Frank, I just read and reread your editorial. I fear that possibly many people will misread it, overlooking certain key words and phrases, such as "may" in "may serve to eliminate," "various interpretations," "foresee," "seems" in "more attention seems to be," etc. The actual point of your editorial, with which I agree, is in your last sentence, which should have been a paragraph by itself (starting with the word, "However," and broken into several sentences: Micro user education is still a low priority activity in many areas, and software backup not a widespread practice. With funding cuts a now and future reality, more attention should be given to defending against sabotaged programs. Then, perhaps, the trend toward avoiding all forms of shareware could be reevaluated. - --Frank ------------------------------ Date: 03 Oct 89 14:17:35 +0000 From: erwinh@solist.htsa.aha.nl (Erwin d'Hont) Subject: The invincible virus (Ghost virus) (Atari ST) First I would like to make my excuse for not giving enough information in my last (and first in my career) message to usenet. I asked some information about the Ghost Virus on the Atari ST, well I forgot to mention the computersystem and the kind of information I requested Well here goes all or nothing : Since a few months I'm being bugged by a virus that inverses the mousepointer. So after I figured that it could be a virus, I pulled out my trusty Viruskiller (VDU - Virus Destruction Utility V1.4) and became aware of this "Ghost Virus". After wiping the virus from all my disks I thought I would be save, but none could be more true. This virus returned every time. Maybe it is a link-virus that somehow manages to copy itself into the bootsector so that it can begin it's faul work again. But the VDU doesn't reconize any link-virus on any of my disks, so my question to all of you is : Is there some way to get rid of this virus without formatting all my disks ?? Erwin WARNING : Never crunch a file or disk without checking it !!!!!!!!!!!!!! ------------------------------ Date: 04 Oct 89 02:50:40 +0000 From: cvl!cvl!umabco!bgoldfar@uunet.UU.NET (Bruce Goldfarb) Subject: Information wanted I am looking for addresses (phone numbers ideal) for the Computer Virus Industry Association and the National Bulletin Board Society. Any and all help is deeply appreciated. Bruce Goldfarb umabco!bgoldfar@cvl.umd.edu (or) cvl!umabco!bgoldfar ------------------------------ Date: Mon, 02 Oct 89 16:05:35 -0400 From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV> Subject: Re: New virus? (Mac) >Subject: New virus? (Mac) I'm afraid so... >We here at the University of Rochester may have discovered a new >virus, or a variation on a theme. What it does is infect Macwrite ... (sundry details omitted) > ... Disinfectant 1.1 doesn't work, so please email me the >latest version of disinfectant to try... I'm afraid it won't help. You should send some mail to John Norstad *immediately* and let him know about it. He may request a copy of your infected files. His net address is in the Disinfectant documentation. >The virus definitely attacks Macwrite. It adds a str ID 801 and >modifies the icon to say Macwite instead of the standard application >icon. The application increases in size by 104 bytes, 56 in the >string. they are added in sector 014F, according to Fedit Plus 1.0. Actually, you should check it out with ResEdit and see what resource they get added to. Ditto for the System; look for INIT resources. There are a few that are supposed to be there, but the virus may add new ones. (more details omitted) This sounds very much like a new virus. Have you Vaccine or GateKeeper installed? Either should keep infections from spreading, unless the virus is doing its own disk I/O at the driver level (very dangerous and could lead to screwed-up disks). Things to try: - Write-protect a known-clean version of MacWrite and try running it on the infected system. - Change another application's signature (type/creator) to MacWrite's and see if the virus tries to infect it. - Name MacWrite something else and see if it is attacked. - Look at the system healp with Macsbug and and try to identify all of the resources loaded into it. This may help in tracking down the infection mechanism. I'd appreciate hearing further details; post them to me personally if you'd like. --- Joe M. ------------------------------ Date: Tue, 03 Oct 89 10:16:41 -0400 From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV> Subject: nVIR B Details (Mac) <CTDONATH@SUNRISE.BITNET> asks: >I recently came across the nVIR B virus on a cluster of Macs. I removed >it using Disinfecant 1.5 and appears to be gone. > >What problems does nVIR B cause? Does it delete files, do annoying things, >or simply spread? Being a semi-public cluster, how much of a concern >is its presence? It does annoying things (beeps or says "Don't Panic"). Since it also grabs space in the system heap AND installs a VBL task, it can cause memory problems and timing problems, causing printing failures and crashes. Its presence is always a concern. Think of it as a public health problem. Your cluster, if left infected, would be a reservoir of infection and a potential source of spread, no matter how much time other clusters spent cleaning themselves up. Get Vaccine or GateKeeper installed on those Macs. Now. You must have either not had them installed, or someone has been turning them off. If you suspect that someone is deliberately infecting the cluster, you might want to set up a virus-scanning station that all disks must be passed through before they are used on your cluster. The Disinfectant documentation will tell you how to do this. --- Joe M. ------------------------------ Date: 04 Oct 89 13:08:50 +0000 From: kkk@ohdake.uta.fi (Kimmo Kauranen) Subject: Submission for comp-virus Where could I get a copy of "Proceedings..." Hey! There is been in some articles a mention about the book "Stephen J. Ross (ed.) Computer Viruses - Proceedings of an Invitational Symposium, Oct 10-11,1988. New York: Deloitte, Haskings & Sells, 1989." I 'd like to get it, but where could I order it? Thanks beforehand Kimmo Kauranen ------------------------------ Date: Wed, 04 Oct 89 09:51:17 -0400 From: Joe McMahon <XRJDM%SCFVM.BITNET@VMA.CC.CMU.EDU> Subject: New Mac Virus - Further Diagnostic Help Try using GateKeeper and shutting down ALL accesses to files. See if that will show you what's being copied into the files. It should be in the GateKeeper Log. --- Joe M. ------------------------------ Date: Wed, 04 Oct 89 09:46:05 -0400 From: Joe McMahon <XRJDM@SCFVM.BITNET> Subject: Where to Get Mac Anti-Virals CTDONATH@SUNRISE.BITNET asks: ...where can we get the most recent versions {of anti-viral software} ? On BITNet, the LISTSERV at our node (SCFVM) has a virus-removal package consisting of Disinfectant, Virus Rx, Vaccine, GateKeeper, and some other files. You can subscribe to this package and receive updates automatically by obtaining a LISTSERV password and AFD ADDing the package. On Internet, sumex-aim.stanford.edu has anti-virals in the /info-mac/virus directory. apple.apple.com in the pub/dts/mac/tools directory has the newset version of Virus Rx. Hope this helps. --- Joe M. ------------------------------ Date: 04 Oct 89 18:14:00 +0700 From: NOAM@SARA.NL Subject: datacrime II antidote (PC) On or after the 12th of October, an undetermined number of computer 'viruses' are scheduled to start erasing the data of their unsuspecting hosts. One virus in particular, known as 'DATACRIME II', is an especially nasty specimen, as it not only spreads very rapidly, but also formats the hard disk of any computer it infests, permanently destroying all of the contents. DATACRIME was first detected in the Netherlands, and the leading computer publication of that country, PERSONAL COMPUTER MAGAZINE, commissioned computer expert Rikki Cate to write an 'antidote' program for its readers. Cate, an American who lives in the Netherlands, is a programmer specialized in this kind of work. Cate's Cure was an overnight sensation. Featured on radio, television and in Holland's leading newspapers, thousands of copies were distributed within the first few days and it has already inspired a number of hastily composed imitations. Even the Dutch police have begun distributing a version of their own. Cate's Cure, however, claims superiority to all of these. It is much faster, it actually removes the virus, it repairs damaged programs, it automatically searches all the directories on the hard disk, and it provides permanent protection against formating of the hard disk or new infections by the virus. None of the other programs released have any of these features. This is believed to have been confirmed in an independent test carried out by the Dutch Railways. In view of the huge demand and the clear anxiety indicated by that, Cate has decided, with the approval of PCM, to make the antidote more widely available at a cost of $10 per disk. Additional information can be obtained from her directly by calling 31-20-981963 in Amsterdam. Fax: 31-20-763706, telex 12969 neabs nl, Fido 2:280/2, electronic mail 31-20-717666, all marked to her attention. [Ed. Any chance of getting a copy of Catee's Cure on this side of The Pond, for electronic distribution?] ------------------------------ Date: Wed, 04 Oct 89 10:18:00 -0700 From: <WIER@NAUVAX.BITNET> Subject: OGRE virus in Arizona (PC) Original_From: Paul Balyoz A new, extremely nasty virus has been discovered on some IBM PCs in the state of Arizona. This virus, known as OGRE, has been found on some disks in Flagstaff and nearby areas. This is the first recognition of said virus that has come to my attention. This memo gives a description of the virus and possible ways of recognizing and removing it. DESCRIPTION The OGRE virus tries to infect any disks it sees that haven't yet been infected with itself. It counts the number of disks it has infected as it goes along. It does no harm until after it has infected a certain number of disks. After that point it will display a message on the screen at boot time identifying itself as the COMPUTER OGRE dated April 1, and telling you to leave your machine alone as it begins "stomping" blocks on the disk randomly, by writing blocks full of one character all over the disk. This holds true for both floppy disks and hard disks. The damage done in this manner is virtually irrepairable. Once this happens the hard disk usually needs to be reformatted (which effectively erases everything on on disk). If backup copies of the files from that disk were made, it can be restored back onto the reformatted disk, and all is well again (until the next time). If you see this message appear on your screen, ignore the warning and TURN YOUR COMPUTER OFF IMMEDIATELY! The quicker you turn it off, the less damage it will have done. The first blocks it destroys are the boot blocks and file and directory information; files go after that. If stopped in time, the files on the disk may be retrieved using various disk utility programs. TECHNICAL DETAILS The OGRE virus spreads by writing copies of itself onto 3 unused blocks on the disk. It then marks those blocks as being "bad," so that normal disk usage won't ever choose those blocks for storing ordinary data. Thus the virus can stay on the disk without being bothered. The important step is when it modifies the boot blocks of the disk so that next time the disk is booted, the special code on those three blocks is executed, and the virus can try to infect new disks. Thus, every time the disk is booted thereafter, the OGRE code is executed, and can do what it has been programmed to do. Because the OGRE virus operates at such a "low level," none of the existing virus detection/elimination programs currently in existence for the IBM PC will work. Note that OGRE doesn't create or modify any of the files on the disk at the time of infection, nor does it effect the FAT in any way. Thus it is virtually undetectable by present means, until special programs are developed to detect and remove it. RECOGNIZING THE VIRUS If you have a "disk zap" or "sector edit" type of program, you can use that to see if the OGRE virus has infected each of your disks. You'll want to search the disk for the string "OGRE" (those four upper-case ascii characters) or "COMPUTER OGRE" to be sure. You will know by the surrounding text if each occurrance of the string is truly the virus or not. The software package "Norton Utilities" has a program that can do this sort of disk-searching function. The most important place to look are the boot- blocks on the disk. If the string exists in that area, your disk is probably infected. Note: It is possible for normal information on the disk to spell out the string "OGRE" just by chance. As I understand it, that string being found in the boot-blocks nearly guarantees infection. The text before and after the string must be viewed to be sure. There is a date of April 1, and a copy- right notice, as well as the English text that it can display. You will know from the context whether your disk is infected or not. CLEANING AN INFECTED DISK File copying will "clean" an infected disk. Because OGRE doesn't effect any files, per se, a good method for cleaning up an infected disk that hasn't been "stomped on" yet would be to copy all of the files off that disk onto a freshly formatted one. Of course you'll want to be sure that the virus isn't running while you do this, or it will quickly infect the new disk as well! Boot your computer from an original system disk that was distributed with your computer. Make sure it is write-protected before booting. If this disk has never been un-write-protected, then it can't ever have been infected. Then go ahead and format the new disk, and copy your files to it. The infected disk you just copied all the files off of can now be formatted to clean it up, and files copied back onto it again. FUTURE VIRUS DETECTION IDEA Checksum the boot blocks. A program should be written to run a set of checksums on the boot blocks of your disk, and remember the number somewhere. When run thereafter it can recompute the checksum and compare it to the one recorded previously. If the two checksums do not match exactly then the boot blocks have been modified, which is not a normal thing to have happen. The program can then notify the user that, "The boot blocks on this disk have changed; you may have a virus." If this program were written and launched from the AUTOEXEC.BAT file on all bootable disks, then the user would know immediately if they were infected. Of course, the OGRE virus would have already been executed once by then, since the disk was booted before the AUTOEXEC.BAT file was read, so it may have infected another disk; but it won't have gone on the rampage yet. The user would thus have pre-knowledge of the infection, and can combat it before any damage is done. DISCLAIMER I have not personally seen the virus nor any disks damaged by it. SOURCE INFORMATION This new virus was discovered by members of the staff at Computer Solutions here in Flagstaff Arizona. They are working on disassembling the virus and will hopefully come up with a virus removal procedure or program. The current theory is that it originated somewhere in the Phoenix area, but nothing is sure yet. Computer Solutions is trying to contact as many people as they can to warn them about this new problem. You are encouraged to make copies of this memo in any form and distribute them to anyone who might need to know this information. You can contact Computer Solutions at 602-774-1272 during the day. submitted by: *usual disclaimers* --------------------------------------------------------------------- - Bob Wier Northern Arizona University Ouray, Colorado & Flagstaff, Arizona ...arizona!naucse!rrw | BITNET: WIER@NAUVAX | WB5KXH ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Thursday, 5 Oct 1989 Volume 2 : Issue 213 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Pointer to Cohens publications Re: Followup on new virus (Mac) Re: Why not change OS? About the DH&S proceeding(s)... Re: OGRE virus in Arizona (PC) Increasing rate of virus appearances Binghamton Jerusalem-B virus - The day after. (PC) M-1704 question (PC) WSMR newspaper article on Anti-Virus program --------------------------------------------------------------------------- Date: Wed, 04 Oct 89 19:18:50 -0500 From: Christoph Fischer <RY15@DKAUNI11.BITNET> Subject: Pointer to Cohens publications Hello I need the exact bibliographic data of Fred Cohen's dissertation and publications in the field of computerviruses. If there exists an downloadable printfile with such material I would be very happy about any hints. Thanks Chris ***************************************************************** * Torsten Boerstler and Christoph Fischer and Rainer Stober * * Micro-BIT Virus Team / University of Karlsruhe / West-Germany * * D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 * * E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET * ***************************************************************** ------------------------------ Date: 04 Oct 89 18:09:20 +0000 From: ut-emx!chrisj@cs.utexas.edu (Chris Johnson) Subject: Re: Followup on new virus (Mac) In article <0004.8910041115.AA07054@ge.sei.cmu.edu> eplrx7!milbouma@uunet.UU.NE T (milbouma) writes: >I can recommend Symantec's new antiviral package, SAM, which will flag >any abnormal writes from an application (like Vaccine if you're >familiar with it, but better than Vaccine). SAM will at least protect >your machines from getting infected and also has a Virus scanner >program that scans for known viruses and can also repair irreplaceable >apps that are infected. Part of the protection init also will ask you >if you want to scan a floppy for known viruses whenever you insert >one. Of course, as an alternative to SAM, you can save yourself a lot of money and go with GateKeeper 1.1.1, which has not only been stopping viruses around the world 6 months longer than SAM (and all the other johnny-come-lately commercial systems), but is completely free. Furthermore, I gather that GateKeeper is significantly more configurable than SAM insofar as it maintains a privilege list which can be easily viewed and edited (I've never used SAM, so I don't speak from first-hand experience on this point, but people assure me that it's a *very* important difference in practice). If you need telephone support, though, SAM is clearly better for you... the closest thing to interactive support available with GateKeeper is email. GateKeeper doesn't provide a virus-scanner, but with Disinfectant available (also for free) it's not much of a problem. One other thing that makes GateKeeper unique in the world of Macintosh anti- virus systems is that it keeps a log file that details exactly what virus related operations have been attempted, when, by whom and against whom. GateKeeper 1.1.1 (as well as Disinfectant) is available from most archive sites, including a local system, ix1.cc.utexas.edu in the microlib/mac/virus directory. Well, happy virus hunting no matter what system you choose, - ----Chris (Johnson) - ----Author of GateKeeper ------------------------------ Date: Wed, 04 Oct 89 17:01:06 -0400 From: Tim Endres <time@oxtrap.aa.ox.com> Subject: Re: Why not change OS? Better than changing OS to get better virus "resistance", why not encourage the systems designers at Apple and IBM to implement protection in their respective operating systems? An entire document dedicated to stopping virus acitivity at the OS level was mailed to John Sculley at Apple. Yet, to this day, even with an entire new OS release, not one of the suggestions given has been implemented! I am sure that there are many complex issues facing a company such as Apple, with regards to this problem, and changes at the OS level to deal with viruses will, and probably should, be slow. Further, I must give Apple credit for the action they did take when Macintosh viruses first surfaced. In some cases, they sent their own engineers to infected sites for investigation and assistance. They were the first to engage in "Virus Awareness" campaigns. Unfortunately, we have seen no work at the OS level. What users should be doing, is overtly pressuring computer manufacturers to address this need at the OS level, and start buying equipment from vendors who move in that direction. ------------------------------ Date: Wed, 04 Oct 00 19:89:18 +0000 From: utoday!greenber@uunet.UU.NET (Ross M. Greenberg) Subject: About the DH&S proceeding(s)... I wasn't too happy with the end result of what DH&S (Steve Ross works for them) produced. The invitational excluded a number of people (including me, so this might be a biased report). The only person there really familiar with the world of PC and other micro viruses was Pam Kane (Panda Systems & Dr. Panda Utilities - good stuff!). They spent a great deal of time on nomenclature. Something like two days. Very little on practical "how-to's" or anything at all of a technical nature. The conclusion of the report is basically a sales-promo piece on why you should hire DH&S consultants if you have a virus problem or wish to make sure you don;t get one. I consider this mailing list *considerably* more informative, objective, and honest. Note: I ended up attending the symposium, then being asked to leave when I mentioned that it seemed inappropriate to give this little meeting any credibility when only three or four people there, out of the 50 or so who presented, had *ever* seen a virus. To be honest, I was a gate crasher. Ross M. Greenberg Author, FLU_SHOT+ ------------------------------ Date: 04 Oct 89 23:15:47 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Re: OGRE virus in Arizona (PC) In article <0011.8910041808.AA09177@ge.sei.cmu.edu> WIER@NAUVAX.BITNET writes: | Because the OGRE virus operates at such a "low level," none of the | existing virus detection/elimination programs currently in existence | for the IBM PC will work. | | FUTURE VIRUS DETECTION IDEA | | Checksum the boot blocks. The new program BootChek goes one better than this. It will compare the entire boot block with a secured copy. Since it is small, this comparison is fast, and better than a checksum. If a change is detected, the computer is halted. WARNING: This will detect any *change* in the boot block. If you start with an infected system, this won't help. - -- Jim Wright jwright@atanasoff.cs.iastate.edu ------------------------------ Date: Wed, 04 Oct 89 20:39:29 -0400 From: RREINER@YORKVM1.BITNET Subject: Increasing rate of virus appearances It is my impression, judging primarily from reports on VALERT-L, that the rate at which new viruses are appearing has accelerated substantially in recent weeks. There was previously what seemed a stable rate of one new virus every few weeks; this seems now to have become one new virus every few days. Has anyone been keeping more careful records? What is the rate of increase of the rate of increase? Richard J. Reiner BITNET == rreiner@vm1.yorku.ca Internet == grad3077@writer.yorku.ca Compu$erve == 73457,3257 ------------------------------ Date: 05 Oct 89 04:31:42 +0000 From: consp06@bingvaxu.cc.binghamton.edu Subject: Binghamton Jerusalem-B virus - The day after. (PC) Thanks to all of you who responded so quickly to my messages for help. We now have several programs that will arm us in controlling the virus. Any more messages, although appreciated, are unnecessary. It's good to see that people are so eager to help when a crisis occurs. -Robert Konigsberg ------------------------------ Date: Wed, 04 Oct 89 15:07:00 -0400 From: Jim Shanesy <JSHANESY%NAS.BITNET@VMA.CC.CMU.EDU> Subject: M-1704 question (PC) We (Don Kazem of our Technical Systems group, and myself, a programmer/analyst) have just downloaded M-1704.ARC from the Homebase bulletin board and found upon reading the documentation that SCANV40 is supposed to detect M-1704.EXE as a virus. It does not. We both ran SCANV40 (also obtained from Homebase) on our respective hard disks and SCAN reports them both as clean. Don's machine is a PS/2 Model 70 with ESDI-controlled 120 Meg hard disk, and mine is a PS/2 Model 60 with ESDI-controlled 66 Meg hard drive. We are reluctant to run this program until we verify that it is not indeed infected, since its behavior is different from that described in the documentation. Any comments, Mr. McAfee? [Ed. I believe that the newer ViruScan versions were modified to *not* produce this false alarm; perhaps Mr. McAfee can confirm this.] ********************************************************************** Jim Shanesy JSHANESY@NAS.BITNET Office of Computer and Information Technology National Academy of Sciences 2101 Constitution Ave., NW Washington, DC 20418 (202)-334-3219 ********************************************************************** ------------------------------ Date: Wed, 04 Oct 89 12:58:00 -0600 From: Chris McDonald ASQNC-TWS-RA <cmcdonal@wsmr-emh10.army.mil> Subject: WSMR newspaper article on Anti-Virus program THE WSMR ANTI-VIRUS PROGRAM The subject of computer "viruses" has attracted considerable attention in the last three years. The publicity of a Columbus Day virus and the continuing infection rates of several Friday the 13th viruses has pointed out the necessity of ensuring all users are aware of common sense policies and procedures to minimize the threat of viral attacks. This article attempts to describe our virus defense program at the Range. We at White Sands have a unique history in viral research. In the summer of 1984 we at White Sands Missile Range sponsored a computer virus "experiment" by a University of Southern California (USC) undergraduate, Mr. Fred Cohen. Fred went on to obtain his PhD and has written and lectured extensively on the computer virus phenomenon. So we have had some direct experience in the area at a rather early stage. The definition of a "virus" from Dr. Cohen's original research work is short, but extremely important to understand some recent viral attacks. He defined a "virus" as "a computer program that can infect other programs by modifying them to include a possible evolved copy of itself." With the infection property a virus can spread throughout a computer system or network using the authorizations of every user who might use it to infect their own programs. Viruses can spread on personal computers as well as on mainframes. For a variety of reasons we have seen the majority of viruses infecting personal computers. An Israeli researcher has published a catalog of 77 identified MS-DOS viruses, including their variations, as of 2 Oct 89. Other researchers have identified at least 10 Macintosh viruses, including variations, as of 3 Oct 89. "Variations" occur as individuals receive a copy of an original virus and then make some change to it for the purpose of creating a "new" virus. If a "computer virus" is similar to a "biological virus," then could one apply the defenses or at least the methodology used to counter infectious human diseases to the issue of automation security? On the assumption that the comparison holds, then prevention, treatment and education would seem logical control measures. We can limit our exposure to computer viruses by controlling and by monitoring the source of our software. We can "buy" from reputable sources. We can apply the two-person rule to the development and to the review of software which we develop in-house. If we must use public domain and shareware software, then we have an obligation to observe the policies and procedures which our particular organization has for the acquisition, control and testing of such software. Users should also be aware that certain tenant activities at WSMR prohibit the use of public domain software. We have at our disposal both commercial and shareware software products to detect known computer viruses. We have advertised over the Workplace Automation System (WAS) electronic bulletin board the availability of VIRUSCAN which specifically detects several Friday the 13th and Columbus Day viruses identified as the DatacrimeI and DatacrimeII viruses. Users can contact either Bob Rothenbuhler, the installation systems security manager, at 678-4236, or Chris Mc Donald, an ISC information systems management specialist, at 678-4176 for assistance. There are a variety of "disinfectant" programs for the MS-DOS and for the Macintosh worlds which we maintain in the event of a viral outbreak. We also have access to the resources of the National Computer Security Center (NCSC), the Computer Virus Industry Association (CVIA), and the Computer Emergency Response Center (CERT) in the event of viral attacks. While it is impossible to stockpile all possible "treatment" remedies, we have at least a good foundation. Finally, an article such as this serves to "educate" you, the user community, as to the threats and to some of the defenses applicable to the computer virus problem. We have available a briefing on computer viruses entitled "Everything the New England Journal of Medicine will never tell you!" which discusses this subject in some detail. The Information Systems Command has also initiated an eight hour training class, "Protection of Automation Resources", which will address the whole subject of automation security, to include viruses. Both Bob and Chris are always available to answer specific questions and to assist users within their respective fields of interest. While we cannot eliminate computer viruses, we can maintain a program of prevention, detection and education to minimize the possibly negative impact on our computing environment. Using good common sense computing practices can reduce the likelihood of contracting and spreading any virus. - Backup your files periodically - Control access to your PC or terminal and limit use to those people whom you know and trust - Know what software should be on your system and its characteristics - Use only software obtained from reputable and reliable sources - Test public domain, shareware, and freeware software before you use it for production work - If you suspect your PC contains a virus, STOP using it and get assistance ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Thursday, 5 Oct 1989 Volume 2 : Issue 214 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: paper comparing biological and computer viruses CNN coverage of Columbus Day Virus and Friday 13th Virus The DataCrime viruses (PC) Two new PC viruses That's the news... --------------------------------------------------------------------------- Date: 05 Oct 89 06:07:51 +0000 From: munnari!gara.une.oz.au!pmorriso@uunet.UU.NET (Perry Morrison MATH) Subject: Re: paper comparing biological and computer viruses SOFPJF@UOGUELPH.BITNET (Peter Jaspers-Fayer) writes: > This is an outline for a semi-serious paper on the similarities > between biological and computer viruses, and the efforts to understand > and combat them. I present it here in the hopes that others may wish > to contribute a paragraph or so (sorry no money, but I'll give credit > for any material I receive). I wrote a short paper published in the Futurist which introduces the analogy of software and organic viruses. For historical adequacy of your paper, I'd appreciate it if you included it in your bibliography: Morrison, P.R. "Computer Parasites May Cripple Our Computers", The Futurist, 1986, 20(2), 36-38. _ _______________________W_(Not Drowning...Waving!)