VIRUS-L Digest   Thursday, 21 Sep 1989    Volume 2 : Issue 199

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk

Today's Topics:

NIST Virus Management Guide Issued
The McAfee Posting Discussion
Re: Centel Corp. and ViruScan
New Virus (PC)
MIX1 Virus (PC)
Software company distributing viruses (PC)
New variant of Ping-Pong found (PC)
Re: disinfecting nVIR from Appletalk (Mac)
Re: VirusDetective questions (Mac)
Re: Macintosh Virus
"Spanish (?) cookie virus" (PC)

---------------------------------------------------------------------------

Date:    Wed, 20 Sep 89 15:35:17 -0400
From:    krvw@sei.cmu.edu
Subject: NIST Virus Management Guide Issued

Computer Virus Guide Issued

The National Institute of Standards and Technology (NIST) has issued a new publication on computer viruses. It is entitled "Computer Viruses and Related Threats: A Management Guide", NIST Special Publication 500-166, by John P. Wack and Lisa J. Carnahan of the Computer Security Management Group at NIST.

The guide is intended to help managers prevent and deter virus attacks, detect when they occur, and contain and recover from an attack. It provides general guidance for management and users, plus more specific guidance for multi-user computer environments and for personal computer environments. It also contains a list of suggested readings.

The guide is available from the U.S. General Printing Office, (202) 783-3238.
Ordering Information:

"Computer Viruses and Related Threats: A Management Guide"
NIST Special Publication 500-166
GPO #003-003-02955-6
$2.50/copy

------------------------------

Date:    Wed, 20 Sep 89 13:27:20 -0600
From:    Chris McDonald ASQNC-TWS-RA
Subject: The McAfee Posting Discussion

I think David Gursky overlooked the "subtle" point of Mr. McAfee's posting. If indeed Centel is charging customers $25.00 for VIRUSCAN and claims that it is losing money, then something SMELLS. I registered my copy of VIRUSCAN with Mr. McAfee's company for $15.00.

More importantly, while the VIRUSCAN program is shareware, it does have a copyright. The legal advice I received was that, if a shareware package has a copyright and if the author states that a fee or registration payment is required, then I as a government employee was legally bound to pay the fee. If individuals are familiar with VIRUSCAN, the wording on payment is direct and to the point. It is not one of those "pay if you like" type of requests.

I think it may also be argued that, if Mr. McAfee wanted to ensure a financial "killing" for a product which has had several independent verifications as to its effectiveness, then he would not have made it so readily available over BBSs and the INTERNET in general.

Chris Mc Donald
White Sands Missile Range

------------------------------

Date:    20 Sep 89 23:36:29 +0000
From:    kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: Centel Corp. and ViruScan

Not as a flame, but you have to remember that the term SHAREWARE does NOT mean Freeware or Public Domain... Centel was attempting to illegally capture shareware profits belonging legally to John McAfee. (BTW, it's one thing to redistribute freely... it's entirely another to charge $20.00 for the FREE distribution without permission of the author...) WE call that theft of intellectual property rights where I come from!! ... While John McAfee and CVIA wish to encourage the free flow of antiviral information...
the research, collation and codification into VIRUSCAN is a cost-intensive process!! Therefore John McAfee logically should be able to determine who can redistribute his software for a FEE and who shouldn't be able to... (For those that are interested, John does have a quite attractive OEM and site licensing agreement!) Sorry to get on the soapbox, but people who receive and use shareware repeatedly should be paying fees... This move would greatly improve the quality of software available from shareware authors!!!

cheers
kelly

p.s. flames to /dev/null

------------------------------

Date:    Wed, 20 Sep 89 17:22:54 -0700
From:    portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: New Virus (PC)

Well, it's happening again. We've just received a new virus from Randy Dean at the U.C. Davis bookstore. The virus infects COM and EXE files, including COMMAND.COM, increases the size of infected files by 1800 bytes, and infects through the DOS COPY command, as well as program loads. The virus contains the words "The Dark Avenger, copyright 1988, 1989" and the message "This program was written in the city of Sofia. Eddie lives.... Somewhere in Time!". The virus bears no resemblance to the Jerusalem despite the similarity in sizes. ViruScan V38 identifies the virus.

By the way, I'd also like to respond to the comments about ViruScan and John McAfee. If I had written a shareware program that was being distributed by some other company for money, I would be pretty ticked off. John has the right to determine who can sell it and who can't, as I see it.

[Ed. Has V38 been sent out to the VIRUS-L/comp.virus archive sites?]

------------------------------

Date:    Thu, 21 Sep 89 08:39:20 +0200
From:    "Yuval Tal (972)-8-474592"
Subject: MIX1 Virus (PC)

There is a new virus in Israel. It has been going around in Israel since August. The name of the virus is MIX1 because of its signature.
Ori Berger (the author of JIV, an anti-viral program which was written in Israel) made a program that identifies the virus and exterminates it. (I myself got the virus but haven't looked at it yet. After I disassemble it, I'll report back.) The following report was made by him:

Virus Name..............: The Mix1
Attacks.................: .EXE files
Virus Detection when....: 22.August.1989
                at......: Israel
Length of virus.........: 1. The infected .EXE files grow by 1618-1634 bytes.
                          2. 2048 bytes in RAM.
Operating system(s).....: PC/MS DOS version 2.0 or later.
Identifications.........: 1) The signature at the EOF of each infected file is: MIX1.
                          2) Byte 0:33C=77h.
Type of infection.......: .EXE files only. The virus is put at the end of the .EXE file and the header is changed to point to the beginning of the virus in the file.
Infection trigger.......: EXE file execution through interrupt 21h service 4bh.
Interrupt hooked........: 14h, 17h, 21h, optionally 8, 9 (after 6th level of infection).
Damage..................: Garbled output on parallel and serial connections, optionally boot is disabled, num-lock is constantly on.
Damage trigger..........: Loading of infected file. After 6th level infection, vectors 8 and 9 are hooked.
Particularities.........: 1) All output through vectors 14h and 17h is garbled.
                          2) Booting may crash the computer (possibly a bug).
                          3) Memory allocation is done through direct MCB control.
                          4) Does not allocate stack, and therefore makes some files unusable.
                          5) Infects only files which are bigger than 16K (this makes disassembly very hard).
-Yuval

+--------------------------------------------------------------------------+
| BitNet: NYYUVL@WEIZMANN          Domain: NYYUVAL@WEIZMANN.WEIZMANN.AC.IL |
| InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU                        |
+-----------------------------------+--------------------------------------+
| Yuval Tal                         | "Remember - the next time you hear a |
| The Weizmann Institute Of Science | fighter jet go by - you are hearing  |
| Rehovot, Israel                   | the SOUNDS OF FREEDOM" - Major Bill  |
+-----------------------------------+--------------------------------------+

------------------------------

Date:    Wed, 20 Sep 89 17:39:39 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Software company distributing viruses (PC)

A few days ago I posted a note describing the distribution of PC viruses here in Iceland. One interesting fact was that 1701/1704 is the most common virus here, but it is only in second or third place elsewhere. I just got a phone call explaining why.

One software company here has been infected with this virus (1704-A) for some time. They have sent out a number of updates to their programs recently, with all .COM files infected. This was discovered when one site received an update to one program and used a virus-checking program, "just to be sure".

What was most serious about the whole thing was the ignorance of the software company in question. Their first response when they were told of this was something like: "We can't have a virus - there are no pirated games here."

I guess this will happen elsewhere, but until now there have been very few occurrences of software companies distributing viruses (only 4 that I know of).

---- frisk

------------------------------

Date:    Wed, 20 Sep 89 17:16:26 +0000
From:    Fridrik Skulason
Subject: New variant of Ping-Pong found (PC)

I recently gave a copy of an Anti-Ping-Pong program to a person with an infected computer. He had seen the bouncing ball on the screen some time earlier and contacted me.
Much to my (and his) surprise, the program refused to remove the virus, saying: "This boot sector is not infected with the Italian virus."

When I took a closer look I discovered the following:

1) He was using a '286 machine (but normally Ping-Pong only works on '88 or '86 machines).
2) The ball could be activated as normal (by typing TIME 0, followed by a command that will cause a read).
3) The signature in the boot sector was identical (1357).
4) A NOP byte had been placed in the middle of the string this program used for identification.
5) The code had been modified a bit, and the most significant change was that the MOV CS,AX instruction had been replaced with a sequence of instructions to do the same thing.

I will publish a full report soon - but I just wanted to know if anybody else has heard of this variant.

------------------------------

Date:    21 Sep 89 04:49:46 +0000
From:    chinet!henry@att.att.com
Subject: Re: disinfecting nVIR from Appletalk (Mac)

In article <0001.8909181146.AA03502@ge.sei.cmu.edu> dmg@lid.mitre.org (David Gursky) writes:

> When you finally get Disinfectant, and de-Binhex it and
> de-Stuffit, make sure the diskette you keep it on is
> write-protected!!! This is very important; a virus cannot infect
> an application on a write-protected diskette!

This is a good idea, but not entirely necessary with Disinfectant. Disinfectant is resistant to all currently known viruses and will refuse to run if it has been changed in any way. I have run Disinfectant on a System infected with nVIR A with SAM Intercept active to let me see when nVIR attempts to infect anything. Even when I allow nVIR to access Disinfectant, it cannot infect it!

Another thing to note is that Disinfectant _can_ disinfect the currently running System. This means that once you have Disinfectant, you can put it on a floppy, disinfect the floppy, lock it and use it to disinfect everything else.
Please note that this method should be used only when you don't have a clean copy of the System. In fact, Disinfectant should only be used to disinfect when you have no clean master for a program.

Henry Schmitt
Author of Virus Encyclopedia

H3nry C. Schmitt       | CompuServe: 72275,1456 (Rarely)
                       | GEnie: H.Schmitt (Occasionally)
Royal Inn of Yoruba    | UUCP: Henry@chinet.chi.il.us (Best Bet)

------------------------------

Date:    21 Sep 89 05:05:58 +0000
From:    chinet!henry@att.att.com
Subject: Re: VirusDetective questions (Mac)

In article <0004.8909191146.AA07427@ge.sei.cmu.edu> awinterb@udenva.cair.du.edu (Richard Nixon) writes:

> Has anyone used VirusDetective for the Mac? We've
> used it, but it seems to detect viruses in files that
> we doubt are affected.
>
> How reliable is this bit of software?

How certain are you that these files are not infected? Have you checked them with other programs such as Disinfectant and Virus RX?

The latest version of VirusDetective (3.0.1 if memory serves) seems quite reliable. It was the program with which I discovered the nVIR A infection on the disk which came with the Brady Utility book _Applied HyperTalk_. If VD is reporting a virus, I'd be sure to check those files with another detection utility before dismissing it as a false alarm. I'm not saying that VD will never give a false alarm, but since the different utilities use different detection methods, the probability of both giving false alarms on the same file is small.

Personally I never trust only one program to tell me whether or not I have a virus. I run at least two on a weekly basis.

Henry C. Schmitt
Author of Virus Encyclopedia

H3nry C. Schmitt       | CompuServe: 72275,1456 (Rarely)
                       | GEnie: H.Schmitt (Occasionally)
Royal Inn of Yoruba    | UUCP: Henry@chinet.chi.il.us (Best Bet)

------------------------------

Date:    21 Sep 89 05:23:45 +0000
From:    chinet!henry@att.att.com
Subject: Re: Macintosh Virus

In article <0001.8909191859.AA09184@ge.sei.cmu.edu> JOHN P. BRADLEY writes:

> Well it was bound to happen - why should we be any different? We
> believe we have discovered a virus in our microcomputer lab.
> education of the users, hoping that this won't get out of hand.
...[stuff deleted]...
> Any ideas would be greatly appreciated.

John -

The first thing I recommend is to pick up Disinfectant 1.2 by John Norstad of Northwestern University. It is available from a number of places such as BBSs and Mac Users' Groups as well as FTP. Read the documentation that comes with it, especially his recommendations. He explains the policy they use at Northwestern to combat viruses. This will allow you to find and remove existing viruses. Note that you should replace infected files with known clean copies whenever possible, rather than disinfecting. Use this on a regular basis!

To help prevent future infections, get a virus prevention INIT such as Vaccine or GateKeeper. Prevention INITs also come with commercial packages. Put a copy on every startup disk you can find. Note this will not help in cases where users bring in their own startup disks (like myself).

It will definitely help to educate your users. Might I recommend (here comes the commercial :-) my HyperCard stack Virus Encyclopedia. It is available from the same places as Disinfectant (I'm not sure about FTP, I'm working on that) and also BudgetBytes and Educorp.

I wish you success in fighting viruses.

Henry C. Schmitt
Author of Virus Encyclopedia

H3nry C. Schmitt       | CompuServe: 72275,1456 (Rarely)
                       | GEnie: H.Schmitt (Occasionally)
Royal Inn of Yoruba    | UUCP: Henry@chinet.chi.il.us (Best Bet)

------------------------------

Date:    21 Sep 89 13:07:00 +0200
From:    Antonio-Paulo Ubieto Artur
Subject: "Spanish (?) cookie virus" (PC)

I heard recently about a virus here in Spain known as "the cookie virus" ("virus de la galleta"). I don't know if this virus originated here in Spain or somewhere in Europe.
Although I haven't seen this virus yet (I got the following from hackers here outside of our University), I think it really exists and seems to be a really nasty virus, so I provide the following information to avoid possible trouble.

This "cookie virus" seems to activate itself only when you are using a word-processing program. At random moments it flashes you something like "give me a cookie...!" ("dame una galleta...!"). If you type "have a cookie" ("toma una galleta"), the virus seems to deactivate itself after prompting "thank you" ("gracias"). If you do not "give it a cookie" and escape some other way, it asks for a cookie again two minutes later. If you escape again and afterwards you save your text and exit the word-processor, you will find the next time you try to load your text that all of its contents have been replaced with the string "this because you didn't give me a cookie" ("esto por no darme una galleta")...

In a first approach to the detection of this virus, any search for the string "cookie" ("galleta") was no use. The only string found was something like "kiecoo" ("etagall"), and the virus seemed to be in the "IBMBIO.COM" and "IBMDOS.COM" files, but time and date stamps seemed to be untouched...

Has somebody out there suffered effects like the ones described? Any detection and preventive methods?

Antonio-Paulo Ubieto Artur.
Department of Modern and Contemporary History.
Zaragoza University.
50071 Zaragoza (Spain-Europe).
hiscont@cc.unizar.es

------------------------------

End of VIRUS-L Digest
*********************
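Editor's added example, appended after the digest and not part of it or of any program it names: three of the identification checks described above, run over constructed sample data. The MIX1 check uses the two markers in Ori Berger's report (the string "MIX1" at end of file and byte 0:33C = 77h). The Ping-Pong part contrasts the exact-string match that the Anti-Ping-Pong program relied on with a match that tolerates an inserted NOP, which is what defeated it in Fridrik Skulason's report; the identification string SIG used here is hypothetical, since the digest does not print the real one. The cookie-virus part searches for any cyclic rotation of a word, because "etagall" and "kiecoo" in that report are rotations of "galleta" and "cookie". All sample images are constructed for the example.

```python
"""Editor-added example: signature checks from VIRUS-L V2 #199 over
constructed sample data (not code from the digest)."""

# --- MIX1 markers, as given in Ori Berger's report ----------------------
MIX1_TAIL = b"MIX1"
MIX1_OFFSET = 0x33C   # "Byte 0:33C=77h"
MIX1_VALUE = 0x77


def looks_like_mix1(exe: bytes) -> bool:
    """True if exe carries both MIX1 markers from the report.

    Both are required: a clean file could end in "MIX1" by accident.  The
    report says only files bigger than 16K get infected, so anything
    smaller (or without an MZ header) is not a candidate.
    """
    if exe[:2] != b"MZ" or len(exe) <= 16 * 1024:
        return False
    return exe.endswith(MIX1_TAIL) and exe[MIX1_OFFSET] == MIX1_VALUE


def make_sample_exe(infected: bool) -> bytes:
    """Constructed 20K 'EXE' image (MZ header plus filler), not a real program."""
    image = bytearray(b"MZ" + b"\x00" * (20 * 1024 - 2))
    if infected:
        image[MIX1_OFFSET] = MIX1_VALUE
        # growth of 1624 bytes, inside the 1618-1634 range the report gives
        image += b"\x00" * (1624 - len(MIX1_TAIL)) + MIX1_TAIL
    return bytes(image)


# --- Ping-Pong: exact vs NOP-tolerant signature match --------------------
NOP = 0x90


def _match_at(image: bytes, sig: bytes, pos: int) -> bool:
    """Match sig at pos, skipping runs of NOP between consecutive sig bytes."""
    i = pos
    for k, want in enumerate(sig):
        if k > 0:
            # skip padding NOPs, unless the next wanted byte is itself a NOP
            while i < len(image) and image[i] == NOP and want != NOP:
                i += 1
        if i >= len(image) or image[i] != want:
            return False
        i += 1
    return True


def find_signature(image: bytes, sig: bytes, tolerate_nops: bool = False) -> int:
    """Offset of sig in image, or -1.

    tolerate_nops=False is the exact-string test the Anti-Ping-Pong program
    used; True also catches the variant with a NOP inserted into the string.
    """
    if not tolerate_nops:
        return image.find(sig)
    for pos in range(len(image) - len(sig) + 1):
        if _match_at(image, sig, pos):
            return pos
    return -1


# Hypothetical identification string (the digest does not print the real one)
SIG = b"\xb8\x00\x00\x8e\xd8"            # mov ax,0 / mov ds,ax
ORIGINAL = b"\x00" * 64 + SIG + b"\x00" * 64
VARIANT = b"\x00" * 64 + SIG[:2] + bytes([NOP]) + SIG[2:] + b"\x00" * 64


# --- Cookie virus: strings stored rotated ("etagall" for "galleta") ------
def find_rotated(image: bytes, word: bytes) -> int:
    """Offset of any cyclic rotation of word in image, or -1."""
    for r in range(len(word)):
        off = image.find(word[r:] + word[:r])
        if off != -1:
            return off
    return -1


if __name__ == "__main__":
    print("MIX1 sample infected:", looks_like_mix1(make_sample_exe(True)))
    print("MIX1 sample clean:   ", looks_like_mix1(make_sample_exe(False)))
    for name, img in (("original", ORIGINAL), ("variant", VARIANT)):
        print(name, "exact:", find_signature(img, SIG),
              "nop-tolerant:", find_signature(img, SIG, True))
    print("rotated galleta at:", find_rotated(b"xx etagall yy", b"galleta"))
```

The NOP-tolerant matcher is deliberately narrow: it only absorbs 0x90 bytes between signature bytes, which is enough for the variant described but not for the later change that replaced MOV CS,AX with an equivalent instruction sequence; matching that needs a second signature or a semantic check rather than string padding.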