VIRUS-L Digest Wednesday, 12 Jul 1989 Volume 2 : Issue 150 Today's Topics: Antique Systems and Vaccine (Mac) Icelandic virus German DOS62 Virus Macintosh system folder looks suspect Comments on SENTRY and VIRUSCAN on protecting Appleshare (Mac - from comp.sys.mac) IEEE code of ethics and computer viruses RE: nVir and Scores on Appletalk [Ed. Sorry about the overwhelming quantity of mail, folks, but I have quite a backlog now that we're back on-line (read: if you think *YOU'VE* got it bad, you should see my inbox!). :-) ] --------------------------------------------------------------------------- Date: Sat, 08 Jul 89 08:19:21 -0400 From: Joe McMahon Subject: Antique Systems and Vaccine (Mac) System 3.2 (which Mac 128K users are probably running) does not support cdev's. To get Vaccine protection, it is necessary to do the following: 1) Copy your startup disk. 2) Boot the disk containing ResEdit, and open the Vaccine file. Copy everything except the BNDL and cdev resources. 3) Open the System file on the copy of the startup disk. 4) Paste. Reboot with the copy of the startup disk. To verify installation, run an infected application, or run the "System Update" program. Either should get violations. The dialogs will not show the file name properly, however. Disclaimer: I didn't have a 128K machine to try this on; I tested it on a Plus running 3.2 and had no trouble. --- Joe M. ------------------------------ Date: Mon, 10 Jul 89 14:52:48 +0000 From: Fridrik Skulason Subject: Icelandic virus Some time ago I reported a new virus, the Icelandic "disk-crunching" virus. I have now finished disassembling it, and a report follows ("Brunnstein"-format) frisk@rhi.hi.is or ...mcvax!hafro!rhi!frisk - ------ Computer Virus Catalog 1.1: "Icelandic" July 8, 1989 -------- Entry...............: "Icelandic disk-crunching virus" Alias(es)...........: One-in-ten, Disk-eating virus Virus Strain........: Virus detected when.: Mid-June '89 where.: Iceland Classification......: .EXE file infecting virus/Extending/Resident Length of Virus.....: 1. 656-671 bytes added to file 2. 2048 bytes in RAM - --------------------- Preconditions ----------------------------------- Operating System(s).: MS-DOS Version/Release.....: 2.0 or higher Computer model(s)...: IBM PC,XT,AT and compatibles - --------------------- Attributes ------------------------------------- Identification......: .EXE Files: Infected files end in 4418 5F19 (hex). System: Byte at 0:37F contains FF (hex) Type of infection...: Extends .EXE files. Adds 656-671 bytes to the end of the file. Length MOD 16 will always be 0. Stays resident in RAM, hooks INT 21 and infects other programs when they are executed via function 4B. It will remove the Read-Only attribute if necessary. .COM files are not infected. Infection Trigger...: Every tenth program run is checked. If it is an uninfected .EXE file it will be infected. Storage media affected: None Interrupts hooked...: INT 21 Damage..............: If the current drive is a hard disk larger than 10M bytes, the virus will select one cluster and mark it as bad in the first copy of the FAT. Diskettes and 10M byte disks are not affected. Damage Trigger......: The damage is done whenever a file is infected. Particularities.....: The virus modifies the MCBs in order to hide from detection. It will not be activated if INT 13 contains something other than 0070:xxxx or F000:xxxx when an infected program is run. Similarities........: None. - --------------------- Agents ------------------------------------------ Countermeasures.....: All programs which check for .EXE file length changes will detect infections. Any virus prevention program that changes INT 13 will prevent the activation of the virus. F-SYSCHK (by the author of this article) will detect the system infection. F-FCHK will identify infected files. Countermeasures successful: See above. Standard means......: Use DEBUG to check the byte at 0:37F. Running any program which stays resident and modifies INT 13 (like PRINT) will prevent the virus from being activated. - --------------------- Acknowledgement --------------------------------- Location............: University of Iceland/Computing Services Classification by...: Fridrik Skulason (frisk@rhi.hi.is) Documentation by....: Fridrik Skulason Date................: July 8, 1989 Information Source..: - --------------------------End of "Icelandic"-Virus--------------------- ------------------------------ Date: Tue, 04 Jul 89 20:12:13 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: German DOS62 Virus The virus reported by Chris Fischer is clearly the DOS62 virus. This virus will replace the firts five bytes of every eighth infected file with the system initialization routine. Clearly, COMMAND.COM was the eighth file infected within his system - hence at power-on the system will continuously cycle through the re-boot sequence. We have had numerous reports of similar synptoms from this virus. Alan Roberts HomeBase/CVIA 408 988 4004 ------------------------------ Date: Wed, 12 Jul 89 11:52:48 -0500 From: Lee Brannon Subject: Macintosh