VIRUS-L Digest   Thursday, 31 Aug 1989   Volume 2 : Issue 183

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.

- Ken van Wyk

Today's Topics:

Ping-Pong variants (PC)
Virus Report from Brazil
PC virus list; Swap virus; Israeli virus; Disassemblies
CVIA reports new virus at Ohio State (PC)
VirusScan updated for New Ohio Virus (PC)
nVIR A and nVIR B explained (Mac)
VACSINA ... why we called it so (PC)
Virus Collection (Mac)
Virus Collecting (Mac)

---------------------------------------------------------------------------

Date: 28 Aug 89 14:09:10 +0000
From: mcvax!rhi.hi.is!frisk@uunet.uu.net (Fridrik Skulason)
Subject: Ping-Pong variants (PC)

I have now seen three different variants of the ping-pong virus. The only difference is the character that bounces around the screen. The (original ?) version where the character is a dot is the most common one, but a version that uses the "diamond" (character number 4) is also fairly common here. Finally, I have seen a version that displays a "smiley" (character number 2) at one site.

Are the two modified versions known elsewhere in the world or are they just local mutations ?

Fridrik Skulason
University of Iceland
frisk@rhi.hi.is

Guvf yvar vagragvbanyyl yrsg oynax .................
[Ed. ^(the above sentence) Huh? :-) ]

------------------------------

Date: Tue, 29 Aug 89 10:44:26 +0300
From: Geraldo Xexeo
Subject: Virus Report from Brazil

I think that the netland could be interested in a Virus Report from Brazil.
It is important to say that in Brazil there aren't big networks or lots of LANs. Most of the viruses are distributed by disks.

Source: O Globo (nation-wide newspaper), from a research of Modulo Consultants (21/8/89).

Number of micro-computers researched: 550.

Viruses detected : disease
Brain, Israeli   : loss of files
Ping Pong        : a bouncing ball in the video, no harm
sUMsDos          : slows machine, uses memory, no harm detected
Alameda          : harms winchester
Lehigh           : harms any disks (Why Lehigh?)
Madonna          : While Madonna sings in your video, you lose your disk
Cookie           : Shows "Give me a cookie" in the video
Water fall       : fall of characters (translated from Cascata)
Mailson          : inversion of characters in video and printer; named after a Brazilian politician

Number of detections:
Jan: 2   Feb: 4   Mar: 6   Apr: 12   May: 22   Jun: 41   Jul: 66

Evaluation: Most of the viruses are harmful; the names could not be right but are the ones used in Brazil. More than 10% are infected. Exponential growth.

From Brazil,
Geraldo Xexeo

------------------------------

Date: Tue, 29 Aug 89 16:05:44 +0300
From: Y. Radai
Subject: PC virus list; Swap virus; Israeli virus; Disassemblies

For several reasons, one of which is very irregular receipt of VIRUS-L, I've been out of touch with it for several weeks now. So please forgive me if some of the postings referred to below are a few weeks old.

PC Virus List
-------------

Lan Nguyen asks whether a list of PC viruses, incl. date first discovered and source(s), exists. I will soon be submitting to VIRUS-L a considerably updated version of the list I first posted on May 16. Meanwhile, Lan, I'm sending you my list as it currently stands (29 viruses, 70 strains).

The Swap Virus
--------------

Yuval Tal writes:

>I don't think that it is so important how we call the virus. I've
>decided to call it the swap virus because the message "The Swapping-
>Virus...' appears in it! ....... I think that calling it "The
>Dropping Letter Virus" will be just fine.
Well, "The Dropping Letter Virus" would be a poor choice since (as I mentioned in an earlier posting) this also describes the Cascade and Traceback viruses.

Yuval has explained that he originally called it the Swap virus because it writes the following string into bytes B7-E4 of track 39, sector 7 (if sectors 6 and 7 are empty):

    The Swapping-Virus. (C) June, 1989 by the CIA

However, he has not publicly explained how the words SWAP VIRUS FAT12 got into the boot sector of some of the diskettes infected by this virus, so let me fill in the details. As David Chess and John McAfee both pointed out quite correctly, these words are not part of the virus. What happened was that Yuval wrote a volume label SWAP VIRUS onto each infected diskette for identification. Had his system been DOS 3 the label would have been written only into the root directory. But since he was apparently using DOS 4, it was also written into bytes 2Bh-35h of the boot sector. (That still leaves the string FAT12 in bytes 36h-3Ah to be explained. Under DOS 4, the field 36h-3Dh is supposed to be "reserved". Anyone got any comments on that?)

So although I didn't know at the time that the words SWAP VIRUS came from Yuval, it seems that my (and his original) suggestion to call it the Swap virus is still the best choice.

The Israeli/Friday-13/Jerusalem Virus
-------------------------------------

In response to a query from Andrew Berman, David Rehbein gave a quite accurate description of the virus, except for one small point:

>(It will infect and replicate itself in ANY executible, no matter
>the extension..check especially .OVL and .SYS)

To the best of my knowledge, no strain of this virus (or, for that matter, of any other virus that I know of) infects overlay or SYS files.

Andrew Berman writes concerning this virus:

> She thinks
>she's cleaned it out by copying only the source codes to new disks,
>zapping the hard drives, and recompiling everything on the clean hard
>disks.
It's a pity that so many people try to eradicate the virus by such difficult means when (as has been mentioned on this list and elsewhere) there is a file named UNVIR6.ARC on SIMTEL20 (in ) containing a program called UNVIRUS which will easily eradicate this virus and 5-6 others as well, plus a program IMMUNE to prevent further infection.

Disassembling of Viruses
------------------------

In response to a posting by Alan Roberts, David Chess replied:

>I think it's probably a Good Thing if at least two or three people do
>independent disassemblies of each virus, just to make it less likely
>that something subtle will be missed. I know my disassemblies (except
>the ones I've spent lots of time on) always contain sections marked
>with vaguenesses like "Does something subtle with the EXE file header
>here". .... I probably tend to lean towards "the more the merrier"!

I can appreciate David's point. However, I would like to point out that the quality of (commented) disassemblies differs greatly from one person to another. As Joe Hirst of the British Computer Virus Research Centre writes (V2 #174):

>Our aim will be to produce disassemblies which cannot be improved upon.

And this isn't merely an aim. In my opinion, his disassemblies are an order of magnitude better than any others I've seen. He figures out and comments on the purpose of *every* instruction, and vagueness or doubt in his comments is extremely rare.

What I'm suggesting is this: If you have the desire, ability, time and patience to disassemble a virus yourself, then have fun. But unless you're sure it's a brand new virus, you may be wasting your time from the point of view of practical value to the virus-busting community. And even if you are sure that it's a new virus, take into account that there are pros like Joe who can probably do the job much better than you.

So what about David's point that any given disassembler may miss something subtle?
Well, I'm not saying that Joe Hirst should be the *only* person to disassemble viruses. Even he is only human, so there should be one or two other good disassemblers to do the job independently. But no more than 1 or 2; I can't accept David's position of "the more the merrier".

Btw, disassemblers don't always get the full picture. Take, for example, the Merritt-Alameda-Yale virus, of which I have seen three disassemblies. They all mentioned that the POP CS instruction is invalid on 286 machines, yet none of them mentioned the important fact that when such a machine hangs the virus has already installed itself in high RAM and hooked the keyboard interrupt, so that the infection can spread if a warm boot is then performed! That fact seems to have been noticed only by ordinary humans.

Y. Radai
Hebrew Univ. of Jerusalem

------------------------------

Date: Tue, 29 Aug 89 12:49:52 -0700
From: portal!cup.portal.com!garyt@Sun.COM
Subject: CVIA reports new virus at Ohio State (PC)

Forwarded message from John McAfee on the Homebase BBS:

A new boot sector virus has been turned in to the CVIA. The virus was first discovered at Ohio State University by Terry Reeves in May of this year. It is a floppy-only variety. It will infect any new diskette as soon as the diskette is accessed (COPY, DIR, DEL, Program Load, etc.), similar to the Pakistani Brain. The virus will freeze the system if a is pressed and a cold boot is then required. When the virus activates, the first copy of the FAT becomes corrupted. No other symptoms have been reported. More information will be supplied after a detailed analysis.

------------------------------

Date: Tue, 29 Aug 89 21:24:18 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: VirusScan updated for New Ohio Virus (PC)

ViruScan V36 now identifies the new virus found at Ohio State University. The scanner identifies the virus as the 'Ohio Virus'.
This name was discussed with Terry Reeves at Ohio State (the discoverer) and he has assented to its use.

Alan

------------------------------

Date: Wed, 30 Aug 89 14:41:53 -0000
From: LBA002%PRIME-A.TEES-POLY.AC.UK@IBM1.CC.Lehigh.Edu
Subject: nVIR A and nVIR B explained (Mac)

I spotted this in the August issue of Apple2000 (a UK Mac user group magazine). It first appeared on the Infomac network and the author is John Norstad of Academic Computing & Network Services, Northwestern University (hope it's OK with you to reproduce this John?). It may be old hat to all the virus experts but I found it interesting & informative.

nVIR A & B

There has been some confusion over exactly what the nVIR A & nVIR B viruses actually do. In fact, I don't believe the details have ever been published. I just finished spending a few days researching the two nVIR viruses. This report presents my findings.

As with all viruses, nVIR A & B replicate. When you run an infected application on a clean system the infection spreads from the application to the system file. After rebooting the infection in turn spreads from the system to other applications, as they are run.

At first nVIR A & B only replicate. When the system file is first infected a counter is initialized to 1000. The counter is decremented by 1 each time the system is booted, and it is decremented by 2 each time an infected application is run.

When the counter reaches 0 nVIR A will sometimes either say "Don't Panic" (if MacinTalk is installed in the system folder) or beep (if MacinTalk is not installed in the system folder). This will happen on a system boot with a probability of 1/16. It will also happen when an infected application is launched with a probability of 31/256. In addition when an infected application is launched nVIR A may say "Don't Panic" twice or beep twice with a probability of 1/256.

When the counter reaches 0 nVIR B will sometimes beep. nVIR B does not call MacinTalk.
The beep will happen on a system boot with a probability of 1/8. A single beep will happen when an infected application is launched with a probability of 15/64. A double beep will happen when an application is launched with a probability of 1/64.

I've discovered that it is possible for nVIR A and nVIR B to mate and sexually reproduce, resulting in new viruses combining parts of their parents.

For example if a system is infected with nVIR A and if an application infected with nVIR B is run on that system, part of the nVIR B infection is replaced by part of the nVIR A infection from the system. The resulting offspring contains parts from each of its parents, and behaves like nVIR A.

Similarly if a system is infected with nVIR B and if an application infected with nVIR A is run on that system, part of the nVIR A infection in the application is replaced by part of the nVIR B infection from the system. The resulting offspring is very similar to its sibling described in the previous paragraph except that it has the opposite "sex" - each part is from the opposite parent. It behaves like nVIR B.

These offspring are new viruses. If they are taken to a clean system they will infect that system, which will in turn infect other applications. The descendants are identical to the original offspring.

I've also investigated some of the possibly incestuous matings of these two kinds of children with each other and with their parents. Again the result is infections that contain various combinations of parts from their parents.

(Hot stuff!)

Rgds,
Iain Noble

------------------------------

Date: Wed, 30 Aug 89 19:52:23 -0500
From: Christoph Fischer
Subject: VACSINA ... why we called it so (PC)

Hi,

we called the virus VACSINA because the virus opens a file named VACSINA. It doesn't check the return status of the open call. It never touches the file till the end of the virus code, where it closes the file (again ignoring the return code).
We think the virus programmer will add some code in a later version of the virus. (Remember we presumed that this is a prematurely escaped virus.)

The word vaccine comes from the Latin word vacca = cow and is spelled with two c's in all languages. Only in Norwegian we found the word to be spelled vaksine. So VACSINA is rather odd and what the virus does with the file it opens is odd too, so we decided to name the virus VACSINA.

Anyhow nobody will detect a virus by its name like cascade or vienna or whatever. The file length is somewhat ambiguous and therefore not necessarily suitable. To detect the original virus we found, you can in fact search for the word VACSINA (all capitals).

I hope this answers those questions about the name.

Chris

*****************************************************************
* Torsten Boerstler and Christoph Fischer and Rainer Stober     *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067   *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET    *
*****************************************************************

------------------------------

Date: Wed, 30 Aug 89 15:35:53 -0400
From: "Gregory E. Gilbert"
Subject: Virus Collection (Mac)

Suppose one has a disk infected with nVir B. How would one go about "capturing" the virus?

------------------------------

Date: Wed, 30 Aug 89 17:11:34 -0400
From: Joe McMahon
Subject: Virus Collecting (Mac)

"Gregory E. Gilbert" writes:
>
>How does one go about "capturing" virus code on an infected disk or at
>least view the offending code? Would one use ResEdit? Any other
>comments are most welcome. Thanks much.
>

Very carefully. ResEdit is of course the best way of looking at the resources in a given file, but it's of little use if you are attempting to disassemble the code. MacNosy is a good debugger/disassembler combination, once you know where the code is hiding.
My suggestion, of course, is to get rid of any virus you find as fast as possible. If you're sure it's new, contact John Norstad at the address in the Disinfectant documentation; he's interested in new viruses, so that he can keep Disinfectant up to date.

--- Joe M.

------------------------------

End of VIRUS-L Digest
*********************
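The SWAP VIRUS / FAT12 strings Radai explains in the Swap-virus item above are fields of the DOS 4 extended boot record: offset 26h holds the signature byte 29h, 2Bh the 11-byte volume label, and 36h the 8-byte file-system type string (which is what sits in the bytes he found unexplained). The following example is added here, not part of the digest or anyone's posting; it parses those fields from a constructed boot sector and shows why a DOS 3 diskette carries no such strings there.

```python
import struct

EXT_BOOT_SIG = 0x29  # DOS 4 extended boot signature: the EBPB fields below are valid

def parse_ebpb(sector: bytes) -> dict:
    """Extract DOS 4 extended BPB fields from a 512-byte boot sector.

    Offsets: 0x26 extended signature, 0x27 volume serial (4 bytes, LE),
    0x2B volume label (11 bytes), 0x36 file-system type (8 bytes).
    """
    if len(sector) != 512:
        raise ValueError("boot sector must be 512 bytes")
    info = {
        "boot_signature_ok": sector[0x1FE:0x200] == b"\x55\xAA",
        "has_ebpb": sector[0x26] == EXT_BOOT_SIG,
        "serial": None, "volume_label": None, "fs_type": None,
    }
    if info["has_ebpb"]:  # without the signature those bytes are not a label
        info["serial"] = struct.unpack_from("<I", sector, 0x27)[0]
        info["volume_label"] = sector[0x2B:0x36].decode("ascii", "replace").rstrip()
        info["fs_type"] = sector[0x36:0x3E].decode("ascii", "replace").rstrip()
    return info

def make_sector(label: str, fs_type: str = "FAT12", dos4: bool = True) -> bytes:
    """Build a constructed (synthetic) boot sector; dos4=False mimics a DOS 3
    FORMAT that writes no extended boot record, leaving 0x26-0x3D zeroed."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"   # short jump over the BPB, as on real boot sectors
    sec[3:11] = b"MSDOS4.0" if dos4 else b"MSDOS3.3"  # OEM name (constructed)
    if dos4:
        sec[0x26] = EXT_BOOT_SIG
        struct.pack_into("<I", sec, 0x27, 0x1234ABCD)  # constructed serial number
        sec[0x2B:0x36] = label.encode("ascii").ljust(11)[:11]   # space-padded label
        sec[0x36:0x3E] = fs_type.encode("ascii").ljust(8)[:8]   # "FAT12   "
    sec[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sec)

if __name__ == "__main__":
    # Yuval's case: a DOS 4 diskette labelled "SWAP VIRUS" puts label + "FAT12" in the sector
    print(parse_ebpb(make_sector("SWAP VIRUS")))
    # Same label under DOS 3: root-directory entry only, nothing in the boot sector
    print(parse_ebpb(make_sector("SWAP VIRUS", dos4=False)))
```

Running the module prints the parsed fields for both cases; on a real diskette image you would pass its first 512 bytes to parse_ebpb instead of the constructed sector.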