home *** CD-ROM | disk | FTP | other *** search
- VIRUS-L Digest Tuesday, 3 Oct 1989 Volume 2 : Issue 210
-
- VIRUS-L is a moderated, digested mail forum for discussing computer
- virus issues; comp.virus is a non-digested Usenet counterpart.
- Discussions are not limited to any one hardware/software platform -
- diversity is welcomed. Contributions should be relevant, concise,
- polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
- LEHIIBM1.BITNET for BITNET folks). Information on accessing
- anti-virus, document, and back-issue archives is distributed
- periodically on the list. Administrative mail (comments, suggestions,
- and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- - Ken van Wyk
-
- Today's Topics:
-
- re: Why not change OS?
- re: Future AV software (PC)
- List of PC viruses
- VGA2CGA.ARC (or .ZIP) infected with virus (PC)
- Re: Future AV software (PC)
- Re: Posting to VALERT-L re: M-1704 (PC)
- nVIR B (Mac)
- Re: Viruses in Commercial Software
- New PC Virus (AIDS Virus)
-
- ---------------------------------------------------------------------------
-
- Date: 02 Oct 89 00:00:00 +0000
- From: David.M..Chess.CHESS@YKTVMV
- Subject: re: Why not change OS?
-
- Hm. You seem to be assuming, among other things, that:
-
- - If a virus can't talk directly to the hardware or to files
- belonging to other folks, it can't do any serious harm, and
-
- - UNIX programs are exchanged only as source, not as binaries.
-
- I'd disagree with both of those claims; the Jerusalem virus, one of
- the most widespread and troublesome in the PC world, doesn't talk
- directly to the hardware, and doesn't rely on being able to write out
- of the user's own space. I imagine everyone on the list can think of
- a number of nasty/destructive/confusing things that a virus could do
- even if it only had access to the user's own data files, and couldn't
- write direct to hardware (I won't list any here, hehe!).
-
- As UNIX and UNIX-derived systems continue to spread beyond the
- programmer community, program exchange among groups using the same
- hardware will tend, I would expect, to include more exchange of
- binaries. I wouldn't expect to see a virus that could infect more
- than one or two hardware platforms in the near future (cross fingers),
- but a virus that could spread to any machine in one of the more
- popular UNIX hardware categories would be quite enough to cause
- problems for lots of folks!
-
- While I don't know of any UNIX viruses at the moment, I would disagree
- with the suggestion that UNIX is inherently virus-resistant enough to
- make it worthwhile switching OS's in hopes of being able to forget
- about virus protection! The same applies to any other general-purpose
- OS around; viruses *don't* need insecure systems to spread and do Bad
- Things. That's the whole point...
-
- DC
- IBM T. J. Watson Research Center
-
- UNIX is a trademark of AT&T (or Bellcore, or someone like that)
-
- ------------------------------
-
- Date: 02 Oct 89 00:00:00 +0000
- From: David.M..Chess.CHESS@YKTVMV
- Subject: re: Future AV software (PC)
-
- Unfortunately, it's just about impossible to scan for new viruses by
- examining the on-disk image of programs, and looking for things like
- INTs. Three (at least) of the families of PC viruses out in the world
- today store themselves on disk in "garbled" form, with only a little
- "degarbler" stored in clear. That degarbler doesn't contain any INTs
- or other suspicious instructions, and the garbled part of the virus
- appears to be random data. The nasty instructions don't appear until
- the virus executes, and the degarbler converts the garbled stuff to
- code. So it's really only possible to catch these things at runtime
- (as Flushot+ and similar programs try to do), not on disk...
-
- DC
-
- ------------------------------
-
- Date: Mon, 02 Oct 89 17:54:26 +0200
- From: Y. Radai <RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU>
- Subject: List of PC viruses
-
- On May 16 I submitted a list of 20 PC viruses to VIRUS-L. Since
- then, the Terrible Twenty have become the Threatening Thirty (Plus
- Two). Here's the list updated to the present (well, actually, only
- to yesterday; at the current rate there'll probably be at least five
- more today :-) ).