system folder looks suspect Hello, I am a Mac user who has already run across two virus programs on my system, and I now suspect that I may have found a third. Any of you who are using a macinto sh and have come across the following symptons please drop me a line (especiall y if you know the cause): Like the scores virus...My System, Finder, Clipboard and scrapbook icons have changed. Unlike the scores virus...they have changed to better drawings of the mac plus with shaded screens I have run several detection programs which do not show anything wrong, but it is beginning to get on my nerves. There maybe something other than a virus making the change, but I really would like to know what? Thank you in advance..... CCREBEL at INDST ------------------------------ Date: Mon, 10 Jul 89 21:12:36 -0000 From: A.SIGFUSSON@ABERDEEN.AC.UK Subject: Comments on SENTRY and VIRUSCAN Hi out there, I am new on this list, although I have followed the discussions on the Lancaster Pdsoft archives, and I have two points which I would like to raise. After being hit by the Brain virus I decided to get some protection and after reading both the VIRUS-L and some reviews on protection software I decided to go for SENTRY. It seems to work fine except for the CONFIG.SYS file. The manual claims that sentry would pick up if you added or changed a device driver but it did not when I tried it. Another thing about SENTRY is that the manual does not state clearly enough for the novice PC user that you have to reinstall SENTRY when you add a new .COM, .EXE or .SYS file to your disk. If this is not made clear people who are not aware of this might be led to think they are safe when they are not. I also got a copy of VIRUSCAN which has been discussed here recently. When I tried it on few diskettes I noticed that the program told me that they all had same number of directories and files. On inspection I found that this was not the case. For some reason if you scan few diskettes, one after another, the program always thinks it is reading the first one. Only if you do something like "A:>DIR" after inserting a new diskette for scanning does the program do it properly. I suspect that if the first disk only contains 1 or 2 files the remaining disks will not be scanned properly because I found that my DOS disk, which contains lots of files took a very short time if scanned following a disk with only 2 files on. I wanted to point these two things out because lots of PC users could be given false security by protection programs if their use and function is not properly explained. Best wishes, Arnor Sigfusson ------------------------------ Date: Tue, 11 Jul 89 11:55:13 -0000 From: The Heriot-Watt Info-Server Subject: on protecting Appleshare (Mac - from comp.sys.mac) [Ed. The following is a discussion taken from comp.sys.mac regarding the protection of Appleshare file servers from viruses.] From: mmccann@hubcap.clemson.edu (Mike McCann) Newsgroups: comp.sys.mac Subject: Virus Protection for AppleShare File Servers? Date: 9 Jul 89 07:00:29 GMT Organization: Clemson University, Clemson, SC Lines: 14 How does one protect the AppleShare file server from viruses? Will running Vaccine on it work? Or will the dialog box produced upon detection of a virus hang the server? Also as a new administrator of a small AppleShare network, any other helpful hints will be welcomed. Thanks for the help, Mike McCann (803) 656-3714 Internet = mmccann@hubcap.clemson.edu Poole Computer Center (Box P-21) UUCP = gatech!hubcap!mmccann Clemson University Bitnet = mmccann@clemson.bitnet Clemson, S.C. 29634-2803 DISCLAIMER = I speak only for myself. From: mithomas@bsu-cs.bsu.edu (Michael Thomas Niehaus) Newsgroups: comp.sys.mac Subject: Re: Virus Protection for AppleShare File Servers? Date: 10 Jul 89 05:06:56 GMT Organization: CS Dept, Ball St U, Muncie, IN, USA In article <5956@hubcap.clemson.edu>, mmccann@hubcap.clemson.edu (Mike McCann) writes: > How does one protect the AppleShare file server from viruses? Will > running Vaccine on it work? Or will the dialog box produced upon > detection of a virus hang the server? I debated this with myself before, and came to this conclusion: You do not need to protect an AppleShare File Server from viruses. How can I make such a statement? Well, install the AppleShare software and maybe the Print Server software as well. Use something like Virus Rx and make sure that you did not install a virus (very unlikely if you are using original, locked disks). Now that your software is installed, you are safe because *THAT IS THE ONLY SOFTWARE EVER RUN* from the server. All of the other files on the network are data files. Viruses cannot be spread from these data files. Now, if you were to shut down your server, boot with another disk, and run some of the software that is on that server's disk *ON THE SAME SERVER MACHINE* then you could infect the server. But, I recommend against doing this. The stations on the network that are using the software from the servers are the ones that need to be protected. If one of them put a virus in one of the oft-used