VIRUS-L Digest Monday, 20 Nov 1989 Volume 2 : Issue 244 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Virus Stoned and Jerusalem - B (PC) Re: Sophisticated Viruses Virus Disinfectors (PC) Re: Reverse engineering CRC validation code. Re: Help...Virus Attack (Mac) EAGLE.EXE Virus (PC) Internet worm impact (UNIX & Internet) Re: Sophisticated Viruses (Mac) The Brain...again (PC) --------------------------------------------------------------------------- Date: Fri, 17 Nov 89 19:12:52 +0000 From: MCGDRKG@CMS.MANCHESTER-COMPUTING-CENTRE.AC.UK Subject: Virus Stoned and Jerusalem - B (PC) Can anyone help? We have recently discovered that a cluster of about 12 Pc`s have become infected with the above mentioned viruses. What preventative action can we take and is there any simple way of removing the viruses without destroying data? Is any software available to do this? The STONED virus is a boot-sector virus and the other one seems to have attached itself to various .com and .exe files. Any help and advice would be much appreciated. R.Gowans - ----------------------------------------------------------------------------- JANET: R.Gowans@uk.ac.MCC Internet: R.Gowans%MCC.ac.uk@cunyvm.cuny.edu Dept Civil Eng, EARN/BITNET: R.Gowans%MCC.ac.uk@UKACRL U.M.I.S.T, UUCP: ...!ukc!umist!R.Gowans Sackville Street, Manchester. FAX: [044 61 | 061] 200-4016 M60 1QD. ------------------------------ Date: 17 Nov 89 21:51:32 +0000 From: wugate!attctc.Dallas.TX.US!hutto@uunet.UU.NET (Jon Hutto) Subject: Re: Sophisticated Viruses In article <0009.8911161700.AA03975@ge.sei.cmu.edu> ttidca.TTI.COM!hollombe%sdc svax@ucsd.edu (The Polymath) writes: >krvw@SEI.CMU.EDU (Kenneth R. van Wyk) writes: >}There's an important distinction to be made here - detection during >}propagation vs. detection after (presumably) successful propagation. >}A virus could well attempt to conceal its existence while propagating, >}and then do quite the opposite (!) during a destructive phase. No one > An unfriendly government wants to cause dislocation in the United > States. It commissions a difficult to detect virus that spends 5 > years propagating, then wipes the hard disks of every machine it's > on, without warning or explanation. This is scary. A Virus writen by someone who knows what they are doing coulsd be very dangerous. Or even one by someone who knows more than viruse writers at any rate. One writen by a non-friendly government would be especaly bad. Forget the cold war, this is the Technical war, between Super computers. We, the users would really be caught between a rock and a hard place. Nothing we could do, but watch them destroy each other. Could you imagine someone who knows IBM-PC ASM well, like Peter Norton, or McAfee writing a virus? (completly hypathetical, no hidden meaning) It would be the worst virus to hit ANYONE. Jon Hutto PC-Tech BBS (214)271-8899 2400 baud USENET: {ames, texbell, rutgers, portal}!attctc!hutto INTERNET: hutto@attctc.dallas.tx.us or attctc!hutto@ames.arc.nasa.gov ------------------------------ Date: Fri, 17 Nov 89 09:35:59 -0800 From: portal!cup.portal.com!Alan_J_Roberts%Sun.COM@vma.cc.cmu.edu Subject: Virus Disinfectors (PC) There have been a number of questions on Virus-L in the past few weeks about "cures" for the various infections that have been reported. While not all infections can be "cured" without the loss of some or all of the infected programs, there are a number of disinfectors that can remove the more common viruses and repair the damage to the infected application in many cases. Disinfectors available on HomeBase (408 988 4004) are: Dark Avenger - M-DAV.ARC Traceback/3066 - M-3066.ARC Vienna - M-VIENNA.ARC Ping-Pong (all vers.) - MD.ARC 1701 - M-1704.ARC 1704 - M-1704.ARC 1704-C - M-1704C.ARC Jerusalem - M-JRUSLM.ARC Stoned - MD.ARC Ghost (Boot seg.) - MD.ARC Brain - MD.ARC (bootable diskettes only) Alameda - MD.ARC " Den Zuk - MD.ARC " Disk Killer (Ogre) - MD.ARC For all other viruses, the ViruScan (versions 48 and above) /D option will overwrite all infected files with C3H and then delete the file. This will effectively remove the virus from the system, but infected applications will be deleted. It'll save a re-format though. If you are looking for a non-shareware (yuch!!) solution, then the VirClean program is an integrated package that does just about all of the viruses. Seems to work but requires money. Alan ------------------------------ Date: Sat, 18 Nov 89 08:55:09 -0500 From: dmg%lid.mitre.org@vma.cc.cmu.edu (David Gursky) Subject: Re: Reverse engineering CRC validation