VIRUS-L Digest Friday, 6 Oct 1989 Volume 2 : Issue 215 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: IBM-supplied antivirus software (IBM PC) re: The DataCrime viruses (PC) The not so new virus (Mac) New Mac Virus Appears in Sweden (Mac) Viruses that inhabit "bad" blocks (PC) Re: Why not change OS? Tiger Teams (General) Re: UNIX virus proof?! (UNIX) New Mac Virus Not In 'Moria' But in SuperClock3.5! Re: OGRE virus in Arizona (PC) Now I'm *REALLY* going... --------------------------------------------------------------------------- Date: Thu, 05 Oct 89 16:18:45 -0400 From: "E.C. Greer" Subject: IBM-supplied antivirus software (IBM PC) Below is the text of an announcement recently made by IBM. We got this from our IBM representative. It's not particularly clear to me exactly which viruses this software works for, but I thought I'd pass it along. There is a number to call for more information. September 29, 1989 MEMORANDUM TO: IBM Business Partners SUBJECT: Personal Computer Virus Detection There is an increasing awareness in the industry of the existence of disruptive computer viruses. Several personal computer viruses exist which are expected to activate after October 12, 1989. These viruses can erase a DOS or OS/2* file or render the files on the fixed disk inaccessible. Although the number of reported occurrences is low, this is to alert you to the potential risk of these viruses and to provide you with a program to assist you in detecting them. Enclosed are 3.5 inch and 5.25 inch diskettes with the IBM Virus Scanning Program for personal computers and its license agreement. At your discretion, you may make copies for your customers. Also included are a fact sheet on the IBM Virus Scanning Program and a virus question and answer document. We recommend that you and your customers run the IBM Virus Scanning Program on all of your personal computers using DOS and/or OS/2 as soon as possible prior to October 12th. If you provide customers a copy of these diskettes, you must also pro- vide them with a copy of the license agreement. To ensure a virus free copy, you must follow the instructions in the READ.ME file on the diskette. You should "write protect" all copies of the original disk- ettes. The READ.ME file also contains additional information on the IBM Virus Scanning Program. There is a $35.00 charge for this program. Payment is to be made by the customer directly to: IBM Corporation Grand Central Station P.O. Box 2646 New York, NY 10163 Alternatively, your customer may order the IBM Virus Scanning Program (part number 64F1424) at a cost of $35.00, with a major credit card, directly from the IBM fulfillment center by calling 1-800-426-7282. IBM Virus Scanning Program Fact Sheet + _____________________________________ WARNING - BEFORE USING THE IBM VIRUS SCANNING PROGRAM MAKE CERTAIN THAT THE COPY YOU INTEND TO USE COMES FROM A SECURE UNINFECTED SOURCE, AND THAT THE DISKETTES' WRITE PROTECT TAB IS IN PLACE IF THE DISKETTE IS NOT PERMANENTLY WRITE PROTECTED. The IBM Virus Scanning Program has been developd by IBM to aid in the detection of some computer viruses and is being used internally by IBM to detect computer viruses. The program is designed to scan boot records and executable files looking for signatures of viruses known to IBM when the program was written. A signature is a bit pattern that is indicative of a particular virus. The files that are scanned by the IBM Virus Scanning Program must be in their native executable form (e.g., not encrypted and not packed) in order for signature matching to occur. There may be other viruses that currently exist, or will exist in the future, that the IBM Virus Scanning Program will not detect. We know of no available, guaranteed solution to computer viruses, so we recommend regular backups of your data, caution in acquiring and using software and good security practices. Description of the IBM Virus Scanning Program +_____________________________________________ The program tests executable files on disks for signature strings that are found in some common DOS computer viruses. For each drive specified it will also test the drive for boot sector viruses. To use it, simply type at the command prompt (for example) VIRSCAN C: to scan the executable files on the C: drive or VIRSCAN A: to scan the executable files on the A: drive or VIRSCAN n: n: n: to scan multiple drives (n = drive id) Type VIRSCAN without any arguments for some help. Files infected with a virus should be erased and replaced with uninfected copies (obtained from the original source, such as original manufacturer's diskettes, in-house source code, backup copies, etc). NOTE: Prior to restoring any files, run the program against the diskette from which you plan to restore to ensure it is virus-free. Technical Detail: +________________ VIRSCAN.EXE is the executable program. It will run under DOS 2.0, 2.1, 3.1, 3.2, 3.3, 4.0 and OS/2* 1.0, 1.1, and 1.2. It will not support OS/2 1.2 with high performance file system names. Virus detection programs and services are available from other companies and you may also wish to advise your customers of these. The IBM Virus Scanning Program will not detect all personal computer virus possibili- ties and should be considered complementary to, and not a substitute for, established security and backup procedures. If you have any questions, please call the NDD National Support Center at 1-800-IBM-PROD or contact your IBM marketing representative. R. F. Martino Vice President Marketing Enclosures * Trademark of the IBM Corporation ------------------------------ Date: 05 Oct 89 00:00:00 +0000 From: David.M..Chess.CHESS@YKTVMV Subject: re: The DataCrime viruses (PC) > DC-2 does it on any day > between Jan 1 and Oct 12, except on Sundays! That's not true for the sample that I've seen. I suspect someone's just misreading the code (it's easy to do; that area is rather convoluted). It could be a new variant, of course, but if it really *did* do its damage between Jan 1 and Oct 12, wouldn't it have basically Gone Off by now? I think your source is just misinformed. There does seem to be a day-of-the-week check in there, but I'm not sure what it does at the moment (not damaging on Sundays is possible, but I wouldn't want to promise anyone!). In summary, the important differences that I know of between the DataCrime (1168 and 1280 strains) and the DataCrime II are that the II: - Makes COM files 1514 bytes longer when it infects them - Also infects EXE files - Stores itself garbled on disk (except for the degarbler) - Has a slightly different message ("* DATACRIME II VIRUS *") Otherwise, it's the same beast, with the same damage conditions. Of course there may be more variants that I haven't seen! DC ------------------------------ Date: 05 Oct 89 20:59:34 +0000 From: jap2_ss@uhura.cc.rochester.edu (Joseph Poutre) Subject: The not so new virus (Mac) Enclosed is a mail message written by a fellow consultant. When it first appears, it's just a form of the nVIR virus which AntiPan works very well to eradicate. But it seems to be a self modifying code which causes it to mutate to an unrecognizable form. SO, what do we do about it, you ask? Well, we have had exceedingly good success in both TAGGING and ERADICATING the virus with a program called SYMANTEC ANTI-VIRUS CLINIC. If the virus is tagged, it can be eradicated with AntiPan, or it can be eradicated with SAM, the SYMANTEC ANTI-VIRUS CLINIC. So when people bring you their disks to have checked, please run SAM on them. It's very easy, there will be instructions at the desk. Copies of this message and an infected application will be sent to all those who requested copies, and any others who also ask. This is _not_ an endorsement of any sort for SAM, or Anti-pan. Joseph Poutre (The Mad Mathematician) jap2_ss@uhura.cc.rochester.edu ------------------------------ Date: Thu, 05 Oct 89 22:41:25 +0700 From: Bertil Jonell Subject: New Mac Virus Appears in Sweden (Mac) Here on Chalmers, we've found an STR id 801 in the game MORIA (Recently posted on comp.binaries.mac), I havent gotten time to check it yet byt it *might* have come with moria. (Altough some signs seam to indicate that it has been around for a long time) Any information on the virus, It's effects and possible techniques to combat it will be geatly appriciated. - -- Bertil K K Jonell @ Chalmers University of Technology, Gothenburg NET: d9bertil@dtek.chalmers.se VOICE: +46 31 723971 / +46 300 61004 "Don`t worry,I've got Pilot-7" SNAILMAIL: Box 154,S-43900 Onsala,SWEDEN (Famous last words) "So for more than a decade, Tiamat had been observing Lucifer with every possible kind of instrumentation" A.C.Clarke '2061' ------------------------------ Date: Thu, 05 Oct 89 19:26:00 -0400 From: MAS-Polecat Subject: Viruses that inhabit "bad" blocks (PC) I was just reading about the OGRE virus when I noticed a pattern. Since a lot (is it a lot?) of viruses mark the sectors they are using as bad, why not just write a utility that will look up the bad sectors on a disk and erase them. There are utilities available now that will analyze EACH sector on a disk to see if it is bad or not. If it is marked bad, but seems ok they will put that sector back into the available sector list. I think SpinRight (sp?) and perhaps PCTools do this. Even if not all of the virus is eradicated, it seems that it would at least be fatally crippled. Has anyone tried this? Erik Bryant Student Assistant Programmer University at Buffalo ------------------------------ Date: Thu, 05 Oct 89 21:35:04 -0400 From: ficc!peter@uunet.uu.net Subject: Re: Why not change OS? time@oxtrap.aa.ox.com (Tim Endres) writes: > Better than changing OS to get better virus "resistance", why not > encourage the systems designers at Apple and IBM to implement > protection in their respective operating systems? I don't know about the Mac... its system software is a lot cleaner than Messy-DOS, albeit rather unconventional. But this is pretty much impossible with MS-DOS. I suspect you would have to write a complete new operating system with an MS-DOS emulator. The reason for this is that the original MS-DOS was so incompetant (for example, the serial driver code never worked right for anything better than dumping to a printer, and it's never been fixed) that any decent program was forced to go direct to the hardware. And of course if you're going to go to a new O/S, why not use an off-the-shelf one that's already achieved wide acceptance? I once sat down and tried to write a terminal emulator that was entirely well-behaved. I was able to keep up with 1200 baud using the XT bios to put stuff on the screen, by heavy use of curses-style heuristics, but I broke down and went straight to the serial port. Of course, OS/2 is supposed to fix all this. For some bizzarre reason, though, it's still got no security features. Anyway, the reason Apple and IBM aren't doing anything is because there's no great call from the user community to do anything, and nobody's willing to consider a better alternative if it means risking their cherished soft- ware investment. Which is only reasonable, but