applications on the server, it would spread to all of the stations in a matter of days (or less). But since the server never runs this software, it will remain unscathed. > Also as a new administrator of a small AppleShare network, any other > helpful hints will be welcomed. Put your applications in locked folders so that viruses cannot be installed into them. Put Vaccine or something like it on all of the workstation's system disks. Check the workstation disks regularly. > Mike McCann (803) 656-3714 Internet = mmccann@hubcap.clemson.edu > Poole Computer Center (Box P-21) UUCP = gatech!hubcap!mmccann > Clemson University Bitnet = mmccann@clemson.bitnet > Clemson, S.C. 29634-2803 DISCLAIMER = I speak only for myself. - -Michael - -- Michael Niehaus UUCP: !$iuvax,pur-ee*!bsu-cs!mithomas Apple Student Rep ARPA: mithomas@bsu-cs.bsu.edu Ball State University AppleLink: ST0374 (from UUCP: st0374@applelink.apple.com ) From: chris@accuvax.nwu.edu (Chris Krohn) Newsgroups: comp.sys.mac Subject: Re: Virus Protection for AppleShare File Servers? Message-ID: <852@accuvax.nwu.edu> Date: 10 Jul 89 17:14:04 GMT Organization: Northwestern Univ. Evanston, Il. Lines: 84 In article <8148@bsu-cs.bsu.edu> mithomas@bsu-cs.bsu.edu (Michael Thomas Niehaus) writes: ##> How does one protect the AppleShare file server from viruses? Will ##> running Vaccine on it work? Or will the dialog box produced upon ##> detection of a virus hang the server? ## ##I debated this with myself before, and came to this conclusion: You do not ##need to protect an AppleShare File Server from viruses. Having been an AppleShare net administrator for a couple years, and having witnessed several viral infections on various types of server configurations, I must strongly disagree with this statement. ##How can I make such ##a statement? Well, install the AppleShare software and maybe the ##Print Server software as well. Use something like Virus Rx and make sure ##that you did not install a virus (very unlikely if you are using original, ##locked disks). Nevertheless, it can happen. For example, Adobe shipped many copies of it's popular Illustrator program complete with a virus. Even if you did use the orginal, locked disks, you were still vulnerable to infection. ##Now that your software is installed, you are safe because *THAT IS THE ##ONLY SOFTWARE EVER RUN* from the server. Well, the server system *itself* is safe, but (as you point out below) the client workstations are not. ##All of the other files on the ##network are data files. Viruses cannot be spread from these data files. Not true. The Init29 virus, for example, will infect data files as well as applications. ##Now, if you were to shut down your server, boot with another disk, and run ##some of the software that is on that server's disk *ON THE SAME SERVER ##MACHINE* then you could infect the server. But, I recommend against ##doing this. I agree with this. If you do need to do this, (run a disk optimization package or partition utility or something), make sure you have Vaccine installed and turned on for the system disk which you use to boot the machine. ##The stations on the network that are using the software from the servers ##are the ones that need to be protected. If one of them put a virus in one ##of the oft-used applications on the server, it would spread to all of the ##stations in a matter of days (or less). But since the server never runs ##this software, it will remain unscathed. ##Put your applications in locked folders so that viruses cannot be installed ##into them. Put Vaccine or something like it on all of the workstation's ##system disks. Check the workstation disks regularly. ## This is excellent advice. This will not necessarily protect you from spreading viruses off the server, but will do a good job. It is necessary to check the workstation disks regularly, as people often will turn vaccine off, or delete it, or whatever. Additionally, do what you can to ensure your users are educated about viruses, because even if Vaccine is installed, they may not understand what is going on, and may through ignorance allow a virus to spread. Certain software packages will not run in locked folders, however. (E.G. FileMaker II, CricketDraw, WriteNow 1.0) and are therefore always vulnerable. The only real solution is not to allow such software packages to be installed on the file server, but this may not be possible. Because no virus prevention technique is foolproof, you will *always* be in danger of viral infections. Check your server with a virus detection/ removal program like Disinfectant on a regular basis. ##Michael Niehaus UUCP: !