code. In VIRUS-L Digest V2 #243, David Hoyt (dhoyt@vx.acs.umn.edu) speculates about patching an internal CRC check for authentication to always return "True". I would like to counter that a virus designed to defeat an internal consistency check in this manner would not be a very good infector. It would have to rely upon either (1) always knowing where to find the consistency check or (2) always being able to *find* the consistency check. In the former case, the virus would only be able to infect files would be limited to the number of files it knows about, and the more files it would know about would cause the virus to be larger and larger. The larger the file, the more likely the virus will be detected by a simply size check. In the latter case, the virus would be unnecessarily cumbersome because of the needed search code to find the consistency check, again, increasing the likelyhood of detection because of the size of the code needed to do the search and any delay caused by the virus performing the search. Also, the virus would be limited to attacking files with the targeted consistency check. If the check is subtly varied from one file to the next, the search would have to be even more complicated. None of this says such an infector is not possible, just that it would be a poor infector. ------------------------------ Date: 18 Nov 89 22:31:27 +0000 From: ut-emx!chrisj@cs.utexas.edu (Chris Johnson) Subject: Re: Help...Virus Attack (Mac) Garry Feldman, Supervisor, CCSU Apple Computer Lab, writes about his problems fighting viruses in a public access computer lab and mentions a problem that forced him to abandon the Gatekeeper anti-virus system: >I tried using gatekeeper, but programs such as Excel would not work. Judging from this description, you need to use the current version of Gatekeeper, 1.1.1. It's been out since 26-June and can be found in the sumex info-mac archives. The problem, for the record, was in Excel - not Gatekeeper. Nonetheless, I coded around that problem (and a number of others) in the interest of sparing people just the sort of problems you've experienced. So give 1.1.1 a try - I think you'll find that it works well. By the way, the Computation Center here at U.T. has installed Gatekeeper on all the Macs (33 of 'em) in its public access microcomputer lab, and found it completely effective. Of course, if users insist on starting Macs from their own disks, Gatekeeper is effectively out of the picture. In practice, though, we don't have much trouble with that since (a) users tend to need software like the LaserWriter driver and the UserInfo RDEV that tend to be unique to the disks we provide, and (b) we scan the disks checked out to each user with Disinfectant 1.2 after the user leaves - if we find the disks are infected, that student (whose ID number was logged when they checked-in) is not allowed to use the facility again until they've allowed us to clean their disks (we explain about viruses and give them copies of Disinfectant and Gatekeeper at that time). This approach has kept our lab completely clean, and has *dramatically* reduced the number of viruses present in our user community. Of course, this approach isn't possible in an unattended lab. In that environ- ment, you have to depend on automatic systems like Gatekeeper almost entirely. And Gatekeeper works extremely well in such environments. Even if some users start Macs from their own, infected disks and thereby infect your lab's Macs, Gatekeeper is still valuable since it will protect later users who do startup from your disks from the viruses left behind by the other users. I hope this helps, - ----Chris (Johnson) - ----Author of Gatekeeper - ----chrisj@emx.utexas.edu ------------------------------ Date: Sat, 18 Nov 89 13:45:21 -0800 From: portal!cup.portal.com!Alan_J_Roberts%Sun.COM@vma.cc.cmu.edu Subject: EAGLE.EXE Virus (PC) The EAGLE.EXE virus reported by Wakeem Rashad was not detected by SCAN because the Jerusalem Virus (and the trojan it was attached to) had been purposely compressed into a self extracting EXE file by a program called AXE (from SEA Systems, Wayne, NJ). This program has been used by a number of crackers to try to plant infected software onto bulletin board systems. There is unfortunately little that can be done to detect viruses in these AXE'd EXE files. The virus will be caught as soon as it attempts to spread, since the next file it attaches to will be infected in the normal manner. It would be possible to screen out all AXE'd files, but that would be detrimental to