______________________ Perry Morrison Ph.D, V.D (and scar). SNAIL: Maths, Stats and Computing Science, UNE, Armidale, 2351, Australia. perrym@neumann.une.oz or pmorriso@gara.une.oz Ph:067 73 2302 ------------------------------ Date: Thu, 05 Oct 89 08:51:37 -0500 From: Jim Ennis <JIM@UCF1VM.BITNET> Subject: CNN coverage of Columbus Day Virus and Friday 13th Virus Hello, Viruses were covered on the CNN 'AT&T Information and Technology' segment of the CNN Daybreak show Weds, 10/4/89. There was a good non-techie description of what a virus is, how it spreads and some safe computing (safe sex) practices. They did not mention how to detect the virus and remove, or who you could contact for more information. They had short pieces with Winn Schwartau 'American Computer Security', Richard Carr 'NASA', and Ross Greenberg 'Software Author'. The show seems to be lumping all computer security problems as 'viruses', it did not attempt to differentiate (sp?) the different types of problems facing computers. Also, they said that the virus will not affect many people, they did not give any estimates on the number of possible infections (which from following this list is pretty small). The segment might run on Sunday during the 'Science & Technology' half hour show (usually in the early afternoon). It was only about 3-4 minutes long. Jim Ennis UCF Computer Services ------------------------------ Date: Thu, 05 Oct 89 17:13:10 +0200 From: Y. Radai <RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU> Subject: The DataCrime viruses (PC) In August, Alan Roberts, David Chess, and Kelly Goen discussed the DataCrime II virus on VIRUS-L, but only from one point of view: that it's encrypted and that the decryption code includes a routine which prevents looking at the code with a single-step utility. Unless I missed something, none of them thought of telling us anything else concerning how DC-2 differs from the original DC. Much later, however, we did learn several additional differences, for example: (1) DC-2 infects EXE as well as COM files. (2) It increases file size by 1514 bytes. (3) Whereas DC avoids infecting COM files whose 7th letter is "D" (thus avoiding infection of COMMAND.COM), DC-2 avoids infecting COM files whose 2nd letter is "B" (presumably so as not to infect IBMBIO.COM and IBMDOS.COM). So far, so good. But I have since discovered that there was one very important difference which (again, assuming that I haven't missed anything) was not mentioned by anyone on the List: Whereas DC per- forms its damage (low-level format of cylinder 0 of the hard disk) on any day between Oct 13 and Dec 31 of any year, DC-2 does it on any day between Jan 1 and Oct 12, except on Sundays! Y. Radai Hebrew Univ. of Jerusalem ------------------------------ Date: Thu, 05 Oct 89 14:33:43 +0200 From: Y. Radai <RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU> Subject: Two new PC viruses Two new viruses have been discovered in Israel. One of them is called the Alabama virus. It infects EXE files and increases their size by 1560 bytes. Unlike many other resident viruses, it does not use Int 21h function 31h to stay resident. It loads itself 30K under the highest memory location reported by DOS, but (unlike MIX1) it does not lower the amount of memory reported by BIOS or DOS. It hooks Int 9 and checks for Ctrl-Alt-Del. (It uses IN and OUT commands to confuse anti-virus people.) When it identifies this com- bination it causes an apparent boot but remains in RAM. After 1 hour of operation (the virus checks the time on each Int 9 or Int 21 call), the following flashing boxed message appears: SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW.............. Box 1055 Tuscambia ALABAMA USA. This virus does not necessarily infect the file which is currently being executed. First it looks for an uninfected file in the cur- rent directory, and if it finds one it infects it. Only if it does not find one does it infect the executed file. But sometimes, when it finds an uninfected file, instead of infect- ing it, it will *exchange* it with the currently executed file without renaming it, so that the user will think that he is executing one pro- gram while he is actually executing another one! I have less information about the other virus (not even a name for it). It adds 4096 to all infected files (both EXE amd COM, incl. COMMAND.COM). But when you perform DIR you don't see the increase in file size since the virus shows you the *original* (uninfected) sizes. Like the Alabama and MIX1, it does not use the usual TSR function. It also uses INs and OUTs to confuse single-step utilities. My thanks to Eli Shapira for this info. Y. Radai Hebrew Univ. of Jerusalem ------------------------------ Date: Thu, 05 Oct 89 16:00:00 EDT From: "Kenneth R. van Wyk" <krvw@SEI.CMU.EDU> Subject: That's the news... To quote Saturday Night Live's Dennis Miller, That's the news and I am out of here! VIRUS-L/comp.virus will be back on-line when I return from Maui/Kaui on Oct. 23. Until then, use VALERT-L for *VIRUS ALERTS* only. Please do not use VALERT-L for anything other than virus alerts. Aloha, :-) Ken van Wyk ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Friday, 6 Oct 1989 Volume 2 : Issue 215 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: IBM-supplied antivirus software (IBM PC) re: The DataCrime viruses (PC) The not so new virus (Mac) New Mac Virus Appears in Sweden (Mac) Viruses that inhabit "bad" blocks (PC) Re: Why not change OS? Tiger Teams (General) Re: UNIX virus proof?! (UNIX) New Mac Virus Not In 'Moria' But in SuperClock3.5! Re: OGRE virus in Arizona (PC) Now I'm *REALLY* going... --------------------------------------------------------------------------- Date: Thu, 05 Oct 89 16:18:45 -0400 From: "E.C. Greer" <rs0xeg%rohvm1@VMA.CC.CMU.EDU> Subject: IBM-supplied antivirus software (IBM PC) Below is the text of an announcement recently made by IBM. We got this from our IBM representative. It's not particularly clear to me exactly which viruses this software works for, but I thought I'd pass it along. There is a number to call for more information. September 29, 1989 MEMORANDUM TO: IBM Business Partners SUBJECT: Personal Computer Virus Detection There is an increasing awareness in the industry of the existence of disruptive computer viruses. Several personal computer viruses exist which are expected to activate after October 12, 1989. These viruses can erase a DOS or OS/2* file or render the files on the fixed disk inaccessible. Although the number of reported occurrences is low, this is to alert you to the potential risk of these viruses and to provide you with a program to assist you in detecting them. Enclosed are 3.5 inch and 5.25 inch diskettes with the IBM Virus Scanning Program for personal computers and its license agreement. At your discretion, you may make copies for your customers. Also included are a fact sheet on the IBM Virus Scanning Program and a virus question and answer document. We recommend that you and your customers run the IBM Virus Scanning Program on all of your personal computers using DOS and/or OS/2 as soon as possible prior to October 12th. If you provide customers a copy of these diskettes, you must also pro- vide them with a copy of the license agreement. To ensure a virus free copy, you must follow the instructions in the READ.ME file on the diskette. You should "write protect" all copies of the original disk- ettes. The READ.ME file also contains additional information on the IBM Virus Scanning Program. There is a $35.00 charge for this program. Payment is to be made by the customer directly to: IBM Corporation Grand Central Station P.O. Box 2646 New York, NY 10163 Alternatively, your customer may order the IBM Virus Scanning Program (part number 64F1424) at a cost of $35.00, with a major credit card, directly from the IBM fulfillment center by calling 1-800-426-7282. IBM Virus Scanning Program Fact Sheet + _____________________________________ WARNING - BEFORE USING THE IBM VIRUS SCANNING PROGRAM MAKE CERTAIN THAT THE COPY YOU INTEND TO USE COMES FROM A SECURE UNINFECTED SOURCE, AND THAT THE DISKETTES' WRITE PROTECT TAB IS IN PLACE IF THE DISKETTE IS NOT PERMANENTLY WRITE PROTECTED. The IBM Virus Scanning Program has been developd by IBM to aid in the detection of some computer viruses and is being used internally by IBM to detect computer viruses. The program is designed to scan boot records and executable files looking for signatures of viruses known to IBM when the program was written. A signature is a bit pattern that is indicative of a particular virus. The files that are scanned by the IBM Virus Scanning Program must be in their native executable form (e.g., not encrypted and not packed) in order for signature matching to occur. There may be other viruses that currently exist, or will exist in the future, that the IBM Virus Scanning Program will not detect. We know of no available, guaranteed solution to computer viruses, so we recommend regular backups of your data, caution in acquiring and using software and good security practices. Description of the IBM Virus Scanning Program +_____________________________________________ The program tests executable files on disks for signature strings that are found in some common DOS computer viruses. For each drive specified it will also test the drive for boot sector viruses. To use it, simply type at the command prompt (for example) VIRSCAN C: to scan the executable files on the C: drive or VIRSCAN A: to scan the executable files on the A: drive or VIRSCAN n: n: n: to scan multiple drives (n = drive id) Type VIRSCAN without any arguments for some help. Files infected with a virus should be erased and replaced with uninfected copies (obtained from the original source, such as original manufacturer's diskettes, in-house source code, backup copies, etc). NOTE: Prior to restoring any files, run the program against the diskette from which you plan to restore to ensure it is virus-free. Technical Detail: +________________ VIRSCAN.EXE is the executable program. It will run under DOS 2.0, 2.1, 3.1, 3.2, 3.3, 4.0 and OS/2* 1.0, 1.1, and 1.2. It will not support OS/2 1.2 with high performance file system names. Virus detection programs and services are available from other companies and you may also wish to advise your customers of these. The IBM Virus Scanning Program will not detect all personal computer virus possibili- ties and should be considered complementary to, and not a substitute for, established security and backup procedures. If you have any questions, please call the NDD National Support Center at 1-800-IBM-PROD or contact your IBM marketing representative. R. F. Martino Vice President Marketing Enclosures * Trademark of the IBM Corporation ------------------------------ Date: 05 Oct 89 00:00:00 +0000 From: David.M..Chess.CHESS@YKTVMV Subject: re: The DataCrime viruses (PC) > DC-2 does it on any day > between Jan 1 and Oct 12, except on Sundays! That's not true for the sample that I've seen. I suspect someone's just misreading the code (it's easy to do; that area is rather convoluted). It could be a new variant, of course, but if it really *did* do its damage between Jan 1 and Oct 12, wouldn't it have basically Gone Off by now? I think your source is just misinformed. There does seem to be a day-of-the-week check in there, but I'm not sure what it does at the moment (not damaging on Sundays is possible, but I wouldn't want to promise anyone!). In summary, the important differences that I know of between the DataCrime (1168 and 1280 strains) and the DataCrime II are that the II: - Makes COM files 1514 bytes longer when it infects them - Also infects EXE files - Stores itself garbled on disk (except for the degarbler) - Has a slightly different message ("* DATACRIME II VIRUS *") Otherwise, it's the same beast, with the same damage conditions. Of course there may be more variants that I haven't seen! DC ------------------------------ Date: 05 Oct 89 20:59:34 +0000 From: jap2_ss@uhura.cc.rochester.edu (Joseph Poutre) Subject: The not so new virus (Mac) Enclosed is a mail message written by a fellow consultant. When it first appears, it's just a form of the nVIR virus which AntiPan works very well to eradicate. But it seems to be a self modifying code which causes it to mutate to an unrecognizable form. SO, what do we do about it, you ask? Well, we have had exceedingly good success in both TAGGING and ERADICATING the virus with a program called SYMANTEC ANTI-VIRUS CLINIC. If the virus is tagged, it can be eradicated with AntiPan, or it can be eradicated with SAM, the SYMANTEC ANTI-VIRUS CLINIC. So when people bring you their disks to have checked, please run SAM on them. It's very easy, there will be instructions at the desk. Copies of this message and an infected application will be sent to all those who requested copies, and any others who also ask. This is _not_ an endorsement of any sort for SAM, or Anti-pan. Joseph Poutre (The Mad Mathematician) jap2_ss@uhura.cc.rochester.edu ------------------------------ Date: Thu, 05 Oct 89 22:41:25 +0700 From: Bertil Jonell <d9bertil@dtek.chalmers.se> Subject: New Mac Virus Appears in Sweden (Mac) Here on Chalmers, we've found an STR id 801 in the game MORIA (Recently posted on comp.binaries.mac), I havent gotten time to check it yet byt it *might* have come with moria. (Altough some signs seam to indicate that it has been around for a long time) Any information on the virus, It's effects and possible techniques to combat it will be geatly appriciated. - -- Bertil K K Jonell @ Chalmers University of Technology, Gothenburg NET: d9bertil@dtek.chalmers.se VOICE: +46 31 723971 / +46 300 61004 "Don`t worry,I've got Pilot-7" SNAILMAIL: Box 154,S-43900 Onsala,SWEDEN (Famous last words) "So for more than a decade, Tiamat had been observing Lucifer with every possible kind of instrumentation" A.C.Clarke '2061' ------------------------------ Date: Thu, 05 Oct 89 19:26:00 -0400 From: MAS-Polecat <MASERIK@ubvmsc.cc.buffalo.edu> Subject: Viruses that inhabit "bad" blocks (PC) I was just reading about the OGRE virus when I noticed a pattern. Since a lot (is it a lot?) of viruses mark the sectors they are using as bad, why not just write a utility that will look up the bad sectors on a disk and erase them. There are utilities available now that will analyze EACH sector on a disk to see if it is bad or not. If it is marked bad, but seems ok they will put that sector back into the available sector list. I think SpinRight (sp?) and perhaps PCTools do this. Even if not all of the virus is eradicated, it seems that it would at least be fatally crippled. Has anyone tried this? Erik Bryant Student Assistant Programmer University at Buffalo ------------------------------ Date: Thu, 05 Oct 89 21:35:04 -0400 From: ficc!peter@uunet.uu.net Subject: Re: Why not change OS? time@oxtrap.aa.ox.com (Tim Endres) writes: > Better than changing OS to get better virus "resistance", why not > encourage the systems designers at Apple and IBM to implement > protection in their respective operating systems? I don't know about the Mac... its system software is a lot cleaner than Messy-DOS, albeit rather unconventional. But this is pretty much impossible with MS-DOS. I suspect you would have to write a complete new operating system with an MS-DOS emulator. The reason for this is that the original MS-DOS was so incompetant (for example, the serial driver code never worked right for anything better than dumping to a printer, and it's never been fixed) that any decent program was forced to go direct to the hardware. And of course if you're going to go to a new O/S, why not use an off-the-shelf one that's already achieved wide acceptance? I once sat down and tried to write a terminal emulator that was entirely well-behaved. I was able to keep up with 1200 baud using the XT bios to put stuff on the screen, by heavy use of curses-style heuristics, but I broke down and went straight to the serial port. Of course, OS/2 is supposed to fix all this. For some bizzarre reason, though, it's still got no security features. Anyway, the reason Apple and IBM aren't doing anything is because there's no great call from the user community to do anything, and nobody's willing to consider a better alternative if it means risking their cherished soft- ware investment. Which is only reasonable, but there's no reason new installations can't be based on something like UNIX. - --- Peter da Silva, *NIX support guy @ Ferranti International Controls Corporation. Biz: peter@ficc.uu.net, +1 713 274 5180. Fun:peter@sugar.hackercorp.com. `-_-' ``I feel that any [environment] with users in it is "adverse".'' ------------------------------ Date: Fri, 06 Oct 89 08:18:43 -0400 From: "Andy Wing" <V2002A@TEMPLEVM.BITNET> Subject: Tiger Teams (General) Hi, I think that your average non-sophisticated user would be offended by computer support personnel checking their personal machine for "infection". An alternative would be to have the Tiger Teams simply state that they are doing "regular preventative maintenance". People shouldn't have problems with that. The end user doesn't need to know the gruesome details of a PM call. Actually Tiger Team duties should be assigned to a companys regular maintenance people (with a software expert supervising them of course). I guess the best anti-virus protection is one that is both transparent to the end user and in the hands of a well trained support staff. The original Tiger Team idea would work best if slightly modified. Every football team has both an offence and a defense. Right now the anti-viral defense really has no one to practice against. I think what we need is a group of developers that will try to "bust" Gatekeeper/Flushot/etc. These people would be in close contact with the anti-viral developers. The Tiger Team would document their methods and only use benign infections. I guess my real concern is that anti-virus developers take a reactive stance instead of an active one. If I were a anti-virus developer, I would want to encounter a new infection method under controlled, documented conditions. This way anti-viral SW would be guarded against bypass methods already thought up by the Tiger Teams. Also, do any anti-viral programs use the 'bad block' method to protect themselves? I think that idea holds some promise. Andy Wing V2002A@TEMPLEVM.BITNET ------------------------------ Date: 06 Oct 89 15:22:42 +0000 From: jmc@PacBell.COM (Jerry Carlin) Subject: Re: UNIX virus proof?! (UNIX) ficc!peter@uunet.uu.net writes: >I wouldn't say UNIX is virus-proof (I posted a hoax article about a >UNIX virus over a year ago, just before the Internet Worm incident), >but it's sure a hell of a lot more virus-resistant than DOS. See "Experience with Viruses on UNIX Systems" by Tom Duff in Computing Systems, Vol 2 No 2, Sprint 89 pp: 155-181. He discusses building a true UNIX virus and the consequences thereof. - -- Jerry Carlin (415) 823-2441 {bellcore,sun,ames,pyramid}!pacbell!jmc To dream the impossible dream. To fight the unbeatable foe. ------------------------------ Date: Fri, 06 Oct 89 14:51:08 +0700 From: Bertil Jonell <d9bertil@dtek.chalmers.se> Subject: New Mac Virus Not In 'Moria' But in SuperClock3.5! Today when I had time to check the various downloads that had been occuring during the last few days I found that the recource STR ID 801 appeared in the document Clock Doc (a word document). I double checked this by extracting it from the .sit archive again and examinig it directly (On Cue from StuffIt to ResEdit). Since Stuffit and Resedit seems to be clean from this and othe known viruses I can only assume that the virus was there when Clock Doc was packaged! What I'm wondering now is: Is it confirmed that the STR ID 801 really *is* a sign of a virus? Is there any chance that it is a legitimate resource? (I've tested making new MacWrite documents with a locked copy, They have resources this 'International Resource' and a STR resource ID 701, None of them have had a STR ID 801) Clock Doc comes with the SuperClock! 3.5 INIT Recently posted to the comp.binaries.mac newsgroup. I'm sorry for causing constenation by proclaming Moria as a possible source, (Frankly, That .sit archive had been deleted so I couldn't check it, But since the known infected machines both had Superclock 3.5 installed within the last few days, Moria hav dropped off the list of prime suspects) - -bertil- Bertil K K Jonell @ Chalmers University of Technology, Gothenburg NET: d9bertil@dtek.chalmers.se VOICE: +46 31 723971 / +46 300 61004 "Don`t worry,I`ve got Pilot-7" SNAILMAIL: Box 154,S-43900 Onsala,SWEDEN (Famous last words) "GOOD DEEL ON SLIGHTLY USED CRANE" - Orson Scott Card 'The Abyss' ------------------------------ Date: Fri, 06 Oct 00 19:89:36 +0000 From: clout!kericks!ken@gargoyle.uchicago.edu Subject: Re: OGRE virus in Arizona (PC) > A new, extremely nasty virus has been discovered on some IBM PCs in > the state of Arizona. This virus, known as OGRE, has been found on > some disks in Flagstaff and nearby areas. This is the first > recognition of said virus that has come to my attention. This memo > gives a description of the virus and possible ways of recognizing and > removing it. This is a very interesting virus. However, I would like to know if anyone knows how it originally infects a disk. It would seem that it would have to be in an executable program at least initially (to infect the first disk). Any ideas? ------------------------------ Date: Fri, 06 Oct 89 16:00:00 EDT From: "Kenneth R. van Wyk" <krvw@SEI.CMU.EDU> Subject: Now I'm *REALLY* going... Really, this is the *last* digest until I get back! I stopped in the office on the way to the airport and was overwhelmed by the amount of email, so I decided to send out *one* more digest (especially since some of it pertained to DataCrime - which should be history by the time I return). So now I'm on my way out the door. REALLY! :-) Ken ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 23 Oct 1989 Volume 2 : Issue 216 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Protection in Operating Systems GateKeeper vs. SAM Intercept (Mac) A new version of nVIR A (mac) I'm New - What do I do with all of this? (PC) SuperClock 3.5 Virus? (Mac) Virus Information on VAX/VMS? 1701/1704 Infection report - Switzerland (PC) New Virus From the Philippines (system unknown) Equivirulence Map ? Lode Runner Virus (Apple) --------------------------------------------------------------------------- Date: Fri, 06 Oct 89 22:17:00 -0400 From: WHMurray@DOCKMASTER.ARPA Subject: Protection in Operating Systems >I wouldn't say UNIX is virus-proof (I posted a hoax article about a >UNIX virus over a year ago, just before the Internet Worm incident), >but it's sure a hell of a lot more virus-resistant than DOS. It may be useful to compare UNIX with DOS. However, if you are going to do it, you should be a little more complete. In most implementations, UNIX is a multi-user multi-tasking system requiring a system manager or operator. Media is not in the hands of the end-user. It gets whatever storage it requires. DOS is a single-user single-tasking system designed to be operated by the user. Media is normally in his hands. DOS was originally designed to run, with an application, in under 64K. (Had it not been, we would not have a virus problem; we would not even have an industry.) It is not reasonable to expect them to manifest the same vulnerability to viruses, any more than they exhibit the same functionality. However, as it relates to viruses, the big difference between them today is the number and nature of uses and users. If UNIX were being used for the same things and by the same number of users as DOS, it would be just as vulnerable. >Better than changing OS to get better virus "resistance", why not >encourage the systems designers at Apple and IBM to implement >protection in their respective operating systems? Be careful what you ask for; you might get it. The vulnerability to viruses arises from our ability to write and share programs; All complete strategies for dealing with them must ultimately involve some restriction on those capabilities. While operating system functionality may be useful, I would rather reserve the decision over such fundamental choices to the end- user. Much of what appears to be vulnerabilities to viruses in DOS, e.g., the bootblock, are simply the virus designer exploiting a feature in the way that it was intended to be used. The bootblock is intended to give control to the program on the media. It operates the way that it was intended. It contains no surprises. The virus designer uses it as the obvious solution to the problem which confronts every virus designer, i.e., how to get control, how to get his program executed. In the absence of malice the mechanism would be beneath the users level of notice. In the presence of viruses, he must be careful what media he boots from and must avoid putting his media in machines already booted. In the absence of the feature, the virus designer would get his program executed in some other way. As a last resort, he would simply dupe users. We may decide that being able to switch programs by switching media is too dangerous a feature to have, but I am not ready to concede it yet. >I am sure that there are many complex issues facing a >company such as Apple, with regards to this problem, and changes at >the OS level to deal with viruses will, and probably should, be slow. Here we are clearly in agreement. >What users should be doing, is overtly pressuring computer >manufacturers to address this need at the OS level, and start buying >equipment from vendors who move in that direction. The only machines that fully address this problem at the OS level are "application machines" which do not present any ability to modify or install programs. Fred Cohen suggests that in a world of such machines we would still enjoy many, but not all, of the benefits of computers. I would assert that we would enjoy many, but not most, of those benefits. Indeed, the advantages of user programmability are so great that there is no chance that the readers will follow your advice, or that manufacturers would yield to any such pressure. In the end, it is not an operating system issue; it is an application issue. No matter what you do at the system layer, if you include user-programming at the application layer, then you are vulnerable to viruses. Even interpreted languages, such as REXX, BASIC, or key-board macro languages, which need not even know what system they will run in, can be used to implement viruses. William Hugh Murray, Fellow, Information System Security, Ernst & Young 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ------------------------------ Date: 06 Oct 89 18:52:50 +0000 From: chinet!henry@att.att.com Subject: GateKeeper vs. SAM Intercept (Mac) In article <0002.8910051142.AA12544@ge.sei.cmu.edu> ut-emx!chrisj@cs.utexas.edu (Chris Johnson) writes: [Stuff Deleted] >Furthermore, I gather that GateKeeper is significantly more >configurable than SAM insofar as it maintains a privilege list which >can be easily viewed and edited (I've never used SAM, so I don't speak >from first-hand experience on this point, but people assure me that >it's a *very* important difference in practice). I have used both GateKeeper and SAM Intercept and I prefer the latter. The main reason? When "something suspicious" happens, GateKeeper says "you can't do that!" then if you want to override, you must open the Control Panel select GateKeeper and set up the permission; with SAM Intercept, at the time of the happening you can allow the action once or LEARN the action then and there! >GateKeeper doesn't provide a virus-scanner, but with Disinfectant >available (also for free) it's not much of a problem. Agreed. But it is handy to be able to scan as soon as you pop in a floppy. VirusDetective DA is a good way to do this. >One other thing that makes GateKeeper unique in the world of Macintosh >anti- virus systems is that it keeps a log file that details exactly >what virus related operations have been attempted, when, by whom and >against whom. I only see this as being useful if you're trying to track the propagation of a virus, but then you have to allow the "suspicious action" which GateKeeper doesn't do (unless you gave permission, in which case it isn't logged!) >- ----Chris (Johnson) >- ----Author of GateKeeper I'm not trying to put down GateKeeper, if you want to fight viruses cheaply, it's a must! Keep up the good work Chris! Henry C. Schmitt Author of Virus Encyclopdeia Latest Version dated 6/8/89 H3nry C. Schmitt | CompuServe: 72275,1456 (Rarely) | GEnie: H.Schmitt (Occasionally) Royal Inn of Yoruba | UUCP: Henry@chinet.chi.il.us (Best Bet) ------------------------------ Date: 07 Oct 89 03:10:03 +0000 From: prieto@gem.mps.ohio-state.edu (Juan Pablo Prieto-Cox) Subject: A new version of nVIR A (mac) It seems that there is a new version of nVIR A, or at least that's what the program Disinfectant reported. I will try to explain what it did to my system. Unfortunately before I noticed that it didn't behave as the well known nVIR A I erradicated it with Disinfectant. After I run the infected program (a THINK C program) it changed the type of the files in the same folder (and folders therein) into a seemingly random type, taken from another file. That is, if you list the files by KIND under normal circumstances you would get THINK C as the kind, but after I run the infected program it changed the type to "vamos.c" that was just a file in the same folder. Upon further explorations with ResEdit I found in the Desktop file in the APPL resource a repetition. With Creator KAHL (as for all THINK C programs) but Application "vamos.c". I also found a resource of type =/VIR (for typographical reasons by =/ I mean the symbol for not equal). Remember that I had already ran Disinfectant. Does anyone have a clue? or a similar problem? Juan Pablo Prieto-Cox ------------------------------ Date: 06 Oct 89 14:56:54 +0000 From: eschner@mdcbbs.com Subject: I'm New - What do I do with all of this? (PC) I have a question that maybe others want to ask too: I am new to BBS'es. This is my first other than our company one, so I don't think that my PC at home is "bugged" (though I have bought some shareware disks). I find all of this talk about viruses facinating - and frightning. 1) How do I make sure I don't have any viruses on my machine, and 2) How do I remove any found viruses? Do I have to by programs, or are there some in public domain? Can they only be obtained from PC BBS'es, or over this network? Brian Eschner eschner@mdcbbs.COM ------------------------------ Date: Sat, 07 Oct 89 11:10:00 -0800 From: JOHN LOUCH <LOUCHA%CLARGRAD.BITNET@VMA.CC.CMU.EDU> Subject: SuperClock 3.5 Virus? (Mac) Is there a virus on superclock 3.5 for the macintosh. I would like to no since I own that program. Thanks, John Louch Loucha@clargrad.bitnet ------------------------------ Date: Sun, 08 Oct 89 12:18:00 -0400 From: The one and only RED MENACE!!! <CCSST%SEMASSU.BITNET@VMA.CC.CMU.EDU> Subject: Virus Information on VAX/VMS? To whom it may concern: I have been following the discussion on the possibility of a virus on the VAX/VMS. I am wondering if there is any more word on this particular topic? The reason I ask is because I am one of many users at Southeastern Massachusetts University that are concerned about the welfare of our VAX systems. As it turns out, I have submitted the information on possible VAX/VMS viruses to our SYSTEM MANAGER to inform him of the possible threat. If there is anynmore information, could you please send me the information? Thanks in advance, Scott Turbiner ------------------------------ Date: Mon, 09 Oct 89 03:40:00 +0100 From: Markus Fischer <FISHER%CGEUGE52.BITNET@VMA.CC.CMU.EDU> Subject: 1701/1704 Infection report - Switzerland (PC) Infection report from Geneva - Switzerland. =========================================== The Cascade 1701/1704 -B virus has been found in Geneva (Switzerland) this week. It is the first time I see infected machines in that city. At least two machines are infected. The diagnosis was made with VIRUSCAN V35. There is no doubt. It is possible that the infection is going outside the infected computer club, but we are not sure at the moment. I'll publish every interesting news. Fred Demole Disclaimer: ^^^^^^^^^^ "I am posting this through a friend's account. His consent to my use of his account in no way implies his consent to responsibility for the opinions expressed herein." /---------------- Fred Demole - Geneva (Switzerland) ----------------\ / ---------------------------------- \ | "I know my english is very bad... | fisher@sc2a.unige.ch | | Remarks are appreciated. | fisher@CGEUGE52.BITNET | | Congratulations too." | --------------------- | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ------------------------------ Date: 09 Oct 89 10:01:00 -0400 From: <USADS%EMUVM1.BITNET@VMA.CC.CMU.EDU> Subject: New Virus From the Philippines (system unknown) I have a user on campus who brought back a few disks from the Philippines and is now having problems with all of his disks. (hard and floppy) He states that all of his disks have bad tracks at the end of the disks, and he receives "can not load" messages when trying to load files from these disks. I know very little about viruses and would like to know where I can send a disk that I suspect might have a virus. I only have one copy of the disk that I believe is infected, and I don't want to send it to just anyone. Thank you Al Shelton Emory University MicroComputer Support 404-727-0816 ------------------------------ Date: 10 Oct 89 03:29:46 +0000 From: edvvie!eliza!johnny@relay.EU.net (Johann Schweigl) Subject: Equivirulence Map ? Has it ever been tried to verify the center of 'epidemic' virus attacks? What's in my mind is a map of the (PC)known world, splitted into area codes. Whoever catches a virus reports the type (if known), symptoms and number of occurences on the PC's he takes care of. One for the late night home hacker, lots for a company's support staff or universities. If a virus begins to spread, USENET data exchange should be faster than PD or pirated software exchange. Data could be collected at one site in a relational database, with reports sent every week (or so) to a new newsgroup (comp.virusmap)? Some questions arise: Do you think, that - the typical infection paths could be analyzed? - this information would be useful to us? - hyperproductive virus developers could be tracked down? - virus avoidance could be made more effective? - this would make any sense at all? If the answer is yes, any ideas how to deal with - the amount of data that should be expected? - the world could be organized into areas (no problem within a town, but I talk about something a little larger)? In my opinion future Virus defence has to be active and aggressive, not the passive sit-down-and-wait-for-somebody-developing-a-serum. There's lot of infomation in this group, but it has to be cross-referenced to be really useful and can be given to persons not in the USENET family. By the way, has anybody read Michael Crichton's 'The Andromeda Strain'? It's a evil book about a virus, just nothing to do with computers. Shoot the viruses to Pluto. Then, never trust software from there. Johnny - -- This does not reflect the | Johann Schweigl | DOS? opinions of my employer. | johnny@edvvie.at | Kind of complicated I am busy enough by talking | | bootstrap loader ... about my own ... | EDVG Vienna | ------------------------------ Date: Mon, 09 Oct 89 12:33:43 -0500 From: davidbrierley@lynx.northeastern.edu Subject: Lode Runner Virus (Apple) Here is a copy of a virus report posted on Info-Apple. The report, I believe, originally was posted on Compuserve by Brian McCaig. I would like to point out that subsequent messages on Info-Apple have indicated that Speedy Smith is not the primary carrier of the virus. I also have some questions. (1) Does any reader of VIRUS-L know if the French expression "non-destructeur" means "non-destructive" or "indestructible?" (2)Could anyone post a version of VIRUS.KILLER (source code follows the report) written in BASIC? (It could be posted here or to Info-apple@brl.mil) (3) Because the university does not import VIRUS ALERT I have not posted this report to it, for fear of replication. Could someone post this message to VIRUS ALERT if it has not appeared there already? - ------------------------------------------------------------------------- Well folks, here it is...installment number 3 in the Saga of the virus for the Apple II. First it was CyberAids, which wasn't all that great and was quickly defused. It was followed in June of 1988 by Festering Hate, a more sophisticated and deadly evolutionary offspring of CyberAids. F.H. spread rapidly throughout the Apple II world and was particularly insidious as it; infected (usually) the first .SYSTEM file in the root directory, usually Basic.System, would infect more than one file per disk, would infect files in sub-directories, and when it 'went off' would destroy all volumes currently on-line at the time. This included RAM disks and Hard Drives! By now, most of you are aware of Festering Hate and that there are several good virus detecting/protecting programs available that have virtually eradicated the FH virus. It is to the credit of the Apple II community in general, and selfless people like Glen Bredon that FH was halted before it got too out of hand. As a matter of fact it was the very vehicle that spread the virus so rapidly that was also responsible for its quick demise. After I did my initial research on FH last year I wrote a brief study of it and uploaded the study to most of the active BBS's in Canada and the U.S. I also sent copies to Glen Bredon and others who acted very quickly to develop the 'cures'. But it was the massive telecommunications network of Apple II users that spread the details so quickly and stopped FH. Now, number 3 virus has just appeared. Called, rather nostalgically, "LODE RUNNER", it is not quite as destructive as its predecessors but its a virus nonetheless. Here's what I've been able to pull together so far: SOURCE - Although we're not 100% positive it appears that the program called SPEEDY SMITH is the culprit. A recent import from France, Speedy Smith is one of the fastest copy programs for the IIgs. A full 800K disk copy takes about 50 seconds (without verification) to 70 seconds (with) using SS. It has an excellent SHR screen with 'thermometers' that indicate the copy's progress. Unfortunately the reason we cannot either convict or acquit SS is that its creators have seen fit to invent their own DOS. This DOS is not readable by standard Apple II sector editors such as the one in Copy II Plus. There are several reasons, however, for suspecting Speedy Smith. First SS's displays are in French and the virus's text screens are as well. When catalogued Copy II+ indicates that there are 292 used Prodos blocks, but adding up the individual files' blocks only totals 148. And lastly, what better vehicle for the spread of a virus than a copy program? HOW WAS IT DISCOVERED? - Lode Runner was discovered almost by accident by several members of the Apples BC Computer Society. Shortly after receiving several new disks of IIgs software, including Speedy Smith, one member found that his Test Drive II refused to run. This was followed by backups and originals of Space Quest I and Police Quest. At first it was thought that the member's IIgs was having hardware problems. But at the same time another friend from Eugene, Oregon contacted us about having seen a French hi-res screen appear on his monitor just before his Copy II+ disk was trashed. Not being Canadian he was only able to pick out the word "virus". Armed with this info and the 'damaged' Space Quest disks I spent a weekend checking things out. At the same time other friends in Oregon & California were independently analyzing infected disks. HOW DO YOU KNOW IF YOUR DISKS ARE 'INFECTED' - There are 4 ways of detecting Lode Runner: 1) When the virus "goes off" and erases your disk...not exactly the most desirable way, 2) If you have a copy of Space Quest I then you can use it to check all your disks. Boot any suspect disk and wait until the drive stops. Replace the disk with Space Quest and do the 3 or 4 fingered salute (OA-CTRL-RESET). NOTE: Keep Space Quest write protected so that it dosn't get screwed up. If Space Quest boots to the point where it asks you to press a joystick button then you can be pretty sure that the previous disk is OK. If Space Quest trashes with an error message (#206) then the previous disk is likely infected. If you DO get an infected disk then you MUST either power down your IIgs or run the self-test before continuing with your testing to clear the RAM as the virus seems to install itself there. 