-
- PC-DOS/MS-DOS Viruses
- =====================
-
- No. of First
- Names Strains Type Appearance
- ----- ------- ---- ----------
- 1. Brain, Pakistani, Ashar 8 Boot sector 7K F Jan? 86
- 2. Merritt, Alameda, Yale 8 Boot sector 1K F Apr? 87
- 3. South African, Friday 13th 2 COM D ? 87
- 4. Lehigh 2 COMMAND.COM RO 0 Nov 87
- 5. Vienna, Austrian, Dos-62, Unesco 3 COM D 648 Dec? 87
- 6. Israeli, Friday-13, Jerusalem 12 COM/EXE R 1813/1808 Dec 87
- 7. April-1-Com, Suriv-1 1 COM R 897 Jan 88
- 8. April-1-Exe, Suriv-2 1 EXE R 1488 Jan 88
- 9. Ping-Pong, Bouncing-Ball, Italian 3 Boot sector 2K Mar 88
- 10. Marijuana, Stoned, New Zealand, 2 Boot sector 1K; Early 88
- Australian partition record on hard disk
- 11. Nichols 1 Boot sector Apr 88
- 12. Missouri 1 Boot sector May 88 (89?)
- 13. Agiplan 1 COM R 1536 Jul 88
- 14. Cascade, Autumn, Blackjack 6 COM R 1701/1704 Sep 88 (87?)
- 15. Oropax, Music 1 COM RD 2756 to 2806 Feb 89
- 16. DenZuk, Venezuelan, Search 6 Boot sector 7K F Early 89?
- 17. Dbase 1 COM/EXE R Mar? 89
- 18. DataCrime 2 COM D 1168/1280 Mar 89
- 19. 405 1 COM DO 405 Apr? 89
- 20. Screen 1 COM R May? 89
- 21. FuManchu 1 COM/EXE R 2086/2080 May? 89
- 22. Ohio 1 Boot sector May 89
- 23. Icelandic, Saratoga 3 EXE R 656/642/632 Jun? 89
- 24. Typo 1 Boot sector 2K Jun 89
- 25. Traceback 1 COM/EXE RD 3066 Jun 89
- 26. Disk Killer 1 Boot sector Jun? 89
- 27. Swap 1 Boot sector 2K Jul 89
- 28. DataCrime II 1 COM/EXE D 1514 Jul 89
- 29. Vacsina 1 COM/EXE R 1206 Aug 89
- 30. Mix1 1 EXE R 1618 Aug 89
- 31. Syslock, 3555 1 COM D 3555 Sep 89
- 32. Dark Avenger 1 COM/EXE 1800 Sep 89
- --
- Total no. of strains 77
-
- Summary by type:
- Boot = 11, COM = 10, EXE = 3, COM/EXE = 7, COMMAND.COM = 1.
- Among file viruses,
- Resident = 12, Direct = 6, Resident-Direct = 2.
-
- Notes:
- 1. In the "Type" column, "COM" or "EXE" indicates the type of files
- infected. "R" stands for "resident", meaning that when an infected
- program is run the virus makes itself RAM-resident (hooking one or
- more interrupts); usually such a virus infects subsequently executed
- programs of the appropriate type, e.g. COM files. "D" stands for
- "direct", meaning that it searches the disk for an uninfected file and
- infects it; normally such a virus does not stay resident. (However,
- it is possible for a virus to be both resident and direct in this
- sense.) "O" indicates that the virus overwrites the beginning of the
- file instead of appending or prepending itself to it. The number(s)
- after the "R" or "D" indicate the number of bytes by which the virus
- extends files which it infects (however, in the case of EXE files, the
- total size of the file after infection will get rounded up to the next
- multiple of 16 if it is not already such a multiple). The number
- after the "O" is the number of bytes overwritten. In the case of a
- boot-sector virus, the number of the form "nK" indicates the amount of
- RAM which the virus occupies. "F" means that the virus infects only
- diskettes.
- 2. I include only those viruses which have spread publicly, as
- opposed to localized test viruses (of which there may be hundreds).
- (The "Pentagon virus" is deliberately excluded since as far as I know
- it has not spread publicly; in fact, in the form it was received in
- the UK, it cannot spread at all.)
- 3. By definition of "virus", this list does not include non-replica-
- ting software.
- 4. Questionable cases:
- (a) I suspect that the "Lotus 123 virus" and the "Cookie virus" repor-
- ted recently in VIRUS-L may not be true viruses, and I have therefore
- decided not to include them, at least for the time being.
- (b) Although I have included the Dbase and Screen viruses reported by
- Ross Greenberg, no one else currently on VIRUS-L seems to have encoun-
- tered them. Jim Goodwin claimed that Dbase does not replicate and
- hence is not a virus, though it's possible that Jim and Ross were
- talking about two different things.
- (c) In May 88 I read about a "retro-virus" which infects 3 specific
- programs and is capable of reinfecting files after apparently being
- eradicated. Does anyone have any further info on this virus?
- (d) I have heard of spreadsheet viruses which occasionally change a
- value by a small amount, but I have not included them in the table.
- Further info would be appreciated.
