- VIRUS-L Digest Wednesday, 4 Oct 1989 Volume 2 : Issue 212
-
- VIRUS-L is a moderated, digested mail forum for discussing computer
- virus issues; comp.virus is a non-digested Usenet counterpart.
- Discussions are not limited to any one hardware/software platform -
- diversity is welcomed. Contributions should be relevant, concise,
- polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
- LEHIIBM1.BITNET for BITNET folks). Information on accessing
- anti-virus, document, and back-issue archives is distributed
- periodically on the list. Administrative mail (comments, suggestions,
- and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- - Ken van Wyk
-
- Today's Topics:
-
- Virus Commentary
- Re: Virus Commentary
- The invincible virus (Ghost virus) (Atari ST)
- Information wanted
- Re: New virus? (Mac)
- nVIR B Details (Mac)
- Submission for comp-virus
- New Mac Virus - Further Diagnostic Help
- Where to Get Mac Anti-Virals
- datacrime II antidote (PC)
- OGRE virus in Arizona (PC)
-
- ---------------------------------------------------------------------------
-
- Date: Sun, 24 Sep 89 15:12:00 -0600
- From: Frank Starr <55srwlgs@sacemnet.af.mil>
- Subject: Virus Commentary
-
- Sabotaged Program Reactions - An Editorial Review
- by Frank Starr
-
- The continuing threat of virus and Trojan Horse programs - which
- I prefer to call sabotaged programs - has begun to spark some reaction
- from the upper levels of the Department of Defense. Concurrent with
- the discovery of the so-called "Columbus Day Time Bomb", previously
- known as the Datacrime Virus, has come a series of directives which
- may serve to eliminate the use of all forms of shareware by D.O.D.
- personnel on D.O.D. microcomputers.
- Air Force users first received word of the Columbus virus from a
- message published by the USAF Office of Special Investigation,
- republished and mass mailed through MILNET/DDN, the D.O.D. e-mail
- system. Two suspected sources have been listed - a European extremist
- group in the spiritual sway of Baader-Meinhof, and a Norwegian group
- displeased with celebrations honoring Columbus, while ignoring Norse
- discoveries preceding those of European explorers.
- Later communiques identified the virus as the Datacrime variety,
- capable of trashing the FAT area of a hard drive. From the first
- message to all others received to date, a prevailing directive has
- been to cease using all software downloaded from private bulletin
- boards. Various interpretations have gone so far as to conclude that
- only vendor supplied software should be used, to the absolute
- exclusion of everything else, whether shareware available for purchase
- after an initial test period, or freeware for which no fee or donation
- is ever asked.
- All of this confusion promises to cause a lot of D.O.D. micro
- users to cut themselves off from anything except commercial software,
- purchased through government contracting channels. This in spite of
- the fact that there have even been reports about commercial software
- occasionally being sabotaged by temporary employees (as reported in an
- issue of Government Computer News about a year ago. Sorry, specific
- issue forgotten). There are a number of micro bulletin boards in
- D.O.D., some of which offer shareware software for evaluation to
- potential customers. Some of the SYSOPs of these systems foresee a call
- to close down operations, based on reactions to sabotaged software
- threats, and rough drafts of official regulations to control software
- on D.O.D. micros (see the September/October C2MUG bulletin, page 5).
- Although there are some advisories for users to back up all
- software on D.O.D. micros, more attention seems to be going towards
- the elimination of all non-contract software on D.O.D. micros. Since
- sabotaged programs are more often reported in connection with
- software downloaded from public RBBS systems, this game plan can be
- understood, if not readily supported. However, with micro user
- education still a lower priority object in many areas, and software
- backup not a widespread practice, it seems that, especially with
- funding cuts a now and future reality, more attention would better be
- given to how to defend against sabotaged programs, and perhaps the
- avoidance of all forms of shareware could be reevaluated.
-
- Frank Starr
-
- ------------------------------
-
- Date: Sun, 24 Sep 89 18:03:00 -0600
- From: "Frank J. Wancho" <WANCHO@WSMR-SIMTEL20.ARMY.MIL>
- Subject: Re: Virus Commentary
-
- Frank,
-
- I just read and reread your editorial. I fear that possibly many
- people will misread it, overlooking certain key words and phrases,
- such as "may" in "may serve to eliminate," "various interpretations,"
- "foresee," "seems" in "more attention seems to be," etc.
-
- The actual point of your editorial, with which I agree, is in your
- last sentence, which should have been a paragraph by itself (starting
- with the word "However," and broken into several sentences):
-
- Micro user education is still a low priority activity in many
- areas, and software backup not a widespread practice. With
- funding cuts a now and future reality, more attention should be
- given to defending against sabotaged programs. Then, perhaps, the
- trend toward avoiding all forms of shareware could be reevaluated.
-
- - --Frank
-
- ------------------------------
-
- Date: 03 Oct 89 14:17:35 +0000
- From: erwinh@solist.htsa.aha.nl (Erwin d'Hont)
- Subject: The invincible virus (Ghost virus) (Atari ST)
-
- First I would like to make my excuses for not giving enough information
- in my last (and first in my career) message to Usenet.
-
- I asked for some information about the Ghost Virus on the Atari ST, but I
- forgot to mention the computer system and the kind of information I
- requested. Well, here goes, all or nothing:
-
- For a few months I have been bugged by a virus that inverts the
- mouse pointer. So after I figured that it could be a virus, I pulled
- out my trusty virus killer (VDU - Virus Destruction Utility V1.4) and
- became aware of this "Ghost Virus". After wiping the virus from all
- my disks I thought I would be safe, but none could be more true. This
- virus returned every time.
-
- Maybe it is a link virus that somehow manages to copy itself into the
- boot sector so that it can begin its foul work again. But VDU
- doesn't recognize any link virus on any of my disks, so my question to
- all of you is:
-
- Is there some way to get rid of this virus without formatting all my
- disks?
-
- Erwin
-
- WARNING : Never crunch a file or disk without checking it !!!!!!!!!!!!!!
-
- ------------------------------
-
- Date: 04 Oct 89 02:50:40 +0000
- From: cvl!cvl!umabco!bgoldfar@uunet.UU.NET (Bruce Goldfarb)
- Subject: Information wanted
-
- I am looking for addresses (phone numbers ideal) for the Computer Virus
- Industry Association and the National Bulletin Board Society. Any and
- all help is deeply appreciated.
-
- Bruce Goldfarb
- umabco!bgoldfar@cvl.umd.edu (or)
- cvl!umabco!bgoldfar
-
- ------------------------------
-
- Date: Mon, 02 Oct 89 16:05:35 -0400
- From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
- Subject: Re: New virus? (Mac)
-
- >Subject: New virus? (Mac)
-
- I'm afraid so...
-
- >We here at the University of Rochester may have discovered a new
- >virus, or a variation on a theme. What it does is infect Macwrite ...
- (sundry details omitted)
- > ... Disinfectant 1.1 doesn't work, so please email me the
- >latest version of disinfectant to try...
-
- I'm afraid it won't help. You should send some mail to John Norstad
- *immediately* and let him know about it. He may request a copy of your
- infected files. His net address is in the Disinfectant documentation.
-
- >The virus definitely attacks Macwrite. It adds a str ID 801 and
- >modifies the icon to say Macwite instead of the standard application
- >icon. The application increases in size by 104 bytes, 56 in the
- >string. They are added in sector 014F, according to Fedit Plus 1.0.
-
- Actually, you should check it out with ResEdit and see what resource
- they get added to. Ditto for the System; look for INIT resources.
- There are a few that are supposed to be there, but the virus may add
- new ones.
- (more details omitted)
-
- This sounds very much like a new virus. Have you Vaccine or GateKeeper
- installed? Either should keep infections from spreading, unless the
- virus is doing its own disk I/O at the driver level (very dangerous
- and could lead to screwed-up disks).
-
- Things to try:
- - Write-protect a known-clean version of MacWrite and try running
- it on the infected system.
- - Change another application's signature (type/creator) to MacWrite's
- and see if the virus tries to infect it.
- - Name MacWrite something else and see if it is attacked.
- - Look at the system heap with Macsbug and try to identify all
- of the resources loaded into it. This may help in tracking down
- the infection mechanism.
-
- I'd appreciate hearing further details; post them to me personally
- if you'd like.
-
- --- Joe M.
-
- ------------------------------
-
- Date: Tue, 03 Oct 89 10:16:41 -0400
- From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
- Subject: nVIR B Details (Mac)
-
- <CTDONATH@SUNRISE.BITNET> asks:
- >I recently came across the nVIR B virus on a cluster of Macs. I removed
- >it using Disinfectant 1.5 and it appears to be gone.
- >
- >What problems does nVIR B cause? Does it delete files, do annoying things,
- >or simply spread? Being a semi-public cluster, how much of a concern
- >is its presence?
-
- It does annoying things (beeps or says "Don't Panic"). Since it also grabs
- space in the system heap AND installs a VBL task, it can cause memory
- problems and timing problems, causing printing failures and crashes.
-
- Its presence is always a concern. Think of it as a public health problem.
- Your cluster, if left infected, would be a reservoir of infection and a
- potential source of spread, no matter how much time other clusters spent
- cleaning themselves up.
-
- Get Vaccine or GateKeeper installed on those Macs. Now. You must have
- either not had them installed, or someone has been turning them off. If
- you suspect that someone is deliberately infecting the cluster, you might
- want to set up a virus-scanning station that all disks must be passed
- through before they are used on your cluster. The Disinfectant
- documentation will tell you how to do this.
-
- --- Joe M.
-
- ------------------------------
-
- Date: 04 Oct 89 13:08:50 +0000
- From: kkk@ohdake.uta.fi (Kimmo Kauranen)
- Subject: Submission for comp-virus Where could I get a copy of "Proceedings..."
-
- Hey!
-
- There has been, in some articles, a mention of the book "Stephen J.
- Ross (ed.) Computer Viruses - Proceedings of an Invitational
- Symposium, Oct 10-11, 1988. New York: Deloitte, Haskins & Sells,
- 1989."
-
- I'd like to get it, but where could I order it?
-
- Thanks beforehand
- Kimmo Kauranen
-
- ------------------------------
-
- Date: Wed, 04 Oct 89 09:51:17 -0400
- From: Joe McMahon <XRJDM%SCFVM.BITNET@VMA.CC.CMU.EDU>
- Subject: New Mac Virus - Further Diagnostic Help
-
- Try using GateKeeper and shutting down ALL accesses to files. See if
- that will show you what's being copied into the files. It should be
- in the GateKeeper Log.
-
- --- Joe M.
-
- ------------------------------
-
- Date: Wed, 04 Oct 89 09:46:05 -0400
- From: Joe McMahon <XRJDM@SCFVM.BITNET>
- Subject: Where to Get Mac Anti-Virals
-
- CTDONATH@SUNRISE.BITNET asks:
-
- ...where can we get the most recent versions {of anti-viral software} ?
-
- On BITNet, the LISTSERV at our node (SCFVM) has a virus-removal package
- consisting of Disinfectant, Virus Rx, Vaccine, GateKeeper, and some
- other files. You can subscribe to this package and receive updates
- automatically by obtaining a LISTSERV password and AFD ADDing the
- package.
-
- On Internet, sumex-aim.stanford.edu has anti-virals in the
- /info-mac/virus directory. apple.apple.com in the pub/dts/mac/tools
- directory has the newest version of Virus Rx.
-
- Hope this helps.
-
- --- Joe M.
-
- ------------------------------
-
- Date: 04 Oct 89 18:14:00 +0700
- From: NOAM@SARA.NL
- Subject: datacrime II antidote (PC)
-
- On or after the 12th of October, an undetermined number of computer
- 'viruses' are scheduled to start erasing the data of their
- unsuspecting hosts. One virus in particular, known as 'DATACRIME II',
- is an especially nasty specimen, as it not only spreads very rapidly,
- but also formats the hard disk of any computer it infests, permanently
- destroying all of the contents.
-
- DATACRIME was first detected in the Netherlands, and the leading
- computer publication of that country, PERSONAL COMPUTER MAGAZINE,
- commissioned computer expert Rikki Cate to write an 'antidote' program
- for its readers. Cate, an American who lives in the Netherlands, is a
- programmer specialized in this kind of work.
-
- Cate's Cure was an overnight sensation. Featured on radio, television
- and in Holland's leading newspapers, thousands of copies were
- distributed within the first few days and it has already inspired a
- number of hastily composed imitations. Even the Dutch police have
- begun distributing a version of their own. Cate's Cure, however,
- claims superiority to all of these. It is much faster, it actually
- removes the virus, it repairs damaged programs, it automatically
- searches all the directories on the hard disk, and it provides
- permanent protection against formatting of the hard disk or new
- infections by the virus. None of the other programs released have any
- of these features. This is believed to have been confirmed in an
- independent test carried out by the Dutch Railways.
-
- In view of the huge demand and the clear anxiety indicated by that,
- Cate has decided, with the approval of PCM, to make the antidote more
- widely available at a cost of $10 per disk. Additional information
- can be obtained from her directly by calling 31-20-981963 in
- Amsterdam. Fax: 31-20-763706, telex 12969 neabs nl, Fido 2:280/2,
- electronic mail 31-20-717666, all marked to her attention.
-
- [Ed. Any chance of getting a copy of Cate's Cure on this side of The
- Pond, for electronic distribution?]
-
- ------------------------------
-
- Date: Wed, 04 Oct 89 10:18:00 -0700
- From: <WIER@NAUVAX.BITNET>
- Subject: OGRE virus in Arizona (PC)
-
- Original_From: Paul Balyoz
-
- A new, extremely nasty virus has been discovered on some IBM PCs in
- the state of Arizona. This virus, known as OGRE, has been found on
- some disks in Flagstaff and nearby areas. This is the first
- recognition of said virus that has come to my attention. This memo
- gives a description of the virus and possible ways of recognizing and
- removing it.
-
- DESCRIPTION
-
- The OGRE virus tries to infect any disks it sees that haven't yet been
- infected with itself. It counts the number of disks it has infected
- as it goes along. It does no harm until after it has infected a
- certain number of disks. After that point it will display a message
- on the screen at boot time identifying itself as the COMPUTER OGRE
- dated April 1, and telling you to leave your machine alone as it
- begins "stomping" blocks on the disk randomly, by writing blocks full
- of one character all over the disk. This holds true for both floppy
- disks and hard disks. The damage done in this manner is virtually
- irreparable. Once this happens the hard disk usually needs to be
- reformatted (which effectively erases everything on the disk). If
- backup copies of the files from that disk were made, it can be
- restored back onto the reformatted disk, and all is well again (until
- the next time).
-
- If you see this message appear on your screen, ignore the warning and
- TURN YOUR COMPUTER OFF IMMEDIATELY! The quicker you turn it off, the
- less damage it will have done. The first blocks it destroys are the
- boot blocks and file and directory information; files go after that.
- If stopped in time, the files on the disk may be retrieved using
- various disk utility programs.
-
- TECHNICAL DETAILS
-
- The OGRE virus spreads by writing copies of itself onto 3 unused
- blocks on the disk. It then marks those blocks as being "bad," so
- that normal disk usage won't ever choose those blocks for storing
- ordinary data. Thus the virus can stay on the disk without being
- bothered. The important step is when it modifies the boot blocks of
- the disk so that next time the disk is booted, the special code on
- those three blocks is executed, and the virus can try to infect new
- disks. Thus, every time the disk is booted thereafter, the OGRE code
- is executed, and can do what it has been programmed to do.
-
- Because the OGRE virus operates at such a "low level," none of the
- existing virus detection/elimination programs currently in existence
- for the IBM PC will work. Note that OGRE doesn't create or modify any
- of the files on the disk at the time of infection, nor does it affect
- the FAT in any way. Thus it is virtually undetectable by present
- means, until special programs are developed to detect and remove it.
-
- RECOGNIZING THE VIRUS
-
- If you have a "disk zap" or "sector edit" type of program, you can use
- that to see if the OGRE virus has infected each of your disks. You'll
- want to search the disk for the string "OGRE" (those four upper-case
- ASCII characters) or "COMPUTER OGRE" to be sure. You will know by the
- surrounding text if each occurrence of the string is truly the virus
- or not.
-
- The software package "Norton Utilities" has a program that can do this
- sort of disk-searching function. The most important place to look is
- the boot blocks on the disk. If the string exists in that area, your
- disk is probably infected.
-
- Note: It is possible for normal information on the disk to spell out
- the string "OGRE" just by chance. As I understand it, that string
- being found in the boot-blocks nearly guarantees infection. The text
- before and after the string must be viewed to be sure. There is a
- date of April 1, and a copyright notice, as well as the English text
- that it can display. You will know from the context whether your disk
- is infected or not.
-
- CLEANING AN INFECTED DISK
-
- File copying will "clean" an infected disk.
-
- Because OGRE doesn't affect any files, per se, a good method for
- cleaning up an infected disk that hasn't been "stomped on" yet would
- be to copy all of the files off that disk onto a freshly formatted
- one. Of course you'll want to be sure that the virus isn't running
- while you do this, or it will quickly infect the new disk as well!
- Boot your computer from an original system disk that was distributed
- with your computer. Make sure it is write-protected before booting.
- If this disk has never been un-write-protected, then it can't ever
- have been infected. Then go ahead and format the new disk, and copy
- your files to it.
-
- The infected disk you just copied all the files off of can now be
- formatted to clean it up, and files copied back onto it again.
-
- FUTURE VIRUS DETECTION IDEA
-
- Checksum the boot blocks.
-
- A program should be written to run a set of checksums on the boot
- blocks of your disk, and remember the number somewhere. When run
- thereafter it can recompute the checksum and compare it to the one
- recorded previously. If the two checksums do not match exactly then
- the boot blocks have been modified, which is not a normal thing to
- have happen. The program can then notify the user that,
-
- "The boot blocks on this disk have changed; you may have a virus."
-
- If this program were written and launched from the AUTOEXEC.BAT file
- on all bootable disks, then the user would know immediately if they
- were infected. Of course, the OGRE virus would have already been
- executed once by then, since the disk was booted before the
- AUTOEXEC.BAT file was read, so it may have infected another disk; but
- it won't have gone on the rampage yet. The user would thus have
- pre-knowledge of the infection, and can combat it before any damage is
- done.
-
- DISCLAIMER
-
- I have not personally seen the virus nor any disks damaged by it.
-
- SOURCE INFORMATION
-
- This new virus was discovered by members of the staff at Computer
- Solutions here in Flagstaff Arizona. They are working on
- disassembling the virus and will hopefully come up with a virus
- removal procedure or program. The current theory is that it
- originated somewhere in the Phoenix area, but nothing is sure yet.
- Computer Solutions is trying to contact as many people as they can to
- warn them about this new problem. You are encouraged to make copies
- of this memo in any form and distribute them to anyone who might need
- to know this information.
-
- You can contact Computer Solutions at 602-774-1272 during the day.
-
- submitted by:
- *usual disclaimers*
- ---------------------------------------------------------------------
- - Bob Wier Northern Arizona University
- Ouray, Colorado & Flagstaff, Arizona
- ...arizona!naucse!rrw | BITNET: WIER@NAUVAX | WB5KXH
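The two detection ideas in the memo above (searching the boot blocks for the "OGRE" / "COMPUTER OGRE" string with enough context to judge the hit, and recording a checksum of the boot blocks so that a later change can be flagged) can be combined into one small checker. The following is an added example written for this digest; it is not the memo's program, nor Computer Solutions' or Norton's code, and it works on a raw disk image in memory rather than on a live drive. Its assumptions are labelled in the code: 512-byte sectors, the first sector standing in for the "boot blocks", SHA-256 standing in for the memo's unspecified checksum, and two constructed sample images, one clean and one carrying only the marker text the memo describes (no virus code).

```python
"""Boot-block checksum and signature scan over a raw disk image.

Added example, not part of the VIRUS-L post or of any tool it names. It
implements the memo's "checksum the boot blocks" idea and its "search the
boot blocks for the string" check. Assumptions: 512-byte sectors, the first
sector counts as the boot blocks, SHA-256 stands in for the unspecified
checksum, and the two sample images are constructed here.
"""
import hashlib

SECTOR_SIZE = 512                 # assumed sector size
BOOT_SECTORS = 1                  # assumed extent of the "boot blocks" region
NEEDLE = b"OGRE"                  # short string from the memo
STRONG_NEEDLE = b"COMPUTER OGRE"  # the longer, more specific string
WARNING = "The boot blocks on this disk have changed; you may have a virus."


def boot_blocks(image: bytes) -> bytes:
    """Leading sectors that a boot-sector infector must modify to get control."""
    return image[: BOOT_SECTORS * SECTOR_SIZE]


def checksum_boot_blocks(image: bytes) -> str:
    """Digest to record once on a known-clean disk (the memo's 'remember the number')."""
    return hashlib.sha256(boot_blocks(image)).hexdigest()


def boot_blocks_unchanged(image: bytes, baseline: str) -> bool:
    """Recompute and compare against the recorded digest, as on each later run."""
    return checksum_boot_blocks(image) == baseline


def find_signatures(image: bytes, context: int = 16) -> list:
    """Every occurrence of the short string, with surrounding bytes so a human
    can judge from context whether it is the virus or ordinary data."""
    hits = []
    start = 0
    while (pos := image.find(NEEDLE, start)) != -1:
        lo, hi = max(0, pos - context), min(len(image), pos + len(NEEDLE) + context)
        prefix_len = len(STRONG_NEEDLE) - len(NEEDLE)
        hits.append({
            "offset": pos,
            "in_boot_blocks": pos < BOOT_SECTORS * SECTOR_SIZE,
            # the longer string ending at this occurrence is far less likely to be chance
            "strong": image[max(0, pos - prefix_len): pos + len(NEEDLE)] == STRONG_NEEDLE,
            "context": bytes(image[lo:hi]),
        })
        start = pos + 1
    return hits


def assess(image: bytes, baseline: str) -> str:
    """Combine both checks into the verdict the memo's program would report."""
    if any(h["in_boot_blocks"] and h["strong"] for h in find_signatures(image)):
        return "probably infected"
    if not boot_blocks_unchanged(image, baseline):
        return WARNING
    return "clean"


def make_image(boot_text: bytes, data_text: bytes, sectors: int = 8) -> bytes:
    """Constructed sample: boot_text at sector 0, data_text in sector 4, zeros elsewhere."""
    img = bytearray(sectors * SECTOR_SIZE)
    img[0:len(boot_text)] = boot_text
    data_off = 4 * SECTOR_SIZE
    img[data_off:data_off + len(data_text)] = data_text
    return bytes(img)


# Constructed images. The "infected" one carries only the marker text the
# memo says to look for (name, April 1 date, copyright notice), no code; the
# data sector shows the chance-hit case the memo warns about.
DIARY = b"...the OGRE in the story turned out to be friendly..."
CLEAN_IMAGE = make_image(b"\xeb\x3c\x90MSDOS3.3 boot record", DIARY)
INFECTED_IMAGE = make_image(b"\xeb\x3c\x90COMPUTER OGRE 04/01 (c) leave this machine alone", DIARY)

if __name__ == "__main__":
    baseline = checksum_boot_blocks(CLEAN_IMAGE)   # recorded on a known-clean disk
    for name, img in (("clean", CLEAN_IMAGE), ("suspect", INFECTED_IMAGE)):
        print(f"{name}: {assess(img, baseline)}")
        for h in find_signatures(img):
            print(f"  offset {h['offset']:#06x} boot={h['in_boot_blocks']} "
                  f"strong={h['strong']} {h['context']!r}")
```

Two points of design follow directly from the memo. A bare "OGRE" hit in a data sector is reported but not treated as infection, because normal data can spell the string by chance; only the longer string inside the boot blocks counts as strong. And the checksum check catches any boot-block change, including a variant that has dropped the tell-tale text, which is why the memo proposes it as the more general detector; it only helps if the recorded baseline lives somewhere the infected disk's boot code cannot rewrite, and, as the memo notes, it runs after the boot code has already executed once.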
-
- ------------------------------
-
- End of VIRUS-L Digest
- *********************
- Downloaded From P-80 International Information Systems 304-744-2253
-