3) A better check (and much faster) is to boot Copy II+ and run the 3.5" Sector Editor. Do a read of Block 0000 (Track 00, sector 00, side 01). If the first 3 bytes are 01 A9 50 then the disk is infected. Those 3 bytes aren't the only bytes that are different but they are all that is necessary to identify the virus. 4) If you recall, last year during the Festering Hate panic it was noted that one of the best ways to have an Apple II virus was in BLOCK (0) on any Prodos disk. At that point, anticipating another virus, Guy T. Rice wrote a small virus detector/fixer. If you put this program into the SYSTEM/SYSTEM.SETUP folder on IIgs disks then it would automatically detect and correct modifications to Block (0). Now for LODE RUNNER this will also work.. that is, it WILL detect LODE RUNNER and it will try to correct Block (0). BUT, it appears that due to the method of spreading of LR Guy's program cannot correct it. Every time you boot the disk it'll give you the virus detect error. I think the reason for this is that LR installs itself in RAM upon bootup in preparation for infecting a new disk.. and the only way you can be sure that its gone is to either power down or run the self-test.. and since Guy Rice's program does an auto-reboot and corrects the block (0) all in one step then the RAM never really clears and the virus re-infects the disk. And since you cannot write-protect the disk it becomes a vicious circle. I am going to try to get these observations to Guy Rice in the hopes that he can modify his program. NOTE: Three other problems with using Guy's program: its no good for 5.25" disks, it only works with a IIgs and it only works with disks that are bootable. LODE RUNNER can infect ANY Prodos disk because it resides in one of the blocks created when a disk is formatted. There is a 5th way.. the friends in Eugene, Ore have written a Binary program to detect and disarm the virus and I will try to include it in this file when I upload it. The reason theirs is successful is that the detector is not part of the disk being checked and thus the "circle" is broken. METHOD OF SPREADING - As far as we can tell the virus is spread two ways: by being copied with a copy program and by booting an uninfected disk (using OA-CTRL-RESET) immediately after running an infected disk. NOTE: For a disk to be infected it must not be write-protected. The virus does NOT infect actual files so none of your files will look modified in either their file length or their modified date. The virus also does not search all drives, as did Festering Hate, so cannot be detected that way. Because it doesn't infect files it only infects one spot per disk and cannot destroy any sub-directories. Therefore your cannot get rid of the virus just by re-copying the files...the virus is actually part of the Prodos kernel created when the disk is formatted. WHAT HAPPENS WHEN IT "GOES OFF"? - To get Lode Runner to "go off" you must set your Control Panel's clock to the following: the MONTH must be October, the DAY must be an odd numbered day and the minute must be a number divisable by 8. Next you must boot an infected disk then boot (using OA-CTRL-RESET) any other disk. This second disk must NOT be write-protected or the virus won't activate. - Once the second disk is booted the virus will appear. Its a red screen with text characters as follows: +++ SYSTEM FAILURE in : +++ 08 and proceeds to count down to zero where the screen changes to another with a multi-colored scrolling background and the following text; 000E Copies. Distr:Artistes Associes === L O A D R U N N E R === Premier virus NON-DESTRUCTEUR sur IIGS par SUPER HACKER & SHYRKAN du MASTERS CRACKING SERVICE 1988 Lyon By the time you've read the first screen the disk that you just booted has been rendered useless. LR does not appear to erase more than the current disk and doesn't seem to affect 5.25" disks. Not being an expert in French I am unable to determine whether the phrase below the title means: "The first non-destructIVE virus for the IIgs" or "The first non-destructIBLE virus for the IIgs". This is a 'moot' point however as it DOES destroy one disk when it goes off. In addition, and I believe that the writers of LR didn't plan this, LR will destroy Space Quest 1 and Police Quest for the IIgs if they are booted AT ANY TIME after an infected disk.. and if they are not write-protected. It is not necessary for LR to "go off" for these programs to be rendered useless. I have only found these two that behave in this fashion but I am sure there are more.. likely most of the Sierra programs for the IIgs. ACKNOWLEDGEMENTS - As with the studies on Festering Hate there are many people who collaborated on the research for this virus. Many thanks go out to: APPLES BC members, Ross Woodhouse - for being so insistant that something WAS wrong. Pat Daley - for gathering data, programs and relaying info. EUGENE, OREGON users, Jack Stalcup - for accidentally setting the virus off because the battery in his IIgs was dead. And for sending the programs and keeping the communications alive. Neil Parker and Mike Suiter (sp?) - for analyzing LR and writing the detection/correction program. PLEASE upload this file and Virus.killer to all bulletin boards. Please tell everyone you know about this virus so that we can wipe it out as fast as Festering Hate. PLEASE.. if you find out any more information that is either not in these notes or that refutes any of these observations then let me know. I can be reached at (604)294-4471, 8:30am to 4:30pm Pacific time, Monday thru Friday up until September 30, 1989. I can also be either reached by answering machine or in person at home (604)947-9722 anytime. I will also be in attendance at Applefest in San Francisco Sept.22, 23, & 24th. Messages can also be left on Compuserve...to 76475,642 (>>>---Brian--->). >>>---Brian---> (Brian McCaig, Virus Busters) [Ed. Program deleted - please contact message author for copy.] ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 23 Oct 1989 Volume 2 : Issue 217 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Datacrime II (PC) Data on viruses in Brunnstein format? Re: Virus protection (PC) Operating System virus protection (DOS & UNIX) 0 bytes in 1 hidden file, virus? (PC) RE: IBM-PC virus scanning program from IBM Re: New Mac Virus Not In 'Moria' But in SuperClock (Mac) Re: New Mac Virus Not In 'Moria' But in SuperClock (Mac) Virus list popularity Re: The not-so-new virus (Mac) --------------------------------------------------------------------------- Date: Mon, 09 Oct 89 20:45:50 +0000 From: Alan Solomon <drsolly@ibmpcug.co.uk> Subject: Datacrime II (PC) In his article dated 5-10-89, Yisrael Radai says that he has discovered that Datacrime II does the low level format on every day between Jan 1 and Oct 12 except Sundays. I have a specimen of what I believe is Datacrime II. My analysis of it is different - it does the low level format on every day between October 13th and December 31st inclusive, except *Mondays*. Perhaps my specimen is different to the one that Yisrael is reporting? It certainly announces itself as "DATACRIME II", and matches the rest of his description in file size and avoidance of files whose second letter is "B" and infection of both COM and EXE files. Another possible explanation is that the date comparison has not been disassembled correctly by whoever did the disassembly, so could I ask that Yisrael check his specimen; if he is correct, then we have two Datacrime IIs. While on the subject of Datacrime in general, although the virus certainly exists, there has not been a single reported infection in the field in the UK, and I rather think very few indeed elsewhere. On the other hand, there seems to be a considerable tidal wave of media scare building up in the run up to October 13th. My advice to anyone who might be concerned is: work normally, take normal backups regularly using Dos BACKUP or any other back up utility. One thing that will happen is this: there are, say, 10 million PCs in the world. If the average computer lasts 10 years, 3650 days, then on average about 3000 computers go down per day; I've been deliberately conservative about these figures. There is no reason to suppose that October 13th will see significantly fewer of these normal failures. Please remember that computers fail all the time, for assorted non-virus reasons. Myself, and a number of other researchers, have noticed that there seem to be a number of viruses emerging that do not seem to exist in significant numbers (or indeed, perhaps at all) in the field. Could it be thet virus authors are writing viruses and sending them directly to the virus research community, so cutting out the middle man? Or is it that we are more alert now, and trap viruses before they get very far? Dr Alan Solomon Day voice: +44 494 791900 S&S Anti Virus Group Eve voice: +44 494 724201 Water Meadow Fax: +44 494 791602 Germain Street, BBS: +44 494 724946 Chesham, Fido node: 254/29 Bucks, HP5 1LP Usenet: drsolly@ibmpcug.co.uk England Gold: 83:JNL246 CIX, CONNECT drsolly ------------------------------ Date: 09 Oct 89 22:24:03 +0000 From: mpl@csd4.csd.uwm.edu (Mary Patricia Lowe) Subject: Data on viruses in Brunnstein format? I recently came across Fridrik Skulason's message to this news group from 10 July 89 detailing the Icelandic Virus in "Brunnstein Format". I was wondering if the 40 some other known viruses and their mutants are similarily cataloged and if this data is retreivable. Thanks, Patti Lowe .................................................................. mary patricia lowe computing services division mpl@csd4.csd.uwm.edu university of wisconsin - milwaukee ................................................................... ------------------------------ Date: 09 Oct 89 23:24:28 +0000 From: steve@ucsd.Edu (Steve Misrack) Subject: Re: Virus protection (PC) I was wondering if somebody could tell me where I can find program to detect machines infected with viruses. I would appreciate knowing where and how to get these programs. Thanks in advance, Steve smisrack@ucsd.edu [Ed. Start by taking a look at VIRUSCAN, available via anonymous FTP from the comp.virus archive sites (including ms.uky.edu).] ------------------------------ Date: 10 Oct 89 00:21:35 +0000 From: jlg%lambda@LANL.GOV (Jim Giles), jlg@lanl.gov (Jim Giles) Subject: Operating System virus protection (DOS & UNIX) Re: UNIX virus proof?! (UNIX) ficc!peter@uunet.uu.net writes: >I wouldn't say UNIX is virus-proof (I posted a hoax article about a >UNIX virus over a year ago, just before the Internet Worm incident), >but it's sure a hell of a lot more virus-resistant than DOS. How do you know? The only machines DOS runs on are PCs and compatibles. UNIX implemented on these machines would be just as vulnerable as DOS. The most obvious weaknesses of DOS are unimportant compared to the fact that the hardware itself has no protection mechanisms. ------------------------------ Date: 10 Oct 89 00:45:59 +0000 From: tasos@bu-cs.BU.EDU (Anastasios Kotsikonas) Subject: 0 bytes in 1 hidden file, virus? (PC) When I run CHKDSK it reports "0 bytes in 1 hidden files" and I am wondring if I have a virus. I have been unable to see a hidden file with 0 bytes with PCTOOLS or Norton Commander. I would appreciate any comments on how I could list all of the hidden files, or how does CHKDSK find hidden files (i.e. is it looking for the second bit set ?) Thanks, Tasos Internet: tasos@cs.bu.edu ------------------------------ Date: Mon, 09 Oct 89 18:30:06 -0400 From: Thomas Lapp <thomas@mvac23.uucp> Subject: RE: IBM-PC virus scanning program from IBM Regarding a recent message sent which reproduced an IBM internal memo about their VIRSCAN program: > September 29, 1989 > > The program tests executable files on disks for signature strings that > are found in some common DOS computer viruses. For each drive specified > it will also test the drive for boot sector viruses. > > VIRSCAN.EXE is the executable program. It will run under DOS 2.0, 2.1, > 3.1, 3.2, 3.3, 4.0 and OS/2* 1.0, 1.1, and 1.2. It will not support > OS/2 1.2 with high performance file system names. I used this program on some PC's at work last week. The program VIRSCAN is the executable, however it uses two other files to obtain the search strings and the message to be sent to the user if the search string is found. The search files are in ASCII and can be modified to include more virus strings as necessary. Obviously, greater the search string, the less likely there will be a false positive. Since it reports the number of files searched and number of disks checked, I suspect that this program would not be able to find those viruses which reside on sectors which are then marked bad. - tom - -- internet : mvac23!thomas@udel.edu or thomas%mvac23@udel.edu uucp : {ucbvax,mcvax,psuvax1,uunet}!udel!mvac23!thomas Europe Bitnet: THOMAS1@GRATHUN1 Location: Newark, DE, USA Quote : Virtual Address eXtension. Is that like a 9-digit zip code? ------------------------------ Date: 10 Oct 89 15:51:33 +0000 From: ut-emx!chrisj@cs.utexas.edu (Chris Johnson) Subject: Re: New Mac Virus Not In 'Moria' But in SuperClock3.5! In article <0009.8910062006.AA22699@ge.sei.cmu.edu> d9bertil@dtek.chalmers.se ( Bertil Jonell) writes: >Today when I had time to check the various downloads that had been occuring >during the last few days I found that the recource STR ID 801 appeared >in the document Clock Doc (a word document). I double checked this by Actually, the file *type* is 'WORD', but it's not a Microsoft Word document. The 'WORD' document type is specific to MacWrite files. Actual MS Word documents have a type of 'WDBN' and a creator of 'MSWD'. The creator for MacWrite files is 'MACA' (short for MacAuthor). >extracting it from the .sit archive again and examinig it directly >(On Cue from StuffIt to ResEdit). Since Stuffit and Resedit seems to be >clean from this and othe known viruses I can only assume that the virus >was there when Clock Doc was packaged! Incorrect assumption. First it must be established that there *is* a virus. >What I'm wondering now is: Is it confirmed that the STR ID 801 really *is* >a sign of a virus? Is there any chance that it is a legitimate resource? STR 801 *is* a legitimate resource in (at least) MacWrite versions 4.5 & 4.6. It's also likely to be valid in files created by versions as early as 3.0, and as late as 5.x. To quote from an old copy of Tech. Note #12 (February 20, 1986) "Disk Based MacWrite Format: "FONT MAPPING - In the document's resources is a resource of type STR with the ID #801. It contains a mapping of fonts to font resource IDs and information on real fonts. This resource begins with a word...." >(I've tested making new MacWrite documents with a locked copy, They have > resources this 'International Resource' and a STR resource ID 701, I think you mean STR 700 -- I don't know of any MacWrite format that uses a STR with an ID of 701. If you're curious, STR 700 contains the fifteen most commonly used letters in whatever language MacWrite happens to be set-up for. It's used as an encryption/decryption key for MacWrite's nibble-wise text compression scheme. >None of them have had a STR ID 801) Clock Doc comes with the >SuperClock! 3.5 INIT Recently posted to the comp.binaries.mac >newsgroup. I'm sorry for causing constenation by proclaming Moria as >a possible source, (Frankly, That .sit archive had been deleted so I >couldn't check it, But since the known infected machines both had >Superclock 3.5 installed within the last few days, Moria hav dropped >off the list of prime suspects) >- -bertil- > >Bertil K K Jonell @ Chalmers University of Technology, Gothenburg In conclusion, STR 801 is nothing to worry about, (1) because it's supposed to be there, and (2) because, *in and of itself*, it couldn't transmit a virus since no known program, and certainly no portion of the Mac Toolbox or OS, is going to try to load a STR resource into memory and execute it. All in all, from the evidence listed above, there's no reason to believe there's *any* form of virus present. Cheers, - ----Chris (Johnson) - ----Author of GateKeeper ------------------------------ Date: 10 Oct 89 21:12:25 +0000 From: isle@eleazar.dartmouth.edu (Ken Hancock) Subject: Re: New Mac Virus Not In 'Moria' But in SuperClock3.5! In article <0009.8910062006.AA22699@ge.sei.cmu.edu> d9bertil@dtek.chalmers.se ( Bertil Jonell) writes: [Garbage about finding a STR 801 resource in SuperClock 3.5 documentation] Since when does a STRING RESOURCE become a virus? Get real, folks. Ken Ken Hancock '90 | E-mail: (BITNET/UUCP/INTERNET) Computer Resource Center Consultant | isle@eleazar.dartmouth.edu - -------------------------------------+-------------------------------------- DISCLAIMER? I don't get paid enough to worry about disclaimers. ------------------------------ Date: Wed, 11 Oct 89 10:59:24 -0000 From: "David.J.Ferbrache" <davidf%cs.heriot-watt.ac.uk@NSFnet-Relay.AC.UK> Subject: Virus list popularity For the avid followers of statistics just a quick note from the September 89 USENET readership report, comp.virus now has: 14000 estimated readers worldwide, is received by 87% of all sites, averages 214 messages a month (352Kbytes), no crossposting to other groups, costs 4 cents per month per reader to distribute and is read by 2.7% of all newsreaders. [Ed. Thanks for the stats, David!] ------------------------------ Date: 11 Oct 89 17:18:24 +0000 From: Richard Kennaway <jrk@sys.uea.ac.uk> Subject: Re: The not-so-new virus (Mac) We have not seen any symptoms of the MacWrite-attacking MacWight virus at this site, but on seeing the messages about it, I started looking for STR 801 resources. I doubt if they have anything to do with the virus. A scan of my hard disc showed that something like half the MacWrite docs had STR 801 in them. There didnt seem to be any pattern in which files had STR 801 and which didnt. The STR 801s are not all the same size, BTW. Opening a file which did not have it with MacWrite4.6M had the effect of adding a STR 801. In response to a local enquiry, a colleague said: > I don't have all that many MacWrite docs. on my hard disc, but I managed > find a few that I created about two years ago. They had STR id. = 801 > resources. As far as I can remember, I haven't touched them since > Christmas '87 (other than copying the folder [that contains the folder ...] > that contains them, in the Finder, and running Disinfectant). > > I've also just looked at the MacWrite floppy that came with a new Mac+ > about two years ago. As far as I can remember this disc has been > languishing in its box since a day or two after the machine arrived: the > "Sample Memo" doc. on this disc also has a STR id. = 801 resource on it. I suspect that STR 801 is legitimately used by newer versions of MacWrite for its own inscrutable purposes. Disclaimer: only Apple or Claris can make a definitive pronouncement. Paranoid speculation follows. Maybe someone is using the Joker's trick. There could be several infected applications out there, all quietly spreading harmless-looking things like STR 801 that dont ring GateKeeper's alarms, but when they all come together in one application, the real virus is triggered... Plug for Virus Detective: with this it was easy to search for all files containing STR 700 (legitimate MacWrite resource) or STR 801. All the other virus detectors I've seen have the symptoms to look for hard-wired. I have no relationship with the author other than being a satisfied customer. - -- Richard Kennaway SYS, University of East Anglia, Norwich, U.K. Janet: kennaway@sys.uea.ac.uk uucp: ...mcvax!ukc!uea-sys!jrk ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 23 Oct 1989 Volume 2 : Issue 218 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Comments on IBM Virus Scanner (PC) Article pre-Datacrime New anti-viral software (PC) Yale / Alameda Virus (PC) Vacsina virus + Den Zuk virus. (PC) OHIO Virus (PC) Virus infection report (PC) Worms again.... (VAX/VMS) Want suggestions on how to delete virus (PC) --------------------------------------------------------------------------- Date: Thu, 12 Oct 89 11:41:49 -0400 From: Peter Jaspers-Fayer <SOFPJF%UOGUELPH.BITNET@VMA.CC.CMU.EDU> Subject: Comments on IBM Virus Scanner (PC) We got a copy of IBM's virus scanner. It is much like McAfee's SCAN, with these differences: - - It is out of date. McAfee's product is disseminated via network (a fact which is looked upon with scorn - or at least with distrust - by many corporate people) so it is very current. IBM's checks for 20+ viruses which are mostly fairly old, vs 40+ for John's program, some of them only weeks old. I feel this is an important point, as viruses CAN spread as fast as eMail. - - IBM's says it checks the "master boot" (partition) record. Does McAfee's? The documentation says so, but the 'running commentary' does not mention it. - - The 'characteristic code signatures' are in plain text, in separate, easily editable files. This allows one to easily add new viruses with any DOS text editor. So when you read (here for instance) that the new 'garble' virus can be located by scanning for '00486921FF' it is trivial to edit your copy of the table to add scanning for that type of virus. You can also use the same program in a 'grep-like' way to scan for any arbitrary string on the disk. (eg 'Copyright') To my mind, this has it's advantages and disadvantages. I like the idea of publishing 'code signatures', and having people configure their own scanners. Unfortunately, this also makes it easier for virus/modifiers to see how they are being caught (like bank robbers monitoring Police radio, I guess), and make small mods to make the virus 'undetectable' with that particular signature. I certainly have nothing against John and all the work he's done for us, but it seems to me IBM's way moves control into the hands of the people, and is more 'open' (gee, come to think of it, that's pretty strange, considering origin ;-) (N.B. 'smiley', IBM!) Any other thoughts on the pro's and con's of having the search strings in pain human-editable text? Could someone CC this to John McAfee and post his reply? /PJ How did a fool and his money ever get together in the first place? - Anon ------------------------------ Date: Thu, 12 Oct 89 12:17:31 -0400 From: "Bruce Guthrie" <BGU%NIHCU.BITNET@VMA.CC.CMU.EDU> Subject: Article pre-Datacrime [Ed. Well, this is a bit late, but...] "'Friday the 13th' Virus Bugging Computer Users" by Evelyn Richards Washington Post, pg E1, Oct 12 1989 Just a hair after midnight tonight, or soon thereafter, as unsuspecting computer users log on, malicious programs now lying dormant inside IBM and IBM-compatible personal computers will be unleashed to begin a reign of terror, scrambling the information stored on the computers' hard disk. Or so some computer-security experts say. Others believe such fears are nothing more than a false alarm. Whether the virus turns out to be a real threat or not, one this is certain--the prospect of a destructive virus attack tomorrow has sent thousands of computer users into a panic and turned up more news reports of the virus than actual sighting of the virus itself. An official at International Business Machines Corp., which is pooh-poohing the prospects of widespread havoc, reported yesterday that the firm is getting "more press calls than customer calls." And John McAfee, a computer security expert in Santa Clara, Calif., has taken to calling this "a media virus." McAfee, who spent yesterday dashing from one ringing phone to another, is reassuring callers that "nothing is going to happen. The virus is a phantom." But PC czars aren't taking any chances. The wheels of Washington have been busy grinding out warnings that the rogue computer program, best known as the "Friday the 13th" virus, could wrest control of a PC and effectively destroy months of information carefully stored within it. The General Services Administration and the Department of Veterans Affairs, for example, have distributed internal memos admonishing users to take certain precautionary steps, among them: backing up their data so that anything destroyed can be replaced, avoiding software programs obtained from friends or from public computerized "bulletin boards", and storing diskettes behind lock and key when they're not in use. Companies are taking similar precautions. In McLean [Virginia], Planning Research Corp. refrained from issuing a special advisory but instead put out the word at departmental meetings. "We thought it would be remiss not to warn people, but we also didn't want them to go overboard," said Jude Franklin, general manager of the technology division. Dennis Steinauer heads the computer security forces at the National Institute of Standards and Technology (nee the National Bureau of Standards), which issued an early advisory about the virus and is partly responsible for coordinating computer security throughout the federal government. Is Steinauer worried? "I'm leaving on Friday the 13th, and I haven't changed my plans," said Steinauer, who plans to attend a conference in Brussels. Steinauer isn't the only computer security expert who will be out of touch tomorrow. Some 2,300 such experts are gathered in Baltimore this week for their annual meeting. ------------------------------ Date: Thu, 12 Oct 89 12:50:24 -0500 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: New anti-viral software (PC) More anti-viral software. Datacure was sent to me from the Netherlands with the author's permission, the other three came from HomeBase. A note on the DataCrime virus. By the time most of you read this, Friday, October 13 1989 will have passed. Unfortunately this doesn't mean that the DataCrime worry is over. Please keep in mind that all the information I have indicates this virus is uncommon in all places except press reports. Nonetheless, better safe than sorry. Remember, DataCrime is set to go off ANY DAY between Columbus day and New Year's, not inclusive. So any latent infection could show up with unpleasant consequences. Now, on with the show... datacure.arc One program that will identify files infected with DataCrime and optionally cure them. A second memory resident program that will block the destructive effects of DataCrime and warn you. Only works on DataCrime II virus. Shareware. No version #. [ I was unable to get datacure.com to perform ] [ properly. I'm trying to find out why, and ] [ will post any updates. It isn't destructive, ] [ just ineffective. -- jrw ] dc89scan.arc A program to identify the DataCrime virus. This package was released largely as a bit of public relations for the company involved, but is useful despite this. Only works on the two strains of DataCrime I (1168 and 1280). Freely redistributable. No version #. scanrs42.arc Resident program which checks each program for viruses before it is allowed to execute. Update to previous version. Shareware. Version 0.9v42. scanv42.arc Program to scan a disk, directory or file for viruses. Will work with SHEZ to scan archives also. Update to previous version. Shareware. Version 0.7v42. DATACURE.ARC Detect and disable the DataCrime II virus DC89SCAN.ARC Detect the two strains of DataCrime I virus SCANRS42.ARC Resident program to scan for many viruses SCANV42.ARC Program to scan files for many viruses Jim ------------------------------ Date: 13 Oct 89 20:18:15 +0000 From: news@acsu.buffalo.edu Subject: Yale / Alameda Virus (PC) Has anyone heard of the Yale/Alameda virus, and know what it does? A friend here at school found 3 of his floppies (he's lucky he doesn't have a hard drive) infected with this by using Viruscan. Apparently it had only infected the hidden boot files so by using the SYS command he feels as if his is rid of it. The real question though is if this is a safe assumption, and how does it duplicate itself (ie, could it possibly be hidden in other files). Doug McKee @relay.cs.net:mckee@canisius.edu [Ed. Here's what I have (from Joe Hirst's list, which should be available from the documentation archive site(s)): 15. Yale - AKA Alameda, Merritt Boot virus - floppy only Type description: This virus consists of a boot sector only. It infects floppies in the A-drive only and it occupies 1K of memory. The original boot sector is held in track thirty-nine, head zero, sector eight. It hooks into INT 9, and only infects when Ctrl-Alt-Del is pressed. It will not run on an 80286 or an 80386 machine, although it will infect on such a machine. It has been assembled using A86. It contains code to format track thirty-nine, head zero, but this has been disabled. ] ------------------------------ Date: 15 Oct 89 07:50:12 +0000 From: munnari!minyos.xx.rmit.oz.au!s864292@uunet.UU.NET (F.S. Seow) Subject: Vacsina virus + Den Zuk virus. (PC) The IBM computer of a friend of mine, has just been attacked by Vacsina and Den Zuk simultaneously. Would anyone know where in Metropolitan Victoria, can my friend get the antidotes ( affordable commercial, shareware or public domain ) for these viruses ? Even better is there such a thing as an all-purpose-multi-virus antidote existing ? F.S. ------------------------------ Date: Mon, 16 Oct 89 11:33:00 -0400 From: <rwmira01%ULKYVX.BITNET@jade.Berkeley.EDU> (Rob Miracle) Subject: OHIO Virus (PC) Does anyone have any information on the Ohio virus? What does it do? How is it triggered etc? Any information would be helpful. Thanks in advance Rob Miracle - -- Rob Miracle | Bitnet : RWMIRA01@ULKYVX CIS: 74216,3134 Programmer/Analyst-II | INTERNET : rwmira01%ulkyvx.bitnet@cunyvm.cuny.edu University of Louisville | UUCP : ...psuvax1!ulkyvx.bitnet!rwmira01 "Greed Kills" -- Anton Devious ------------------------------ Date: Mon, 16 Oct 89 11:49:28 -0500 From: Bill Hobson <X043BH%TAMVM1.BITNET@VMA.CC.CMU.EDU> Subject: Virus infection report (PC) We had one lab hit at Texas A&M University in out Architecture department. Unfortunately, I found about it AFTER they low level formatted all of their hard disks. There are probably many student disks out there with the infections still present, but unfortunately I can't get my hands on them to find out what they had. It happened on THE DAY (Friday 13th), but there are two viruses that blow up on that day. I have personally eradicated the Jerusalem virus from two departments on campus, so I suspect that is it. More later as I find out more! ------------------------------ Date: Mon, 16 Oct 89 15:59:21 -0500 From: Gene Spafford <spaf@CS.PURDUE.EDU> Subject: Worms again.... (VAX/VMS) If you have not yet heard, another network worm incident is in progress. The following bits of information have been collected from multiple sources. I am mailing this so that people don't tie up the phone lines only to get the same information. The folks at SPAN & CERT will issue a report when more details are known. Please refer members of the press and other callers to the SPAN NIC @ (301) 286-7251. DO NOT have them call the CERT -- the folks there are busy enough as is right now, and they won't respond to questions without a need-to-know. The folks at DEC probably won't respond either -- if you can find anyone who knows what it happening in this incident. The folks at NASA will issue formal reports when appropriate. The story so far: Around 4:30 this morning, a worm program was found on machines in the SPAN network. The worm is apparantly similar to the worm that hit SPAN in December (on Christmas eve) in that it is spreading on Decnet and affecting VMS systems. According to a few of the people I talked with, it is not clear what the program is doing other than printing a message labelling the program as "Worms Against Nuclear Killers" and spreading to other machines. There are NO CONFIRMED reports at this time that the worm is doing damage to machines or data. If the worm is still spreading, it is spreading VERY slowly -- only about a half dozen machines have been detected as infected (so far). All of the appropriate authorities have been notified. CERT, DEC, NASA, & various Federal agencies are involved. The problem is being examined by experts in the area, and as soon as the situation is clarified, a public report will be issued. In the meantime, we can all help with the situation: * DON'T PANIC -- it is limited in scope and machine type. Unless you have a Decnet link to SPAN, your machine is in no danger, * Copies of the code are under analysis by experts, so fixes are undoubtedly on the way. If you run Decnet and installed the fixes last December, you are *probably* immune already. * Don't call the CERT, DEC or SPAN about this -- they'll be sure to release details when they are certain enough about them to be sure that they won't cause problems. * Refer any members of the press to the SPAN number. PLEASE be careful what you say to members of the press -- remember that the press doesn't understand the difference between DECnet, the Internet, VMS, Unix, etc, and we don't need another media scare about network invasions. - --spaf ------------------------------ Date: Mon, 16 Oct 89 20:29:26 -0400 From: Elizabeth Caruso <LIZBB%CUNYVM.BITNET@VMA.CC.CMU.EDU> Subject: Want suggestions on how to delete virus (PC) Today, our Novell LAN reported a hardware error when users tried to access programs stored on our File Server. At first we did not know it was a virus because the same programs would run for one user and not run for another. I had a feeling it might be a virus when I performed a Novell Netware command "NCOPY" and the screen messages where overwritten by characters that did not make sense. We decided to run "VIRSCAN" to check for viruses. 