VIRUS-L Digest Wednesday, 30 Jan 1991 Volume 4 : Issue 17
******************************************************************************
Today's Topics:
Re: Text in MLTI Virus (PC)
Query - Disinfectant vs. Virex (Mac)
Problems installing F-PROT 1.14 (PC)
Anti-Viral Utilities (PC)
Virus Guidelines
Update on GAME2 (IBM VM/CMS)
SimWare 3.1 (Mac)
Re: Review of SCAN (PC)
Hungarian text in virus (PC)
Nimbus machines and viruses ? (PC)
Re: Processor-specific viruses and other subjects (PC)
Re: Need OTS Virus package (UNIX)
Re: RSCS Protection (IBM VM/CMS)
Word Perfect and change checkers (PC?)
Updating Disinfectant (Mac)
Re: Problem with F-Prot 1.14 (PC)
Possible bug in FPROT 1.14? (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
---------------------------------------------------------------------------
Date: Mon, 28 Jan 91 09:02:18 -0700
From: DGB@BNOS.BLDRDOC.GOV
Subject: Re: Text in MLTI Virus (PC)
Regarding the discussion about "Eddie," I have always associated the
phrase,
"Eddie die somewhere in time"
along with the action of randomly picking a location to kill with the
book Slaughterhouse 5 by Kurt Vonnegut Jr, where the hero has become
unstuck in time.
Am I alone?
Regards,
Dave Beausang
Bell: (303)497-5174
BITNet: DGB@NISTCS2.BITNet
Internet: DGB@BNOS.BLDRDOC.GOV
The opinions expressed herein are not necessarily those of my employer;
and upon further reflection they may no longer be mine.
------------------------------
Date: Mon, 28 Jan 91 15:42:40 +0000
From: Mr Gordon S Byron <gsb1@forth.stirling.ac.uk>
Subject: Query - Disinfectant vs. Virex (Mac)
How do you rate SAM 6 in relation to the two under discussion? Curious,
as we've recently got a site license for it. Want to know if we've
been silly.
*******************************************************************************
Snailmail: Gordon Byron, Arts Computing Advisor,Pathfoot Building,
University of Stirling,FK9 4LA Stirling, Scotland, UK.
Voice: Phone: 0786 73171: Ext 7266 FAX +78651335
*******************************************************************************
------------------------------
Date: Mon, 28 Jan 91 15:52:19 +0700
From: "J.C. Kohler" <csw76@seq1.keele.ac.uk>
Subject: Problems installing F-PROT 1.14 (PC)
I encountered a small problem while I was installing F-PROT 1.14.
When I tried F-XLOCK *.* in my WordPerfect directory, it couldn't lock
a number of files; one of them was wp.exe. Since this is the most used
file of WordPerfect, it is important that it is kept locked. The error
message from F-XLOCK looks something like 'unable to lock wp.exe,
invalid header'.
I'm using WordPerfect 5.1, Dutch version. Does anybody have an idea how to solve
this problem?
Thanks in advance
Christian
- --
[J.] Christian Kohler
Keele university, United Kingdom
JANET : csw76@uk.ac.keele.seq1
INTERNET : csw76%keele.ac.uk@nsfnet-relay.ac.uk
BITNET : csw76%keele.ac.uk@ukacrl
UUCP : ..!ukc!keele!csw76
------------------------------
Date: 28 January, 1991
From: Padgett Peterson <padgett@tccslr.dnet@uvs1.orl.mmc.com>
Subject: Anti-Viral Utilities (PC)
For some time I have been debating whether or not to mention a
possibility concerning the spread of Partition Table/Boot Sector
infections lest anyone get ideas. Watching the postings lately leads
me to think that possibly it has already happened.
In short, it would be trivial to write a trojan or virus that
would place a P-Table or BSI on a machine. At the moment, I suspect that
in the interest of speed, signature scanning routines only look for these
infections in memory and in the partition table and boot sector and not
inside executables.
For this reason, I would suggest that people experiencing multiple
unexplainable infections utilize Mr. McAfee's new extension to SCAN and
check all executables for a random code sequence taken from such an infection.
As some of you know, I have been experimenting with anti-viral
routines implanted in the partition table of the fixed disk and have
become convinced that effective protection against malicious software
MUST include such programs. So far the technique has proven equally
effective against both "stealth" and non-"stealth" software.
Used in conjunction with any number of authentication programs
specific to the operating system (it is effective with MS-DOS, and should
be equally effective on an OS/2 or unix platform with an IBM-type
BIOS) it can detect (only hardware can block) infections carried on
the boot sector of a floppy immediately (before DOS loads), can block
any later attempt at infection of the partition table or boot sector,
and can provide an authenticatable path to the disk for other routines
loaded later.
Interestingly, the technique started out as a password
protection scheme to protect fixed disks from intrusion. The full
capability just fell out in testing.
Padgett
------------------------------
Date: Mon, 28 Jan 91 11:51:57 -0700
From: rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
Subject: Virus Guidelines
Below are some draft virus guidelines we're chewing over at our site
(the University of Wyoming). So far we've been real lucky and not had
a real problem with viruses; lately though things have been picking up. As
this list is very specific to our site, I'll stick explanatory notes
after some items. I'm posting this for the benefit of those in
similar circumstances or to elicit comment from those who've already
been around the track a few times, as it were. (I use "should be" and
"will be" below to distinguish between things that WILL be done no
matter what and things that should be done [but might not, matter is
still open to debate here].)
1. Viral Software
a. Viral scanning/cleaning software will not be used unless the
accompanying documentation has been read by the support person
doing the scan/cleanup.
b. Viral scanning/cleaning software should be kept reasonably up to date.
[As stated, we've had fairly low virus activity, so being up to date with
the latest is not real important - yet.]
c. More than one software product should be used for cross-checking purposes.
d. After removal of a virus, the machine/disk should be re-scanned to
verify removal.
2. Maintenance
[We maintain machines owned by the University as well as those in the
student labs.]
a. All incoming machines should be checked for infection.
b. All returning spares will be checked for infection.
[We supply spares when possible so that the user is able to continue working.]
c. All diagnostic disks will have write protect tabs.
d. If software is being restored to someone's machine (like a backup,
format, and then a restore) the disks should be checked for infection.
3. Installs
[We install software - like PC SAS - on users' machines.]
a. When possible, install disks will have write protect tabs.
b. When write protect tabs can not be used, the install disks will be
checked for infection upon return.
[Some software, like dBase 4 we found, writes to the install floppy during
installation.]
c. User's machine should be checked for infection.
[This would take care of b.]
4. Rentals, Loaners
[We provide rentals and loaners upon occasion.]
All rentals and loaned machines/software (for example, Lap Link) will be
checked for infection upon return.
5. Public access IT machines (Labs, OWA) with hard disks
Machines such as these should be checked periodically for infection.
Ideally, some resident software (preferably a TSR) should be in place
to help detect and prevent infection. The question of requiring users
to check their disks before insertion should be left open for the time
being.
6. User Support
a. User Support staff should periodically check their machines for
infection.
b. Users bringing in disks for aid should have said disks checked; barring
that the machine used to help them should be checked when done.
[People often bring in disks that are hammered or the software is not working
right for some reason (bad Word Perfect printer files, for example.)]
Richard Travsky Bitnet: RTRAVSKY @ UWYO
Division of Information Technology Internet: RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming (307) 766 - 3663 / 3668
------------------------------
Date: Mon, 28 Jan 91 11:21:00 -0800
From: "R N Hathhorn, VM Systems Support" <SYSMAINT@PCCVM.BITNET>
Subject: Update on GAME2 (IBM VM/CMS)
Activity on this worm has slowed down, but a report from TREARN
indicates that it is still alive, at least on that node and probably
others. I have updated the file GAME2 COMMENTS on LISTSERV@PCCVM with
the latest information available.
I am still in need of a 'dis-assembler' program for further
investigation of this and other viri/worms. Your assistance is
requested.
Russell N. Hathhorn, VM Systems Support
Portland Community College
Computer Services Department, CC B27c
P. O. Box 19000
12000 S. W. 49th Avenue
Portland, Oregon 97219-0990
BITNET: SYSMAINT@PCCVM
COMPU$ERVE: 76636,1036
Voice: (503) 244-6111 x 4705
FAX: (503) 452-4947
------------------------------
Date: Mon, 28 Jan 91 16:52:31 -0600
From: THE GAR <GLWARNER@SAMFORD.BITNET>
Subject: SimWare 3.1 (Mac)
I just ran SAM on my Mac, because someone was using it over the
weekend, and I don't know what they did. I was told that my desktop
was infected with WDEF. This bothered me, so I contacted the person
who had been using it.
They said that they had only used my hard drive to type a memo in MS
WORD and print it, and they had then deleted the file.
So I started checking all the disks that I have received from
"unknown" sources this month (a SAM scan on Jan 5 had been clean).
I of course suspected disks first where someone had said "Hey, here's
some cool game/sound/graphic". All of them were clean. I then began
to check "legitimate" software. White Knight's new ScreenShare, and
MacKeymeleon II, both of which I received unsolicited, were clean,
BUT . . . SIMWARE's "SimMac 3.1 Application Disk" (Master Program),
which I received on or about Jan 11 was infected! SAM reports that it
was last altered on 12/21/90 at 12:55 PM. This INFURIATES me, as I
had up until today always trusted the programs that come straight from
the manufacturer sealed in the "Read Carefully BEFORE Opening" license
envelope!
Just thought someone out there might want to know.
Later,
Gary Warner
Systems Programmer
Samford University Computer Services
II TIMOTHY 2:15
------------------------------
Date: 28 Jan 91 23:38:30 +0000
From: gt1546c@prism.gatech.edu (Gatliff, William A.)
Subject: Re: Review of SCAN (PC)
Pardon my input into something I know very little about, but I
have a question/comment:
I have observed that, according to a lot of the posts in this
newsgroup, many of these viri infect the boot sector of a disk.
To help combat this, what would be the possibility of 'deliberately'
infecting one's boot sector with a piece of code that would display
some kind of 'ok' message if it hadn't been tampered with?
For example, as the computer goes to boot, it loads the boot sector
and prints something like 'All is ok as of ...<maybe insert a date
here.> as instructed by the program that lies there (the one I *put*
there.) Ok. Now, if the user doesn't see that message when he boots,
he can suspect that all is not ok. Maybe this piece of code would run
some kind of check on itself to be sure it hadn't been relocated or
something...
This is just a brief flash of insight I had, I'm *not* a programmer
or anything. Would this be a helpful tool in the war against viruses?
I would like to add that even within the very short amount of time I have
spent reading this newsgroup I have been impressed with the amount
that you guys seem to know about these animals. It makes me feel
good that there are a number of obviously very capable dudes/dude-etts
working on the side of those who need protection from these creatures.
b.g.
------------------------------
Date: Tue, 29 Jan 91 12:43:04 +0000
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
Subject: Hungarian text in virus (PC)
This text in the POLIMER PC virus: "A le'jobb kazetta a POLIMER kaz!" is
Hungarian for "The best case/cassette is the POLIMER case/cassette! This is
mixed/chemical!".
{A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Tue, 29 Jan 91 12:38:20 GMT
------------------------------
Date: Tue, 29 Jan 91 12:42:09 +0000
From: Aidan Saunders <A.C.G.Saunders@newcastle.ac.uk>
Subject: Nimbus machines and viruses ? (PC)
Hi there!
A friend of mine is responsible for a network of RM Nimbus machines.
So far they have not had any problems with viruses (at least, not that
they know about!) These machines behave largely as PCs (so I'm told)
but for some applications need to use an IBM-emulator. So, a couple
of questions:
1) Are Nimbus machines susceptible to 'normal' PC viruses?
2) Are there any viruses specific to Nimbuses?
If anyone has any experience of viruses and Nimbuses (or should that
be virii and Nimbii :-) ), I would be most interested to hear from
you.
Thanks,
Aidan
- ----------------------------------------------
ARPA :: a.c.g.saunders@newcastle.ac.uk
UUCP :: ...!ukc!newcastle.ac.uk!a.c.g.saunders
- ----------------------------------------------
------------------------------
Date: 29 Jan 91 17:10:51 +0000
From: tbeke@phoenix.princeton.edu (Tibor Beke)
Subject: Re: Processor-specific viruses and other subjects (PC)
KLUB@MARISTB (Richard Budd) writes:
>frisk@rhi.hi.is (Fridrik Skulason)writes in VIRUS-L V4 #13:
>>From the POLIMER comes this text - is this Polish ? And what does it
>>mean ?
>
>> A le'jobb kazetta a POLIMER kazetta ! Vegye ezt !
>
>The last sentence looks like Magyar (Hungarian). I've had some
It is Hungarian, indeed, and reads:
POLIMER brand cassettes are simply the best! Go for them!
Incidentally, this brand is by far the worst anybody, even in the East
Bloc, could have conjured up.
Tibor Beke (Beke Tibor, for you Hungarians)
a Hungarian citizen who miraculously got full undergraduate
scholarship
-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:
There is something fascinating about science. One gets such wholesome
returns of conjecture out of such a trifling investment of fact.
Mark Twain
Disclaimer: one thing i can trust is my absentmindedne
------------------------------
Date: 29 Jan 91 19:59:12 +0000
From: bryden@chopin.udel.edu (Chris Bryden)
Subject: Re: Need OTS Virus package (UNIX)
limes@Eng.Sun.COM (Greg Limes) writes:
}ssdc!jbasara@uunet.UU.NET (jim basara) writes:
}|> I would like to request recommendations for off-the-shelf packages
}|> which will prevent/isolate/monitor/etc. viruses on a Sun workstation
}|> under unix.
}
}Occasionally, I see people asking about such things on this list and
}elsewhere, and I am underwhelmed by the amount of information that
}therefore appears on the net.
}
}Has anyone ever actually SEEN a "virus" on a UNIX box? And, don't tell
}me about worms, that's a different matter ... I am specifically looking
}for information about programs that propagate by modifying other
}programs.
You bet. _Abacus_ had a fairly lengthy series of articles on Unix-
style viruses. The author of the article wrote a fairly simple virus
and advertised the existence of desirable programs he had sitting
around. Within a week, the virus had spread to the farthest reaches
of the disk on an experimental machine.
}My background as an operating systems programmer at Sun leads me to
}believe that such virii would be more difficult and less rewarding for
}Joe Virus-Writer to create, and easier to protect against using
}mechanisms available in the system, but it might be nice if I could
}have some backing information that I could give when people ask me
}about such things ...
I'm surprised. Does the word "crt0" mean anything to you? Break a
fairly mundane security hole, learn some assembly, and wait for the
next big rebuild. Complicated by the fact that most sites with a
source license get their updates in the form of source code, we're
talking about a major hole in Unix. In fact, if you don't know when
the bug was introduced, you may have to go back several operating
system revisions to get back to "normal".
And, hey, I'm not even going to start talking about packet scanners on
a network that has NFS traffic. At some point, the distinction
between virus, worm and trojan horse breaks down. Has anybody seen a
formal specification that delineates the difference between each?
Ever wonder why?
I saw a Unix virus long before I ever saw a PC virus.
Chris
- --
{gateway}!udel!brahms!bryden | I am a direct result of the policies and actions
bryden@udel.edu 302-451-6339 | that are endorsed by the University of Delaware.
------------------------------
Date: Tue, 29 Jan 91 16:06:31 -0600
From: Jon Eidson <EIDSON@TCUBVM.BITNET>
Subject: Re: RSCS Protection (IBM VM/CMS)
I wrote such an exec just the other day when the CMS worm was
announced. It lists out all rdr files with a file type
of "EXEC" or "MODULE", and I run it periodically.
Fortunately, the only occurrence of the "GAME2" worm came to one of
our VAX/VMS users ... of course it couldn't go any further.
I'll be happy to post the REXX programs if anyone desires.
Jon Eidson
Senior Systems Programmer
Texas Christian University
------------------------------
Date: Tue, 29 Jan 91 12:11:36 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Word Perfect and change checkers (PC?)
csw76@seq1.keele.ac.uk (J.C. Kohler) writes:
> I'm using a Dutch version of WP 5.1, does anybody have an idea why
> F-XLOCK can't lock them, it displays an error message, which contains
> something about an illegal header.
All versions of Word Perfect (at least since 4.2) have had a self
testing module on them. Neither F-XLOCK nor SCAN /AV nor any other
self checker that adds code to the program can be used on it, since
the added code invalidates the internal self test.
------------------------------
Date: Wed, 30 Jan 91 01:54:41 -0500
From: Eric Weisberg <WEISBERG@SUVM.BITNET>
Subject: Updating Disinfectant (Mac)
To Whom It May Concern,
I was given this address by someone at Syracuse University. I am interested
in getting information about the Virus Package Update Server. I guess that's
what it's called? Anyways, I am in charge of keeping quite a few Macintoshes
virus free, and I would like to always have the latest version of Disinfectant.
The SU Computing Services is still passing out version 2.0 and when I last got
a copy from a friend it was 2.4. -- That's why I have gone in search of a
better source.
If you could tell me where I can always download the latest version or pay to
get it in the mail I would be most thankful. If this is not the place to get
this information could you please help direct me to the person or people who
can give it to me.
Thanx,
Eric Weisberg
------------------------------
Date: 30 Jan 91 11:55:51 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Problem with F-Prot 1.14 (PC)
csw76@seq1.keele.ac.uk (J.C. Kohler) writes:
>I installed the new version of F-PROT (1.14) today and I encountered a
>small problem. When I tried to do a F-XLOCK *.* in my WordPerfect
>directory, there were many files which it couldn't protect.
This problem is a side-effect of the correction of another problem.
Here is what happened:
The "length" of EXE files can be defined in two ways - the actual (physical)
length of the file, and the length according to the header. Case in point:
Turbo C++ is an 800K file, but according to the header it is only 165K long.
When it is executed, only 165K are loaded into memory, but the program may
later load parts of itself as necessary.
Using F-XLOCK (to add automatic detection of infection of unknown viruses)
involves adding a small module to the end of the file. If Turbo C++ was
F-XLOCKed in this way, it would not run, as the resulting length of the file
was 800K (according to the header), and the file just could not be loaded
into memory.
For this reason, I decided to prevent F-XLOCK from adding the module to EXE
files if the actual length was different from the length according to
the header.
But, in many cases the difference between the two "lengths" is small, and
adding the module has no undesirable effect - I plan to change F-XLOCK a
bit in the next version, and will try to improve this.
- -frisk
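A worked illustration of the two EXE "lengths" frisk describes, added here as an example and not part of the digest or of F-PROT: it reads the MZ header's page-count fields, compares the declared load image with the physical file, and shows why appending a module and rewriting those fields to cover the whole file breaks an EXE that carries overlay data after its image. The minimal MZ sample, the field names and the `append_module` model of the earlier F-XLOCK behaviour are assumptions made for this example.

```python
import struct

PAGE = 512  # the MZ header counts the file in 512-byte pages


def header_length(exe: bytes) -> int:
    """Load-image length as declared by the MZ header.

    e_cblp (offset 2) = bytes used on the last page, e_cp (offset 4) = pages.
    A zero e_cblp means the last page is completely used.
    """
    if len(exe) < 0x1C or exe[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    e_cblp, e_cp = struct.unpack_from("<HH", exe, 2)
    if e_cblp == 0:
        return e_cp * PAGE
    return (e_cp - 1) * PAGE + e_cblp


def overlay_length(exe: bytes) -> int:
    """Bytes past the declared image: parts the program loads itself later."""
    return len(exe) - header_length(exe)


def can_append_module(exe: bytes) -> bool:
    """The F-PROT 1.14 rule frisk describes: only touch an EXE whose physical
    length equals the length according to the header."""
    return overlay_length(exe) == 0


def append_module(exe: bytes, module: bytes) -> bytes:
    """Assumed model of the earlier behaviour: append a module and rewrite
    e_cblp/e_cp so the header covers the whole file. For an EXE with overlay
    data the header then claims the overlay is load image too, which is why
    such a program could no longer be loaded."""
    new = bytearray(exe) + module
    total = len(new)
    struct.pack_into("<HH", new, 2, total % PAGE, (total + PAGE - 1) // PAGE)
    return bytes(new)


def make_sample(image_len: int, overlay_len: int) -> bytes:
    """Constructed sample (not a runnable program): a 32-byte MZ header,
    NOP filler up to image_len, then overlay_len bytes of trailing data."""
    hdr = bytearray(32)
    hdr[:2] = b"MZ"
    struct.pack_into("<HH", hdr, 2, image_len % PAGE, (image_len + PAGE - 1) // PAGE)
    struct.pack_into("<H", hdr, 8, 2)  # e_cparhdr: header is 2 paragraphs
    body = hdr + b"\x90" * (image_len - 32)
    return bytes(body) + b"\xAA" * overlay_len


if __name__ == "__main__":
    plain = make_sample(64, 0)
    with_overlay = make_sample(64, 100)
    print("plain EXE safe to lock:", can_append_module(plain))
    print("overlay EXE safe to lock:", can_append_module(with_overlay),
          "(overlay bytes:", overlay_length(with_overlay), ")")
    broken = append_module(with_overlay, b"\xCC" * 16)
    print("header now claims", header_length(broken), "of", len(broken), "bytes")
```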
------------------------------
Date: Wed, 30 Jan 91 09:31:38 -0500
From: Paul D. Shan <PDS2@PSUVM.PSU.EDU>
Subject: Possible bug in FPROT 1.14? (PC)
I recently obtained a copy of F-PROT 1.14. As timing would have it,
we also had a staff member from another department come in with a
virus on his disk. By checking the file with Norton Utilities and the
VIRUSSUM.DOC file, I knew that it was the Sunday virus. So I ran
F-FCHK against that disk, and sure enough it found the Sunday virus.
I answered YES when it asked if I wanted to disinfect the file, but it
said that it could not disinfect the virus because it looked like a
new strain.
Not liking that answer, I ran McAfee's CLEAN 72 just to see if it
would work. Indeed it did work and the virus was removed.
Has anyone else discovered any problems like this one?
Thank you!
Paul D. Shan
Microcomputer and Personal Workstation Support
Center for Academic Computing
12 Willard Building
University Park, PA 16802
(814) 863-4356
PDS2@PSUVM.psu.edu
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 17]
*****************************************