$iuvax,pur-ee*!bsu-cs!mithomas ##Apple Student Rep ARPA: mithomas@bsu-cs.bsu.edu ##Ball State University AppleLink: ST0374 (from UUCP: st0374@applelink.apple.com) Chris Krohn Academic Computing and Network Services Northwestern University From: johnroc@ucsco.UCSC.EDU (John Rocchio) Newsgroups: comp.sys.mac Subject: AppleShare and virus Date: 10 Jul 89 18:10:13 GMT Organization: UCSC Computing and Telecommunications Services Lines: 26 Here is some info I retrived from AppleLink: AppleShare Security: How Secure Against Viruses Is It? This article last reviewed: 23 March 1989 Q: How secure is AppleShare from viruses? Users recognize the threat to folders where others have write access and the ability to affect others using applications contained in those folders, but what about the Server Folder itself? Is the running of VACCINE on an AppleShare server indicated? Is there something better? Is it possible to issue low-level I/O calls (PBWrite and lower?) to server volumes (bypassing any AppleShare built-in security) from other Macintosh systems on the network? A: The AppleShare server folder itself is quite secure when the server is running. Is it not accessible by any system call, whether high-level or low-level. A virus would only be able to attack folders and files that it has access to. It is not necessary or recommended to install Vaccine in the Server folder on the AppleShare server. If the server is running at the Finder level, it is just as susceptible to viruses as any system. Copyright 1989 Apple Computer, Inc. disclaimer disclaimer disclaimer disclaimer disclaimer disclaimer disclaimer... ------------------------------ Date: Wed, 12 Jul 89 14:38:26 -0400 From: Mark Paulk Subject: IEEE code of ethics and computer viruses An article in the Computer Society News section of IEEE Computer, July, 1989, pp. 83-84, discusses a draft position paper on software vandalism, specifically computer viruses. I had some comments, which I mailed to the acting chair of the Committee on Public Policy: Ralph J. Preiss 12 Colburn Drive Poughkeepsie, NY 12603 I think the article, and possibly my comments, will be of interest to the VIRUS-L readers. Letter text follows: - - ------- I have just finished reading the article in the July 1989 issue of IEEE Computer on the code of ethics and computer viruses position paper. First, let me compliment your group on their statement. It seems so obvious what the correct ethical position with regard to these issues is, yet I have communicated with all too many "unethical" people where computer viruses and Trojan horses are concerned. I support having the IEEE take a very clear and explicit stand in these matters. I have a minor interest in these matters. Although not of direct professional interest, I just gave a presentation on "Computer Fauna: Viruses, Worms, and Trojan Horses" where I discussed the differences between these entities. I have some qualms about the definitions given in the sidebar. The second sentence in the definition of a "worm" is an overstatement. Although worm programs @i(may) overlay or erase other programs or data, in the original work with worm programs by J.F. Shoch and J.A. Hupp ("The 'Worm' Programs - Early Experience with a Distributed Computation," Communications of the ACM, Vol. 25, No. 3, March, 1982, pp. 172-180) the worm model is "a program or a computation that can move from machine to machine, harnessing resources as needed, and replicating itself when necessary" aka distributed computation, a program which spans machine boundaries. They quote the science fiction writer John Brunner: a worm adds to itself; a phage wipes out (Shockwave Rider). The same problem of assuming malicious behavior holds with viruses. In Cohen's work, he gives an example of a beneficient "compression" virus. Although I agree that for all practical purposes, there are no benign viruses, worm programs hold a great deal of promise as a distributed computing technology. The two different definitions of computer virus are also problematic. Computer virus-A seems to be an attempt to address programs such as the Christmas worm which propagate by the (inadvertent) action of humans. This is NOT a computer virus. Terms which have been used for this class of programs includes "rabbit" and "bacterium," although the emphasis tends to be on denial of service rather than the infection mechanism. I think the Trojan horse definition covers the class of program described adequately. Computer virus-B is a "reasonable" virus definition, although I have some slight qualms about the assumption of malicious instructions as mentioned earler. Good definitions for these classes of programs are rather nebulous at this time, and there are a number of candidates running around. Most notably Fred Cohen and Peter Freeman have supplied readily available definitions, although there are no rigorous ones yet. The discussions on the VIRUS-L (Comp.virus) group, moderated by Ken van Wyk, covers this ground now and again. I might suggest that you solicit some discussion from the group. I will take the liberty of cross-posting this missive to direct attention to the article. All in all, my compliments. Keep up the good work. ------------------------------ Date: Wed, 05 Jul 89 13:05:00 -0400 From: Subject: RE: nVir and Scores on Appletalk ACSAZ@SEMASSU, 5-JUL-1989 To the best of my knowledge and experience, nVir and Scores do not spread over appletalk. At least they didn't spread over ours. Alex Z... . . . ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253