39 files where infected with the JERUSALEM virus including the "NCOPY" file. HAS ANYONE ENCOUNTERED THE JERUSALEM VIRUS ON THEIR LOCAL AREA NETWORKS? We would like to delete the infected files and replace them with clean copies but we don't know if this will be a correct action to take. Will recoping be enough or do we have to format our File Server? IF ANYONE HAS DELETED JERUSALEM FROM THEIR SYSTEM, (LAN OR PC SYSTEM) WE WOULD LOVE SOME ADVICE!!!! HOW DOES THIS VIRUS INFECT A SYSTEM AND SPREAD? ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 23 Oct 1989 Volume 2 : Issue 219 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: CERT_Advisory_Ultrix_3.0 CERT_Advisory_DECnet_WORM DECnet Worm on the loose Nuclear Killers? Quirks in shrink wrapped software (PC) Jerusalem Virus (PC) nVIR A help request (Mac) Disk Killer in Montreal (PC) nVIR problems Disk Killer in Montreal (followup) DARK AVENGER WARNING (PC) DARK AVENGER WARNING (PC) --------------------------------------------------------------------------- Date: Tue, 17 Oct 89 15:24:39 -0400 From: Edward DeHart <ecd@cert.sei.cmu.edu> Subject: CERT_Advisory_Ultrix_3.0 CERT Advisory October 17, 1989 DEC/Ultrix 3.0 Systems Recently, the CERT/CC has been working with several Unix sites that have experienced breakins. Running tftpd, accounts with guessable passwords or no passwords, and known security holes not being patched have been the bulk of the problems. The intruder, once in, gains root access and replaces key programs with ones that create log files which contain accounts and passwords in clear text. The intruder then returns and collects the file. By using accounts which are trusted on other systems the intruder then installs replacement programs which start logging. There have been many postings about the problem from several other net users. In addition to looking for setuid root programs in users' home directories, hidden directories '.. ' (dot dot space space), and a modified telnet program, we have received two reports from Ultrix 3.0 sites that the intruders are replacing the /usr/bin/login program. The Ultrix security hole being used in these attacks is only found in Ultrix 3.0. Suggested steps: 1) Check for a bogus /usr/bin/login. The sum program reports: 27379 67 for VAX/Ultrix 3.0 2) Check for a bogus /usr/etc/telnetd. The sum program reports: 23552 47 for VAX/Ultrix 3.0 3) Look for .savacct in either /usr/etc or in users' directories. This may be the file that the new login program creates. It could have a different name on your system. 4) Upgrade to Ultrix 3.1 ASAP. 5) Monitor accounts for users having passwords that can be found in the /usr/dict/words file or have simple passwords like a persons name or their account name. 6) Search through the file system for programs that are setuid root. 7) Disable or modify the tftpd program so that anonymous access to the file system is prevented. If you find that a system that has been broken into, changing the password on the compromised account is not sufficient. The intruders do remove copies of the /etc/passwd file in order to break the remaining passwords. It is best to change all of the passwords at one time. This will prevent the intruders from using another account. Please alert CERT if you do find a problem. Thank you, Ed DeHart Computer Emergency Response Team Email: cert@sei.cmu.edu Telephone: 412-268-7090 (answers 24 hours a day) ------------------------------ Date: Tue, 17 Oct 89 15:46:06 -0400 From: Edward DeHart <ecd@cert.sei.cmu.edu> Subject: CERT_Advisory_DECnet_WORM CERT Advisory October 17, 1989 "WANK" Worm On SPAN Network On 16 October, the CERT received word from SPAN network control that a worm was attacking SPAN VAX/VMS systems. This worm affects only DEC VMS systems and is propagated via DECnet protocols, not TCP/IP protocols. If a VMS system had other network connections, the worm was not programmed to take advantage of those connections. The worm is very similar to last year's HI.COM (or Father Christmas) worm. This is NOT A PRANK. Serious security holes are left open by this worm. The worm takes advantage of poor password management, modifies .com files, creates a new account, and spreads to other systems via DECnet. It is also important to understand that someone in the future could launch this worm on any DECnet based network. Many copies of the virus have been mailed around. Anyone running a DECnet network should be warned. R. Kevin Oberman from Lawrence Livermore National Labs reports: "This is a mean bug to kill and could have done a lot of damage. Since it notifies (by mail) someone of each successful penetration and leaves a trapdoor (the FIELD account), just killing the bug is not adequate. You must go in an make sure all accounts have passwords and that the passwords are not the same as the account name." The CERT/CC also suggests checking every .com file on the system. The worm appends code to .com files which will reopen a security hole everytime the program is executed. An analysis of the worm appears below and is provided by R. Kevin Oberman of Lawrence Livermore National Laboratory. Included with the analysis is a DCL program that will block the current version of the worm. At least two versions of this worm exist and more may be created. This program should give you enough time to close up obvious security holes. If you have any technical questions or have an infected system, please call the CERT/CC: Computer Emergency Response Team Email: cert@sei.cmu.edu Telephone: 412-268-7090 (answers 24 hours a day) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Report on the W.COM worm. R. Kevin Oberman Engineering Department Lawrence Livermore National Laboratory October 16, 1989 The following describes the action of the W.COM worm (currently based on the examination of the first two incarnations). The replication technique causes the code to be modified slightly which indicates the source of the attack and learned information. All analysis was done with more haste than I care for, but I believe I have all of the basic facts correct. First a description of the program: 1. The program assures that it is working in a directory to which the owner (itself) has full access (Read, Write,Execute, and Delete). 2. The program checks to see if another copy is still running. It looks for a process with the first 5 characters of "NETW_". If such is found, it deletes itself (the file) and stops its process. NOTE A quick check for infection is to look for a process name starting with "NETW_". This may be done with a SHOW PROCESS command. 3. The program then changes the default DECNET account password to a random string of at least 12 characters. 4. Information on the password used to access the system is mailed to the user GEMPAK on SPAN node 6.59. Some versions may have a different address. 5. The process changes its name to "NETW_" followed by a random number. 6. It then checks to see if it has SYSNAM priv. If so, it defines the system announcement message to be the banner in the program: W O R M S A G A I N S T N U C L E A R K I L L E R S _______________________________________________________________ \__ ____________ _____ ________ ____ ____ __ _____/ \ \ \ /\ / / / /\ \ | \ \ | | | | / / / \ \ \ / \ / / / /__\ \ | |\ \ | | | |/ / / \ \ \/ /\ \/ / / ______ \ | | \ \| | | |\ \ / \_\ /__\ /____/ /______\ \____| |__\ | |____| |_\ \_/ \___________________________________________________/ \ / \ Your System Has Been Officically WANKed / \_____________________________________________/ You talk of times of peace for all, and then prepare for war. 7. If it has SYSPRV, it disables mail to the SYSTEM account. 8. If it has SYSPRV, it modifies the system login command procedure to APPEAR to delete all of a user's file. (It really does nothing.) 9. The program then scans the accounts logical name table for command procedures and tries to modify the FIELD account to a known password with login form any source and all privs. This is a primitive virus, but very effective IF it should get into a privileged account. 10. It proceeds to attempt to access other systems by picking node numbers at random. It then used PHONE to get a list of active users on the remote system. It proceeds to irritate them by using PHONE to ring them. 11. The program then tries to access the RIGHTSLIST file and attempts to access some remote system using the users found and a list of "standard" users included with the worm. It looks for passwords which are the same as that of the account or are blank. It records all such accounts. 12. It looks for an account that has access to SYSUAF.DAT. 13. If a priv. account is found, the program is copied to that account and started. If no priv account was found, it is copied to other accounts found on the random system. 14. As soon as it finishes with a system, it picks another random system and repeats (forever). Response: 1. The following program will block the worm. Extract the following code and execute it. It will use minimal resources. It create a process named NETW_BLOCK which will prevent the worm from running. - ------- Editors note: This fix will work only with this version of the worm. Mutated worms will require modification of this code; however, this program should prevent the worm from running long enough to secure your system from the worms attacks. - ------- ============================================================================== $ Set Default SYS$MANAGER $ Create BLOCK_WORM.COM $ DECK/DOLLAR=END_BLOCK $LOOP: $ Set Process/Name=NETW_BLOCK $ Wait 12:0 $ GoTo loop END_BLOCK $ Run/Input=SYS$MANAGER:BLOCK_WORM.COM/Error=NL:/Output=NL:/UIC=[1,4] - SYS$SYSTEM:LOGINOUT ============================================================================== - ------- Editors note: This fix might only work if the worm is running as SYSTEM. An earlier post made by the CERT/CC suggested the following: $ Run SYS$SYSTEM:NCP Clear Object Task All ^Z You must then edit the file SYS$MANAGER:STARTNET.COM, and add the line CLEAR OBJECT TASK ALL AFTER the line which says SET KNOWN OBJECTS ALL This has the side-effect of disabling users from executing any command procedure via DECnet that the system manager has not defined in the DECnet permanent database. - --------- 2. Enable security auditing. The following command turns on the MINIMUM alarms. The log is very useful in detecting the effects of the virus left by the worm. It will catch the viruses modification of the UAF. $ Set Audit/Alarm/Enable=(ACL,Authorization,Breakin=All,Logfailure=All) 3. Check for any account with NETWORK access available for blank passwords or passwords that are the same as the username. Change them! 4. If you are running VMS V5.x, get a copy of SYS$UPDATE:NETCONFIG_UPDATE.COM from any V5.2 system and run it. If you are running V4.x, change the username and password for the network object "FAL". 5. If you have been infected, it will be VERY obvious. Start checking the system for modifications to the FIELD account. Also, start scanning the system for the virus. Any file modified will contain the following line: $ oldsyso=f$trnlnm("SYS$OUTPUT") It may be in LOTS of command procedures. Until all copies of the virus are eliminated, the FIELD account may be changed again. 6. Once you are sure all of the holes are plugged, you might kill off NETW_BLOCK. (And then again, maybe not.) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ------------------------------ Date: Mon, 16 Oct 89 21:10:00 -0700 From: "Richard Johnson" <JOHNSON_RJ@CUBLDR.COLORADO.EDU> Subject: DECnet Worm on the loose PLEASE NOTIFY ALL YOUR SITES...THERE IS A WORM ON THE LOOSE WITHIN THE DECNET INTERNET What we know: It is called W.COM and moves by generating psuedo random node numbers. It contains a set of default names like SYSTEM, FIELD, etc, it gets more user names from rightslist.dat and apparently (we don't know for sure) tries username = password to gain access. It attempts to access your node via both the default DECnet account/TASK 0 and a list of 81 canned userid's If successful on your node, it will change the passwords of accounts it has broken into and attempt to start up a batch job to continue its quest. It runs AUTHORIZE and generates a listing of your usernames. To this list, it appends 81 other userid's it will try. It then tries to penetrate each account in it's list using both a null password and the userid as the password. If an account is penetrated then the worm runs under the penetrated account and do the following: o submit a batch job to attack other nodes o changes the user's password o sends a confirmation banner to a central node What you can do quickly to protect yourself: - -- disable TASK 0 if you have it running - -- make sure that the DECnet account's UAF record does not have access to BATCH - -- make sure that the DECnet account UAF record has /PRCLM=1 set - -- protect SYS$SYSTEM:AUTHORIZE.EXE so that WORLD has NO access - -- Create an empty W.COM;32767 in the DECnet Default account and protect - -- WATCH FOR PROCESSES BEGINNING WITH "NETW_" - -- Use "NCP> SHOW KNOWN LINKS" command to show your connections, then verify your "local users" to ensure that they are not running in BATCH mode - if so, it's a possible penetration. *NOTE THESE MEASURES DO NOT PROTECT AGAINST USERS WHO HAVE THEIR PASSWORDS THE SAME AS THEIR USERID'S. More details to follow. Ron Tencati SPAN Security Manager (301)286-7251 ------------------------------ Date: Tue, 17 Oct 89 00:16:00 -0400 From: "Barry L. Newton" <NEWTON@ENH.NIST.GOV> Subject: Nuclear Killers? At risk of pointing out the obvious, the "Nuclear Killers" reference in the current SPAN worm echoes items from this morning's news about protesters in Florida attempting to disrupt the launch of a *nuclear powered* shuttle payload. Seems they're afraid of a Challenger-like disaster spreading plutonium over half the state. With all due respect to NASA, I'd probably be worried myself if I lived nearby. Barry L. D. Newton Standard disclaimer applies ------------------------------ Date: Tue, 17 Oct 89 10:12:00 -0500 From: Beware of programmers bearing screwdrivers! <TUCKER@UNLVAX3.BITNET> Subject: Quirks in shrink wrapped software (PC) Just yesterday, as I was installing Lotus Freelance Plus, I began to notice inconsistencies between Copyright registration procedures and safe anti-virus practices. The following is extracted from the manual "Getting Started" on page 1-9. " Step 1. Run FL_FIRST The FL_FIRST program validates your copy of Freelance Plus. All users must run this program before backing up or using the Freelance Plus diskettes. " Because this registration step involves writing the user and company name to the original master, it is necessary to write-enable the disk and put it in the machine. However, being at the head of the anti-virus campaign for the university, I noticed that this really doesn't allow for safe security practices. ALL documentation that I have read or written to defend systems against viruses suggests that all shrink wrapped software be write-protected and backed up before that software is installed on the system, thereby insuring that you will have at least one copy of everything that isn't infected by a virus. Assuming that my system has viruses, then I could safely say that there is a good chance my Lotus Freelance Plus masters are also infected. Thanks Lotus for your insight on making my system secure... Gregory Tucker- Microcomputer Assistant UNL Computing Resource Center Bitnet: tucker@unlvax3, tucker@unoma1, tucker@unlvax1 Internet: tucker@crchpux.unl.edu, tucker@engvms.unl.edu Noisenet: (402)472-5761 Snailnet: 326 Administration Lincoln, NE 68588-0496 ------------------------------ Date: Tue, 17 Oct 89 13:38:00 -0500 From: <CTDONATH%SUNRISE.BITNET@VMA.CC.CMU.EDU> Subject: Jerusalem Virus (PC) Can anyone give details about what the Jerusalem Virus does? It's floating around a PS/2 cluster here, and I want to know how dangerous it really is. It seems to delete files one at a time on Friday 13, becomes memory resident, slows down the system slightly, and occasionally puts a black spot on the screen. I would like details without having to dissect a copy of it... ------------------------------ Date: 18 Oct 89 16:48:29 +0000 From: david@CS.UCLA.EDU (David Dantowitz) Subject: nVIR A help request (Mac) I found the MAC nVIR A on a disk using some of the MAC virus detection tools, but can't get rid of it (using disinfectant). Another program warns me that I have a problem with file: ZSYS MACS -- System -- System folder David David Dantowitz david@cs.ucla.edu "Curb your dogma" ------------------------------ Date: Fri, 20 Oct 89 03:11:12 -0400 From: RREINER%YORKVM1.BITNET@VMA.CC.CMU.EDU Subject: Disk Killer in Montreal (PC) Three 5.25" DSDD floppies in my possession are reported by ViruScan 0.7V42 to be infected with the Disk Killer virus. Since my system is reported to be clean by ViruScan, and these were the disks I had with me on a recent visit to Montreal, I am assuming that that is where the infection came from. I am in the process of notifying the owners of the machines with which these disks had contact, and will post again when the source is identifed. Alan Roberts' statement in VIRUS-L of 26 Sept 89 is the only information I have been able to find on Disk Killer. Any info will be appreciated. Richard J. Reiner . BITNET ...... rreiner@vm1.yorku.ca ..... (daily) .. .................... old BITNET .. rreiner@yorkvm1 .......... (daily) .. .................... Internet .... grad3077@writer.yorku.ca . (daily) .. .................... Compu$erve .. 73457,3257 ............... (rarely) . ------------------------------ Date: 20 Oct 89 08:25:05 +0000 From: atama@blake.acs.washington.edu (Kakogawa) Subject: nVIR problems We have a network in the Microcomputer lab with more than 20 Macintoshes connected to it. We have been experiencing a severe bout of nVIR. It is usually nVIR-A or nVIR-B infecting the system or finder of the startup diskettes. It has also spread, we believe, extensively among users before we were alerted to it. The problem: We were told that the DA VirusDetective did not always detect the viruses probably. I haven't checked this personally. We started using SAM ... in the meanwhile because disinfectant crashed the multifinder periodically. Today we found that a diskette was reported by disinfectant to be virus-free BUT SAM ... reported it as being infected and we had it "repair"ed using SAM.... I have forgotten the full name for the antiviral program SAM.... Can anyone who is better informed enlighten us a) Why Disinfectant(V 1.2) didn't warn us? b) Is SAM whatever it is, better or is it just seeing ghosts (unlikely?)? c) We have Vaccine on the network. Why did it not alert us at the beginning? Actually, we caught on because vaccine eventually warned us. By that time so many diskettes and the network itself had become infected that we had it shut down. d) Is it true that the DA VirusDetective is not as fully reliable (at least for nVIR strains) as it should be? Soma Consultant, Microcomputer lab Health Sciences Building, UW PS. Please respond as completely as you can. If you feel this is a legitimate concern please respond on the net. If someone has already done it, but you have alternatives/insights please respond by e-mail. I'll summarize if I get any/many good replies. Thanks for your time. ------------------------------ Date: Sat, 21 Oct 89 00:41:30 -0400 From: RREINER%YORKVM1.BITNET@VMA.CC.CMU.EDU Subject: Disk Killer in Montreal (followup) I have now confirmed that the virus I reported in VALERT-L this morning is indeed Disk Killer. The boot sector signature, and the message texts stored elsewhere on the disk, match those reported in VIRUS-L on 26 September by Alan Roberts. There is one discrepancy: while Alan reports that the message texts are stored at sector 152 (presumably decimal) on floppy disks, on the infected disks in my possession they are at sector 354 decimal (0x162). This may therefore be a new strain. I have not yet been able to trace the source of the infection; I will post again if I succeed. Richard J. Reiner . BITNET ...... rreiner@vm1.yorku.ca ..... (daily) .. .................... old BITNET .. rreiner@yorkvm1 .......... (daily) .. .................... Internet .... grad3077@writer.yorku.ca . (daily) .. .................... Compu$erve .. 73457,3257 ............... (rarely) . ------------------------------ Date: Sat, 21 Oct 89 18:35:16 -0700 From: portal!cup.portal.com!Alan_J_Roberts@SUN.COM Subject: DARK AVENGER WARNING (PC) A number of disturbing reports about scanning systems infected with the Dark Avenger virus have just been substantiated by Kevin Harrington at U.C. Davis and Morgan Schweers in Glen Cove N.Y. It seems that the virus infects any and every executable file that is opened for read or write. Thus, if a system is scanned by VIRUSCAN or IBM's VIRSCAN, the virus begins an uncontrollable infection of the system, resulting in corruption of virtually everything in the system. This turns what might have been a modest disinfection task into a total nightmare. VIRUSCAN version 45 has corrected this problem by checking for the active virus in memory before attempting to do a system scan. Dave Chess and Art Gilbert at IBM have been made aware of the problem (according to John McAfee) and a fix for their VIRSCAN program should be forthcoming. If you are using either of these products please get the fixed version before scanning any system suspected of harboring this virus. If you are unable to do this, then scan only a floppy diskette first. This will risk only the files on your floppy. If you have a "clean" system master, then of course re-boot first to start from a clean system. The problem most infected installations have, however, is finding a guaranteed clean system disk, so proceed cautiously. The safest thing, again, is to use the updated versions of these programs. Alan Roberts ------------------------------ Date: Sat, 21 Oct 89 18:46:28 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: DARK AVENGER WARNING (PC) ViruScan (version 43 and below) and Virscan (IBM's scanning program) SHOULD NOT BE USED if a Dark Avenger infection is suspected. These programs cause an uncontrollable spread of the virus when they are used. The virus infects every executable file when the files are opened. Both of these programs open ALL executables, thus the virus saturates the system when it is scanned. VIRUSCAN version 45 has fixed this problem, and IBM will, presumably, issue a new Virscan version shortly. Kevin Harrington of U.C. Davis and Morgan Schweers of Glen Cove, NY have reported that scanning systems infected with this virus have turned what would have been a moderate disinfection task into a monumental problem. If anyone does have this virus, the M-DAV disinfector on HomeBase will remove it and repair the damage. The board number is 408 988 4004. Alan ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Tuesday, 24 Oct 1989 Volume 2 : Issue 220 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: The Power to Look Your Stupidest... (Mac) Not-equals VIR Resource (Mac) RE: IBM-PC virus scanning program from IBM (PC) Dark Avenger and scanners (PC) Re: 0 bytes in 1 hidden file, virus?? (PC) Viruses in archives (PC) init29: data->application?(Mac) Viral susceptivity of UNIX vrs MS-DOS Ohio Virus (no system given) Creating a virus free boot disk (PC) Re: /VIR ([not-equal-to-sign]VIR) App Signature (Mac) Re: The DataCrime viruses (PC) It can happen to anyone :-( (PC) --------------------------------------------------------------------------- Date: Mon, 23 Oct 89 11:17:31 -0400 From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV> Subject: The Power to Look Your Stupidest... (Mac) Some significant facts: 1) Careful testing of SuperClock 3.5 (including dissection via ResEdit) turns up no - repeat, NO - viruses of any kind from any source I can get it from. 2) STR 801 in a MacWrite file is OK and is in fact normal. 3) No further developments have been heard. Can you please tell us more, if anything? 4) Has anyone actually gotten to see this supposed virus? If you have a copy, will you PLEASE send it to John Norstad, or your favorite author of anti-virals? I apologize abjectly to those who may have been misled by *my* contributions. Networking means having to say you're sorry to LOTS of people :-(. --- Joe M. ------------------------------ Date: Mon, 23 Oct 89 11:24:14 -0400 From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV> Subject: Not-equals VIR Resource (Mac) A Not-equals-VIR resource on your disk or in your Desktop file just means that you ran the Interferon program at some point and haven't removed it or rebuilt your Desktop file lately. Nothing to worry about. --- Joe M. ------------------------------ Date: 23 Oct 89 00:00:00 +0000 From: CHESS@YKTVMV.BITNET Subject: RE: IBM-PC virus scanning program from IBM (PC) Thomas Lapp <thomas@mvac23.uucp> writes: > Since it reports the number of files searched and number of > disks checked, I suspect that this program would not be able to find > those viruses which reside on sectors which are then marked bad. All the viruses that I've heard of that live even partially in bad sectors are boot-sector viruses; the "initial hook" of the virus is written to the boot sector, and that hook then reads the rest of the virus off of some sector elsewhere on the disk (which was marked bad in the FAT at initial infection). The IBM virus scanner (and the McAfee one, and probably others) scans boot records to detect this type of virus. In general, a virus has to arrange to get executed; the viruses we've seen so far do this either by modifying executable files, or by modifying the boot record of a disk or diskette. So scanners for known viruses that scan executable files and boot records are looking in the right places! A "virus" that just marked a sector as bad and wrote itself there, without altering the boot sector or any other executable object, would never get executed... DC ------------------------------ Date: 23 Oct 89 00:00:00 +0000 From: CHESS@YKTVMV.BITNET Subject: Dark Avenger and scanners (PC) (This is in reply to Alan Roberts' warning about the Dark Avenger and scanners in VALERT-L.) The recommended procedure for using the IBM Virus Scanning Program includes, I'm pretty sure, cold-booting the machine from a trusted boot diskette before running the scanner. This will keep the "spreads to all files on the disk" from happening, since it will mean that the virus isn't in control when the scanner runs. It's also a bit of a pain, but it may be worth it. If another virus like the Dark Avenger appears, and you run a scanner that doesn't know about it, without cold-booting first, you could end up with an entire disk full of infected files, and not even know it! This isn't really a bug in the scanners that needs to be "fixed". Any program that opens many many files can have the same effect when an infect-on-open virus is active. This includes virus scanners, anti-virus programs that compute check-values for your executables to let you know what's changed, backup programs, GREP-like programs, and so on. It would certainly be a nice enhancement if the scanners also scanned RAM before going to the disk, but even that won't solve the general problem (since an infect-on-open virus not known to the scanner can still be spread to the entire disk, unless you cold-boot before scanning). DC ------------------------------ Date: Mon, 23 Oct 89 11:09:00 -0500 From: <ACSJNF%DEPAUL.BITNET@VMA.CC.CMU.EDU> Subject: Re: 0 bytes in 1 hidden file, virus?? (PC) In reference to CHKDSK's message about 0 bytes in 1 hidden file, if I remember correctly, CHKDSK is probably registering the volume label, in which case PCTOOLS does show it (at the top of the screen, instead of in the file listing). Try installing the system onto the disk (i.e. SYS A:), and then run a CHKDSK. It should register xxxxxx bytes in 3 hidden files, where xxxxxx depends on the version of the system that you are using. Respectively, the hidden files should be: IBMBIO.COM -- Contains the BIOS routines IBMDOS.COM -- Contains the DOS routines (volume label) IBMBIO.COM and IBMDOS.COM will appear in the PCTOOLS window. They will probably have the HIDDEN, SYSTEM, and READ-ONLY bits on. It may also have the ARCHIVE bit on. Joel N. Fischoff Software Support/Technician DePaul University, Chicago, IL ------------------------------ Date: Mon, 23 Oct 89 14:25:00 -0600 From: CHRISTOPHER%GACVAX1.BITNET@VMA.CC.CMU.EDU Subject: Viruses in archives (PC) Are there any programs currently available that will check for viruses within an archive file? I am familiar with the SHEZ program and how it can be used with VIRUSCAN to scan archives, but SHEZ un-arcs the archive file before running VIRUSCAN. My question is, does a program exist or could one be developed that searched for signs of an archived and infected program? I can see two big problems with this immediately. First, each different archiving algorithm will archive a virus (call it X) differently. An ARCed X will be different from a ZIPed X will be different from a ZOOed X, etc. Secondly, say that virus X attaches itself to the end of COM files. Will the output (archived file) of an archiving algorithm translate virus X into the same byte sequence every time? For example, program A is infected and becomes AX. Is arc(AX) (archived AX) the same as arc(A) + arc(X) and is arc(BX) the same as arc(B) + arc(X)? I inquire because I have archived programs/software, and I would like to know if programs in archives are infected without de-archiving them (at last count I had over 100 .ARC files) and then SCANing them as SHEZ does. Christopher Kane <CHRISTOP@GACVAX1.BITNET> ------------------------------ Date: Mon, 23 Oct 89 10:55:45 -0700 From: jim@insect.Berkeley.Edu Subject: init29: data->application?