JAN 1, 1989
The following is a compilation of several messages posted on USENET and BIX
regarding the new IRQ-Virus. The first messages assume it is not too
dangerous, however the comments by Bob Page in the last sequence show that
this is potentially the most lethal virus yet. Read this and LISTEN to the
warnings. This is a VERY dangerous virus because it propagates faster than
any other virus to date, and by a new method. With little modification this
could become an extremely dangerous virus. It already will modify the DIR
command under certain circumstances and WILL crash a machine running
KickStart 1.3 either in ROM or from disk.
I have included in this PAK file the UnHunk program from Fish #26. This
can be used to examine the HUNK structure of any program. In order to use
UnHunk, use this syntax:
    UnHunk filename ram:FOO
This will do 2 things. Since UnHunk is a programmer's tool, it will create a
file useless to most of you called ram:FOO. Delete this. It will also print
to the screen a HUNK structure listing of the program you are checking. If
you UnHunk UnHunk itself, you get this:
    Section  Origin  Size(bytes)
    CODE     0x0     16556 (0x40AC)
    DATA     0x40AC   2560 (0xA00)
    BSS      0x4AAC    812 (0x32C)
    Done
    0 errors encountered
The important information is the size of the CODE and DATA hunks. If the
CODE hunk is about 1.1k and the DATA hunk is the size of the normal version
of the program, then the program is likely infected with the IRQ-Virus and
MUST be replaced with an uninfected version. The program which has been
confirmed to be infected is BlitzFonts, a text speedup program. Old
versions are OK, but several copies which have been infected are already
circulating. CHECK IT BEFORE USING IT!! The basic rules for survival seem
to be:
 1. KEEP YOUR DISKS WRITE PROTECTED!!
 2. TURN OFF YOUR MACHINE FOR 1 MINUTE BEFORE BOOTING PROTECTED SOFTWARE!!
 3. DO NOT MAKE ANY DISK BOOTABLE (by INSTALL-ing it) UNLESS IT'S A
    WORKBENCH!! Data disks which have been INSTALL-ed CAN spread viruses!!
 4. Use the command "LIST >PRT: dirname" to print out listings of ALL the
    C, Systems and Utilities directories of ALL your Workbench disks. I
    KNOW it's going to be inconvenient, but the change in file size is the
    KEY to SURE protection. You MUST know the NORMAL sizes of ALL the
    executable programs you own to know if the virus has modified them!!
    REMEMBER: ANYTHING you can run from the CLI or click from the Workbench
    is a possible carrier of the IRQ-Virus!!
 5. Place a <TAB> before the first command on your Startup-Sequence. This
    is the first command the virus tries to modify. This MUST be done to
    ALL Startup-Sequences on your Workbenches!!
 6. Be cautious of the C:DIR command since the IRQ-Virus will write itself
    to this if it can't get past the <TAB> at the beginning of the
    Startup-Sequence. Perhaps you could rename it?? (WORTH a TRY!!)
 7. Check ALL executable programs you get BEFORE you run them with UnHunk.
 8. Get the LATEST version of VIRUSX (currently 2.1) and run it first in
    your Startup-Sequence (WITH a <TAB> in front of it, of course!).
 9. Be extremely cautious of any graphic demo which doesn't use a "display"
    program to show it. I have seen MANY such demos which have destructive
    IRQ-like "Trojan Horse" programs attached to them. While you're
    watching the neat animation or nude picture, it can plant a virus or
    format disks!!
10. DO NOT GET COMPLACENT BECAUSE YOU HAVE DONE 1 - 9!!! BE CAREFUL!!!!
BEWARE!
Terry Stetler
See Ya in the BitStream :->
P.S. I have included the entire UnHunk.ZOO file in case anyone needs it for
its intended purpose. Later.
Call the CHESS BOARD BBS 1-(313)-255-2456.
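As an added example (not part of this compilation, and not code from UnHunk or VirusX), here is a small Python reader for the AmigaDOS hunk format that lists CODE/DATA/BSS hunks with their origins the way UnHunk does above, and then applies rule 4: it compares a program's hunk layout with a recorded known-good layout and flags an extra CODE hunk of roughly 1.1K sitting in front of the original hunks. It assumes executables containing only CODE/DATA/BSS/END blocks (no resident library names, relocation or symbol blocks); build_hunk_file constructs the test input, and the 900 to 1300 byte window for "about 1.1k" is my assumption.

```python
import struct

# Hunk block identifiers from the AmigaDOS executable ("hunk") format.
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS, HUNK_END = 0x3F3, 0x3E9, 0x3EA, 0x3EB, 0x3F2
NAMES = {HUNK_CODE: "CODE", HUNK_DATA: "DATA", HUNK_BSS: "BSS"}

def build_hunk_file(sections):
    """Constructed test input: [(HUNK_CODE|DATA|BSS, byte_size), ...]; no libs, relocs or symbols."""
    longs = [(size + 3) // 4 for _, size in sections]          # hunk sizes are in longwords
    out = struct.pack(">IIIII", HUNK_HEADER, 0, len(longs), 0, len(longs) - 1)
    out += b"".join(struct.pack(">I", n) for n in longs)        # header size table
    for (kind, _), n in zip(sections, longs):
        out += struct.pack(">II", kind, n)
        if kind != HUNK_BSS:
            out += bytes(n * 4)                                 # CODE/DATA carry their bytes
        out += struct.pack(">I", HUNK_END)
    return out

def list_hunks(blob):
    """Walk the hunks the way UnHunk reports them: [(name, origin, size_bytes), ...]."""
    pos = 4                                                     # past HUNK_HEADER
    while True:                                                 # skip resident library names
        n = struct.unpack_from(">I", blob, pos)[0]; pos += 4
        if n == 0: break
        pos += n * 4
    _table_size, first, last = struct.unpack_from(">III", blob, pos); pos += 12
    count = last - first + 1
    pos += 4 * count                                            # skip header size table
    hunks, origin = [], 0
    for _ in range(count):
        kind, n = struct.unpack_from(">II", blob, pos); pos += 8
        size = (n & 0x3FFFFFFF) * 4                             # top two bits are memory flags
        hunks.append((NAMES[kind], origin, size))
        origin += size
        if kind != HUNK_BSS:
            pos += size
        if struct.unpack_from(">I", blob, pos)[0] != HUNK_END:
            raise ValueError("unsupported block; only CODE/DATA/BSS/END are handled")
        pos += 4
    return hunks

def check_against_baseline(blob, baseline):
    """Rule 4 in practice: diff a program's hunk layout against its recorded known-good one."""
    hunks = list_hunks(blob)
    findings = [] if hunks == baseline else ["hunk layout differs from recorded baseline"]
    lead = hunks[0]                                             # the pattern the thread describes:
    shifted = [(n, o - lead[2], s) for n, o, s in hunks[1:]]    # a ~1.1K CODE hunk in front
    if lead[0] == "CODE" and 900 <= lead[2] <= 1300 and shifted == baseline:
        findings.append("leading ~1.1K CODE hunk precedes the baseline program (IRQ-like)")
    return findings
```

The baseline is exactly the listing rule 4 tells you to keep for every program; a file whose layout is the baseline with one small CODE hunk prepended is the case UnHunk is being used to catch here.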
===========================================================================
New Year's Virus Report
Date: 1 Jan 89 00:08:28 GMT
Reply-To: grr@cbmvax.UUCP (George Robbins)
Organization: Commodore Technology, West Chester, PA
The following Virus report was posted on BIX today. My recollection is that
Steve is English, so perhaps this virus hasn't arrived here. Still, be
warned and take the usual care with suspicious disks...
TITLE: New Virus
While I'm not 100% certain of all the details of what this virus does,
(I got it yesterday), I figure I should post this anyway.
(What I do say here, I'm quite certain of).
I received in the mail a new virus, from 2 different continents on the
same day. This one's NOT just another bootblock virus.
This one affects executable programs. It attaches itself to them.
But not just any executable (thankfully), what it does, is it parses
your startup-sequence looking for the first executable program there.
That's the one it hits.
It doesn't seem to be malicious in any way, though it will crash
your machine under KS 1.3. It intercepts the OpenLibrary() call
(that's how it stays around- whenever OpenLibrary is called,
it again checks the startup sequence (thinking maybe a disk has
changed - it uses ":S/Startup-sequence" so it will go after any
SS on the current disk). It also uses a KickTagPtr, but I'm
not sure what for yet. Seems to take about 10 seconds longer
to boot, though.
Easy way to protect yourself from it: Change your startup sequence on
any disk in any drive, so that the first character before the first
executable filename is a TAB. The virus tries to Open() the whole line,
parses out a few characters, but not the tab. Note that if you use a
pathname as in DH0:C/BLAH, and you put a tab in front, you'll get a
requester for [TAB]DH0:. Just use [TAB]C/BLAH or whatever.
For those out there who have been safe from boot block viruses thus
far, well, this one you can get from a downloaded program. Ick.
I'll be posting a little utility soon to check a program for this
specific virus.
(Also, last thing it does: On its first invocation in a session,
it will set the title bar of the ActiveWindow to its name
(IRQ virus), and since it's running as the first thing in your
startup sequence, it's changing the initial CLI window's title.)
...Steve
George Robbins - now working for,      uucp: {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing     arpa: cbmvax!grr@uunet.uu.net
Commodore, Engineering Department      fone: 215-431-9255 (only by moonlite)
============================================================================
Re: New Year's Virus Report
Date: 1 Jan 89 07:30:17 GMT
Reply-To: grr@cbmvax.UUCP (George Robbins)
Organization: Commodore Technology, West Chester, PA
More info from Steve Tibbett and co. on the New Year's virus this
evening:
From BIX:
==========
One more item on the IRQ virus. If it can't attack your Startup-Sequence
it will home in on C:DIR just to be sure that it gets executed.
This is a benign intruder that can mutate to something real nasty in the
hands of a sicko. We have the start of a real problem here.
Djj
[ which is to say it will modify the dir command if it can't mess
with the startup-sequence... ]
==========
No, (I'm a bit rusty on this hunk stuff) I believe it sticks another code
hunk at the beginning of your program, about 1.1K, and when it's done
its job, it calls your original program.
Note that if the first file in your startup sequence is over 100K
long, it won't infect it. (big help, that... 8-)
I'm thinking of having an option in VirusX (or probably a separate
standalone utility) that would block any CMD_WRITE operation to a
disk device (and something that would just block Write() attempts),
and give the user a requester showing who asked for the Write, and
a Yes/No option. Not much good for general use, but it would
help when checking out unknown programs.
...Steve
George Robbins - now working for,      uucp: {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing     arpa: cbmvax!grr@uunet.uu.net
Commodore, Engineering Department      fone: 215-431-9255 (only by moonlite)
============================================================================
Re: IRQ Virus -it's out!!!
Summary: It's very dangerous. Please send me a copy.
Date: 31 Dec 88 04:58:00 GMT
Reply-To: page@swan.ulowell.edu (Bob Page)
Organization: University of Lowell, Computer Science Dept.
This is one of the two potential methods of virus I was worried about
(and it's the worst of the two).
I guarantee this will spread much faster and wider than any other
Amiga virus. This one is a *real* virus. The only inoculation is to
check _every_ write to _every_ disk on your system, and refuse if the
block looks like a known pattern. The only treatment is to check
every disk looking for the virus and re-write each infected program
to rearrange the hunks. Time consuming and error-prone, and the
next strain will just restart the problem.
The fault with this approach is that you can't easily distribute the
antidote. Since the inoculator program has to contain the virus code
pattern, any time you try to copy the program, you will be stopped
because the inoculator will detect the pattern! And think about it -
if you can write a program such that you can copy the inoculator
program without being detected, anyone can come up with a similar
method to disguise the pattern.
Worse, they could go right to the metal and scribble the bits right on
the disk. You can't stop that on the current Amiga.
There is another alternative, although not pretty, and not 100%
effective. Make sure your disks are always 100% full, so any write
(that extends the file) will fail. The problem is if the virus itself
can fit in a partial block - if your program takes 18.1 blocks it
takes 19 blocks on the disk. If the virus code is only 0.8 blocks,
you can still get infected.
The *only* ways not to get it?
1. Write protect all your disks and don't give them out. :-(
2. Don't use any new software, commercial or public, unless
you have source code and you *know* your compiler is OK.
3. Don't let anyone else use your machine, or your disks.
Once again, we need to know where this is and how it works, if we are
to be successful in fighting it. As a "publisher" of publicly
available code, I feel I have a stake in this. If anyone has a copy
of this, please send it to me and I will write a disk scanner. It's
not the ultimate answer but it's a start. If anyone else has any
more info, please send it or post it if you feel it's worthwhile.
I don't want to push the panic button but I'm not happy about this news.
I just hope the virus doesn't contain any time bombs.
[I'm going on vacation in a few hours but am still very interested and
will be thinking a lot about it while baking in the sun. :-) If you
can't e-mail via Usenet/ARPAnet, you can email to 'page' on BIX or
'zoxso' on people link, or surface mail to Bob Page, PO Box 1773,
Lowell MA 01853, USA.]
..Bob
Bob Page, U of Lowell CS Dept. page@swan.ulowell.edu ulowell!page
============================================================================