-
- We frequently find new viruses which have evidently been created by
- using an existing virus as a starting point and then modifying it.
- When should the new creature be considered a new virus and when should
- it be considered as merely a new strain of the same virus? The cri-
- terion I have tried to follow (though I probably haven't been entirely
- consistent) is as follows:
- If the "damage" part of the virus has been qualitatively altered, or
- if a virus has been altered to infect additional files (e.g. EXE files
- where the original infected only COM files), then I classify it as a
- separate virus. (E.g. although FuManchu, Typo, DataCrime-2, and Mix1
- are based on Israeli-Friday13, Ping-Pong, DataCrime-1 and Icelandic-1,
- resp., I consider these as separate viruses.)
- If code has been altered, but only by something minor, such as
- changing a target date or the number of infections required to trigger
- the damage, or if the alteration seems to be merely an attempt on
- the author's part to *improve* the code of an existing virus without
- adding new features, then I regard it as a different strain of the
- same virus.
- If the only difference is that only strings (e.g. messages or volume
- labels) have been modified, then I do not consider it as even a sepa-
- rate strain.
-
- Corrections and additions to this list are welcome. (I'm particu-
- larly curious about those questionable dates.) Please send your cor-
- rections directly to me; I'll post an updated version of this table
- from time to time.
-
- I have received suggestions to include additional info in the table,
- such as the symptoms and damage caused by each virus, what types of
- disks it infects, etc. While I agree that such information would be
- very useful, it is beyond the intended scope of this table, both be-
- cause of the difficulty of describing this information in such a short
- space and because the answers often depend on the particular strain
- of the virus. This would make the table much more complicated than it
- was intended to be. Those interested in further information on the
- viruses listed here will eventually find it in various catalogs under
- preparation, e.g. one by David Ferbrache and another by the Virus Test
- Center at the Univ. of Hamburg (these include non-PC viruses as well).
-
- Acknowledgments: I have drawn on information provided by many
- people. Postings in VIRUS-L are too numerous to mention individual
- names, but among those who have corresponded with me personally, I
- would like to thank Dave Ferbrache, Dr. Alan Solomon, Joe Hirst, Prof.
- Klaus Brunnstein, Fridrik Skulason, John McAfee, Bernd Fix, Otto
- Stolz, and David Chess.
-
- Y. Radai
- Hebrew Univ. of Jerusalem
-
- ------------------------------
-
- Date: Mon, 02 Oct 89 11:08:00 -0600
- From: Keith Petersen <w8sdz@WSMR-SIMTEL20.ARMY.MIL>
- Subject: VGA2CGA.ARC (or .ZIP) infected with virus (PC)
-
- A BBS operator in the Detroit area received an MSDOS program infected
- with a virus. The file, VGA2CGA.ARC (or .ZIP) - a program which
- claims it can display VGA graphics on a CGA display, has not been
- distributed in Detroit and no systems were affected as far as we know.
-
- The date/time stamps of the member files in this archive are April 1,
- 1989 (April fools day).
-
- The BBS in California where this file was obtained has been notified
- to remove the file.
-
- Please let me stress that SIMTEL20 does NOT have this program in its
- archives. I am just acting as a go-between to pass the warning to
- this newsgroup.
-
- [Ed. See followup, on "AIDS" virus, from Alan Roberts in this digest.]
-
- - --Keith Petersen
- Maintainer of SIMTEL20's CP/M, MSDOS, and MISC archives
- Internet: w8sdz@WSMR-SIMTEL20.Army.Mil [26.2.0.74]
- Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz
-
- ------------------------------
-
- Date: 02 Oct 89 21:32:49 +0000
- From: jwright@atanasoff.cs.iastate.edu (Jim Wright)
- Subject: Re: Future AV software (PC)
-
-
- In article <0014.8910021145.AA27888@ge.sei.cmu.edu> carroll1!tkopp@uunet.UU.NET
- (Tom Kopp) writes:
- | A version/variant of ViruScan would run, searching not for
- | viral-identifying code, but rather for the interrupt calls that write
- | to a disk (a la Flu_Shot techniques). When it finds one, it looks in
- | a table to see if that code is allowed.
-
- There is a program to do this already. CHK4BOMB will scan a program and
- report on anything "suspicious" it finds. This was originally meant to
- find Trojan Horses, but could work against some viruses as well if used
- in conjunction with other programs. One thing it cannot find is code
- which is self-modifying, thus hiding the actual low-level access to the
- disk controller.