(Mac) INIT29 is a "popular" :-) new Macintosh virus that has the unusual property of being able to infect data files, as well as applications. QUESTION: If a diskette that CONTAINS ONLY DATA FILES, which are infected by INIT29, is accessed by an uninfected application residing on a clean diskette, can the virus spread to the clean disk? (Prior to INIT29, I had been advising my users that if they go to Kinko's they would be safe if they took only their data diskette. But if a data infection can spread to their application disks, this would not be good advice.) Anyone got the REAL answer? Jim Bradley, CNR Computer Facility, UC Berkeley ------------------------------ Date: Mon, 23 Oct 89 16:15:00 -0800 From: Steve Albrecht <ALBRECHT@CALIPH> Subject: Viral susceptivity of UNIX vrs MS-DOS in: VIRUS-L Digest V2 #217 Subject: Operating System virus protection (DOS & UNIX) Re: UNIX virus proof?! (UNIX) jlg@lanl.gov (Jim Giles) writes: >>I wouldn't say UNIX is virus-proof (I posted a hoax article about a >>UNIX virus over a year ago, just before the Internet Worm incident), >>but it's sure a hell of a lot more virus-resistant than DOS. > >How do you know? The only machines DOS runs on are PCs and compatibles. >UNIX implemented on these machines would be just as vulnerable as DOS. >The most obvious weaknesses of DOS are unimportant compared to the fact >that the hardware itself has no protection mechanisms. Assuming everyone means "MS-DOS" when using the common acronym "DOS"... Every UNIX implementation on 80286/386 processors that I've seen uses the Intel Protected Mode. If used properly, this provides process isolation. This alone is a great security improvement over MS-DOS. File system security can be provided similarly by using memory-mapped rather than i/o mapped devices. Their are a few UNIX implementations which run on 8088-based PCs. It is true that hardware support for process isolation and file security are lacking in off-the shelf IBM PC and PC/XT-type machines. The rarity of such machines running UNIX is a wonderful defense against viruses, however. The fact remains that most users of PC/AT and 386-based machines use MS-DOS which, now in its 4th major version, is still incapable of using Intel Protected Mode. Thus, Peter's original statement is fully justified. MS-DOS is (also) an easier target than UNIX because of its simplicity and easy access to technical information. While UNIX internals are also widely available, they are written for more sophisticated readers. The multitudinous flavors of UNIX also inhibits low level attacks. MS-DOS is is a sitting duck (such being the price of standardization). As an aside, I abhor the idea of anyone promulating "virus hoaxes" or other forms of terrorism. As I lack complete understanding of Peter's claim to have "posted a hoax article about a UNIX virus over a year ago", I will resist further comment on this distasteful subject. (::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::) ) Steve Albrecht - IntelliCorp, Inc. - Knowledge Systems Product Development ( ( "Opinions expressed here are my own, if anyone's, and not my employer's." ) ) DDS albrecht@intellicorp.com : COMPUSERVE 73657,1342 ( ( UUCP ...!sun!intellicorp.com!albrecht : public bbs (415)969-5643 ) ) or ...!sun!icmv!albrecht : "c"omment to sysop ( (::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::) ------------------------------ Date: 23 Oct 89 14:13:01 +0000 From: wsinrn@urc.tue.nl (Rob J. Nauta) Subject: Ohio Virus (no system given) Hello everybody I'm back on a new usercode. If you still have my old one (RCSTRN@HEITUE51.BITNET) please replace it by this one, as my bitnet account expired sept. 1st. I have a question. I recently found the Ohio Virus on a disk. I've never heard of it, who knows more about it? Thanks in advance Rob J. Nauta wsinrn@eutrc3.UUCP wsinrn@urc.tue.nl ------------------------------ Date: Mon, 23 Oct 89 22:24:09 -0400 From: Dave <consp12@bingvaxu.cc.binghamton.edu> Subject: Creating a virus free boot disk (PC) In regards to the already-resident-virus problem(disinfecting), I follow a fairly easy procedure... Do a low-level format of a new disk.. Take your original(Write-protected, of course) dos and sys the disk.. add command.com and your favorite virus scanner.. This is something that you should do BEFORE you are infected... You have to be sure that your scanner is clean.. Now write protect the disk and tuck it away somewhere.. If you think you're infected, shut down and boot from your floppy.. Now you have no resident virus's.. I don't trust mem-res scanners, myself.. Dave Hoelzer @sunyB.. CONSP12@bingvaxa ------------------------------ Date: Tue, 24 Oct 00 19:89:02 +0000 From: biar!trebor@uunet.UU.NET (Robert J Woodhead) Subject: Re: /VIR ([not-equal-to-sign]VIR) App Signature (Mac) In: VIRUS-L Digest Monday, 23 Oct 1989 Volume 2 : Issue 216 prieto@gem.mps.ohio-state.edu (Juan Pablo Prieto-Cox) writes: >I also found a resource of type =/VIR (for >typographical reasons by =/ I mean the symbol for not equal). Remember >that I had already ran Disinfectant. Does anyone have a clue? or a >similar problem? You may have a new nVIR strain (I would appreciate copies of infected files), but =/VIR is the application signature of my Interferon program. This is not the first time this has come up, and in retrospect it may have been a bad choice. Just FYI: =/VIR Interferon VIRx Virex (early versions) VIRy Virex (more recent versions) Robert J Woodhead, Biar Games, Inc. !uunet!biar!trebor | trebor@biar.UUCP Announcing TEMPORAL EXPRESS. For only $999,999.95 (per page), your message will be carefully stored, then sent back in time as soon as technologically possible. TEMEX - when it absolutely, postively has to be there yesterday! ------------------------------ Date: 24 Oct 89 09:13:11 +0000 From: jr@ncrsecp.Copenhagen.NCR.dk (Jakob Riis) Subject: Re: The DataCrime viruses (PC) In article <0002.8910062006.AA22699@ge.sei.cmu.edu> David.M..Chess.CHESS@YKTVMV writes: >> DC-2 does it on any day >> between Jan 1 and Oct 12, except on Sundays! >That's not true for the sample that I've seen. I suspect someone's >just misreading the code (it's easy to do; that area is rather >convoluted). It could be a new variant, of course, but if it really >*did* do its damage between Jan 1 and Oct 12, wouldn't it have >basically Gone Off by now? I think your source is just misinformed. You might both be right ! The de-assembled code I've seen shows that its fairly easy to trim DCII to go off anytime you would like it - in fact you can de-arm it yourself by setting the day check equal 8 ! (but I guess I would rather re-install the original programs). If I don't remember wrong the newly dreaded Columbus day Virus was such a re-programming of DCII. Just my 2 cents worth, _____________________________________________________________________________ Jakob Riis | Jakob.Riis@Copenhagen.NCR.dk NCR Corporation | or Systems Engineering Copenhagen | ..!uunet!mcvax!dkuug!ncrsecp!jakob.riis - --------------------------------------------------------------------------- ! A plucked goose doesn't lay golden eggs ! - --------------------------------------------------------------------------- ------------------------------ Date: Tue, 24 Oct 89 11:18:37 GMT From: frisk@rhi.hi.is (Fridrik Skulason) Subject: It can happen to anyone :-( (PC) Well - now I know of one victim of the Datacrime-II virus ..... myself. :-( Last Tuesday I was demonstrating how any known virus could be stopped with my anti-virus program. Unfortunately I had forgotten that it was not installed at the time :-( So, when I ran a program infected with DataCrime-II, I just got the message DATACRIME II Bye bye hard disk...... I turned the computer off, but when I turned it on again the computer would of course not boot from the hard disk, but instead jumped into BASIC. When I booted from a diskette, the computer would not even admit that drive C: existed. It sounds bad, but this took only a few minutes to fix, simply by... ... formatting track 0 with correct parameters ... running NDD and everything was back to normal again. phew ! -- frisk [Ed. NDD = Norton Disk Doctor, right?] ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Tuesday, 24 Oct 1989 Volume 2 : Issue 221 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: Gatekeeper false alarm? (Mac) Re: SAM vs. Gatekeeper (Mac) RE: Superclock non-virus... (Mac) Re: INIT 29 question from Jim Bradley... IBM Virus Scan program (PC) Virus source available in Toronto IBM's Virscan Program (PC) VIRUSCAN test (IBM PC) --------------------------------------------------------------------------- Date: 23 Oct 89 21:27:20 +0000 From: ut-emx!chrisj@cs.utexas.edu (Chris Johnson) Subject: Re: Gatekeeper false alarm? (Mac) In VIRUS-L Digest V2 #217, Richard Kennaway (kennaway@sys.uea.ac.uk) writes: >Paranoid speculation follows. Paranoia, being a disease, is an inherently bad thing. What follows is, I believe, an unfortunate illustration. >Maybe someone is using the Joker's trick. There could be several >infected applications out there, all quietly spreading harmless-looking >things like STR 801 that dont ring GateKeeper's alarms, but when they >all come together in one application, the real virus is triggered... More likely, there's no virus *at*all*. I do believe this is pure paranoia. Further, there's a good reason that things like STR resources look harmless: they are. Period. They aren't executable, so they don't get executed. In and of themsleves they are *utterly* harmless. The end. For a virus to spread executable code has to move. Although *no* anti-virus scheme is perfect, that is exactly the kind of thing that Gatekeeper watches for. There's no such dichotomy as "real virus" versus un-real virus - either it is a virus, or it isn't. That means that this "Jocker's trick" is essentially nonsense - in order for the "harmless-looking things like STR 801" to spread there has to be a real- live virus *doing* the spreading - a virus which, in all probability, systems like Gatekeeper will stop. >Plug for Virus Detective: with this it was easy to search for all files >containing STR 700 (legitimate MacWrite resource) or STR 801. All the >other virus detectors I've seen have the symptoms to look for >hard-wired. I have no relationship with the author other than being a >satisfied customer. Philosophical Point: The problem with tools is that the users have to under- stand how they work, what they do, and how to use them. A failure of the user on any of these points results in the tool being unable to accomplish its intended purpose. Virus Detective is a fine tool, but it's not being correctly employed here. Sure enough, most MacWrite files have STR 700 and 801 resources, but just because Virus Detective will allow a person to discover this, *doesn't* in any way indicate the presence or involvement of a virus. Like any tool Virus Detective can be used correctly or incorrectly -- in this case it is being used in an incorrect manner, since the key issue, whether or not there is any reason to believe a virus is involved, has been sidestepped. Virus Detective is now merely serving as a tool to "confirm" baseless fears and assertions. Gatekeeper being more a "system" than a "tool", is less prone to feeding wild speculation, since it has its own means of identifying the presense of a virus and, as a result, does not require that the user be a skilled Mac programmer capable of searching out and analyzing would-be new viruses. Of course, Gatekeeper is fallible... but that usually means that users are merely required to tell it what *isn't* a virus, rather than having to search out new viruses from scratch like searching for needles that may-or-may-not be hidden in hay stacks. STRs 801 and 700 are good examples of strands of hay mistaken for needles. Returning to Gatekeeper, the symptoms are not quite "hard-wired". Gatekeeper's philosophy is, basically, that if a virus can't move, add, modify or delete executable resources (there are about 24 types), then it can't spread. And a virus that can't spread isn't really a virus anymore. Of course, you'll still want something like Disinfectant to remove the effectively sterilized virus. The list of executable resources is certainly not hard-wired - it's easily edited by following the instructions in the on-line help. The type of monitoring that Gatekeeper does *is* hard-wired, but in order to establish that this is a problem, a way must first be found to spread a virus without moving, adding, modifying or deleting executable resources. In short, the hard-wired aspects of Gatekeeper are not a problem - they are *fundamental* protections. This is why Gatekeeper has been able to stop every Mac virus discovered to date, including totally new viruses like ANTI and INIT 29 which were developed *after* Gatekeeper was written. I should add that Gatekeeper's security system has not had to change since it was first released on 2-Jan-89, precisely because it is such a fundamental approach to stopping viruses. Gatekeeper isn't perfect - no anti-virus system is - but it's very good. I, personally, tend to be a bit defensive with regard to Gatekeeper because I've observed a number of misconceptions that do it sad injustices, while johnny-come-lately packages like SAM and the Virex INIT, etc. are heralded as the first and only fundamental solutions to the Macintosh virus problem. Since Gatekeeper was discussed here in a misleading manner I thought it was important to try to put an end to, at least, the misconceptions illustrated here. As to the alleged MacWrite virus - paranoia tends to spread... and I've seen a number of postings to other newsgroups from people scared because they've discovered perfectly normal STR resources in their MacWrite documents. This never should have happened. The fact is, the burden of proof is on he who asserts the positive. Yet, for all the talk about this new virus, there's still been no offer of proof of the virus's existence. Nonetheless, the paranoia spreads due to these baseless assertions. If there's some proof, we *need* it and blessings upon whoever provides it, but, for lack of that proof, this discussion should have been terminated long ago. Given that there's been a delay in the VIRUS-L news recently, maybe this discussion has already died, and I've ranted on needlessly. I certainly hope that's the case. - ----Chris (Johnson) - ----Author of Gatekeeper - ----chrisj@emx.utexas.edu ------------------------------ Date: 23 Oct 89 22:09:00 +0000 From: ut-emx!chrisj@cs.utexas.edu (Chris Johnson) Subject: Re: SAM vs. Gatekeeper (Mac) In VIRUS-L Digest V2 #216, Henry C. Schmitt writes: >I have used both GateKeeper and SAM Intercept and I prefer the >latter. The main reason? When "something suspicious" happens, >GateKeeper says "you can't do that!" then if you want to override, >you must open the Control Panel select GateKeeper and set up the >permission; with SAM Intercept, at the time of the happening you can >allow the action once or LEARN the action then and there! The reason Gatekeeper does not bring up a custom dialog that would let the user allow an operation, is neither sloth, nor indifference to the plight of the user. The reason is *compatibility*. Apple will guarantee that the Notification Manager, which Gatekeeper uses to display its alerts, will be compatible with virtually all software and will certainly be compatible with all future versions of the System. SAM's custom dialog may break in future releases of the System - or it may not. For myself, I can't think of any method that's worth the risk. Since the author of SAM probably had support from Apple DTS, he may have been provided with techniques that would make a safe implementation possible. I, regrettably, have no real access to DTS (becoming a registered developer requires money I just don't have). If anyone at DTS would be willing to offer some advice on safe ways of approaching the custom-alert problem, I'd *love* to hear it. (Hint, hint.) :-) One other point though (and please correct me if I'm wrong), I've been told that SAM doesn't provide a way to view all of the privileges that have been granted to various applications, let alone a method of editing them. If this is the case, I have to view it as a far greater problem with SAM, than on-the- fly configuration is with Gatekeeper. If someone using your machine inadvert- antly or unwittingly clicks on the LEARN button when a virus attack is detected, your copy of SAM will have been programmed to let a virus attack succed in that case, and you'll probably never find out. Like I said, though, please correct me if I'm mistaken. On the subject of the Gatekeeper Log file: >I only see this as being useful if you're trying to track the >propagation of a virus, but then you have to allow the "suspicious >action" which GateKeeper doesn't do (unless you gave permission, in >which case it isn't logged!) Depends what you mean by "propagation." If you mean the successful spread of a virus, then yes, Gatekeeper won't tell you much simply because it won't permit the spreading to occur in the first place. :-) But consider what the log file *does* do for you... it will tell you where all of the infection attempts originated from, when they started, what characterized the infection attempt, and it'll even tell you whether or not your machine was booted on a floppy disk and infected that way. Furthermore, if you're a person attempting to quickly gain an understanding of a virus' infection mechanism, running Gatekeeper on a test machine in its "notify only" mode will give you an immediate run-down on how the virus works. Also, each virus has its own "signature" - even when Gatekeeper stops the virus' spread - in the log file. It is easy, for instance, to tell INIT 29 from Scores merely by looking at the records of their failed attempts at infection as recorded in the Gatekeeper Log. This makes it equally easy to indentify both new strains of existing viruses, and totally new viruses. The log file provides an incredible amount of documentation that can be, I believe, extremely useful in protecting an individual or an entire corporation from the influx of viruses. >I'm not trying to put down GateKeeper, if you want to fight viruses >cheaply, it's a must! Keep up the good work Chris! > > Henry C. Schmitt Thanks! Gatekeeper 1.2 is in the works. In the same spirit, I'm not trying to put down SAM - I'm just trying to make sure that Gatekeeper gets full credit where it's due. - ----Chris (Johnson) - ----Author of Gatekeeper - ----chrisj@emx.utexas.edu ------------------------------ Date: Tue, 24 Oct 89 08:32:07 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: RE: Superclock non-virus... (Mac) Superclock (in the general case) is not a virus. It is a legitimate cdev that displays the current time-of-day in the upper right hand corner of your Mac's screen. The current version is 3.5 (although I thought I saw a 3.6 yesterday). It is more likely that the "Superclock" virus is simply an occurance of (if I have to pick one) the INIT 29 virus, or a strain therof. Superclock is not a stand-alone application; it is a "control panel device" that is loaded into RAM at start-up. In the MS-DOS world, Superclock would belong to the class of applications called "TSR"s (Terminate and Stay Resident). In the Macintosh world however, cdev's (and their sister's RDEVs (Chooser devices) and INITs (classic TSRs)) contain their code in resources called (appropriately) INIT. Classic Macintosh viruses (such as nVIR and strains, Scores, Peace, and ANTI) infect code in CODE resources. Only INIT 29 infects code stored in INIT resources. Another possibility is that the "Superclock" virus is a wholly new strain. While this is not impossible, I find this less likely. The Mac is a not as easy a machine to program and acquire expertise on as MS-DOS platforms. Consequently, there is simply a smaller number of potential virus-writers (proportionally) than in the MS-DOS world. David M. Gursky Member of the Technical Staff Special Projects Department, W-143 The MITRE Corporation ------------------------------ Date: Tue, 24 Oct 89 08:50:37 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: Re: INIT 29 question from Jim Bradley... In Virus-L V2 #220, Jim Bradley asked if an application on a clean disk opened a data file infected with INIT 29, would the application then become infected. No. While INIT 29 is capable of infecting data files, the virus is "dormant" essentially. Code in INIT resources is only executed at startup, and no other point. Data files infected with INIT 29 only represent a threat to your system if they are kept in the same folder as your System and Finder files. ------------------------------ Date: Tue, 24 Oct 89 11:09:00 -0400 From: "Gerry Santoro - CAC/PSU 814-863-4356" <GMS@PSUVM.BITNET> Subject: IBM Virus Scan program (PC) I like the fact that the IBM virus scanning program reads its strings from an ASCII file provides the capability for updating this program for new viruses. (I still like McAfee's SCAN program too, and would recommend that a user have BOTH, just to be safe.) My question, are there any plans to add updated virus scan strings to the IBM virus scan data file and have this string file available on one of the anti-virus servers? This could help a lot of people avoid duplication of effort. - ----------------------------------------------------------------------------- gerry santoro, ph.d. *** STANDARD DISCLAIMER *** center for academic computing This posting is intended to penn state university | represent my personal opinions. gms @ psuvm.psu.edu -(*)- It is not representative of the gms @ psuvm.bitnet | thoughts or policies of anyone ...!psuvax1!psuvm.bitnet!gms else here or of the organization. (814) 863-4356 ---- "I yam what I yam!" ---- - ----------------------------------------------------------------------------- ------------------------------ Date: Tue, 24 Oct 89 12:01:49 -0400 From: Russell Herman <rwh@me.utoronto.ca> Subject: Virus source available in Toronto Disassembled source code for the PC virus producing a bouncing ball onscreen just appeared on a major Toronto BBS. It does not appear to be quite correct, nor will it assemble nonfatally with either MASM 5.1 or TASM 1.0.1 (small comforts). Furthermore, the comments are in Portugese, although the file was dubbed "italiano.asm". Now the world has been given the template for an infector (sigh). [Ed. The book "Computer Viruses: A High Tech Disease", published by Abacus, contains several (functional) source code examples, in various languages on various hardware/software platforms, of viruses. This book is readily available in bookstores and from the publisher.] - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Russ Herman | Internet: rwh@me.utoronto.ca | University of Toronto Comp. Sys. Mgr. | UUCP: uunet!utai!me!rwh | Dept. of Mech. Eng. (416)978-4987 | | 5 King's College Rd. (416)978-7753fax| | Toronto, ON M5S 1A4 Canada ------------------------------ Date: Tue, 24 Oct 89 12:38:00 -0400 From: <90_PENNYPAB@UNION.BITNET> Subject: IBM's Virscan Program (PC) I just subscribed to this list, so this posting may be redundant. Bear with me... I worked for IBM over the summer and had a chance to take a look at their VIRSCAN program, which others have discussed on this list. Unfortunately the version I used is listed as "IBM Internal Use Only", meaning that It is only to be used for IBM related purposes. According to the Forums I read on the IBM network while working there, VIRSCAN is supposed to be one of the better programs for detecting known viruses. What I would like to know is if there is a similar version of this program available to the general public, and if so how to get a copy of it. Also, if a public version of this program is available, how are updates to the virus signature files (SIGFILE.LST and SIGBOOT.LST for VIRSCAN) kept up to date, if they are at all? Bruce Pennypacker 90_PENNY@UNION.BITNET 90_PENNYPAB@GAR.UNION.EDU ------------------------------ Date: Tue, 24 Oct 89 07:41:08 -0700 From: portal!cup.portal.com!cpreston@Sun.COM Subject: VIRUSCAN test (IBM PC) These results apply to versions through V38. The current version at this time is V45. Changes are made at least once per week, it seems, to keep up with new viruses, and I finished the work about the time this digest went off for a couple weeks. VIRUSCAN, for the IBM PC, from McAfee Associates, was tested using 23 actual viruses or strains of virus. These included boot or partition viruses such as Stoned, Ping Pong, and Brain, and .COM or .EXE viruses such as Datacrime (1168, 1280, Datacrime II) Jerusalem, Icelandic (several varieties) and Fu Manchu. In each case, with two exceptions (noted below) VIRUSCAN correctly identified the viruses after they had infected programs or disks, and located all instances of infection in all subdirectories of the hard disks. One version of the program, before V35, failed to detect the 405 virus, but this was corrected in later versions. Suriv 300, a Jerusalem variant, was not detected in an .EXE file, but was caught in a .COM file. Based on the testing I did, VIRUSCAN appears to be a well-written and effective program for locating specific known viruses, and is a very useful part of an anti-virus program. Next question: How good are scanning programs? There seems to be a perception, at least as written in several sources, that scanning for known viruses is the weakest method of detecting viruses. This is probably based partly on the assumption that the slightest change in a virus will defeat the effort to detect it using byte strings. Experience shows that minor changes are frequently made to microcomputer viruses. Perhaps the most freqent change is to imbedded, non-encrypted, text strings. Changes are also made to the infection trigger or activation conditions or dates. Obviously, changes can be made to any virus to defeat any particular scan string. This has already occurred in the Macintosh world, but most changes made so far have been on the same level of difficulty as changing ASCII strings. Inspection of a search string in VIRUSCAN and/or its location in the virus code can show that a particular search string is not based on imbedded text, and that changing the text will not interfere with detection. A number of viruses were checked for this. Also, it is easy to determine that text added to a boot sector in the Yale/Alameda virus, for example, to make it look more like a normal boot sector would not interfere with its detection. If the search string used in the scanning program is at a different location than the added text, it won't interfere. On other changes, I found that with a partial disassembly, or one that was perhaps incorrectly interpreted by me, changes to what appeared to be an infection trigger did not replicate with the virus, or did not cause the anticipated change in virus behavior. For this reason, it seemed more efficient, and probably more accurate, just to make a common type of change to a virus, and test VIRUSCAN again. Each virus was modified by patching it, making minor changes in the executable code on the disk. Each modified virus was allowed to infect at least one other program to produce a second generation virus. The final infected program was inspected and run to ascertain that the modification was correctly transmitted with the virus. This established that there was a viable new strain of virus. VIRUSCAN was run to see if it still found the modified virus. - -------- Viruses modified and detected by VIRUSCAN version 0.5V34 or later versions through V38. -Virus name- -Type of modification- Ping Pong boot Virus (Italian) Activation window time was increased Jerusalem Virus - Version D Activation date changed 1280 Virus (Datacrime) Activation (destruction) date changed 1168 Virus (Datacrime) Activation (destruction) date changed Vienna (DOS 62) Virus - Version A Manipulation task to move 5 bytes to corrupt infected program was changed. 405 virus Changed to seek and infect hidden files - ------------- Conclusion: A well-chosen search string for a virus can survive at least some of the common changes to viruses that are made as they pass through different hands. A good scanning program can provide better protection than it might appear at first glance. VIRUSCAN is available from BIX, CompuServe, and other sources, including the Homebase BBS, at 408-988-4004. On Homebase, the latest version is SCANV45.ZIP. Disclaimer: I am a computer security consultant and have been working with PC and Macintosh microcomputer viruses and anti- virus products for about 18 months. I have no obligation to John McAfee except to report the outcome of the tests. Information Integrity is a member of the Computer Virus Industry Association, which is operated by John McAfee. Charles M. Preston 907-344-5164 Information Integrity MCI Mail 214-1369 Box 240027 BIX cpreston Anchorage, AK 99524 cpreston@cup.portal.com ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Wednesday, 25 Oct 1989 Volume 2 : Issue 222 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: VIRUSCAN/VIRSCAN Issues (PC) Free Catalog Disk Infected (PC) Protecting Your User's Disks (Mac) New virus in Israel (PC) You're not alone; DataCrime infection report (PC) possible virus infection (PC) Re: 0 bytes in 1 hidden file, virus? (PC) The not-so-new virus (Mac) Re: VIRUSCAN test (IBM PC) Jerusalem Virus Version B detected (PC) --------------------------------------------------------------------------- Date: Tue, 24 Oct 89 11:12:03 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: VIRUSCAN/VIRSCAN Issues (PC) The following is a forwarded message from John McAfee: ============================================================================= A number of people have commented on the "closed" architecture of VIRUSCAN and the encryption of the individual search strings used for virus identification. Some users feel that this is done in order to maintain a "monopoly" in the scanning industry and to keep competitors from using the same strings. I would like to put that concern to rest, if possible. First, as many users will have noticed, the earlier versions of SCAN had all strings available for anyone who cared to look at them. The users who wished merely to scan for viruses merely noticed them, shrugged (really - what value is it to the average user?), and went on. The folks who seemed to take notice of the strings were those few crackers who used the strings to change the virus segments referenced by the strings. This has happened seven times in three months, the most recent being the New Jerusalem virus discovered by Jan Terpstra and Ernst Baedecker in the Netherlands. The virus is identical to the Jerusalem-B, with the exception of the string changes that SCAN originally referenced. What this does is invalidate all of the work done to date on identification of the Jerusalem-B. To make it more difficult for crackers to get around the scanning process, I've done two things: 1. encrypt the strings (I know that this merely slows down the determined cracker, but it does deter the casual cracker - of which there are many). and 2. I use multiple strings for the more mutable viruses. In addition, I have taken to randomly changing strings for different versions of scan. None of this was done to deter competition. In fact, as Art Gilbert and Bill Vance at IBM should agree, I co-operate fully with competitors in providing virus samples, infection trends, market information and (possibly unwelcome) suggestions for improvements and points to watch out for in the more troublesome viruses. I even provide my string lists to any legitimate competitor who asks for them. I just don't provide them to the public, and I'm not sure the public really would be served by knowing the binary string sequences I use to identify a given virus. I response to the comments that IBM's open string list will make it easier for users to update the files themselves - I absolutely agree. There's a lot to be said for the flexibility and control that such an approach brings. But, ignoring the problem crackers for the moment, we will have to ask - who is going to update the string files? Is it each user? If so then chaos will ensue. I can categorically say that the average user is incapable of taking a live virus sample and creating a valid search string for that virus. The problems are immense. First, many viruses are written in C, PASCAL or other higher level language. Unless you are familiar with the actual code generated by the compiler runtime library and the canned compiler output sequences, you will have dificulty separating the origin virus code from the same code that you will find in hundreds or maybe thousands of other similarly compiled programs. Second, the string segments must have a unique "style" that will avoid false alarms with similar styled programs. For example, choosing a long string of register saves as an identifier will guarantee false alarms with other programs. The user will also have to know something about the infective characteristics of the virus as well. Does it only infect the partition record, or the boot sector? Does it infect overly files? Which ones? etc. All in all it is a task that most user shouldn't have to face. So we can agree, I think, that the strings will havee to be done by competent programmers with a fair amount of virus experience if it is to work. The question then is - which programmers? Who will set the standard. If there is no standard, then again, chaos results and which version of the strings swhould we use? My feeling is that the IBM approach works well for researchers, but that the general public should use only the strings that IBM produces (or someone that IBM should designate). So much for my soap-box for the day. We survived the earthquake out here. We were 6 miles from the epicenter, but we must have been on a standing wave since we suffered only moderate damage. My cat slept through the entire event (though, admittedly, he only normally wakes for 15 minutes at breakfast and 20 minutes at dinnertime). Have a good day. John McAfee ------------------------------ Date: Mon, 23 Oct 89 19:21:00 -0500 From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU> Subject: Free Catalog Disk Infected (PC) My friend just received, and I now have in my posession a free disk from a Shareware copying company, which he received after he sent in a "bingo" card from a popular computer magazine. The disk has three infected files on it: 1) GETKEY.COM 3074 bytes 01-01-80 12:35a 2) CL.COM 3457 bytes 08-01-86 02:39p 3) LIST.COM 7871 bytes 06-17-86 02:37p SCAN version 0.7V42 reports as follows: GETKEY.COM - 3066/2930 TRACEBACK VIRUS CL.COM - 3066/2930 TRACEBACK VIRUS LIST.COM - FU MANCHU VERSION A GETKEY.COM and CL.COM are in the disks ROOT directory. CL.COM appears to a hidden file, as it is not seen when you do a DIR from the DOS prompt. LIST.COM is in the subdirectory \ORD. To be fair to the company which sent the disk, I will mention their name here, as in all probability, they do not know the disk is infected. No sense creating another major problem... The disk label is designed as follows: 1989 COMPANY NAME CATALOG *************************** P.O. xxxx HESPERIA, CA 92345 MAY VIEW OR PRINT CATALOG & ORDERFORM TO START CATALOG . . . A>START The disk has one subdirectory on it named \ORD which contains 8 files. The ROOT directory contains 25 files. My friend spotted the fact that LIST.COM is in both the ROOT and the sub-directory and the file sizes differ. Also, since he did not know the company, he ran SCAN as a precaution. If Dave Chess at IBM or Mr. McAfee wants a copy of this disk, please let me know...by EMAIL. I have gone to great lengths to not identify the company to avoid any problems. Also..please note this disk WAS NOT sent to the university, nor was any damage done to any of the university equipment. I hope I have given you all enough information to identify the disk, if you happen to receive one. The disk was not unsolicited, in other words, the disk was requested by my friend and the magazine has nothing to do with this issue, at this point in time. ------------------------------ Date: Tue, 24 Oct 89 15:32:00 -0500 From: "Thomas R. Blake" <TBLAKE%BINGVAXA.BITNET@VMA.CC.CMU.EDU> Subject: Protecting Your User's Disks (Mac) >(Prior to INIT29, I had been advising my users that if they go >to Kinko's they would be safe if they took only their data diskette. >But if a data infection can spread to their application disks, >this would not be good advice.) > >Anyone got the REAL answer? Well, I assume they're going to Kinko's to print. (Yes/No?) I'd say if they write-protect their diskettes they have no need to worry. Macintosh viruses will not spread to write-protected diskettes. Thomas R. Blake SUNY-Binghamton ------------------------------ Date: Tue, 24 Oct 89 19:32:37 +0200 From: "Yuval Tal (972)-8-474592" <NYYUVAL@WEIZMANN.BITNET> Subject: New virus in Israel (PC) A new virus was found here in Israel. I didn't know whether to call it: The Do Nothing Virus or The Stupid Virus. The author (which is as usually known) put an infected program on one of the BBSs in Israel. The program was an infected program which my friend wrote BUT it claimed to be a new version (eg. my friend's latest version was 3.4 and the one on the BBS was 4.0). He quickly downloaded this file and he found out that it is infected with a virus. After checking this virus he and I got to one big conclusion. The author of this virus probably doesn't know assembly so good. You can see this quite clear: -The virus tries to push only one byte into the stack. -The virus is copied always to location 9800:100h this means that it will work only on computers 640KB. The virus doesn't reduce the amount of memory (like other viruses such as Denzuk, Ping-Pong etc'). The virus is copied and that's it! Turbo Pascal, for instance, may use this location as heap and the virus may be erased from memory. Another thing, this virus infects only the first .COM file on the