there's no reason new installations can't be based on something like UNIX. - --- Peter da Silva, *NIX support guy @ Ferranti International Controls Corporation. Biz: peter@ficc.uu.net, +1 713 274 5180. Fun:peter@sugar.hackercorp.com. `-_-' ``I feel that any [environment] with users in it is "adverse".'' ------------------------------ Date: Fri, 06 Oct 89 08:18:43 -0400 From: "Andy Wing" Subject: Tiger Teams (General) Hi, I think that your average non-sophisticated user would be offended by computer support personnel checking their personal machine for "infection". An alternative would be to have the Tiger Teams simply state that they are doing "regular preventative maintenance". People shouldn't have problems with that. The end user doesn't need to know the gruesome details of a PM call. Actually Tiger Team duties should be assigned to a companys regular maintenance people (with a software expert supervising them of course). I guess the best anti-virus protection is one that is both transparent to the end user and in the hands of a well trained support staff. The original Tiger Team idea would work best if slightly modified. Every football team has both an offence and a defense. Right now the anti-viral defense really has no one to practice against. I think what we need is a group of developers that will try to "bust" Gatekeeper/Flushot/etc. These people would be in close contact with the anti-viral developers. The Tiger Team would document their methods and only use benign infections. I guess my real concern is that anti-virus developers take a reactive stance instead of an active one. If I were a anti-virus developer, I would want to encounter a new infection method under controlled, documented conditions. This way anti-viral SW would be guarded against bypass methods already thought up by the Tiger Teams. Also, do any anti-viral programs use the 'bad block' method to protect themselves? I think that idea holds some promise. Andy Wing V2002A@TEMPLEVM.BITNET ------------------------------ Date: 06 Oct 89 15:22:42 +0000 From: jmc@PacBell.COM (Jerry Carlin) Subject: Re: UNIX virus proof?! (UNIX) ficc!peter@uunet.uu.net writes: >I wouldn't say UNIX is virus-proof (I posted a hoax article about a >UNIX virus over a year ago, just before the Internet Worm incident), >but it's sure a hell of a lot more virus-resistant than DOS. See "Experience with Viruses on UNIX Systems" by Tom Duff in Computing Systems, Vol 2 No 2, Sprint 89 pp: 155-181. He discusses building a true UNIX virus and the consequences thereof. - -- Jerry Carlin (415) 823-2441 {bellcore,sun,ames,pyramid}!pacbell!jmc To dream the impossible dream. To fight the unbeatable foe. ------------------------------ Date: Fri, 06 Oct 89 14:51:08 +0700 From: Bertil Jonell Subject: New Mac Virus Not In 'Moria' But in SuperClock3.5! Today when I had time to check the various downloads that had been occuring during the last few days I found that the recource STR ID 801 appeared in the document Clock Doc (a word document). I double checked this by extracting it from the .sit archive again and examinig it directly (On Cue from StuffIt to ResEdit). Since Stuffit and Resedit seems to be clean from this and othe known viruses I can only assume that the virus was there when Clock Doc was packaged! What I'm wondering now is: Is it confirmed that the STR ID 801 really *is* a sign of a virus? Is there any chance that it is a legitimate resource? (I've tested making new MacWrite documents with a locked copy, They have resources this 'International Resource' and a STR resource ID 701, None of them have had a STR ID 801) Clock Doc comes with the SuperClock! 3.5 INIT Recently posted to the comp.binaries.mac newsgroup. I'm sorry for causing constenation by proclaming Moria as a possible source, (Frankly, That .sit archive had been deleted so I couldn't check it, But since the known infected machines both had Superclock 3.5 installed within the last few days, Moria hav dropped off the list of prime suspects) - -bertil- Bertil K K Jonell @ Chalmers University of Technology, Gothenburg NET: d9bertil@dtek.chalmers.se VOICE: +46 31 723971 / +46 300 61004 "Don`t worry,I`ve got Pilot-7" SNAILMAIL: Box 154,S-43900 Onsala,SWEDEN (Famous last words) "GOOD DEEL ON SLIGHTLY USED CRANE" - Orson Scott Card 'The Abyss' ------------------------------ Date: Fri, 06 Oct 00 19:89:36 +0000 From: clout!kericks!ken@gargoyle.uchicago.edu Subject: Re: OGRE virus in Arizona (PC) > A new, extremely nasty virus has been discovered on some IBM PCs in > the state of Arizona. This virus, known as OGRE, has been found on > some disks in Flagstaff and nearby areas. This is the first > recognition of said virus that has come to my attention. This memo > gives a description of the virus and possible ways of recognizing and > removing it. This is a very interesting virus. However, I would like to know if anyone knows how it originally infects a disk. It would seem that it would have to be in an executable program at least initially (to infect the first disk). Any ideas? ------------------------------ Date: Fri, 06 Oct 89 16:00:00 EDT From: "Kenneth R. van Wyk" Subject: Now I'm *REALLY* going... Really, this is the *last* digest until I get back! I stopped in the office on the way to the airport and was overwhelmed by the amount of email, so I decided to send out *one* more digest (especially since some of it pertained to DataCrime - which should be history by the time I return). So now I'm on my way out the door. REALLY! :-) Ken ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253