-
- - --
- Jim Wright
- jwright@atanasoff.cs.iastate.edu
-
-
- ------------------------------
-
- Date: Mon, 02 Oct 89 18:18:56 -0500
- From: James Ford <JFORD1%UA1VM.BITNET@VMA.CC.CMU.EDU>
- Subject: Re: Posting to VALERT-L re: M-1704 (PC)
-
- I recently posted a question on VALERT-L about the file M-1704.EXE.
- SCAN V36 stated that it was infected. I now know, from McAfee and
- others, that the 1704 virus is encrypted. Since it is, M-1704 must
- have a specific hex search string in it....one that will indeed cause
- SCAN to flag it. This is *normal* (thats as technical as I can
- get....I don't know more, and what I just said is probably techincally
- wrong).
-
- I hope that my posting of the VALERT-L message does not reflect
- negatively on the Wellspring BBS. The Wellspring BBS is a top-notch
- BBS, and its anti-viral file collection is among the best in the
- country. If I gave you a wrong impression of Wellspring, I apologize.
- I would post this statement about the Wellspring BBS on VALERT-L, but
- have been informed that VALERT-L is not suppost to be carrying such
- postings.
-
- JF
- Acknowledge-To: <JFORD1@UA1VM>
-
- ------------------------------
-
- Date: Mon, 02 Oct 89 19:46:00 -0500
- From: <CTDONATH@SUNRISE.BITNET>
- Subject: nVIR B (Mac)
-
- I recently came across the nVIR B virus on a cluster of Macs. I removed
- it using Disinfecant 1.5 and appears to be gone.
-
- What problems does nVIR B cause? Does it delete files, do annoying things,
- or simply spread? Being a semi-public cluster, how much of a concern
- is its presence?
-
- ------------------------------
-
- Date: 03 Oct 89 02:23:01 +0000
- From: bnr-di!borynec@watmath.waterloo.edu (James Borynec)
- Subject: Re: Viruses in Commercial Software
-
-
- In article <0008.8909281133.AA14331@ge.sei.cmu.edu>, TMPLee@DOCKMASTER.ARPA wri
- tes:
- > In commenting on viruses being distributed (accidentally, of course)
- > through commercial software someone recently mentioned that someone
- > near him had been hit by a virus that was in a shrink-wrapped copy of
- > WordPerfect. I'm skeptical...
-
- It happened. A co-worker bought a copy of WordPerfect for his Amiga. When
- it came to him, it was infected. Those are the facts as he told them to me.
-
- If anyone wants more details I am willing to supply them. It probably
- won't do any good because the problem has been fixed. If anyone is
- collecting historical information and wants more details send E-mail.
- (BTW. to the person who sent me E-mail on this topic, did my reply get
- through to you?)
-
- The story behind this goes something like: WP sold the distribution and
- support rights for the Amiga version of WP for Canada to a company in
- Ontario. That company had some problems. That company no longer
- has the redistribution rights.
-
- I personally have been hit TWICE by viruses in commercial software. From
- different vendors. Once when I was examining a popular speech synthesis
- package for my Mac, and once when we got our TI micro-explorer. Just the
- thing, factory loaded viruses.
-
- To summarize: It happens. Treat ALL software entering your system
- with caution.
-
- James Borynec
-
- - --
- UUCP : utzoo!bnr-vpa!bnr-di!borynec James Borynec, Bell Northern Research
- Bitnet: borynec@bnr.CA Box 3511, Stn C, Ottawa, Ontario K1Y 4H7
-
-
-
- ------------------------------
-
- Date: Mon, 02 Oct 89 21:45:03 -0700
- From: portal!cup.portal.com!Alan_J_Roberts@SUN.COM
- Subject: New PC Virus (AIDS Virus)
-
- A new PC virus was submitted to the CVIA from Keith Peterson (who
- maintains the SIMTEL20 MSDOS archives). This virus replicates in COM files
- and has the unusual capability of infecting generic COM files internally -
- without changing the real size of the file (unlike the zero-bug virus which
- maintains an "apparent" constant infected file size). Small COM files are
- infected externally, and the files sizes, for all files under 10K, changes to
- 13952 bytes - another unusual characteristic. The virus displays a full
- screen graphic with the the word "AIDS" occupying the bottom half of the
- screen. The top half contains a long rambling message from the author
- informing the user of how stupid he has been for using public domain
- software.
- SCANV40 has been updated to identify the virus. It is not yet known
- how destructive the virus may be (all tests have been done with a disabled
- hard disk). More info forthcoming. ViruScan identifies the virus as the
- AIDS Virus. Thanks to Keith Peterson for his quick identification of
- the virus and for his timely response.
- Alan
-
- ------------------------------
-
- End of VIRUS-L Digest
- *********************
- Downloaded From P-80 International Information Systems 304-744-2253
-