directory. It doesn't check if the file is already infected or not, it just infects it. This virus does nothing besides infecting the file, no damage at all! This is why I called it The Do Nothing Virus. Here is a report I made. I may change it a bit here and there.. - -------------------------------------------------------------------------- Entry................: The Do Nothing Virus Alias(es)............: The Stupid Virus Virus detection when.: 22-October-1989 where.: Israel Classifications......:.COM file infecting virus/extending. Length of virus......: 583 bytes add to file. Operating system(s)..: MS-DOS Version/release......: 2.0 or higher Computer model(s)....: IBM PC,XT,AT and compatibles Identification.......: .COM files: The first 3 bytes of the infected files are changed. System: The virus copies itself to 9800h:100h. Type of infection....: Extends .COM files. Adds 583 bytes to the end of the file. The virus copies itself to 9800:100h. This means that only computers with 640KB may be infected, hooks int 21 and infects other programs by scanning the directory until it finds a .COM file. It is infected upon function Fh and 3Dh. .EXE files are not infected. Infection trigger....: The first .COM file of the current directory is infected whether the file is infected or not. Interrupts hooked....: Int 21 Damage...............: None. Damage trigger.......: Whenever a file is opened. Standard means.......: Lots of programs such as Turbo Pascal use this area And the virus may be erased... Acknowledgment: Location.............: The Weizmann Institute Of Science, Rehovot, Israel Documented by........: Yuval Tal (NYYUVAL@WEIZMANN.BITNET). Date.................: 25-October-1989 - ------------------------------------------------------------------------------- - -Yvual Tal ------------------------------ Date: Tue, 24 Oct 89 17:45:48 -0400 From: Arthur Gutowski <AGUTOWS%WAYNEST1.BITNET@VMA.CC.CMU.EDU> Subject: You're not alone; DataCrime infection report (PC) >From Virus-L Digest v2.220, frisk writes: > Well - now I know of one victim of the Datacrime-II virus ..... > myself. :-( Well, you shouldn't feel alone. A friend of mine who works for ERIM (Environmental Research Institute of Michigan) got hit too. His quotes sounded something like this (before being hit): "Oh, I'm not worried, I don't do much software trading, and what I do is straight from BBSs and buying from vendors." That was until he turned on a computer at work on Saturday 10/14. He had recently DLed a copy of PKZ102.EXE (PKZIP v1.02, self-extracting) from CompuServe and decided to try it out. Although I can't be sure that this was the source of the infection, eh told me it was the first time he had had a chance to run the program (hence, strong implication). Then it was showtime. Bye bye hard drive, low level format (F6) to cylinder 0. Effectively wiped out all access to the hard drive. Even a large chunk of the 2d copy of the FAT was duly destroyed because of this. He admitted to me that rebuilding a FAT, even with Mr. Norton's help, is not much fun. Needless to say, he has grudgingly accepted from me a disk containing several acrhives of antiviral tools to help him along in the battle. This disk is soon to be out in our Consulting center and student labs. Hopefully we can make enough people aware of things like this before more have to pay the awful price. Thankfully, it's already happening... One final note, I'm not POSITIVE it was DC that hit him, it may have been some variant. He is currently trying to see if he can get the infected program to me so I can look at it using info I've gained from watching here. Two strane things that made me question my assumption: 1) No "DATACRIME" message was thrown up on the screen that he remembers; 2) A name, Siegmar Schmidt, was written to the partition record. Now again, it DID format cyl0 and only cyl0...can anyone say for sure? Please e-mail me to the bitnet address above, 'twould be much appreciated. It CAN happen to anyone! Art +------------------------------------------------------------------+ | Arthur J. Gutowski, Student Assistant | | Antiviral Group / Tech Support / WSU University Computing Center | | 5925 Woodward; Detroit MI 48202; PH#: (313) 577-0718 | | Bitnet: AGUTOWS@WAYNEST1 Internet: AGUTOWS@WAYNEST1.BITNET | +==================================================================+ | "OOPS, what OOPS?!?...No, I diSTINCTly heard you say 'OOPS'!" | +------------------------------------------------------------------+ ------------------------------ Date: Tue, 24 Oct 89 19:34:21 -0400 From: flanders@grebyn.com (Dennis Flanders) Subject: possible virus infection (PC) I am a new user on VIRUS-L. I am a communication engineer on the FTS2000 project at Boeing Computer Services and we run a large client/server data network. It now serves over 800 PC's, Sun Workstations and is served by several host machines from mainframes to micros. I said all that to say this: In the process of "de lousing" our network for Columbus day and Friday the 13th, using a program called VScan, we discovered seven programs that showed as possible infected programs or carrier programs. In disassembling them only one proved to be dangerous. The others contained code sequences to totally lock the keyboard and triggered warnings. It may have had the infection passed on by another virus as the first three bytes in the .com file were 909090h. The following bytes (I believe 19) simply blitzed track 0. The infected file was a brief program (217 bytes) called KEYLOCK.COM which comes with a set of utilities distributed by PC Magazine. We could find no infected distribution disks. Only versions found on two PCs were found to contain this bomb. Curiously enough a couple of programs (ie NORTON.COM) popped a warning due to 1Fh found in the Seconds field of the directory. We also found several programs with a value >60 (ie 62) in the same location. All but one turned out to be harmless, we are still looking at the one. +-------------------------------------------------+----------------------+ |Dennis M. Flanders | | |AT&T Mail: !DFLANDERS | If at first you | |MCI Mail: DFLANDERS | don't succeed get | |INTERNET: flanders@grebyn.com | a bigger hammer! | |CompuServe: 73507,1771 | | +-------------------------------------------------+----------------------+ ------------------------------ Date: Tue, 24 Oct 89 14:56:02 -0400 From: rjs@moss.ATT.COM (Robert Snyder) Subject: Re: 0 bytes in 1 hidden file, virus? (PC) In volume 2 issue 217 of the virus list, Tasos notes that CHKDSK report "0 bytes in 1 hidden files" and wonders if he has a virus. This seems to come up fairly often when new people join the list so maybe an automatic answer is needed. In any case, Tasos probably ran CHKDSK on a disk with a volume label as that will exhibit his symptoms. I.e. it's not likely that Tasos has a virus. Robert Snyder {att|clyde}!moss!rjs rjs@moss.ATT.COM (201) 386-4467 The above statements are my own thoughts and observations and are not intended to represent my employer's position on the subject(s). ------------------------------ Date: 25 Oct 89 03:02:34 +0000 From: jap2_ss@uhura.cc.rochester.edu (The Mad Mathematician) Subject: The not-so-new virus (Mac) I am the one who first posted about the possibly new virus. I will give all the information I have here. I believe I hae finally gotten some infected software. There was a great deal of confusion at first as what exactly was happening. I was a consultant once, and as such am called upon to assist the present consultants with tasks they are new at. We had been having a problem with disks crashing at an alarming rate, all showing identical symptoms. They are these: The Chooser becomes unable to find any printer resources. The System and most system software gets writeen to, in an as yet unknown manner. Their sizes may or may not change. Other applications are written to, and documents created with them become unreadable. The Desktop gets damaged, causing the message "This disk needs minor repairs. Do you want to fix it?" to come up on bootup. By this stage the only recourse is to copy documents off with something like Deskzap and reformat the disk, replacing all the software. If the disk is repaired, it actually may seem that way, but ususally is ruined, even to the point of unusability. No virus detection programs identify a virus, except perhaps SAM Anti Virus Clinic, and even that doesn't always work. It _may_ be a NVIR variant that is self-modifying, but it does not create the nVIR resource. It does go through Vaccine, but Gatekeeper stops it cold. The reported STR 801 resource was an error by me. Please ignore this. There appeared to be a second virus also running around for a while. The sysmptoms were: Macwrite had its name changed to Macwite or Macwight. The ICN resource for the application was changed to show Macwite instead of the parallel lines. That's all we could find. We have found no other examples since the first three or four disks. I am of the opinion that someone modified one copy using something like Resedit, then shared it. That is all the information I can recall at this time. As I said, I believe I have found an infected disk, and will be sending copies of an infected application at the earliest opportunity, hopefully tommorrow. Thank you for your patience. Joseph Poutre (The Mad Mathematician) jap2_ss@uhura.cc.rochester.edu Understand the power of a single action. (R.E.M.) ------------------------------ Date: Tue, 24 Oct 89 23:28:15 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: Re: VIRUSCAN test (IBM PC) In VIRUS-L Digest V2 #221, Charles Preston wrote a rather long message about virus scanners vs. more automated virus detection applications. I would like to point out to him that although there are some excellent scanning applications on the market, for Macs, PCs, etc., I prefer recommending that users do not rely on scanners simply because you must remember to periodically scan the disk. My experience has been that users simple do not remember to do this, hence a strategy that relied solely on a scanner application would not be a strong defense against electronic vandalism. David Gursky Member of the Technical Staff Special Projects Department, W-143 The MITRE Corporation ------------------------------ Date: Tue, 24 Oct 89 23:48:11 -0500 From: shaynes@lynx.northeastern.edu Subject: Jerusalem Virus Version B detected (PC) After running Scan 1.1V45 on my hard drive I detected the Jerusalem Virus Version B on one of my files. The file that I detected the virus on had not appeared in earlier runs of Scan. The infected file is UNVIRUS.EXE. The archive I got it out of was UNVIRUS.ARC. I downloaded this file from the SIMTEL20 PD archives. I immediately deleted the file. I have never had a reason to the program (and I would think that running the program on itself would have adverse affects). [Ed. Could someone at SIMTEL20 please check into this and confirm or deny it? Thanks!] +-----------------------------------------------------------------------------+ | PA_HAYNES@VAXE.COE.NORTHEASTERN.EDU | Sean A. Haynes |Student Northeastern | | SHAYNES@LYNX.NORTHEASTERN.EDU | 46 Udine St. |University, Boston | | PA_HAYNES@NUHUB.BITNET | Arlington, MA |MA 02115 | | | (617) 648-8390 |(617) 437-5422 | +-----------------------------------------------------------------------------+ ----------------------------- End of VIRUS-L Digest *********************VIRUS-L Digest Thursday, 26 Oct 1989 Volume 2 : Issue 223 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: re: IBM's Virscan Program (PC) Another suggestion for preventing viral spread (PC) RE: Apple II virus - LODE RUNNER INIT 29 vs. locked disk (Mac) Re: Jerusalem Virus Version B detected (PC) DataCrime Strikes!! (PC) Xeno--possible new virus? (AMIGA) SCANv45 and UNVIRUS (PC) reposting of FICTITIOUS virus story (UNIX) --------------------------------------------------------------------------- Date: 25 Oct 89 00:00:00 +0000 From: "David.M..Chess" <CHESS@YKTVMV.BITNET> Subject: re: IBM's Virscan Program (PC) This is the information I have; I think it's still correct (I'm sure everyone will tell me if I'm wrong!): IBM Personal Computer and PS/2 customers may order the virus detection program by calling 1-800-426-7282 from 8 a.m. to 8 p.m. Eastern time through December 31, 1989 and requesting the IBM Virus Scanning Program, part number 64F1424. The $35 fee can be charged to VISA, MasterCard, American Express, or the IBM Credit Card. There were also a bunch of security-related announcements from IBM yesterday that I haven't finished reading yet; there may have been something of relevance in there. I haven't seen any mention of official updates to the signature files. This program is very similar to the internal version of VIRSCAN that you saw while working for IBM. While I'm here, I'll also mention that it's a good idea to get anti-virus software direct from the owner whenever possible, and not trust indirect or pirated versions from questionable sources. Anti-virus programs are obvious candidates for malicious Trojan-Horse hacks! DC ------------------------------ Date: 25 Oct 89 09:59:00 -0400 From: "Damon Kelley; (RJE)" <damon@umbc2.umbc.edu> Subject: Another suggestion for preventing viral spread (PC) Earlier this week I was reading a book by Peter Norton. There was a passage about the importance of .OBJ files created by compilers (esp. assembly). While I was pondering the importance of .OBJ files, an idea hit me: since this type of file is non-executable and can only run when linked, wouldn't self-attaching viruses be scrambled when the "host" file is changed to an .EXE? Of course, the following factors would come into play: -the linker and the compiler must not be infected; -there are no viruses present in RAM or the disk(s) of the user; -the user must be willing to buy some compilers and linkers with as little economic discomfort as possible; -virus writers don't know very much about manipulating .OBJ files correctly; and -the .OBJ file was not compiled with an attached virus. In other words, wouldn't it be safer if all programs came .OBJ files (or ASCII)? That would eliminate much of the virus transmission going on now, I think. Counterpoints welcome. Damon Kelly jnet%"damon@umbc" "What? Do I speak for anyone damon@umbc.bitnet else?? Does Reagan remember damon@umbc2.umbc.edu what he did between 1980-'88??" ------------------------------ Date: Wed, 25 Oct 89 14:21:37 +0000 From: ZDEE699@ELM.CC.KCL.AC.UK Subject: RE: Apple II virus - LODE RUNNER "Non-destructeur" means: that does not destroy info. (So I would guess that it does not alter info on disks) Olivier Crepin-Leblond (and YES, I am French...) Computer Sys & Elec. , Electrical & Electronic Engineering, King's College London, UK. ------------------------------ Date: Wed, 25 Oct 89 11:45:21 -0400 From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV> Subject: INIT 29 vs. locked disk (Mac) "Thomas R. Blake" <TBLAKE%BINGVAXA.BITNET@VMA.CC.CMU.EDU> writes: >>(Prior to INIT29, I had been advising my users that if they go >>to Kinko's they would be safe if they took only their data diskette. >>But if a data infection can spread to their application disks, >>this would not be good advice.) >> >>Anyone got the REAL answer? > >Well, I assume they're going to Kinko's to print. (Yes/No?) I'd say >if they write-protect their diskettes they have no need to worry. > >Macintosh viruses will not spread to write-protected diskettes. The problem with INIT 29, though, is that inserting a locked disk into the drive will get the "This disk needs minor repairs..." dialog. If they don't unlock it the disk will be rejected. If they do, it will be infected. Cute, huh? Best option is to COPY the files to another floppy, take it, use it, bring it home, and INITIALIZE IT IMMEDIATELY. --- Joe M. ------------------------------ Date: 25 Oct 89 20:51:54 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: Re: Jerusalem Virus Version B detected (PC) In article <0010.8910251154.AA23552@ge.sei.cmu.edu> shaynes@lynx.northeastern.e du writes: | After running Scan 1.1V45 on my hard drive I detected the Jerusalem Virus | Version B on one of my files. The file that I detected the virus on had | not appeared in earlier runs of Scan. | | The infected file is UNVIRUS.EXE. The archive I got it out of was | UNVIRUS.ARC. I downloaded this file from the SIMTEL20 PD archives. I | immediately deleted the file. I have never had a reason to the | program (and I would think that running the program on itself would | have adverse affects). I uploaded unvirus.arc to SIMTEL20, after it was sent directly to me by the author. I will assert there is no virus in that file. Of course, for the program to be able to deal with the Jerusalem-B virus, it must first identify it. Apparently scanv is setting off false alarms based on the identification code present in unvirus. Scanv previously had problems with false alarms with one of the author's own programs. Unvirus.arc is an old version that was removed from distribution at the request of the author. No problems, but a newer version has been released. Please get unvir6.arc from any of the IBMPC anti-viral archives. Unvir6.arc also replaces the file immune.arc. Now, as for scanv. The author said previously that he regularly changes the methods he uses to identify viruses, thus hopefully discouraging crackers from releasing minor modifications of existing viruses. It seems that this incarnation of scanv is triggered by what it sees in unvirus. I tested both scanv45 and scanv42. 45 choked on it, 42 gave no false alarms. One more curious point. Scanv45 insisted that Jerusalem-B was present in memory! How to explain this? I *never* executed the unvirus program, so even it it did have a virus it couldn't load itself. No other file set off any alarms. Where did it come from? Well, when I unarchived unvirus.arc or unvir6.arc, the archiving program used more memory than scanv. Since MS-DOS doesn't clear memory after programs execute, there was still an image of unvirus left where the archiver had been working. Scanv45 barfed on this! To verify this, I unarchived unvir6.arc, then ran DBASE III+, then ran scanv45. This time no virus found in memory. So in summary, replace unvirus.arc with the current release unvir6.arc. Apparently scanv45 sets off a false alarm with unvirus (either version). Neither author should be faulted for this. But everyone should be made aware of it. And don't put blind faith in any one program!! - -- Jim Wright jwright@atanasoff.cs.iastate.edu (ignore the Reply-To: line) ------------------------------ Date: Wed, 25 Oct 89 13:51:33 -0500 From: GX6692%SIUCVMB.BITNET@VMA.CC.CMU.EDU (Vince Laurent - work id) Subject: DataCrime Strikes!! (PC) I just got back to work today and was notified that ALL our hard drives at work had to be reformatted since they had the virus on them. We used IBM's release of VIRUSCAN and the tests were positive - we were hit. I don't know the extent of the damage on campus yet but other departments are worried. Is there a 'cure'? Please contact me directly ASAP! Thanks! --------------------------------------------- | Vincent J. Laurent | | Computing Information Center & | | Computer Learning Center 1 | | Southern Illinois University - Carbondale | | GX6692@SIUCVMB | --------------------------------------------- ------------------------------ Date: 25 Oct 89 21:11:00 +0700 From: "Okay S J" <okay@tafs.mitre.org> Subject: Xeno--possible new virus?(AMIGA) I received this from Amiga-relay this morning....From all reports, it appears that Xeno, if it is a virus, is the 1st non-boot infector virus in the Amiga community. All the others I've seen so far live in the boot sector and most Amiga anti-virals seem to only worry about the boot sector and in RAM at the time. I'll cross-post anything I hear from either side to their respective lists. - ---Steve - ---------- Stephen Okay Technical Aide, The MITRE Corporation x6737 OKAY@TAFS.MITRE.ORG/m20836@mwvm.mitre.org *************************CUT HERE CUT HERE********************************* Date: 24 Oct 89 11:21:03 GMT From: MTR780::WINS%"<ahonen@ohdake.uta.fi>" 24-OCT-1989 13:36:26.00 Subj: Xeno - Another bad virus? From: Anssi Ahonen <ahonen@ohdake.uta.fi> Newsgroups: comp.sys.amiga Subject: Xeno - Another bad virus? Does anyone have information about virus called 'xeno'? This little beast is living on my hard disk (30 meg Supra, A500) and after many unsuccesful tries I still haven't find it. It first showed up a few days ago when I opened the shell and tried to get directory with 'ls'-command. The shell just gave me 'unknown command ls', and after that I noticed that also 'CD'-command didn't work. Strangely, the programs were still in c-dir, just as usual. I loaded my favourite debugger and examined the broken cli-commands. Both programs were modified so that they only used DOS.Write to print out 'unknown command'. The weirdest thing was yet to come! I found a strange file named '!' in devs-directory. This file was an IFF-picture, black border, white topaz font text : "You will never catch me, the allmighty Xeno" So, this is probably the first virus to write iff-files on your hard disk? I have now examined most of the programs on my hard disk with debugger, searching for 'virus-signs', extra code hunks, xor-loops etc, but no luck. The only facts I know are: Xeno is not a bootblock virus. It doesn't change reset-vectors. I am pretty sure it is some kind of link virus (like IRQ), but much harder to beat. *********************END FORWARDED MESSAGE*********************************** ------------------------------ Date: Wed, 25 Oct 89 18:23:50 -0400 From: Tom Young <XMU%CORNELLA.BITNET@VMA.CC.CMU.EDU> Subject: SCANv45 and UNVIRUS (PC) RE: Posting by Sean Haynes of Northeastern in vol. 2, issue 222. I, too, have a report that SCANv45 is generating a positive for Jerusalem-B when checking UNVIRUS.EXE. I don't have v45 yet, so cannot confirm. But the copy of UNVIRUS that I've distributed here came from the hotel.cis.ksu.edu server, not SIMTEL20. And I have successfully used UNVIRUS to remove Jerusalem-B infections. My copy of UNVIRUS does not set off SCANv42. I suspect that the fault lies with the newer version of John McAfee's program. Someone should confirm this before people start doubting the integrity of the virus archive sites. Thanks. Tom Young, Cornell Information Technologies [Ed. See Jim Wright's message (in this digest) about SCANv45 producing false alarms.] ------------------------------ Date: Tue, 24 Oct 89 20:24:16 -0500 From: Peter da Silva <peter%ficc@uunet.UU.NET> Subject: reposting of FICTITIOUS virus story (UNIX) This is the "UNIX VIRUS" article I referred to in a previous digest. It was posted in this form, complete with postscript. No more than a week later the Internet Worm was loose. I was originally amused by the irony, but as it became clear that the IW was relatively uninfective (only infected Sun-3s and VAXen) I felt more secure about my final paragraph. I still do. The debate "raging in comp.sys.amiga" at the time was about whether UNIX was as susceptible to viruses as PCs were. :-> - -----------8<----8<--------------------------------------------------`-_-'-- The Usenet virus: a case history. A cautionary tale. The Usenet virus was detected when a user discovered that a program he had received from the net seemed to have two versions of malloc included with the source. One version of malloc might be odd, but people have never tired of reinventing the wheel. Two versions were suspicious, particularly since they lead to a name conflict when the program was linked. The first, lmalloc.c, seemed to be identical to the malloc listed in Kernighan and Ritchie. The second, bmalloc.c, was rather strange, so we concentrated our efforts on it... this time was later found to have been wasted. After a little work during spare moments over the course of a week we decided it was actually a clumsy version of the buddy system (a fast but space-inefficient method of memory allocation). It might make a good example of how not to write readable code in some textbook, but it wasn't anything to get worried about. Back to the first. It made use of a routine named speedhack() that was called before sbrk() the first time the malloc() was called. There was a file speedhack.c, but it didn't contain any code at all, just a comment saying that it would be implemented in a future version. After some further digging, speedhack was found at the end of main.c. The name was disguised by some clever #defines, so it never showed up in tags and couldn't be found just by grepping the source. This program turned out to be a slow virus. When it was run, it looked for a file 'lmalloc.c'. If it found it, or it didn't find Makefile, it returned. From then on malloc ran normally. If it didn't find it, it reconstructed it using a series of other routines with innocuous names tagged on to the end of other files. This was apparently an attempt to avoid overly increasing the size of any one of the files in the directory. Then it went into Makefile or makefile (it looked for both) and added lmalloc.o onto the end of the first list of '.o' files it found. It then reconstructed each of the extra routines, and speedhack itself, using techniques familiar to any reader of the obfuscated 'C' contest. These were tagged onto the ends of the '.c' files that corresponded to the '.o' files in this same list. The program was now primed to reconstruct the virus. On inspection, we discovered that about 40% of the sources on our system were infected by the speedhack virus, We also found it in one set of shell archives that we'd received but never unpacked or used, which we took as evidence that it had spread to a number of other systems. We have no idea how our system was infected. Given the frequency with which we make modifications and updates, it's likely that the original speedhacked code is no longer on the system. We urge you to inspect your programs for this virus in an attempt to track it to its source. It almost slipped by us... if the author had actually put a dummy speedhack in speedhack.c we would have merely taken lmalloc.o out of the Makefile and defused *this* copy of the virus without being any the wiser. There are other failings in this program that we have thought of. We have decided not to describe them to avoid giving the author of this program ideas we might regret. Some ways that programs like this can be defeated include 'crc' checks of source files and, of course, careful examination of sources received from insecure sites. - ----- Now I have to make a confession. This whole document is a hoax intended to dramatize the problems involved with viruses and Usenet. I suspect that most of you were clued to this by the Keywords line. While playing with the idea and writing this article several things occurred to me: First of all, this virus is a much more complex program than any of the viruses that have been spotted on personal computers. I think it has to be, based on the design goals that a REAL UNIX virus must satisfy. I have not attempted to actually implement it because of this. It must be small, to avoid detection. It must not cause files to grow without bound. It must infect foreign files, otherwise it's not a virus... just a Trojan Horse (like the bogus ARC and FLAG programs on the PC). Trojan horses are a dime-a-dozen. It must infect source files, since this is the primary software distribution channel for UNIX. A virus stuck on one machine is a boring one. It must not break the infected program (other than what it might care to do deliberately). It must not be obvious from a simple examination of the source (like, changing main to Main and having a virus-main call Main). I believe that given these goals (which are, of course, subject to debate) a simpler program would be unsuccessful in infesting more than a small fraction of the machines that (say) comp.sources.misc reaches. There are systems immune to this particular attack, of course. Ones not running UNIX, so sbrk() doesn't work. Or ones with radically different versions of malloc(). Ones with no 'c' compiler. They are in the minority, though. On the other hand a virus of this type could infest a large proportion of the net before it was found. The virus I described does not cause any direct damage, except for using up a relatively small amount of disk space. A more vicious virus is possible. Other variations of this virus are obviously possible. For example, it could be tagged onto any standard 'C' library routine... I chose malloc merely because source was available and because it's something that people complain about, so they wouldn't be likely to find an extra copy suspicious. Another good routine would be perror(), for the same reason. This would have the additional benefit of making the spread of the infection dependent on an additional random factor, making it harder to detect the virus. Do I think something like this is likely? No. Especially not now that I've written this little piece of science fiction. I'm sure that eventually someone will try something unlike this, I suspect that their virus would get caught much sooner than 'speedhack', because I think that more people look at the source than conventional wisdom would lead you to believe. But, again, this is just my personal opinion. Debate is welcomed... that's why I did this in the first place: to inject some sense into the debate currently raging in comp.sys.amiga. - --- Peter da Silva, *NIX support guy @ Ferranti International Controls Corporation. Biz: peter@ficc.uu.net, +1 713 274 5180. Fun: peter@sugar.hackercorp.com. `-_-' "That particular mistake will not be repeated. There are plenty of 'U` mistakes left that have not yet been used." -- Andy Tanenbaum (ast@cs.vu.nl) ----------------------------- End of VIRUS-L Digest *********************VIRUS-L Digest Friday, 27 Oct 1989 Volume 2 : Issue 224 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Using OBJ files to prevent viruses (PC) Macintoch MacWrite, STR 801 (Mac) Obj - anti-virus (PC) Re: Operating System virus protection (DOS & UNIX) Re: VIRUSCAN/VIRSCAN Issues (PC) VIRUSCAN False Alarms (PC) CERT_RCP_Advisory Can we get a summary? Virus scanners Clarifying SAM Comments... (Mac) Jerusalem virus infects boot sector ? (PC) PC Problem? --------------------------------------------------------------------------- Date: 26 Oct 89 09:15:00 -0500 From: EVERHART%ARISIA.decnet@crdgw1.ge.com Subject: Using OBJ files to prevent viruses (PC) May I suggest that distributing .OBJ files and having the user link them would only disable current viruses; an obj infector is perfectly feasible, and could be easier than an .EXE infector. More to the point, though, linking applications is not always feasible at all PC sites. To link AnalytiCalc on a 256K machine with dual 5.25" floppies is barely possible, with many disk changes, and requires some skill AND the correct linker (since the linker distributed with most MSDOS versions cannot handle the particular .OBJ constructions). This even though the resulting executable will fit (tightly) in 256K. With an only slightly larger file, linking would be completely infeasible on such a small engine. In addition to a fairly onerous "installation" procedure thus invoked, the distribution would be several times larger than it is; the object library requires an entire disk, and separate objects needed for overlays take much of a second. Documents, utilities, and so on are still required. Finally, commercial software vendors may be nervous about distributing .OBJ code. Consider that global symbols, and sometimes internal symbols, are present in these files. A disassembly of such a beast can be VERY close to the original code, labels included...especially if the original is IN assembler. This is wonderful for learning algorithms, etc., but tends to make it easier to clone applications. In the current climate I suspect it would lead to a great many more lawsuits based upon suspicions that competitors' code was derived in part from such sources. Unfortunate, but likely... Then, some object libraries that come with compilers can be linked and the results distributed; without these, the .OBJ files cannot be linked. This would also prevent widespread use of .OBJ files. In a different vein, may I suggest that a great deal of the hysteria over viruses stems from the fact that well backed-up PC disks are the exception rather than the rule. As an industry we should become VERY upset over machines with inadequate backup hardware and software. More energy in this direction could render the damage viruses can cause moot. By easy backup/restore, I mean hardware such that one can slap a tape into a slot, type some simple command, and after a few minutes (over lunch break, perhaps?) come back with the entire volume copied. Not having this designed into ALL the PCs we use, or at least made a requirement for those containing business-critical data, seems a mistake. As Grace Hopper put it, we are terrible custodians of the data we have/use. Glenn Everhart Everhart%Arisia.decnet@crd.ge.com ------------------------------ Date: Thu, 26 Oct 89 10:39:09 -0500 From: Joe Simpson <JS05STAF%MIAMIU.BITNET@VMA.CC.CMU.EDU> Subject: Macintoch MacWrite, STR 801 (Mac) I'm unclear about the STR 801 discussion. Let me tell a little story to see if I can further confuse things. About 4 months ago a client reported that MacWrite was growing in file size on a public Mac. I checked to see that VACCINE was turned on. I ran Disinfectant 1.2. A clean machine. I then ran ResEdit to look at the MacWrite file. There were a large number of STR 801 resources. The program was adding STR 801 resources at some unknown interval. I replacedthe file with a fresh copy of MacWrite and the problem disappeared. I put it down to normal computer miseries and not a computer virus. ------------------------------ Date: Thu, 26 Oct 89 10:39:00 -0400 From: "Paul Bienvenue" <s0703pdb@semassu.bitnet> Subject: Obj - anti-virus (PC) Damon Kelly writes: > Earlier this week I was reading a book by Peter Norton. There was >a passage about the importance of .OBJ files created by compilers >(esp. assembly). While I was pondering the importance of .OBJ files, >an idea hit me: since this type of file is non-executable and can only >run when linked, wouldn't self-attaching viruses be scrambled when the >"host" file is changed to an .EXE? It's a nice idea, but it wouldn't really stop virus writers, just make life a little more difficult for them. (and possibly for virus detectors as well) What would keep a virus writer from creating an obj which would become a virus when compiled? Also, it would be a real pain for users to have to compile every piece of software they