the legitimate use of AXE by original program authors who wish to decrease the size of their executable modules. If you have run one of these self extracting programs and suspect a virus, run SCAN with the /M option to search for it in memory. Alan ------------------------------ Date: 20 Nov 89 00:00:00 +0000 From: David.M..Chess.CHESS@YKTVMV Subject: Internet worm impact (UNIX & Internet) Alan Roberts, commenting on Pam Kane's book, writes: > We know that 50% of the connections were > downfor 24 hours and some (including ARPANET) were down for up to 4 > days. Do we really know that? That sounds somewhat more severe than numbers I've heard elsewhere. ARPANET being down for 4 days is *certainly* new news to me. The most recent estimate on the number of systems the worm actually ran on (and I'm afraid I've forgotten the source for the moment!) was 2500; seems unlikely that that (or even the earlier 6000 figure) would have killed 50% of the links for 24 hours. Are the numbers you quote from any published source I could get and read? The (very early) reports in the Seeley, Spafford and Eichlin/Rochlis papers didn't give me the impression that the impact on connectivity was that severe, and one chronology says (attributing it to Stoll) that the virus was "pretty much eliminated" by 1800 on 11/4, which is only 48 hours after it was first noticed. I'm not trying to argue that Alan is wrong, of course. I'm only surprised and curiosified by his numbers, and would like to read whatever it was they came from. DC ------------------------------ Date: Mon, 20 Nov 89 15:37:18 +0000 From: christer@cs.umu.se (Christer Ericson) Subject: Re: Sophisticated Viruses (Mac) levin@BBN.COM (Joel B. Levin) writes: >>I don't agree with you on any of these points, Terry. Say, on the >>Macintosh all calls to ROM are done through trap vectors in RAM. These >>trap vectors are patched by the system file (to fix bugs), by some >>programs and by all anti-virus tools. However, it doesn't take a >>genius to figure out that one could restore the trap vector to it's >>original value and thereby bypassing the "safe" system. . . . >> . . . A patch like this wouldn't occupy much space and is quite >>simple to write. > >Except that when system patches or INIT patches or program patches to >the traps were removed by the virus (and how would the virus decide what >value to restore them to?--this is different for each ROM and system >release version) the user would certainly be likely to notice the >resultant changed program behavior -- or system crashes. > > /JBL First, restoring the traps to their original values isn't that difficult. These are initialized by the ROM, then there must be a table from where all initial values are fetched from, right? As I haven't been writing any viruses lately, I'm not sure if this table is moving around from ROM version to ROM version, but attaining the start address of this table for each and every ROM version isn't too difficult. Also, the virus would of course restore the trap vector after it's done, so why would there be crashes? Actually, it wouldn't even have to change the trap vectors, it could call the ROM directly, but I left that to your imagination to figure out (a fruitless attempt, obviously) since I didn't want to give away freebies to aspirant virus writers. Some things they'll have to figure out themselves. /Christer | Christer Ericson Internet: christer@cs.umu.se | | Department of Computer Science, University of Umea, S-90187 UMEA, Sweden | | >>>>> "I bully sheep. I claim God doesn't exist..." <<<<< | ------------------------------ Date: 20 Nov 89 10:37:00 -0400 From: "WILLIAM HADLEY" Subject: The Brain...again (PC) I know the (C) Brain virus is not new...but it is back. Both George Mason University and Northern Virginia Community College have been re-infected with the Brain virus. From what I could tell by talking to one of the consultants at GMU, this is the same version of Brain that both schools were infected with before. If it is, here is some background data: It works on MS/PC DOS operating systems (at least up to 3.3); this version will only infect 5.25" DS DD disks; once loaded into a machine, it will infect EVERY 5.25" disk it comes in contact with; it is only loaded when the machine is booted. If anyone else (or any other school) is experiencing a re-infection of the Brain virus, please send mail directly to me and let me know...I would be interested. Thanks in advance!! Bill Hadley WLHADLEY@GMUVAX.GMU.EDU ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253