were going to use. Anyone with much assembling experience would also know how difficult it is to write code which will successfully compile with all major assemblers. Good try, though... Paul Bienvenue S0703PDB@SEMASSU.BITNET ------------------------------ Date: Thu, 26 Oct 00 19:89:08 +0000 From: davidsen@crdos1.crd.ge.com Subject: Re: Operating System virus protection (DOS & UNIX) | How do you know? The only machines DOS runs on are PCs and compatibles. | UNIX implemented on these machines would be just as vulnerable as DOS. | The most obvious weaknesses of DOS are unimportant compared to the fact | that the hardware itself has no protection mechanisms. True, but only of the 8088 (original XT) machines. The AT and 386 machines run UNIX in protected mode, and have as much hardware protection as a VAX. - --- bill davidsen (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen) "The world is filled with fools. They blindly follow their so-called 'reason' in the face of the church and common sense. Any fool can see that the world is flat!" - anon ------------------------------ Date: Thu, 26 Oct 00 19:89:34 +0000 From: davidsen@crdos1.crd.ge.com Subject: Re: VIRUSCAN/VIRSCAN Issues (PC) You have a good point about encrypting strings, and I am as guilty as anyone else of not saying thanks often or publically enough. Due to the recent flap about viruses, I gave a talk about protection at a local user group meeting, and distributed about 40 copies of viruscan, including putting a copy on my BBS. I am happy to say that I am not a user of the program, since I run UNIX, but I have tried it, am impressed, and do provide it to any PC user who wishes it. Well done, for what it's worth! - --- bill davidsen (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen) "The world is filled with fools. They blindly follow their so-called 'reason' in the face of the church and common sense. Any fool can see that the world is flat!" - anon ------------------------------ Date: Thu, 26 Oct 89 10:52:42 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: VIRUSCAN False Alarms (PC) This message is forwarded from John McAfee: ============================================================================= SCANV45 causes false alarms when used with a number of Jerusalem Virus detectors/eradicators. What has happened is this: I returned to an earlier version of string identification for this virus in order to avoid conflicts with a number of newer Jerusalem detectors. Apparently, however, the string identifiers used in earlier versions (being unencrypted) were picked up on by other authors (perfectly legitimate) and used in their own detectors. There are over 30 such detector/eradicator programs in use now. I stgrongly urge all such authors to do one of two things: Choose your own strings, or encrypt them if you use strings from older versions of SCAN. Otherwise, your programs will be flagged as viruses not just by my scanner, but by everyone who chooses those same strings. The problem is worsened now cause I use multiple strings for some viruses (to avoid cracking) and either one of the multiple strings will cause an alarm if that string is chosen by others and not encrypted. If authors do not like the idea of encryption, then ASCII representations can be used (like IBM uses). THis will allow your users to see the strings that you have chosen but will not cause false alarms. We must all remember that multiple authors are trying to fight the virus problem, and we should do everything possible to avoid conflicts with each other's programs. John McAfee ------------------------------ Date: Thu, 26 Oct 89 21:24:58 -0400 From: CERT Advisory <cert@cert.sei.cmu.edu> Subject: CERT_RCP_Advisory CERT Advisory October 26, 1989 Sun RCP vulnerability A problem has been discovered in the SunOS 4.0.x rcp. If exploited, this problem can allow users of other trusted machines to execute root-privilege commands on a Sun via rcp. This affects only SunOS 4.0.x systems; 3.5 systems are not affected. A Sun running 4.0.x rcp can be exploited by any other trusted host listed in /etc/hosts.equiv or /.rhosts. Note that the other machine exploiting this hole does not have to be running Unix; this vulnerability can be exploited by a PC running PC/NFS, for example. This bug will be fixed by Sun in version 4.1 (Sun Bug number 1017314), but for now the following workaround is suggested by Sun: Change the 'nobody' /etc/passwd file entry from nobody:*:-2:-2::/: to nobody:*:32767:32767:Mismatched NFS ID's:/nonexistant:/nosuchshell If you need further information about this problem, please contact CERT by electronic mail or phone. J. Paul Holbrook Computer Emergency Response Team (CERT) Carnegie Mellon University Software Engineering Institute Internet: <cert@SEI.CMU.EDU> (412) 268-7090 (24 hour hotline) ------------------------------ Date: Thu, 26 Oct 89 21:16:31 +0100 From: cas@mtdcb.att.com (Clifford A Stevens, Jr) Subject: Can we get a summary? I'm new to all this stuff, been on superminis for 10 or so years, so could somebody post a summary of what a virus is, how it works (in *REAL* general terms), and how it propogates? Thanks! [Ed. This is a frequently asked question; let me "answer" it by referring you, and others who've asked, to some of the introductory documents found on the VIRUS-L/comp.virus documentation archive sites - - or to any of the introductory books on the subject, many of which can be commonly found in bookstores.] Who, me worry?!? Cliff Stevens MT1E228 att!cbnewsj!ncas (201)957-3902 ------------------------------ Date: Thu, 26 Oct 89 18:58:33 -0700 From: portal!cup.portal.com!cpreston@Sun.COM Subject: Virus scanners In VIRUS-L #222 David Gursky wrote concerning an earlier posting that "a strategy that relied solely on a scanner application would not be a strong defense defense against electronic vandalism." This is because "you must remember to periodically scan the disk." I believe Mr. Gursky is quite correct about not relying solely on a scanning program. While I was mainly relying on the technical sophistication of VIRUS-L readers to know that, I did mention qualifiers such as "very useful part of an anti-virus program." Actually, there are programs for the Macintosh (SAM, Virex) that can be set to check each floppy disk each time it is inserted. Or a "log-on" or "log-off" batch file could be used for other machines to run the scanning program against all the hard disk files. Even if that were done, it would still not be adaquate protection against viruses, even on microcomputers, since it can be effective only against known viruses. My point about "How good are scanning programs" is mainly that if the program uses well-chosen search strings it can be more effective than I, at least, initially expected. Several scanning programs for the Macintosh relied only on resource names (resources include program code on the Mac). These resource names, such as nVIR, are very easily and quickly changed to hPat or anything else, completely defeating the scanning program. I always urge clients to use additional detection and prevention, and am somewhat frustrated that some of them feel that scanning programs will protect them. Charles M. Preston MCI Mail 214-1369 Information Integrity BIX cpreston Box 240027 907-344-5164 Anchorage, AK 99524 ------------------------------ Date: 26 Oct 89 17:05:00 -0700 From: harvard!applelink.apple.com!D1660@garp.MIT.EDU Subject: Clarifying SAM Comments... (Mac) In response to Henry Schmitt's comments about SAM, I would like to clear up a few things. SAM does indeed provide a mechanism to view, edit, and even print its exceptions list (i.e., the alerts that have been learned). It's quite easy to remove any exception that may have been accidentally entered. So his comments about SAM letting a virus through, etc. are not true. Also, I programmed the alert display in SAM without the help of MacDTS (I too am simply an independent developer)! BUT, I believe how I do it is even safer than how Apple does certain similar things! This was the hardest part of SAM, and required quite a bit of research, testing, and so forth to guarantee a stable alert under all environments. There are man-months of work in those alert boxes!! Paul Cozza SAM Author ------------------------------ Date: Fri, 27 Oct 89 11:23:16 +0700 From: "S. Yeo" <CCEYEOYT%NUSVM.BITNET@VMA.CC.CMU.EDU> Subject: Jerusalem virus infects boot sector ? (PC) Hi everybody, My colleague passed me a diskette which contains a viruscan program from Rotterdam this morning. While looking through a file which contains some virus signatures, I was surprise to learn that all Jerusalem strains of viruses except Jerusalem (PLO/sUMsDos) virus infect COM/EXE files as well as*boot sector*.The documentation for this program was written by J.P. van der Landen and the signatures collected by Jan Terpstra. Could anyone out there please verify this? Thanks ! ------------------------------ Date: Thu, 26 Oct 89 23:54:48 -0500 From: James Ford <JFORD1%UA1VM.BITNET@VMA.CC.CMU.EDU> Subject: PC Problem? A friend who works a company began to experience some interesting problems on his hard drive. He works with JL Modula2. Code that had run in the past would not work now. Someone else could put a comment in a file (however you do that in Modula2), re-compile it, and it would hang. I gave him a copy of Scan 1.1V45 and Scanres 1.1V45, but they found nothing strange. He has purchased a copy of Flushot, and the following message is from him, describing what Flushot sees. Can anyone explain this? If you need more information from him, send direct to me and I'll ask him. For better or worse, the powers-that-be are leaning towards taking all source code off the hard drives, and doing a lowlevel/highlevel format of all harddisks involved. (I have no ideal if he has installed Flushot+ correctly, but he is by no means ignorant when dealing with computers.) Thxs James Ford - JFORD1@UA1VM.BITNET =========================================================================== Sent : Oct 25, 1989 at 5:44 PM Subj : Re: <1446> Bit (...after running SCAN 1.1V45, it found...) Not a thing.. it found nothing either on my systems or the ones at work. I'm still totally convinced something is sorely amiss, however. We installed Flu+ and watched JPI's Mod 2 compiler/linker do all kinds of strange calls (Flu+ labeled them as 'handle write access attempted' operations, but they appeared to be reads... why would anyone write to a 'DEF' file during a link? I checked them with a disk editor afterwards and found nothing but pure ASCII text...) I did discover one interesting thing. When you copy a non-executable file with COMMAND.COM, Flu is perfectly happy. When you copy an EXE, COM, etc. file you get the old 'handle write access attempted' msgs. Curious. Why would COMMAND.COM care what type of file is being copied? It seems to use DOS to open the file and the BIOS to transfer the data or something. The only thing I can figure with the compiler is that the program opens the file for READ/WRITE and Flu+ flags it just to be safe. We all got tired of the beeping, and Dean absolutely refused to believe anything was wrong, so everyone just kinda went back to doing their stuff and just checked it occasionally. Anyway, I really appreciate your uploading SCAN45 - I'm gonna keep pluggin and see if I can find out the problem. I'm also gonna call McAffee Assoc's board tonite and see what I can start finding out. Thanks! - -=Marcel=- ====================== end of note ======================================== ----------------------------- End of VIRUS-L Digest *********************VIRUS-L Digest Friday, 27 Oct 1989 Volume 2 : Issue 225 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: A lesson involving 'CRACKERS' (APPLE II) Virus infection in commercial package (PC) How to get start to be an anti-virus worker for Mac? re: Jerusalem virus infects boot sector ? No! (PC) "THIS_1S_NEXT" virus? (PC) re: Jerusalem virus infects boot sector ? No! (PC) Imbeded virus detection A new virus from Iceland (PC) --------------------------------------------------------------------------- Date: Thu, 26 Oct 89 18:43:55 +0000 From: ZDEE699@ELM.CC.KCL.AC.UK Subject: A lesson involving 'CRACKERS' (APPLE II) This message is being sent to both RISKS and VIRUS lists. Apologies to those who receive both digests. I was well shocked in finding-out that there was actually a virus running on the Apple II family of computers ! Where could the LODE RUNNER virus have infected such a small machine, with no integrated hard disk, and the possibility of rebooting the machine quickly by using a simple sequence of control codes ? (open-apple-ctrl- reset ). In FRANCE, of course ! The Apple II did very well in France. It is very widely used over there. This success, like in the U.S.A., triggered a large market for pirated copies of programs. I have been an Apple II owner since 1982. It is absolutely amazing how many copies of programs went around since that time. I guess that virtually every program for this type of computer was available as a pirated copy in France. This is because of the following: 1. There are laws about unlawful software copying, but they are very hard to enforce. In addition to that, it is extremely difficult to find the originators of the software. ie: The "top" pirates are well hidden, and if the police was to catch every person who copies a program, then they'd probably have to prosecute virtually *any* computer user ! 2. Most software was copied and "exchanged" against other software, a bit like a one to one swap. Commercial pirate factories were discovered in Lyons a few years ago. There, the programs were deprotected, copied, and then protected again, and sold to customers for a fraction of the price. The pirates were arrested and heavily fined (and given a prison sentence). SOME SORT OF COMPETITION There were many independent groups of pirates. The average age was 16-22 years old. All of them were experts at Apple II's Disk Operating System. The most "advanced" of these "crackers" were the CCB. CCB for "Clean Crack Band". From the number of programs that they have cracked, they seemed to spend their days and nights cracking games and software. Some French magazines and newspapers wrote articles and interviews with them. They even went on national French TV. Of course, they were in hiding; a bit like drug dealers, really. The quality of their "work" was unbelievable. The program was as good as new, only it had their name in the presentation page. Often, they added pretty graphics, and additional options in some cases. In fact, it looked as though they had completely re-written the program entirely. At the end of 1985, I think, they renamed themselves, the SHC, "Solex Hack Band". (A Solex used to be a cheap moped at the time) They hacked a few French Computers by using dial lines; they did one "Hacking" direct, on TV, showing the journalists how vulnerable computers were. Since that time, I don't know what happened to them. OTHER GROUPS There are a lot of other groups of pirates around France. The CCB were based in Paris (according to the press), and the two most famous members of this group called themselves: Aldo Reset, and Laurent Rueil. Other groups include: - - Johnny Diskette: this name was used by many anonymous pirates who had formed some kind of club in Paris, where they had competitions (!) on who would be the fastest to unprotect a disk. - - BCG (Baby Crack Gang): funny name. They seemed to like Karateka games. - - CES (Cracking Elite Software): They added features to games from time to time. - - Chip Select and the Softman: These pirates went as far as including a digitised picture of themselves wearing dark glasses and saying: "I am Chip Select". A Certain Eric IRQ (Interrupt Request) was also part of this group. - - Mister Z (Geneva): These were Swiss pirates, but for some reason, they were sending copies to French crackers, telling them to change the title page that they had made-up. It was some kind of competition of: "We can protect this program; can you unprotect it ?" - - MAC (Marseilles Association of Crackers): group based in Marseilles. - - P.Avenue Nice: and this one is in Nice... These groups deprotect the software. Once deprotected, it can be copied very easily using a normal copy program. Most copying goes-on in large computer centres, where machines can be used free of charge. There is no supervision there, and no control on what goes-on. Somes places are popular just because it is such an easy way to get hold of any program for no charge (well... just the cost of a diskette). Since 1987, though, the shops are more careful since they could be held responsible for what happens on their machines. HIDDEN INFO If you use a track/sector disassembler, you can see the information on the tracks of the disk displayed as ASCII characters. Often crackers would converse between themselves in this way. Software is copied through a string of intermediaries, and the messages can therefore be passed this way. It is impossible to know if there is some hidden information on the disk if it is not analysed by using a track/sector disassembler. It is therefore very easy to hide other programs within the disk, whether they are games, or even viruses ! IN CONCLUSION So in fact, considering the level of expertise that these crackers have, it would be very easy for them to hide a virus within a floppy disk, which would be triggered by the actual program. I am talking here about the APPLE II computer, but I am sure that other computers (including PC's) have their "expert" crackers, who no doubt, would be very happy to write viruses/worms/trojan horses/time bombs etc. Why do they do it ? My idea is that they do it for "fame", just to see other people talk about "their" virus. Any suggestions ? Olivier Crepin-Leblond, Computer Systems & Electronics, Electrical & Electronic Eng., King's College London Disclaimer: My own views. Any comments/flames/congratulations welcome ! ------------------------------ Date: Thu, 26 Oct 89 16:42:57 -0400 From: TENCATI@NSSDCA.GSFC.NASA.GOV (SPAN Security Manager (301)286-5223) Subject: Virus infection in commercial package (PC) AI32 October 23, 1989 FROM: AI32/Fred A. Rodrigue SUBJECT: Personal Computer Virus Attention: Personnel responsible for personal computers. Kennedy Space Center (KSC) has discovered a virus in a commercially purchased software package, Unlock Masterkey. The HELP.COM file contained the 648 virus, also known as the Vienna virus, Austrian virus, DOS-68 virus and the One-in-Eight virus. Fortunately, the virus was not active because there was no "jump" to the malicious code. The virus was discovered by Lockheed Space Operations Company, a KSC contractor, using a commercially available virus detection program. The infected diskette was marketed by a company, Transec Systems, Inc., that has gone out of business. PCEasy, Inc., Unlock Masterkey's developer, learned of the virus several months ago and notified its customers. PCEasy, Inc., has no knowledge of Transec Systems, Inc., customers. Additional information is available from Mark Mason, EX-INF, Kennedy Space Center, FL 32899, (407)-867-7293, FTS 823-7293. In case of an incident, contact AI32, Fred Rodrigue, 544-2843 or Bob Keasling, 544-1223. original signed by Fred A. Rodrigue Automated Information Security Coordinator ------------------------------ Date: 24 Oct 89 20:36:35 +0000 From: wcpl_ltd@uhura.cc.rochester.edu (Wing Leung) Subject: How to get start to be an anti-virus worker for Mac? I've been reading this news group for quite a while and I am very interested to become an anti-virus worker. I do have the basic antiviral programs like disinfectant, but I'd like to know more about virus from the lower level. I have Fedit and Resedit. Can anyone recommend me to a good reference to get start with? Basically I am focusing on Mac. Thanks in advance. Peter-- _ _ ____ ____ _ * Internet: wcpl_ltd@uhura.cc.rochester.edu (/ / // / // ) (/ * BITNET : WCPL_LTD@UORDBV / / / // //___/ _/ * DecNet : UORHEP::PETER /_/_/ //__/ // _/\___/ * UUCP : ...rochester!uhura!wcpl_ltd ------------------------------ Date: 27 Oct 89 00:00:00 +0000 From: "David.M..Chess" <CHESS@YKTVMV.BITNET> Subject: re: Jerusalem virus infects boot sector ? No! (PC) No, the only viruses I've ever heard called "Jerusalem" infect only COM and EXE files. So either what you were reading just contains an error (happens to all of us!), or they're using the name "Jerusalem" to describe some other virus (not a good idea...). DC ------------------------------ Date: Thu, 26 Oct 89 16:24:01 -0500 From: Dave Boddie <DB06103%UAFSYSB.BITNET@VMA.CC.CMU.EDU> Subject: "THIS_1S_NEXT" virus? (PC) I need to find some quick information from anyone who knows what type of virus replaces your harddisk label with the above subject line. I have just notice this to appear on the label, and I have no idea what it (the perpetrator) will do, or when it will do its little job. VIRUSCAN v4.2 will not locate any virus on this machine. By the way, can I get a copy of the new version of 'SCAN from someone??? Dave Boddie Computer Operator Remote4 Lab University of Arkansas, Fayetteville ------------------------------ Date: 27 Oct 89 00:00:00 +0000 From: "David.M..Chess" <CHESS@YKTVMV.BITNET> Subject: re: Jerusalem virus infects boot sector ? No! (PC) I wrote to Jan T. about this, and he confirms that the "Jerusalem" does *not* infect boot sectors. His officially-distributed list of virus signatures doesn't say that it does, so what you were reading was probably a version that someone else had modified by inserting wrong information. Message from Jan follows. (Note that the "Virscan" program that he's talking about is *not* the IBM Virus Scanning Program, but another program whose executable is also called VIRSCAN...) " I would appreciate if you could explain that the list that is distributed via " the "Software Distribution Network" on FIDONET is a *verified* list of virus " signatures that has been extensively tested by a number of people. The list " contains a notice not to distribute modified copies of the original file. " For those without access to other networks, the latest fresh copy of the " VIRSCAN.DAT file is available on any of the "SDN" nodes in FIDONET within 24 " hours after the master copy on 2:512/10.0 is refreshed. The file is usually " available as VIRUSSIG.ZIP or VIRUSSIG.PAK " Anything that is not directly pulled off a "SDN" node is probably not the " original...... " " There were several modified versions of the file going round with the wrong " information and 1 version of the file rendered the Virscan program useless " because of the info being in the wrong format, pointing to EXE instead of COM " files, etcetera. " " <JT> ------------------------------ Date: Fri, 27 Oct 89 11:51:19 -0400 From: Bob McCabe <PSYMCCAB%UOGUELPH.BITNET@VMA.CC.CMU.EDU> Subject: Imbeded virus detection As a consultant who writes software for the PC I am worried about the possibility of my programs getting infected and becoming vectors by which viri are spread. In particular I am developing an application that will be hand carried from site to site to gather data by a number of users. If this program were to get infected it could cause wide spread loss of data to an important research project, not to mention other programs and data on affected systems. I am looking at including a check to see if there has been any change in the EXE files. Failure on such a check would cause the program to disable it's self and report a possible infection. While working out the algorithm for this check it struck me that it should be possible to work out a scheme by which any program could check itself at load time for infection. In order to avoid programs using identical checks that a virus writter could get around, the algorithm would include some form of encryption parameter that could be 'customized' in each program. Presently, I am working on a system of prime number coding in which the CRC check of the EXE file is compared with a encoded CRC. The coding of the CRC would be done with a large prime number, chosen at random from a table. If written in assemblier this scheme would not slow down load time by that much. I have not had much time to persue this but hope to get back to it next month. I would welcome any comments, criticisms and suggestions. ======================================================================== BITNET : PSYMCCAB@VM.UOGUELPH.CA Bob McCabe CoSy : bmccabe Computer Consultant Phone : (519) 821-8982 University of Guelph Guelph, Ont. Canada ========================================================================= ------------------------------ Date: Fri, 27 Oct 89 17:08:16 +0000 From: Fridrik Skulason <frisk@RHI.HI.IS> Subject: A new virus from Iceland (PC) New virus - first report...... I have just obtained a copy of a new virus, which seems to be of Icelandic origin, at least a text string inside the virus contains the message "Ghostballs, Product of Iceland" The virus is a combination of the Vienna virus and the Ping-Pong virus. It infects .COM files, just like "Vienna", but at the same time it tries to place a copy of Ping-Pong on the boot sector in drive A: This copy of Ping-Pong has, however, been heavily patched. Actually it can not be called a virus, since it does not replicate - large parts of the code have been replaced with NOP instructions. The "Vienna" part seems to have been only slightly modified, but I have not yet had time to disassemble it. Infected files grow by 2351 bytes. This virus was discovered when a person I had given an utility to remove the Ping-Pong virus called back to complain that it did not work, the virus would simply reappear on all diskettes, even if he booted from a "clean" diskette. The reason was that most of his .COM files on the hard disk had been infected. One final note - the patched Ping-Pong virus seems based on the '286 variant reported recently. ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Monday, 30 Oct 1989 Volume 2 : Issue 226 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Virus scanning on PCs? Re: Protection in Operating Systems How to Become a Virus Expert (Mac) Re: Lode [sic] Runner Virus (Apple) Where are the Sophisticated Viruses? 2608- possible virus? (AMIGA) BOOTCHEK (possible virus) (PC) Defensive computing... Re: Obj - anti-virus (PC) MacDraw II 1.1/GateKeeper 1.1 problems (Mac) Self-checking programs (PC anti-virus protection) --------------------------------------------------------------------------- Date: 26 Oct 89 16:07:15 +0000 From: davidsen@crdos1.crd.ge.com (Wm E Davidsen Jr) Subject: Virus scanning on PCs? Do scanning programs (in particular scanv45) check video memory for a virus? I once developed a program which installed itself in the 2nd page of video memory because there was nowhere else for it. Not a virus, just a fix for some BIOS bugs, but someone else could hide a virus there if they were so inclined. Very little software ever uses any page but the first. Oh, if the video pages were swapped and then output to the serial port was done, the display was really pretty! - -- bill davidsen (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen) "The world is filled with fools. They blindly follow their so-called 'reason' in the face of the church and common sense. Any fool can see that the world is flat!" - anon ------------------------------ Date: 26 Oct 89 16:03:14 +0000 From: davidsen@crdos1.crd.ge.com (Wm E Davidsen Jr) Subject: Re: Protection in Operating Systems In article <0001.8910231129.AA06880@ge.sei.cmu.edu>, WHMurray@DOCKMASTER.ARPA w rites: | However, as it relates to viruses, the big difference between them | today is the number and nature of uses and users. If UNIX were being | used for the same things and by the same number of users as DOS, it | would be just as vulnerable. I don't see how that relates to the technical issues. DOS allows any program to write anywhere in memory, including over the o/s. UNIX does not. DOS allows any program to write directly on the hard disk. UNIX does not. DOS allows any program to write to a floppy disk. UNIX may or may not, but in general UNIX seldom uses floppies at all, and when it does the formats are usually not susceptable to changing one file without changing others (ie. tar, cpio). DOS allows any program to modify any file on any disk. UNIX does not. This is not a case of one being "better" than another, just a case of inherent characteristics of the systems. Yes, if someone is running UNIX on an 8088 machine many of the protections are bypassed. - -- bill davidsen (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen) "The world is filled with fools. They blindly follow their so-called 'reason' in the face of the church and common sense. Any fool can see that the world is flat!" - anon ------------------------------ Date: Fri, 27 Oct 89 15:48:39 -0500 From: Joe McMahon <XRJDM%SCFVM.BITNET@VMA.CC.CMU.EDU> Subject: How to Become a Virus Expert (Mac) 1) Read this digest. There are probably more contributors here than in any other spot around. 2) Study Inside Macintosh, particularly the sections on ROM patches, INITs, and VBL tasks. These are the principle attack vectors for Mac viruses. 3) Become adept at using TMON, Macsbug, or some other disassembler/ debugger. This will help you track down what is happening during a given infection. I don't know of anything equivalent to the "microscope and tweezers" report on the Internet worm for any Mac virus, so I can't refer you to any articles which talk about the mechanics of any virus in great detail. The only one which might be of use to you is an article in MacTutor magazine (last year? check the MacTutor anthologies) which has a description of an nVIR infection and a primitive but useful removal program. --- Joe M. ------------------------------ Date: Fri, 27 Oct 89 14:59:56 -0700 From: nparker@cie.uoregon.edu Subject: Re: Lode [sic] Runner Virus (Apple) In article <0010.8910231129.AA06880@ge.sei.cmu.edu>, davidbrierley@lynx.northeastern.edu posted an article about the Apple IIGS LOAD RUNNER virus, and asked the following questions: > [...] (1) Does any reader of VIRUS-L >know if the French expression "non-destructeur" means >"non-destructive" or "indestructible?" (2)Could anyone post a >version of VIRUS.KILLER (source code follows the report) written >in BASIC? (It could be posted here or to Info-apple@brl.mil) >(3) Because the university does not import VIRUS ALERT I >have not posted this report to it, for fear of replication. Could >someone post this message to VIRUS ALERT if it has not appeared there >already? Way back in July, I found this beasty lurking on some of my disks, and did a fairly thorough analysis of it, which culminated in the writing of the program which appeared at the end of the original article (copies of the program are available from me at the addresses below). I think I can provide some answers and information. I speak no French, but I think I can say after looking at the virus code that whatever "non-destructeur" really means, it OUGHT to mean "non-destructive." The damage done by this virus is minimal--it destroys only the boot blocks of a 3.5" disk (5.25" disks and hard disks seem to be immune), leaving all the files and directories intact (it can, however, render some copy-protected games unusable). My impression is that the author of the virus was thinking something like "I'm going to release this virus, which is a really bad thing to do, but it will be all right if it doesn't do any real damage." This impression seems to be reinforced by the fact that LOAD RUNNER has a finite life-span built in-- at the same time it starts damaging, it also stops propagating, and being a boot block virus, it destroys copies of itself when it destroys the boot blocks. Posting a BASIC version of VIRUS.KILLER isn't really practical--the steps that it takes to eliminate LOAD RUNNER are pretty much beyond the capabilities of poor old Applesoft BASIC. Any BASIC program would probably be just a short menu routine wrapped around a machine-language core which would be essentially the same as the current program. It's probably a bit late for a VIRUS ALERT message. I first saw LOAD RUNNER back in July (at which point it had probably already been around for a while), and if memory serves, the article quoted in the original posting was first posted sometime around August or September. Besides, LOAD RUNNER's trigger dates are any time between Oct. 1 and Dec. 31 inclusive, so any infected users have probably aready seen it run its course, and an alert now would be somewhat akin to locking the proverbial barn door after the horse has escaped. - ------------------------- A summary of LOAD RUNNER: Entry................: LOAD RUNNER Alias(es)............: (none) Virus detection when.: July, 1989 where.: Various places in the US and Canada Classifications......: Boot block virus Length of virus......: 1024 bytes (all of blocks 0 and 1) Operating system(s)..: ProDOS 8, ProDOS 16, GS/OS Version/release......: all Computer model(s)....: Apple IIGS Identification.......: Boot blocks are changed. System: Virus copies itself to $E1/BC00 thru $E1/BFFF. Type of infection....: Virus resides in the boot blocks of a 3.5" disk. Copies itself to $E1/BC00 when disk is booted. Copies itself to disk in slot 5, drive 1 when CONTROL-APPLE-RESET is pressed. Propagation routine gains control by patching undocumented system vector in Memory Manager. Original boot blocks are not saved--virus contains code to emulate standard boot process. Infection trigger....: Infects disks in slot 5, drive 1 only. Infection of disks occurs when CONTROL-APPLE-RESET is pressed. Infection of host machine occurs when an infected disk is booted. Interrupts hooked....: n/a Damage...............: Erases boot blocks of disk in slot 5, drive 1. No files are damaged. Damage trigger.......: Any date between Oct. 1 and Dec. 31 inclusive, of any year. Damage occurs when an infected disk is booted. If damage occurs, further infection will not occur. (Note that the damage process wipes the virus off of the infected disk.) Acknowledgment: Location.............: University of Oregon Documented by........: Neil Parker (nparker@cie.uoregon.edu) Date.................: 27-October-1989 Personal opinion: A rather wimpy virus. Damage is minimal and easily repaired. The virus code uses no special tricks, except for the method used to survive and gain control after RESET. All in all, it's not worth making much of a fuss about (except to the extent that ALL viruses are worth making a fuss about). (This is my first posting to comp.virus/VIRUS-L. Did I get the report format right?) Neil Parker nparker@cie.uoregon.edu parker@astro.uoregon.edu DISCLAIMER: Opinions are mine alone. ------------------------------ Date: Sat, 28 Oct 89 01:46:00 -0400 From: TMPLee@DOCKMASTER.ARPA Subject: Where are the Sophisticated Viruses? For various reasons I have been behind in my reading of Virus-L, and so I found myself skimming something like the last dozen issues of the digest all at once. I was struck by something: are we lucky and there are no competent, sophisticated writers of viruses out there, or are we just fooling ourselves? Although the details of most of the virus prevention programs (e.g., Gatekeeper for the Mac) haven't been discussed at all or recently enough that I remember them, it seems to me that any virus writer willing to get his hands dirty and write code that directly uses the I/O hardware (rather than rely on the operating system) should be able to write a virus that could not be detected by any of the preventative defenses that are supposed to be watching for suspicious writes and that would only be detected after-the-fact by reactive defenses that did a lot of robust integrity checksumming. (Looking for file modification dates would be useless since the virus would of course not be polite enough to update any directories; scanning programs would be useless on the assumption that the virus remains undetected until it goes off so no-one would have included a signature to scan for.) Suppose some suitably motivated person wrote such a virus and set the trigger for a year or two away (provided the virus had been executed and/or propagated some number of times) -- how far within the IBM-PC or Mac community would it likely spread before the trigger fired? How do we know one or more such beasts isn't already out there, just biding its time? ------------------------------ Date: 29 Oct 89 00:16:58 +0000 From: n8735053@unicorn.wwu.edu (Iain Davidson) Subject: 2608- possible virus? (AMIGA) In article <0007.8910261143.AA02119@ge.sei.cmu.edu> okay@tafs.mitre.org (Okay S J) writes: >I received this from Amiga-relay this morning....From all reports, it >appears that Xeno, if it is a virus, is the 1st non-boot infector virus >in the Amiga community. All the others I've seen so far live in the boot >sector and most Amiga anti-virals seem to only worry about the boot sector >and in RAM at the time. >I'll cross-post anything I hear from either side to their respective >lists. > >Stephen Okay Technical Aide, The MITRE Corporation >x6737 OKAY@TAFS.MITRE.ORG/m20836@mwvm.mitre.org [Text deleted] Well, while up in Vancouver, BC at an Amiga Users Group meeting, a interesting thing was demostrated..... I call it the "2608" virus. (don't know the offical name). It worked like the IRQ virus attaching itself to the first executable in the startup-sequence. But with a slight twist. It would copy the found executable to devs:" " and copy itself into the old name in the "C" directory (size 2608 bytes). The way that it was noticed was that the person had typed "echo blah blah" in his startup-sequence, but in "C" directory he had "echo" called "Echo" . One day he had noticed that the command was in all lowercase and 2608 bytes long (not the usual 653? bytes long). He also noticed that he had a extra file " " in the devs: directory the same size as the echo command. Evidently, the virus copyed itself to the command location, then copied the command to the devs: directory. Everytime the command was executed it would call the virus-program which in turn would call the REAL command. Appearing as though all worked fine. Another interesting thing.... about every 5 times he warm-boot, a message would come up saying something like "Virus Exterminator.. blah blah.... Virus by Blah Blah (i don't remember the specifics)" this only appeared for a brief second ... not long enough to read the whole thing. Anybody else have any info on this ? - -Iain Davidson IAIN@wwu.edu n8735053@unicorn.wwu.edu uw-beaver!wwu.edu!IAIN ------------------------------ Date: Sun, 29 Oct 89 00:19:00 -0500 From: PERRY@northeastern.edu Subject: BOOTCHEK (possible virus) (PC) HI! This list provides a service of great benefit to many many computer users! Congratulations. I recently downloaded BootChek 1.0 from Simtel20. With increasing frequency it has been saying my boot sector has been modified. I have allowed it to replace the "corrupt" boot sector on each of these occaisions. The complaint only happens on cold boots and not everytime the machine is cold booted. BootCHek lists the offset at which the sector starts to be different as 11 (on other occaisions 17, and most recently as 6.) The most recent time this symptom occured was after three reboots (each of which set off bootchek) Viruscanv42 shows no viruses on my 10 meg hard disk. I also run flushot plus ver 1.5 and UNVIRUS6 from Simtel20. These are running on my 4.77mhz IBM PC Clone with a DTK BIOS. I am concerned that BootChek has a bug, a virus, or both. Would someone please respond ASAP with any thoughts or info on my concerns! Jeffrey Perry Northeastern University PC Users Group PS. I have the corrupt.hex file produced by each of the five times bootchek claimed my boot sector had been changed. If anyone wants to analyze them I would be glad to send them along. PSS. I have backed up my Hard Disk so I am ready for just about anything BUT I hope it is merely a bug in bootchek!!! ------------------------------ Date: Sun, 29 Oct 89 09:33:05 -0500 From: dmg@lid.mitre.org (David Gursky) Subject: Defensive computing... Just a "friendly reminder" to the readers of Virus-L (and apologies to those who get both RISKS and Virus-L, and saw this note in RISKS some weeks ago). There are several key dates that electronic vandals like to strike on: Any Friday the 13th, April Fool's Day, and Halloween. The latter is Tuesday, and it would be exceedingly prudent (not to mention cheap insurance) for people to back up their disks in the event they are infected with a virus, or are unwittingly using a Trojan Horse, equipped with a time-bomb set for Halloween. A backup will not prevent the time-bomb from going off, nor will it remove the virus or Trojan Horse from your system, but it will be invaluable in recovering any data you may loose. ------------------------------ Date: 29 Oct 89 19:56:08 +0000 From: kerchen@iris.ucdavis.edu (Paul Kerchen) Subject: Re: Obj - anti-virus (PC) In article <0003.8910271112.AA11335@ge.sei.cmu.edu> s0703pdb@semassu.bitnet (Pa ul Bienvenue) writes: > [stuff about distributing OBJ files as anti-viral technique] > > It's a nice idea, but it wouldn't really stop virus writers, just >make life a little more difficult for them. That's the whole point: to make life more difficult for virus writers. The whole virus problem is NP complete, meaning that there is no way to ever completely solve it. For every protection scheme, there is a way to break it; just look at the copy protection war that has been going on for years now. Anyone who's in the virus business (either attacking or defending) had better know that they can never hope to create a virus/vaccine which is completely bulletproof. There will always be someone on the other side who will figure out a scheme to counter that virus/vaccine. Therefore, no solution should ever be ruled out simply on the basis that it cannot stop virus writers (I know that this isn`t the only reason Paul gave, but I just wanted to make this point). Stopping virus writers isn`t going to happen in software or hardware, but in societal pressure. (Perhaps some future first lady will make that her project: viruses--just say no. :-) ) Paul Kerchen | kerchen@iris.ucdavis.edu ------------------------------ Date: Sun, 29 Oct 89 15:14:00 -0500 From: HONORS@kuhub.cc.ukans.edu Subject: MacDraw II 1.1/GateKeeper 1.1 problems (Mac) Question: Does GateKeeper 1.1 have problems with MacDraw 1.1? Our installation has version 1.1 running on a machine protected with GateKeeper. Whenever we try to save a previously opened document, we get a dialog box saying "File not Found". SOMETHING is saved, because the changes are there when we open the document; but MacDraw does not recognize this. I've pretty much narrowed the trouble down to either GateKeeper or a virus in MacDraw II, because when I use the override feature on GateKeeper, MacDraw works fine. But even when I give MacDraw II 1.1 full privliges, (Res/File on Other, System, and Self) it still gives the File Not Found dialog box. Has anyone else had this problem? Travis Butler at HONORS@kuhub.cc.ukans.edu ------------------------------ Date: Sun, 29 Oct 89 21:13:00 -0500 From: JHSangster@DOCKMASTER.ARPA Subject: Self-checking programs (PC anti-virus protection) Bob McCabe of the University of Guelph wrote (27 Oct) "it struck me that it should be possible to work out a scheme by which any program could check itself at load time for infection..." This is quite true, and in fact there is at least one commercial anti-virus product out there which implements this idea. (There may well be others.) The one I have noticed is VACCINATE PLUS, by Computer Integrity Corp. of Boulder Colorado. Along with several other anti-viral tools, this product includes an "INSTALL" utility which "vaccinates" the boot track and all executables on the disk. "Vaccination" consists of appending a cryptographic "seal" checking module (smaller than a typical virus!) and patching the load module header so that this module executes first, then passes control to the original application program if the program is "clean", otherwise halting and issuing a warning message. According to Larry Martin of Computer Integrity Corp., the resulting protection is entirely transparent to the end user, i.e. no keystrokes are required, you just run a program in the normal way, and it runs normally unless the file has been infected, in which case it issues the warning and returns control to DOS. Computer Integrity Corp. can be reached by phone at (303) 449-7377 (FAX number is 449-7477). Their address is PO Box 17721, Boulder CO 80308. (I have no commercial connection with this company.) Regarding the specific scheme Bob McCabe described, i.e. computing a CRC on a program and then encrypting it, it is fairly well known that since the CRC process is linear over the binary field (commonly called "GF(2)" by algebraists), it is little more than a high school algebra exercise to make your desired changes to the program, then make a few more bits' worth of additional changes (determined by simple linear algebra over GF(2)) which restore the CRC bits to their former value so that they will still perfectly match the bits recovered from the encrypted CRC -- thus defeating the protection scheme. The only trick, in an executable program, is to set up the code so that the additional bits you have to diddle to restore the CRC do not adversely affect execution, e.g. include a branch around them or whatever suits your fancy. The basic idea is OK, but you need to use a "one-way" hash function, rather than something readily invertible like a linear CRC. See Dorothy Denning's book or any of a number of recent articles for ideas on better hash functions, or use one of the "chained" modes of the DES which have been proposed for detecting data alterations. The key (so to speak) property that is needed is that it must be difficult to construct a second message or in this case computer program with the same value for the hashing function's output. - -John Sangster SPHINX Technologies, Incorporated (617) 235-8801 P.O. Box 81287 Wellesley Hills, MA 02181 ------------------------------ End of VIRUS-L Digest *********************VIRUS-L Digest Tuesday, 31 Oct 1989 Volume 2 : Issue 227 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Re: Virus scanners Re: Virus source available in Toronto RE: BootChek (possible virus) (PC) Re: MacDraw II 1.1/GateKeeper 1.1 problems (Mac) Re: Another suggestion for preventing viral spread (PC) stoned removal? (PC) Re: Macintoch MacWrite, STR 801 (Mac) Free catalog disk update Yale/Alameda & Stoned Viruses (PC) --------------------------------------------------------------------------- Date: Mon, 30 Oct 89 16:32:39 +0000 From: yale!slb-sdr!sdr.slb!shulman@uunet.UU.NET (Jeff Shulman) Subject: Re: Virus scanners portal!cup.portal.com!cpreston@Sun.COM writes: >My point about "How good are scanning programs" is mainly that if the >program uses well-chosen search strings it can be more effective than >I, at least, initially expected. Several scanning programs for the >Macintosh relied only on resource names (resources include program >code on the Mac). These resource names, such as nVIR, are very easily >and quickly changed to hPat or anything else, completely defeating the >scanning program. >Charles M. Preston MCI Mail 214-1369 >Information Integrity BIX cpreston >Box 240027 907-344-5164 >Anchorage, AK 99524 Very true. Which is why the scanning strings in VirusDetective(TM) are (1) resource type/ID independent (for all the Mac viruses) and (2) *user* configurable [but the GIGO rule applies: Use invalid search strings and you will get invalid results]. Plug: VirusBlockade(TM) II Ltd. has just been released by me (along with VD 3.1) which, among other things, allows you to scan floppies in background (when used with VD 3.1) when they are inserted WITHOUT having to have VD open. [VB II Ltd. is a DEMO of VB II which does everything except save any configuration changes to disk] Jeff Shulman VirusDetective & VirusBlockade author - -- uucp: ...rutgers!yale!slb-sdr!shulman CSNet: SHULMAN@SDR.SLB.COM Delphi: JEFFS GEnie: KILROY CIS: 76136,667 AppleLink: KILROY ------------------------------ Date: 30 Oct 89 17:04:03 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: Virus source available in Toronto Yes it is indeed true that viral sources are published in several areas... however "Viruses , A high Tech disease" published only overwriting viruses!! more similar to a logic bomb as when they infect the target executable the file is immediately destroyed(VERY EASY to detect) by the overwriting process. However any COMPETANT Assembly coder can manufacture far more unobtrusive viruses if he just thinks about it!! the published sources working or non working are really not that much of a threat... cheers from the front lines!! kelly/silly CON Valley!! ------------------------------ Date: Mon, 30 Oct 89 10:15:39 -0500 From: Arthur Gutowski <AGUTOWS%WAYNEST1.BITNET@VMA.CC.CMU.EDU> Subject: RE: BootChek (possible virus) (PC) In Virus-L Digest v2, i226, Jeffrey Perry expressed some concern about his copy of BootChek that he is running. I sent him a note asking him to send me the copy of the program he is running now, the corrupt.hex files, and the copy of the boot sector generated by BootChek. Since ViruScan and other products have failed to find anything, I doubt it is a virus that infected him (although it is possible a new nasty has surfaced :-( ... Thus my interest in the corrupted boot sector files). I can only make the assumption for the time being that the program is bugged. I am looking into the matter, and if in fact there is a bug in the program, a version update will be released with the fix and posted via Jim Wright's antiviral archives. I also asked him to take some measures in re-running the program in a (relatively) guaranteed clean environment. Hopefully, these tests will show that there isn't yet another new virus out there. I will post an update when more info is available. Arthur Gutowski, Co-author of BootChek +--------------------------------------------------------------------+ | Arthur J. Gutowski, Student Assistant | | Antiviral Group / Tech Support / WSU University Computing Center | | 5925 Woodward; Detroit MI 48202; PH#: (313) 577-0718 | | Bitnet: AGUTOWS@WAYNEST1 Internet: AGUTOWS@WAYNEST1.BITNET | +====================================================================+ | Rules to live by, #153: | | Never get caught on the wrong side of a Doppler shift. | +--------------------------------------------------------------------+ ------------------------------ Date: 30 Oct 89 17:04:46 +0000 From: ut-emx!chrisj@cs.utexas.edu (Chris Johnson) Subject: Re: MacDraw II 1.1/GateKeeper 1.1 problems (Mac) In article <0010.8910301224.AA05511@ge.sei.cmu.edu> HONORS@kuhub.cc.ukans.edu w rites: >Question: Does GateKeeper 1.1 have problems with MacDraw 1.1? Our (stuff deleted) > Travis Butler at HONORS@kuhub.cc.ukans.edu The answer is that GateKeeper 1.1 is making the problem apparent - it's not at all clear whether the problem is a very obscure bug in GateKeeper (and it would have to be obscure since so few pieces of software demonstrate this problem) or a bug in MacDraw. I've been working with Ken Walters at Claris for some time now, and we haven't reached any useful conclusions as yet. There are other packages that demonstrate related problems. They include MacWrite 1.x and Claris CAD, and a few programs from other vendors, as well. The solution (after a fashion) is to use version 1.1.1 of GateKeeper. Although the problem remains, 1.1.1 can be warned about programs that suffer from the problem. Thus warned, GateKeeper avoids the situations that give rise to the problem. There are a number of other good reasons to upgrade to 1.1.1, so consider the upgrade *highly* recommended. - ----Chris (Johnson) - ----chrisj@emx.utexas.edu - ----Author of Gatekeeper ------------------------------ Date: 30 Oct 89 17:37:56 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: Another suggestion for preventing viral spread (PC) Sorry close but no cigar... OBJ files are even easier for a viral writer to manipulate... the format is EXTREMELY well document... how do I know??? simply I have written a few linkers!! its quite trivial to cause a OBJ type virus to repropagate!! I suggest if you are interested further check out the MS-DOS encyclopedia!! from microsoft press!! cheers kelly ------------------------------ Date: Mon, 30 Oct 89 13:18:15 -0500 From: howard@maccs.dcss.mcmaster.ca (Howard Betel) Subject: stoned removal? (PC) I have a friend that has recently been hit by the stoned virus. His question quite simply is whether there is anyway to eradicate the virus without having to do a low level format. After the low level, is there anything else he should be worried about? If no files are involved in your answer could you please mail him at: 39CJORDAN@SHERCOL1.BITNET or if there are files involved please respond to me so I can grab them for him. Thanks for any help you can give, I think he's almost around the bend. :-0 - -- Howard Betel Howard@maccs.dcss.McMaster.CA Dept of Computer Science ...!unet!utai!utgpu!maccs!howard McMaster University ------------------------------ Date: 30 Oct 89 22:29:42 +0000 From: ut-emx!chrisj@cs.utexas.edu (Chris Johnson) Subject: Re: Macintoch MacWrite, STR 801 (Mac) In article <0002.8910271112.AA11335@ge.sei.cmu.edu> JS05STAF%MIAMIU.BITNET@VMA. CC.CMU.EDU (Joe Simpson) writes: >I'm unclear about the STR 801 discussion. Let me tell a little story >to see if I can further confuse things. > >About 4 months ago a client reported that MacWrite was growing in file >size on a public Mac. I checked to see that VACCINE was turned on. >I ran Disinfectant 1.2. A clean machine. > >I then ran ResEdit to look at the MacWrite file. There were a large >number of STR 801 resources. The program was adding STR 801 resources >at some unknown interval. > >I replacedthe file with a fresh copy of MacWrite and the problem disappeared. > >I put it down to normal computer miseries and not a computer virus. You were right to assume that it was just normal "miseries". Ken Walters at Claris recently mentioned that they've received reports of this problem in the past with version 5.x of MacWrite (possibly earlier versions, too - I didn't get all the details on which versions). They don't worry about it, though, because they now put out MacWrite II which doesn't have this problem, so, as far as they're concerned, the bug is "fixed". :-) And, when you consider it, it would be a pretty simple mistake to make... all that's required is for someone to forget to do a UseResFile() at the right time (just before the AddResource() call is made), and the STR 801 could go into any of the currently open resource files, including MacWrite's own file. So, it doesn't sound like there's anything to be concerned about. - ----Chris (Johnson) - ----chrisj@emx.utexas.edu - ----Author of Gatekeeper ------------------------------ Date: Mon, 30 Oct 89 18:30:00 -0500 From: IA96000 <IA96%PACE.BITNET@VMA.CC.CMU.EDU> Subject: Free catalog disk update Regarding the xxx catalog disk mentioned last week. here is an update. the three infected files were uploaded to homebase for evaluation by the experts there. one of the files cl.com was a hidden file and would not be seen just by doing a dir command. the company was contacted, (the phone was answered by a kid who yelled out, "hey daddy it's for you"),and the responsible party was informed that the disk received had three viruses on it. his reply, and i quote was "that is impossible, i wrote the all of the programs on the free catalog disk." he then proceeded to ask why he would include a virus. an attempt was made to explain that the infected programs were shareware used by batch files on the catalog disk. he was not at aLL INTERESTED IN HEARING ABOUT THE PROBLEM AND RATHER RUDELY SLAMMED THE PHONE DOWN, AFTER UTTERING A FEW CHOICE WORDS. TO REITERATE, THIS DISK WAS received in response to a "bingo card" request from the back of one of the major computer magazines. the ad offered a free disk containing a catalog of shareware and other software sold by the xxx company in hesperia, california. the disk label appears as follows: 1989 xxx catalog ********************** p.o. xxxx hesperia, ca 92345 may view or print catalog & orderform to start catalog . . . a>start the company name and post office box number have been replaced by x's to avoid any legal problems. on the disk there is the root directory and a subdirectory named \ord. in the root directory two files are infected. cl.com is the hidden file in the root which is infected. in the \ord directory a file is also infected. other than that i am at a loss. attempts to speak to the company have failed, so i guess it will take a complaint to the editor of the magazine where the ad appeared. ------------------------------ Date: Mon, 30 Oct 89 18:45:54 -0500 From: Tom Luthman <ST9%UGA.BITNET@VMA.CC.CMU.EDU> Subject: Yale/Alameda & Stoned Viruses (PC) Here in the PC labs at UGA we've been having outbreaks of what Scanv45 calls the Yale/Alameda virus in the boot sector. What does this virus do and how dangerous is it? Also, one user found a "stoned" virus on his hard drive. Are there removal programs available for either or both of these? And how can we get 'em? Thanks... --- Tom Luthman (st9 @ uga) ------------------------------ End of VIRUS-L Digest ********************* VIRUS-L Digest Tuesday, 31 Oct 1989 Volume 2 : Issue 228 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Fri 13 virus in Taiwan Checksum programs New Variant of WANK Worm (VAX/DECnet) [Ed. This VIRUS-L issue is going out early to get the WANK notice out in a reasonably timely manner.] --------------------------------------------------------------------------- Date: Tue, 31 Oct 89 08:02:54 -0500 From: Elliott Parker <3ZLUFUR%CMUVM.BITNET@VMA.CC.CMU.EDU> Subject: Fri 13 virus in Taiwan The following is from "The Free China Journal" (19 Oct 89): Head: Phantom Virus Unseen In ROC The "Friday the 13th" computer virus that was supposed to wipe out the world's IBM-compatible computer systems failed to materialize in Taiwan. Mitac, Inc., one of Taiwan's leading computer companies reportedly discovered some of its personal computers were infected by the virus, but a spokesman said the virus not the one called "Friday the 13th." No attack was reported in other computer companies, including Acer Inc., Eten Technology, Kuo Chiao, HP or Digital. Computer systems in local banks and securities firms worked well on Oct. 13. The post office in Taipei was thrown into panic when it was discovered none of its computers worked. But it was determined the breakdown was caused by the motor of a disk drive. - ------------------------------------------------------------------------ Elliott Parker BITNET: 3ZLUFUR@CMUVM Journalism Dept. Internet: eparker@well.sf.ca.us Central Michigan University Compuserve: 70701,520 Mt. Pleasant, MI 48859 BIX: eparker USA UUCP: {psuvax1}!cmuvm.bitnet!3zlufur ------------------------------ Date: Tue, 31 Oct 89 14:47:32 +0200 From: Y. Radai <RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU> Subject: Checksum programs Bob McCabe writes: > While working out the algorithm for this check it struck me >that it should be possible to work out a scheme by which any >program could check itself at load time for infection. .... >Presently, I am working on a system of prime number coding in >which the CRC check of the EXE file is compared with a encoded >CRC. The coding of the CRC would be done with a large prime >number, chosen at random from a table. Fine, just be aware that dozens of people have done it before you. (There must be at least 30 such programs for the PC alone.) But I don't mean to discourage you; some such programs are much better than others. And if you can think of a better way of doing it, more power to you. In my opinion, the most important requirements on a checksum program are: (1) For any given file it must yield a different checksum on each com- puter. (2) Even if the checksum algorithm and checksum length are known, without knowledge of the key (the generating polynomial in the case of a CRC algorithm), it should be impossible to modify a file in such a way that the checksum remains unchanged. (3) It must be able to checksum the boot sector and partition record (in PC terminology) in addition to arbitrary files. (4) It should check file sizes as well as checksums. (5) It must be convenient to specify and update the list of files to be checksummed. (6) A naively written checksum program (and most of them are, unfortu- nately, of this type) will contain loopholes which a clever virus creator can exploit to introduce a virus despite the checksumming. The author of the checksum program must therefore try to think of every such loophole and plug it. (7) It must be reasonably fast. While almost every author concerns himself with (7), there are lots of programs (e.g. FSP) which do not satisfy most (or even any) of the other requirements. Btw, I'm curious to know what importance you attach to making the number prime. John Sangster comments on Bob's posting as follows: > it is fairly well known that >since the CRC process is linear over the binary field (commonly called >"GF(2)" by algebraists), it is little more than a high school algebra >exercise to make your desired changes to the program, then make a few >more bits' worth of additional changes (determined by simple linear >algebra over GF(2)) which restore the CRC bits to their former value so >that they will still perfectly match the bits recovered from the >encrypted CRC -- thus defeating the protection scheme. This is a common opinion, but is incorrect in the current context. You can restore the CRC to its former value *only if you know the ge- nerating polynomial*. But condition (1) above, when implemented with a CRC algorithm, is usually fulfilled by either selecting the genera- tor randomly when the checksum base is initially set up, or by letting the user select it personally. In this situation, the above tech- nique is useless. In the majority of cases, this technique would not work even if the generator were known, since the viral code will increase the size of the file (unless the virus is restricted to infecting particular files having unused space, as in the case of the Lehigh virus). Since a checksum program should also compare the *sizes* of the files (re- quirement (4) above), the change would be detected. Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI1@HBUNOS.BITNET ------------------------------ Date: Tue, 31 Oct 89 08:56:00 -0500 From: TENCATI@NSSDCA.GSFC.NASA.GOV (SPAN SECURITY MGR. (301)286-5223) Subject: New Variant of WANK Worm (VAX/DECnet) ============================================================================ INTER-NETWORK MEMORANDUM SPAN MANAGEMENT OFFICE ============================================================================= 30-OCT-1989 TO: ALL SPAN SYSTEM MANAGERS FROM: SPAN MANAGEMENT OFFICE GODDARD SPACE FLIGHT CENTER CODE 630.2 GREENBELT, MD. 20771 (301)286-7251 SUBJ: SECURITY GUIDELINES TO BE FOLLOWED IN LATEST WORM ATTACK ---------- A variant of the 16-Oct worm has been restarted on the DECnet internet. This worm is a slightly modified copy of the original worm that infected the networks last week. The method of attack is identical to the last except that this version calls itself OILZ_nnnn instead of NETW_nnnn. This variant of the worm changes the password of the account it penetrates unlike its predecessor which only changed passwords if it penetrated a privileged account. The effect of this modification is that if the DECNET account is breached (Userid DECNET, Password DECNET), changing of the password will disable further *INBOUND* network connections to the node, effectively removing it from the network. THIS IS THE PRIMARY WAY IN WHICH THE CURRENT WORM IS ACHIEVING SUCCESS. The previous precautions and guidelines issued by this office are still applicable and valid. The following 5 procedures should be implemented on all DECnet nodes to ensure that the worm cannot gain access to your node. ---------- 1) The current worm has been modified to attack the default DECNET account first. It attempts to enter the default DECNET account with user=DECNET and password=DECNET. This is the default set up. IT MUST BE CHANGED. To change it, two things have to be done: $MCR AUTHORIZE UAF> mod DECNET /pass=<something> !anything BUT "DECNET" UAF> mod DECNET /flag=lockpwd/nobatch/prclm=0 UAF> exit Then, to match default access control information in the executor (so MAIL and NML will still work): $MCR NCP NCP> set executor nonpriv pass <something> !NOTE this MUST match what you set in AUTHORIZE! The above changes will not effect operation of your system, but will prevent the worm from entering via your default DECNET account. 2) DISABLE THE TASK OBJECT The TASK Object MUST be removed from your DECnet database. There are two methods by which you can accomplish this: 1. In SYSTARTUP.COM/SYSTARTUP_V5.COM, after the call to @SYS$MANAGER:STARTNET, insert the following line: $ MCR NCP CLEAR OBJECT TASK ALL THIS COMMAND MUST BE EXECUTED *EACH TIME* THE NETWORK IS STARTED OR RESTARTED. DOING IT AT BOOT-TIME ALONE IS NOT SUFFICIENT. 2. Instead of option 1, the following commands can be issued ONCE from a privileged account to permanently change the information in the DECnet database for the TASK object: $ MCR NCP SET OBJECT TASK PASSWORD <type an INCORRECT password> $ MCR NCP DEF OBJECT TASK PASSWORD <type an INCORRECT password> If for some reason you MUST have a TASK object, please call the SPAN network office at (301)286-7251. 3a) Protect SYS$SYSTEM:RIGHTSLIST.DAT so that it is has no protection bits set for the WORLD category of users. This is how the attacking worm determines who your valid users are. There is some discussion about this approach, it apparently works on 4.7 thru 5.1-1 systems, reports from systems testing this approach say it breaks under V5.2. So there are 2 other approaches, set an ACL on RIGHTSLIST.DAT disabling NETWORK access, or using a logical name to point to RIGHTSLIST. **NOTE** THE ACL APPROACH MAY REQUIRE A REBOOT TO PURGE THE OLD RIGHTSLIST.DAT ON V4.7 SYSTEMS. b) Place an ACL on RIGHTSLIST.DAT to prevent network access of your user names . For V5.X: SET ACL SYS$SYSTEM:RIGHTSLIST.DAT /ACL=(IDENTIFIER=NETWORK,ACCESS=NONE) Version 4.X systems have a more difficult time of it since the file locked by other images. The suggested way of protecting it is from the SYSTEM account to: SET DEFAULT SYS$SYSTEM: COPY RIGHTSLIST.DAT *.TEMP SET ACL RIGHTSLIST.TEMP /ACL=(IDENTIFIER=NETWORK, ACCESS=NONE) RENAME RIGHTSLIST.TEMP *.DAT On completion, make sure that the protection is correct (W:R). You should purge the file as soon as possible. However, you may not be able to purge until the system has either been rebooted or OPCOM has been stopped and restarted. c) The logical name approach relies on "hiding" RIGHTSLIST.DAT and defining a system wide logical name that points to it. Network access does not translate this logical name. $RENAME SYS$SYSTEM:RIGHTSLIST.DAT any_old_file_you_want.dat $DEFINE/SYSTEM/EXEC RIGHTSLIST any_old_file_you_want.dat As long as the logical symbol RIGHTSLIST points to the *real* file, it doesn't matter what you name it, or where it is. The worm EXPECTS it to be in SYS$SYSTEM:RIGHTSLIST.DAT. 4) If possible, verify that none of your users are using their username for their password. Chances are that if they were, you'd have a worm running on your node right now though. The SPAN office has a toolkit available which contains a program that can be used for this purpose. Contact NCF::NETMGR for details. 5) Place an ACL on the default BATCH QUEUE of Version 5.x systems. SET ACL SYS$BATCH/OBJECT=QUEUE /ACL=(IDENTIFIER=NETWORK, ACCESS=NONE) ACLS are not supported on batch queues in Version 4. It is suggested remote Batch be disable by inserting the following command as the first command in SYS$SYSTEM:NETSERVER.COM:, after the label LOOP: $ DEFINE SYS$BATCH NO_SUCH_QUEUE This will prevent the command from ever getting the correct queue. ---------- DEC also recommends that certain SYSGEN parameters be modified in order to thwart an attack technique the worm utilizes. The SPAN management supports these suggested modifications: $MCR SYSGEN USE CURRENT SET LGI_BRK_TERM 0 SET LGI_BRK_TMO 3600 SET LGI_HID_TIM 86400 WRITE ACTIVE WRITE CURRENT EXIT $ If you have been attacked by this worm, please send the node name/number that the attack came from and if possible, the username of the attacker. Send this information your local Routing Center Manager and to NCF::NETMGR on SPAN, 6277::NETMGR on HEPnet/Other nodes on the DECnet Internet. The SPAN Management office also has a new version of ANTI_WANK.COM which can be started in a node's batch queue to search-out and report/destroy worms which may be running on a node. For copies of this procedure, send mail to NCF::NETMGR. REMINDER - The NSI Networking Users Group (Formerly SPAN Data System Users Working Group - DSUWG) is meeting at Goddard Space Flight Center on NOV 13-15. All members of the SPAN community are invited to attend. For information, contact Valerie Thomas, SPAN Project Manager at (301) 286-4740, or send mail to NCF::THOMAS. ------------------------------ End of VIRUS-L Digest *********************